ipsilon.git/ipsilon, branch master The Ipsilon project Fix sticter lint checks 2015-04-17T20:05:40+00:00 Simo Sorce simo@redhat.com 2015-04-17T20:05:40+00:00 d8fc12dcf312515315ab8a464933335a8ece3cd4 Signed-off-by: Simo Sorce <simo@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Use mod_auth_gssapi instead of mod_auth_kerb 2015-04-17T20:05:11+00:00 Rob Crittenden rcritten@redhat.com 2015-04-14T15:49:00+00:00 7e33a3a2df613ecdfd49d621f7cc7a6424d4f96f Change configuration on new installs only. Enable GssapiLocalName so we have access to the local name in REMOTE_USER and the full principle in GSS_NAME. Enable GssapiSSLonly even though SSLRequireSSL is also set. The belt and suspenders principla. https://fedorahosted.org/ipsilon/ticket/89 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Change configuration on new installs only.

Enable GssapiLocalName so we have access to the local name in
REMOTE_USER and the full principle in GSS_NAME.

Enable GssapiSSLonly even though SSLRequireSSL is also set.
The belt and suspenders principla.

https://fedorahosted.org/ipsilon/ticket/89

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Move ipsilon WSGI script from /usr/sbin to /usr/libexec 2015-04-15T17:57:42+00:00 Rob Crittenden rcritten@redhat.com 2015-04-14T19:43:34+00:00 eaaffe854977912f9a4c0cc477197bd8ba96230f This command is not intended to be executed by end-users. https://fedorahosted.org/ipsilon/ticket/76 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
This command is not intended to be executed by end-users.

https://fedorahosted.org/ipsilon/ticket/76

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Close database sesssions 2015-04-15T14:35:04+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-04-14T11:00:25+00:00 800b39df6e2c65fa06a0d5da48002bb26b83b435 This will close any opened database sessions at the end of the request. https://fedorahosted.org/ipsilon/ticket/110 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This will close any opened database sessions at the end
of the request.

https://fedorahosted.org/ipsilon/ticket/110

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Better error handling for login mgrs in server install/uninstall 2015-04-13T16:30:37+00:00 Rob Crittenden rcritten@redhat.com 2015-04-09T23:20:03+00:00 f73332fb7d55bd5753a8bafc2493172203fcf377 The purpose is to catch it when either no modules are enabled or if you try to set the login module order and one of them is not available/installed, then fail gracefully. There were some baked-in assumptions that all login providers are installed. Add some error handling around trying to determine what is available, and rather than trying to force pam to be enabled just exit with a handy message. Don't rely on lm_order during uninstall. Use the list of enabled Login managers instead. Bail out of argument checking if uninstall is requested. https://fedorahosted.org/ipsilon/ticket/105 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
The purpose is to catch it when either no modules are enabled or if
you try to set the login module order and one of them is not
available/installed, then fail gracefully.

There were some baked-in assumptions that all login providers
are installed. Add some error handling around trying to determine
what is available, and rather than trying to force pam to be enabled
just exit with a handy message.

Don't rely on lm_order during uninstall. Use the list of enabled
Login managers instead.

Bail out of argument checking if uninstall is requested.

https://fedorahosted.org/ipsilon/ticket/105

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add test for per-SP allowed and mapping attributes 2015-04-10T14:41:22+00:00 Rob Crittenden rcritten@redhat.com 2015-04-09T19:11:39+00:00 1055b7bc810139d1e6ee3c225bcfba7b88e7aeab This buidls up a specific global mapping and allowed attributes then creates an SP-specific configuration which differs enough to confirm that it is in fact overriding the default. It finishes by removing the per-SP configuration and ensuring that it falls back to the IdP-default. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
This buidls up a specific global mapping and allowed attributes then
creates an SP-specific configuration which differs enough to confirm
that it is in fact overriding the default. It finishes by removing the
per-SP configuration and ensuring that it falls back to the IdP-default.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Make the authtest login plugin provide more info 2015-04-10T14:41:22+00:00 Rob Crittenden rcritten@redhat.com 2015-04-09T18:59:41+00:00 cd0a566562d0279d13c3df08366bc38acf53011a Provide more variables to test for in allow attribute and mapping testing. Adds givenname (Test User), surname (the username) and email (username@example.com). https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Provide more variables to test for in allow attribute and mapping
testing.

Adds givenname (Test User), surname (the username) and
email (username@example.com).

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
The last allowed/mapping rule can be removed in SPs 2015-04-10T14:41:09+00:00 Rob Crittenden rcritten@redhat.com 2015-04-08T20:13:55+00:00 348fcbcbaf5c686cdb077c9bed53ded95ad04b49 If you created rule(s) in an SP for either allowed attributes or attribute mapping there was no way to remove the last rule meaning it could never go back to use the global defaults. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
If you created rule(s) in an SP for either allowed attributes or
attribute mapping there was no way to remove the last rule meaning
it could never go back to use the global defaults.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Add per-SP attribute mapping and allowed attributes 2015-04-10T14:38:20+00:00 Rob Crittenden rcritten@redhat.com 2015-04-07T19:34:43+00:00 81ad559af403d4d62f21209d34ba00833e007300 The per-SP values are considered overrides and the global values are default. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
The per-SP values are considered overrides and the global values
are default.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rename and move PluginConfig to ConfigHelper 2015-04-10T14:38:15+00:00 Rob Crittenden rcritten@redhat.com 2015-04-08T13:44:14+00:00 434bffc3b1ab4a74f0f23508e624e7427987aaf8 The configuration class was originally intended to be tied. At this point it is quite generic and useful outside of plugins. Rename it to something more generic and move it into the config module. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
The configuration class was originally intended to be tied. At this
point it is quite generic and useful outside of plugins. Rename
it to something more generic and move it into the config module.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>