Resolves: bug #1332729, mellon conflicts with mod_auth_openidc

am_check_uid() should be no-op if mellon not enabled
John Dennis 2016-05-04 14:30:43 -04:00
parent e63b5beb7b
commit 12b3161f97
2 changed files with 43 additions and 1 deletions


@ -0,0 +1,34 @@
commit 912aa852ebd78577f59cf7958c709acea98ace4c
Author: John Dennis <jdennis@redhat.com>
Date: Fri Apr 8 09:01:22 2016 -0400
am_check_uid() should be no-op if mellon not enabled
mod_auth_mellon was interferring with other Apache authentication
modules (e.g. mod_auth_kerb) because when the Apache check_user_id
hook ran the logic in am_check_uid would execute even if mellon was
not enabled for the location. This short circuited the hook execution
and never allowed the authentication enabled for the location to
execute. It resulted in HTTP_UNAUTHORIZED being returned with the
client then expecting a WWW-Authenticate header field causing the
client to attempt to authenticate again.
Signed-off-by: John Dennis <jdennis@redhat.com>
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index a72e1ca..864396f 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3625,6 +3625,12 @@ int am_check_uid(request_rec *r)
return OK;
}
+ /* Check that the user has enabled authentication for this directory. */
+ if(dir->enable_mellon == am_enable_off
+ || dir->enable_mellon == am_enable_default) {
+ return DECLINED;
+ }
+
#ifdef HAVE_ECP
am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
if (req_cfg->ecp_authn_req) {
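Review bot: the new early `return DECLINED` sits below the `return OK;` block visible at the top of the hunk, so whatever condition that earlier block handles still fires for locations where mellon is off or default; please confirm that branch only applies when mellon is enabled (or move the enable check above it), since the bug being fixed is exactly am_check_uid short-circuiting other modules' check_user_id hooks. Two smaller points: only `am_enable_off` and `am_enable_default` decline, so any other enable value (the remaining enumerators are not visible in this hunk) falls through into the `HAVE_ECP` block, and a one-line comment stating which modes are meant to fall through would document that intent; and the new `if(` lacks the space used by the neighbouring `if (req_cfg->ecp_authn_req)`.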


@ -1,7 +1,7 @@
Summary: A SAML 2.0 authentication module for the Apache Httpd Server Summary: A SAML 2.0 authentication module for the Apache Httpd Server
Name: mod_auth_mellon Name: mod_auth_mellon
Version: 0.12.0 Version: 0.12.0
Release: 1%{?dist} Release: 2%{?dist}
Group: System Environment/Daemons Group: System Environment/Daemons
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: auth_mellon.conf Source1: auth_mellon.conf
@ -19,6 +19,9 @@ Requires: httpd-mmn = %{_httpd_mmn}
Requires: lasso >= 2.5.0 Requires: lasso >= 2.5.0
Url: https://github.com/UNINETT/mod_auth_mellon Url: https://github.com/UNINETT/mod_auth_mellon
Patch1: enabled_in_check_uid.patch
%description %description
The mod_auth_mellon module is an authentication service that implements the The mod_auth_mellon module is an authentication service that implements the
SAML 2.0 federation protocol. It grants access based on the attributes SAML 2.0 federation protocol. It grants access based on the attributes
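Review bot: the new `Patch1: enabled_in_check_uid.patch` line carries no reference to where the patch comes from; the patch file's own header records upstream commit 912aa852ebd78577f59cf7958c709acea98ace4c, so a comment directly above the line such as `# upstream commit 912aa852, drop on next rebase` would let the next maintainer see at a glance when the backport is already in the release tarball.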
@ -26,6 +29,7 @@ received in assertions generated by a IdP server.
%prep %prep
%setup -q -n %{name}-%{version} %setup -q -n %{name}-%{version}
%patch1 -p1
%build %build
export APXS=%{_httpd_apxs} export APXS=%{_httpd_apxs}
@ -67,6 +71,10 @@ install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
%dir /run/%{name}/ %dir /run/%{name}/
%changelog %changelog
* Tue May 3 2016 John Dennis <jdennis@redhat.com> - 0.12.0-2
- Resolves: bug #1332729, mellon conflicts with mod_auth_openidc
- am_check_uid() should be no-op if mellon not enabled
* Wed Mar 9 2016 John Dennis <jdennis@redhat.com> - 0.12.0-1 * Wed Mar 9 2016 John Dennis <jdennis@redhat.com> - 0.12.0-1
- Update to new upstream 0.12.0 - Update to new upstream 0.12.0
- [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to - [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
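Review bot: the new changelog bullet describes the conflict as being with mod_auth_openidc, while the backported patch's own description (in the hunk above) attributes the same short-circuit to mod_auth_kerb and other check_user_id modules; naming both, or wording the entry as a conflict with any other Apache authentication module, avoids sending someone chasing the wrong module later. The entry's version 0.12.0-2 does match the Release bump in the first hunk.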