| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Makes lint happier
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
| |
Avoid crashing if a provider does not have an admin interface
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This plugin simply take a Fedora username and password and authenticates
the user against the FAS Server.
FAS returned data is saved as userdata in the 'fas' attribute.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
| |
also adds quickrun.py script to make it easy.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Replace copies of _debug function sprinkled all over the code
with a single implementation
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
- Removed replace of self._debug to self.debug
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk
- Replaced "all(lm not in" with "not any(lm in"
|
|
|
|
|
|
|
| |
This plugin uses mod_intercept_form_submit to perform authentication.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The protect decorator was not really being used for anything, remove it.
Change the way UserSession's remote_login() works.
If called now it either sets a REMOTE_USER (if found) or nukes the current
user data in the session.
This means this function can be safely called only in a login plugin now.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
| |
Always deny access to the IDP if not using SSL by default.
Always turn on secure/httponly cookies by default.
Add a switch to disable all security options for testing.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Use this in the testsuite so we can get meaningful output in the logs
when something fails.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
make test will now run some sanity tests to make sure basic installation
procedures work in a sinthetic test environment.
Adds:
- custom httpd setup for tests
- use profiles to driver ipsilon servers and clients installation
- starts multiple httpd servers
This way we can test interaction between IDP and SP servers
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
This is useful to do automated testing.
It accepts authentication as long as the password is 'ipsilon'.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
To allow for testing in a custom rootdir, and with a custom user.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This does not stop the user, but makes it hard to deal wit the directory
in testing.
Let file fixing use the default 700 permissions.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new option --config-profile accepts a INI style file, so that
installation options are passed in via a file. this is useful for
testing and automated installs.
This file can have 2 sections: globals, arguments.
The globals section can change global variable in the install script
like: TEMPLATES, CONFDIR, DATADIR, HTTPDCONFD and so on, so that an
installation can use non-standad directories.
The argumets section accepts any argument option.
The config profile file is parsed after all arguments have parsed and
can override any plugin argument.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
This should be used only for testing purposes
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
This way a user can avoid copying the metadata file arund but paste
the content straight from a terminal window.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
Properly replace page self.url
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a SP name included spaces the referer checker would fail to match
the url. It would try to return a 403 error, unfortunately this would
also trip as a return instead of an exception was used, ending up with
a 500 error being returned to the user.
Fix url checks by unquoting before comparing.
Fix error reporting by rasing an exception when needed instead of
returning.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
This was causing pam auth to fail, as the boolean was not being turned on.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
At some point a '/' got lost, causing the generation of wrong endpoints.
Clients would then be redirected to an unexisting path and get a 404.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The administrative page for configuring login plugins order had
a number of problems. The html template expects a list of plugin
names to be supplied, but a list of the actual plugin objects
was being supplied. This caused a 500 error since join() would
throw an exception when it encounters something other than a string.
Even after fixing the 500 error, actually modifying the plugin
order would not work due to further issues with plugin objects
being used when strings representing the plugin names are expected
(and vice-versa).
This patch ensures that strings representing plugin names are
supplied to the html template, and that plugin objects are used
when re-ordering the live plugin list.
Resolves: https://fedorahosted.org/ipsilon/ticket/2
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
If mod_auth_kerb encounters an internal error, catch it so we can fall back to
the next authentication module, if any, or return a proper failure message.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
On a successful install you need to retsart apache to enable the instance,
remind the user that is necessary.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The IPa helper chcks a krb keytab is available for the local HTTPD
service at the standard ipa location, and if not available, tries
to register the sevice and retrieve one from the IPA server.
At the end of the process forces the activation of the krb plugin
as well as the fallback to pam for authentication.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Environment helpers are meta-plugins that allow to set ipsilon in
well defined environments.
For example when ipsilon is install in a FreeIPA or AD domains and
authentication methods, cetificate, keytabs etc, can be pre-configured
and deployed at the same time the server is installed with minimal
effort and wellknown methods.
These are run before any of the other plugins as they can chage the
configuration option for any of the plugins, enable or disable plugins,
or pre-configure some elements.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Add proper context to shared state directories so that httpd can write there.
Relax SElinux boolans to allow use of pam modules
This allows running Ipsilon in fully enforcing mode when pam auth
using the python-pam modules is used.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
If the server crashes stale lock files may e left behind.
This will cause the application to deadlock for the user that has
the misfortune of having a stale lock.
Forcibly remove all locks on startup.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
This way all forms will get Referer checking automaticaly
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This removes the need to define a root funciton only to redirect to
a GET/POST one.
Also adds basic CSRF protection if the page is declared a form.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Report what invalid name was used and fix exception on raising the exception on
line 129
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Use helper functions to make the code more readbale and exceptions to reduce
error hndling duplication.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
We use the name to construct the admin page path, avoid odd characters
Signed-off-by: Simo Sorce <simo@redhat.com>
|