|
 |
f1be0a |
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
|
|
|
f1be0a |
Name: mod_auth_mellon
|
|
|
43610c |
Version: 0.14.0
|
|
|
a860d0 |
Release: 2%{?dist}.4
|
|
|
f1be0a |
Group: System Environment/Daemons
|
|
|
f1be0a |
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
|
|
|
f1be0a |
Source1: auth_mellon.conf
|
|
|
f1be0a |
Source2: 10-auth_mellon.conf
|
|
|
f1be0a |
Source3: mod_auth_mellon.conf
|
|
|
f1be0a |
Source4: mellon_create_metadata.sh
|
|
|
43610c |
Source5: README.redhat.rst
|
|
|
43610c |
Source6: mellon_user_guide.html
|
|
|
f1be0a |
License: GPLv2+
|
|
|
f1be0a |
BuildRequires: curl-devel
|
|
|
f1be0a |
BuildRequires: glib2-devel
|
|
|
f1be0a |
BuildRequires: httpd-devel
|
|
|
43610c |
BuildRequires: lasso-devel >= 2.5.1
|
|
|
f1be0a |
BuildRequires: openssl-devel
|
|
|
f1be0a |
BuildRequires: xmlsec1-devel
|
|
|
f1be0a |
Requires: httpd-mmn = %{_httpd_mmn}
|
|
|
43610c |
Requires: lasso >= 2.5.1
|
|
|
f1be0a |
Url: https://github.com/UNINETT/mod_auth_mellon
|
|
|
f1be0a |
|
|
|
a860d0 |
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
|
|
|
a860d0 |
Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
|
|
|
a860d0 |
|
|
|
43610c |
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
|
|
|
43610c |
# I could not get asciidoc to render properly so instead I generated
|
|
|
43610c |
# mellon_user_guide.html on Fedora using asciidoctor and included
|
|
|
43610c |
# mellon_user_guide.html as a SOURCE. If the user guide source is updated
|
|
|
43610c |
# the mellon_user_guide.html will need to be regenerated.
|
|
|
f1be0a |
|
|
|
f1be0a |
%description
|
|
|
f1be0a |
The mod_auth_mellon module is an authentication service that implements the
|
|
|
f1be0a |
SAML 2.0 federation protocol. It grants access based on the attributes
|
|
|
f1be0a |
received in assertions generated by a IdP server.
|
|
|
f1be0a |
|
|
|
f1be0a |
%prep
|
|
|
f1be0a |
%setup -q -n %{name}-%{version}
|
|
|
a860d0 |
%patch1 -p1
|
|
|
a860d0 |
%patch2 -p1
|
|
|
f1be0a |
|
|
|
f1be0a |
%build
|
|
|
f1be0a |
export APXS=%{_httpd_apxs}
|
|
|
6163e3 |
%configure --enable-diagnostics
|
|
|
6163e3 |
make clean
|
|
|
6163e3 |
make %{?_smp_mflags}
|
|
|
6163e3 |
cp .libs/%{name}.so %{name}-diagnostics.so
|
|
|
6163e3 |
|
|
|
f1be0a |
%configure
|
|
|
6163e3 |
make clean
|
|
|
f1be0a |
make %{?_smp_mflags}
|
|
|
f1be0a |
|
|
|
f1be0a |
%install
|
|
|
f1be0a |
# install module
|
|
|
f1be0a |
mkdir -p %{buildroot}%{_httpd_moddir}
|
|
|
f1be0a |
install -m 755 .libs/%{name}.so %{buildroot}%{_httpd_moddir}
|
|
|
6163e3 |
install -m 755 %{name}-diagnostics.so %{buildroot}%{_httpd_moddir}
|
|
|
f1be0a |
|
|
|
f1be0a |
# install module configuration
|
|
|
f1be0a |
mkdir -p %{buildroot}%{_httpd_confdir}
|
|
|
f1be0a |
install -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir}
|
|
|
f1be0a |
mkdir -p %{buildroot}%{_httpd_modconfdir}
|
|
|
f1be0a |
install -m 644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}
|
|
|
f1be0a |
|
|
|
f1be0a |
mkdir -p %{buildroot}%{_tmpfilesdir}
|
|
|
f1be0a |
install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}
|
|
|
f1be0a |
mkdir -p %{buildroot}/run/%{name}
|
|
|
f1be0a |
|
|
|
f1be0a |
# install script to generate metadata
|
|
|
f1be0a |
mkdir -p %{buildroot}/%{_libexecdir}/%{name}
|
|
|
f1be0a |
install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
|
|
|
f1be0a |
|
|
|
6163e3 |
#install documentation
|
|
|
f1be0a |
mkdir -p %{buildroot}/%{_pkgdocdir}
|
|
|
6163e3 |
|
|
|
6163e3 |
# install Red Hat README
|
|
|
43610c |
install -m 644 %{SOURCE5} %{buildroot}/%{_pkgdocdir}
|
|
|
6163e3 |
|
|
|
6163e3 |
# install user guide
|
|
|
43610c |
cp -r doc/user_guide %{buildroot}/%{_pkgdocdir}
|
|
|
43610c |
install -m 644 %{SOURCE6} %{buildroot}/%{_pkgdocdir}/user_guide
|
|
|
f1be0a |
|
|
|
6163e3 |
%package diagnostics
|
|
|
6163e3 |
Summary: Build of mod_auth_mellon with diagnostic logging
|
|
|
6163e3 |
Requires: %{name} = %{version}-%{release}
|
|
|
6163e3 |
|
|
|
6163e3 |
%description diagnostics
|
|
|
43610c |
Build of mod_auth_mellon with diagnostic logging. See README.redhat.rst
|
|
|
43610c |
in the doc directory for instructions on using the diagnostics build.
|
|
|
6163e3 |
|
|
|
6163e3 |
%files diagnostics
|
|
|
6163e3 |
%{_httpd_moddir}/%{name}-diagnostics.so
|
|
|
f1be0a |
|
|
|
f1be0a |
%files
|
|
|
f1be0a |
%defattr(-,root,root)
|
|
|
f1be0a |
%if 0%{?rhel} && 0%{?rhel} < 7
|
|
|
f1be0a |
%doc COPYING
|
|
|
f1be0a |
%else
|
|
|
f1be0a |
%license COPYING
|
|
|
f1be0a |
%endif
|
|
|
43610c |
%doc README.md NEWS ECP.rst
|
|
|
6163e3 |
%doc %{_pkgdocdir}/README.redhat.rst
|
|
|
f1be0a |
%doc %{_pkgdocdir}/user_guide
|
|
|
f1be0a |
%config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf
|
|
|
f1be0a |
%config(noreplace) %{_httpd_confdir}/auth_mellon.conf
|
|
|
f1be0a |
%{_httpd_moddir}/mod_auth_mellon.so
|
|
|
f1be0a |
%{_tmpfilesdir}/mod_auth_mellon.conf
|
|
|
f1be0a |
%{_libexecdir}/%{name}
|
|
|
f1be0a |
%dir /run/%{name}/
|
|
|
f1be0a |
|
|
|
f1be0a |
%changelog
|
|
|
a860d0 |
* Mon Apr 8 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-2.4
|
|
|
a860d0 |
- Actually apply the patch in the previous build
|
|
|
a860d0 |
- Resolves: rhbz#1697488 - CVE-2019-3877 mod_auth_mellon: open redirect
|
|
|
a860d0 |
in logout url when using URLs with backslashes
|
|
|
a860d0 |
|
|
|
a860d0 |
* Mon Apr 8 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-2.3
|
|
|
a860d0 |
- Resolves: rhbz#1697488 - CVE-2019-3877 mod_auth_mellon: open redirect
|
|
|
a860d0 |
in logout url when using URLs with backslashes
|
|
|
a860d0 |
[rhel-7] [rhel-7.6.z]
|
|
|
a860d0 |
|
|
|
a860d0 |
* Mon Apr 8 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-2.2
|
|
|
a860d0 |
- Resolves: rhbz#1697487 - mod_auth_mellon Cert files name wrong when
|
|
|
a860d0 |
hostname contains a number
|
|
|
a860d0 |
|
|
|
a860d0 |
* Fri Mar 22 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-2.1
|
|
|
a860d0 |
- Resolves: rhbz#1692455 - CVE-2019-3878 mod_auth_mellon: authentication
|
|
|
a860d0 |
bypass in ECP flow [rhel-7.6.z]
|
|
|
a860d0 |
|
|
|
43610c |
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-2
|
|
|
43610c |
- Resolves: rhbz#1553885
|
|
|
43610c |
- fix file permissions on doc files
|
|
|
43610c |
|
|
|
43610c |
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-1
|
|
|
43610c |
- Resolves: rhbz#1553885
|
|
|
43610c |
- Rebase to current upstream release
|
|
|
6163e3 |
|
|
|
6163e3 |
* Thu Mar 29 2018 John Dennis <jdennis@redhat.com> - 0.13.1-2
|
|
|
43610c |
- Resolves: rhbz#1481330 Add diagnostic logging
|
|
|
43610c |
- Resolves: rhbz#1295472 Add MellonSignatureMethod config option to set
|
|
|
43610c |
signature method used to sign SAML messages sent by Mellon.
|
|
|
43610c |
Defaults to original sha1.
|
|
|
6163e3 |
|
|
|
f1be0a |
* Fri Oct 20 2017 John Dennis <jdennis@redhat.com> - 0.13.1-1
|
|
|
f1be0a |
- Resolves: rhbz#1481332 Upgrade to current upstream 0.13.1
|
|
|
f1be0a |
- Adds the following upstream bug fixes on top of 0.13.1:
|
|
|
f1be0a |
* ee97812 Add Mellon User Guide
|
|
|
f1be0a |
* daa5d1e If no IdP's are defined explicitly log that fact
|
|
|
f1be0a |
* c291232 Make MellonUser case-insensitive.
|
|
|
f1be0a |
* 2c2e19d Fix incorrect error check for many `lasso_*`-functions.
|
|
|
f1be0a |
* 5c5ed1d Fix segmentation fault with POST field without a value.
|
|
|
f1be0a |
* 4c924d9 Fix some log message typos
|
|
|
f1be0a |
* 93faba4 Update log msg for Invalid Destination and Invalid Audience to
|
|
|
f1be0a |
show both the expected and received values.
|
|
|
f1be0a |
- Add new mellon user guide to installed docdir
|
|
|
f1be0a |
|
|
|
f1be0a |
* Mon Jan 30 2017 John Dennis <jdennis@redhat.com> - 0.11.0-4
|
|
|
f1be0a |
- Resolves: rhbz#1414021 - Incorrect Content-Type header in ECP PAOS
|
|
|
f1be0a |
Rebuilding due to missing comment in Changelog
|
|
|
f1be0a |
|
|
|
f1be0a |
* Mon Jan 30 2017 John Dennis <jdennis@redhat.com> - 0.11.0-3
|
|
|
f1be0a |
- Resolves: rhbz#1414021 - Incorrect Content-Type header in ECP PAOS
|
|
|
f1be0a |
|
|
|
f1be0a |
* Fri Apr 8 2016 John Dennis <jdennis@redhat.com> - 0.11.0-2
|
|
|
f1be0a |
- Resolves: bug #1296286
|
|
|
f1be0a |
mod_auth_mellon emits CRITICAL warning message in Apache log when doing ECP
|
|
|
f1be0a |
- Resolves: bug #1324536
|
|
|
f1be0a |
Installing mod_auth_mellon causes working Kerberos authentication
|
|
|
f1be0a |
to start failing
|
|
|
f1be0a |
- Add ECP.rst documentation file that was erroneously omitted
|
|
|
f1be0a |
|
|
|
f1be0a |
* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-1
|
|
|
f1be0a |
- Upgrade to upstream 0.11.0 release.
|
|
|
f1be0a |
- Includes ECP support, see NEWS for all changes.
|
|
|
f1be0a |
- Update mellon_create_metadata.sh to match internally generated metadata,
|
|
|
f1be0a |
includes AssertionConsumerService for postResponse, artifactResponse &
|
|
|
f1be0a |
paosResponse.
|
|
|
f1be0a |
- Add lasso 2.5.0 version dependency
|
|
|
f1be0a |
- Resolves: #1205345
|
|
|
f1be0a |
|
|
|
f1be0a |
* Mon Aug 24 2015 John Dennis <jdennis@redhat.com> - 0.10.0-3
|
|
|
f1be0a |
- Rebase to upstream 0.10.0 release
|
|
|
f1be0a |
- Apply upstream commits post 0.10.0 release
|
|
|
f1be0a |
- Apply revised ECP pending patches,
|
|
|
f1be0a |
fix patch to pickup change in configure script that causes
|
|
|
f1be0a |
HAVE_ECP to be defined
|
|
|
f1be0a |
- Resolves: #1205345
|
|
|
f1be0a |
|
|
|
f1be0a |
* Wed Aug 19 2015 John Dennis <jdennis@redhat.com> - 0.10.0-2
|
|
|
f1be0a |
- Rebase to upstream 0.10.0 release
|
|
|
f1be0a |
- Apply upstream commits post 0.10.0 release
|
|
|
f1be0a |
- Apply revised ECP pending patches
|
|
|
f1be0a |
- Resolves: #1205345
|
|
|
f1be0a |
|
|
|
f1be0a |
* Mon Jun 22 2015 John Dennis <jdennis@redhat.com> - 0.10.0-1
|
|
|
f1be0a |
- Rebase to upstream 0.10.0 release
|
|
|
f1be0a |
- Apply upstream commits post 0.10.0 release
|
|
|
f1be0a |
- Apply ECP pending patches
|
|
|
f1be0a |
- Resolves: #1205345
|
|
|
f1be0a |
|
|
|
f1be0a |
* Mon Dec 8 2014 Simo Sorce <simo@redhat.com> 0.9.1-4
|
|
|
f1be0a |
- Large scale intreop patches
|
|
|
f1be0a |
- Resolves: #1167844
|
|
|
f1be0a |
|
|
|
f1be0a |
* Wed Sep 10 2014 Simo Sorce <simo@redhat.com> 0.9.1-3
|
|
|
f1be0a |
- Fix upstream sources URL
|
|
|
f1be0a |
- Related: #1120353
|
|
|
f1be0a |
|
|
|
f1be0a |
* Fri Sep 5 2014 Simo Sorce <simo@redhat.com> 0.9.1-2
|
|
|
f1be0a |
- Import package in RHEL7
|
|
|
f1be0a |
- Resolves: #1120353
|
|
|
f1be0a |
|
|
|
f1be0a |
* Tue Sep 2 2014 Simo Sorce <simo@redhat.com> 0.9.1-1
|
|
|
f1be0a |
- New upstream release
|
|
|
f1be0a |
|
|
|
f1be0a |
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.0-2
|
|
|
f1be0a |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
|
|
f1be0a |
|
|
|
f1be0a |
* Tue Jun 24 2014 Simo Sorce <simo@redhat.com> 0.8.0-1
|
|
|
f1be0a |
- New upstream realease version 0.8.0
|
|
|
f1be0a |
- Upstream moved to github
|
|
|
f1be0a |
- Drops patches as they have been all included upstream
|
|
|
f1be0a |
|
|
|
f1be0a |
* Fri Jun 20 2014 Simo Sorce <simo@redhat.com> 0.7.0-3
|
|
|
f1be0a |
- Backport of useful patches from upstream
|
|
|
f1be0a |
- Better handling of IDP reported errors
|
|
|
f1be0a |
- Better handling of session data storage size
|
|
|
f1be0a |
|
|
|
f1be0a |
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.0-2
|
|
|
f1be0a |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
|
|
f1be0a |
|
|
|
f1be0a |
* Tue Dec 10 2013 Simo Sorce <simo@redhat.com> 0.7.0-1
|
|
|
f1be0a |
- Fix ownership of /run files
|
|
|
f1be0a |
|
|
|
f1be0a |
* Wed Nov 27 2013 Simo Sorce <simo@redhat.com> 0.7.0-0
|
|
|
f1be0a |
- Initial Fedora release based on version 0.7.0
|
|
|
f1be0a |
- Based on an old spec file by Jean-Marc Liger <jmliger@siris.sorbonne.fr>
|