diff --git a/.gitignore b/.gitignore
index 88fe743..acad6e2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/mod_auth_mellon-0.9.1.tar.gz
+SOURCES/mod_auth_mellon-0.11.0.tar.gz
diff --git a/.mod_auth_mellon.metadata b/.mod_auth_mellon.metadata
index 12ec71c..4bee861 100644
--- a/.mod_auth_mellon.metadata
+++ b/.mod_auth_mellon.metadata
@@ -1 +1 @@
-226f35c2f91a2f2892ac15cc33a74d8942286127 SOURCES/mod_auth_mellon-0.9.1.tar.gz
+57403fad4595fae773abae04b631cacfbe5948f5 SOURCES/mod_auth_mellon-0.11.0.tar.gz
diff --git a/SOURCES/0001-Define-envirnment-size-spacious-enough-to-hold-large.patch b/SOURCES/0001-Define-envirnment-size-spacious-enough-to-hold-large.patch
deleted file mode 100644
index a27c071..0000000
--- a/SOURCES/0001-Define-envirnment-size-spacious-enough-to-hold-large.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d133a1c50dba2513fcc3802af96ce7f1b79db3c6 Mon Sep 17 00:00:00 2001
-From: Jarek Polok
-Date: Thu, 13 Nov 2014 13:11:57 +0100
-Subject: [PATCH] Define envirnment size spacious enough to hold large number
- of attributes.
-
----
- auth_mellon.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/auth_mellon.h b/auth_mellon.h
-index e915cbfbdd33072637780145ce5d7fcf7d9ebc88..ce35959a81d470bbe22d0c71e0e710f0f0e7ff54 100644
---- a/auth_mellon.h
-+++ b/auth_mellon.h
-@@ -73,7 +73,7 @@
- /* Size definitions for the session cache.
- */
- #define AM_CACHE_KEYSIZE 120
--#define AM_CACHE_ENVSIZE 128
-+#define AM_CACHE_ENVSIZE 2048
- #define AM_CACHE_USERSIZE 512
- #define AM_CACHE_DEFAULT_ENTRY_SIZE 196608
- #define AM_CACHE_MIN_ENTRY_SIZE 65536
---
-2.1.0
-
diff --git a/SOURCES/0002-Adding-MellonMergeEnvVars-optional-functionality.patch b/SOURCES/0002-Adding-MellonMergeEnvVars-optional-functionality.patch
deleted file mode 100644
index b83b902..0000000
--- a/SOURCES/0002-Adding-MellonMergeEnvVars-optional-functionality.patch
+++ /dev/null
@@ -1,184 +0,0 @@ -From 1d61071f18a0e63e03b9c37cc407327b91fc6273 Mon Sep 17 00:00:00 2001 -From: Jarek Polok -Date: Tue, 11 Nov 2014 17:38:57 +0100 -Subject: [PATCH] Adding MellonMergeEnvVars (optional) functionality Allows to - concatenate env. variables values in single variable name, ie: - -VAR=val1;val2;val3;... - -instead of standard mod_auth_mellom behaviour: - -VAR=val1 -VAR_0=val1 -VAR_1=val2 -VAR_2=val3 -... ---- - README | 16 ++++++++++++++++ - auth_mellon.h | 1 + - auth_mellon_cache.c | 35 ++++++++++++++++++++++++++--------- - auth_mellon_config.c | 18 ++++++++++++++++++ - 4 files changed, 61 insertions(+), 9 deletions(-) - -diff --git a/README b/README -index 238171301a857b9ede7933b9f4981c4bb58731ec..b5ff9b8ed8364367c32d8251d3d69fc27046d1dd 100644 ---- a/README -+++ b/README -@@ -232,6 +232,13 @@ MellonPostCount 100 - # Default. None set. - MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName" - -+ # MellonMergeEnvVars merges multiple values of environement variables -+ # set using MellonSetEnv into single variable: -+ # ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of: -+ # MYENV_VAR_0 => val1, MYENV_VAR_1 => val2 ... etc. -+ # Default: MellonMergeEnvVars Off -+ MellonMergeEnvVars On -+ - # If MellonSessionDump is set, then the SAML session will be - # available in the MELLON_SESSION environment variable - MellonSessionDump Off -@@ -590,6 +597,15 @@ MELLON_, and once named _0. - In the case of multivalued attributes MELLON_ will contain the first - value. - -+NOTE: -+ -+if MellonMergeEnvVars is set to On multiple values of attributes -+will be stored in single environement variable, separated by ";" -+ -+MELLON_ -> "value1;value2;value3[;valueX]" -+ -+and variables MELLON__0, MELLON__1, MELLON__2 will -+not be created. 
- - The following code is a simple php-script which prints out all the - variables: -diff --git a/auth_mellon.h b/auth_mellon.h -index e915cbfbdd33072637780145ce5d7fcf7d9ebc88..8649674617d9cb31438e9d73a822f688ce43182f 100644 ---- a/auth_mellon.h -+++ b/auth_mellon.h -@@ -175,6 +175,7 @@ typedef struct am_dir_cfg_rec { - - const char *varname; - int secure; -+ int merge_env_vars; - const char *cookie_domain; - const char *cookie_path; - apr_array_header_t *cond; -diff --git a/auth_mellon_cache.c b/auth_mellon_cache.c -index ed96732c5dec221443839be91dda50431834611b..1982e604049ca6655ea93034d5f05dd72281b34e 100644 ---- a/auth_mellon_cache.c -+++ b/auth_mellon_cache.c -@@ -521,6 +521,7 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t) - const char *varname; - const char *varname_prefix; - const char *value; -+ const char *prefixed_varname; - int *count; - int status; - -@@ -581,6 +582,8 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t) - } - } - -+ prefixed_varname = apr_pstrcat(r->pool, varname_prefix, varname, NULL); -+ - /* Find the number of times this variable has been set. */ - count = apr_hash_get(counters, varname, APR_HASH_KEY_STRING); - if(count == NULL) { -@@ -591,18 +594,32 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t) - apr_hash_set(counters, varname, APR_HASH_KEY_STRING, count); - - /* Add the variable without a suffix. */ -+ apr_table_set(r->subprocess_env,prefixed_varname,value); -+ } -+ -+ if (d->merge_env_vars != 1) { -+ -+ /* Add the variable with a suffix indicating how many times it has -+ * been added before. 
-+ */ - apr_table_set(r->subprocess_env, -- apr_pstrcat(r->pool, varname_prefix, varname, NULL), -+ apr_psprintf(r->pool, "%s_%d", prefixed_varname, *count), - value); -+ -+ } else if (*count > 0) { -+ -+ /* -+ * Merge multiple values, separating with ";" -+ * this makes auth_mellon work same way mod_shib is: -+ * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess -+ */ -+ apr_table_set(r->subprocess_env, -+ prefixed_varname, -+ apr_pstrcat(r->pool, -+ apr_table_get(r->subprocess_env,prefixed_varname), -+ ";", value, NULL)); - } -- -- /* Add the variable with a suffix indicating how many times it has -- * been added before. -- */ -- apr_table_set(r->subprocess_env, -- apr_psprintf(r->pool, "%s%s_%d", varname_prefix, varname, *count), -- value); -- -+ - /* Increase the count. */ - ++(*count); - } -diff --git a/auth_mellon_config.c b/auth_mellon_config.c -index dbcbfaa6604f4bdcfdf940a1d724947ff1100a6e..d3a408a6bcbec4fc1286222542aecbfcd3ba43e9 100644 ---- a/auth_mellon_config.c -+++ b/auth_mellon_config.c -@@ -70,6 +70,12 @@ static const apr_size_t post_size = 1024 * 1024 * 1024; - */ - static const int post_count = 100; - -+/* whether to merge env. vars or not -+ * the MellonMergeEnvVars configuration directive if you change this. -+ */ -+static const int default_merge_env_vars = -1; -+ -+ - /* This function handles configuration directives which set a - * multivalued string slot in the module configuration (the destination - * strucure is a hash). -@@ -1218,6 +1224,13 @@ const command_rec auth_mellon_commands[] = { - OR_AUTHCFG, - "Whether we should replay POST requests that trigger authentication. Default is off." - ), -+ AP_INIT_FLAG( -+ "MellonMergeEnvVars", -+ ap_set_flag_slot, -+ (void *)APR_OFFSETOF(am_dir_cfg_rec, merge_env_vars), -+ OR_AUTHCFG, -+ "Whether to merge environement variables multi-values or not. Default is off." 
-+ ), - {NULL} - }; - -@@ -1273,6 +1286,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d) - - dir->varname = default_cookie_name; - dir->secure = default_secure_cookie; -+ dir->merge_env_vars = default_merge_env_vars; - dir->cond = apr_array_make(p, 0, sizeof(am_cond_t)); - dir->cookie_domain = NULL; - dir->cookie_path = NULL; -@@ -1393,6 +1407,10 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add) - add_cfg->secure : - base_cfg->secure); - -+ new_cfg->merge_env_vars = (add_cfg->merge_env_vars != default_merge_env_vars ? -+ add_cfg->merge_env_vars : -+ base_cfg->merge_env_vars); -+ - new_cfg->cookie_domain = (add_cfg->cookie_domain != NULL ? - add_cfg->cookie_domain : - base_cfg->cookie_domain); --- -2.1.0 - diff --git a/SOURCES/0003-am_check_permissions-env.-variable-mapping-fix.patch b/SOURCES/0003-am_check_permissions-env.-variable-mapping-fix.patch deleted file mode 100644 index 58a7258..0000000 --- a/SOURCES/0003-am_check_permissions-env.-variable-mapping-fix.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-From 718fd6a0420bcaff04a2f896e294ea2b7abc9680 Mon Sep 17 00:00:00 2001
-From: Jarek Polok
-Date: Sun, 16 Nov 2014 11:04:04 +0100
-Subject: [PATCH] am_check_permissions() env. variable mapping fix.
-
----
- auth_mellon_util.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/auth_mellon_util.c b/auth_mellon_util.c
-index d3acc959eb35e6458b90a093056af026d8ab4854..4b7e657938a47326cf4881da645659228ba2b578 100644
---- a/auth_mellon_util.c
-+++ b/auth_mellon_util.c
-@@ -300,16 +300,20 @@ int am_check_permissions(request_rec *r, am_cache_entry_t *session)
- */
- for (j = 0; (j < session->size) && !match; j++) {
- const char *varname = NULL;
-+ am_envattr_conf_t *envattr_conf = NULL;
-
- /*
- * if MAP flag is set, check for remapped
- * attribute name with mellonSetEnv
- */
-- if (ce->flags & AM_COND_FLAG_MAP)
-- varname = apr_hash_get(dir_cfg->envattr,
-- am_cache_entry_get_string(session,
-- &session->env[j].varname),
-- APR_HASH_KEY_STRING);
-+ if (ce->flags & AM_COND_FLAG_MAP) {
-+ envattr_conf = (am_envattr_conf_t *)apr_hash_get(dir_cfg->envattr,
-+ am_cache_entry_get_string(session,&session->env[j].varname),
-+ APR_HASH_KEY_STRING);
-+
-+ if (envattr_conf != NULL)
-+ varname = envattr_conf->name;
-+ }
-
- /*
- * Otherwise or if not found, use the attribute name
---
-2.1.0
-
diff --git a/SOURCES/mellon_create_metadata.sh b/SOURCES/mellon_create_metadata.sh
index 4eb0baf..4009f1d 100644
--- a/SOURCES/mellon_create_metadata.sh
+++ b/SOURCES/mellon_create_metadata.sh
@@ -38,14 +38,17 @@ BASEURL="$(echo "$BASEURL" | sed 's#/$##')" OUTFILE="$(echo "$ENTITYID" | sed 's/[^A-Za-z.]/_/g' | sed 's/__*/_/g')" echo "Output files:" -echo "Private key: $OUTFILE.key" -echo "Certificate: $OUTFILE.cert" -echo "Metadata: $OUTFILE.xml" -echo "Host: $HOST" +echo "Private key: $OUTFILE.key" +echo "Certificate: $OUTFILE.cert" +echo "Metadata: $OUTFILE.xml" +echo "Host: $HOST" echo echo "Endpoints:" -echo "SingleLogoutService: $BASEURL/logout" -echo "AssertionConsumerService: $BASEURL/postResponse" +echo "SingleLogoutService (SOAP): $BASEURL/logout" +echo "SingleLogoutService (HTTP-Redirect): $BASEURL/logout" +echo "AssertionConsumerService (HTTP-POST): $BASEURL/postResponse" +echo "AssertionConsumerService (HTTP-Artifact): $BASEURL/artifactResponse" +echo "AssertionConsumerService (PAOS): $BASEURL/paosResponse" echo # No files should not be readable by the rest of the world. @@ -72,18 +75,49 @@ rm -f "$TEMPLATEFILE" CERT="$(grep -v '^-----' "$OUTFILE.cert")" cat >"$OUTFILE.xml" < - - - - - $CERT - - - - - - + + + + + + + $CERT + + + + + + + $CERT + + + + + + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + EOF diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec index 98c0fd1..c9e15ab 100644 --- a/SPECS/mod_auth_mellon.spec +++ b/SPECS/mod_auth_mellon.spec @@ -1,7 +1,7 @@ Summary: A SAML 2.0 authentication module for the Apache Httpd Server Name: mod_auth_mellon -Version: 0.9.1 -Release: 4%{?dist} +Version: 0.11.0 +Release: 1%{?dist} Group: System Environment/Daemons Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz Source1: auth_mellon.conf 
@@ -9,15 +9,16 @@ Source2: 10-auth_mellon.conf Source3: mod_auth_mellon.conf Source4: mellon_create_metadata.sh License: GPLv2+ -BuildRequires: curl-devel, glib2-devel, httpd-devel, lasso-devel, openssl-devel, xmlsec1-devel +BuildRequires: curl-devel +BuildRequires: glib2-devel +BuildRequires: httpd-devel +BuildRequires: lasso-devel >= 2.5.0 +BuildRequires: openssl-devel +BuildRequires: xmlsec1-devel Requires: httpd-mmn = %{_httpd_mmn} -Requires: lasso >= 2.3.6 +Requires: lasso >= 2.5.0 Url: https://github.com/UNINETT/mod_auth_mellon -Patch01: 0001-Define-envirnment-size-spacious-enough-to-hold-large.patch -Patch02: 0002-Adding-MellonMergeEnvVars-optional-functionality.patch -Patch03: 0003-am_check_permissions-env.-variable-mapping-fix.patch - %description The mod_auth_mellon module is an authentication service that implements the SAML 2.0 federation protocol. It grants access based on the attributes @@ -25,9 +26,6 @@ received in assertions generated by a IdP server. %prep %setup -q -n %{name}-%{version} -%patch01 -p1 -%patch02 -p1 -%patch03 -p1 %build export APXS=%{_httpd_apxs} @@ -55,7 +53,7 @@ install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name} %files %defattr(-,root,root) -%doc README COPYING +%doc README COPYING NEWS %config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf %config(noreplace) %{_httpd_confdir}/auth_mellon.conf %{_httpd_moddir}/mod_auth_mellon.so 
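Review bot: Patch01–Patch03 are removed here (and their `%patch` lines in the following `%prep` hunk) without the spec or the new changelog entry recording whether 0.11.0 carries equivalent changes. Patch03 in particular changed the MellonCond MAP lookup in am_check_permissions() to take `envattr_conf->name` from the hash entry instead of using the raw hash value as the variable name, so if upstream 0.11.0 does not contain that fix, access-control conditions that rely on mapped attribute names would regress silently on this rebase. Suggest a changelog line such as `- Drop Patch01-03 (<state the upstream commit or release that absorbed each>)`, and keep any patch that is not upstream as a Patch line rather than dropping it. The lasso 2.5.0 bump is applied consistently to both `BuildRequires` and `Requires`.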
@@ -64,6 +62,35 @@ install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name} %dir /run/%{name}/ %changelog +* Fri Sep 18 2015 John Dennis - 0.11.0-1 +- Upgrade to upstream 0.11.0 release. +- Includes ECP support, see NEWS for all changes. +- Update mellon_create_metadata.sh to match internally generated metadata, + includes AssertionConsumerService for postResponse, artifactResponse & + paosResponse. +- Add lasso 2.5.0 version dependency +- Resolves: #1205345 + +* Mon Aug 24 2015 John Dennis - 0.10.0-3 +- Rebase to upstream 0.10.0 release +- Apply upstream commits post 0.10.0 release +- Apply revised ECP pending patches, + fix patch to pickup change in configure script that causes + HAVE_ECP to be defined +- Resolves: #1205345 + +* Wed Aug 19 2015 John Dennis - 0.10.0-2 +- Rebase to upstream 0.10.0 release +- Apply upstream commits post 0.10.0 release +- Apply revised ECP pending patches +- Resolves: #1205345 + +* Mon Jun 22 2015 John Dennis - 0.10.0-1 +- Rebase to upstream 0.10.0 release +- Apply upstream commits post 0.10.0 release +- Apply ECP pending patches +- Resolves: #1205345 + * Mon Dec 8 2014 Simo Sorce 0.9.1-4 - Large scale intreop patches - Resolves: #1167844