From 7f146bcbe3ae20db27e2daf294c19a40ccd419e6 Mon Sep 17 00:00:00 2001
From: Nathan Kinder
Date: Sat, 14 Mar 2015 10:00:51 -0700
Subject: [PATCH] Allow SP installation to be on non-standard ports

When setting up a SP using ipsilon-client-install, there is no ability to use a non-standard port. We should allow a port number to be specified that results in the proper URLs in the SP metadata.

This patch adds a --port option to ipsilon-client-install. This is used in the construction of the URLs used in the SP metadata as well as in the httpd redirect rules if httpd is being configured.

https://fedorahosted.org/ipsilon/ticket/92

Signed-off-by: Nathan Kinder
Reviewed-by: Rob Crittenden
---
 ipsilon/install/ipsilon-client-install | 21 +++++++++++++++++++--
 templates/install/saml2/sp.conf | 4 ++--
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/ipsilon/install/ipsilon-client-install b/ipsilon/install/ipsilon-client-install
index f7d9883..2390992 100755
--- a/ipsilon/install/ipsilon-client-install
+++ b/ipsilon/install/ipsilon-client-install
@@ -88,7 +88,12 @@ def saml2():
     proto = 'https'
     if not args['saml_secure_setup']:
         proto = 'http'
-    url = '%s://%s' % (proto, args['hostname'])
+
+    port_str = ''
+    if args['port']:
+        port_str = ':%s' % args['port']
+
+    url = '%s://%s%s' % (proto, args['hostname'], port_str)
     url_sp = url + args['saml_sp']
     url_logout = url + args['saml_sp_logout']
     url_post = url + args['saml_sp_post']
@@ -126,6 +131,11 @@ def saml2():
     saml_secure = 'Off'
     ssl_require = '#'
     ssl_rewrite = '#'
+    if args['port']:
+        ssl_port = args['port']
+    else:
+        ssl_port = '443'
+
     if args['saml_secure_setup']:
         saml_secure = 'On'
         ssl_require = ''
@@ -142,7 +152,9 @@ def saml2():
         'saml_auth': saml_auth,
         'ssl_require': ssl_require,
         'ssl_rewrite': ssl_rewrite,
+        'ssl_port': ssl_port,
         'sp_hostname': args['hostname'],
+        'sp_port': port_str,
         'sp': psp}
 
     files.write_from_template(SAML2_CONFFILE, SAML2_TEMPLATE, samlopts)
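Review bot: `ssl_port = args['port']` in the `@@ -126` hunk treats the single `--port` value as the HTTPS port the rewrite rule should send clients to, while the `@@ -88` hunk uses the same value to build the metadata URLs under whichever scheme `saml_secure_setup` selects; a deployment whose plain-HTTP and HTTPS listeners are on different ports cannot be described with one number, and with `saml_secure_setup` on, the generated redirect will target `https://<hostname>:<port>` even if that port is the HTTP one. If "one port for both" is the intended contract, it should be stated where the option is defined, in the `@@ -233` hunk of parse_args(), e.g. `help="Port number the SP listens on; used in the metadata URLs and, for secure setups, as the HTTPS port redirected to"`. saml2() starts before this hunk and continues past it.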
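Review bot: The two keys added to `samlopts` in the `@@ -142` hunk carry different shapes for the same concept: `sp_port` is `port_str`, which already includes the leading colon or is empty, while `ssl_port` is a bare number defaulting to `'443'`. That matches how sp.conf consumes them but is easy to get wrong when another template consumer is added later; a comment on the new entry, `# includes the leading ':' (or is ''); substituted verbatim into URLs`, and one on `'ssl_port'`, `# bare port number; used inside a RewriteCond regex`, would make the distinction explicit. saml2() starts before this hunk.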
@@ -233,6 +245,8 @@ def parse_args():
                         action='version', version='%(prog)s 0.1')
     parser.add_argument('--hostname', default=socket.getfqdn(),
                         help="Machine's fully qualified host name")
+    parser.add_argument('--port', default=None,
+                        help="Port number that SP listens on")
     parser.add_argument('--admin-user', default='admin',
                         help="Account allowed to create a SP")
     parser.add_argument('--httpd-user', default='apache',
@@ -268,7 +282,10 @@ def parse_args():
     args = parse_config_profile(args)
 
     if len(args['hostname'].split('.')) < 2:
-        raise ValueError('Hostname: %s is not a FQDN.')
+        raise ValueError('Hostname: %s is not a FQDN.' % args['hostname'])
+
+    if args['port'] and not args['port'].isdigit():
+        raise ValueError('Port number: %s is not an integer.' % args['port'])
 
     # Validate that all path options begin with '/'
     path_args = ['saml_base', 'saml_auth', 'saml_sp', 'saml_sp_logout',
diff --git a/templates/install/saml2/sp.conf b/templates/install/saml2/sp.conf
index d7872cc..a7adaf9 100644
--- a/templates/install/saml2/sp.conf
+++ b/templates/install/saml2/sp.conf
@@ -30,5 +30,5 @@ ${sp}
 
 # Redirect requests to the secure port
 ${ssl_rewrite}RewriteEngine on
-${ssl_rewrite}RewriteCond %{SERVER_PORT} !^443$$
-${ssl_rewrite}RewriteRule ^${saml_base}(.*) https://${sp_hostname}${saml_base}$$1 [L,R=301,NC]
+${ssl_rewrite}RewriteCond %{SERVER_PORT} !^${ssl_port}$$
+${ssl_rewrite}RewriteRule ^${saml_base}(.*) https://${sp_hostname}${sp_port}${saml_base}$$1 [L,R=301,NC]
-- 
2.20.1
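Review bot: The `isdigit()` check added in the `@@ -268` hunk accepts values that are not a usable port: `str.isdigit()` is true for non-ASCII digit characters such as `'²'` that `int()` rejects, and it places no upper bound, so `--port 99999` passes validation and is substituted verbatim into the SP metadata URLs and into the `RewriteCond` regular expression in sp.conf. Converting with `int()` and rejecting values outside 1–65535 closes both gaps while keeping the existing error message; the value can stay a string in `args` so the later `':%s' %` formatting and `ssl_port = args['port']` are unaffected. parse_args() starts before this hunk and continues past it.
```python
    if args['port']:
        try:
            port_num = int(args['port'])
        except ValueError:
            raise ValueError('Port number: %s is not an integer.' % args['port'])
        # Reject 0 and anything above the TCP port range.
        if not 0 < port_num < 65536:
            raise ValueError('Port number: %s is out of range.' % args['port'])
    # … unchanged: path option validation …
```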
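Review bot: On the new `RewriteCond` line, `${ssl_port}` is substituted unescaped into a regular expression, so the directive is only well-formed because ipsilon-client-install restricts `--port` to digits before rendering this template; nothing in sp.conf records that dependency. A comment above the rewrite block, `# ssl_port is a bare port number validated by ipsilon-client-install; it is interpolated into the regex below, so it must never contain regex metacharacters`, would keep the contract visible to whoever next edits either file.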