cascardo/ipsilon.git
9 years ago: Add transactions db default paths
Simo Sorce [Thu, 25 Sep 2014 18:36:32 +0000 (14:36 -0400)]
Add transactions db default paths

Fixes installation and quickrun

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Make Transaction code more robust
Simo Sorce [Thu, 2 Oct 2014 23:51:34 +0000 (19:51 -0400)]
Make Transaction code more robust

Avoid raising exceptions when transactions are not found, just return
no cookies or empty dicts with no transactions in them.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Fix transaction handling in providers
Simo Sorce [Sun, 5 Oct 2014 18:00:25 +0000 (14:00 -0400)]
Fix transaction handling in providers

When a provider redirects to the login code, it must retain 'ownership'
of the transaction, otherwise the login code will wipe the transaction
data as soon as the authentication is completed but before the provider
has completed its part of the transaction.
Make sure the transaction code retrieves the 'owner' from the data for
pre-existing transactions.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Fix login session's userdata acquisition
Simo Sorce [Sun, 5 Oct 2014 17:33:16 +0000 (13:33 -0400)]
Fix login session's userdata acquisition

With the transaction code changes the session.login() function was
incorrectly moved before all the userdata was gathered. An incomplete
set was stored in the session.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Add testdir/ to gitignore.
Patrick Uiterwijk [Wed, 24 Sep 2014 18:53:14 +0000 (20:53 +0200)]
Add testdir/ to gitignore.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
9 years ago: Add very simple LDAP authentication plugin
Simo Sorce [Thu, 28 Aug 2014 18:59:13 +0000 (14:59 -0400)]
Add very simple LDAP authentication plugin

Uses python-ldap to perform a simple bind after connecting to
the LDAP server using (by default) a TLS encrypted connection.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Test transactions code with full redirect login
Simo Sorce [Fri, 19 Sep 2014 19:10:27 +0000 (15:10 -0400)]
Test transactions code with full redirect login

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Use transactions throughout the code
Simo Sorce [Wed, 10 Sep 2014 21:20:02 +0000 (17:20 -0400)]
Use transactions throughout the code

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Add transactions support
Simo Sorce [Wed, 10 Sep 2014 21:19:55 +0000 (17:19 -0400)]
Add transactions support

In some cases a user may end up having multiple login pages in different tabs in
the browser (session restore after a crash, or simply opening multiple urls
which all redirect to the same IdP).
Without transactions multiple authentication requests in flight may step on each
other causing potentially all of them to fail to properly authenticate and
redirect back to the original web site.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Refactor the data store a bit
Simo Sorce [Mon, 8 Sep 2014 19:55:34 +0000 (15:55 -0400)]
Refactor the data store a bit

Reduce code duplication, and clearly separate admin and user dbs.
Move plugin wrapper away and let plugin code use native functions.

This patch also changes the indexed data to use a uuid and assumes
2 identical uuid cannot be created concurrently.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Add abstraction class to handle cookies
Simo Sorce [Tue, 16 Sep 2014 21:07:18 +0000 (17:07 -0400)]
Add abstraction class to handle cookies

This handles secure cookies with useful helpers and defaults.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Add Info providers Admin pages
Simo Sorce [Tue, 2 Sep 2014 21:41:07 +0000 (17:41 -0400)]
Add Info providers Admin pages

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Add test that checks attrs are properly returned
Simo Sorce [Sat, 28 Jun 2014 03:10:12 +0000 (23:10 -0400)]
Add test that checks attrs are properly returned

Uses the info_nss module to source attributes from the system user

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Add support for returning user attributes
Simo Sorce [Mon, 16 Jun 2014 23:36:03 +0000 (19:36 -0400)]
Add support for returning user attributes

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Add Info Provider plugin framework
Simo Sorce [Fri, 27 Jun 2014 23:29:27 +0000 (19:29 -0400)]
Add Info Provider plugin framework

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Add error log facility to Log utility
Simo Sorce [Thu, 28 Aug 2014 18:25:15 +0000 (14:25 -0400)]
Add error log facility to Log utility

Also improve debug errors by adding the originating function

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Add proper ordering to login plugins config opts
Simo Sorce [Fri, 29 Aug 2014 22:03:34 +0000 (18:03 -0400)]
Add proper ordering to login plugins config opts

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Allow plugins to determine config options order
Simo Sorce [Fri, 29 Aug 2014 21:50:45 +0000 (17:50 -0400)]
Allow plugins to determine config options order

Ordering may also be partial; any options not specified will be
appended in lexicographic order.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Remove service name from the form plugin
Simo Sorce [Fri, 29 Aug 2014 22:04:49 +0000 (18:04 -0400)]
Remove service name from the form plugin

When using the external apache modules for form based authentication,
the pam service name is set in the apache config files and cannot be
dynamically changed, so do not offer it as a configuration option.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Use an instance specific session id cookie name
Simo Sorce [Fri, 1 Aug 2014 14:22:04 +0000 (10:22 -0400)]
Use an instance specific session id cookie name

Avoids issues if multiple instances are used on the same server

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Confine session to the instance
Simo Sorce [Fri, 1 Aug 2014 14:19:53 +0000 (10:19 -0400)]
Confine session to the instance

Set session path so that the session is sent only for the specific instance

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Use helper cookie to remember the username
Simo Sorce [Fri, 1 Aug 2014 12:15:49 +0000 (08:15 -0400)]
Use helper cookie to remember the username

This makes the login page a lot more friendly
Available only over HTTPS
Max age set to 15 days

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Create common form handler page
Simo Sorce [Fri, 1 Aug 2014 12:14:58 +0000 (08:14 -0400)]
Create common form handler page

Reduce duplication

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Rename form login page
Simo Sorce [Fri, 1 Aug 2014 11:59:52 +0000 (07:59 -0400)]
Rename form login page

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Remove unused option from the FAS login plugin
Simo Sorce [Thu, 28 Aug 2014 18:44:43 +0000 (14:44 -0400)]
Remove unused option from the FAS login plugin

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Handle the presence of additional form fields
Simo Sorce [Fri, 19 Sep 2014 19:08:52 +0000 (15:08 -0400)]
Handle the presence of additional form fields

For example hidden fields which must be preserved and POSTed back to the
action url.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Cast db value to string before comparison
Simo Sorce [Fri, 12 Sep 2014 21:13:14 +0000 (17:13 -0400)]
Cast db value to string before comparison

Avoid false negatives when the sqlite3 db is 'smart' and automatically
converts the type to integer.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Allow deferred initialization of providers
Simo Sorce [Fri, 12 Sep 2014 21:17:59 +0000 (17:17 -0400)]
Allow deferred initialization of providers

This fixes enabling a provider after the server is started.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Do not reprovision if conf is already available
Simo Sorce [Mon, 8 Sep 2014 21:36:02 +0000 (17:36 -0400)]
Do not reprovision if conf is already available

Also use a more meaningful directory name by default

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Declare admin attribute
Simo Sorce [Mon, 8 Sep 2014 20:00:48 +0000 (16:00 -0400)]
Declare admin attribute

Makes lint happier

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Fix the check for hasattr(., 'admin')
Patrick Uiterwijk [Fri, 5 Sep 2014 21:37:28 +0000 (17:37 -0400)]
Fix the check for hasattr(., 'admin')

Avoid crashing if a provider does not have an admin interface

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
9 years ago: Add FAS login plugin
Simo Sorce [Tue, 26 Aug 2014 20:38:14 +0000 (16:38 -0400)]
Add FAS login plugin

This plugin simply takes a Fedora username and password and authenticates
the user against the FAS Server.

FAS returned data is saved as userdata in the 'fas' attribute.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Restore ability to run from checkout
Simo Sorce [Mon, 25 Aug 2014 20:40:21 +0000 (16:40 -0400)]
Restore ability to run from checkout

Also adds a quickrun.py script to make it easy.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Move user attribute storage into session functions
Simo Sorce [Fri, 27 Jun 2014 23:36:56 +0000 (19:36 -0400)]
Move user attribute storage into session functions

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Use new Log class everywhere
Simo Sorce [Sat, 28 Jun 2014 00:26:22 +0000 (20:26 -0400)]
Use new Log class everywhere

Replace copies of _debug function sprinkled all over the code
with a single implementation

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
- Removed replace of self._debug to self.debug

9 years ago: Add Log class that can be inherited from safely
Simo Sorce [Sat, 28 Jun 2014 00:17:00 +0000 (20:17 -0400)]
Add Log class that can be inherited from safely

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Prefer the 'form' login manager in ipa setups
Simo Sorce [Tue, 17 Jun 2014 19:16:55 +0000 (15:16 -0400)]
Prefer the 'form' login manager in ipa setups

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk
- Replaced "all(lm not in" with "not any(lm in"

9 years ago: Add External form auth plugin
Simo Sorce [Mon, 16 Jun 2014 16:25:30 +0000 (12:25 -0400)]
Add External form auth plugin

This plugin uses mod_intercept_form_submit to perform authentication.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Rework remote_login and remove protect decorator
Simo Sorce [Wed, 18 Jun 2014 04:04:08 +0000 (00:04 -0400)]
Rework remote_login and remove protect decorator

The protect decorator was not really being used for anything, remove it.

Change the way UserSession's remote_login() works.
If called now it either sets a REMOTE_USER (if found) or nukes the current
user data in the session.
This means this function can be safely called only in a login plugin now.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
9 years ago: Change test executables into modules
Simo Sorce [Mon, 16 Jun 2014 20:26:31 +0000 (16:26 -0400)]
Change test executables into modules

Create a common tests framework and convert tests into modules loaded
at runtime using the ipsilon plugin framework.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix warning
Simo Sorce [Mon, 16 Jun 2014 15:22:18 +0000 (11:22 -0400)]
Fix warning

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add tests to source distribution too
Simo Sorce [Mon, 16 Jun 2014 15:22:02 +0000 (11:22 -0400)]
Add tests to source distribution too

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add project url and maintainer data to setup file
Simo Sorce [Mon, 16 Jun 2014 15:21:15 +0000 (11:21 -0400)]
Add project url and maintainer data to setup file

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Strengthen default Security options in IDP
Simo Sorce [Tue, 17 Jun 2014 13:13:38 +0000 (09:13 -0400)]
Strengthen default Security options in IDP

Always deny access to the IDP if not using SSL by default.
Always turn on secure/httponly cookies by default.
Add a switch to disable all security options for testing.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix non-'make test' installation
Simo Sorce [Tue, 17 Jun 2014 18:46:25 +0000 (14:46 -0400)]
Fix non-'make test' installation

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Move parsing code into helpers module
Simo Sorce [Sun, 15 Jun 2014 21:46:47 +0000 (17:46 -0400)]
Move parsing code into helpers module

This way common test actions can be easily reused by multiple tests.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add server install option to turn on debugging
Simo Sorce [Fri, 6 Jun 2014 20:04:15 +0000 (16:04 -0400)]
Add server install option to turn on debugging

Use this in the testsuite so we can get meaningful output in the logs
when something fails.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Print more info about the steps being performed
Simo Sorce [Fri, 6 Jun 2014 19:09:24 +0000 (15:09 -0400)]
Print more info about the steps being performed

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Clean up only after package removal, not during upgrades.
Jan Pazdziora [Fri, 6 Jun 2014 14:18:08 +0000 (16:18 +0200)]
Clean up only after package removal, not during upgrades.

Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
9 years ago: Make sure semanage and restorecon are installed when we want to use them.
Jan Pazdziora [Fri, 6 Jun 2014 14:07:11 +0000 (16:07 +0200)]
Make sure semanage and restorecon are installed when we want to use them.

Addressing:
Installing : ipsilon-0.2.4-3.fc20.x86_64                                  1/1
/var/tmp/rpm-tmp.pDkQSL: line 1: semanage: command not found

Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
9 years ago: If there are some errors while semanaging, we want to see them.
Jan Pazdziora [Fri, 6 Jun 2014 14:02:21 +0000 (16:02 +0200)]
If there are some errors while semanaging, we want to see them.

Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
9 years ago: Bump up release to 0.2.5 (tag: v0.2.5)
Simo Sorce [Wed, 4 Jun 2014 14:27:33 +0000 (10:27 -0400)]
Bump up release to 0.2.5

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add first test, checks client/server installs work
Simo Sorce [Sun, 1 Jun 2014 19:47:44 +0000 (15:47 -0400)]
Add first test, checks client/server installs work

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add support for socket wrappers if available
Simo Sorce [Mon, 2 Jun 2014 18:05:57 +0000 (14:05 -0400)]
Add support for socket wrappers if available

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add basic testing infrastructure
Simo Sorce [Wed, 28 May 2014 22:29:39 +0000 (18:29 -0400)]
Add basic testing infrastructure

make test will now run some sanity tests to make sure basic installation
procedures work in a synthetic test environment.

Adds:
- custom httpd setup for tests
- use profiles to drive ipsilon servers and clients installation
- starts multiple httpd servers

This way we can test interaction between IDP and SP servers

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add test login module
Simo Sorce [Thu, 29 May 2014 01:36:12 +0000 (21:36 -0400)]
Add test login module

This is useful to do automated testing.
It accepts authentication as long as the password is 'ipsilon'.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Additional parametrization of template files
Simo Sorce [Thu, 29 May 2014 02:34:33 +0000 (22:34 -0400)]
Additional parametrization of template files

To allow for testing in a custom rootdir, and with a custom user.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Do not make directory unwritable
Simo Sorce [Wed, 28 May 2014 22:28:14 +0000 (18:28 -0400)]
Do not make directory unwritable

This does not stop the user, but makes it hard to deal with the directory
in testing.
Let file fixing use the default 700 permissions.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add support for passing configuration profile
Simo Sorce [Tue, 27 May 2014 22:02:29 +0000 (18:02 -0400)]
Add support for passing configuration profile

The new option --config-profile accepts an INI style file, so that
installation options are passed in via a file. This is useful for
testing and automated installs.

This file can have 2 sections: globals, arguments.

The globals section can change global variables in the install script
like: TEMPLATES, CONFDIR, DATADIR, HTTPDCONFD and so on, so that an
installation can use non-standard directories.

The arguments section accepts any argument option.
The config profile file is parsed after all arguments have been parsed and
can override any plugin argument.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Allow turning off security at install time
Simo Sorce [Fri, 30 May 2014 14:09:18 +0000 (10:09 -0400)]
Allow turning off security at install time

This should be used only for testing purposes

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add optional field to allow pasting the metadata
Simo Sorce [Thu, 29 May 2014 13:38:18 +0000 (09:38 -0400)]
Add optional field to allow pasting the metadata

This way a user can avoid copying the metadata file around but paste
the content straight from a terminal window.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add tooltips to SAML forms
Simo Sorce [Tue, 27 May 2014 21:01:38 +0000 (17:01 -0400)]
Add tooltips to SAML forms

This should make clearer what is expected in each field.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Show the Save button only if it is useful
Simo Sorce [Tue, 27 May 2014 20:13:28 +0000 (16:13 -0400)]
Show the Save button only if it is useful

If the user cannot perform any action there is no reason to show the
save button.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: If krb is explicitly 'no' do not check for ipa
Simo Sorce [Tue, 27 May 2014 19:28:30 +0000 (15:28 -0400)]
If krb is explicitly 'no' do not check for ipa

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix location name
Simo Sorce [Thu, 29 May 2014 02:48:57 +0000 (22:48 -0400)]
Fix location name

Must be the same name where the instance is mounted!

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix typo
Simo Sorce [Tue, 27 May 2014 21:31:16 +0000 (17:31 -0400)]
Fix typo

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add sdist and rpms targets to Makefile
Simo Sorce [Tue, 20 May 2014 19:42:24 +0000 (15:42 -0400)]
Add sdist and rpms targets to Makefile

make rpms will now create fedora rpms in dist/[s]rpms

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix sample spec file to use a versioned doc dir
Simo Sorce [Tue, 20 May 2014 13:45:08 +0000 (09:45 -0400)]
Fix sample spec file to use a versioned doc dir

This makes the same spec file work on latest Fedora and RHEL7 too.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix handling of SP renames
Simo Sorce [Tue, 20 May 2014 18:18:21 +0000 (14:18 -0400)]
Fix handling of SP renames

Properly replace page self.url

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix referer checks with escaped URLs
Simo Sorce [Tue, 20 May 2014 19:20:43 +0000 (15:20 -0400)]
Fix referer checks with escaped URLs

When a SP name included spaces the referer checker would fail to match
the url. It would try to return a 403 error, unfortunately this would
also trip as a return instead of an exception was used, ending up with
a 500 error being returned to the user.

Fix url checks by unquoting before comparing.
Fix error reporting by raising an exception when needed instead of
returning.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix E501 line too long errors
Simo Sorce [Tue, 20 May 2014 19:29:45 +0000 (15:29 -0400)]
Fix E501 line too long errors

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix E256 with stricter pep8 error checker
Simo Sorce [Tue, 20 May 2014 19:28:27 +0000 (15:28 -0400)]
Fix E256 with stricter pep8 error checker

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix E713 with stricter pep8 error checker
Simo Sorce [Tue, 20 May 2014 19:25:29 +0000 (15:25 -0400)]
Fix E713 with stricter pep8 error checker

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Bump up release to 0.2.4 (tag: v0.2.4)
Simo Sorce [Tue, 20 May 2014 12:05:09 +0000 (14:05 +0200)]
Bump up release to 0.2.4

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Distribute README file too
Simo Sorce [Tue, 20 May 2014 12:07:19 +0000 (14:07 +0200)]
Distribute README file too

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix typo in selinux boolean name
Simo Sorce [Tue, 20 May 2014 12:03:09 +0000 (14:03 +0200)]
Fix typo in selinux boolean name

This was causing pam auth to fail, as the boolean was not being turned on.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix generation of server's metadata file
Simo Sorce [Mon, 19 May 2014 19:15:56 +0000 (21:15 +0200)]
Fix generation of server's metadata file

At some point a '/' got lost, causing the generation of wrong endpoints.
Clients would then be redirected to a non-existent path and get a 404.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Bump up release to 0.2.3 (tag: v0.2.3)
Simo Sorce [Wed, 7 May 2014 16:23:28 +0000 (12:23 -0400)]
Bump up release to 0.2.3

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix broken login plugins order config handling
Nathan Kinder [Sat, 10 May 2014 00:38:32 +0000 (17:38 -0700)]
Fix broken login plugins order config handling

The administrative page for configuring login plugins order had
a number of problems.  The html template expects a list of plugin
names to be supplied,  but a list of the actual plugin objects
was being supplied.  This caused a 500 error since join() would
throw an exception when it encounters something other than a string.

Even after fixing the 500 error, actually modifying the plugin
order would not work due to further issues with plugin objects
being used when strings representing the plugin names are expected
(and vice-versa).

This patch ensures that strings representing plugin names are
supplied to the html template, and that plugin objects are used
when re-ordering the live plugin list.

Resolves: https://fedorahosted.org/ipsilon/ticket/2

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
9 years ago: WSGI settings incorrectly makes instance global
Nathan Kinder [Fri, 9 May 2014 23:16:11 +0000 (16:16 -0700)]
WSGI settings incorrectly makes instance global

The WSGIProcessGroup directive should only apply to the /idp URI.
Without wrapping this directive in the Location element, multiple
Ipsilon instances or an Ipsilon instance installed on a FreeIPA
server will conflict and encounter problems running in the same
httpd process. All wsgi processes will end up redirected to the
last process group defined in the configuration in this case and
all other instances of wsgi applications will be unreachable.

Resolves: https://fedorahosted.org/ipsilon/ticket/1

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
9 years ago: Add details on using a principal for the admin
Nathan Kinder [Fri, 9 May 2014 23:12:31 +0000 (16:12 -0700)]
Add details on using a principal for the admin

When Ipsilon is being installed with IPA, one is most likely going
to use Kerberos to login to Ipsilon as the administrator.  We should
call this out, as the default of 'admin' for the Ipsilon admin user
will conflict with the IPA 'admin' user.  You will be unable to
create a local 'admin' user at this point, requiring you to modify
the sqlite database directly to change the admin user to a full
principal.

I also corrected a typo and wrapped a line that was > 79 chars.

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
9 years ago: Add 500 Error handler for krb module
Simo Sorce [Wed, 7 May 2014 13:51:25 +0000 (09:51 -0400)]
Add 500 Error handler for krb module

If mod_auth_kerb encounters an internal error, catch it so we can fall back to
the next authentication module, if any, or return a proper failure message.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Remind the user to restart HTTPD when done
Simo Sorce [Wed, 7 May 2014 13:47:20 +0000 (09:47 -0400)]
Remind the user to restart HTTPD when done

On a successful install you need to restart apache to enable the instance;
remind the user that this is necessary.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Give more user feedback around keytab issues
Simo Sorce [Wed, 7 May 2014 13:45:32 +0000 (09:45 -0400)]
Give more user feedback around keytab issues

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Version bump, go to 0.2.2 (tag: v0.2.2)
Simo Sorce [Fri, 2 May 2014 00:52:50 +0000 (20:52 -0400)]
Version bump, go to 0.2.2

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add README file with basic installation HOWTO
Simo Sorce [Fri, 2 May 2014 00:50:17 +0000 (20:50 -0400)]
Add README file with basic installation HOWTO

The HowTo covers the simplest scenarios for both the Identity and
Service Provider applications.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add IPA helper for server install
Simo Sorce [Tue, 29 Apr 2014 21:24:29 +0000 (17:24 -0400)]
Add IPA helper for server install

The IPA helper checks a krb keytab is available for the local HTTPD
service at the standard ipa location, and if not available, tries
to register the service and retrieve one from the IPA server.

At the end of the process forces the activation of the krb plugin
as well as the fallback to pam for authentication.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Add Environment Helpers installer framework
Simo Sorce [Mon, 28 Apr 2014 17:58:51 +0000 (13:58 -0400)]
Add Environment Helpers installer framework

Environment helpers are meta-plugins that allow setting up ipsilon in
well defined environments.
For example when ipsilon is installed in a FreeIPA or AD domain,
authentication methods, certificates, keytabs etc. can be pre-configured
and deployed at the same time the server is installed with minimal
effort and well-known methods.

These are run before any of the other plugins as they can change the
configuration option for any of the plugins, enable or disable plugins,
or pre-configure some elements.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Always use saml by default
Simo Sorce [Fri, 2 May 2014 01:00:14 +0000 (21:00 -0400)]
Always use saml by default

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Make SELinux happy
Simo Sorce [Thu, 1 May 2014 17:16:14 +0000 (13:16 -0400)]
Make SELinux happy

Add proper context to shared state directories so that httpd can write there.

Relax SELinux booleans to allow use of pam modules.
This allows running Ipsilon in fully enforcing mode when pam auth
using the python-pam modules is used.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Avoid failing install if sessions directory exists
Simo Sorce [Thu, 1 May 2014 19:31:25 +0000 (15:31 -0400)]
Avoid failing install if sessions directory exists

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Eliminate stale locks
Simo Sorce [Thu, 1 May 2014 20:37:12 +0000 (16:37 -0400)]
Eliminate stale locks

If the server crashes stale lock files may be left behind.
This will cause the application to deadlock for the user that has
the misfortune of having a stale lock.
Forcibly remove all locks on startup.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Fix typo in ipsilon-client-install
Simo Sorce [Fri, 2 May 2014 00:52:02 +0000 (20:52 -0400)]
Fix typo in ipsilon-client-install

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Bump up spec file version too
Simo Sorce [Mon, 28 Apr 2014 13:27:30 +0000 (09:27 -0400)]
Bump up spec file version too

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Bump version up to 0.2.1
Simo Sorce [Fri, 25 Apr 2014 20:46:00 +0000 (16:46 -0400)]
Bump version up to 0.2.1

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Do not hardcode sessions directory in spec file
Simo Sorce [Mon, 21 Apr 2014 03:45:18 +0000 (23:45 -0400)]
Do not hardcode sessions directory in spec file

This directory is now generated dynamically based on the instance
name at ipsilon-server-install time.

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Make it easy to install multiple server instances
Simo Sorce [Fri, 18 Apr 2014 04:43:37 +0000 (00:43 -0400)]
Make it easy to install multiple server instances

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Move templatized file creation to tools
Simo Sorce [Fri, 18 Apr 2014 04:16:12 +0000 (00:16 -0400)]
Move templatized file creation to tools

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Move fixing files functionality to tools
Simo Sorce [Fri, 18 Apr 2014 03:59:35 +0000 (23:59 -0400)]
Move fixing files functionality to tools

Signed-off-by: Simo Sorce <simo@redhat.com>
9 years ago: Convert all forms to use util.Page form support
Simo Sorce [Mon, 21 Apr 2014 02:00:08 +0000 (22:00 -0400)]
Convert all forms to use util.Page form support

This way all forms will get Referer checking automatically

Signed-off-by: Simo Sorce <simo@redhat.com>