import mod_auth_mellon-0.14.0-12.el8

SOURCES/0006-Add-none-option-for-samesite.patch

@@ -0,0 +1,95 @@
+From fb5ad7bf997946df4472cb94d7875ee70281d59c Mon Sep 17 00:00:00 2001
+From: Anthony Critelli <acritelli@datto.com>
+Date: Tue, 7 Jan 2020 11:14:24 -0500
+Subject: [PATCH] Add none option for samesite
+
+---
+ README.md                 | 7 +++++--
+ auth_mellon.h             | 3 ++-
+ auth_mellon_config.c      | 2 ++
+ auth_mellon_cookie.c      | 4 +++-
+ auth_mellon_diagnostics.c | 1 +
+ 5 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/README.md b/README.md
+index be374bc..82a88fc 100644
+--- a/README.md
++++ b/README.md
+@@ -218,8 +218,11 @@ MellonDiagnosticsEnable Off
+ 
+         # MellonCookieSameSite allows control over the SameSite value used
+         # for the authentication cookie.
+-        # The setting accepts values of "Strict" or "Lax"
+-        # If not set, the SameSite attribute is not set on the cookie.
++        # The setting accepts values of "Strict", "Lax", or "None".
++        # When using none, you should set "MellonSecureCookie On" to prevent
++        # compatibility issues with newer browsers.
++        # If not set, the SameSite attribute is not set on the cookie. In newer
++        # browsers, this may cause SameSite to default to "Lax"
+         # Default: not set
+         # MellonCookieSameSite lax
+ 
+diff --git a/auth_mellon.h b/auth_mellon.h
+index 9ef2d8a..5f5a20b 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -164,7 +164,8 @@ typedef enum {
+ typedef enum {
+   am_samesite_default,
+   am_samesite_lax,
+-  am_samesite_strict
++  am_samesite_strict,
++  am_samesite_none,
+ } am_samesite_t;
+ 
+ typedef enum {
+diff --git a/auth_mellon_config.c b/auth_mellon_config.c
+index 7932e2d..f1a9d12 100644
+--- a/auth_mellon_config.c
++++ b/auth_mellon_config.c
+@@ -583,6 +583,8 @@ static const char *am_set_samesite_slot(cmd_parms *cmd,
+         d->cookie_samesite = am_samesite_lax;
+     } else if(!strcasecmp(arg, "strict")) {
+         d->cookie_samesite = am_samesite_strict;
++    } else if(!strcasecmp(arg, "none")) {
++        d->cookie_samesite = am_samesite_none;
+     } else {
+         return "The MellonCookieSameSite parameter must be 'lax' or 'strict'";
+     }
+diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
+index 8394c18..b2c8535 100644
+--- a/auth_mellon_cookie.c
++++ b/auth_mellon_cookie.c
+@@ -1,7 +1,7 @@
+ /*
+  *
+  *   auth_mellon_cookie.c: an authentication apache module
+- *   Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
++ *   Copyright © 2003-2007 UNINETT (http://www.uninett.no/)
+  *
+  *   This program is free software; you can redistribute it and/or modify
+  *   it under the terms of the GNU General Public License as published by
+@@ -73,6 +73,8 @@ static const char *am_cookie_params(request_rec *r)
+         cookie_samesite = "; SameSite=Lax";
+     } else if (cfg->cookie_samesite == am_samesite_strict) {
+         cookie_samesite = "; SameSite=Strict";
++    } else if (cfg->cookie_samesite == am_samesite_none) {
++        cookie_samesite = "; SameSite=None";
+     }
+ 
+     secure_cookie = cfg->secure;
+diff --git a/auth_mellon_diagnostics.c b/auth_mellon_diagnostics.c
+index 792e894..912814b 100644
+--- a/auth_mellon_diagnostics.c
++++ b/auth_mellon_diagnostics.c
+@@ -214,6 +214,7 @@ am_diag_samesite_str(request_rec *r, am_samesite_t samesite)
+     case am_samesite_default: return "default";
+     case am_samesite_lax:     return "lax";
+     case am_samesite_strict:  return "strict";
++    case am_samesite_none:    return "none";
+     default:
+         return apr_psprintf(r->pool, "unknown (%d)", samesite);
+     }
+-- 
+2.21.0
+

SOURCES/0007-avoid-always-set-SameSite-cookie.patch

@@ -0,0 +1,69 @@
+From b9d87e0deb528817689f1648999a95645b1b19ad Mon Sep 17 00:00:00 2001
+From: Keita SUZUKI <keita@osstech.co.jp>
+Date: Mon, 20 Jan 2020 11:03:14 +0900
+Subject: [PATCH] avoid always set SameSite cookie
+
+---
+ auth_mellon.h        |  5 +++++
+ auth_mellon_cookie.c | 22 ++++++++++++++++------
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/auth_mellon.h b/auth_mellon.h
+index 5f5a20b..8bb8023 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -96,6 +96,11 @@ typedef enum {
+ } am_diag_flags_t;
+ #endif
+ 
++
++/* Disable SameSite Environment Value */
++#define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
++
++
+ /* This is the length of the id we use (for session IDs and
+  * replaying POST data).
+  */
+diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
+index b2c8535..55f77a5 100644
+--- a/auth_mellon_cookie.c
++++ b/auth_mellon_cookie.c
+@@ -59,6 +59,7 @@ static const char *am_cookie_params(request_rec *r)
+     const char *cookie_domain = ap_get_server_name(r);
+     const char *cookie_path = "/";
+     const char *cookie_samesite = "";
++    const char *env_var_value = NULL;
+     am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
+ 
+     if (cfg->cookie_domain) {
+@@ -69,12 +70,21 @@ static const char *am_cookie_params(request_rec *r)
+         cookie_path = cfg->cookie_path;
+     }
+ 
+-    if (cfg->cookie_samesite == am_samesite_lax) {
+-        cookie_samesite = "; SameSite=Lax";
+-    } else if (cfg->cookie_samesite == am_samesite_strict) {
+-        cookie_samesite = "; SameSite=Strict";
+-    } else if (cfg->cookie_samesite == am_samesite_none) {
+-        cookie_samesite = "; SameSite=None";
++    if (r->subprocess_env != NULL){
++        env_var_value = apr_table_get(r->subprocess_env,
++                        AM_DISABLE_SAMESITE_ENV_VAR);
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
++                     "%s : %s", AM_DISABLE_SAMESITE_ENV_VAR, env_var_value);
++    }
++
++    if (env_var_value == NULL){
++        if (cfg->cookie_samesite == am_samesite_lax) {
++            cookie_samesite = "; SameSite=Lax";
++        } else if (cfg->cookie_samesite == am_samesite_strict) {
++            cookie_samesite = "; SameSite=Strict";
++        } else if (cfg->cookie_samesite == am_samesite_none) {
++            cookie_samesite = "; SameSite=None";
++        }
+     }
+ 
+     secure_cookie = cfg->secure;
+-- 
+2.21.0
+

SOURCES/0008-Set-SameSite-to-None-on-test-cookie.patch

@@ -0,0 +1,78 @@
+From 7ef4ae72a8578475064eb66e3ed5703ccf6ee078 Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <r.pluem@gmx.de>
+Date: Thu, 30 Apr 2020 07:56:01 +0200
+Subject: [PATCH] Set SameSite to None on test cookie
+
+If the SameSite cookie attribute is to be set because
+MellonCookieSameSite is configured and MELLON_DISABLE_SAMESITE not set
+for this particular request set it to None for the test cookie.
+This ensures that the test cookie with the static test content does not
+get lost in the HTTP-POST binding request issued by the autosubmit form
+returned by the IDP.
+Addresses #20
+
+* auth_mellon.h: Add AM_FORCE_SAMESITE_NONE_NOTE
+
+* auth_mellon_handler.c (am_send_login_authn_request): Set request note
+  to set SameSite to None if appropriate.
+
+* auth_mellon_cookie.c (am_cookie_params): Set SameSite to None if
+  requested via request note.
+---
+ auth_mellon.h         | 3 +++
+ auth_mellon_cookie.c  | 6 +++++-
+ auth_mellon_handler.c | 5 +++++
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/auth_mellon.h b/auth_mellon.h
+index fd39b28..401ed9c 100644
+--- a/auth_mellon.h
++++ b/auth_mellon.h
+@@ -100,6 +100,9 @@ typedef enum {
+ /* Disable SameSite Environment Value */
+ #define AM_DISABLE_SAMESITE_ENV_VAR "MELLON_DISABLE_SAMESITE"
+ 
++/* Force setting SameSite to None */
++#define AM_FORCE_SAMESITE_NONE_NOTE "MELLON_FORCE_SAMESITE_NONE"
++
+ 
+ /* This is the length of the id we use (for session IDs and
+  * replaying POST data).
+diff --git a/auth_mellon_cookie.c b/auth_mellon_cookie.c
+index 55f77a5..6bff81e 100644
+--- a/auth_mellon_cookie.c
++++ b/auth_mellon_cookie.c
+@@ -78,7 +78,11 @@ static const char *am_cookie_params(request_rec *r)
+     }
+ 
+     if (env_var_value == NULL){
+-        if (cfg->cookie_samesite == am_samesite_lax) {
++        if ((cfg->cookie_samesite != am_samesite_default) &&
++            (apr_table_get(r->notes, AM_FORCE_SAMESITE_NONE_NOTE) != NULL)) {
++            cookie_samesite = "; SameSite=None";
++        }
++        else if (cfg->cookie_samesite == am_samesite_lax) {
+             cookie_samesite = "; SameSite=Lax";
+         } else if (cfg->cookie_samesite == am_samesite_strict) {
+             cookie_samesite = "; SameSite=Strict";
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index 395ee1d..40c9bcd 100644
+--- a/auth_mellon_handler.c
++++ b/auth_mellon_handler.c
+@@ -3261,8 +3261,13 @@ static int am_send_login_authn_request(request_rec *r, const char *idp,
+     /* Add cookie for cookie test. We know that we should have
+      * a valid cookie when we return from the IdP after SP-initiated
+      * login.
++     * Ensure that SameSite is set to None for this cookie if SameSite
++     * is allowed to be set as the cookie otherwise gets lost on
++     * HTTP-POST binding messages.
+      */
++    apr_table_setn(r->notes, AM_FORCE_SAMESITE_NONE_NOTE, "1");
+     am_cookie_set(r, "cookietest");
++    apr_table_unset(r->notes, AM_FORCE_SAMESITE_NONE_NOTE);
+ 
+     server = am_get_lasso_server(r);
+     if(server == NULL) {
+-- 
+2.26.2
+

SPECS/mod_auth_mellon.spec

@@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.14.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 Group: System Environment/Daemons
 Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source1: auth_mellon.conf
@@ -27,6 +27,9 @@ Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
 Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
 Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
 Patch0005: 0005-CVE_2019_13038.patch
+Patch0006: 0006-Add-none-option-for-samesite.patch
+Patch0007: 0007-avoid-always-set-SameSite-cookie.patch
+Patch0008: 0008-Set-SameSite-to-None-on-test-cookie.patch
 
 # FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
 # I could not get asciidoc to render properly so instead I generated
@@ -46,6 +49,9 @@ received in assertions generated by a IdP server.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 %build
 export APXS=%{_httpd_apxs}
@@ -116,6 +122,10 @@ in the doc directory for instructions on using the diagnostics build.
 %attr(0755,apache,apache) %dir /run/%{name}/
 
 %changelog
+* Mon Jan 25 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-12
+- Resolves: rhbz#1791262 - Backport SameSite=None cookie from upstream to
+                           support latest browsers
+
 * Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11
 - Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
                            via the login?ReturnTo= substring which could