lp://staging/~roadmr/canonical-identity-provider/bulk-caveat-id-macaroon-discharge

Created by Daniel Manrique and last modified
Get this branch:
bzr branch lp://staging/~roadmr/canonical-identity-provider/bulk-caveat-id-macaroon-discharge

Branch information

Owner: Daniel Manrique
Project: Canonical SSO provider
Status: Development

Recent revisions

1596. By Daniel Manrique

Ahh, so that's what simple_macaroon is for

1595. By Daniel Manrique

Documentation for the discharge endpoint explaining the single/multiple caveat_id flow.

Didn't document the old "root_macaroon(s)" API on purpose because it's deprecated and consumers
should NOT use it.

1594. By Daniel Manrique

Small simplification of test

1593. By Daniel Manrique

Test for mixed caveat_ids: a good one and a bogus, corrupty one

1592. By Daniel Manrique

Allow sending multiple caveat_ids to MacaroonDischargeHandler.

The semantics are similar to the old macaroons parameter (contrast with
macaroon). A new payload parameter caveat_ids is supported, should receive
a list of lists/tuples with numeric_id/caveat_id and should send back a
list of numeric_id/3rd_party_discharge (or a nice error) for each.

1591. By Daniel Manrique

Test for multiple 'good' caveat_id macaroon discharging

1590. By Daniel Manrique

Add SP-specific metadata view.

This allows URLs such as /+saml/metadata/4. If the SP with id 4 has a
custom certificate, it will be used in the metadata. If not, valid metadata
with the default global cert is shown. If no SP with the given primary key exists,
a 404 is raised.

This avoids having to tell SPs "use this metadata URL but this certificate
because the one in the metadata is bad".

The intended flow would be:

1- create the SPConfig, even if with partial config.
2- Add a custom cert
3- We can now give the SP's support people a metadata link with nice certificate.

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/metadata-with-custom-cert/+merge/334994

1589. By Daniel Manrique

Use the SAML remote's configured certificate, if present.

This allows setting a custom certificate per RP. RPs for which this
field is empty fall back to the global certificate configured in settings.

All certificates must be generated from the global private key in settings,
which is a single setting for all RPs.

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/pass-custom-cert-to-django-saml2-idp/+merge/334984

1588. By Daniel Manrique

Add "certificate" field to SAMLConfig model.

This allows setting a custom certificate per RP. RPs for which this
field is empty fall back to the global certificate configured in settings.

All certificates must be generated from the global private key in settings,
which is a single setting for all RPs.

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/samlconfig-certificate-field/+merge/334784

1587. By Daniel Manrique

Revert r1586 because it broke non-Canonical logins to support.canonical.com

Mechanical revert by bzr merge -r 1586..1585 ./

Merged from https://code.launchpad.net/~roadmr/canonical-identity-provider/revert-r1586/+merge/334679

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp://staging/canonical-identity-provider/release
This branch contains Public information 
Everyone can see this information.