.git, branch save_session Unnamed repository; edit this file 'description' to name the repository. Save user attributes on subsequent calls to login. 2015-03-16T18:58:05+00:00 Rob Crittenden rcritten@redhat.com 2015-03-16T18:34:24+00:00 fc0428f616af69d2bf0f47df1c964a249e6306dc When a login comes in via the remote_login() call no user attributes are set. These may be later filled in by a subsequent call to login() after the info plugins are called but a short-circuit in that function exits if the user matches the current session. Add an extra conditional such that if the user matches, userattributes are passed in and the current user attributes for this user is empty then save the new data. https://fedorahosted.org/ipsilon/ticket/86 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
When a login comes in via the remote_login() call no
user attributes are set. These may be later filled in by
a subsequent call to login() after the info plugins are
called but a short-circuit in that function exits if the
user matches the current session.

Add an extra conditional such that if the user matches,
userattributes are passed in and the current user attributes
for this user is empty then save the new data.

https://fedorahosted.org/ipsilon/ticket/86

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Add test for multi-SP logout 2015-03-16T17:47:45+00:00 Rob Crittenden rcritten@redhat.com 2015-03-04T22:49:40+00:00 e46c8f615f867d09ce76ee269b0ba81445ad320b Create an additional SP, log into one, fetch the other and the client is now logged into both. Log out of the first one and the client is logged out of both. https://fedorahosted.org/ipsilon/ticket/58 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Create an additional SP, log into one, fetch the other and
the client is now logged into both. Log out of the first one
and the client is logged out of both.

https://fedorahosted.org/ipsilon/ticket/58

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Set MALLOC_CHECK_ and MALLOC_PERTURB_ to catch memory problems 2015-03-16T17:47:41+00:00 Rob Crittenden rcritten@redhat.com 2015-03-04T22:36:29+00:00 e79330365b0da99c57d22e18df5df0760712ad7f MALLOC_CHECK_ set to 3 should abort if a memory problem is found. MALLOC_PERTURB_ should catch any usage of freed memory. Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
MALLOC_CHECK_ set to 3 should abort if a memory problem is found.

MALLOC_PERTURB_ should catch any usage of freed memory.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Enable Apache access log and core dump in tests 2015-03-16T17:47:17+00:00 Rob Crittenden rcritten@redhat.com 2015-03-04T22:33:31+00:00 0ed1c2f8e804400a0b9e94e191f03ec135338727 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Don't explicitly save sessions 2015-03-12T19:36:33+00:00 Nathan Kinder nkinder@redhat.com 2015-03-11T23:51:29+00:00 22e983978fcbd84896468017dd5bdacf8a18cf3c Saving a session causes it to be unlocked, but sessions have a hook that also performs a save just before the session is finalized. In CherryPy 3.3.0 and later, an assertion was added to ensure that a session is locked when trying to perform a save. Since we perform explicit saves in our code, this causes the assertion to be tripped when the hook executes. This patch removes our explicit save calls. We should rely on the hook to save and unlock the session. https://fedorahosted.org/ipsilon/ticket/84 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Saving a session causes it to be unlocked, but sessions have a
hook that also performs a save just before the session is finalized.
In CherryPy 3.3.0 and later, an assertion was added to ensure that
a session is locked when trying to perform a save.  Since we perform
explicit saves in our code, this causes the assertion to be tripped
when the hook executes.

This patch removes our explicit save calls.  We should rely on the
hook to save and unlock the session.

https://fedorahosted.org/ipsilon/ticket/84

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Proper fallback from referer to REQUEST_URI 2015-03-12T18:48:11+00:00 Simo Sorce simo@redhat.com 2015-03-12T17:51:04+00:00 078942b2cf6d73697f4c6b8a28cabe940f358532 If the referer is present but does not contain a transaction ID we still need to fallback to the REQUEST_URI. Fix the code to check the url and then fallback to REQUEST_URI rathe than decide upfront merely on the fact a referer is available. https://fedorahosted.org/ipsilon/ticket/74 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
If the referer is present but does not contain a transaction ID we still
need to fallback to the REQUEST_URI. Fix the code to check the url and
then fallback to REQUEST_URI rathe than decide upfront merely on the
fact a referer is available.

https://fedorahosted.org/ipsilon/ticket/74

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Validate SP path settings during installation 2015-03-11T13:48:55+00:00 Nathan Kinder nkinder@redhat.com 2015-03-11T03:02:07+00:00 a1bcbfd426a6c3860edf53e12da32ff6daad4442 There are a number of URL path options that can be specified as options when running ipsilon-client-install. There are certain rules that must be followed to result in a valid mod_auth_mellon configuration: - All path options must be prefixed with '/'. - The mellon endpoint path (--saml-sp) must be a subpath of the httpd 'Location' element is it contained within (--saml-base). - The logout (--saml-sp-logout) and post (--saml-sp-post) paths must be subpaths of the mellon endpoint (--saml-sp). This adds validation for all of the above rules. https://fedorahosted.org/ipsilon/ticket/82 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
There are a number of URL path options that can be specified as
options when running ipsilon-client-install. There are certain
rules that must be followed to result in a valid mod_auth_mellon
configuration:

 - All path options must be prefixed with '/'.

 - The mellon endpoint path (--saml-sp) must be a subpath of the
   httpd 'Location' element is it contained within (--saml-base).

 - The logout (--saml-sp-logout) and post (--saml-sp-post) paths
   must be subpaths of the mellon endpoint (--saml-sp).

This adds validation for all of the above rules.

https://fedorahosted.org/ipsilon/ticket/82

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add mod_wsgi display name for Ipsilon WSGI process 2015-03-11T13:39:10+00:00 Nathan Kinder nkinder@redhat.com 2015-03-11T03:12:03+00:00 f06950e46262e4899f42ba3b197525bb2b88b9cb This adds the mod_wsgi display-name setting to allow the Ipsilon WSGI process to show up with a useful process name instead of 'httpd'. This allows one to easily distinguish the WSGI process from other httpd processes. https://fedorahosted.org/ipsilon/ticket/62 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This adds the mod_wsgi display-name setting to allow the Ipsilon
WSGI process to show up with a useful process name instead of
'httpd'.  This allows one to easily distinguish the WSGI process
from other httpd processes.

https://fedorahosted.org/ipsilon/ticket/62

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add Cache-Control header to prevent browser caching of SAML auth location 2015-03-10T22:24:08+00:00 Nathan Kinder nkinder@redhat.com 2015-03-10T18:22:47+00:00 d67664fbffe9c380a354abe115ee5afa1ff968be We should prevent browser caching of the SAML auth location that we configure for an SP. This can be easily done by adding the following directive to that location in the httpd config: Header append Cache-Control "no-cache" https://fedorahosted.org/ipsilon/ticket/81 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
We should prevent browser caching of the SAML auth location that we
configure for an SP. This can be easily done by adding the following
directive to that location in the httpd config:

    Header append Cache-Control "no-cache"

https://fedorahosted.org/ipsilon/ticket/81

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Require SSL on SP when using --saml-secure-setup 2015-03-10T22:24:01+00:00 Nathan Kinder nkinder@redhat.com 2015-03-10T03:28:47+00:00 42700be962e245243f10c30a29c41fcda1f3f712 If ipsilon-client-install is used with the --saml-secure-setup option (which is set by default), only https connections will work for authentication. We are not setting the SSLRequireSSL directive though, so we set mellon up to fail. This patch adds the SSLRequireSSL directive to the SP config when --saml-secure-setup is specified. In addition, we add a rewrite rule to rewrite http requests to https for the SP. https://fedorahosted.org/ipsilon/ticket/80 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
If ipsilon-client-install is used with the --saml-secure-setup
option (which is set by default), only https connections will
work for authentication.  We are not setting the SSLRequireSSL
directive though, so we set mellon up to fail.

This patch adds the SSLRequireSSL directive to the SP config
when --saml-secure-setup is specified.  In addition, we add a
rewrite rule to rewrite http requests to https for the SP.

https://fedorahosted.org/ipsilon/ticket/80

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>