Merge branch 'master' into bugfixes

CONVENTIONS

@@ -1,5 +1,7 @@
 	Conventions for working with the Confusa source
 
+	This is part of the developer's documentation.
+
 In order to keep a clean codebase and a tidy repository with browsable
 history, the following set of conventions govern the workflow in
 Confusa:
@@ -58,6 +60,10 @@ Confusa:
     www/root_cert.php:               exit(1);
     www/tools.php:                   exit(1);
 
+  Note: in some settings (when downloading files etc), using exit is the
+  'right thing' to do, but any function that stumbles across an
+  erroneous condition should either return a value to indicate this, or
+  throw an exception.
 
 4) OO-model where-ever possible.
 

INSTALL

@@ -20,7 +20,7 @@ To install Confusa
  - Apache2
  - PHP5
  - PEAR with MDB2.MySQL
- - php5-curl (when using remote CA for accessing the REST API)
+ - Smarty (the PHP template engine)
 
 === Install process ===
 
@@ -36,12 +36,12 @@ To install Confusa
 
      libapache2-php5
      php5-mysql
-     php5-curl
      PEAR::MDB2_mysql_driver
 
-3 b) When using online, you will also need the mcrypt library:
+3 b) When using online, you will also need the mcrypt and curl libraries:
 
      php5-mcrypt
+     php5-curl
 
 4) Configure Apache to use SSL, use the following lines in your 
    apache2/sites-enabled/appropriate.config.file and php5-openssl
@@ -148,10 +148,28 @@ f) Add a cron-job that takes backup of the database. The most critical
    A sample script lies in confusa/programs. Note that this is a simple
    mysqldump script that dumps the database specified in confusa_config
 
-7) Test and verify that the system is operational before you allow
+7) If you want NREN-admins to be able to customize the appearance of Confusa,
+you have to give the apache user write permissions to the "custom" folders in
+www/css and www/graphics. The apache user is often called 'www-data', sometimes
+also 'apache' or something else.
+If you are unsure about the user-name and have apache running, try to find it
+out by executing
+
+ps aux | grep apache | awk '{print $1}'
+or
+ps aux | grep httpd | awk '{print $1}'
+
+If your apache username is www-data, execute
+
+chown -R www-data /usr/share/confusa/www/css/custom
+chown -R www-data /usr/share/confusa/www/graphics/custom
+chmod -R 0755 /usr/share/confusa/www/css/custom
+chmod -R 0755 /usr/share/confusa/www/graphics/custom
+
+8) Test and verify that the system is operational before you allow
    public access.
 
-8*) Enable OAuth authorization for third party applications. OAuth has the 
+9*) Enable OAuth authorization for third party applications. OAuth has the
 advantage that Confusa-based non-browser applications won't need to maintain cookies any more
 and that it protects against replay attacks. Simplesamlphp supports OAuth in more recent versions.
 
@@ -165,7 +183,7 @@ You can just copy the default one, yielding for instance:
 'https://slcs.example.com/simplesaml/module.php/saml2/sp/metadata.php?source=saml2' => array(
   'host'  => '__DEFAULT__',
   'authproc' => array(
-    50 => 'core:IdPMap',
+    50 => 'core:NRENMap',
     60 => 'core:ConfusaAttributeMap',
     61 => 'core:CountryMap'
   ),

README

@@ -1,59 +1,51 @@
 			       Confusa
-			Copyright (C) 2007,2008
+			Copyright (C) 2007,2008,2009
 			   UNINETT Sigma A/S
+				NDGF
 
 
-   Confusa shall provide an easy way of creating an ARC-compatible
-   identity token from an existing (federated) identity. 
+Confusa shall provide an easy way of creating an X.509 identity token
+from an existing (federated) identity.
 
-   It shall do so, by providing a secure login environment for the user,
-   scripts for creating the required cryptographic keys and means for
-   uploading certificate signing requests (CSRs) in an easy and secure 
-   manner. Furthermore; the system shall automate the process of signing
-   valid CSR and returning these to the user.
+It shall do so, by providing a secure login environment for the user, a
+way of uploading a singing-request to the Confusa database.
 
-   This software is provided 'as is', and the developers are, under no
-   cirumstances, responsible for any loss or corruption of data or
-   hardware you may encouter. It is, however, presented in the most
-   stable manner possible at this stage, and we work very hard to ensure
-   that only stable releases reach the public domain.
-   Please report any bugs to the developers ([email protected])
+Note: the system *will* check all attributes in the subject of the
+CSR and drop the CSR if any of these attributes does not correspond
+with attributes obtained from the federated identity.
 
+Current attributes that are checked:
+ - key length. Keys shorter than key_length in
+   config/confusa_config.php will be discarded when the key is
+   uploaded.
+ - Subject in key. CommonName *must* correspond to
+   eduPersonPrincipalName.
+ - A certificate will never be reissued. For this reason, Confusa will
+   check that the public-key does not belong to a previously signed
+   certificate.
 
-The automated signing-process can be split into 2 separate ways
+The user will then be presented with a list of available (uploaded)
+CSRs and the opportunity to inspect, delete or approve for signing.
+The latter will either ship the CSR off to an online CA, or to the
+internal signing engine (standalone mode).
 
-1) After the CSR has been created and uploaded, the script will present
-   the user with an authentication URL. By following this URL, the user
-   will be authenticated and the signing will be authorized.
+The signed certificate is then made available to the user, and the
+user can choose to download, ship it via email, delete it or revoke it.
 
-   After the CSR has been created and uploaded, the user can log in to
-   the system and go to the 'Key' page. Here he/she will be presented
-   with a summary of all uploaded CSRs for this user. By inspecting
-   these, the user may approve signing or delete the CSR from the
-   database.
+This software is provided 'as is', and the developers are, under no
+circumstances, responsible for any loss or corruption of data or
+hardware you may encounter. It is, however, presented in the most
+stable manner possible at this stage, and we work very hard to ensure
+that only stable releases reach the public domain.
+Please report any bugs to the developers ([email protected])
 
-2) As an option, the user may create the key and CSR manually and then
-   choose to upload the CSR via the web interface. 
-
-   Note: the system *will* check all attributes in the subject of the
-   CSR and drop the CSR if any of these attributes does not correspond
-   with attributes obtained from the federated identity.
-
-   Current attributes that are checked:
-   - key length. Keys shorter than key_length in
-     config/confusa_config.php will be discarded when the key is
-     uploaded.
-   - Subject in key. CommonName *must* correspond to
-     eduPersonPrincipalName.
-   - A certificate will never be reissued. For this reason, Confusa will
-     check that the public-key does not belong to a previously signed
-     certificate.
 
 
 The file INSTALL contains instructions to how to install and configure
 the system. Note that Confusa depends upon simpleSAMLphp. INSTALL
 also contains the software requirements Confusa pose on the system
 
+
 LICENSE state the license under which Confusa is released (GPLv3). Read
 this before you start using the system, in case it invokes any
 restrictions upon you as a user or organization.

VERSION

@@ -23,10 +23,10 @@
 # Oh, and no, do not edit this file.
 MAJOR_VERSION=0
 MINOR_VERSION=2
-EXTRA_VERSION="rc3"
+EXTRA_VERSION=""
 
 # Codename for current release
-NAME="ALOHA"
+NAME="BETA"
 
 # If you edit this file, remember: we know where you live, we know your
 # grandmother, your inlaws, friends and other relatives. Think those