cascardo/ipsilon.git
4 years ago Drop usage of self._debug and use self.debug instead
Rob Crittenden [Wed, 29 Apr 2015 17:57:34 +0000 (13:57 -0400)]
Drop usage of self._debug and use self.debug instead

This method was deprecated but still used in a lot of places.

https://fedorahosted.org/ipsilon/ticket/120

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Fix lint issues with loginstack changes
Rob Crittenden [Wed, 29 Apr 2015 18:13:25 +0000 (14:13 -0400)]
Fix lint issues with loginstack changes

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Merge the login and info plugins configurations
Simo Sorce [Tue, 31 Mar 2015 20:35:15 +0000 (16:35 -0400)]
Merge the login and info plugins configurations

Having separate login and info plugins configuration pages doesn't
really make a lot of sense. As a first step moving towards login stacks
put login and info plugin configuration into a common "Login Stack"
menu item.

https://fedorahosted.org/ipsilon/ticket/117

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Change references to authkrb plugin to authgssapi
Rob Crittenden [Tue, 28 Apr 2015 19:16:54 +0000 (15:16 -0400)]
Change references to authkrb plugin to authgssapi

With the switch to mod_auth_gssapi we aren't limited to only
negotiated Kerberos so name the plugin to reflect this.

https://fedorahosted.org/ipsilon/ticket/114

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Rename authkrb plugin to authgssapi
Rob Crittenden [Tue, 28 Apr 2015 19:15:39 +0000 (15:15 -0400)]
Rename authkrb plugin to authgssapi

https://fedorahosted.org/ipsilon/ticket/114

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Insert a small timeout before reporting the test successful
Patrick Uiterwijk [Tue, 28 Apr 2015 18:26:40 +0000 (20:26 +0200)]
Insert a small timeout before reporting the test successful

This is so the OS gets enough time to clean up all
of the sockets used during the execution of the test.
Without this, sometimes a "port already in use" error
will fail the next test.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Allow scheme to be visible again in admin page
Patrick Uiterwijk [Tue, 28 Apr 2015 19:02:12 +0000 (21:02 +0200)]
Allow scheme to be visible again in admin page

Without this, the browser will refuse to load the scheme.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Add OpenID test suite
Patrick Uiterwijk [Tue, 28 Apr 2015 17:11:12 +0000 (19:11 +0200)]
Add OpenID test suite

This tests core OpenID and the Attribute Exchange,
Simple Registration and Teams extensions.

Using a small wsgi tool because mod_auth_openid does
not support all extensions.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Fix OpenID AX extension bug
Patrick Uiterwijk [Mon, 27 Apr 2015 20:22:05 +0000 (22:22 +0200)]
Fix OpenID AX extension bug

This makes sure that _display returns a dict, and that
the result from _resp can still be passed to addExtension

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Fix Apache configuration to use correct location of ipsilon
Rob Crittenden [Tue, 21 Apr 2015 14:00:31 +0000 (10:00 -0400)]
Fix Apache configuration to use correct location of ipsilon

When I moved the ipsilon command from /usr/sbin to /usr/libexec
I missed updating the Apache configuration.

https://fedorahosted.org/ipsilon/ticket/119

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years ago Make available a list of alternative auth methods
Simo Sorce [Mon, 27 Apr 2015 16:46:39 +0000 (12:46 -0400)]
Make available a list of alternative auth methods

In the form case there is no way to automatically fallback to
other auth methods or even repeat transparent methods.
Add a simple list of alternative auth methods under the description
box so that the user can easily switch back and forth between them
if desired.

Fixes: https://fedorahosted.org/ipsilon/ticket/96

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Populate krb_principal_name from GSS_NAME env var
Rob Crittenden [Wed, 22 Apr 2015 21:29:25 +0000 (17:29 -0400)]
Populate krb_principal_name from GSS_NAME env var

mod_auth_gssapi provides by default the local name in
REMOTE_USER and the full principal in GSS_NAME. Grab a
copy of that principal for krb_principal_name.

https://fedorahosted.org/ipsilon/ticket/115

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Disallow iframes via X-Frame-Options and CSP by default
Rob Crittenden [Thu, 23 Apr 2015 20:42:27 +0000 (16:42 -0400)]
Disallow iframes via X-Frame-Options and CSP by default

A decorator, allow_iframe, is also created so that specific
pages can remove the deny values and allow operating within
a frame.

The Persona plugin relies on iframes and uses this decorator
for all endpoints.

https://fedorahosted.org/ipsilon/ticket/15

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Use the new transaction convenience function in Persona
Patrick Uiterwijk [Thu, 23 Apr 2015 21:25:04 +0000 (23:25 +0200)]
Use the new transaction convenience function in Persona

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Fix stricter lint checks
Simo Sorce [Fri, 17 Apr 2015 20:05:40 +0000 (16:05 -0400)]
Fix stricter lint checks

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Use mod_auth_gssapi instead of mod_auth_kerb
Rob Crittenden [Tue, 14 Apr 2015 15:49:00 +0000 (11:49 -0400)]
Use mod_auth_gssapi instead of mod_auth_kerb

Change configuration on new installs only.

Enable GssapiLocalName so we have access to the local name in
REMOTE_USER and the full principal in GSS_NAME.

Enable GssapiSSLonly even though SSLRequireSSL is also set.
The belt and suspenders principle.

https://fedorahosted.org/ipsilon/ticket/89

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Move ipsilon WSGI script from /usr/sbin to /usr/libexec
Rob Crittenden [Tue, 14 Apr 2015 19:43:34 +0000 (15:43 -0400)]
Move ipsilon WSGI script from /usr/sbin to /usr/libexec

This command is not intended to be executed by end-users.

https://fedorahosted.org/ipsilon/ticket/76

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years ago Release v0.6.0 v0.6.0
Patrick Uiterwijk [Wed, 15 Apr 2015 14:38:30 +0000 (16:38 +0200)]
Release v0.6.0

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Close database sessions
Patrick Uiterwijk [Tue, 14 Apr 2015 11:00:25 +0000 (13:00 +0200)]
Close database sessions

This will close any opened database sessions at the end
of the request.

https://fedorahosted.org/ipsilon/ticket/110

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Better error handling for login mgrs in server install/uninstall
Rob Crittenden [Thu, 9 Apr 2015 23:20:03 +0000 (19:20 -0400)]
Better error handling for login mgrs in server install/uninstall

The purpose is to catch it when either no modules are enabled or if
you try to set the login module order and one of them is not
available/installed, then fail gracefully.

There were some baked-in assumptions that all login providers
are installed. Add some error handling around trying to determine
what is available, and rather than trying to force pam to be enabled
just exit with a handy message.

Don't rely on lm_order during uninstall. Use the list of enabled
Login managers instead.

Bail out of argument checking if uninstall is requested.

https://fedorahosted.org/ipsilon/ticket/105

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Fix bootstrap tooltip error
Patrick Uiterwijk [Mon, 13 Apr 2015 13:26:48 +0000 (15:26 +0200)]
Fix bootstrap tooltip error

This was caused by running the tooltip() function against
the document object, while it should be run against the
objects that use a tooltip.
This new method is the suggested way to enable tooltips
per http://getbootstrap.com/javascript/#tooltips-examples.

https://fedorahosted.org/ipsilon/ticket/98

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Add test for per-SP allowed and mapping attributes
Rob Crittenden [Thu, 9 Apr 2015 19:11:39 +0000 (15:11 -0400)]
Add test for per-SP allowed and mapping attributes

This builds up a specific global mapping and allowed attributes then
creates an SP-specific configuration which differs enough to confirm
that it is in fact overriding the default. It finishes by removing the
per-SP configuration and ensuring that it falls back to the IdP-default.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Make the authtest login plugin provide more info
Rob Crittenden [Thu, 9 Apr 2015 18:59:41 +0000 (14:59 -0400)]
Make the authtest login plugin provide more info

Provide more variables to test for in allow attribute and mapping
testing.

Adds givenname (Test User), surname (the username) and
email (username@example.com).

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago The last allowed/mapping rule can be removed in SPs
Rob Crittenden [Wed, 8 Apr 2015 20:13:55 +0000 (16:13 -0400)]
The last allowed/mapping rule can be removed in SPs

If you created rule(s) in an SP for either allowed attributes or
attribute mapping there was no way to remove the last rule meaning
it could never go back to use the global defaults.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago SAML SP template page is no longer needed
Rob Crittenden [Tue, 7 Apr 2015 19:05:59 +0000 (15:05 -0400)]
SAML SP template page is no longer needed

The page is built up using the option_config.html template now.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Add per-SP attribute mapping and allowed attributes
Rob Crittenden [Tue, 7 Apr 2015 19:34:43 +0000 (15:34 -0400)]
Add per-SP attribute mapping and allowed attributes

The per-SP values are considered overrides and the global values
are default.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Rename and move PluginConfig to ConfigHelper
Rob Crittenden [Wed, 8 Apr 2015 13:44:14 +0000 (09:44 -0400)]
Rename and move PluginConfig to ConfigHelper

The configuration class was originally intended to be tied. At this
point it is quite generic and useful outside of plugins. Rename
it to something more generic and move it into the config module.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Convert SAML2 SP Provider UI to use Config object
Rob Crittenden [Tue, 7 Apr 2015 19:33:32 +0000 (15:33 -0400)]
Convert SAML2 SP Provider UI to use Config object

This makes the look-and-feel the same between the SAML2 configuration
and the per-SP configuration.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Move mapping and complex list helpers out of class
Rob Crittenden [Tue, 7 Apr 2015 19:27:51 +0000 (15:27 -0400)]
Move mapping and complex list helpers out of class

This is so other classes which are not an AdminPage can also have
access to these helpers.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Rename plugin_config template to option_config
Rob Crittenden [Tue, 7 Apr 2015 19:07:17 +0000 (15:07 -0400)]
Rename plugin_config template to option_config

Give the configuration template, which maps Config objects into
HTML, a more generic name.

Along with the rename this also drops the user.is_admin check so
a user can manage their SP data.

The backend still enforces writing.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Use disabled template for mappings and lists
Simo Sorce [Mon, 6 Apr 2015 19:19:22 +0000 (15:19 -0400)]
Use disabled template for mappings and lists

This way lists and mappings can be empty and still allow cloning
of the last row which is always disabled and hidden.

The javascript now clones the last row then fixes the indexes in the
new cloned row, and re-enables and un-hides the previous last which
becomes a new empty row.

https://fedorahosted.org/ipsilon/ticket/25

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Print exceptions when saving data fails in admin UI
Rob Crittenden [Tue, 31 Mar 2015 18:23:49 +0000 (14:23 -0400)]
Print exceptions when saving data fails in admin UI

There were places where a broad exception was caught when saving
administrative changes but the actual exception wasn't logged. The
user was presented only with a 'Failed to save data!' message.

https://fedorahosted.org/ipsilon/ticket/39

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Rework package setup
Patrick Uiterwijk [Mon, 16 Mar 2015 14:54:53 +0000 (15:54 +0100)]
Rework package setup

This way you can install saml2 client without ipsilon-base.
Also, -base is the server itself, ipsilon will give you the
installer with it.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago This was renamed to _groups internally
Patrick Uiterwijk [Fri, 10 Apr 2015 00:47:29 +0000 (02:47 +0200)]
This was renamed to _groups internally

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago If sys.exit is called or SystemExit raised, don't display success
Rob Crittenden [Thu, 9 Apr 2015 23:20:25 +0000 (19:20 -0400)]
If sys.exit is called or SystemExit raised, don't display success

If sys.exit is called, which raises SystemExit, the finally at the
end of the installer was treating it as a successful install and
displaying messages to the user. Catch this exception and mark
the install as failed to prevent this.

https://fedorahosted.org/ipsilon/ticket/66

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Rename nss info plugin to match format of info+name
Rob Crittenden [Tue, 3 Mar 2015 04:02:03 +0000 (23:02 -0500)]
Rename nss info plugin to match format of info+name

This also eliminates a namespace collision with python-nss

https://fedorahosted.org/ipsilon/ticket/104

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Check if test deps are installed
Patrick Uiterwijk [Mon, 6 Apr 2015 10:10:27 +0000 (12:10 +0200)]
Check if test deps are installed

https://fedorahosted.org/ipsilon/ticket/91
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years ago Extend default SAML IdP metadata validity period
Nathan Kinder [Tue, 7 Apr 2015 18:53:52 +0000 (11:53 -0700)]
Extend default SAML IdP metadata validity period

Our current default IdP metadata validity period is hardcoded to 30
days.  This is very limiting for anything other than a test environment
unless there is a way to allow SPs to automatically fetch updated metadata
on a regular interval.

This patch increases the default validity period to 5 years.  In addition,
a new option for ipsilon-server-install is provided to allow a different
validity period to be specified.

https://fedorahosted.org/ipsilon/ticket/103
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Suppress --config-profile option from installer script help output
Nathan Kinder [Mon, 6 Apr 2015 16:35:03 +0000 (09:35 -0700)]
Suppress --config-profile option from installer script help output

The --config-profile option for the ipsilon-server-install and
ipsilon-client-install commands is designed to be used by the
in-tree functional tests.  It is not meant to be used by users,
but we are advertising the option in the help output.  This patch
suppresses the option from the help output.

https://fedorahosted.org/ipsilon/ticket/37

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Add document on web app integration for SAML
Nathan Kinder [Fri, 3 Apr 2015 02:32:11 +0000 (19:32 -0700)]
Add document on web app integration for SAML

This adds documentation on recommended practices for integrating
web applications with Ipsilon for SAML SSO.

https://fedorahosted.org/ipsilon/ticket/43

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Validate SP names for admin pages and REST
Nathan Kinder [Thu, 2 Apr 2015 00:36:22 +0000 (17:36 -0700)]
Validate SP names for admin pages and REST

We were previously only validating the SP name in the admin pages
for SP creation and update.  The REST API would allow a SP to be
created with an invalid name, which would break the ability to
manage that SP in the admin pages.

This patch moves the SP name validation logic out of the admin
page code and centralizes it in the provider creation code.  This
ensures that validation will occur regardless of the interface
that is used.  In addition, a helper method is added to allow
the admin page to check if a name is valid during update operations.

https://fedorahosted.org/ipsilon/ticket/102

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Allow SP registration from ipsilon-client-install
Nathan Kinder [Tue, 31 Mar 2015 02:36:04 +0000 (19:36 -0700)]
Allow SP registration from ipsilon-client-install

This optionally allows a SAML SP to be registered with the IDP when
running ipsilon-client-install.  To register an SP, the following
options are used:

  --saml-idp-url   (Ipsilon IDP URL)
  --saml-sp-name   (Name to register the SP as)
  --admin-user     (Ipsilon admin user)
  --admin-password (Ipsilon admin password file)

If the --saml-idp-url option is set, we attempt to register the SP.
The --saml-sp-name option is required if you are registering a SP.
The --admin-user already defaults to admin, so it only needs to be
specified if your admin user has a different username.  If the
--admin-password option is not specified, we prompt for the password.

The --saml-idp-metadata was previously required, but this option is
redundant if the new --saml-idp-url option is specified and you are
not using a local copy of the IDP metadata.  You can now just use
the --saml-idp-url option, and we build the metadata URL from it.
This helps to minimize the number of required options when you are
registering an SP during installation.

https://fedorahosted.org/ipsilon/ticket/101

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago IdP-initiated logout for current user
Rob Crittenden [Mon, 30 Mar 2015 15:42:10 +0000 (11:42 -0400)]
IdP-initiated logout for current user

Perform Single Logout for the current user when a logout is initiated
in the IdP.

A fake initial session is created. In the current logout code the
initial logout requestor holds the final redirect URL. In this case
it redirects back to the root IdP page.

https://fedorahosted.org/ipsilon/ticket/87

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years ago SP uninstall attempts to run install
Nathan Kinder [Tue, 31 Mar 2015 04:21:31 +0000 (21:21 -0700)]
SP uninstall attempts to run install

When running 'ipsilon-client-install --uninstall' to uninstall a SP,
we call the install routine again after completing the uninstallation.
This leads to confusing error messages about missing required options.
This patch corrects the uninstallation logic.

https://fedorahosted.org/ipsilon/ticket/100

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Release v0.5.0 v0.5.0
Patrick Uiterwijk [Mon, 30 Mar 2015 20:19:48 +0000 (22:19 +0200)]
Release v0.5.0

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Add options to explicitly set database uris during install
Patrick Uiterwijk [Mon, 30 Mar 2015 14:38:10 +0000 (16:38 +0200)]
Add options to explicitly set database uris during install

Also offer the option to set the OpenID database URI during install

https://fedorahosted.org/ipsilon/ticket/17

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Use all SSSD domains for info plugin by default.
Rob Crittenden [Thu, 26 Mar 2015 19:36:02 +0000 (15:36 -0400)]
Use all SSSD domains for info plugin by default.

Rather than requiring --info-sssd-domain as an argument make it
an optional argument, defaulting to enabling all SSSD domains.

Convert the argument from a single value into a list so that multiple
invocations can be made and all domains in the list will be enabled.

There is still the possibility that failures in configuring a domain
will occur (no domain found, for example) and these are considered
"soft" failures. That is it won't abort the server installation.

https://fedorahosted.org/ipsilon/ticket/78

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Add a method to Installer classes to validate argument input
Rob Crittenden [Thu, 26 Mar 2015 18:55:27 +0000 (14:55 -0400)]
Add a method to Installer classes to validate argument input

There was no way to validate argument input from plugins and
cause the installer to bail out. If a plugin needs to validate
some input it can use the validate_args() method and raise
ConfigurationError() if an issue is found.

https://fedorahosted.org/ipsilon/ticket/78

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Try to return a redirect instead of a 400 for "not logged in" state
Rob Crittenden [Wed, 25 Mar 2015 21:29:22 +0000 (17:29 -0400)]
Try to return a redirect instead of a 400 for "not logged in" state

If the user is not logged in and submits a valid logout request
then just redirect the user to the RelayState in the request
indicating that the logout was successful. This provides a better
user experience.

https://fedorahosted.org/ipsilon/ticket/88

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Add tests for Name ID functionality
Rob Crittenden [Thu, 19 Mar 2015 19:20:28 +0000 (15:20 -0400)]
Add tests for Name ID functionality

Some Name ID formats are not implemented so are expected to fail.

Kerberos is implemented but the test is done using form authentication
so no Kerberos principal is available so authentication is denied.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Make unspecified the default Name ID format, add to enabled list
Rob Crittenden [Mon, 23 Mar 2015 21:25:55 +0000 (17:25 -0400)]
Make unspecified the default Name ID format, add to enabled list

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Allow user to specify Name ID format when configuring SP.
Rob Crittenden [Thu, 19 Mar 2015 19:19:24 +0000 (15:19 -0400)]
Allow user to specify Name ID format when configuring SP.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Implement urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Rob Crittenden [Mon, 23 Mar 2015 17:57:12 +0000 (13:57 -0400)]
Implement urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Return the name the user authenticated with.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Implement urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Rob Crittenden [Thu, 19 Mar 2015 19:15:26 +0000 (15:15 -0400)]
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

This also makes persistent the default NameID format when generating
metadata.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago Implement urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Rob Crittenden [Wed, 18 Mar 2015 14:16:38 +0000 (10:16 -0400)]
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:transient

NameQualifier and SPNameQualifier are optional and are not included.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago When a new logout session is received, save old session ids
Rob Crittenden [Thu, 26 Feb 2015 20:25:07 +0000 (15:25 -0500)]
When a new logout session is received, save old session ids

When a new login session is received and an existing session
exists in logout, save the old session IDs.

These will be included in the sessions to logout of the SP.

This will ensure that if the user clears their cookie cache,
for example, that any previous sessions will also be logged
out.

https://fedorahosted.org/ipsilon/ticket/64

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Add LDAP test
Simo Sorce [Wed, 18 Mar 2015 00:25:18 +0000 (20:25 -0400)]
Add LDAP test

This finally tests the LDAP login/info plugins as well as the special
"groups" attribute.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Fix fetching infoldap plugin groups
Simo Sorce [Wed, 18 Mar 2015 00:22:25 +0000 (20:22 -0400)]
Fix fetching infoldap plugin groups

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Set SELinux boolean httpd_can_connect_ldap when installing infoldap and authldap
John Dennis [Mon, 26 Jan 2015 22:11:03 +0000 (17:11 -0500)]
Set SELinux boolean httpd_can_connect_ldap when installing infoldap and authldap

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago Set Cache-control on all generated pages, centralize in Endpoint
Rob Crittenden [Mon, 16 Mar 2015 20:31:55 +0000 (16:31 -0400)]
Set Cache-control on all generated pages, centralize in Endpoint

See "Bindings for the OASIS Security Assertion Markup Language (SAML)
V2.0" section 3.2.3.2.

https://fedorahosted.org/ipsilon/ticket/7

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years ago Assertion AttributeStatements must be non-empty
John Dennis [Wed, 18 Mar 2015 21:14:07 +0000 (17:14 -0400)]
Assertion AttributeStatements must be non-empty

The saml-core-2.0-os specification section 2.7.3 requires
the AttributeStatement element to be non-empty. Shibboleth verifies
this and rejects assertions that do not comply. We gather attributes
into a local dict first before adding them to the AttributeStatement
so the fix is easy. Test if the dict is empty, move the initialization
of the assertion AttributeStatement inside the test so it's
conditional on whether the dict has members.

https://fedorahosted.org/ipsilon/ticket/61

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years ago Allow SP installation to be on non-standard ports
Nathan Kinder [Sat, 14 Mar 2015 17:00:51 +0000 (10:00 -0700)]
Allow SP installation to be on non-standard ports

When setting up a SP using ipsilon-client-install, there is no
ability to use a non-standard port.  We should allow a port number
to be specified that results in the proper URLs in the SP metadata.

This patch adds a --port option to ipsilon-client-install.  This is
used in the construction of the URLs used in the SP metadata as well
as in the httpd redirect rules if httpd is being configured.

https://fedorahosted.org/ipsilon/ticket/92

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Properly handle groups info in SAML provider
Simo Sorce [Tue, 17 Mar 2015 17:22:06 +0000 (13:22 -0400)]
Properly handle groups info in SAML provider

Also removes internal attributes (any attribute that starts with _)

Fixes: https://fedorahosted.org/ipsilon/ticket/71

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years ago Add negative authentication test
Simo Sorce [Wed, 18 Mar 2015 00:18:21 +0000 (20:18 -0400)]
Add negative authentication test

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years ago Fix error returned from login plugins
Simo Sorce [Tue, 17 Mar 2015 23:01:59 +0000 (19:01 -0400)]
Fix error returned from login plugins

Some login plugins use form based authentication and let the user retry
on authentication errors. This is fine, however the wrong error code is
returned in this case, 401 should be returned.

Fixes: https://fedorahosted.org/ipsilon/ticket/94

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years ago Make SSSD Info enable the httpd_dbus_sssd boolean.
Patrick Uiterwijk [Mon, 16 Mar 2015 14:07:41 +0000 (15:07 +0100)]
Make SSSD Info enable the httpd_dbus_sssd boolean.

https://fedorahosted.org/ipsilon/ticket/23#comment:13

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Build dated RPMs by default
Patrick Uiterwijk [Mon, 16 Mar 2015 14:16:03 +0000 (15:16 +0100)]
Build dated RPMs by default

This stores the build date and git commit in the version.
This way, it's a lot easier to determine when it was last built.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago Save user attributes on subsequent calls to login.
Rob Crittenden [Mon, 16 Mar 2015 18:34:24 +0000 (14:34 -0400)]
Save user attributes on subsequent calls to login.

When a login comes in via the remote_login() call no
user attributes are set. These may be later filled in by
a subsequent call to login() after the info plugins are
called but a short-circuit in that function exits if the
user matches the current session.

Add an extra conditional such that if the user matches,
userattributes are passed in and the current user attributes
for this user are empty then save the new data.

https://fedorahosted.org/ipsilon/ticket/86

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoUse the IPA API directly when adding the HTTP principal
Rob Crittenden [Fri, 13 Mar 2015 18:56:26 +0000 (14:56 -0400)]
Use the IPA API directly when adding the HTTP principal

This is the only way to force in a custom version string
so that the remote IPA server doesn't reject the request
as being newer than the server.

This also removes the need to iterate over all servers
as the IPA connection API does this automatically.

https://fedorahosted.org/ipsilon/ticket/47

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoFix some pylint warnings in logout test about shadowing variables.
Rob Crittenden [Mon, 16 Mar 2015 20:39:02 +0000 (16:39 -0400)]
Fix some pylint warnings in logout test about shadowing variables.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoAdd test for multi-SP logout
Rob Crittenden [Wed, 4 Mar 2015 22:49:40 +0000 (17:49 -0500)]
Add test for multi-SP logout

Create an additional SP, log into one, fetch the other and
the client is now logged into both. Log out of the first one
and the client is logged out of both.

https://fedorahosted.org/ipsilon/ticket/58

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoSet MALLOC_CHECK_ and MALLOC_PERTURB_ to catch memory problems
Rob Crittenden [Wed, 4 Mar 2015 22:36:29 +0000 (17:36 -0500)]
Set MALLOC_CHECK_ and MALLOC_PERTURB_ to catch memory problems

MALLOC_CHECK_ set to 3 should abort if a memory problem is found.

MALLOC_PERTURB_ should catch any usage of freed memory.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoEnable Apache access log and core dump in tests
Rob Crittenden [Wed, 4 Mar 2015 22:33:31 +0000 (17:33 -0500)]
Enable Apache access log and core dump in tests

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoDon't explicitly save sessions
Nathan Kinder [Wed, 11 Mar 2015 23:51:29 +0000 (16:51 -0700)]
Don't explicitly save sessions

Saving a session causes it to be unlocked, but sessions have a
hook that also performs a save just before the session is finalized.
In CherryPy 3.3.0 and later, an assertion was added to ensure that
a session is locked when trying to perform a save.  Since we perform
explicit saves in our code, this causes the assertion to be tripped
when the hook executes.

This patch removes our explicit save calls.  We should rely on the
hook to save and unlock the session.

https://fedorahosted.org/ipsilon/ticket/84

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoProper fallback from referer to REQUEST_URI
Simo Sorce [Thu, 12 Mar 2015 17:51:04 +0000 (13:51 -0400)]
Proper fallback from referer to REQUEST_URI

If the referer is present but does not contain a transaction ID we still
need to fall back to the REQUEST_URI. Fix the code to check the url and
then fall back to REQUEST_URI rather than decide upfront merely on the
fact a referer is available.

https://fedorahosted.org/ipsilon/ticket/74

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoValidate SP path settings during installation
Nathan Kinder [Wed, 11 Mar 2015 03:02:07 +0000 (20:02 -0700)]
Validate SP path settings during installation

There are a number of URL path options that can be specified as
options when running ipsilon-client-install. There are certain
rules that must be followed to result in a valid mod_auth_mellon
configuration:

 - All path options must be prefixed with '/'.

 - The mellon endpoint path (--saml-sp) must be a subpath of the
   httpd 'Location' element it is contained within (--saml-base).

 - The logout (--saml-sp-logout) and post (--saml-sp-post) paths
   must be subpaths of the mellon endpoint (--saml-sp).

This adds validation for all of the above rules.

https://fedorahosted.org/ipsilon/ticket/82

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
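
The three rules listed in this commit message can be checked as below. This is an added illustration, not the code from the Ipsilon commit: the function names and sample values are constructed, and the choices to normalize '..' before comparing and to require the logout/post paths to sit strictly below the endpoint are assumptions.

```python
import posixpath

# Constructed sample option values (assumed for illustration only).
SAMPLE = {'saml_base': '/', 'saml_sp': '/saml2',
          'saml_sp_logout': '/saml2/logout',
          'saml_sp_post': '/saml2/postResponse'}


def _norm(path):
    # Collapse '.', '..' and repeated slashes so the comparison is made on
    # the resolved path rather than on the raw string.
    return '/' + posixpath.normpath(path).lstrip('/')


def is_subpath(child, parent, strict=False):
    """Component-wise check that child is at (or, if strict, below) parent."""
    child, parent = _norm(child), _norm(parent)
    if child == parent:
        return not strict
    # Compare against 'parent/' so that '/saml2x' is not accepted under '/saml2'.
    prefix = parent if parent.endswith('/') else parent + '/'
    return child.startswith(prefix)


def validate_sp_paths(saml_base, saml_sp, saml_sp_logout, saml_sp_post):
    """Return a list of rule violations; an empty list means valid."""
    opts = [('--saml-base', saml_base), ('--saml-sp', saml_sp),
            ('--saml-sp-logout', saml_sp_logout),
            ('--saml-sp-post', saml_sp_post)]
    # Rule 1: every path option must be prefixed with '/'.
    errors = ["%s must begin with '/'" % name
              for name, value in opts if not value.startswith('/')]
    if errors:
        return errors  # subpath checks are meaningless on relative paths
    # Rule 2: the mellon endpoint must live inside the protected Location.
    if not is_subpath(saml_sp, saml_base):
        errors.append('--saml-sp must be a subpath of --saml-base')
    # Rule 3: logout and post paths must live below the mellon endpoint.
    for name, value in opts[2:]:
        if not is_subpath(value, saml_sp, strict=True):
            errors.append('%s must be a subpath of --saml-sp' % name)
    return errors
```

A plain string-prefix test would accept '/saml2x/logout' and '/saml2/../logout' as children of '/saml2'; comparing normalized paths on a component boundary rejects both.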
4 years agoAdd mod_wsgi display name for Ipsilon WSGI process
Nathan Kinder [Wed, 11 Mar 2015 03:12:03 +0000 (20:12 -0700)]
Add mod_wsgi display name for Ipsilon WSGI process

This adds the mod_wsgi display-name setting to allow the Ipsilon
WSGI process to show up with a useful process name instead of
'httpd'.  This allows one to easily distinguish the WSGI process
from other httpd processes.

https://fedorahosted.org/ipsilon/ticket/62

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoAdd Cache-Control header to prevent browser caching of SAML auth location
Nathan Kinder [Tue, 10 Mar 2015 18:22:47 +0000 (11:22 -0700)]
Add Cache-Control header to prevent browser caching of SAML auth location

We should prevent browser caching of the SAML auth location that we
configure for an SP. This can be easily done by adding the following
directive to that location in the httpd config:

    Header append Cache-Control "no-cache"

https://fedorahosted.org/ipsilon/ticket/81

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoRequire SSL on SP when using --saml-secure-setup
Nathan Kinder [Tue, 10 Mar 2015 03:28:47 +0000 (20:28 -0700)]
Require SSL on SP when using --saml-secure-setup

If ipsilon-client-install is used with the --saml-secure-setup
option (which is set by default), only https connections will
work for authentication.  We are not setting the SSLRequireSSL
directive though, so we set mellon up to fail.

This patch adds the SSLRequireSSL directive to the SP config
when --saml-secure-setup is specified.  In addition, we add a
rewrite rule to rewrite http requests to https for the SP.

https://fedorahosted.org/ipsilon/ticket/80

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoFind transaction ids for internal redirects
Simo Sorce [Fri, 6 Mar 2015 17:12:00 +0000 (12:12 -0500)]
Find transaction ids for internal redirects

On internal redirections, such as when ErrorDocument is used to
redirect on failed negotiate authentication we need to look harder
for the transaction id.

Ticket: #74

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoFix transaction ID passing for failed authentication
Patrick Uiterwijk [Tue, 3 Mar 2015 03:39:05 +0000 (04:39 +0100)]
Fix transaction ID passing for failed authentication

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoRequire admin when accessing REST pages
Rob Crittenden [Mon, 2 Mar 2015 19:47:22 +0000 (14:47 -0500)]
Require admin when accessing REST pages

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoInstall and package the new REST components
Rob Crittenden [Mon, 2 Mar 2015 19:47:07 +0000 (14:47 -0500)]
Install and package the new REST components

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd test for REST Service Provider GET and POST
Rob Crittenden [Fri, 27 Feb 2015 03:33:20 +0000 (22:33 -0500)]
Add test for REST Service Provider GET and POST

Provision two Service Providers then test:

- We can fetch a blank list of SPs
- Add an SP via the admin interface
- We get list of all SPs and that is it
- Add an SP via POST
- We get list of all SPs and now there are two
- We get a specific SP and confirm we got the right one.

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoBreak out getting SP metadata into a separate test helper
Rob Crittenden [Fri, 27 Feb 2015 03:25:05 +0000 (22:25 -0500)]
Break out getting SP metadata into a separate test helper

This allows us to get the metadata for creation via REST POST

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoLoad and initialize REST in the SAML2 plugin
Rob Crittenden [Thu, 26 Feb 2015 20:56:55 +0000 (15:56 -0500)]
Load and initialize REST in the SAML2 plugin

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoImplement GET and POST REST API for Service Providers
Rob Crittenden [Thu, 26 Feb 2015 20:57:20 +0000 (15:57 -0500)]
Implement GET and POST REST API for Service Providers

The mount point is /idp/rest/providers/saml2/SPS.

GET .../SPS will retrieve all Service Providers
GET .../SPS/foo will retrieve the Service Provider named foo
POST .../SPS/foo will create the Service Provider named foo

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoLoad REST plugins onto the Root object
Rob Crittenden [Thu, 26 Feb 2015 20:55:00 +0000 (15:55 -0500)]
Load REST plugins onto the Root object

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoAdd base REST provider framework classes
Rob Crittenden [Thu, 26 Feb 2015 20:50:37 +0000 (15:50 -0500)]
Add base REST provider framework classes

These classes handle mounting the REST plugins.

The starting mount point is: /idp/rest/providers

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoChange root class of Page from Log to Endpoint
Rob Crittenden [Wed, 25 Feb 2015 15:13:26 +0000 (10:13 -0500)]
Change root class of Page from Log to Endpoint

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoLow-level class for managing request endpoints
Rob Crittenden [Fri, 20 Feb 2015 15:57:32 +0000 (10:57 -0500)]
Low-level class for managing request endpoints

An Endpoint is different from a Page in that it doesn't have menus,
templates, transactions, etc. It only defines a URL that can be
mounted.

https://fedorahosted.org/ipsilon/ticket/38

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoBump version numbers for release v0.4.0 v0.4.0
Patrick Uiterwijk [Fri, 27 Feb 2015 08:27:34 +0000 (09:27 +0100)]
Bump version numbers for release v0.4.0

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoAdd uninstallation support.
Patrick Uiterwijk [Wed, 4 Feb 2015 09:58:14 +0000 (10:58 +0100)]
Add uninstallation support.

As part of this, made all plugins use an Installer base class.

https://fedorahosted.org/ipsilon/ticket/38

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoAvoid attrs test flakiness, stop using info_nss
Simo Sorce [Tue, 24 Feb 2015 22:34:09 +0000 (17:34 -0500)]
Avoid attrs test flakiness, stop using info_nss

authtest already sets the fullname attribute,
just use that one instead of relying on nss which, on test systems
may have a completely empty gecos field, which makes the test fail.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoSplit tools between components that require them
Patrick Uiterwijk [Tue, 24 Feb 2015 21:17:23 +0000 (22:17 +0100)]
Split tools between components that require them

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
4 years ago__init__ needs to be in the main package
Patrick Uiterwijk [Tue, 24 Feb 2015 21:02:58 +0000 (22:02 +0100)]
__init__ needs to be in the main package

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoBump spec file
Patrick Uiterwijk [Tue, 24 Feb 2015 20:34:44 +0000 (21:34 +0100)]
Bump spec file

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoDo not require ipsilon-tools
Patrick Uiterwijk [Tue, 24 Feb 2015 19:59:48 +0000 (20:59 +0100)]
Do not require ipsilon-tools

If you want to install without the installer, it's not required

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoSplit the installer into -tools
Patrick Uiterwijk [Tue, 24 Feb 2015 20:23:44 +0000 (21:23 +0100)]
Split the installer into -tools

The installer is not needed if you deploy with config management

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoSplit off authform
Patrick Uiterwijk [Tue, 24 Feb 2015 19:47:27 +0000 (20:47 +0100)]
Split off authform

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>