Information Card Account Management Plugin
Abstract
This Trac hack allows Information Cards to be associated with existing accounts and then used as an authentication mechanism for a Trac system. If the groups portion of the plugin is enabled, claims in the tokens can be used to assign the authenticated user to groups for authorization purposes. If you were looking for generic Python relying party code, please see: Python RP.
License
The extension is distributed to you under the LGPL; please note that it includes works copyrighted by others and released under permissive licenses such as BSD, Beerware and the Trac license.
Requirements
This Trac hack is written entirely in Python and works with Trac 0.11.
I have found that when run on Apache it is often better to use the expanded version of .egg files; this can be accomplished by using the -Z option with easy_install.
- Some form of Python XML with DOM and XPath support, tested with PyXML
- m2crypto as a Python wrapper to OpenSSL, which must also be installed. m2crypto also requires SWIG
- Systems running Python older than 2.5 require hashlib
- If you use the LDAP user store module then the Python LDAP module is required.
- To create and install an egg file you need to have a recent version of setuptools installed.
Please refer to the TracPlugins page for additional information about plugin installation.
Download
- Source code is available from http://code.bandit-project.org/svn/trunk/rp/trac/infocard_acct/0.11
Installation
easy_install -Z http://code.bandit-project.org/svn/trunk/rp/trac/infocard_acct/0.11
- Configure the plugin (see Configuration below)
- Either use trac-admin-acct to initialize the association store and optionally the user store, or trac-admin upgrade.
Configuration
You need to customize the trac.ini file of your project, following the instructions below
- Optionally add the path to your plugin directory.
- Enable account-manager and infocard_acct in [components] section, so that the Trac engine loads and uses this extension.
- Configure account-manager.
- Create a new section [infocard_acct] in the .ini file
Enable components
To properly enable the plugin you must disable Trac's and the account manager's LoginModules, and enable the AccountManagerPlugin and InfoCardAccountPlugin components in the [components] section of trac.ini:
[components]
trac.web.auth.LoginModule = disabled
acct_mgr.* = enabled
acct_mgr.web_ui.LoginModule = disabled
infocard_acct.* = enabled
For complete details on configuring the AccountManagerPlugin please visit AccountManagerPlugin. The InfoCardAccountPlugin adds two new password stores, TracDBUserStore and LDAPUserStore which are enabled as follows:
[account-manager]
# any password store supported by acct-mgr, including TracDBUserStore and LDAPUserStore
password_store = LDAPUserStore
If you use the LDAPUserStore then the following options are supported in the [ldap_user_store] section:
[ldap_user_store]
# any ldap query url; its usage matches the AuthLDAPURL from mod_ldap in apache
# http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl
url = ldaps://bandit-project.org/ou=people,dc=wag,dc=bandit-project,dc=org?uid?sub?(objectClass=inetOrgPerson)
# If your ldap server requires authentication to search for users, please provide that name and password
#bind_user =
#bind_password =
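As an added illustration (not the plugin's own code), the following splits an AuthLDAPURL-style value like the url above into host, base DN, attribute, scope and filter, and builds the per-user lookup with RFC 4515 filter escaping so a typed login name cannot alter the query structure; the defaults for missing fields follow mod_authnz_ldap, and the sample URL is the one from this section.

```python
# Added example, not part of the plugin: parse an AuthLDAPURL-style value such as
# the one in [ldap_user_store] and build the per-user lookup with filter escaping.
from urllib.parse import urlsplit

# Constructed sample, copied from the ldap_user_store example above.
CONSTRUCTED_URL = ("ldaps://bandit-project.org/ou=people,dc=wag,dc=bandit-project,dc=org"
                   "?uid?sub?(objectClass=inetOrgPerson)")

def parse_ldap_url(url):
    """Split host, base DN, attribute, scope and filter; defaults follow mod_authnz_ldap."""
    parts = urlsplit(url)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))          # pad missing ?attribute?scope?filter
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base": parts.path.lstrip("/"),
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
    }

def escape_filter_value(value):
    """RFC 4515 escaping: a user-supplied name cannot add or close filter components."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def user_search(url, username):
    """Return (base DN, scope, filter) for looking up one account, as a user store would."""
    cfg = parse_ldap_url(url)
    user_filter = "(%s=%s)" % (cfg["attribute"], escape_filter_value(username))
    return cfg["base"], cfg["scope"], "(&%s%s)" % (cfg["filter"], user_filter)
```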
Configuration Options
The InfoCardAccountPlugin configuration section [infocard_acct] supports the following:
[infocard_acct]
# file path to the server's ssl key, required to properly decrypt and validate security tokens
private_key_path = /etc/ssl/private/server.key.unsecure
# if the ssl key file requires a pass phrase, please supply that here
#private_key_pass_phrase = ifItoldYouItWouldBeBad
# Currently only TracDBAssociationStore is supported
association_store = TracDBAssociationStore
# A list of other sections in this configuration file which should be processed.
# These are additional blocks of data, each of which will result in an infocard icon display.
# Nothing is inherited between blocks. Please do not use anything but alpha-numeric characters
# in naming the configuration blocks. The list is space delimited.
infocard_definitions = permissiveinfocard
(... per object tag instance configuration ...)
Per object tag instance configuration: this can be part of the [infocard_acct] block or a separate block. It is everything needed to display an infocard icon on the page.
# Optional setting to display a debug page after accepting a security token
debug_page = False
# Space delimited list of optional claims
optional_claims = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
# Space delimited list of required claims
required_claims = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/hatsize
# Sample of setting an error to be just an informational warning. To upgrade/downgrade put the severity
# on the left and a list of items that you want to be that severity on the right.
# Valid severities are 'CRITICAL', 'DEBUG', 'ERROR', 'FATAL', and 'INFO'
INFO = signature-missing-InclusiveNameSpaces
# What header text is displayed above the infocard icon.
header_text = Generic InfoCard Login
# What help text is displayed above the infocard icon and below the header.
help_text = Use a personal or managed InfoCard to access your existing account.
#privacy_url =
#privacy_version = 1
#issuer =
#Audience =
# Type of token to be requested, currently this is either urn:oasis:names:tc:SAML:1.0:assertion or
# http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
# token_type = http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
# If the infocard is valid but not associated with any account use the associated_user to force
# the authentication to be a specific user.
associated_user = guest
# sample additional configuration block, results in a second infocard login icon.
[permissiveinfocard]
INFO = signature-missing-InclusiveNameSpaces validate-minimal-claims-present validate-audience-present validate-required-claims-present mismatched-audience validate-time-conditions-present validate-time-conditions-inrange
debug_page = True
header_text = Permissive Error Checking InfoCard Login
required_claims = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
help_text = Use any infocard to login, we won't enforce much and if not associated with a particular user we will allow authentication. By default this will allow you access as guest. This will also display a debug page with information about the submitted security token.
associated_user = guest
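To make the severity-override mechanism concrete, here is an added example (not the plugin's own code) that reads a block like [permissiveinfocard], collects the validation events listed above for a constructed token (audience, NotBefore/NotOnOrAfter window, required claims, InclusiveNamespaces in the signature), and accepts the token only when every remaining event has been downgraded to INFO or DEBUG. The default severities, the token layout and the exact check logic are assumptions, not the plugin's.

```python
# Added example, not the plugin's own code: applies a per-infocard block's severity
# overrides ("INFO = event event ...") and required_claims to the validation events
# raised for a token. Default severities and the token layout are assumptions.
from configparser import ConfigParser

SEVERITIES = ("CRITICAL", "DEBUG", "ERROR", "FATAL", "INFO")
DEFAULT_SEVERITY = dict.fromkeys((            # assumed: every event rejects by default
    "signature-missing-InclusiveNameSpaces", "validate-required-claims-present",
    "mismatched-audience", "validate-time-conditions-inrange"), "ERROR")
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

CONSTRUCTED_INI = """[permissiveinfocard]
INFO = signature-missing-InclusiveNameSpaces mismatched-audience
required_claims = %s
""" % EMAIL

CONSTRUCTED_TOKEN = {                         # stands in for a parsed SAML assertion
    "audience": "https://other.example/",
    "not_before": 1000, "not_on_or_after": 1300,   # NotBefore / NotOnOrAfter, epoch seconds
    "claims": {EMAIL: "user@example.org"},
    "inclusive_namespaces": False,            # signature lacks InclusiveNamespaces
}

def load_block(ini_text, section):
    """Return ({event: severity}, [required claim URIs]) for one infocard block."""
    cp = ConfigParser()
    cp.optionxform = str                      # keep 'INFO'/'ERROR' keys upper-case
    cp.read_string(ini_text)
    overrides = {}
    for key, value in cp.items(section):
        if key in SEVERITIES:
            for event in value.split():
                overrides[event] = key
    return overrides, cp.get(section, "required_claims", fallback="").split()

def validate_token(token, audience, now, overrides, required):
    """Run the checks, grade each event, accept only if none is left at error level."""
    events = []
    if token.get("audience") != audience:
        events.append("mismatched-audience")
    if not (token["not_before"] <= now < token["not_on_or_after"]):
        events.append("validate-time-conditions-inrange")
    if any(claim not in token["claims"] for claim in required):
        events.append("validate-required-claims-present")
    if not token.get("inclusive_namespaces"):
        events.append("signature-missing-InclusiveNameSpaces")
    graded = [(e, overrides.get(e, DEFAULT_SEVERITY[e])) for e in events]
    accepted = all(sev in ("INFO", "DEBUG") for _, sev in graded)
    return accepted, graded
```

Note that the time-window event is not downgraded in the sample block, so an expired token is still rejected even though audience and signature events are only logged.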
trac-admin-acct
This is a configuration tool similar to trac-admin. Before the InfoCardAccountPlugin is fully functional, you must either run trac-admin [path to env] upgrade or run the configuration tool with at least the initenv card option.
trac-admin-acct /var/trac/rpset initenv card
usage
trac-admin-acct supports both command line and interactive modes.
interactive usage
For a list of options supported by trac-admin-acct, start the tool giving it the path to the trac environment and type help.
trac-admin-acct /var/trac/rpset >help
command line usage
Usage: trac-admin-acct </path/to/projenv> [command [subcommand] [option ...]]
Invoking trac-admin-acct without command starts interactive mode.
help
-- Show documentation
initenv
-- create all the database tables for infocard account manager
initenv user
-- create just the user / passwordhash table
initenv card
-- create just the cardkey association table
cleanenv
-- delete all the database tables for infocard account manager
cleanenv user
-- delete just the user / passwordhash table
cleanenv card
-- delete just the cardkey association table
user list
-- Show user
user add <name> <clear text password>
-- Add user
user rename <name> <newname>
-- Rename user
user remove <name>
-- Remove user (leaves permissions etc.)
Gory Details
Account Associations
LDAPUserStore
Known limitations
- #278: Python RP should properly handle expected claims with attached attributes
- #280: RP should be reviewed for potential injection attacks
- #281: Python RP should handle special chars in claim values
- #282: Python RP should be enhanced to support SAML 2.0 tokens
- #287: Python RP should verify that no namespaces are used which are not part of the inclusive namespaces element
- #288: TRAC RP should have better identity selector and browser add-on support
Testing
In addition to the unit tests and developer tests run, this plugin was also part of an OSIS interop event; all issues identified at that event have been resolved.
Testing has been primarily on opensuse versions of Linux.
History
- v0.2: Removed dev tag; functionality is ready to be deployed to real sites. Fixes to infocard validity checking: empty tokens, unknown token type, missing audience, incorrect audience, missing claims, additional claims, missing NotOnOrAfter or NotBefore. Support SAML 1.0 and 1.1 namespaces. Allow more than one infocard login on the /login page, each with its own header, help, required claims, optional claims, token type, issuer, error checking, debug page and processing. Added the ability to upgrade or downgrade the severity of any of the events which are generated while parsing the token.
- v0.1: First crack at extending the AccountManagerPlugin to support LDAP and the Trac database as user stores, and accept Information Cards as an authentication mechanism from any user store.
Author/Contributors
Author: dbuss, bandit-dev@…
Contributors: See the setup.py file, this extension utilizes code from several sources.