Development #5530

Make migrating federations easier

Added by Benjamin Dauvergne almost 5 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Category:
-
Target version:
Start date:
17 Sep 2014
Due date:
13 Mar 2015
% Done:

100%

Patch proposed:
Yes
Planning:
No

Description

Since commit 21dfe1306 the identity dumps are once again generated from the name_id_qualifier and name_id_sp_name_qualifier fields of the LibertyFederation object, which makes migrating federations non-trivial.

The idea would be to store sentinels in these two fields, for example the value http://authentic.entrouvert.org/same_id/, to say that the value to put there is the same as the entity ID of the IdP or of the SP.

This requires a migration to fix the federations everywhere, and changes to the code that creates the identity dump and to the code that saves federations.

0001-Modify-federation-storage-so-that-we-can-store-feder.patch (31.4 KB) Benjamin Dauvergne, 05 Nov 2014 01:14 AM

0001-Modify-federation-storage-so-that-we-can-store-feder.patch (8.02 KB) Benjamin Dauvergne, 18 Mar 2015 03:46 PM

Associated revisions

Revision 8d8edc9c (diff)
Added by Benjamin Dauvergne over 4 years ago

Modify federation storage so that we can store federation relative to the provider model (fixes #5530)

If the content of name_id_qualifier or name_id_sp_name_qualifier is
equal to the issuer or service provider entity ID then we store a
sentinel value instead, meaning 'same as provider entity ID'. If we
change the provider entity, all federations are still correct.

History

#1 Updated by Benjamin Dauvergne almost 5 years ago

  • File 0001-Modify-federation-storage-so-that-we-can-store-feder.patch added
  • Patch proposed changed from No to Yes

#2 Updated by Benjamin Dauvergne almost 5 years ago

  • Status changed from New to In progress

#3 Updated by Frédéric Péters almost 5 years ago

Detail, could AUTHENTIC_SAME_ID_SENTINEL be urn:authentic:same-as-provider-entity-id, rather than a URL? (I think it makes the usage clearer)

And would it be possible to use that AUTHENTIC_SAME_ID_SENTINEL constant in 0040_plug_sentinel_value_in_libertyfederation_qualifiers.py?

The migration calls raw_input(), I fear this won't fly with packages :/ there's no way to get the entity id from the database?

#4 Updated by Benjamin Dauvergne almost 5 years ago

Frédéric Péters wrote:

Detail, could AUTHENTIC_SAME_ID_SENTINEL be urn:authentic:same-as-provider-entity-id, rather than a URL? (I think it makes the usage clearer)

Ok. I'm not a fan of using URNs, as to do it really formally we should obtain the namespace from IANA, but that's just pedantry.

And would it be possible to use that AUTHENTIC_SAME_ID_SENTINEL constant in 0040_plug_sentinel_value_in_libertyfederation_qualifiers.py?

Of course.

The migration calls raw_input(), I fear this won't fly with packages :/

It will block automatic updates, but it should work if the update is attended. What do you think ?

there's no way to get the entity id from the database?

Not with 100% certainty; we do not use django.contrib.sites, and it does not have the scheme, only the domain. It could be extracted from LibertyFederation if there are some, but it does not make the update safe.

#5 Updated by Benjamin Dauvergne almost 5 years ago

Updated patch. Sentinel changed to urn:authentic.entrouvert.org:same-as-provider-entity-id and SAME_ID constant re-used in migration.

#6 Updated by Frédéric Péters almost 5 years ago

It will block automatic updates, but it should work if the update is attended. What do you think ?

I still don't like it :/ Here's kind of a proposal: look for the value in the environment (let's say AUTHENTIC_IDP_ENTITY_ID_MIGRATION), and fall back on raw_input() (or even abort) if it's missing (and there are existing LibertyFederation and LibertyProvider objects); and add this info in the "How to upgrade to a new version of authentic" section of the README file, along with the recommended way to get the value from a running instance (is it looking in the saml metadata, or is there a better way?).

#7 Updated by Benjamin Dauvergne almost 5 years ago

Frédéric Péters wrote:

(is it looking in the saml metadata, or is there a better way?).

The URL is generated from each HTTP request, there is really no automatic way to get it from a script :/ You can deduce it from the virtual host configuration.

It will block automatic updates, but it should work if the update is attended. What do you think ?

I still don't like it :/ Here's kind of a proposal: look for the value in the environment (let's say AUTHENTIC_IDP_ENTITY_ID_MIGRATION), and fall back on raw_input() (or even abort) if it's missing (and there are existing LibertyFederation and LibertyProvider objects); and add this info in the "How to upgrade to a new version of authentic" section of the README file, along with the recommended way to get the value from a running instance

Ok.

#8 Updated by Frédéric Péters almost 5 years ago

Benjamin Dauvergne wrote:

Frédéric Péters wrote:

(is it looking in the saml metadata, or is there a better way?).

The URL is generated from each HTTP request, there is really no automatic way to get it from a script :/ You can deduce it from the virtual host configuration.

That's what I meant, so the instruction to get the value would be along the lines of "go to your site /idp/saml2/metadata, and take the entityId attribute", ok.

#9 Updated by Benjamin Dauvergne over 4 years ago

  • Target version set to future

#10 Updated by Benjamin Dauvergne over 4 years ago

  • Patch proposed changed from Yes to No

#11 Updated by Benjamin Dauvergne over 4 years ago

  • Due date set to 13 Mar 2015
  • Patch proposed changed from No to Yes

#12 Updated by Benjamin Dauvergne over 4 years ago

  • Patch proposed changed from Yes to No

#13 Updated by Benjamin Dauvergne over 4 years ago

  • File deleted (0001-Modify-federation-storage-so-that-we-can-store-feder.patch)

#14 Updated by Benjamin Dauvergne over 4 years ago

This new version contains a Django 1.7 migration, it does not ask anymore for the current IdP entity ID; we just logically imply that if name_id_qualifier is not empty then it must contain the current IdP entity id; if it's empty then it should stay so.

Federations as a service provider are completely ignored as authsaml2 is deprecated and new SAML 2.0 support as a service provider will be remade with django-mellon and will not use current SAML framework.
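The sentinel rule from the commit message (store the sentinel when a qualifier equals the provider entity ID, resolve it back when building the identity dump) and the migration rule from comment #14 (a non-empty name_id_qualifier becomes the sentinel, an empty one stays empty), written out as an added example that is not the project's own code. The LibertyFederation stand-in, the dump keys and the entity IDs are constructed for illustration; only the SAME_ID value and the field names come from the ticket.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Sentinel value agreed in comment #5: "same as provider entity ID".
SAME_ID = "urn:authentic.entrouvert.org:same-as-provider-entity-id"


@dataclass
class LibertyFederation:
    """Minimal stand-in for the Django model (not the real one); only the
    qualifier fields discussed in the ticket are modelled."""
    name_id: str
    name_id_qualifier: Optional[str]
    name_id_sp_name_qualifier: Optional[str]


def store_qualifier(value: Optional[str], provider_entity_id: str) -> Optional[str]:
    """Save-side rule: a qualifier equal to the provider's entity ID is stored
    as the sentinel; anything else (including empty) is stored verbatim."""
    return SAME_ID if value == provider_entity_id else value


def resolve_qualifier(stored: Optional[str], provider_entity_id: str) -> Optional[str]:
    """Load-side rule: the sentinel resolves to whatever the provider's entity
    ID is *now*, so renaming the provider does not break stored federations."""
    return provider_entity_id if stored == SAME_ID else stored


def identity_dump(fed: LibertyFederation, idp_entity_id: str, sp_entity_id: str) -> dict:
    """Build the qualifier part of an identity dump (hypothetical key names),
    resolving sentinels against the current IdP and SP entity IDs."""
    return {
        "name_id": fed.name_id,
        "name_id_qualifier": resolve_qualifier(fed.name_id_qualifier, idp_entity_id),
        "name_id_sp_name_qualifier": resolve_qualifier(fed.name_id_sp_name_qualifier, sp_entity_id),
    }


def migrate_idp_qualifiers(feds: Iterable[LibertyFederation]) -> int:
    """Comment #14 migration rule, applied in memory: a non-empty
    name_id_qualifier is assumed to hold the current IdP entity ID and is
    replaced by the sentinel; empty stays empty. SP-side qualifiers are left
    untouched, as the ticket says SP federations are ignored. Returns the
    number of rows changed."""
    changed = 0
    for fed in feds:
        if fed.name_id_qualifier and fed.name_id_qualifier != SAME_ID:
            fed.name_id_qualifier = SAME_ID
            changed += 1
    return changed
```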

#15 Updated by Benjamin Dauvergne over 4 years ago

  • Target version changed from future to 2.1.13

#16 Updated by Benjamin Dauvergne over 4 years ago

  • Target version changed from 2.1.13 to 2.2.0

#17 Updated by Benjamin Dauvergne over 4 years ago

  • Status changed from In progress to Resolved (to be deployed)
  • % Done changed from 0 to 100

#18 Updated by Benjamin Dauvergne over 3 years ago

  • Status changed from Resolved (to be deployed) to Solution deployed

#19 Updated by Benjamin Dauvergne over 1 year ago

  • Status changed from Solution deployed to Closed
