Require SSL on SP when using --saml-secure-setup

If ipsilon-client-install is used with the --saml-secure-setup
option (which is set by default), only https connections will
work for authentication.  We are not setting the SSLRequireSSL
directive though, so we set mellon up to fail.

This patch adds the SSLRequireSSL directive to the SP config
when --saml-secure-setup is specified.  In addition, we add a
rewrite rule to rewrite http requests to https for the SP.

https://fedorahosted.org/ipsilon/ticket/80

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>

diff --git a/ipsilon/install/ipsilon-client-install b/ipsilon/install/ipsilon-client-install
index 484c462..9ed2a6f 100755 (executable)
--- a/ipsilon/install/ipsilon-client-install
+++ b/ipsilon/install/ipsilon-client-install
@@ -123,8 +123,12 @@ def saml2():
             psp = ''
 
         saml_secure = 'Off'
+        ssl_require = '#'
+        ssl_rewrite = '#'
         if args['saml_secure_setup']:
             saml_secure = 'On'
+            ssl_require = ''
+            ssl_rewrite = ''
 
         samlopts = {'saml_base': args['saml_base'],
                     'saml_protect': saml_protect,
@@ -135,6 +139,9 @@ def saml2():
                     'saml_sp': args['saml_sp'],
                     'saml_secure_on': saml_secure,
                     'saml_auth': saml_auth,
+                    'ssl_require': ssl_require,
+                    'ssl_rewrite': ssl_rewrite,
+                    'sp_hostname': args['hostname'],
                     'sp': psp}
         files.write_from_template(SAML2_CONFFILE, SAML2_TEMPLATE, samlopts)
 

diff --git a/templates/install/saml2/sp.conf b/templates/install/saml2/sp.conf
index 73e6417..d7872cc 100644 (file)
--- a/templates/install/saml2/sp.conf
+++ b/templates/install/saml2/sp.conf
@@ -8,8 +8,9 @@
     MellonIdPMetadataFile "${saml_idp_meta}"
     MellonEndpointPath ${saml_sp}
     MellonVariable "saml-sesion-cookie"
-    # Comment out the next line if you want to allow logins on bare HTTP
+    # Comment out the next two lines if you want to allow logins on bare HTTP
     MellonsecureCookie ${saml_secure_on}
+    ${ssl_require}SSLRequireSSL
     MellonUser "NAME_ID"
     MellonIdP "IDP"
     MellonSessionLength 3600
@@ -26,3 +27,8 @@ ${sp}<Directory /usr/share/ipsilon/ui/saml2sp>
 ${sp}    SSLRequireSSL
 ${sp}    Require all granted
 ${sp}</Directory>
+
+# Redirect requests to the secure port
+${ssl_rewrite}RewriteEngine on
+${ssl_rewrite}RewriteCond %{SERVER_PORT} !^443$$
+${ssl_rewrite}RewriteRule ^${saml_base}(.*) https://${sp_hostname}${saml_base}$$1 [L,R=301,NC]