.git/tests, branch gssapi_test Unnamed repository; edit this file 'description' to name the repository. Pull the GSSAPI principal out of the userattrs 2015-05-06T20:00:24+00:00 Rob Crittenden rcritten@redhat.com 2015-05-05T16:37:31+00:00 dd6432197b3da4be32dd00c84bfe413ac04a802d This was originally getting the principal from the user object itself which meant it was looking for it in the database. Look in the attributes instead which are stored in the user session. Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
This was originally getting the principal from the
user object itself which meant it was looking for
it in the database. Look in the attributes instead
which are stored in the user session.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Enable Kerberos NameID testing in testnameid 2015-05-06T20:00:24+00:00 Rob Crittenden rcritten@redhat.com 2015-05-05T15:27:14+00:00 b8ba1b440e0ddee478ed14480e608a2cfde10c7a Since there is now an easy way to stand up a KDC in the tests go ahead and enable it so the Kerberos NameID can be tested. Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Since there is now an easy way to stand up a KDC in the
tests go ahead and enable it so the Kerberos NameID can be
tested.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Configure a KDC, add test for GSSAPI/Kerberos 2015-05-06T20:00:24+00:00 Rob Crittenden rcritten@redhat.com 2015-04-28T14:52:55+00:00 9cbeccde3151029d70bedb0579482e10a5cbab7b Using nss_wrappers so we can control host names we can setup a KDC and test GSSAPI, including fallback to forms-based auth. This also means that fetch_page() needs to handle 401 a bit better, so it can re-try a failed authentication or fall back to forms-based auth. Note for posterity: if gss_localname() fails this is likely due to using the wrong krb5.conf in Apache, so pass in all environment variables. The KDC setup code was based heavily on the tests in the gssproxy project. https://fedorahosted.org/ipsilon/ticket/116 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Using nss_wrappers so we can control host names we can
setup a KDC and test GSSAPI, including fallback to
forms-based auth.

This also means that fetch_page() needs to handle 401
a bit better, so it can re-try a failed authentication or
fall back to forms-based auth.

Note for posterity: if gss_localname() fails this is likely
due to using the wrong krb5.conf in Apache, so pass in all
environment variables.

The KDC setup code was based heavily on the tests in the
gssproxy project.

https://fedorahosted.org/ipsilon/ticket/116

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Change references to authkrb plugin to authgssapi 2015-04-28T21:30:07+00:00 Rob Crittenden rcritten@redhat.com 2015-04-28T19:16:54+00:00 68b9e1d3138784c3793f0a04c411f14168748692 With the switch to mod_auth_gssapi we aren't limited to only negotiated Kerberos so name the plugin to reflect this. https://fedorahosted.org/ipsilon/ticket/114 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
With the switch to mod_auth_gssapi we aren't limited to only
negotiated Kerberos so name the plugin to reflect this.

https://fedorahosted.org/ipsilon/ticket/114

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Insert a small timeout before reporting the test successful 2015-04-28T19:50:28+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-04-28T18:26:40+00:00 f1ecda1fe05e3f7d5c0a1a5d33d11c619442416f This is so the OS gets enough time to clean up all of the sockets used during the execution of the test. Without this, sometimes a "port already in use" error will fail the next test. Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This is so the OS gets enough time to clean up all
of the sockets used during the execution of the test.
Without this, sometimes a "port already in use" error
will fail the next test.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add OpenID test suite 2015-04-28T18:53:06+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-04-28T17:11:12+00:00 86f5401c7cb620046b6dd7730844998dec595f43 This tests core OpenID and the Attribute Exchange, Simple Registration and Teams extensions. Using a small wsgi tool because mod_auth_openid does not support all extensions. Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This tests core OpenID and the Attribute Exchange,
Simple Registration and Teams extensions.

Using a small wsgi tool because mod_auth_openid does
not support all extensions.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Close database sesssions 2015-04-15T14:35:04+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-04-14T11:00:25+00:00 800b39df6e2c65fa06a0d5da48002bb26b83b435 This will close any opened database sessions at the end of the request. https://fedorahosted.org/ipsilon/ticket/110 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This will close any opened database sessions at the end
of the request.

https://fedorahosted.org/ipsilon/ticket/110

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add test for per-SP allowed and mapping attributes 2015-04-10T14:41:22+00:00 Rob Crittenden rcritten@redhat.com 2015-04-09T19:11:39+00:00 1055b7bc810139d1e6ee3c225bcfba7b88e7aeab This buidls up a specific global mapping and allowed attributes then creates an SP-specific configuration which differs enough to confirm that it is in fact overriding the default. It finishes by removing the per-SP configuration and ensuring that it falls back to the IdP-default. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
This buidls up a specific global mapping and allowed attributes then
creates an SP-specific configuration which differs enough to confirm
that it is in fact overriding the default. It finishes by removing the
per-SP configuration and ensuring that it falls back to the IdP-default.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Validate SP names for admin pages and REST 2015-04-02T03:18:39+00:00 Nathan Kinder nkinder@redhat.com 2015-04-02T00:36:22+00:00 8ffd2629c6554124e7e3b15dce10275a2efd8261 We were previously only validating the SP name in the admin pages for SP creation and update. The REST API would allow a SP to be created with an invalid name, which would break the ability to manage that SP in the admin pages. This patch moves the SP name validation logic out of the admin page code and centralizes it in the provider creation code. This ensures that validation will occur regardless of the interface that is used. In addition, a helper method is added to allow the admin page to check if a name is valid during update operations. https://fedorahosted.org/ipsilon/ticket/102 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
We were previously only validating the SP name in the admin pages
for SP creation and update.  The REST API would allow a SP to be
created with an invalid name, which would break the ability to
manage that SP in the admin pages.

This patch moves the SP name validation logic out of the admin
page code and centralizes it in the provider creation code.  This
ensures that validation will occur regardless of the interface
that is used.  In addition, a helper method is added to allow
the admin page to check if a name is valid during update operations.

https://fedorahosted.org/ipsilon/ticket/102

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Allow SP registration from ipsilon-client-install 2015-04-02T02:54:20+00:00 Nathan Kinder nkinder@redhat.com 2015-03-31T02:36:04+00:00 9600cff7a3f93529ab56044968b489030f74b76c This optionally allows a SAML SP to be registered with the IDP when running ipsilon-client-install. To register an SP, the following options are used: --saml-idp-url (Ipsilon IDP URL) --saml-sp-name (Name to register the SP as) --admin-user (Ipsilon admin user) --admin-password (Ipsilon admin password file) If the --saml-idp-url option is set, we attempt to register the SP. The --saml-sp-name option is required if you are registering a SP. The --admin-user already defaults to admin, so it only needs to be specified if your admin user has a different username. If the --admin-password option is not specified, we prompt for the password. The --saml-idp-metadata was previously required, but this option is redundant if the new --saml-idp-url option is specified and you are not using a local copy of the IDP metadata. You can now just use the --saml-idp-url option, and we build the metadata URL from it. This helps to minimize the number of required options when you are registering an SP during installation. https://fedorahosted.org/ipsilon/ticket/101 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This optionally allows a SAML SP to be registered with the IDP when
running ipsilon-client-install.  To register an SP, the following
options are used:

  --saml-idp-url   (Ipsilon IDP URL)
  --saml-sp-name   (Name to register the SP as)
  --admin-user     (Ipsilon admin user)
  --admin-password (Ipsilon admin password file)

If the --saml-idp-url option is set, we attempt to register the SP.
The --saml-sp-name option is required if you are registering a SP.
The --admin-user already defaults to admin, so it only needs to be
specified if your admin user has a different username.  If the
--admin-password option is not specified, we prompt for the password.

The --saml-idp-metadata was previously required, but this option is
redundant if the new --saml-idp-url option is specified and you are
not using a local copy of the IDP metadata.  You can now just use
the --saml-idp-url option, and we build the metadata URL from it.
This helps to minimize the number of required options when you are
registering an SP during installation.

https://fedorahosted.org/ipsilon/ticket/101

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>