diff --git a/SOURCES/ecp_doc.patch b/SOURCES/ecp_doc.patch
new file mode 100644
index 0000000..2acd5de
--- /dev/null
+++ b/SOURCES/ecp_doc.patch
@@ -0,0 +1,29 @@
+commit 39017b2957fc7f046725339f1914eb7a87db2bea
+Author: John Dennis
+Date: Fri Apr 8 09:17:17 2016 -0400
+
+ Fix Content-Type, should be "text/xml" not "application/soap+xml"
+
+ There was an error in the example for POST'ing the the AuthnRequest to
+ the IdP, the Content-Type header erroneously was
+ "application/soap+xml" when in fact it should have been "text/xml".
+
+ As background the Content-Type for SOAP 1.1 is "text/xml" but in SOAP
+ 1.2 it was changed to "application/soap+xml". ECP is specificed to
+ used SOAP 1.1.
+
+ Signed-off-by: John Dennis
+
+diff --git a/ECP.rst b/ECP.rst
+index 4add62a..927ce13 100644
+--- a/ECP.rst
++++ b/ECP.rst
+@@ -140,7 +140,7 @@ operations.
+ response = session.post(ecp.msgUrl,
+ data=ecp.msgBody,
+ auth=requests.auth.HTTPDigestAuth(user, password)
+- headers={'Content-Type': 'application/soap+xml'})
++ headers={'Content-Type': 'text/xml'})
+
+ # Process returned SOAP wrapped from IdP
+ ecp.processResponseMsg(response.text)
diff --git a/SOURCES/enabled_in_check_uid.patch b/SOURCES/enabled_in_check_uid.patch
new file mode 100644
index 0000000..ba99055
--- /dev/null
+++ b/SOURCES/enabled_in_check_uid.patch
@@ -0,0 +1,34 @@
+commit 912aa852ebd78577f59cf7958c709acea98ace4c
+Author: John Dennis
+Date: Fri Apr 8 09:01:22 2016 -0400
+
+ am_check_uid() should be no-op if mellon not enabled
+
+ mod_auth_mellon was interferring with other Apache authentication
+ modules (e.g. mod_auth_kerb) because when the Apache check_user_id
+ hook ran the logic in am_check_uid would execute even if mellon was
+ not enabled for the location. This short circuited the hook execution
+ and never allowed the authentication enabled for the location to
+ execute. It resulted in HTTP_UNAUTHORIZED being returned with the
+ client then expecting a WWW-Authenticate header field causing the
+ client to attempt to authenticate again.
+
+ Signed-off-by: John Dennis
+
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index a72e1ca..864396f 100644
+--- a/auth_mellon_handler.c
++++ b/auth_mellon_handler.c
+@@ -3625,6 +3625,12 @@ int am_check_uid(request_rec *r)
+ return OK;
+ }
+
++ /* Check that the user has enabled authentication for this directory. */
++ if(dir->enable_mellon == am_enable_off
++ || dir->enable_mellon == am_enable_default) {
++ return DECLINED;
++ }
++
+ #ifdef HAVE_ECP
+ am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
+ if (req_cfg->ecp_authn_req) {
diff --git a/SOURCES/lasso_provider_warning.patch b/SOURCES/lasso_provider_warning.patch
new file mode 100644
index 0000000..1163574
--- /dev/null
+++ b/SOURCES/lasso_provider_warning.patch
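Review bot: The new guard treats `am_enable_default` exactly like `am_enable_off`, but the comment above it only says the user "has enabled authentication", so a reader cannot tell that an unset `enable_mellon` is deliberately handled as not-enabled here; I would widen it to `/* enable_mellon unset (default) or off: decline so other auth modules (e.g. mod_auth_kerb) get to handle this location. */`. The guard is placed after an earlier `return OK` whose condition lies outside the hunk; if that path can fire for a location where mellon is not enabled, the hook would still short-circuit the other modules, which is worth confirming. `dir` is presumably assigned earlier in am_check_uid, which begins and continues outside this hunk.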
@@ -0,0 +1,33 @@
+commit 5ba9bb72707a90503cd4d042083ea074a0cb6b8a
+Author: John Dennis
+Date: Fri Oct 30 15:46:33 2015 -0400
+
+ Role maybe unknown when assertion consumer url is looked up
+
+ Replace the call to lasso_provider_get_metadata_one() with
+ lasso_provider_get_metadata_one_for_role() so that we can exlicitly
+ pass the LASSO_PROVIDER_ROLE_SP role. The former call obtains the
+ role from the provider object and then calls
+ lasso_provider_get_metadata_one_for_role() using that role. However
+ the role will not have been set in the provider until the first request is
+ processed. This means the first time we call this routine it won't
+ work correctly because the role will not have been set yet, by
+ explicitly passing the role we avoid this problem.
+
+ Signed-off-by: John Dennis
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 155bb1a..6c694b7 100644
+--- a/auth_mellon_util.c
++++ b/auth_mellon_util.c
+@@ -1827,7 +1827,9 @@ char *am_get_assertion_consumer_service_by_binding(LassoProvider *provider, cons
+ }
+
+ if (selected_descriptor) {
+- url = lasso_provider_get_metadata_one(provider, selected_descriptor);
++ url = lasso_provider_get_metadata_one_for_role(provider,
++ LASSO_PROVIDER_ROLE_SP,
++ selected_descriptor);
+ }
+
+ lasso_release_list_of_strings(descriptors);
diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec
index c9e15ab..789156d 100644
--- a/SPECS/mod_auth_mellon.spec
+++ b/SPECS/mod_auth_mellon.spec
@@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.11.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: System Environment/Daemons
 Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source1: auth_mellon.conf
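Review bot: The replacement call carries no comment explaining why the role is passed explicitly, and the reason (the role stored in the provider is not populated until the first request has been processed, per the commit message) is exactly the kind of detail a later cleanup would revert to the shorter call; add `/* Pass LASSO_PROVIDER_ROLE_SP explicitly: the provider's own role is not set until the first request has been processed. */` above the call. When `selected_descriptor` is NULL or the metadata lookup finds nothing, `url` keeps whatever it was initialised to; that initialisation and the caller's handling of a missing endpoint are outside the hunk, so it is worth confirming that the caller checks for NULL before using the result. The enclosing am_get_assertion_consumer_service_by_binding begins and ends outside this hunk.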
@@ -19,6 +19,10 @@ Requires: httpd-mmn = %{_httpd_mmn}
 Requires: lasso >= 2.5.0
 Url: https://github.com/UNINETT/mod_auth_mellon
+Patch1: lasso_provider_warning.patch
+Patch2: enabled_in_check_uid.patch
+Patch3: ecp_doc.patch
+
 
 %description
 The mod_auth_mellon module is an authentication service that implements
 the SAML 2.0 federation protocol. It grants access based on the attributes
@@ -26,6 +30,9 @@ received in assertions generated by a IdP server.
 
 %prep
 %setup -q -n %{name}-%{version}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 export APXS=%{_httpd_apxs}
@@ -53,7 +60,12 @@ install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
 
 %files
 %defattr(-,root,root)
-%doc README COPYING NEWS
+%if 0%{?rhel} && 0%{?rhel} < 7
+%doc COPYING
+%else
+%license COPYING
+%endif
+%doc README NEWS ECP.rst
 %config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf
 %config(noreplace) %{_httpd_confdir}/auth_mellon.conf
 %{_httpd_moddir}/mod_auth_mellon.so
@@ -62,6 +74,14 @@ install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
 %dir /run/%{name}/
 
 %changelog
+* Fri Apr 8 2016 John Dennis - 0.11.0-2
+- Resolves: bug #1296286
+ mod_auth_mellon emits CRITICAL warning message in Apache log when doing ECP
+- Resolves: bug #1324536
+ Installing mod_auth_mellon causes working Kerberos authentication
+ to start failing
+- Add ECP.rst documentation file that was erroneously omitted
+
 * Fri Sep 18 2015 John Dennis - 0.11.0-1
 - Upgrade to upstream 0.11.0 release.
 - Includes ECP support, see NEWS for all changes.
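Review bot: The three new `PatchN:` declarations do not record where the patches come from, even though each patch file added in this commit carries its upstream commit id; a one-line comment above each, `# upstream commit 5ba9bb72707a90503cd4d042083ea074a0cb6b8a` for Patch1, `# upstream commit 912aa852ebd78577f59cf7958c709acea98ace4c` for Patch2 and `# upstream commit 39017b2957fc7f046725339f1914eb7a87db2bea` for Patch3, lets a reviewer verify the backports against upstream and drop them cleanly on the next rebase. The same applies to the `%patch1`/`%patch2`/`%patch3` lines in the `%prep` hunk, which could each cite the bug number the changelog entry lists so the two stay in step.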