~maxiberta/canonical-identity-provider/vanilla-sshkeys-debug : changes

~maxiberta/canonical-identity-provider/vanilla-sshkeys-debug » Changes from revision 1710

From Revision 1693 to 1674

Rev	Summary	Authors	Date
1693	Updated invalid username error message in account registrati... Updated invalid username error message in account registration/edit form. Merged from https://code.launchpad.net/~matiasb/canonical-identity-provider/updated-username-error-msg/+merge/369005	Matias Bordese	4 years ago
1692	Allow generation of gdpr report from the email changelist. Allow generation of gdpr report from the email changelist. Previously, this was only doable from the account changelist, but the main search criteria for gdpr requests is email address; so it's cumbersome to first search for an email address, grab e.g. the openid to do a search in the account changelist, and then build the gdpr report there. The tests try not to duplicate things that are already tested in the account gdpr report tests. Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/gdpr-report-from-email/+merge/368565	Daniel Manrique	4 years ago
1691	update bson 0.3.4 update bson 0.3.4 Merged from https://code.launchpad.net/~verterok/canonical-identity-provider/update-bson-0.3.4/+merge/367924	Guillermo Gonzalez	5 years ago
1690	make it work in xenial make it work in xenial Merged from https://code.launchpad.net/~verterok/canonical-identity-provider/xenial-port/+merge/366731	Guillermo Gonzalez	5 years ago
1689	Show friendly help if we can't find the openid session token... Show friendly help if we can't find the openid session token from a validation link The most common reason for that is initiating a login on a third-party site, creating the account in sso as part of the flow, then clicking on the activation link on another device or browser. SO instead of sending people to a terse 404 page which causes them to fume and come file bugs which end up as dupes of https://pad.lv/1693375, the new (still a 404-code) page explains what to do and provides a link where they can validate their e-mail address out of the third-party login flow (which is the workaround we recommend anyway, after painful back and forth checking the format of the link they clicked on and referring to the cited bug) Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/better-evil-token-instructions/+merge/367285	Daniel Manrique	5 years ago
1688	Consolidating username validation with LP. Consolidating username validation with LP. Merged from https://code.launchpad.net/~cprov/canonical-identity-provider/username-validation-ng/+merge/367193	Celso Providelo	5 years ago
1687	Enable the zh-tw language support for Ubuntu One web UI. Enable the zh-tw language support for Ubuntu One web UI. Merged from https://code.launchpad.net/~cypressyew/canonical-identity-provider/canonical-identity-provider/+merge/366307	Po-Hsu Lin	5 years ago
1686	New privileged API for checking username availability. New privileged API for checking username availability. Merged from https://code.launchpad.net/~cprov/canonical-identity-provider/usernames-api/+merge/365688	Celso Providelo	5 years ago
1685	SAML: Ensure all dicts used to build assertions contain only... SAML: Ensure all dicts used to build assertions contain only utf-8-encoded data. The SAML library we use assumes use only of ascii inputs and parameters and Python 2 str <-> unicode implicit conversion intricacies. Some of those assumptions are broken by SSO's use of the library and particularly the CanonicalProcessor, which gets a lot of those assertion parameters and attributes from the database; SP config parameters, custom attributes come from Django ORM and are thus unicode, and since the SAML library doesn't do explicit unicode data encoding, it barfs when implicit conversions for unicode data that contains non-ascii characters are attempted, particularly when using the python string.Template classes and base64-encoding the final assertion;these behave predictably badly when given a str template and fed unicode substitution values. Since the output is expected to be utf8-encoded XML, this MP just ensures all the pieces used by the library to assemble, sign and encode the assertion are sent as utf8-encoded strs rather than unicodes. This problem was only exposed when we added a new "full name" substitution for SAML attributes: up until now, by some fluke, all the date we fed to the SAML library was ascii-only and so even when we were sending mixed strs and unicodes back and forth, implicit conversion of unicode to str worked fine and the problem went undetected. However, fullnames, unlike URLs and other identifiers, usernames and OpenIDs, understandably can contain non-ascii characters. Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/saml-unicode/+merge/365615	Daniel Manrique	5 years ago
1684	Allow username edit via privileged API. Allow username edit via privileged API. Merged from https://code.launchpad.net/~cprov/canonical-identity-provider/username-edit-api/+merge/365792	Celso Providelo	5 years ago
1683	Stop accepting usernames with DOTs and PLUSes. Stop accepting usernames with DOTs and PLUSes. Merged from https://code.launchpad.net/~cprov/canonical-identity-provider/cleaner-usernames/+merge/365370	Celso Providelo	5 years ago
1682	Add GDPR report admin action for accounts. Add GDPR report admin action for accounts. The intent is to have a read-only, copy-pasteable view for GDPR requests. Currently the information to be reported is scattered between the Account change form and the auth logs changelist. The Account form contains most of the relevant data but since it's a form, it can't be cleanly copy-pasted. If more GDPR-relevant information is required, this view can easily be expanded to present that as well. Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/gdpr-report/+merge/365134	Daniel Manrique	5 years ago
1681	Do not store/use an OATH TOTP client's calculated "absolute ... Do not store/use an OATH TOTP client's calculated "absolute drift". Per LP bug #1817075, the "stored absolute drift" functionality of python-oath is broken and allows a client to reuse a token that is just expired (due to allowing relative drift of +/-30 seconds), and keep reusing it just past the end of the previously-calculated absolute drift to keep it "alive" indefinitely. A side-effect of this is that we will require OATH TOTP devices to have accurate clocks, which is deemed acceptable since the vast majority of clients are either phones or computers. "Accurate" is quite lenient though, because a device can be +/- 45 seconds off and still generate valid codes. Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/non-drifting-totp/+merge/363558	Daniel Manrique	5 years ago
1680	Add two new substitutions to be used in SAML attribute value... Add two new substitutions to be used in SAML attribute values. "displayname" is normally the users' Full Name in SSO. "email" is the e-mail address. These enable reporting richer SAML attributes to SPs who can then create nicer-looking local identities. Additionally, the existence of the e-mail attribute/substitution might allow for full compliance with the SAML 8.3 "persistent" policy, though this would require additional implementation work. Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/saml-extra-attribute-substitutions/+merge/362265	Daniel Manrique	5 years ago
1679	Actually honor SAML AuthnRequests' NameIDPolicy format. Actually honor SAML AuthnRequests' NameIDPolicy format. This was done to accommodate SPs (Bomgar) which request persistent names, indicating so in their AuthnRequest. SSO usually ignores this and always sends "email"-policy names, which most SPs handle fine but Bomgar fails with. The fully-correct thing to do would be to always honor the AuthnRequest and support most/all of the SAML-specified policies, but that'd be a large effort and risks changing semantics for other SPs, which would prevent people from logging in, which would be bad. Another quirk is that, while we respond saying we're giving a persistent identifier, our identifier (the e-mail address) does NOT actually conform to persistent semantics per SAML spec's section 8.3; we are sending the same value (the e-mail address), just saying it's "persistent" as requested by the SP. We do have a persistent identifier (the OpenID) but we can't send that because then it gets sent as the username, identifier, and email address. Again, support for this can be added to our django-saml2-idp fork but it's more work for something that at the moment is required only by one SP. Due do the above, in order to support Bomgar (and possibly other SPs) in a more selective way, we only honor a non-email NameIDPolicy if: - the SP is configured to honor this (a boolean in the SPConfig) - the requested NameID policy is "persistent". This allows us to switch this on only for very specific SPs for which we have more control and fully understand the consequences of "lying" with our "persistent" support. In all other cases, we continue ignoring/overriding this and always sending our response with "email" policy. (As a rant, the best thing to do would be to trash our hacky SAML library and integrate OneLogin's SAML library which is fully standards-compliant, which is however a huge undertaking we would have to consider and prioritize) Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/support-saml-persistent-nameid-policy-format/+merge/361982	Daniel Manrique	5 years ago
1678	Add honor_authnrequest_nameidpolicy_format boolean field to ... Add honor_authnrequest_nameidpolicy_format boolean field to SAMLConfig. The intended use is to enable honoring the nameid policy format requested by the SP's AuthnRequest, on a config-by-config basis. This is done because a change to fully support honoring this with appropriate semantics is large and likely to break existing remotes, so this allows a smaller change that works for specific remotes. Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/honor-authnrequest-nameid-policy-format-field/+merge/361981	Daniel Manrique	5 years ago
1677	Redirect forgot password valid POST to email-sent view regar... Redirect forgot password valid POST to email-sent view regardless of whether the account exists or not. Merged from https://code.launchpad.net/~maxiberta/canonical-identity-provider/prevent-forgot-password-user-enumeration/+merge/361166	Maximiliano Bertacch...	5 years ago
1676	Pre-fill forgot password form with email value entered in th... Pre-fill forgot password form with email value entered in the login form. Merged from https://code.launchpad.net/~maxiberta/canonical-identity-provider/smarter-forget-password-link/+merge/361579	Maximiliano Bertacch...	5 years ago
1675	Remove the expiry caveat from the discharge macaroon. Remove the expiry caveat from the discharge macaroon. Merged from https://code.launchpad.net/~twom/canonical-identity-provider/unexpiring-discharge-macaroon/+merge/359240	Tom Wardill	5 years ago
1674	Show a nice error message at user registration and reset pas... Show a nice error message at user registration and reset password views when the API returns 429 - too many requests. Merged from https://code.launchpad.net/~maxiberta/canonical-identity-provider/fix-429-crash/+merge/361148	Maximiliano Bertacch...	5 years ago

Older »