ipsilon.git, branch login_stacks The Ipsilon project Make availble a list of alternative aut methods 2015-04-27T16:46:39+00:00 Simo Sorce simo@redhat.com 2015-04-27T16:46:39+00:00 4ace945df3dee4b81012c3d14554139a4d03fc34 In the form case there is no way to automatically fallback to ther auth methods or even repeat transparent methods. Add a simple list of alternative auth methods under the description box so that the user can easily switch back and froth between them if desired. Fixes: https://fedorahosted.org/ipsilon/ticket/96 Signed-off-by: Simo Sorce <simo@redhat.com> 
In the form case there is no way to automatically fallback to
ther auth methods or even repeat transparent methods.
Add a simple list of alternative auth methods under the description
box so that the user can easily switch back and froth between them
if desired.

Fixes: https://fedorahosted.org/ipsilon/ticket/96

Signed-off-by: Simo Sorce <simo@redhat.com>
Populate krb_principal_name from GSS_NAME env var 2015-04-27T15:51:24+00:00 Rob Crittenden rcritten@redhat.com 2015-04-22T21:29:25+00:00 e5a7774427adf44c2100c5535aca569f938e7c2d mod_auth_gssapi provides by default the local name in REMOTE_USER and the full principal in GSS_NAME. Grab a copy of that principal for krb_principal_name. https://fedorahosted.org/ipsilon/ticket/115 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
mod_auth_gssapi provides by default the local name in
REMOTE_USER and the full principal in GSS_NAME. Grab a
copy of that principal for krb_principal_name.

https://fedorahosted.org/ipsilon/ticket/115

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Disallow iframes via X-Frame-Options and CSP by default 2015-04-24T17:10:34+00:00 Rob Crittenden rcritten@redhat.com 2015-04-23T20:42:27+00:00 44f663ac7dc5a6f28b25b083a21f6d9e912cff92 A decorator, allow_iframe, is also created so that specific pages can remove the deny values and allow operating within a frame. The Persona plugin relies on iframes and uses this decorator for all endpoints. https://fedorahosted.org/ipsilon/ticket/15 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
A decorator, allow_iframe, is also created so that specific
pages can remove the deny values and allow operating within
a frame.

The Persona plugin relies on iframes and uses this decorator
for all endpoints.

https://fedorahosted.org/ipsilon/ticket/15

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Use the new transaction convenience function in Persona 2015-04-24T17:08:27+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-04-23T21:25:04+00:00 b6d5f11ffe484e2ba7de14c7bac31c52461fe791 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Fix sticter lint checks 2015-04-17T20:09:17+00:00 Simo Sorce simo@redhat.com 2015-04-17T20:05:40+00:00 bf5398120e33ff3e88d7b3794c9437e7e75ee369 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Use mod_auth_gssapi instead of mod_auth_kerb 2015-04-17T20:05:11+00:00 Rob Crittenden rcritten@redhat.com 2015-04-14T15:49:00+00:00 7e33a3a2df613ecdfd49d621f7cc7a6424d4f96f Change configuration on new installs only. Enable GssapiLocalName so we have access to the local name in REMOTE_USER and the full principle in GSS_NAME. Enable GssapiSSLonly even though SSLRequireSSL is also set. The belt and suspenders principla. https://fedorahosted.org/ipsilon/ticket/89 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Change configuration on new installs only.

Enable GssapiLocalName so we have access to the local name in
REMOTE_USER and the full principle in GSS_NAME.

Enable GssapiSSLonly even though SSLRequireSSL is also set.
The belt and suspenders principla.

https://fedorahosted.org/ipsilon/ticket/89

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Move ipsilon WSGI script from /usr/sbin to /usr/libexec 2015-04-15T17:57:42+00:00 Rob Crittenden rcritten@redhat.com 2015-04-14T19:43:34+00:00 eaaffe854977912f9a4c0cc477197bd8ba96230f This command is not intended to be executed by end-users. https://fedorahosted.org/ipsilon/ticket/76 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
This command is not intended to be executed by end-users.

https://fedorahosted.org/ipsilon/ticket/76

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Release v0.6.0 2015-04-15T14:40:59+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-04-15T14:38:30+00:00 aad99a647d73820df1694848824d341f14baae4e Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Close database sesssions 2015-04-15T14:35:04+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-04-14T11:00:25+00:00 800b39df6e2c65fa06a0d5da48002bb26b83b435 This will close any opened database sessions at the end of the request. https://fedorahosted.org/ipsilon/ticket/110 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This will close any opened database sessions at the end
of the request.

https://fedorahosted.org/ipsilon/ticket/110

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Better error handling for login mgrs in server install/uninstall 2015-04-13T16:30:37+00:00 Rob Crittenden rcritten@redhat.com 2015-04-09T23:20:03+00:00 f73332fb7d55bd5753a8bafc2493172203fcf377 The purpose is to catch it when either no modules are enabled or if you try to set the login module order and one of them is not available/installed, then fail gracefully. There were some baked-in assumptions that all login providers are installed. Add some error handling around trying to determine what is available, and rather than trying to force pam to be enabled just exit with a handy message. Don't rely on lm_order during uninstall. Use the list of enabled Login managers instead. Bail out of argument checking if uninstall is requested. https://fedorahosted.org/ipsilon/ticket/105 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
The purpose is to catch it when either no modules are enabled or if
you try to set the login module order and one of them is not
available/installed, then fail gracefully.

There were some baked-in assumptions that all login providers
are installed. Add some error handling around trying to determine
what is available, and rather than trying to force pam to be enabled
just exit with a handy message.

Don't rely on lm_order during uninstall. Use the list of enabled
Login managers instead.

Bail out of argument checking if uninstall is requested.

https://fedorahosted.org/ipsilon/ticket/105

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>