Resolves: bug #1332729, mellon conflicts with mod_auth_openidc

am_check_uid() should be no-op if mellon not enabled
2016-05-04 14:30:43 -04:00 · 2016-05-04 14:30:43 -04:00 · 12b3161f97
commit 12b3161f97
parent e63b5beb7b
2 changed files with 43 additions and 1 deletions
--- a/enabled_in_check_uid.patch
+++ b/enabled_in_check_uid.patch
@ -0,0 +1,34 @@
+commit 912aa852ebd78577f59cf7958c709acea98ace4c
+Author: John Dennis <jdennis@redhat.com>
+Date:   Fri Apr 8 09:01:22 2016 -0400
+
+    am_check_uid() should be no-op if mellon not enabled
+    
+    mod_auth_mellon was interferring with other Apache authentication
+    modules (e.g. mod_auth_kerb) because when the Apache check_user_id
+    hook ran the logic in am_check_uid would execute even if mellon was
+    not enabled for the location. This short circuited the hook execution
+    and never allowed the authentication enabled for the location to
+    execute. It resulted in HTTP_UNAUTHORIZED being returned with the
+    client then expecting a WWW-Authenticate header field causing the
+    client to attempt to authenticate again.
+    
+    Signed-off-by: John Dennis <jdennis@redhat.com>
+
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index a72e1ca..864396f 100644
+--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
+@@ -3625,6 +3625,12 @@ int am_check_uid(request_rec *r)
+         return OK;
+     }
+ 
+    /* Check that the user has enabled authentication for this directory. */
+    if(dir->enable_mellon == am_enable_off
+       || dir->enable_mellon == am_enable_default) {
+	return DECLINED;
+    }
+
+ #ifdef HAVE_ECP
+     am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
+     if (req_cfg->ecp_authn_req) {
--- a/mod_auth_mellon.spec
+++ b/mod_auth_mellon.spec
@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.12.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: System Environment/Daemons
 Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source1: auth_mellon.conf
@ -19,6 +19,9 @@ Requires: httpd-mmn = %{_httpd_mmn}
 Requires: lasso >= 2.5.0
 Url: https://github.com/UNINETT/mod_auth_mellon

+Patch1: enabled_in_check_uid.patch
+
+
 %description
 The mod_auth_mellon module is an authentication service that implements the
 SAML 2.0 federation protocol. It grants access based on the attributes
@ -26,6 +29,7 @@ received in assertions generated by a IdP server.

 %prep
 %setup -q -n %{name}-%{version}
+%patch1 -p1

 %build
 export APXS=%{_httpd_apxs}
@ -67,6 +71,10 @@ install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
 %dir /run/%{name}/

 %changelog
+* Tue May  3 2016 John Dennis <jdennis@redhat.com> - 0.12.0-2
+- Resolves: bug #1332729, mellon conflicts with mod_auth_openidc
+- am_check_uid() should be no-op if mellon not enabled
+
 * Wed Mar  9 2016 John Dennis <jdennis@redhat.com> - 0.12.0-1
 - Update to new upstream 0.12.0
 - [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to