diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..88fe743
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/mod_auth_mellon-0.9.1.tar.gz
diff --git a/.mod_auth_mellon.metadata b/.mod_auth_mellon.metadata
new file mode 100644
index 0000000..12ec71c
--- /dev/null
+++ b/.mod_auth_mellon.metadata
@@ -0,0 +1 @@
+226f35c2f91a2f2892ac15cc33a74d8942286127 SOURCES/mod_auth_mellon-0.9.1.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 98f42b4..0000000
--- a/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/0001-Define-envirnment-size-spacious-enough-to-hold-large.patch b/SOURCES/0001-Define-envirnment-size-spacious-enough-to-hold-large.patch
new file mode 100644
index 0000000..a27c071
--- /dev/null
+++ b/SOURCES/0001-Define-envirnment-size-spacious-enough-to-hold-large.patch
@@ -0,0 +1,26 @@
+From d133a1c50dba2513fcc3802af96ce7f1b79db3c6 Mon Sep 17 00:00:00 2001
+From: Jarek Polok
+Date: Thu, 13 Nov 2014 13:11:57 +0100
+Subject: [PATCH] Define envirnment size spacious enough to hold large number
+ of attributes.
+
+---
+ auth_mellon.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auth_mellon.h b/auth_mellon.h
+index e915cbfbdd33072637780145ce5d7fcf7d9ebc88..ce35959a81d470bbe22d0c71e0e710f0f0e7ff54 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -73,7 +73,7 @@
+ /* Size definitions for the session cache.
+ */
+ #define AM_CACHE_KEYSIZE 120
+-#define AM_CACHE_ENVSIZE 128
++#define AM_CACHE_ENVSIZE 2048
+ #define AM_CACHE_USERSIZE 512
+ #define AM_CACHE_DEFAULT_ENTRY_SIZE 196608
+ #define AM_CACHE_MIN_ENTRY_SIZE 65536
+--
+2.1.0
+
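Review bot: Raising AM_CACHE_ENVSIZE from 128 to 2048 enlarges the per-entry environment table sixteenfold, yet AM_CACHE_DEFAULT_ENTRY_SIZE and AM_CACHE_MIN_ENTRY_SIZE two lines below are left unchanged, so it is worth confirming that a default-sized entry still has room for the strings the extra slots are meant to reference. If each cache entry carries an array of AM_CACHE_ENVSIZE records in a shared-memory segment sized at startup (the auth_mellon.conf added in this commit sets MellonCacheSize 100), the growth is paid for every configured entry whether or not a session fills the slots — presumably acceptable, but not stated anywhere. A comment beside the new value would record the trade-off, e.g. `/* 2048: sized for IdPs that release many multivalued attributes; grows every cache entry's fixed env table */`. The #define block is only partially visible in the hunk.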
diff --git a/SOURCES/0002-Adding-MellonMergeEnvVars-optional-functionality.patch b/SOURCES/0002-Adding-MellonMergeEnvVars-optional-functionality.patch
new file mode 100644
index 0000000..b83b902
--- /dev/null
+++ b/SOURCES/0002-Adding-MellonMergeEnvVars-optional-functionality.patch
@@ -0,0 +1,184 @@
+From 1d61071f18a0e63e03b9c37cc407327b91fc6273 Mon Sep 17 00:00:00 2001
+From: Jarek Polok
+Date: Tue, 11 Nov 2014 17:38:57 +0100
+Subject: [PATCH] Adding MellonMergeEnvVars (optional) functionality Allows to
+ concatenate env. variables values in single variable name, ie:
+
+VAR=val1;val2;val3;...
+
+instead of standard mod_auth_mellom behaviour:
+
+VAR=val1
+VAR_0=val1
+VAR_1=val2
+VAR_2=val3
+...
+---
+ README | 16 ++++++++++++++++
+ auth_mellon.h | 1 +
+ auth_mellon_cache.c | 35 ++++++++++++++++++++++++++---------
+ auth_mellon_config.c | 18 ++++++++++++++++++
+ 4 files changed, 61 insertions(+), 9 deletions(-)
+
+diff --git a/README b/README
+index 238171301a857b9ede7933b9f4981c4bb58731ec..b5ff9b8ed8364367c32d8251d3d69fc27046d1dd 100644
+--- a/README
++++ b/README
+@@ -232,6 +232,13 @@ MellonPostCount 100
+ # Default. None set.
+ MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
+
++ # MellonMergeEnvVars merges multiple values of environement variables
++ # set using MellonSetEnv into single variable:
++ # ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of:
++ # MYENV_VAR_0 => val1, MYENV_VAR_1 => val2 ... etc.
++ # Default: MellonMergeEnvVars Off
++ MellonMergeEnvVars On
++
+ # If MellonSessionDump is set, then the SAML session will be
+ # available in the MELLON_SESSION environment variable
+ MellonSessionDump Off
+@@ -590,6 +597,15 @@ MELLON_, and once named _0.
+ In the case of multivalued attributes MELLON_ will contain the first
+ value.
+
++NOTE:
++
++if MellonMergeEnvVars is set to On multiple values of attributes
++will be stored in single environement variable, separated by ";"
++
++MELLON_ -> "value1;value2;value3[;valueX]"
++
++and variables MELLON__0, MELLON__1, MELLON__2 will
++not be created.
+
+ The following code is a simple php-script which prints out all the
+ variables:
+diff --git a/auth_mellon.h b/auth_mellon.h
+index e915cbfbdd33072637780145ce5d7fcf7d9ebc88..8649674617d9cb31438e9d73a822f688ce43182f 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -175,6 +175,7 @@ typedef struct am_dir_cfg_rec {
+
+ const char *varname;
+ int secure;
++ int merge_env_vars;
+ const char *cookie_domain;
+ const char *cookie_path;
+ apr_array_header_t *cond;
+diff --git a/auth_mellon_cache.c b/auth_mellon_cache.c
+index ed96732c5dec221443839be91dda50431834611b..1982e604049ca6655ea93034d5f05dd72281b34e 100644
+--- a/auth_mellon_cache.c
++++ b/auth_mellon_cache.c
+@@ -521,6 +521,7 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t)
+ const char *varname;
+ const char *varname_prefix;
+ const char *value;
++ const char *prefixed_varname;
+ int *count;
+ int status;
+
+@@ -581,6 +582,8 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t)
+ }
+ }
+
++ prefixed_varname = apr_pstrcat(r->pool, varname_prefix, varname, NULL);
++
+ /* Find the number of times this variable has been set. */
+ count = apr_hash_get(counters, varname, APR_HASH_KEY_STRING);
+ if(count == NULL) {
+@@ -591,18 +594,32 @@ void am_cache_env_populate(request_rec *r, am_cache_entry_t *t)
+ apr_hash_set(counters, varname, APR_HASH_KEY_STRING, count);
+
+ /* Add the variable without a suffix. */
++ apr_table_set(r->subprocess_env,prefixed_varname,value);
++ }
++
++ if (d->merge_env_vars != 1) {
++
++ /* Add the variable with a suffix indicating how many times it has
++ * been added before.
++ */
+ apr_table_set(r->subprocess_env,
+- apr_pstrcat(r->pool, varname_prefix, varname, NULL),
++ apr_psprintf(r->pool, "%s_%d", prefixed_varname, *count),
+ value);
++
++ } else if (*count > 0) {
++
++ /*
++ * Merge multiple values, separating with ";"
++ * this makes auth_mellon work same way mod_shib is:
++ * https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess
++ */
++ apr_table_set(r->subprocess_env,
++ prefixed_varname,
++ apr_pstrcat(r->pool,
++ apr_table_get(r->subprocess_env,prefixed_varname),
++ ";", value, NULL));
+ }
+-
+- /* Add the variable with a suffix indicating how many times it has
+- * been added before.
+- */
+- apr_table_set(r->subprocess_env,
+- apr_psprintf(r->pool, "%s%s_%d", varname_prefix, varname, *count),
+- value);
+-
++
+ /* Increase the count. */
+ ++(*count);
+ }
+diff --git a/auth_mellon_config.c b/auth_mellon_config.c
+index dbcbfaa6604f4bdcfdf940a1d724947ff1100a6e..d3a408a6bcbec4fc1286222542aecbfcd3ba43e9 100644
+--- a/auth_mellon_config.c
++++ b/auth_mellon_config.c
+@@ -70,6 +70,12 @@ static const apr_size_t post_size = 1024 * 1024 * 1024;
+ */
+ static const int post_count = 100;
+
++/* whether to merge env. vars or not
++ * the MellonMergeEnvVars configuration directive if you change this.
++ */
++static const int default_merge_env_vars = -1;
++
++
+ /* This function handles configuration directives which set a
+ * multivalued string slot in the module configuration (the destination
+ * strucure is a hash).
+@@ -1218,6 +1224,13 @@ const command_rec auth_mellon_commands[] = {
+ OR_AUTHCFG,
+ "Whether we should replay POST requests that trigger authentication. Default is off."
+ ),
++ AP_INIT_FLAG(
++ "MellonMergeEnvVars",
++ ap_set_flag_slot,
++ (void *)APR_OFFSETOF(am_dir_cfg_rec, merge_env_vars),
++ OR_AUTHCFG,
++ "Whether to merge environement variables multi-values or not. Default is off."
++ ),
+ {NULL}
+ };
+
+@@ -1273,6 +1286,7 @@ void *auth_mellon_dir_config(apr_pool_t *p, char *d)
+
+ dir->varname = default_cookie_name;
+ dir->secure = default_secure_cookie;
++ dir->merge_env_vars = default_merge_env_vars;
+ dir->cond = apr_array_make(p, 0, sizeof(am_cond_t));
+ dir->cookie_domain = NULL;
+ dir->cookie_path = NULL;
+@@ -1393,6 +1407,10 @@ void *auth_mellon_dir_merge(apr_pool_t *p, void *base, void *add)
+ add_cfg->secure :
+ base_cfg->secure);
+
++ new_cfg->merge_env_vars = (add_cfg->merge_env_vars != default_merge_env_vars ?
++ add_cfg->merge_env_vars :
++ base_cfg->merge_env_vars);
++
+ new_cfg->cookie_domain = (add_cfg->cookie_domain != NULL ?
+ add_cfg->cookie_domain :
+ base_cfg->cookie_domain);
+--
+2.1.0
+
diff --git a/SOURCES/0003-am_check_permissions-env.-variable-mapping-fix.patch b/SOURCES/0003-am_check_permissions-env.-variable-mapping-fix.patch
new file mode 100644
index 0000000..58a7258
--- /dev/null
+++ b/SOURCES/0003-am_check_permissions-env.-variable-mapping-fix.patch
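Review bot: The merge branch in the auth_mellon_cache.c hunk joins values with a bare `";"` and does not escape a `;` occurring inside an attribute value, so a consumer that splits MELLON_* on `;` cannot distinguish one value containing a semicolon from two values; the README hunk should state this where it documents the separator, e.g. `# Values are joined with ";" verbatim; a ";" inside a value is not escaped.`. The new comment in auth_mellon_config.c is a sentence fragment (`whether to merge env. vars or not * the MellonMergeEnvVars configuration directive if you change this.`); it presumably should follow the neighbouring defaults, e.g. `/* Whether to merge multivalued env. vars into one variable (-1 = unset). Remember to update the MellonMergeEnvVars directive description if you change this. */`. The `d->merge_env_vars != 1` test depends on the -1 unset sentinel taking the suffixed branch; `d` is defined before the hunk, so this holds only if it is the merged per-directory config (am_dir_cfg_rec), which is worth confirming. am_cache_env_populate begins before and ends after this hunk.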
@@ -0,0 +1,42 @@
+From 718fd6a0420bcaff04a2f896e294ea2b7abc9680 Mon Sep 17 00:00:00 2001
+From: Jarek Polok
+Date: Sun, 16 Nov 2014 11:04:04 +0100
+Subject: [PATCH] am_check_permissions() env. variable mapping fix.
+
+---
+ auth_mellon_util.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index d3acc959eb35e6458b90a093056af026d8ab4854..4b7e657938a47326cf4881da645659228ba2b578 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -300,16 +300,20 @@ int am_check_permissions(request_rec *r, am_cache_entry_t *session)
+ */
+ for (j = 0; (j < session->size) && !match; j++) {
+ const char *varname = NULL;
++ am_envattr_conf_t *envattr_conf = NULL;
+
+ /*
+ * if MAP flag is set, check for remapped
+ * attribute name with mellonSetEnv
+ */
+- if (ce->flags & AM_COND_FLAG_MAP)
+- varname = apr_hash_get(dir_cfg->envattr,
+- am_cache_entry_get_string(session,
+- &session->env[j].varname),
+- APR_HASH_KEY_STRING);
++ if (ce->flags & AM_COND_FLAG_MAP) {
++ envattr_conf = (am_envattr_conf_t *)apr_hash_get(dir_cfg->envattr,
++ am_cache_entry_get_string(session,&session->env[j].varname),
++ APR_HASH_KEY_STRING);
++
++ if (envattr_conf != NULL)
++ varname = envattr_conf->name;
++ }
+
+ /*
+ * Otherwise or if not found, use the attribute name
+--
+2.1.0
+
diff --git a/SOURCES/10-auth_mellon.conf b/SOURCES/10-auth_mellon.conf
new file mode 100644
index 0000000..b605132
--- /dev/null
+++ b/SOURCES/10-auth_mellon.conf
@@ -0,0 +1 @@
+LoadModule auth_mellon_module modules/mod_auth_mellon.so
diff --git a/SOURCES/auth_mellon.conf b/SOURCES/auth_mellon.conf
new file mode 100644
index 0000000..ad86d39
--- /dev/null
+++ b/SOURCES/auth_mellon.conf
@@ -0,0 +1,2 @@
+MellonCacheSize 100
+MellonLockFile "/run/mod_auth_mellon/lock"
diff --git a/SOURCES/mellon_create_metadata.sh b/SOURCES/mellon_create_metadata.sh
new file mode 100644
index 0000000..4eb0baf
--- /dev/null
+++ b/SOURCES/mellon_create_metadata.sh
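Review bot: Inside the new `if (ce->flags & AM_COND_FLAG_MAP) {` block the inner `if (envattr_conf != NULL)` guards an unbraced single statement, while the outer condition was just given braces; brace it as well, `if (envattr_conf != NULL) { varname = envattr_conf->name; }`. The `(am_envattr_conf_t *)` cast on apr_hash_get's return is unnecessary in C, where `void *` converts implicitly, and only hides a future type change at that assignment. Leaving varname NULL when the lookup misses correctly falls through to the fallback the following comment describes, so no behavioural change is needed. am_check_permissions continues beyond the hunk on both sides.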
@@ -0,0 +1,92 @@ +#!/usr/bin/env bash +set -e + +PROG="$(basename "$0")" + +printUsage() { + echo "Usage: $PROG ENTITY-ID ENDPOINT-URL" + echo "" + echo "Example:" + echo " $PROG urn:someservice https://sp.example.org/mellon" + echo "" +} + +if [ "$#" -lt 2 ]; then + printUsage + exit 1 +fi + +ENTITYID="$1" +if [ -z "$ENTITYID" ]; then + echo "$PROG: An entity ID is required." >&2 + exit 1 +fi + +BASEURL="$2" +if [ -z "$BASEURL" ]; then + echo "$PROG: The URL to the MellonEndpointPath is required." >&2 + exit 1 +fi + +if ! echo "$BASEURL" | grep -q '^https\?://'; then + echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2 + exit 1 +fi + +HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^/]*\).*#\1#')" +BASEURL="$(echo "$BASEURL" | sed 's#/$##')" + +OUTFILE="$(echo "$ENTITYID" | sed 's/[^A-Za-z.]/_/g' | sed 's/__*/_/g')" +echo "Output files:" +echo "Private key: $OUTFILE.key" +echo "Certificate: $OUTFILE.cert" +echo "Metadata: $OUTFILE.xml" +echo "Host: $HOST" +echo +echo "Endpoints:" +echo "SingleLogoutService: $BASEURL/logout" +echo "AssertionConsumerService: $BASEURL/postResponse" +echo + +# No files should not be readable by the rest of the world. +umask 0077 + +TEMPLATEFILE="$(mktemp -t mellon_create_sp.XXXXXXXXXX)" + +cat >"$TEMPLATEFILE" </dev/null + +rm -f "$TEMPLATEFILE" + +CERT="$(grep -v '^-----' "$OUTFILE.cert")" + +cat >"$OUTFILE.xml" < + + + + + $CERT + + + + + + + +EOF + +umask 0777 +chmod go+r "$OUTFILE.xml" +chmod go+r "$OUTFILE.cert" diff --git a/SOURCES/mod_auth_mellon.conf b/SOURCES/mod_auth_mellon.conf new file mode 100644 index 0000000..5e653bc --- /dev/null +++ b/SOURCES/mod_auth_mellon.conf @@ -0,0 +1,2 @@ +# mod_auth_mellon lock file is created in this directory +d /run/mod_auth_mellon 0755 apache apache diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec new file mode 100644 index 0000000..98c0fd1 --- /dev/null +++ b/SPECS/mod_auth_mellon.spec 
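Review bot: `rm -f "$TEMPLATEFILE"` runs only on the success path; with `set -e` at the top, any failing command between `mktemp` and that line aborts the script and leaves the template behind in the temp directory. Registering cleanup immediately after creation, `trap 'rm -f "$TEMPLATEFILE"' EXIT`, removes it on every exit path. The closing `umask 0777` reads like an attempt to restore the mask but sets the most restrictive value; nothing is created after it so it is harmless today, yet saving the original with `OLDUMASK="$(umask)"` before `umask 0077` and restoring that would make the intent clear. The private key keeps the restrictive mode from `umask 0077` because only the .xml and .cert files are later given `go+r`, which is the right outcome; the heredoc contents and the openssl invocation appear to have been lost in rendering and are not reviewed here.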
@@ -0,0 +1,103 @@
+Summary: A SAML 2.0 authentication module for the Apache Httpd Server
+Name: mod_auth_mellon
+Version: 0.9.1
+Release: 4%{?dist}
+Group: System Environment/Daemons
+Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Source1: auth_mellon.conf
+Source2: 10-auth_mellon.conf
+Source3: mod_auth_mellon.conf
+Source4: mellon_create_metadata.sh
+License: GPLv2+
+BuildRequires: curl-devel, glib2-devel, httpd-devel, lasso-devel, openssl-devel, xmlsec1-devel
+Requires: httpd-mmn = %{_httpd_mmn}
+Requires: lasso >= 2.3.6
+Url: https://github.com/UNINETT/mod_auth_mellon
+
+Patch01: 0001-Define-envirnment-size-spacious-enough-to-hold-large.patch
+Patch02: 0002-Adding-MellonMergeEnvVars-optional-functionality.patch
+Patch03: 0003-am_check_permissions-env.-variable-mapping-fix.patch
+
+%description
+The mod_auth_mellon module is an authentication service that implements the
+SAML 2.0 federation protocol. It grants access based on the attributes
+received in assertions generated by a IdP server.
+
+%prep
+%setup -q -n %{name}-%{version}
+%patch01 -p1
+%patch02 -p1
+%patch03 -p1
+
+%build
+export APXS=%{_httpd_apxs}
+%configure
+make %{?_smp_mflags}
+
+%install
+# install module
+mkdir -p %{buildroot}%{_httpd_moddir}
+install -m 755 .libs/%{name}.so %{buildroot}%{_httpd_moddir}
+
+# install module configuration
+mkdir -p %{buildroot}%{_httpd_confdir}
+install -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir}
+mkdir -p %{buildroot}%{_httpd_modconfdir}
+install -m 644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}
+
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}
+mkdir -p %{buildroot}/run/%{name}
+
+# install script to generate metadata
+mkdir -p %{buildroot}/%{_libexecdir}/%{name}
+install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
+
+%files
+%defattr(-,root,root)
+%doc README COPYING
+%config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf
+%config(noreplace) %{_httpd_confdir}/auth_mellon.conf
+%{_httpd_moddir}/mod_auth_mellon.so
+%{_tmpfilesdir}/mod_auth_mellon.conf
+%{_libexecdir}/%{name}
+%dir /run/%{name}/
+
+%changelog
+* Mon Dec 8 2014 Simo Sorce 0.9.1-4
+- Large scale intreop patches
+- Resolves: #1167844
+
+* Wed Sep 10 2014 Simo Sorce 0.9.1-3
+- Fix upstream sources URL
+- Related: #1120353
+
+* Fri Sep 5 2014 Simo Sorce 0.9.1-2
+- Import package in RHEL7
+- Resolves: #1120353
+
+* Tue Sep 2 2014 Simo Sorce 0.9.1-1
+- New upstream release
+
+* Sun Aug 17 2014 Fedora Release Engineering - 0.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Jun 24 2014 Simo Sorce 0.8.0-1
+- New upstream realease version 0.8.0
+- Upstream moved to github
+- Drops patches as they have been all included upstream
+
+* Fri Jun 20 2014 Simo Sorce 0.7.0-3
+- Backport of useful patches from upstream
+ - Better handling of IDP reported errors
+ - Better handling of session data storage size
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.7.0-2
+- Rebuilt for
https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Dec 10 2013 Simo Sorce 0.7.0-1 +- Fix ownership of /run files + +* Wed Nov 27 2013 Simo Sorce 0.7.0-0 +- Initial Fedora release based on version 0.7.0 +- Based on an old spec file by Jean-Marc Liger
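Review bot: The two libexec lines in %install write `%{buildroot}/%{_libexecdir}/%{name}` with a slash before the macro while every other line in the section uses the `%{buildroot}%{_httpd_moddir}` form; `%{_libexecdir}` already begins with `/`, so the extra slash only yields a doubled separator and should be dropped for consistency. In %files, `%dir /run/%{name}/` carries a trailing slash that no other entry has. The %description text `generated by a IdP server` should read `generated by an IdP server`.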