From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 4 Sep 2015 15:00:09 +0000 (-0400)
Subject: saml_base must be a subpath of saml_auth in client installer
X-Git-Tag: v1.1.0~11
X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=commitdiff_plain;h=3b079b3735ea98b3b36b22b0f0353cb56f023dad

saml_base must be a subpath of saml_auth in client installer

If the authenticated path doesn't reside under saml_base (which
defaults to /) then mod_auth_mellon can't find the IdP.

https://fedorahosted.org/ipsilon/ticket/163

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewd-by: Patrick Uiterwijk <puiterwijk@redhat.com>
---

diff --git a/ipsilon/install/ipsilon-client-install b/ipsilon/install/ipsilon-client-install
index d72d195..668cd58 100755
--- a/ipsilon/install/ipsilon-client-install
+++ b/ipsilon/install/ipsilon-client-install
@@ -419,6 +419,11 @@ def parse_args():
     if not args['saml_sp'].startswith(args['saml_base']):
         raise ValueError('--saml-sp must be a subpath of --saml-base.')
 
+    # The samle_auth setting must be a subpath of saml_base otherwise
+    # the IdP cannot be identified by mod_auth_mellon.
+    if not args['saml_auth'].startswith(args['saml_base']):
+        raise ValueError('--saml-auth must be a subpath of --saml-base.')
+
     # The saml_sp_logout, saml_sp_post and saml_sp_paos settings must
     # be subpaths of saml_sp (the mellon endpoint).
     path_args = {'saml_sp_logout': 'logout',