def configure(self, opts, changes):
    """Set up the SAML2 IdP plugin from the installer options.

    Creates the plugin storage directory, generates the IdP certificate
    and metadata document, stores the plugin configuration and enables
    the plugin.  Returns early unless ``opts['saml2']`` is ``'yes'``.
    ``changes`` is accepted for interface compatibility and is not read.
    """
    if opts['saml2'] != 'yes':
        return

    # Storage directory for the IdP material, created owner-only.
    storage = os.path.join(opts['data_dir'], 'saml2')
    if not os.path.exists(storage):
        os.makedirs(storage, 0o700)

    # A single certificate serves both signing and encryption for now.
    idp_cert = Certificate(storage)
    idp_cert.generate('idp', opts['hostname'])

    # Build the IdP entity URL and write out its metadata document.
    scheme = 'http' if opts['secure'].lower() == 'no' else 'https'
    url = '%s://%s%s' % (scheme, opts['hostname'], opts['instanceurl'])
    validity = int(opts['saml2_metadata_validity'])  # days
    meta = IdpMetadataGenerator(url, idp_cert, timedelta(validity))
    if 'gssapi' in opts and opts['gssapi'] == 'yes':
        meta.meta.add_allowed_name_format(
            lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
    meta.output(os.path.join(storage, 'metadata.xml'))

    # Persist the plugin configuration, discarding any previous state.
    plugin = PluginObject(*self.pargs)
    plugin.name = 'saml2'
    plugin.wipe_data()
    plugin.wipe_config_values()

    # An explicit session database URL wins; otherwise derive one from
    # the generic database URL template.
    session_dburl = opts['saml2_session_dburl']
    if not session_dburl:
        session_dburl = opts['database_url'] % {
            'datadir': opts['data_dir'],
            'dbname': 'saml2.sessions.db',
        }

    plugin.save_plugin_config({
        'idp storage path': storage,
        'idp metadata file': 'metadata.xml',
        'idp certificate file': idp_cert.cert,
        'idp key file': idp_cert.key,
        # Fresh random salt for this installation.
        'idp nameid salt': uuid.uuid4().hex,
        'idp metadata validity': opts['saml2_metadata_validity'],
        'session database url': session_dburl,
    })

    # Enable the plugin in the global configuration.
    plugin.is_enabled = True
    plugin.save_enabled_state()

    # Restrict everything under the storage path to the service user.
    files.fix_user_dirs(storage, opts['system_user'])
def configure(self, opts, changes):
    """Set up the SAML2 IdP plugin from the installer options.

    Does nothing unless ``opts['saml2']`` is ``'yes'``.  Otherwise it
    creates the storage directory, generates the IdP certificate and
    metadata, saves the plugin configuration and enables the plugin.
    ``changes`` is part of the interface but is not used here.
    """
    if opts['saml2'] != 'yes':
        return

    data_dir = opts['data_dir']
    hostname = opts['hostname']

    # Owner-only storage directory for certificate, key and metadata.
    storage = os.path.join(data_dir, 'saml2')
    if not os.path.exists(storage):
        os.makedirs(storage, 0o700)

    # One certificate is used for both signing and encryption for now.
    idp_cert = Certificate(storage)
    idp_cert.generate('idp', hostname)

    # IdP metadata: scheme follows the "secure" option.
    if opts['secure'].lower() == 'no':
        scheme = 'http'
    else:
        scheme = 'https'
    url = '%s://%s/%s' % (scheme, hostname, opts['instance'])
    validity_days = int(opts['saml2_metadata_validity'])
    meta = IdpMetadataGenerator(url, idp_cert, timedelta(validity_days))
    if 'gssapi' in opts and opts['gssapi'] == 'yes':
        meta.meta.add_allowed_name_format(
            lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
    meta.output(os.path.join(storage, 'metadata.xml'))

    # Replace any existing plugin data and configuration.
    plugin = PluginObject(*self.pargs)
    plugin.name = 'saml2'
    plugin.wipe_data()
    plugin.wipe_config_values()

    # Explicit session database URL, or one derived from the template.
    session_dburl = opts['saml2_session_dburl'] or (
        opts['database_url'] % {'datadir': data_dir,
                                'dbname': 'saml2.sessions.db'})

    plugin_config = {
        'idp storage path': storage,
        'idp metadata file': 'metadata.xml',
        'idp certificate file': idp_cert.cert,
        'idp key file': idp_cert.key,
        # Fresh random salt for this installation.
        'idp nameid salt': uuid.uuid4().hex,
        'idp metadata validity': opts['saml2_metadata_validity'],
        'session database url': session_dburl,
    }
    plugin.save_plugin_config(plugin_config)

    # Register the plugin as enabled in the global configuration.
    plugin.is_enabled = True
    plugin.save_enabled_state()

    # Hand the storage tree to the service user, owner-readable only.
    files.fix_user_dirs(storage, opts['system_user'])
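def init(workdir):
    """Create the SAML2 and OpenID Connect material for a quickrun instance.

    Writes a self-signed IdP certificate and metadata document under
    ``workdir/saml2`` and an RSA signing key set to ``workdir/openidc.key``.
    The key file is created readable by its owner only, because the
    exported JWK set carries the private key.
    """
    # SAML2 first: the certificate/metadata pairing is the fiddly part.
    cert = Certificate(os.path.join(workdir, 'saml2'))
    cert.generate('certificate', 'ipsilon-quickrun')
    url = 'http://localhost:8080/'
    validity = 365 * 5  # days
    meta = IdpMetadataGenerator(url, cert, timedelta(validity))
    meta.output(os.path.join(workdir, 'saml2', 'metadata.xml'))

    # OpenID Connect: one RSA-2048 signing key, stored as a JWK set.
    keyfile = os.path.join(workdir, 'openidc.key')
    keyset = JWKSet()
    keyset.add(JWK(generate='RSA', size=2048, use='sig', kid='quickstart'))

    # jwcrypto's JWKSet.export() includes private keys by default, so do
    # not leave the file mode to the umask: create it 0600 explicitly.
    # A file that already exists keeps its current mode.
    fd = os.open(keyfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as m:
        m.write(keyset.export())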
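def init(workdir):
    """Create the SAML2 and OpenID Connect material for a quickrun instance.

    Writes a self-signed IdP certificate and metadata document under
    ``workdir/saml2`` and an RSA signing key set to ``workdir/openidc.key``.
    The key file is created readable by its owner only, because the
    exported JWK set carries the private key.
    """
    # SAML2 first: the certificate/metadata pairing is the fiddly part.
    cert = Certificate(os.path.join(workdir, 'saml2'))
    cert.generate('certificate', 'ipsilon-quickrun')
    url = 'http://localhost:8080/idp'
    validity = 365 * 5  # days
    meta = IdpMetadataGenerator(url, cert, timedelta(validity))
    meta.output(os.path.join(workdir, 'saml2', 'metadata.xml'))

    # OpenID Connect: one RSA-2048 signing key, stored as a JWK set.
    keyfile = os.path.join(workdir, 'openidc.key')
    keyset = JWKSet()
    keyset.add(JWK(generate='RSA', size=2048, use='sig', kid='quickstart'))

    # jwcrypto's JWKSet.export() includes private keys by default, so do
    # not leave the file mode to the umask: create it 0600 explicitly.
    # A file that already exists keeps its current mode.
    fd = os.open(keyfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as m:
        m.write(keyset.export())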
def _get_metadata(self):
    """Return the IdP metadata document, regenerating it when stale.

    The cached copy at ``self.cfg.idp_metadata_file`` is returned as long
    as its mtime is younger than ``METADATA_RENEW_INTERVAL`` seconds.
    Otherwise a fresh document is generated from the configured
    certificate and key, written back to that path and returned.
    """
    md_path = self.cfg.idp_metadata_file
    if os.path.isfile(md_path):
        oldest_acceptable = time.time() - METADATA_RENEW_INTERVAL
        if os.stat(md_path).st_mtime > oldest_acceptable:
            with open(md_path) as cached:
                return cached.read()

    # Missing or stale: rebuild from the IdP key pair.
    idp_cert = Certificate()
    idp_cert.import_cert(self.cfg.idp_certificate_file,
                         self.cfg.idp_key_file)
    validity = timedelta(int(self.cfg.idp_metadata_validity))
    generator = IdpMetadataGenerator(self.instance_base_url(),
                                     idp_cert, validity)
    body = generator.output()

    # NOTE: the cache file is truncated before the new body is written,
    # so a concurrent reader may briefly observe an empty or partial
    # document.
    with open(md_path, 'w+') as cache:
        cache.write(body)
    return body
return data else: with open(path, 'w') as f: f.write(data) if __name__ == '__main__': import tempfile import shutil import os tmpdir = tempfile.mkdtemp() try: # Test IDP generation sign_cert = Certificate(tmpdir) sign_cert.generate('idp-signing-cert', 'idp.ipsilon.example.com') enc_cert = Certificate(tmpdir) enc_cert.generate('idp-encryption-cert', 'idp.ipsilon.example.com') idp = Metadata() idp.set_entity_id('https://ipsilon.example.com/idp/metadata') idp.set_role(IDP_ROLE) idp.add_certs(sign_cert, enc_cert) idp.add_service(SAML2_SERVICE_MAP['sso-post'], 'https://ipsilon.example.com/idp/saml2/POST') idp.add_service(SAML2_SERVICE_MAP['sso-redirect'], 'https://ipsilon.example.com/idp/saml2/Redirect') for k in SAML2_NAMEID_MAP: idp.add_allowed_name_format(SAML2_NAMEID_MAP[k]) md_file = os.path.join(tmpdir, 'metadata.xml') idp.output(md_file)