Attachment #9023 for bug #44966

View | Details | Raw Unified | Return to bug 44966
Collapse All | Expand All

(-)conffiles/setup_saml_sp.py (+18 lines)

Lines 36-41	Link Here

from subprocess import call

from subprocess import call

from time import sleep

from time import sleep

from urlparse import urlparse

from urlparse import urlparse

from xml.etree import ElementTree

workaround = set()

workaround = set()

Lines 49-62	Link Here

	workaround.add(True)

	workaround.add(True)

	cleanup()

	cleanup()

	metadata_download_failed = []

	metadata_download_failed = []

	metadata_validation_failed = []

	saml_idp = config_registry.get('umc/saml/idp-server')

	saml_idp = config_registry.get('umc/saml/idp-server')

	if saml_idp and not download_idp_metadata(saml_idp):

	if saml_idp and not download_idp_metadata(saml_idp):

		metadata_download_failed.append(saml_idp)

		metadata_download_failed.append(saml_idp)

	elif not valid_metadata(saml_idp):

		metadata_validation_failed.append(saml_idp)

	reload_webserver()

	reload_webserver()

	if not rewrite_sasl_configuration():

	if not rewrite_sasl_configuration():

		raise SystemExit('Could not rewrite SASL configuration for UMC.')

		raise SystemExit('Could not rewrite SASL configuration for UMC.')

	if metadata_download_failed:

	if metadata_download_failed:

		raise SystemExit('Could not download IDP metadata for %s' % (', '.join(metadata_download_failed),))

		raise SystemExit('Could not download IDP metadata for %s' % (', '.join(metadata_download_failed),))

	if metadata_validation_failed:

		raise SystemExit('IDP metadata not valid for %s' % (', '.join(metadata_validation_failed),))

def cleanup():

def cleanup():

Lines 64-69	Link Here

		os.remove(metadata)

		os.remove(metadata)

def valid_metadata(saml_idp):

	idp = bytes(urlparse(saml_idp).netloc)

	filename = '/usr/share/univention-management-console/saml/idp/%s.xml' % (idp,)

	try:

		ElementTree.parse(filename)

	except ElementTree.ParseError:

		os.remove(filename)

		return False

	return True

def download_idp_metadata(metadata):

def download_idp_metadata(metadata):

	idp = bytes(urlparse(metadata).netloc)

	idp = bytes(urlparse(metadata).netloc)

	filename = '/usr/share/univention-management-console/saml/idp/%s.xml' % (idp,)

	filename = '/usr/share/univention-management-console/saml/idp/%s.xml' % (idp,)

Lines 71-76	Link Here

		print 'Try to download idp metadata (%s/60)' % (i + 1)

		print 'Try to download idp metadata (%s/60)' % (i + 1)

		rc = call([

		rc = call([

			'/usr/bin/curl',

			'/usr/bin/curl',

			'--fail',

			'--cacert', '/etc/univention/ssl/ucsCA/CAcert.pem',

			'--cacert', '/etc/univention/ssl/ucsCA/CAcert.pem',

			'-o', filename,

			'-o', filename,

			metadata,

			metadata,

(-)univention-management-console-web-server (+4 lines)

Lines 492-497	Link Here

492

			def _decorated(self, *args, **kwargs):

492

			def _decorated(self, *args, **kwargs):

493

				message = func(self, *args, **kwargs) or ()

493

				message = func(self, *args, **kwargs) or ()

494

				super(SamlError, self).__init__(status, message)

494

				super(SamlError, self).__init__(status, message)

495

				if "Passive authentication not supported." in message:

496

					# This error just meens we need to do an active login. The frontend knows how to handle that and there is no need to log that. It still needs to be raised though.

497

					return self

498

				CORE.warn('SamlError: %s' % message)

495

				return self

499

				return self

496

			return _decorated

500

			return _decorated

497

		if func is None:

501

		if func is None:

(-)usr/share/univention-management-console/saml/sp.py (-1 / +5 lines)

from univention.config_registry.interfaces import Interfaces

from univention.config_registry.interfaces import Interfaces

from univention.config_registry import ConfigRegistry

from univention.config_registry import ConfigRegistry

from univention.management.console.log import CORE

ucr = ConfigRegistry()

ucr = ConfigRegistry()

ucr.load()

ucr.load()

	addresses.extend([y['address'] for x, y in i.all_interfaces if y and y.get('address')])

	addresses.extend([y['address'] for x, y in i.all_interfaces if y and y.get('address')])

bases = ['%s://%s/univention/saml' % (scheme, addr) for addr in addresses for scheme in ('https', 'http')]

bases = ['%s://%s/univention/saml' % (scheme, addr) for addr in addresses for scheme in ('https', 'http')]

idp_configs = glob.glob('/usr/share/univention-management-console/saml/idp/*.xml')

if not idp_configs:

	CORE.error('''SamlError: Can't find any idp. SAML won't work. Please check the ucr variable "umc/saml/idp-server".''')

CONFIG = {

CONFIG = {

	"entityid": "https://%s/univention/saml/metadata" % (fqdn,),

	"entityid": "https://%s/univention/saml/metadata" % (fqdn,),

	"name_form": NAME_FORMAT_URI,

	"name_form": NAME_FORMAT_URI,

	"cert_file": "/etc/univention/ssl/%s/cert.pem" % (fqdn,),

	"cert_file": "/etc/univention/ssl/%s/cert.pem" % (fqdn,),

	"xmlsec_binary": "/usr/bin/xmlsec1",

	"xmlsec_binary": "/usr/bin/xmlsec1",

	"metadata": {

	"metadata": {

		"local": glob.glob('/usr/share/univention-management-console/saml/idp/*.xml'),

		"local": idp_configs,

},

},

	# TODO: add contact_person?

	# TODO: add contact_person?

Return to bug 44966