From 86b42774e9fa86746f58696f0f0be6efbe921601 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Apr 14 2016 16:36:11 +0000 Subject: Support mod_nss and mod_ssl from the same config file mod_ssl uses SSLRequireSSL while mod_nss uses NSSRequireSSL to require TLS/SSL. Ipsilon used to expect mod_ssl while FreeIPA uses mod_nss. With new checks, it is no longer necessary to modify Ipsilon's Apache config to use mod_nss. Ipsilon still defaults to mod_ssl as TLS/SSL provider. When mod_nss is installed, it prefers mod_nss over mod_ssl. Fixes: #85 Signed-off-by: Christian Heimes Reviewed-by: Pierre-Yves Chibon Reviewed-by: Patrick Uiterwijk --- diff --git a/ipsilon/install/ipsilon-server-install b/ipsilon/install/ipsilon-server-install index 80d12da..d351f4a 100755 --- a/ipsilon/install/ipsilon-server-install +++ b/ipsilon/install/ipsilon-server-install @@ -126,10 +126,10 @@ def install(plugins, args): # Whether to disable security (for testing) if args['secure'] == 'no': confopts['secure'] = "False" - confopts['sslrequiressl'] = "" + confopts['ssl_require'] = "# " else: confopts['secure'] = "True" - confopts['sslrequiressl'] = " SSLRequireSSL" + confopts['ssl_require'] = "" if WSGI_SOCKET_PREFIX: confopts['wsgi_socket'] = 'WSGISocketPrefix %s' % WSGI_SOCKET_PREFIX else: diff --git a/templates/install/idp.conf b/templates/install/idp.conf index ff69db6..7c21774 100644 --- a/templates/install/idp.conf +++ b/templates/install/idp.conf @@ -7,7 +7,12 @@ ${wsgi_socket} WSGIProcessGroup ${instance} -${sslrequiressl} + ${ssl_require} + ${ssl_require} NSSRequireSSL + ${ssl_require} + ${ssl_require} + ${ssl_require} SSLRequireSSL + ${ssl_require} diff --git a/templates/install/saml2/sp.conf b/templates/install/saml2/sp.conf index a7adaf9..2bb5134 100644 --- a/templates/install/saml2/sp.conf +++ b/templates/install/saml2/sp.conf 
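Review bot: `ssl_require` now holds a template line prefix rather than the directive itself, so the empty string is the enforcing value and `"# "` is the one that switches TLS enforcement off. That is the reverse of how the old `sslrequiressl` key read, and it is easy to misread. A comment above the assignments would help, for example `# ssl_require is a line prefix for the templates: "# " comments out the RequireSSL blocks, "" leaves them active`. Only idp.conf is switched to the new key in this commit, so it is worth checking that no other template or plugin still references `${sslrequiressl}`. install() begins and ends outside this hunk.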
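Review bot: The choice between `NSSRequireSSL` and `SSLRequireSSL` in idp.conf depends on whether mod_nss is loaded, not on which module terminates TLS for this virtual host. The same applies to both hunks in templates/install/saml2/sp.conf. The conditional wrappers are not visible in this rendering, so the following is inferred from the commit message. If both modules are loaded and the Ipsilon vhost is served by mod_ssl, the NSS directive would presumably reject every request. If the mod_ssl branch is guarded by a positive test for mod_ssl, a server with neither module would start with no TLS requirement at all; guarding it with the negation of the mod_nss test keeps that case fail-closed. A short template comment stating which module wins, and that the fallback is meant to fail closed, would document the intent.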
@@ -10,7 +10,12 @@ MellonVariable "saml-sesion-cookie" # Comment out the next two lines if you want to allow logins on bare HTTP MellonsecureCookie ${saml_secure_on} - ${ssl_require}SSLRequireSSL + ${ssl_require} + ${ssl_require} NSSRequireSSL + ${ssl_require} + ${ssl_require} + ${ssl_require} SSLRequireSSL + ${ssl_require} MellonUser "NAME_ID" MellonIdP "IDP" MellonSessionLength 3600 @@ -24,7 +29,12 @@ ${saml_auth} ${sp}Alias /saml2protected /usr/share/ipsilon/ui/saml2sp ${sp} ${sp} -${sp} SSLRequireSSL +${sp} +${sp} NSSRequireSSL +${sp} +${sp} +${sp} SSLRequireSSL +${sp} ${sp} Require all granted ${sp}
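Review bot: The context comment `# Comment out the next two lines if you want to allow logins on bare HTTP` is stale after the first sp.conf hunk. The single `SSLRequireSSL` line it referred to is now a six-line block that `${ssl_require}` already comments out. Someone following the comment by hand would touch only `MellonsecureCookie` and the first line of the new block, which likely leaves the config either invalid or still enforcing TLS. Suggest rewording it to something like `# To allow logins on bare HTTP, comment out MellonsecureCookie and both RequireSSL blocks below`.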
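Review bot: The RequireSSL blocks for /saml2protected in the second sp.conf hunk are prefixed with `${sp}` only, while the Mellon location in the previous hunk uses `${ssl_require}`. An install that turns TLS enforcement off therefore still gets it on this location. That matches the old `${sp} SSLRequireSSL` line and fails closed, so it may be intentional, but nothing in the template says so. A one-line comment such as `# TLS is always required here, even when the installer disables it elsewhere` would make the difference deliberate. The surrounding block starts and ends outside the hunk.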