Attachment #9023 for bug #44966

View | Details | Raw Unified | Return to bug 44966
Collapse All | Expand All

Lines 36-41 Link Here

(-)conffiles/setup_saml_sp.py (+18 lines)
36	from subprocess import call	36	from subprocess import call
37	from time import sleep	37	from time import sleep
38	from urlparse import urlparse	38	from urlparse import urlparse
		39	from xml.etree import ElementTree
39	workaround = set()	40	workaround = set()
40		41
41		42
Lines 49-62 Link Here
49	workaround.add(True)	50	workaround.add(True)
50	cleanup()	51	cleanup()
51	metadata_download_failed = []	52	metadata_download_failed = []
		53	metadata_validation_failed = []
52	saml_idp = config_registry.get('umc/saml/idp-server')	54	saml_idp = config_registry.get('umc/saml/idp-server')
53	if saml_idp and not download_idp_metadata(saml_idp):	55	if saml_idp and not download_idp_metadata(saml_idp):
54	metadata_download_failed.append(saml_idp)	56	metadata_download_failed.append(saml_idp)
		57	elif not valid_metadata(saml_idp):
		58	metadata_validation_failed.append(saml_idp)
55	reload_webserver()	59	reload_webserver()
56	if not rewrite_sasl_configuration():	60	if not rewrite_sasl_configuration():
57	raise SystemExit('Could not rewrite SASL configuration for UMC.')	61	raise SystemExit('Could not rewrite SASL configuration for UMC.')
58	if metadata_download_failed:	62	if metadata_download_failed:
59	raise SystemExit('Could not download IDP metadata for %s' % (', '.join(metadata_download_failed),))	63	raise SystemExit('Could not download IDP metadata for %s' % (', '.join(metadata_download_failed),))
		64	if metadata_validation_failed:
		65	raise SystemExit('IDP metadata not valid for %s' % (', '.join(metadata_validation_failed),))
60		66
61		67
62	def cleanup():	68	def cleanup():
Lines 64-69 Link Here
64	os.remove(metadata)	70	os.remove(metadata)
65		71
66		72
		73	def valid_metadata(saml_idp):
		74	idp = bytes(urlparse(saml_idp).netloc)
		75	filename = '/usr/share/univention-management-console/saml/idp/%s.xml' % (idp,)
		76	try:
		77	ElementTree.parse(filename)
		78	except ElementTree.ParseError:
		79	os.remove(filename)
		80	return False
		81	return True
		82
		83
67	def download_idp_metadata(metadata):	84	def download_idp_metadata(metadata):
68	idp = bytes(urlparse(metadata).netloc)	85	idp = bytes(urlparse(metadata).netloc)
69	filename = '/usr/share/univention-management-console/saml/idp/%s.xml' % (idp,)	86	filename = '/usr/share/univention-management-console/saml/idp/%s.xml' % (idp,)
Lines 71-76 Link Here
71	print 'Try to download idp metadata (%s/60)' % (i + 1)	88	print 'Try to download idp metadata (%s/60)' % (i + 1)
72	rc = call([	89	rc = call([
73	'/usr/bin/curl',	90	'/usr/bin/curl',
		91	'--fail',
74	'--cacert', '/etc/univention/ssl/ucsCA/CAcert.pem',	92	'--cacert', '/etc/univention/ssl/ucsCA/CAcert.pem',
75	'-o', filename,	93	'-o', filename,
76	metadata,	94	metadata,

Lines 492-497 Link Here

(-)univention-management-console-web-server (+4 lines)
492	def _decorated(self, args, *kwargs):	492	def _decorated(self, args, *kwargs):
493	message = func(self, args, *kwargs) or ()	493	message = func(self, args, *kwargs) or ()
494	super(SamlError, self).__init__(status, message)	494	super(SamlError, self).__init__(status, message)
		495	if "Passive authentication not supported." in message:
		496	# This error just meens we need to do an active login. The frontend knows how to handle that and there is no need to log that. It still needs to be raised though.
		497	return self
		498	CORE.warn('SamlError: %s' % message)
495	return self	499	return self
496	return _decorated	500	return _decorated
497	if func is None:	501	if func is None:

Lines 8-13 Link Here

(-)usr/share/univention-management-console/saml/sp.py (-1 / +5 lines)
8		8
9	from univention.config_registry.interfaces import Interfaces	9	from univention.config_registry.interfaces import Interfaces
10	from univention.config_registry import ConfigRegistry	10	from univention.config_registry import ConfigRegistry
		11	from univention.management.console.log import CORE
11	ucr = ConfigRegistry()	12	ucr = ConfigRegistry()
12	ucr.load()	13	ucr.load()
13		14
Lines 24-29 Link Here
24	addresses.extend([y['address'] for x, y in i.all_interfaces if y and y.get('address')])	25	addresses.extend([y['address'] for x, y in i.all_interfaces if y and y.get('address')])
25		26
26	bases = ['%s://%s/univention/saml' % (scheme, addr) for addr in addresses for scheme in ('https', 'http')]	27	bases = ['%s://%s/univention/saml' % (scheme, addr) for addr in addresses for scheme in ('https', 'http')]
		28	idp_configs = glob.glob('/usr/share/univention-management-console/saml/idp/*.xml')
		29	if not idp_configs:
		30	CORE.error('''SamlError: Can't find any idp. SAML won't work. Please check the ucr variable "umc/saml/idp-server".''')
27	CONFIG = {	31	CONFIG = {
28	"entityid": "https://%s/univention/saml/metadata" % (fqdn,),	32	"entityid": "https://%s/univention/saml/metadata" % (fqdn,),
29	"name_form": NAME_FORMAT_URI,	33	"name_form": NAME_FORMAT_URI,
Lines 46-52 Link Here
46	"cert_file": "/etc/univention/ssl/%s/cert.pem" % (fqdn,),	50	"cert_file": "/etc/univention/ssl/%s/cert.pem" % (fqdn,),
47	"xmlsec_binary": "/usr/bin/xmlsec1",	51	"xmlsec_binary": "/usr/bin/xmlsec1",
48	"metadata": {	52	"metadata": {
49	"local": glob.glob('/usr/share/univention-management-console/saml/idp/*.xml'),	53	"local": idp_configs,
50	},	54	},
51	# TODO: add contact_person?	55	# TODO: add contact_person?
52	}	56	}

Return to bug 44966