Add a plugin-based authorization system for SP user sessions

This system allows SP authentication requests to be authorized in
Ipsilon based on SP and user data. Authorization takes place after the
user has been authenticated, and before a response is sent back to the
SP.

The authorization plugin execution order is defined via the
loginstack admin page. Each plugin has the option to permit or deny the
user session, or abstain from making a decision. If all configured
plugins abstain, or there are no configured plugins, the session is
denied. The first plugin to not abstain determines the result of the
authorization process.

Three plugins are included:
- "allow" unconditionally allows all sessions, and is enabled by default
- "deny" unconditionally denies all sessions, and can be used both for
  testing, and as a final configured plugin to deny sessions not
  explicitly permitted by other plugins
- "spgroup" requires a user to be a member of a group that matches the
  name of the SP

As a new database table is added to the adminconfig database, the
database format version has been bumped to version 3. The database
upgrade test suite has been updated to test upgrades to v3.

Signed-off-by: Howard Johnson <merlin@merlinthp.org>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
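
The decision rule described in the commit message above, sketched as an added example; this is not Ipsilon's code and not part of the commit. The Decision enum, the function signatures, the user dictionary shape and the "admins" plugin are hypothetical, and the sketch assumes that "spgroup" denies non-members rather than abstaining.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    ABSTAIN = "abstain"

def allow(sp_name, user):
    """'allow': unconditionally permits every session."""
    return Decision.PERMIT

def deny(sp_name, user):
    """'deny': unconditionally denies every session."""
    return Decision.DENY

def spgroup(sp_name, user):
    """'spgroup': user must be in a group named after the SP.
    Assumption: non-members are denied rather than abstained on."""
    return Decision.PERMIT if sp_name in user["groups"] else Decision.DENY

def admins(sp_name, user):
    """Hypothetical extra plugin: permits admins, abstains for everyone else."""
    return Decision.PERMIT if "admins" in user["groups"] else Decision.ABSTAIN

def authorize(stack, sp_name, user):
    """Run plugins in configured order; the first non-abstaining plugin decides.
    Returns (permitted, deciding_plugin_name). An empty stack, or a stack in
    which every plugin abstains, yields (False, None): deny by default."""
    for plugin in stack:
        decision = plugin(sp_name, user)
        if decision is Decision.ABSTAIN:
            continue
        # Anything other than an explicit PERMIT is treated as a denial.
        return decision is Decision.PERMIT, plugin.__name__
    return False, None

# Constructed sample users; "wiki" below is a constructed SP name.
ALICE = {"name": "alice", "groups": ["wiki"]}
BOB = {"name": "bob", "groups": ["admins"]}
CAROL = {"name": "carol", "groups": []}

if __name__ == "__main__":
    for stack in ([], [admins], [admins, spgroup], [deny, allow], [allow]):
        names = [p.__name__ for p in stack]
        for user in (ALICE, BOB, CAROL):
            print(names, user["name"], authorize(stack, "wiki", user))
```

Returning the name of the deciding plugin alongside the result makes it possible to log which plugin permitted or denied a session, and to tell an explicit denial apart from the deny-by-default case.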