From 8a9b4fe36f1bd9b358b20333956af5602eb48a6c Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 17 Jun 2014 09:13:38 -0400 Subject: [PATCH] Strenghten default Security options in IDP Always deny access to the IDP if not using SSL by default. Always turn on secure/httponly cookies by default. Add a switch to disable all security options for testing. Signed-off-by: Simo Sorce --- ipsilon/install/ipsilon-server-install | 9 +++++++++ ipsilon/providers/saml2idp.py | 5 +---- templates/install/idp.conf | 1 + templates/install/ipsilon.conf | 2 ++ tests/test1.cfg | 2 +- 5 files changed, 14 insertions(+), 5 deletions(-) diff --git a/ipsilon/install/ipsilon-server-install b/ipsilon/install/ipsilon-server-install index d570282..a4410fa 100755 --- a/ipsilon/install/ipsilon-server-install +++ b/ipsilon/install/ipsilon-server-install @@ -103,7 +103,14 @@ def install(plugins, args): 'sysuser': args['system_user'], 'ipsilondir': BINDIR, 'staticdir': STATICDIR, + 'secure': "False" if args['secure'] == "no" else "True", 'debugging': "True" if args['server_debugging'] else "False"} + if args['secure'] == 'no': + confopts['secure'] = "False" + confopts['sslrequiressl'] = "" + else: + confopts['secure'] = "True" + confopts['sslrequiressl'] = " SSLRequireSSL" if WSGI_SOCKET_PREFIX: confopts['wsgi_socket'] = 'WSGISocketPrefix %s' % WSGI_SOCKET_PREFIX else: @@ -217,6 +224,8 @@ def parse_args(plugins): help="User account used to run the server") parser.add_argument('--admin-user', default='admin', help="User account that is assigned admin privileges") + parser.add_argument('--secure', choices=['yes', 'no'], default='yes', + help="Turn on all security checks") parser.add_argument('--config-profile', default=None, help="File containing install options") parser.add_argument('--server-debugging', action='store_true', diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py index e89fe0c..a94a0a4 100755 --- a/ipsilon/providers/saml2idp.py +++ b/ipsilon/providers/saml2idp.py @@ -246,9 +246,6 @@ class Installer(object): def install_args(self, group): group.add_argument('--saml2', choices=['yes', 'no'], default='yes', help='Configure SAML2 Provider') - group.add_argument('--saml2-secure', - choices=['yes', 'no'], default='yes', - help='Configure SAML2 Provider') def configure(self, opts): if opts['saml2'] != 'yes': @@ -265,7 +262,7 @@ class Installer(object): # Generate Idp Metadata proto = 'https' - if opts['saml2_secure'].lower() == 'no': + if opts['secure'].lower() == 'no': proto = 'http' url = '%s://%s/%s/saml2' % (proto, opts['hostname'], opts['instance']) meta = metadata.Metadata(metadata.IDP_ROLE) diff --git a/templates/install/idp.conf b/templates/install/idp.conf index c49992b..19af096 100644 --- a/templates/install/idp.conf +++ b/templates/install/idp.conf @@ -5,6 +5,7 @@ ${wsgi_socket} WSGIProcessGroup ${instance} +${sslrequiressl} diff --git a/templates/install/ipsilon.conf b/templates/install/ipsilon.conf index 357a3a7..8ab17d1 100644 --- a/templates/install/ipsilon.conf +++ b/templates/install/ipsilon.conf @@ -11,4 +11,6 @@ tools.sessions.on = True tools.sessions.storage_type = "file" tools.sessions.storage_path = "${datadir}/sessions" tools.sessions.timeout = 60 +tools.sessions.httponly = ${secure} +tools.sessions.secure = ${secure} tools.protect.on = True diff --git a/tests/test1.cfg b/tests/test1.cfg index bd592a2..01402f5 100644 --- a/tests/test1.cfg +++ b/tests/test1.cfg @@ -16,7 +16,7 @@ hostname=127.0.0.10:45080 admin_user=${TEST_USER} system_user=${TEST_USER} instance=idp1 -saml2_secure=no +secure=no testauth=yes pam=no krb=no -- 2.20.1