%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}} %{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}} %{!?_httpd_confdir: %{expand: %%global _httpd_confdir %{_sysconfdir}/httpd/conf.d}} # Optionally build with hiredis if --with hiredis is passed %{!?_with_hiredis: %{!?_without_hiredis: %global _without_hiredis --without-hiredis}} # It is an error if both or neither required options exist. %{?_with_hiredis: %{?_without_hiredis: %{error: both _with_hiredis and _without_hiredis}}} %{!?_with_hiredis: %{!?_without_hiredis: %{error: neither _with_hiredis nor _without_hiredis}}} # /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4 %{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}} %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc Name: mod_auth_openidc Version: 1.8.8 Release: 5%{?dist} Summary: OpenID Connect auth module for Apache HTTP Server Group: System Environment/Daemons License: ASL 2.0 URL: https://github.com/pingidentity/mod_auth_openidc Source0: https://github.com/pingidentity/mod_auth_openidc/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch0: decrypt_aesgcm.patch Patch1: 0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch Patch2: 0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch Patch3: 0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch BuildRequires: httpd-devel BuildRequires: openssl-devel BuildRequires: curl-devel BuildRequires: jansson-devel BuildRequires: pcre-devel BuildRequires: autoconf BuildRequires: automake %{?_with_hiresdis:BuildRequires: hiresdis-devel} Requires: httpd-mmn = %{_httpd_mmn} %description This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. %prep %setup -q %patch0 -p1 -b decrypt_aesgcm %patch1 -p1 -b echo_req %patch2 -p1 -b scrub_headers %patch3 -p1 -b scrub_headers_oauth %build # workaround rpm-buildroot-usage export MODULES_DIR=%{_httpd_moddir} export APXS2_OPTS='-S LIBEXECDIR=${MODULES_DIR}' autoreconf %configure \ %{?_with_hiredis} \ %{?_without_hiredis} make %{?_smp_mflags} %check export MODULES_DIR=%{_httpd_moddir} make %{?_smp_mflags} test %install mkdir -p $RPM_BUILD_ROOT%{_httpd_moddir} make install MODULES_DIR=$RPM_BUILD_ROOT%{_httpd_moddir} install -m 755 -d $RPM_BUILD_ROOT%{_httpd_modconfdir} echo 'LoadModule auth_openidc_module modules/mod_auth_openidc.so' > \ $RPM_BUILD_ROOT%{_httpd_modconfdir}/10-auth_openidc.conf install -m 755 -d $RPM_BUILD_ROOT%{_httpd_confdir} install -m 644 auth_openidc.conf $RPM_BUILD_ROOT%{_httpd_confdir} # Adjust httpd cache location in install config file sed -i 's!/var/cache/apache2/!/var/cache/httpd/!' $RPM_BUILD_ROOT%{_httpd_confdir}/auth_openidc.conf install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir} install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/metadata install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache %files %if 0%{?rhel} && 0%{?rhel} < 7 %doc LICENSE.txt %else %license LICENSE.txt %endif %doc ChangeLog %doc AUTHORS %doc DISCLAIMER %doc README.md %{_httpd_moddir}/mod_auth_openidc.so %config(noreplace) %{_httpd_modconfdir}/10-auth_openidc.conf %config(noreplace) %{_httpd_confdir}/auth_openidc.conf %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir} %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/metadata %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache %changelog * Tue Jan 29 2019 Jakub Hrozek - 1.8.8-5 - Resolves: rhbz#1626297 - CVE-2017-6413 mod_auth_openidc: OIDC_CLAIM and OIDCAuthNHeader not skipped in an "AuthType oauth20" configuration [rhel-7] * Tue Jan 29 2019 Jakub Hrozek - 1.8.8-4 - Resolves: rhbz#1626299 - CVE-2017-6059 mod_auth_openidc: Shows user-supplied content on error pages [rhel-7] * Thu Mar 31 2016 John Dennis - 1.8.8-3 - fix unit test failure caused by apr_jwe_decrypt_content_aesgcm() failing to null terminate decrypted string Resolves: bug#1292561 New package: mod_auth_openidc * Tue Mar 29 2016 John Dennis - 1.8.8-2 - Add %check to run test Resolves: bug#1292561 New package: mod_auth_openidc * Tue Mar 29 2016 John Dennis - 1.8.8-1 - Initial import Resolves: bug#1292561 New package: mod_auth_openidc