Define PAOS AssertionConsumerService in ipsilon-client-install

[cascardo/ipsilon.git] / ipsilon / install / ipsilon-client-install
diff --git a/ipsilon/install/ipsilon-client-install b/ipsilon/install/ipsilon-client-install

index 78dfb51..1d65b5f 100755 (executable)
--- a/ipsilon/install/ipsilon-client-install
+++ b/ipsilon/install/ipsilon-client-install
@@ -89,6 +89,7 @@ def saml2():
      url_sp = url + args['saml_sp']
      url_logout = url + args['saml_sp_logout']
      url_post = url + args['saml_sp_post']
+    url_paos = url + args['saml_sp_paos']
  
      # Generate metadata
      m = Metadata('sp')
@@ -97,7 +98,12 @@ def saml2():
      m.set_entity_id(url_sp)
      m.add_certs(c)
      m.add_service(SAML2_SERVICE_MAP['logout-redirect'], url_logout)
-    m.add_service(SAML2_SERVICE_MAP['response-post'], url_post, index="0")
+    if not args['no_saml_soap_logout']:
+        m.add_service(SAML2_SERVICE_MAP['slo-soap'], url_logout)
+    m.add_service(SAML2_SERVICE_MAP['response-post'], url_post,
+                  index="0", isDefault="true")
+    m.add_service(SAML2_SERVICE_MAP['response-paos'], url_paos,
+                  index="1")
      m.add_allowed_name_format(SAML2_NAMEID_MAP[args['saml_nameid']])
      sp_metafile = os.path.join(path, 'metadata.xml')
      m.output(sp_metafile)
@@ -115,6 +121,9 @@ def saml2():
                      logger.error("Failed to read password file!\n" +
                                   "Error: [%s]" % e)
                      raise
+        elif ('IPSILON_ADMIN_PASSWORD' in os.environ) and \
+             (os.environ['IPSILON_ADMIN_PASSWORD']):
+            admin_password = os.environ['IPSILON_ADMIN_PASSWORD']
          else:
              admin_password = getpass.getpass('%s password: ' %
                                               args['admin_user'])
@@ -276,7 +285,7 @@ def parse_config_profile(args):
              if g in globals():
                  globals()[g] = val
              else:
-                for k in globals().keys():
+                for k in globals():
                      if k.lower() == g.lower():
                          globals()[k] = val
                          break
@@ -327,10 +336,15 @@ def parse_args():
                          help="Where saml2 authentication is enforced")
      parser.add_argument('--saml-sp', default='/saml2',
                          help="Where saml communication happens")
-    parser.add_argument('--saml-sp-logout', default='/saml2/logout',
+    parser.add_argument('--saml-sp-logout', default=None,
                          help="Single Logout URL")
-    parser.add_argument('--saml-sp-post', default='/saml2/postResponse',
+    parser.add_argument('--saml-sp-post', default=None,
                          help="Post response URL")
+    parser.add_argument('--saml-sp-paos', default=None,
+                        help="PAOS response URL, used for ECP")
+    parser.add_argument('--no-saml-soap-logout', action='store_true',
+                        default=False,
+                        help="Disable Single Logout over SOAP")
      parser.add_argument('--saml-secure-setup', action='store_true',
                          default=True, help="Turn on all security checks")
      parser.add_argument('--saml-nameid', default='unspecified',
@@ -358,9 +372,9 @@ def parse_args():
  
      # Validate that all path options begin with '/'
      path_args = ['saml_base', 'saml_auth', 'saml_sp', 'saml_sp_logout',
-                 'saml_sp_post']
+                 'saml_sp_post', 'saml_sp_paos']
      for path_arg in path_args:
-        if not args[path_arg].startswith('/'):
+        if args[path_arg] is not None and not args[path_arg].startswith('/'):
              raise ValueError('--%s must begin with a / character.' %
                               path_arg.replace('_', '-'))
  
@@ -369,11 +383,17 @@ def parse_args():
      if not args['saml_sp'].startswith(args['saml_base']):
          raise ValueError('--saml-sp must be a subpath of --saml-base.')
  
-    # The saml_sp_logout and saml_sp_post settings must be subpaths
-    # of saml_sp (the mellon endpoint).
-    path_args = ['saml_sp_logout', 'saml_sp_post']
-    for path_arg in path_args:
-        if not args[path_arg].startswith(args['saml_sp']):
+    # The saml_sp_logout, saml_sp_post and saml_sp_paos settings must
+    # be subpaths of saml_sp (the mellon endpoint).
+    path_args = {'saml_sp_logout': 'logout',
+                 'saml_sp_post': 'postResponse',
+                 'saml_sp_paos': 'paosResponse'}
+    for path_arg, default_path in path_args.items():
+        if args[path_arg] is None:
+            args[path_arg] = '%s/%s' % (args['saml_sp'].rstrip('/'),
+                                        default_path)
+
+        elif not args[path_arg].startswith(args['saml_sp']):
              raise ValueError('--%s must be a subpath of --saml-sp' %
                               path_arg.replace('_', '-'))