ipsilon.git/tests, branch preconf The Ipsilon project Change references to authkrb plugin to authgssapi 2015-04-28T21:30:07+00:00 Rob Crittenden rcritten@redhat.com 2015-04-28T19:16:54+00:00 68b9e1d3138784c3793f0a04c411f14168748692 With the switch to mod_auth_gssapi we aren't limited to only negotiated Kerberos so name the plugin to reflect this. https://fedorahosted.org/ipsilon/ticket/114 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
With the switch to mod_auth_gssapi we aren't limited to only
negotiated Kerberos so name the plugin to reflect this.

https://fedorahosted.org/ipsilon/ticket/114

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Insert a small timeout before reporting the test successful 2015-04-28T19:50:28+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-04-28T18:26:40+00:00 f1ecda1fe05e3f7d5c0a1a5d33d11c619442416f This is so the OS gets enough time to clean up all of the sockets used during the execution of the test. Without this, sometimes a "port already in use" error will fail the next test. Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This is so the OS gets enough time to clean up all
of the sockets used during the execution of the test.
Without this, sometimes a "port already in use" error
will fail the next test.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add OpenID test suite 2015-04-28T18:53:06+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-04-28T17:11:12+00:00 86f5401c7cb620046b6dd7730844998dec595f43 This tests core OpenID and the Attribute Exchange, Simple Registration and Teams extensions. Using a small wsgi tool because mod_auth_openid does not support all extensions. Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This tests core OpenID and the Attribute Exchange,
Simple Registration and Teams extensions.

Using a small wsgi tool because mod_auth_openid does
not support all extensions.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Close database sesssions 2015-04-15T14:35:04+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-04-14T11:00:25+00:00 800b39df6e2c65fa06a0d5da48002bb26b83b435 This will close any opened database sessions at the end of the request. https://fedorahosted.org/ipsilon/ticket/110 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This will close any opened database sessions at the end
of the request.

https://fedorahosted.org/ipsilon/ticket/110

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add test for per-SP allowed and mapping attributes 2015-04-10T14:41:22+00:00 Rob Crittenden rcritten@redhat.com 2015-04-09T19:11:39+00:00 1055b7bc810139d1e6ee3c225bcfba7b88e7aeab This buidls up a specific global mapping and allowed attributes then creates an SP-specific configuration which differs enough to confirm that it is in fact overriding the default. It finishes by removing the per-SP configuration and ensuring that it falls back to the IdP-default. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
This buidls up a specific global mapping and allowed attributes then
creates an SP-specific configuration which differs enough to confirm
that it is in fact overriding the default. It finishes by removing the
per-SP configuration and ensuring that it falls back to the IdP-default.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Validate SP names for admin pages and REST 2015-04-02T03:18:39+00:00 Nathan Kinder nkinder@redhat.com 2015-04-02T00:36:22+00:00 8ffd2629c6554124e7e3b15dce10275a2efd8261 We were previously only validating the SP name in the admin pages for SP creation and update. The REST API would allow a SP to be created with an invalid name, which would break the ability to manage that SP in the admin pages. This patch moves the SP name validation logic out of the admin page code and centralizes it in the provider creation code. This ensures that validation will occur regardless of the interface that is used. In addition, a helper method is added to allow the admin page to check if a name is valid during update operations. https://fedorahosted.org/ipsilon/ticket/102 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
We were previously only validating the SP name in the admin pages
for SP creation and update.  The REST API would allow a SP to be
created with an invalid name, which would break the ability to
manage that SP in the admin pages.

This patch moves the SP name validation logic out of the admin
page code and centralizes it in the provider creation code.  This
ensures that validation will occur regardless of the interface
that is used.  In addition, a helper method is added to allow
the admin page to check if a name is valid during update operations.

https://fedorahosted.org/ipsilon/ticket/102

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Allow SP registration from ipsilon-client-install 2015-04-02T02:54:20+00:00 Nathan Kinder nkinder@redhat.com 2015-03-31T02:36:04+00:00 9600cff7a3f93529ab56044968b489030f74b76c This optionally allows a SAML SP to be registered with the IDP when running ipsilon-client-install. To register an SP, the following options are used: --saml-idp-url (Ipsilon IDP URL) --saml-sp-name (Name to register the SP as) --admin-user (Ipsilon admin user) --admin-password (Ipsilon admin password file) If the --saml-idp-url option is set, we attempt to register the SP. The --saml-sp-name option is required if you are registering a SP. The --admin-user already defaults to admin, so it only needs to be specified if your admin user has a different username. If the --admin-password option is not specified, we prompt for the password. The --saml-idp-metadata was previously required, but this option is redundant if the new --saml-idp-url option is specified and you are not using a local copy of the IDP metadata. You can now just use the --saml-idp-url option, and we build the metadata URL from it. This helps to minimize the number of required options when you are registering an SP during installation. https://fedorahosted.org/ipsilon/ticket/101 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This optionally allows a SAML SP to be registered with the IDP when
running ipsilon-client-install.  To register an SP, the following
options are used:

  --saml-idp-url   (Ipsilon IDP URL)
  --saml-sp-name   (Name to register the SP as)
  --admin-user     (Ipsilon admin user)
  --admin-password (Ipsilon admin password file)

If the --saml-idp-url option is set, we attempt to register the SP.
The --saml-sp-name option is required if you are registering a SP.
The --admin-user already defaults to admin, so it only needs to be
specified if your admin user has a different username.  If the
--admin-password option is not specified, we prompt for the password.

The --saml-idp-metadata was previously required, but this option is
redundant if the new --saml-idp-url option is specified and you are
not using a local copy of the IDP metadata.  You can now just use
the --saml-idp-url option, and we build the metadata URL from it.
This helps to minimize the number of required options when you are
registering an SP during installation.

https://fedorahosted.org/ipsilon/ticket/101

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
IdP-initiated logout for current user 2015-04-02T02:53:55+00:00 Rob Crittenden rcritten@redhat.com 2015-03-30T15:42:10+00:00 5497278fab59361c5b6bc5d3c17407128b924b9a Perform Single Logout for the current user when a logout is initiated in the IdP. A fake initial session is created. In the current logout code the initial logout requestor holds the final redirect URL. In this case it redirects back to the root IdP page. https://fedorahosted.org/ipsilon/ticket/87 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Perform Single Logout for the current user when a logout is initiated
in the IdP.

A fake initial session is created. In the current logout code the
initial logout requestor holds the final redirect URL. In this case
it redirects back to the root IdP page.

https://fedorahosted.org/ipsilon/ticket/87

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Add options to explicitly set database uris during install 2015-03-30T18:20:11+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-03-30T14:38:10+00:00 3fd51fe0d4593cdc39c28f11deafe27845f25584 Also offer the option to set the OpenID database URI during install https://fedorahosted.org/ipsilon/ticket/17 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
Also offer the option to set the OpenID database URI during install

https://fedorahosted.org/ipsilon/ticket/17

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add tests for Name ID functionality 2015-03-24T13:42:24+00:00 Rob Crittenden rcritten@redhat.com 2015-03-19T19:20:28+00:00 0f56ef9942ee631a9306806bea8f3bb8e7b81076 Some Name ID formats are not implemented so are expected to fail. Kerberos is implemented but the test is done using form authentication so no Kerberos principal is available so authentication is denied. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Some Name ID formats are not implemented so are expected to fail.

Kerberos is implemented but the test is done using form authentication
so no Kerberos principal is available so authentication is denied.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>