diff --git a/.gitignore b/.gitignore
index 88fe743..acad6e2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/mod_auth_mellon-0.9.1.tar.gz
+SOURCES/mod_auth_mellon-0.11.0.tar.gz
diff --git a/.mod_auth_mellon.metadata b/.mod_auth_mellon.metadata
index 12ec71c..4bee861 100644
--- a/.mod_auth_mellon.metadata
+++ b/.mod_auth_mellon.metadata
@@ -1 +1 @@
-226f35c2f91a2f2892ac15cc33a74d8942286127 SOURCES/mod_auth_mellon-0.9.1.tar.gz
+57403fad4595fae773abae04b631cacfbe5948f5 SOURCES/mod_auth_mellon-0.11.0.tar.gz
diff --git a/SOURCES/0001-Define-envirnment-size-spacious-enough-to-hold-large.patch b/SOURCES/0001-Define-envirnment-size-spacious-enough-to-hold-large.patch
deleted file mode 100644
index a27c071..0000000
--- a/SOURCES/0001-Define-envirnment-size-spacious-enough-to-hold-large.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d133a1c50dba2513fcc3802af96ce7f1b79db3c6 Mon Sep 17 00:00:00 2001
-From: Jarek Polok <jpolok@xenophile.cern.ch>
-Date: Thu, 13 Nov 2014 13:11:57 +0100
-Subject: [PATCH] Define envirnment size spacious enough to hold large number
- of attributes.
-
----
- auth_mellon.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/auth_mellon.h b/auth_mellon.h
-index e915cbfbdd33072637780145ce5d7fcf7d9ebc88..ce35959a81d470bbe22d0c71e0e710f0f0e7ff54 100644
---- a/auth_mellon.h
-+++ b/auth_mellon.h
-@@ -73,7 +73,7 @@
- /* Size definitions for the session cache.
- */
- #define AM_CACHE_KEYSIZE 120
--#define AM_CACHE_ENVSIZE 128
-+#define AM_CACHE_ENVSIZE 2048
- #define AM_CACHE_USERSIZE 512
- #define AM_CACHE_DEFAULT_ENTRY_SIZE 196608
- #define AM_CACHE_MIN_ENTRY_SIZE 65536
---
-2.1.0
-
diff --git a/SOURCES/0002-Adding-MellonMergeEnvVars-optional-functionality.patch b/SOURCES/0002-Adding-MellonMergeEnvVars-optional-functionality.patch
deleted file mode 100644
index b83b902..0000000
--- a/SOURCES/0002-Adding-MellonMergeEnvVars-optional-functionality.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-From 1d61071f18a0e63e03b9c37cc407327b91fc6273 Mon Sep 17 00:00:00 2001
-From: Jarek Polok <jpolok@xenophile.cern.ch>
-Date: Tue, 11 Nov 2014 17:38:57 +0100
-Subject: [PATCH] Adding MellonMergeEnvVars (optional) functionality Allows to
- concatenate env. variables values in single variable name, ie:
-
-VAR=val1;val2;val3;...
-
-instead of standard mod_auth_mellom behaviour:
-
-VAR=val1
-VAR_0=val1
-VAR_1=val2
-VAR_2=val3
-...
----
- README | 16 ++++++++++++++++
- auth_mellon.h | 1 +
- auth_mellon_cache.c | 35 ++++++++++++++++++++++++++---------
- auth_mellon_config.c | 18 ++++++++++++++++++
- 4 files changed, 61 insertions(+), 9 deletions(-)
-
-diff --git a/README b/README
-index 238171301a857b9ede7933b9f4981c4bb58731ec..b5ff9b8ed8364367c32d8251d3d69fc27046d1dd 100644
---- a/README
-+++ b/README
-@@ -232,6 +232,13 @@ MellonPostCount 100
- # Default. None set.
- MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
-
-+ # MellonMergeEnvVars merges multiple values of environement variables
-+ # set using MellonSetEnv into single variable:
-+ # ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of:
-+ # MYENV_VAR_0 => val1, MYENV_VAR_1 => val2 ... etc.
-+ # Default: MellonMergeEnvVars Off
-+ MellonMergeEnvVars On
-+
- # If MellonSessionDump is set, then the SAML session will be
- # available in the MELLON_SESSION environment variable
- MellonSessionDump Off
-@@ -590,6 +597,15 @@ MELLON_<name>, and once named <MELLON_<name>_0.
- In the case of multivalued attributes MELLON_<name> will contain the first
- value.
-
-+NOTE:
-+
-+if MellonMergeEnvVars is set to On multiple values of attributes
-+will be stored in single environement variable, separated by ";"
-+
-+MELLON_<name> -> "value1;value2;value3[;valueX]"
-+
-+and variables MELLON_<name>_0, MELLON_<name>_1, MELLON_<name>_2 will
-+not be created.
-
- The following code is a simple php-script which prints out all the
- variables:
-diff --git a/auth_mellon.h b/auth_mellon.h
-index e915cbfbdd33072637780145ce5d7fcf7d9ebc88..8649674617d9cb31438e9d73a822f688ce43182f 100644
---- a/auth_mellon.h
-+++ b/auth_mellon.h
-@@ -175,6 +175,7 @@ typedef struct am_dir_cfg_rec {
-
- const char *varname;
- int secure;
-+ int merge_env_vars;
- const char *cookie_domain;
- const char *cookie_path;
- apr_array_header_t *cond;
-diff --git a/auth_mellon_cache.c b/auth_mellon_cache.c
-index ed96732c5dec221443839be91dda50431834611b..1982e604049ca6655ea93034d5f05dd72281b34e 100644
---- a/auth_mellon_cache.c
-+++ b/auth_mellon_cache.c
-@@ -521,6 +521,7 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t)
- const char *varname;
- const char *varname_prefix;
- const char *value;
-+ const char *prefixed_varname;
- int *count;
- int status;
-
-@@ -581,6 +582,8 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t)
- }
- }
-
-+ prefixed_varname = apr_pstrcat(r->pool, varname_prefix, varname, NULL);
-+
- /* Find the number of times this variable has been set. */
- count = apr_hash_get(counters, varname, APR_HASH_KEY_STRING);
- if(count == NULL) {
-@@ -591,18 +594,32 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t)
- apr_hash_set(counters, varname, APR_HASH_KEY_STRING, count);
-
- /* Add the variable without a suffix. */
-+ apr_table_set(r->subprocess_env,prefixed_varname,value);
-+ }
-+
-+ if (d->merge_env_vars != 1) {
-+
-+ /* Add the variable with a suffix indicating how many times it has
-+ * been added before.
-+ */
- apr_table_set(r->subprocess_env,
-- apr_pstrcat(r->pool, varname_prefix, varname, NULL),
-+ apr_psprintf(r->pool, "%s_%d", prefixed_varname, *count),
- value);
-+
-+ } else if (*count > 0) {
-+
-+ /*
-+ * Merge multiple values, separating with ";"
-+ * this makes auth_mellon work same way mod_shib is:
-+ * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess
-+ */
-+ apr_table_set(r->subprocess_env,
-+ prefixed_varname,
-+ apr_pstrcat(r->pool,
-+ apr_table_get(r->subprocess_env,prefixed_varname),
-+ ";", value, NULL));
- }
--
-- /* Add the variable with a suffix indicating how many times it has
-- * been added before.
-- */
-- apr_table_set(r->subprocess_env,
-- apr_psprintf(r->pool, "%s%s_%d", varname_prefix, varname, *count),
-- value);
--
-+
- /* Increase the count. */
- ++(*count);
- }
-diff --git a/auth_mellon_config.c b/auth_mellon_config.c
-index dbcbfaa6604f4bdcfdf940a1d724947ff1100a6e..d3a408a6bcbec4fc1286222542aecbfcd3ba43e9 100644
---- a/auth_mellon_config.c
-+++ b/auth_mellon_config.c
-@@ -70,6 +70,12 @@ static const apr_size_t post_size = 1024 * 1024 * 1024;
- */
- static const int post_count = 100;
-
-+/* whether to merge env. vars or not
-+ * the MellonMergeEnvVars configuration directive if you change this.
-+ */
-+static const int default_merge_env_vars = -1;
-+
-+
- /* This function handles configuration directives which set a
- * multivalued string slot in the module configuration (the destination
- * strucure is a hash).
-@@ -1218,6 +1224,13 @@ const command_rec auth_mellon_commands[] = {
- OR_AUTHCFG,
- "Whether we should replay POST requests that trigger authentication. Default is off."
- ),
-+ AP_INIT_FLAG(
-+ "MellonMergeEnvVars",
-+ ap_set_flag_slot,
-+ (void *)APR_OFFSETOF(am_dir_cfg_rec, merge_env_vars),
-+ OR_AUTHCFG,
-+ "Whether to merge environement variables multi-values or not. Default is off."
-+ ),
- {NULL}
- };
-
-@@ -1273,6 +1286,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
-
- dir->varname = default_cookie_name;
- dir->secure = default_secure_cookie;
-+ dir->merge_env_vars = default_merge_env_vars;
- dir->cond = apr_array_make(p, 0, sizeof(am_cond_t));
- dir->cookie_domain = NULL;
- dir->cookie_path = NULL;
-@@ -1393,6 +1407,10 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
- add_cfg->secure :
- base_cfg->secure);
-
-+ new_cfg->merge_env_vars = (add_cfg->merge_env_vars != default_merge_env_vars ?
-+ add_cfg->merge_env_vars :
-+ base_cfg->merge_env_vars);
-+
- new_cfg->cookie_domain = (add_cfg->cookie_domain != NULL ?
- add_cfg->cookie_domain :
- base_cfg->cookie_domain);
---
-2.1.0
-
diff --git a/SOURCES/0003-am_check_permissions-env.-variable-mapping-fix.patch b/SOURCES/0003-am_check_permissions-env.-variable-mapping-fix.patch
deleted file mode 100644
index 58a7258..0000000
--- a/SOURCES/0003-am_check_permissions-env.-variable-mapping-fix.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 718fd6a0420bcaff04a2f896e294ea2b7abc9680 Mon Sep 17 00:00:00 2001
-From: Jarek Polok <jaroslaw.polok@cern.ch>
-Date: Sun, 16 Nov 2014 11:04:04 +0100
-Subject: [PATCH] am_check_permissions() env. variable mapping fix.
-
----
- auth_mellon_util.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/auth_mellon_util.c b/auth_mellon_util.c
-index d3acc959eb35e6458b90a093056af026d8ab4854..4b7e657938a47326cf4881da645659228ba2b578 100644
---- a/auth_mellon_util.c
-+++ b/auth_mellon_util.c
-@@ -300,16 +300,20 @@ int am_check_permissions(request_rec *r, am_cache_entry_t *session)
- */
- for (j = 0; (j < session->size) && !match; j++) {
- const char *varname = NULL;
-+ am_envattr_conf_t *envattr_conf = NULL;
-
- /*
- * if MAP flag is set, check for remapped
- * attribute name with mellonSetEnv
- */
-- if (ce->flags & AM_COND_FLAG_MAP)
-- varname = apr_hash_get(dir_cfg->envattr,
-- am_cache_entry_get_string(session,
-- &session->env[j].varname),
-- APR_HASH_KEY_STRING);
-+ if (ce->flags & AM_COND_FLAG_MAP) {
-+ envattr_conf = (am_envattr_conf_t *)apr_hash_get(dir_cfg->envattr,
-+ am_cache_entry_get_string(session,&session->env[j].varname),
-+ APR_HASH_KEY_STRING);
-+
-+ if (envattr_conf != NULL)
-+ varname = envattr_conf->name;
-+ }
-
- /*
- * Otherwise or if not found, use the attribute name
---
-2.1.0
-
diff --git a/SOURCES/mellon_create_metadata.sh b/SOURCES/mellon_create_metadata.sh
index 4eb0baf..4009f1d 100644
--- a/SOURCES/mellon_create_metadata.sh
+++ b/SOURCES/mellon_create_metadata.sh
@@ -38,14 +38,17 @@ BASEURL="$(echo "$BASEURL" | sed 's#/$##')"
OUTFILE="$(echo "$ENTITYID" | sed 's/[^A-Za-z.]/_/g' | sed 's/__*/_/g')"
echo "Output files:"
-echo "Private key: $OUTFILE.key"
-echo "Certificate: $OUTFILE.cert"
-echo "Metadata: $OUTFILE.xml"
-echo "Host: $HOST"
+echo "Private key: $OUTFILE.key"
+echo "Certificate: $OUTFILE.cert"
+echo "Metadata: $OUTFILE.xml"
+echo "Host: $HOST"
echo
echo "Endpoints:"
-echo "SingleLogoutService: $BASEURL/logout"
-echo "AssertionConsumerService: $BASEURL/postResponse"
+echo "SingleLogoutService (SOAP): $BASEURL/logout"
+echo "SingleLogoutService (HTTP-Redirect): $BASEURL/logout"
+echo "AssertionConsumerService (HTTP-POST): $BASEURL/postResponse"
+echo "AssertionConsumerService (HTTP-Artifact): $BASEURL/artifactResponse"
+echo "AssertionConsumerService (PAOS): $BASEURL/paosResponse"
echo
# No files should not be readable by the rest of the world.
@@ -72,18 +75,49 @@ rm -f "$TEMPLATEFILE"
CERT="$(grep -v '^-----' "$OUTFILE.cert")"
cat >"$OUTFILE.xml" <<EOF
-<EntityDescriptor entityID="$ENTITYID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
- <KeyDescriptor use="signing">
- <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <ds:X509Data>
- <ds:X509Certificate>$CERT</ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
- <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$BASEURL/logout"/>
- <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$BASEURL/postResponse" index="0"/>
- </SPSSODescriptor>
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<EntityDescriptor
+ entityID="$ENTITYID"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+ <SPSSODescriptor
+ AuthnRequestsSigned="true"
+ WantAssertionsSigned="true"
+ protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+ <KeyDescriptor use="signing">
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:X509Data>
+ <ds:X509Certificate>$CERT</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+ <KeyDescriptor use="encryption">
+ <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+ <ds:X509Data>
+ <ds:X509Certificate>$CERT</ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+ Location="$BASEURL/logout" />
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="$BASEURL/logout" />
+ <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+ <AssertionConsumerService
+ index="0"
+ isDefault="true"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ Location="$BASEURL/postResponse" />
+ <AssertionConsumerService
+ index="1"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ Location="$BASEURL/artifactResponse" />
+ <AssertionConsumerService
+ index="2"
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
+ Location="$BASEURL/paosResponse" />
+ </SPSSODescriptor>
</EntityDescriptor>
EOF
diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec
index 98c0fd1..c9e15ab 100644
--- a/SPECS/mod_auth_mellon.spec
+++ b/SPECS/mod_auth_mellon.spec
@@ -1,7 +1,7 @@
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
Name: mod_auth_mellon
-Version: 0.9.1
-Release: 4%{?dist}
+Version: 0.11.0
+Release: 1%{?dist}
Group: System Environment/Daemons
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: auth_mellon.conf
@@ -9,15 +9,16 @@ Source2: 10-auth_mellon.conf
Source3: mod_auth_mellon.conf
Source4: mellon_create_metadata.sh
License: GPLv2+
-BuildRequires: curl-devel, glib2-devel, httpd-devel, lasso-devel, openssl-devel, xmlsec1-devel
+BuildRequires: curl-devel
+BuildRequires: glib2-devel
+BuildRequires: httpd-devel
+BuildRequires: lasso-devel >= 2.5.0
+BuildRequires: openssl-devel
+BuildRequires: xmlsec1-devel
Requires: httpd-mmn = %{_httpd_mmn}
-Requires: lasso >= 2.3.6
+Requires: lasso >= 2.5.0
Url: https://github.com/UNINETT/mod_auth_mellon
-Patch01: 0001-Define-envirnment-size-spacious-enough-to-hold-large.patch
-Patch02: 0002-Adding-MellonMergeEnvVars-optional-functionality.patch
-Patch03: 0003-am_check_permissions-env.-variable-mapping-fix.patch
-
%description
The mod_auth_mellon module is an authentication service that implements the
SAML 2.0 federation protocol. It grants access based on the attributes
@@ -25,9 +26,6 @@ received in assertions generated by a IdP server.
%prep
%setup -q -n %{name}-%{version}
-%patch01 -p1
-%patch02 -p1
-%patch03 -p1
%build
export APXS=%{_httpd_apxs}
@@ -55,7 +53,7 @@ install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
%files
%defattr(-,root,root)
-%doc README COPYING
+%doc README COPYING NEWS
%config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf
%config(noreplace) %{_httpd_confdir}/auth_mellon.conf
%{_httpd_moddir}/mod_auth_mellon.so
@@ -64,6 +62,35 @@ install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
%dir /run/%{name}/
%changelog
+* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-1
+- Upgrade to upstream 0.11.0 release.
+- Includes ECP support, see NEWS for all changes.
+- Update mellon_create_metadata.sh to match internally generated metadata,
+ includes AssertionConsumerService for postResponse, artifactResponse &
+ paosResponse.
+- Add lasso 2.5.0 version dependency
+- Resolves: #1205345
+
+* Mon Aug 24 2015 John Dennis <jdennis@redhat.com> - 0.10.0-3
+- Rebase to upstream 0.10.0 release
+- Apply upstream commits post 0.10.0 release
+- Apply revised ECP pending patches,
+ fix patch to pickup change in configure script that causes
+ HAVE_ECP to be defined
+- Resolves: #1205345
+
+* Wed Aug 19 2015 John Dennis <jdennis@redhat.com> - 0.10.0-2
+- Rebase to upstream 0.10.0 release
+- Apply upstream commits post 0.10.0 release
+- Apply revised ECP pending patches
+- Resolves: #1205345
+
+* Mon Jun 22 2015 John Dennis <jdennis@redhat.com> - 0.10.0-1
+- Rebase to upstream 0.10.0 release
+- Apply upstream commits post 0.10.0 release
+- Apply ECP pending patches
+- Resolves: #1205345
+
* Mon Dec 8 2014 Simo Sorce <simo@redhat.com> 0.9.1-4
- Large scale intreop patches
- Resolves: #1167844