saml_base must be a subpath of saml_auth in client installer

If the authenticated path doesn't reside under saml_base (which
defaults to /) then mod_auth_mellon can't find the IdP.

https://fedorahosted.org/ipsilon/ticket/163

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewd-by: Patrick Uiterwijk <puiterwijk@redhat.com>

diff --git a/ipsilon/install/ipsilon-client-install b/ipsilon/install/ipsilon-client-install
index d72d195..668cd58 100755 (executable)
--- a/ipsilon/install/ipsilon-client-install
+++ b/ipsilon/install/ipsilon-client-install
@@ -419,6 +419,11 @@ def parse_args():
     if not args['saml_sp'].startswith(args['saml_base']):
         raise ValueError('--saml-sp must be a subpath of --saml-base.')
 
     if not args['saml_sp'].startswith(args['saml_base']):
         raise ValueError('--saml-sp must be a subpath of --saml-base.')
 

+    # The samle_auth setting must be a subpath of saml_base otherwise
+    # the IdP cannot be identified by mod_auth_mellon.
+    if not args['saml_auth'].startswith(args['saml_base']):
+        raise ValueError('--saml-auth must be a subpath of --saml-base.')
+

     # The saml_sp_logout, saml_sp_post and saml_sp_paos settings must
     # be subpaths of saml_sp (the mellon endpoint).
     path_args = {'saml_sp_logout': 'logout',
     # The saml_sp_logout, saml_sp_post and saml_sp_paos settings must
     # be subpaths of saml_sp (the mellon endpoint).
     path_args = {'saml_sp_logout': 'logout',