summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
84d84fb)
Always deny access to the IDP if not using SSL by default.
Always turn on secure/httponly cookies by default.
Add a switch to disable all security options for testing.
Signed-off-by: Simo Sorce <simo@redhat.com>
'sysuser': args['system_user'],
'ipsilondir': BINDIR,
'staticdir': STATICDIR,
'sysuser': args['system_user'],
'ipsilondir': BINDIR,
'staticdir': STATICDIR,
+ 'secure': "False" if args['secure'] == "no" else "True",
'debugging': "True" if args['server_debugging'] else "False"}
'debugging': "True" if args['server_debugging'] else "False"}
+ if args['secure'] == 'no':
+ confopts['secure'] = "False"
+ confopts['sslrequiressl'] = ""
+ else:
+ confopts['secure'] = "True"
+ confopts['sslrequiressl'] = " SSLRequireSSL"
if WSGI_SOCKET_PREFIX:
confopts['wsgi_socket'] = 'WSGISocketPrefix %s' % WSGI_SOCKET_PREFIX
else:
if WSGI_SOCKET_PREFIX:
confopts['wsgi_socket'] = 'WSGISocketPrefix %s' % WSGI_SOCKET_PREFIX
else:
help="User account used to run the server")
parser.add_argument('--admin-user', default='admin',
help="User account that is assigned admin privileges")
help="User account used to run the server")
parser.add_argument('--admin-user', default='admin',
help="User account that is assigned admin privileges")
+ parser.add_argument('--secure', choices=['yes', 'no'], default='yes',
+ help="Turn on all security checks")
parser.add_argument('--config-profile', default=None,
help="File containing install options")
parser.add_argument('--server-debugging', action='store_true',
parser.add_argument('--config-profile', default=None,
help="File containing install options")
parser.add_argument('--server-debugging', action='store_true',
def install_args(self, group):
group.add_argument('--saml2', choices=['yes', 'no'], default='yes',
help='Configure SAML2 Provider')
def install_args(self, group):
group.add_argument('--saml2', choices=['yes', 'no'], default='yes',
help='Configure SAML2 Provider')
- group.add_argument('--saml2-secure',
- choices=['yes', 'no'], default='yes',
- help='Configure SAML2 Provider')
def configure(self, opts):
if opts['saml2'] != 'yes':
def configure(self, opts):
if opts['saml2'] != 'yes':
# Generate Idp Metadata
proto = 'https'
# Generate Idp Metadata
proto = 'https'
- if opts['saml2_secure'].lower() == 'no':
+ if opts['secure'].lower() == 'no':
proto = 'http'
url = '%s://%s/%s/saml2' % (proto, opts['hostname'], opts['instance'])
meta = metadata.Metadata(metadata.IDP_ROLE)
proto = 'http'
url = '%s://%s/%s/saml2' % (proto, opts['hostname'], opts['instance'])
meta = metadata.Metadata(metadata.IDP_ROLE)
<Location /${instance}>
WSGIProcessGroup ${instance}
<Location /${instance}>
WSGIProcessGroup ${instance}
</Location>
<Directory ${ipsilondir}>
</Location>
<Directory ${ipsilondir}>
tools.sessions.storage_type = "file"
tools.sessions.storage_path = "${datadir}/sessions"
tools.sessions.timeout = 60
tools.sessions.storage_type = "file"
tools.sessions.storage_path = "${datadir}/sessions"
tools.sessions.timeout = 60
+tools.sessions.httponly = ${secure}
+tools.sessions.secure = ${secure}
admin_user=${TEST_USER}
system_user=${TEST_USER}
instance=idp1
admin_user=${TEST_USER}
system_user=${TEST_USER}
instance=idp1
testauth=yes
pam=no
krb=no
testauth=yes
pam=no
krb=no