This increases data inconsistency and also performance of the whole
update process: SqlAlchemy can use its own caching better with a single
transaction as it does not need to mark already fetched objects as dirty
and so re-fetch them again on later use. So after deleting a domain,
we can still use the previously fetched domain objects for the update
operations afterwards. Otherwise SqlAlchemy had to fetch each domain
object again with single SELECT statements which leads to bad
performance with many domains (>> 1000).
The introduced "do_commit" variable controls whether the database
changes are to be committed by the caller or in the called method
itself. So we can use a single transaction for the Domain.update()
method while still preserving the previous behavior for other callers.
Closes#428.
The new setting 'verify_ssl_connections' tells the requests library to
verify secured outgoing HTTP connections.
Usually verifying is desired and helps to reveal configuration
problems. It also disables an ugly warning when HTTPS connections
are made without verification.
Enhancements:
- More robust check when creating self-signed certificates
- Added support for SAML Requested Attributes through "SAML_SP_REQUESTED_ATTRIBUTES" parameter
Problems resolved:
- Method create_self_signed_cert() was invoked nowhere. This puts parameter "SAML_SIGN_REQUEST" description in configs/development.py as incorrect
- Method create_self_signed_cert() was returning error while trying to write out certificate and private key. File handler was opened for writing out TEXT instead of BINARY data
Enhancements:
- Two new parameters are introduced SAML_CERT_FILE and SAML_KEY_FILE. User can now explicitly define own certificate and key file anywhere on file-system.
- If parameters mentioned in previous bullet aren't explicitly defined, in PowerDNS-Admin root directory self-signed certificate will be created.
- Certificates will be used or generated in any case, because in saml.py there are explicit parameters defined which require certificate/key in order to work normally. If they aren't, exception will be thrown. Examples of parameters defined in saml.py requiring certificate: wantAssertionsEncrypted, signMetadata, wantAssertionsSigned.
- Add session handler on other blueprint's before request
- Adjustment in using jTimeout to close warning popup on
other tabs when we extend the session
From my perspective, if agreed, this change can be merged, because the basic SAM auth. functionality is now present
and was tested with "samlidp.io" iDP.
However, there are further improvements which I would like to integrate, but as a separate features in separate pull requests
- Function signatures inside SAML class were fixed
- Redirect URL for /saml/login path was modified (saml_authorized -> index.saml_authorized)
Current status is that SAML metadata can be generated under /saml/metadata and communication to SAML iDP is working
Problems remaining:
- SAML Response doesn't contain any attributes (There is no AttributeStatement on the Response). It can be that problem is on iDP side
- Background thread in retrieve_idp_data() cannot be spawned, this part is currently commented out, old code needs to be revisited
