ipsilon.git/ipsilon, branch ticket_92 Unnamed repository; edit this file 'description' to name the repository. Allow SP installation to be on non-standard ports 2015-03-14T17:13:43+00:00 Nathan Kinder nkinder@redhat.com 2015-03-14T17:00:51+00:00 bd10f81c2ba0615ee77ab2ef3613dc242dbb0899 When setting up a SP using ipsilon-client-install, there is no ability to use a non-standard port. We should allow a port number to be specified that results in the proper URLs in the SP metadata. This patch adds a --port option to ipsilon-client-install. This is used in the construction of the URLs used in the SP metadata as well as in the httpd redirect rules if httpd is being configured. https://fedorahosted.org/ipsilon/ticket/92 Signed-off-by: Nathan Kinder <nkinder@redhat.com> 
When setting up a SP using ipsilon-client-install, there is no
ability to use a non-standard port.  We should allow a port number
to be specified that results in the proper URLs in the SP metadata.

This patch adds a --port option to ipsilon-client-install.  This is
used in the construction of the URLs used in the SP metadata as well
as in the httpd redirect rules if httpd is being configured.

https://fedorahosted.org/ipsilon/ticket/92
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Don't explicitly save sessions 2015-03-12T19:36:33+00:00 Nathan Kinder nkinder@redhat.com 2015-03-11T23:51:29+00:00 22e983978fcbd84896468017dd5bdacf8a18cf3c Saving a session causes it to be unlocked, but sessions have a hook that also performs a save just before the session is finalized. In CherryPy 3.3.0 and later, an assertion was added to ensure that a session is locked when trying to perform a save. Since we perform explicit saves in our code, this causes the assertion to be tripped when the hook executes. This patch removes our explicit save calls. We should rely on the hook to save and unlock the session. https://fedorahosted.org/ipsilon/ticket/84 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Saving a session causes it to be unlocked, but sessions have a
hook that also performs a save just before the session is finalized.
In CherryPy 3.3.0 and later, an assertion was added to ensure that
a session is locked when trying to perform a save.  Since we perform
explicit saves in our code, this causes the assertion to be tripped
when the hook executes.

This patch removes our explicit save calls.  We should rely on the
hook to save and unlock the session.

https://fedorahosted.org/ipsilon/ticket/84

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Proper fallback from referer to REQUEST_URI 2015-03-12T18:48:11+00:00 Simo Sorce simo@redhat.com 2015-03-12T17:51:04+00:00 078942b2cf6d73697f4c6b8a28cabe940f358532 If the referer is present but does not contain a transaction ID we still need to fallback to the REQUEST_URI. Fix the code to check the url and then fallback to REQUEST_URI rathe than decide upfront merely on the fact a referer is available. https://fedorahosted.org/ipsilon/ticket/74 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
If the referer is present but does not contain a transaction ID we still
need to fallback to the REQUEST_URI. Fix the code to check the url and
then fallback to REQUEST_URI rathe than decide upfront merely on the
fact a referer is available.

https://fedorahosted.org/ipsilon/ticket/74

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Validate SP path settings during installation 2015-03-11T13:48:55+00:00 Nathan Kinder nkinder@redhat.com 2015-03-11T03:02:07+00:00 a1bcbfd426a6c3860edf53e12da32ff6daad4442 There are a number of URL path options that can be specified as options when running ipsilon-client-install. There are certain rules that must be followed to result in a valid mod_auth_mellon configuration: - All path options must be prefixed with '/'. - The mellon endpoint path (--saml-sp) must be a subpath of the httpd 'Location' element is it contained within (--saml-base). - The logout (--saml-sp-logout) and post (--saml-sp-post) paths must be subpaths of the mellon endpoint (--saml-sp). This adds validation for all of the above rules. https://fedorahosted.org/ipsilon/ticket/82 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
There are a number of URL path options that can be specified as
options when running ipsilon-client-install. There are certain
rules that must be followed to result in a valid mod_auth_mellon
configuration:

 - All path options must be prefixed with '/'.

 - The mellon endpoint path (--saml-sp) must be a subpath of the
   httpd 'Location' element is it contained within (--saml-base).

 - The logout (--saml-sp-logout) and post (--saml-sp-post) paths
   must be subpaths of the mellon endpoint (--saml-sp).

This adds validation for all of the above rules.

https://fedorahosted.org/ipsilon/ticket/82

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add Cache-Control header to prevent browser caching of SAML auth location 2015-03-10T22:24:08+00:00 Nathan Kinder nkinder@redhat.com 2015-03-10T18:22:47+00:00 d67664fbffe9c380a354abe115ee5afa1ff968be We should prevent browser caching of the SAML auth location that we configure for an SP. This can be easily done by adding the following directive to that location in the httpd config: Header append Cache-Control "no-cache" https://fedorahosted.org/ipsilon/ticket/81 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
We should prevent browser caching of the SAML auth location that we
configure for an SP. This can be easily done by adding the following
directive to that location in the httpd config:

    Header append Cache-Control "no-cache"

https://fedorahosted.org/ipsilon/ticket/81

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Require SSL on SP when using --saml-secure-setup 2015-03-10T22:24:01+00:00 Nathan Kinder nkinder@redhat.com 2015-03-10T03:28:47+00:00 42700be962e245243f10c30a29c41fcda1f3f712 If ipsilon-client-install is used with the --saml-secure-setup option (which is set by default), only https connections will work for authentication. We are not setting the SSLRequireSSL directive though, so we set mellon up to fail. This patch adds the SSLRequireSSL directive to the SP config when --saml-secure-setup is specified. In addition, we add a rewrite rule to rewrite http requests to https for the SP. https://fedorahosted.org/ipsilon/ticket/80 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
If ipsilon-client-install is used with the --saml-secure-setup
option (which is set by default), only https connections will
work for authentication.  We are not setting the SSLRequireSSL
directive though, so we set mellon up to fail.

This patch adds the SSLRequireSSL directive to the SP config
when --saml-secure-setup is specified.  In addition, we add a
rewrite rule to rewrite http requests to https for the SP.

https://fedorahosted.org/ipsilon/ticket/80

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Find transaction ids for internal redirects 2015-03-06T20:15:31+00:00 Simo Sorce simo@redhat.com 2015-03-06T17:12:00+00:00 e0aa4f23846fa9f6bb0fb9eb021e930b035100eb On internal redirections, such as when ErrorDocument is used to redirect on failed negotiate authentication we need to look harder for the transaction id. Ticket: #74 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
On internal redirections, such as when ErrorDocument is used to
redirect on failed negotiate authentication we need to look harder
for the transaction id.

Ticket: #74

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Fix transaction ID passing for failed authentication 2015-03-03T15:32:37+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-03-03T03:39:05+00:00 06b387bcc632a8db9e812c9069247b10fe2b9695 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Require admin when accessing REST pages 2015-03-03T02:44:38+00:00 Rob Crittenden rcritten@redhat.com 2015-03-02T19:47:22+00:00 13b359d8e4682fb239cf02293aef3a1b235a2cf6 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Load and initialize REST in the SAML2 plugin 2015-02-27T21:11:43+00:00 Rob Crittenden rcritten@redhat.com 2015-02-26T20:56:55+00:00 38bda85cbff4ad9f53bc7ffcbc9e02a46bae79ec https://fedorahosted.org/ipsilon/ticket/26 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>