| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
This command is not intended to be executed by end-users.
https://fedorahosted.org/ipsilon/ticket/76
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The purpose is to catch it when either no modules are enabled or if
you try to set the login module order and one of them is not
available/installed, then fail gracefully.
There were some baked-in assumptions that all login providers
are installed. Add some error handling around trying to determine
what is available, and rather than trying to force pam to be enabled
just exit with a handy message.
Don't rely on lm_order during uninstall. Use the list of enabled
Login managers instead.
Bail out of argument checking if uninstall is requested.
https://fedorahosted.org/ipsilon/ticket/105
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If sys.exit is called, which raises SystemExit, the finally at the
end of the installer was treating it as a successful install and
displaying messages to the user. Catch this exception and mark
the install as failed to prevent this.
https://fedorahosted.org/ipsilon/ticket/66
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The --config-profile option for the ipsilon-server-install and
ipsilon-client-install commands is designed to be used by the
in-tree functional tests. It is not meant to be used by users,
but we are advertising the option in the help output. This patch
suppresses the option from the help output.
https://fedorahosted.org/ipsilon/ticket/37
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This optionally allows a SAML SP to be registered with the IDP when
running ipsilon-client-install. To register an SP, the following
options are used:
--saml-idp-url (Ipsilon IDP URL)
--saml-sp-name (Name to register the SP as)
--admin-user (Ipsilon admin user)
--admin-password (Ipsilon admin password file)
If the --saml-idp-url option is set, we attempt to register the SP.
The --saml-sp-name option is required if you are registering a SP.
The --admin-user already defaults to admin, so it only needs to be
specified if your admin user has a different username. If the
--admin-password option is not specified, we prompt for the password.
The --saml-idp-metadata was previously required, but this option is
redundant if the new --saml-idp-url option is specified and you are
not using a local copy of the IDP metadata. You can now just use
the --saml-idp-url option, and we build the metadata URL from it.
This helps to minimize the number of required options when you are
registering an SP during installation.
https://fedorahosted.org/ipsilon/ticket/101
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running 'ipsilon-client-install --uninstall' to uninstall a SP,
we call the install routine again after completing the uninstallation.
This leads to confusing error messages about missing required options.
This patch corrects the uninstallation logic.
https://fedorahosted.org/ipsilon/ticket/100
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Also offer the option to set the OpenID database URI during install
https://fedorahosted.org/ipsilon/ticket/17
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
There was no way to validate argument input from plugins and
cause the installer to bail out. If a plugin needs to validate
some input it can use the validate_args() method and raise
ConfigurationError() if an issue is found.
https://fedorahosted.org/ipsilon/ticket/78
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This also makes persistent the default NameID format when generating
metadata.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up a SP using ipsilon-client-install, there is no
ability to use a non-standard port. We should allow a port number
to be specified that results in the proper URLs in the SP metadata.
This patch adds a --port option to ipsilon-client-install. This is
used in the construction of the URLs used in the SP metadata as well
as in the httpd redirect rules if httpd is being configured.
https://fedorahosted.org/ipsilon/ticket/92
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are a number of URL path options that can be specified as
options when running ipsilon-client-install. There are certain
rules that must be followed to result in a valid mod_auth_mellon
configuration:
- All path options must be prefixed with '/'.
- The mellon endpoint path (--saml-sp) must be a subpath of the
httpd 'Location' element is it contained within (--saml-base).
- The logout (--saml-sp-logout) and post (--saml-sp-post) paths
must be subpaths of the mellon endpoint (--saml-sp).
This adds validation for all of the above rules.
https://fedorahosted.org/ipsilon/ticket/82
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We should prevent browser caching of the SAML auth location that we
configure for an SP. This can be easily done by adding the following
directive to that location in the httpd config:
Header append Cache-Control "no-cache"
https://fedorahosted.org/ipsilon/ticket/81
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If ipsilon-client-install is used with the --saml-secure-setup
option (which is set by default), only https connections will
work for authentication. We are not setting the SSLRequireSSL
directive though, so we set mellon up to fail.
This patch adds the SSLRequireSSL directive to the SP config
when --saml-secure-setup is specified. In addition, we add a
rewrite rule to rewrite http requests to https for the SP.
https://fedorahosted.org/ipsilon/ticket/80
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
| |
As part of this, made all plugins use a Installer baseclass.
https://fedorahosted.org/ipsilon/ticket/38
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The call to configure the info/login/auth/provider plugins
had no way of recognizing that the configuration failed. Have it
check for an explicit False return value as an indication of failure.
This lets the configuration plugin do a simple return (None) if
it isn't enabled.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
https://fedorahosted.org/ipsilon/ticket/33
|
|
|
|
|
| |
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This allows us to store session data in the DB. This way session data can
be shared by multiple servers behind a balancer.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change config template to e able to set up ipsilon with an extrenal
database.
For the easy install the database server must have 3 datbases configured,
and named exactly: admincondif, userprefs, transactions
If different names are required manual instalation will be necessary.
Database URLs (including credentials) can be set using the new option
named --database-url
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Reduce code duplication, and clearly separates admin and user dbs.
Move plugin wrapper away and let plugin code use native functions.
This patch also changes the indexed data to use a uuid and assumes
2 identical uuid cannot be created concurrently.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
| |
Always deny access to the IDP if not using SSL by default.
Always turn on secure/httponly cookies by default.
Add a switch to disable all security options for testing.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Use this in the testsuite so we can get meaningful output in the logs
when something fails.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
make test will now run some sanity tests to make sure basic installation
procedures work in a sinthetic test environment.
Adds:
- custom httpd setup for tests
- use profiles to driver ipsilon servers and clients installation
- starts multiple httpd servers
This way we can test interaction between IDP and SP servers
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
To allow for testing in a custom rootdir, and with a custom user.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This does not stop the user, but makes it hard to deal wit the directory
in testing.
Let file fixing use the default 700 permissions.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new option --config-profile accepts a INI style file, so that
installation options are passed in via a file. this is useful for
testing and automated installs.
This file can have 2 sections: globals, arguments.
The globals section can change global variable in the install script
like: TEMPLATES, CONFDIR, DATADIR, HTTPDCONFD and so on, so that an
installation can use non-standad directories.
The argumets section accepts any argument option.
The config profile file is parsed after all arguments have parsed and
can override any plugin argument.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
This should be used only for testing purposes
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
On a successful install you need to retsart apache to enable the instance,
remind the user that is necessary.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Environment helpers are meta-plugins that allow to set ipsilon in
well defined environments.
For example when ipsilon is install in a FreeIPA or AD domains and
authentication methods, cetificate, keytabs etc, can be pre-configured
and deployed at the same time the server is installed with minimal
effort and wellknown methods.
These are run before any of the other plugins as they can chage the
configuration option for any of the plugins, enable or disable plugins,
or pre-configure some elements.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Add proper context to shared state directories so that httpd can write there.
Relax SElinux boolans to allow use of pam modules
This allows running Ipsilon in fully enforcing mode when pam auth
using the python-pam modules is used.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Generates (self signed) certificates and a metdata.xml file.
Optionally configures an Apache Httpd server.
If the admin does not configure a specific application at install time
a default landing page is made available to be able to test that the SP
configuration works.
Uninstall removes all certificates and metadata file and is irreversible.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Mark actual top level scripts as such instead of disguising them as modules.
Also remove __init__.py from ipsilon/install as this is not a module just
the place where install scripts are kept, for now.
Note: Scripts are installed in the bin directory but the contrib spec file
moves them to sbin.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This allow to specifify what system user should be used to configure
the ipsilon server to run as.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Automatically find plugins installed in the system and exposes their
installation and configuration functions through the installer.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|