X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Finstall%2Fipsilon-client-install;h=9959cd0843b89f523a433b364eaa8aa80078659c;hp=237b4398af881be33c678a7950895419d9639f75;hb=3fd51fe0d4593cdc39c28f11deafe27845f25584;hpb=d67664fbffe9c380a354abe115ee5afa1ff968be diff --git a/ipsilon/install/ipsilon-client-install b/ipsilon/install/ipsilon-client-install index 237b439..9959cd0 100755 --- a/ipsilon/install/ipsilon-client-install +++ b/ipsilon/install/ipsilon-client-install @@ -88,7 +88,12 @@ def saml2(): proto = 'https' if not args['saml_secure_setup']: proto = 'http' - url = '%s://%s' % (proto, args['hostname']) + + port_str = '' + if args['port']: + port_str = ':%s' % args['port'] + + url = '%s://%s%s' % (proto, args['hostname'], port_str) url_sp = url + args['saml_sp'] url_logout = url + args['saml_sp_logout'] url_post = url + args['saml_sp_post'] @@ -101,6 +106,7 @@ def saml2(): m.add_certs(c) m.add_service(SAML2_SERVICE_MAP['logout-redirect'], url_logout) m.add_service(SAML2_SERVICE_MAP['response-post'], url_post, index="0") + m.add_allowed_name_format(SAML2_NAMEID_MAP[args['saml_nameid']]) sp_metafile = os.path.join(path, 'metadata.xml') m.output(sp_metafile) @@ -126,6 +132,11 @@ def saml2(): saml_secure = 'Off' ssl_require = '#' ssl_rewrite = '#' + if args['port']: + ssl_port = args['port'] + else: + ssl_port = '443' + if args['saml_secure_setup']: saml_secure = 'On' ssl_require = '' @@ -142,7 +153,9 @@ def saml2(): 'saml_auth': saml_auth, 'ssl_require': ssl_require, 'ssl_rewrite': ssl_rewrite, + 'ssl_port': ssl_port, 'sp_hostname': args['hostname'], + 'sp_port': port_str, 'sp': psp} files.write_from_template(SAML2_CONFFILE, SAML2_TEMPLATE, samlopts) 
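Review bot: `m.add_allowed_name_format(SAML2_NAMEID_MAP[args['saml_nameid']])` in the @@ -101 hunk indexes the map with whatever ends up in args, but the `choices=` guard added for `--saml-nameid` only covers the command line; the parse_args hunk shows `args = parse_config_profile(args)` running after argparse, so a profile-supplied value that is not a key would surface here as a bare KeyError. An explicit check next to the other parse_args validations keeps the failure in the same style as the new port and path errors: `if args['saml_nameid'] not in SAML2_NAMEID_MAP:` / `raise ValueError('--saml-nameid must be one of: %s' % ', '.join(sorted(SAML2_NAMEID_MAP)))`. Whether parse_config_profile can actually override saml_nameid is not visible in the diff. saml2() starts before this hunk and continues past it.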
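Review bot: In the @@ -126 hunk `ssl_port` is taken from `args['port']` regardless of `args['saml_secure_setup']`, so when the secure setup is off (proto becomes 'http' in the first hunk) the value handed to the template as an SSL port is the plain-HTTP listening port; how SAML2_TEMPLATE consumes `ssl_port` is not in the diff, so this may be harmless if that template line is disabled together with `ssl_rewrite`. If the intent is "the port the HTTPS redirect/requirement targets", a comment such as `# Port used by the HTTPS redirect and SSL requirement; 443 unless --port overrides it` on the `if args['port']:` line would make the pairing with ssl_require/ssl_rewrite explicit. `'443'` being a string matches the string argparse stores for --port, which the `':%s' %` formatting in the first hunk also assumes. saml2() continues outside the hunk.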
@@ -233,6 +246,8 @@ def parse_args(): action='version', version='%(prog)s 0.1') parser.add_argument('--hostname', default=socket.getfqdn(), help="Machine's fully qualified host name") + parser.add_argument('--port', default=None, + help="Port number that SP listens on") parser.add_argument('--admin-user', default='admin', help="Account allowed to create a SP") parser.add_argument('--httpd-user', default='apache', @@ -255,6 +270,9 @@ def parse_args(): help="Post response URL") parser.add_argument('--saml-secure-setup', action='store_true', default=True, help="Turn on all security checks") + parser.add_argument('--saml-nameid', default='unspecified', + choices=SAML2_NAMEID_MAP.keys(), + help="SAML NameID format to use") parser.add_argument('--debug', action='store_true', default=False, help="Turn on script debugging") parser.add_argument('--config-profile', default=None, 
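Review bot: The help text for `--port` does not say what happens when it is omitted; the saml2() hunks build the URL without a port suffix and fall back to `'443'` for ssl_port in that case, so `help="Port number that SP listens on (default: the scheme's standard port)"` would document the visible behaviour. The argument is stored as a string (no `type=`), which is what the later `.isdigit()` check in parse_args relies on, so switching to `type=int` would need that check updated in the same change. parse_args starts before this hunk and continues after it.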
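Review bot: `choices=SAML2_NAMEID_MAP.keys()` in the @@ -255 hunk iterates the dict in whatever order the interpreter gives it, so the `{...}` listing in `--help` and in argparse's "invalid choice" message is not deterministic on Python versions without ordered dicts; `choices=sorted(SAML2_NAMEID_MAP.keys())` gives a stable listing. argparse does not check `default='unspecified'` against `choices`, so the default relies on that key existing in SAML2_NAMEID_MAP, which is defined outside the diff.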
@@ -268,7 +286,31 @@ def parse_args(): args = parse_config_profile(args) if len(args['hostname'].split('.')) < 2: - raise ValueError('Hostname: %s is not a FQDN.') + raise ValueError('Hostname: %s is not a FQDN.' % args['hostname']) + + if args['port'] and not args['port'].isdigit(): + raise ValueError('Port number: %s is not an integer.' % args['port']) + + # Validate that all path options begin with '/' + path_args = ['saml_base', 'saml_auth', 'saml_sp', 'saml_sp_logout', + 'saml_sp_post'] + for path_arg in path_args: + if not args[path_arg].startswith('/'): + raise ValueError('--%s must begin with a / character.' % + path_arg.replace('_', '-')) + + # The saml_sp setting must be a subpath of saml_base since it is + # used as the MellonEndpointPath. + if not args['saml_sp'].startswith(args['saml_base']): + raise ValueError('--saml-sp must be a subpath of --saml-base.') + + # The saml_sp_logout and saml_sp_post settings must be subpaths + # of saml_sp (the mellon endpoint). + path_args = ['saml_sp_logout', 'saml_sp_post'] + for path_arg in path_args: + if not args[path_arg].startswith(args['saml_sp']): + raise ValueError('--%s must be a subpath of --saml-sp' % + path_arg.replace('_', '-')) # At least one on this list needs to be specified or we do nothing sp_list = ['saml']
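Review bot: `args['port'].isdigit()` accepts values that are not usable TCP ports, such as `0` or `70000`, so the URL written into the SP metadata and the mellon config can carry an invalid port; converting and range-checking is as short: `if args['port'] and not (args['port'].isdigit() and 0 < int(args['port']) < 65536):` / `raise ValueError('Port number: %s is not a valid TCP port.' % args['port'])`. The subpath checks use `startswith`, which is a string-prefix test rather than a path test: `--saml-base /saml2 --saml-sp /saml2x` passes the "subpath of --saml-base" check, and the saml_sp_logout/saml_sp_post loop has the same gap; comparing against `args['saml_base'].rstrip('/') + '/'` (or equality with the base) closes it, and the same for `args['saml_sp']` in the loop. Whether a non-str port can arrive via parse_config_profile, which would make `.isdigit()` raise AttributeError instead of the intended ValueError, is not visible here. parse_args starts before this hunk and continues after `sp_list = ['saml']`.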