def __init__(self, *pargs):
super(IdpProvider, self).__init__('persona', 'Persona', 'persona',
*pargs)
self.mapping = InfoMapping()
self.page = None
self.basepath = None
self.key = None
self.key_info = None
self.description = """
Provides Persona authentication infrastructure. """
self.new_config(
self.name,
pconfig.String(
'issuer domain',
'The issuer domain of the Persona provider',
'localhost'),
pconfig.String(
'idp key file',
'The key where the Persona key is stored.',
'persona.key'),
pconfig.List(
'allowed domains',
'List of domains this IdP is willing to issue claims for.'),
)
def __init__(self, *args, **kwargs):
super(LoginManager, self).__init__(*args, **kwargs)
self.name = 'ldap'
self.path = 'ldap'
self.page = None
self.ldap_info = None
self.service_name = 'ldap'
self.description = """
Form based login Manager that uses a simple bind LDAP operation to perform
authentication. """
self.new_config(
self.name,
pconfig.String('server url', 'The LDAP server url.',
'ldap://example.com'),
pconfig.Template('bind dn template',
'Template to turn username into DN.',
'uid=%(username)s,ou=People,dc=example,dc=com'),
pconfig.String('base dn',
'The base dn to look for users and groups',
'dc=example,dc=com'),
pconfig.Condition('get user info',
'Get user info via ldap using user credentials',
True),
pconfig.Pick('tls', 'What TLS level show be required',
['Demand', 'Allow', 'Try', 'Never', 'NoTLS'],
'Demand'),
pconfig.String('username text',
'Text used to ask for the username at login time.',
'Username'),
pconfig.String('password text',
'Text used to ask for the password at login time.',
'Password'),
pconfig.String('help text',
'Text used to guide the user at login time.',
'Provide your Username and Password'))
def __init__(self, *args):
super(InfoProvider, self).__init__(*args)
self._fas_client = None
self.name = 'fas'
self.description = """
Info plugin that retrieves user data from FAS. """
self.new_config(
self.name,
pconfig.String(
'FAS url',
'The FAS Url.',
'https://admin.fedoraproject.org/accounts/'),
pconfig.String(
'FAS Proxy client user Agent',
'The User Agent presented to the FAS Server.',
'Ipsilon v1.0'),
pconfig.Condition(
'FAS Insecure Auth',
'If checked skips FAS server cert verification.',
False),
pconfig.String(
'Bind Username',
'Username to be used when retrieving info.',
'ipsilondummy'),
pconfig.String(
'Bind Password',
'Username to be used when retrieving info.',
'Password')
)
def __init__(self, *args, **kwargs):
super(LoginManager, self).__init__(*args, **kwargs)
self.name = 'pam'
self.path = 'pam'
self.page = None
self.description = """
Form based login Manager that uses the system's PAM infrastructure
for authentication. """
self.new_config(
self.name,
pconfig.String(
'service name',
'The name of the PAM service used to authenticate.',
'ipsilon',
readonly=True,
),
pconfig.String('username text',
'Text used to ask for the username at login time.',
'Username'),
pconfig.String('password text',
'Text used to ask for the password at login time.',
'Password'),
pconfig.String('help text',
'Text used to guide the user at login time.',
'Provide your Username and Password'))
def __init__(self, *pargs):
super(InfoProvider, self).__init__(*pargs)
self.mapper = Policy(ldap_mapping)
self.name = 'ldap'
self.description = """
Info plugin that uses LDAP to retrieve user data. """
self.new_config(
self.name,
pconfig.String('server url', 'The LDAP server url.',
'ldap://example.com'),
pconfig.Template('user dn template',
'Template to turn username into DN.',
'uid=%(username)s,ou=People,dc=example,dc=com'),
pconfig.Pick('tls', 'What TLS level show be required',
['Demand', 'Allow', 'Try', 'Never', 'NoTLS'],
'Demand'),
pconfig.String('bind dn',
'DN to bind as, if empty uses anonymous bind.',
'uid=ipsilon,ou=People,dc=example,dc=com'),
pconfig.String('bind password',
'Password to use for bind operation'),
pconfig.String('base dn',
'The base dn to look for users and groups',
'dc=example,dc=com'),
)
def __init__(self, *args, **kwargs):
super(LoginManager, self).__init__(*args, **kwargs)
self.name = 'fas'
self.path = 'fas'
self.service_name = 'fas'
self.page = None
self.fpc = None
self.description = """
Form based login Manager that uses the Fedora Authentication Server
"""
self.new_config(
self.name,
pconfig.String('FAS url', 'The FAS Url.',
'https://admin.fedoraproject.org/accounts/'),
pconfig.String('FAS Proxy client user Agent',
'The User Agent presented to the FAS Server.',
'Ipsilon v1.0'),
pconfig.Condition(
'FAS Insecure Auth',
'If checked skips FAS server cert verification.', False),
pconfig.String('username text',
'Text used to ask for the username at login time.',
'FAS Username'),
pconfig.String('password text',
'Text used to ask for the password at login time.',
'Password'),
pconfig.String('help text',
'Text used to guide the user at login time.',
'Login with your FAS credentials'))
def __init__(self, *pargs):
super(AuthzProvider, self).__init__(*pargs)
self.name = 'spgroup'
self.description = """
Authorization plugin that allows access based on user groups.
This plugin will decline to authorize users not in the prerequisite group,
rather than reject them outright."""
self.new_config(self.name,
pconfig.String('prefix', 'Group name prefix', ''),
pconfig.String('suffix', 'Group name suffix', ''))
def __init__(self, *pargs):
super(IdpProvider, self).__init__('openidc', 'OpenID Connect',
'openidc', *pargs)
self.mapping = InfoMapping()
self.keyset = None
self.admin = None
self.page = None
self.datastore = None
self.server = None
self.basepath = None
self.extensions = LoadExtensions()
self.description = """
Provides OpenID Connect authentication infrastructure. """
self.new_config(
self.name,
pconfig.String('database url',
'Database URL for OpenID Connect storage',
'openidc.sqlite'),
pconfig.String(
'static database url',
'Database URL for OpenID Connect static client configuration',
'openidc.static.sqlite'),
pconfig.Choice('enabled extensions',
'Choose the extensions to enable',
self.extensions.available().keys()),
pconfig.String('endpoint url',
'The Absolute URL of the OpenID Connect provider',
'http://localhost:8080/openidc/'),
pconfig.String(
'documentation url',
'The Absolute URL of the OpenID Connect documentation',
'https://ipsilonproject.org/doc/openidc/'),
pconfig.String('policy url',
'The Absolute URL of the OpenID Connect policy',
'http://www.example.com/'),
pconfig.String(
'tos url',
'The Absolute URL of the OpenID Connect terms of service',
'http://www.example.com/'),
pconfig.String('idp key file',
'The file where the OpenIDC keyset is stored.',
'openidc.key'),
pconfig.String('idp sig key id', 'The key to use for signing.',
''),
pconfig.String('idp subject salt',
'The salt used for pairwise subjects.', None),
pconfig.Condition(
'allow dynamic client registration',
'Allow Dynamic Client registrations for Relying Parties',
True),
pconfig.MappingList('default attribute mapping',
'Defines how to map attributes', [['*', '*']]),
pconfig.ComplexList(
'default allowed attributes',
'Defines a list of allowed attributes, applied after mapping',
['*']),
)
def load_config(self):
self.new_config(
self.provider_id,
pconfig.String(
'Name',
'A nickname used to easily identify the Service Provider.'
' Only alphanumeric characters [A-Z,a-z,0-9] and spaces are'
' accepted.', self.name),
pconfig.String('Metadata',
"Service Provider's metadata",
self.metadata,
multiline=True),
pconfig.String('Description',
'A description of the SP to show on the Portal.',
self.description),
pconfig.String('Service Provider link',
'A link to the Service Provider for the Portal.',
self.splink),
pconfig.Condition('Visible in Portal',
'This SP is visible in the Portal.',
self.visible),
pconfig.Image(
'Image File',
'Image to display for this SP in the Portal. Scale to '
'100x200 for best results.', self.imagefile),
pconfig.Pick('Default NameID',
'Default NameID used by Service Providers.',
SAML2_NAMEID_MAP.keys(), self.default_nameid),
pconfig.Choice('Allowed NameIDs',
'Allowed NameIDs for this Service Provider.',
SAML2_NAMEID_MAP.keys(), self.allowed_nameids),
pconfig.String('User Owner',
'The user that owns this Service Provider',
self.owner),
pconfig.MappingList(
'Attribute Mapping',
'Defines how to map attributes before returning them to'
' the SP. Setting this overrides the global values.',
self.attribute_mappings),
pconfig.ComplexList(
'Allowed Attributes',
'Defines a list of allowed attributes, applied after mapping.'
' Setting this overrides the global values.',
self.allowed_attributes),
)
def __init__(self, *pargs):
super(IdpProvider, self).__init__('openid', 'OpenID', 'openid', *pargs)
self.mapping = InfoMapping()
self.page = None
self.datastore = None
self.server = None
self.basepath = None
self.extensions = LoadExtensions()
self.description = """
Provides OpenID 2.0 authentication infrastructure. """
self.new_config(
self.name,
pconfig.String('database url',
'Database URL for OpenID temp storage',
'openid.sqlite'),
pconfig.String(
'default email domain',
'Used for users missing the email property.' +
' (Leave empty to disable)', ''),
pconfig.String('endpoint url',
'The Absolute URL of the OpenID provider',
'http://localhost:8080/openid/'),
pconfig.Template(
'identity url template',
'The templated URL where identities are exposed.',
'http://localhost:8080/openid/id/%(username)s'),
pconfig.List('trusted roots', 'List of trusted relying parties.'),
pconfig.List('untrusted roots',
'List of untrusted relying parties.'),
pconfig.Choice('enabled extensions',
'Choose the extensions to enable',
self.extensions.available().keys()),
pconfig.MappingList(
'default attribute mapping',
'Defines how to map attributes before calling extensions',
[['*', '*']]),
pconfig.ComplexList(
'default allowed attributes',
'Defines a list of allowed attributes, applied after mapping',
['*']),
)
def __init__(self, *args, **kwargs):
super(LoginManager, self).__init__(*args, **kwargs)
self.name = 'form'
self.path = 'form'
self.page = None
self.service_name = 'form'
self.description = """
Form based login Manager. Relies on mod_intercept_form_submit plugin for
actual authentication. """
self.new_config(
self.name,
pconfig.String('username text',
'Text used to ask for the username at login time.',
'Username'),
pconfig.String('password text',
'Text used to ask for the password at login time.',
'Password'),
pconfig.String(
'help text', 'Text used to guide the user at login time.',
'Insert your Username and Password and then submit.'))
def __init__(self, *args):
super(InfoProvider, self).__init__(*args)
self.mapper = Policy(fasjson_mapping)
self.name = 'fasjson'
self.description = """
Info plugin that retrieves user data from FASJSON. """
self.new_config(
self.name,
pconfig.String('FASJSON url', 'The FASJSON Url.',
'http://fasjson.tinystage.test/fasjson/'),
)
def __init__(self, *args, **kwargs):
super(LoginManager, self).__init__(*args, **kwargs)
self.name = 'testauth'
self.service_name = 'testauth'
self.path = 'testauth'
self.page = None
self.description = """
Form based TEST login Manager, DO NOT EVER ACTIVATE IN PRODUCTION """
self.new_config(
self.name,
pconfig.String('username text',
'Text used to ask for the username at login time.',
'Username'),
pconfig.String('password text',
'Text used to ask for the password at login time.',
'Password'),
pconfig.String(
'help text', 'Text used to guide the user at login time.',
'DISABLE IN PRODUCTION, USE ONLY FOR TEST ' +
'Use any username they are all valid, "admin" gives ' +
'administrative powers. ' +
'Use the fixed password "ipsilon" for any user'),
pconfig.List('groups', 'Extra groups'))
def __init__(self, *pargs):
super(IdpProvider, self).__init__('saml2', 'SAML 2.0', 'saml2', *pargs)
self.admin = None
self.rest = None
self.page = None
self.idp = None
self.sessionfactory = None
self.description = """
Provides SAML 2.0 authentication infrastructure. """
self.new_config(
self.name,
pconfig.String('idp storage path',
'Path to data storage accessible by the IdP.',
'/var/lib/ipsilon/saml2'),
pconfig.String('idp metadata file',
'The IdP Metadata file generated at install time.',
'metadata.xml'),
pconfig.String(
'idp metadata validity',
'The IdP Metadata validity period (in days) to use when '
'generating new metadata.', METADATA_DEFAULT_VALIDITY_PERIOD),
pconfig.String(
'idp certificate file',
'The IdP PEM Certificate generated at install time.',
'certificate.pem'),
pconfig.String(
'idp key file',
'The IdP Certificate Key generated at install time.',
'certificate.key'),
pconfig.String('idp nameid salt',
'The salt used for persistent Name IDs.', None),
pconfig.Condition(
'allow self registration',
'Allow authenticated users to register applications.', True),
pconfig.Choice('default allowed nameids',
'Default Allowed NameIDs for Service Providers.',
metadata.SAML2_NAMEID_MAP.keys(), [
'unspecified', 'persistent', 'transient',
'email', 'kerberos', 'x509'
]),
pconfig.Pick('default nameid',
'Default NameID used by Service Providers.',
metadata.SAML2_NAMEID_MAP.keys(), 'unspecified'),
pconfig.String('default email domain',
'Used for users missing the email property.',
'example.com'),
pconfig.MappingList(
'default attribute mapping',
'Defines how to map attributes before returning them to SPs',
[['*', '*']]),
pconfig.ComplexList(
'default allowed attributes',
'Defines a list of allowed attributes, applied after mapping',
['*']),
pconfig.String('session database url',
'Database URL for SAML2 sessions',
'saml2.sessions.db.sqlite'),
)
if cherrypy.config.get('debug', False):
import logging
import sys
logger = logging.getLogger('lasso')
lh = logging.StreamHandler(sys.stderr)
logger.addHandler(lh)
logger.setLevel(logging.DEBUG)
def load_config(self):
self.new_config(
self.client_id,
pconfig.String('Client ID',
'Client Identifier used in the protocol.',
self.get_current_info('client_id'),
readonly=self.client_id is not None),
pconfig.String('Client Secret',
'Client secret used to authenticate.',
self.get_current_info('client_secret'),
readonly=True),
pconfig.String(
'Client Name',
'A nickname shown to the user to identify the client.',
self.get_current_info('client_name'),
readonly=self.readonly),
pconfig.List(
'Redirect URIs',
'URIs to be used by the client as redirect URIs. Must all '
'start with https if application type is web, must all start '
'with http://localhost/ if application type is native.',
self.get_current_info('redirect_uris'),
readonly=self.readonly),
pconfig.Pick('Application Type',
'Application type of the client.', ['web', 'native'],
self.get_current_info('application_type'),
readonly=self.readonly),
pconfig.String('Client URI',
'URI of the home page of the client.',
self.get_current_info('client_uri'),
readonly=self.readonly),
pconfig.List('Contacts',
'List of contacts email addressess for this client.',
self.get_current_info('contacts'),
readonly=self.readonly),
pconfig.String('Logo URI',
'URI of the a logo for the client.',
self.get_current_info('logo_uri'),
readonly=self.readonly),
pconfig.String('Policy URI',
'URI to the client privacy policy.',
self.get_current_info('policy_uri'),
readonly=self.readonly),
pconfig.String('TOS URI',
'URI to the client Terms of Service.',
self.get_current_info('tos_uri'),
readonly=self.readonly),
pconfig.String('JWKS URI',
'URI to the client JSON Web Key Set document.',
self.get_current_info('jwks_uri'),
readonly=self.readonly),
pconfig.String('JWKS',
'Document with client JSON Web Key Set',
self.get_current_info('jwks'),
readonly=self.readonly,
multiline=True),
pconfig.String(
'Sector Identifier URI',
'URI identifying the pairwise subject value sector.',
self.get_current_info('sector_identifier_uri'),
readonly=self.readonly),
pconfig.Pick('Subject type',
'Subject type to be used for this client',
['pairwise', 'public'],
self.get_current_info('subject_type'),
readonly=self.readonly),
pconfig.Choice(
'Response Types',
'Response types that will be used', [
'code', 'id_token', 'id_token token', 'code id_token',
'code token', 'code id_token token'
],
self.get_current_info('response_types'),
readonly=self.readonly),
pconfig.Choice('Grant Types',
'Grant types this client will use.',
['authorization_code', 'implicit', 'refresh_token'],
self.get_current_info('grant_types'),
readonly=self.readonly),
pconfig.List('Request URIs',
'URIs used by the client containing request objects.',
self.get_current_info('request_uris'),
readonly=self.readonly),
pconfig.Condition(
'Require Auth Time',
'Whether the client requires the last auth time.',
self.get_current_info('require_auth_time'),
readonly=self.readonly),
pconfig.Pick(
'Token Endpoint Auth Method',
'Auth method used by the client to the token endpoint.', [
'client_secret_post', 'client_secret_basic',
'client_secret_jwt', 'private_key_jwt', 'none'
],
self.get_current_info('token_endpoint_auth_method'),
readonly=self.readonly),
pconfig.Pick('ID Token Signed Response Alg',
'Algorithm used to sign ID Tokens', ['RS256'],
self.get_current_info('id_token_signed_response_alg'),
readonly=self.readonly),
pconfig.Pick('UserInfo Signed Response Alg',
'Algorithm used to sign userinfo', ['', 'RS256'],
self.get_current_info('userinfo_signed_response_alg'),
readonly=self.readonly),
pconfig.Pick('Request Object Signing Alg',
'Algorithm used to sign request objects',
jws_default_allowed_algs + ['none'],
self.get_current_info('request_object_signing_alg'),
readonly=self.readonly),
pconfig.String(
'Initiate Login URI',
'URI that third party can use to initiate login at client.',
self.get_current_info('initiate_login_uri'),
readonly=self.readonly),
pconfig.Integer('Default Max Age',
'Default maximum age for authentication timeout',
self.get_current_info('default_max_age'),
readonly=self.readonly),
pconfig.List(
'Default ACR values',
'Default Authentication Context Class requested by client.',
self.get_current_info('default_acr_values'),
readonly=self.readonly),
# TODO:
# id_token_encrypted_response_alg
# id_token_encrypted_response_enc
# userinfo_encrypted_response_alg
# userinfo_encrypted_response_enc
# request_object_encryption_alg
# request_object_encryption_enc
# token_endpoint_auth_signing_alg
)
