Bug 1391445

Summary:	Using ipsilon-client-install --saml-auth produces Alias /protected /usr/share/ipsilon/ui/saml2sp
Product:	[Fedora] Fedora	Reporter:	Jan Pazdziora <jpazdziora>
Component:	ipsilon	Assignee:	Patrick Uiterwijk <puiterwijk>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	24	CC:	jpazdziora, puiterwijk, ssorce
Target Milestone:	---	Keywords:	Regression
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	ipsilon-2.0.2-2.fc25 ipsilon-2.0.2-2.fc24	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-12-28 20:20:19 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jan Pazdziora 2016-11-03 10:49:00 UTC

Description of problem:

Running

   ipsilon-client-install --saml-idp-metadata https://$IPSILON_SERVER/idp/saml2/metadata --saml-auth /protected

produces configuration which yields 403 Forbidden even when correctly authenticated.

Version-Release number of selected component (if applicable):

ipsilon-base-2.0.0-1.fc24.noarch
ipsilon-client-2.0.0-1.fc24.noarch
ipsilon-filesystem-2.0.0-1.fc24.noarch
ipsilon-saml2-2.0.0-1.fc24.noarch
ipsilon-saml2-base-2.0.0-1.fc24.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. ipsilon-client-install --saml-idp-metadata https://$IPSILON_SERVER/idp/saml2/metadata --saml-auth /protected
2. systemctl restart httpd
3. Access the /protected URL

Actual results:

Forbidden

You don't have permission to access /protected/test.cgi on this server.

==> /var/log/httpd/ssl_error_log <==
[Thu Nov 03 16:17:12.498877 2016] [authz_core:error] [pid 3536] [client 10.34.131.181:57890] AH01630: client denied by server configuration: /usr/share/ipsilon/ui/saml2sp

Expected results:

No error.

Additional info:

The ipsilon-client-install produces /etc/httpd/conf.d/ipsilon-saml.conf which has

Alias /protected /usr/share/ipsilon/ui/saml2sp
<Directory /usr/share/ipsilon/ui/saml2sp>
</Directory>

in it.

It did not do that in previous versions and it shouldn't do that. After commenting out those lines, things start to work.

Comment 1 Fedora Update System 2016-12-04 02:07:23 UTC

ipsilon-2.0.2-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-30077d1b37

Comment 2 Fedora Update System 2016-12-04 02:07:35 UTC

ipsilon-2.0.2-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-30077d1b37

Comment 3 Fedora Update System 2016-12-04 02:13:12 UTC

ipsilon-2.0.2-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2d8fb6d7ad

Comment 4 Fedora Update System 2016-12-04 02:13:21 UTC

ipsilon-2.0.2-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2d8fb6d7ad

Comment 5 Fedora Update System 2016-12-04 02:13:35 UTC

ipsilon-2.0.2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b465090499

Comment 6 Fedora Update System 2016-12-04 02:13:43 UTC

ipsilon-2.0.2-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b465090499

Comment 7 Fedora Update System 2016-12-06 03:24:06 UTC

ipsilon-2.0.2-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2d8fb6d7ad

Comment 8 Fedora Update System 2016-12-06 03:56:34 UTC

ipsilon-2.0.2-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-30077d1b37

Comment 9 Fedora Update System 2016-12-06 03:59:10 UTC

ipsilon-2.0.2-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b465090499

Comment 10 Jan Pazdziora 2016-12-06 12:17:06 UTC

Verified that ipsilon-client-2.0.2-2.fc25.noarch fixes the issue, the Alias is no longer in the config after ipsilon-client-install and I can log in fine.

Comment 11 Fedora Update System 2016-12-28 20:20:19 UTC

ipsilon-2.0.2-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-12-28 21:48:49 UTC

ipsilon-2.0.2-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.