RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/mod_auth_mellon#11d67e1cdda8685d0fb2fd8cc8e9a744431994db

.gitignore

@@ -0,0 +1,12 @@
+/mod_auth_mellon-0.7.0.tar.gz
+/mod_auth_mellon-0.8.0.tar.gz
+/mod_auth_mellon-0.9.1.tar.gz
+/mod_auth_mellon-0.10.0.tar.gz
+/mod_auth_mellon-0.11.0.tar.gz
+/mod_auth_mellon-0.12.0.tar.gz
+/mod_auth_mellon-0.13.1.tar.gz
+/mod_auth_mellon-0.14.0.tar.gz
+/mod_auth_mellon-0.14.2.tar.gz
+/mod_auth_mellon-0.15.0.tar.gz
+/mod_auth_mellon-0.16.0.tar.gz
+/mod_auth_mellon-0.17.0.tar.gz

10-auth_mellon.conf

@@ -0,0 +1 @@
+LoadModule auth_mellon_module modules/mod_auth_mellon.so

README.redhat.rst

@@ -0,0 +1,83 @@
+Red Hat Specific mod_auth_mellon Information
+============================================
+
+This README contains information specific to Red Hat's distribution of
+``mod_auth_mellon``.
+
+Diagnostic Logging
+------------------
+
+Diagnostic logging can be used to collect run time information to help
+diagnose problems with your ``mod_auth_mellon`` deployment. Please see
+the "Mellon Diagnostics" section in the Mellon User Guide for more
+details.
+
+How to enable diagnostic logging on Red Hat systems
+```````````````````````````````````````````````````
+
+Diagnostic logging adds overhead to the execution of
+``mod_auth_mellon``. The code to emit diagnostic logging must be
+compiled into ``mod_auth_mellon`` at build time. In addition the
+diagnostic log file may contain security sensitive information which
+should not normally be written to a log file. If you have a
+version of ``mod_auth_mellon`` which was built with diagnostics you
+can disable diagnostic logging via the ``MellonDiagnosticsEnable``
+configuration directive. However given human nature the potential to
+enable diagnostic logging while resolving a problem and then forget to
+disable it is not a situation that should exist by default. Therefore
+given the overhead consideration and the desire to avoid enabling
+diagnostic logging by mistake the Red Hat ``mod_auth_mellon`` RPM's
+ship with two versions of the ``mod_auth_mellon`` Apache module.
+
+1. The ``mod_auth_mellon`` RPM contains the normal Apache module
+   ``/usr/lib*/httpd/modules/mod_auth_mellon.so`` 
+
+2. The ``mod_auth_mellon-diagnostics`` RPM contains the diagnostic
+   version of the Apache module
+   ``/usr/lib*/httpd/modules/mod_auth_mellon-diagnostics.so``
+
+Because each version of the module has a different name both the
+normal and diagnostic modules can be installed simultaneously without
+conflict. But Apache will only load one of the two modules. Which
+module is loaded is controlled by the
+``/etc/httpd/conf.modules.d/10-auth_mellon.conf`` config file which
+has a line in it which looks like this::
+
+    LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+To load the diagnostics version of the module you need to change the
+module name so it looks like this::
+
+    LoadModule auth_mellon_module modules/mod_auth_mellon-diagnostics.so
+
+**Don't forget to change it back again when you're done debugging.**
+
+You'll also need to enable the collection of diagnostic information,
+do this by adding this directive at the top of your Mellon conf.d
+config file or inside your virtual host config (diagnostics are per
+server instance)::
+
+    MellonDiagnosticsEnable On
+
+.. NOTE::
+   Some versions of the Mellon User Guide have a typo in the name of
+   this directive, it incorrectly uses ``MellonDiagnosticEnable``
+   instead of ``MellonDiagnosticsEnable``. The difference is
+   Diagnostics is plural.
+
+The Apache ``error_log`` will contain a message indicating how it
+processed the ``MellonDiagnosticsEnable`` directive. If you loaded the
+standard module without diagnostics you'll see a message like this::
+
+    MellonDiagnosticsEnable has no effect because Mellon was not
+    compiled with diagnostics enabled, use
+    ./configure --enable-diagnostics at build time to turn this
+    feature on.
+
+If you've loaded the diagnostics version of the module you'll see a
+message in the ``error_log`` like this::
+
+    mellon diagnostics enabled for virtual server *:443
+    (/etc/httpd/conf.d/my_server.conf:7)
+    ServerName=https://my_server.example.com:443, diagnostics
+    filename=logs/mellon_diagnostics

auth_mellon.conf

@@ -0,0 +1,2 @@
+MellonCacheSize 100
+MellonLockFile "/run/mod_auth_mellon/lock"

mellon_create_metadata.sh

@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+set -e
+
+PROG="$(basename "$0")"
+
+printUsage() {
+    echo "Usage: $PROG ENTITY-ID ENDPOINT-URL"
+    echo ""
+    echo "Example:"
+    echo "  $PROG urn:someservice https://sp.example.org/mellon"
+    echo ""
+}
+
+if [ "$#" -lt 2 ]; then
+    printUsage
+    exit 1
+fi
+
+ENTITYID="$1"
+if [ -z "$ENTITYID" ]; then
+    echo "$PROG: An entity ID is required." >&2
+    exit 1
+fi
+
+BASEURL="$2"
+if [ -z "$BASEURL" ]; then
+    echo "$PROG: The URL to the MellonEndpointPath is required." >&2
+    exit 1
+fi
+
+if ! echo "$BASEURL" | grep -q '^https\?://'; then
+    echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
+    exit 1
+fi
+
+HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^/]*\).*#\1#')"
+BASEURL="$(echo "$BASEURL" | sed 's#/$##')"
+
+OUTFILE="$(echo "$ENTITYID" | sed 's/[^0-9A-Za-z.]/_/g' | sed 's/__*/_/g')"
+echo "Output files:"
+echo "Private key:                              $OUTFILE.key"
+echo "Certificate:                              $OUTFILE.cert"
+echo "Metadata:                                 $OUTFILE.xml"
+echo "Host:                                     $HOST"
+echo
+echo "Endpoints:"
+echo "SingleLogoutService (SOAP):               $BASEURL/logout"
+echo "SingleLogoutService (HTTP-Redirect):      $BASEURL/logout"
+echo "AssertionConsumerService (HTTP-POST):     $BASEURL/postResponse"
+echo "AssertionConsumerService (HTTP-Artifact): $BASEURL/artifactResponse"
+echo "AssertionConsumerService (PAOS):          $BASEURL/paosResponse"
+echo
+
+# No files should not be readable by the rest of the world.
+umask 0077
+
+TEMPLATEFILE="$(mktemp -t mellon_create_sp.XXXXXXXXXX)"
+
+cat >"$TEMPLATEFILE" <<EOF
+RANDFILE           = /dev/urandom
+[req]
+default_bits       = 2048
+default_keyfile    = privkey.pem
+distinguished_name = req_distinguished_name
+prompt             = no
+policy             = policy_anything
+[req_distinguished_name]
+commonName         = $HOST
+EOF
+
+openssl req -utf8 -batch -config "$TEMPLATEFILE" -new -x509 -days 3652 -nodes -out "$OUTFILE.cert" -keyout "$OUTFILE.key" 2>/dev/null
+
+rm -f "$TEMPLATEFILE"
+
+CERT="$(grep -v '^-----' "$OUTFILE.cert")"
+
+cat >"$OUTFILE.xml" <<EOF
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<EntityDescriptor
+ entityID="$ENTITYID"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+ <SPSSODescriptor
+   AuthnRequestsSigned="true"
+   WantAssertionsSigned="true"
+   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+   <KeyDescriptor use="signing">
+     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+       <ds:X509Data>
+         <ds:X509Certificate>$CERT</ds:X509Certificate>
+       </ds:X509Data>
+     </ds:KeyInfo>
+   </KeyDescriptor>
+   <KeyDescriptor use="encryption">
+     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+       <ds:X509Data>
+         <ds:X509Certificate>$CERT</ds:X509Certificate>
+       </ds:X509Data>
+     </ds:KeyInfo>
+   </KeyDescriptor>
+   <SingleLogoutService
+     Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+     Location="$BASEURL/logout" />
+   <SingleLogoutService
+     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+     Location="$BASEURL/logout" />
+   <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+   <AssertionConsumerService
+     index="0"
+     isDefault="true"
+     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+     Location="$BASEURL/postResponse" />
+   <AssertionConsumerService
+     index="1"
+     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+     Location="$BASEURL/artifactResponse" />
+   <AssertionConsumerService
+     index="2"
+     Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
+     Location="$BASEURL/paosResponse" />
+ </SPSSODescriptor>
+</EntityDescriptor>
+EOF
+
+umask 0777
+chmod go+r "$OUTFILE.xml"
+chmod go+r "$OUTFILE.cert"

mod_auth_mellon.conf

@@ -0,0 +1,2 @@
+# mod_auth_mellon lock file is created in this directory
+d /run/mod_auth_mellon 0755 apache apache

mod_auth_mellon.spec

@@ -0,0 +1,242 @@
+Summary: A SAML 2.0 authentication module for the Apache Httpd Server
+Name: mod_auth_mellon
+Version: 0.17.0
+Release: 1%{?dist}
+Source0: https://github.com/latchset/mod_auth_mellon/releases/download/v0.17.0/mod_auth_mellon-0.17.0.tar.gz
+Source1: auth_mellon.conf
+Source2: 10-auth_mellon.conf
+Source3: mod_auth_mellon.conf
+Source4: mellon_create_metadata.sh
+Source5: README.redhat.rst
+License: GPLv2+
+BuildRequires:  gcc
+BuildRequires: curl-devel
+BuildRequires: glib2-devel
+BuildRequires: httpd-devel
+BuildRequires: lasso-devel >= 2.5.1-13
+BuildRequires: openssl-devel
+BuildRequires: xmlsec1-devel
+BuildRequires: rubygem-asciidoctor
+Requires: httpd-mmn = %{_httpd_mmn}
+Requires: lasso >= 2.5.1-13
+Url: https://github.com/latchset/mod_auth_mellon
+
+
+%description
+The mod_auth_mellon module is an authentication service that implements the
+SAML 2.0 federation protocol. It grants access based on the attributes
+received in assertions generated by a IdP server.
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%build
+export APXS=%{_httpd_apxs}
+%configure --enable-diagnostics
+make clean
+%{make_build}
+cp .libs/%{name}.so %{name}-diagnostics.so
+
+%configure
+make clean
+%{make_build}
+pushd doc/user_guide
+asciidoctor -a data-uri mellon_user_guide.adoc
+popd
+
+%install
+# install module
+mkdir -p %{buildroot}%{_httpd_moddir}
+install -m 755 .libs/%{name}.so %{buildroot}%{_httpd_moddir}
+install -m 755 %{name}-diagnostics.so %{buildroot}%{_httpd_moddir}
+
+# install module configuration
+mkdir -p %{buildroot}%{_httpd_confdir}
+install -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir}
+mkdir -p %{buildroot}%{_httpd_modconfdir}
+install -m 644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}
+
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}
+mkdir -p %{buildroot}/run/%{name}
+
+# install script to generate metadata
+mkdir -p %{buildroot}/%{_libexecdir}/%{name}
+install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
+
+#install documentation
+mkdir -p %{buildroot}/%{_pkgdocdir}
+
+# install Red Hat README
+install %{SOURCE5} %{buildroot}/%{_pkgdocdir}
+
+# install user guide
+cp -r doc/user_guide %{buildroot}/%{_pkgdocdir}
+
+%package diagnostics
+Summary: Build of mod_auth_mellon with diagnostic logging
+Requires: %{name} = %{version}-%{release}
+
+%description diagnostics
+Build of mod_auth_mellon with diagnostic logging. See README.redhat.rst
+in the doc directory for instructions on using the diagnostics build.
+
+%files diagnostics
+%{_httpd_moddir}/%{name}-diagnostics.so
+
+%files
+%if 0%{?rhel} && 0%{?rhel} < 7
+%doc COPYING
+%else
+%license COPYING
+%endif
+%doc README.md NEWS ECP.rst
+%doc %{_pkgdocdir}/README.redhat.rst
+%doc %{_pkgdocdir}/user_guide
+%config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf
+%config(noreplace) %{_httpd_confdir}/auth_mellon.conf
+%{_httpd_moddir}/mod_auth_mellon.so
+%{_tmpfilesdir}/mod_auth_mellon.conf
+%{_libexecdir}/%{name}
+%dir /run/%{name}/
+
+%changelog
+* Wed Sep 16 2020 Jakub Hrozek <jhrozek@redhat.com> - 0.17.0-1
+- New upstream version 0.17.0
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild 
+
+* Thu Feb 13 2020 Tom Stellard <tstellar@redhat.com> - 0.16.0-2
+- Use make_build macro instead of just make
+- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
+
+* Mon Feb  3 2020 Jakub Hrozek <jhrozek@redhat.com> - 0.16.0-1
+- New upstream version 0.16.0
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.15.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Nov 19 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.15.0-1
+- New upstream version 0.15.0
+- Resolves: rhbz#1725742 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
+                           via the login?ReturnTo= substring which could
+                           facilitate information theft [fedora-all]
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.14.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Mar 22 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.2-1
+- Upgrade to 0.14.2
+- Related: rhbz#1691771 - CVE-2019-3877 mod_auth_mellon: open redirect in
+                          logout url when using URLs with backslashes
+- Related: rhbz#1691136 - CVE-2019-3878 mod_auth_mellon: authentication
+                          bypass in ECP flow
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.14.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.14.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed May  2 2018 John Dennis <jdennis@redhat.com> - 0.14.0-3
+- update lasso version dependency
+
+* Tue May  1 2018 John Dennis <jdennis@redhat.com> - 0.14.0-2
+- clean diagnostics build prior to normal build
+
+* Thu Apr 19 2018 John Dennis <jdennis@redhat.com> - 0.14.0-1
+- Upgrade to new upstream release
+- Add README.redhat.rst doc explaining packaging of this module.
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.13.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sun Oct  1 2017 John Dennis <jdennis@redhat.com> - 0.13.1-1
+- upgrade to new upstream release
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Jan 17 2017 John Dennis <jdennis@redhat.com> - 0.12.0-4
+- Resolves: bug #1414019 Incorrect PAOS Content-Type header
+
+* Mon Jan  9 2017 John Dennis <jdennis@redhat.com> - 0.12.0-3
+- bump release for rebuild
+
+* Tue May  3 2016 John Dennis <jdennis@redhat.com> - 0.12.0-2
+- Resolves: bug #1332729, mellon conflicts with mod_auth_openidc
+- am_check_uid() should be no-op if mellon not enabled
+
+* Wed Mar  9 2016 John Dennis <jdennis@redhat.com> - 0.12.0-1
+- Update to new upstream 0.12.0
+- [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
+  incorrect error handling when reading POST data from client.
+
+- [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
+  resource exhaustion) due to missing size checks when reading
+  POST data.
+
+In addition this release contains the following new features and fixes:
+
+- Add MellonRedirectDomains option to limit the sites that
+  mod_auth_mellon can redirect to. This option is enabled by default.
+
+- Add support for ECP service options in PAOS requests.
+
+- Fix AssertionConsumerService lookup for PAOS requests.
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Dec 23 2015 John Dennis <jdennis@redhat.com> - 0.11.0-3
+- Fix the following warning that appears in the Apache log
+  lasso-CRITICAL **: lasso_provider_get_metadata_list_for_role: assertion '_lasso_provider_get_role_index(role)' failed
+
+* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-2
+- Add lasso 2.5.0 version dependency
+
+* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-1
+- Upgrade to upstream 0.11.0 release.
+- Includes ECP support, see NEWS for all changes.
+- Update mellon_create_metadata.sh to match internally generated metadata,
+  includes AssertionConsumerService for postResponse, artifactResponse &
+  paosResponse.
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Jan  7 2015 Simo Sorce <simo@redhat.com> 0.10.0-1
+- New upstream release
+
+* Tue Sep  2 2014 Simo Sorce <simo@redhat.com> 0.9.1-1
+- New upstream release
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Jun 24 2014 Simo Sorce <simo@redhat.com> 0.8.0-1
+- New upstream realease version 0.8.0
+- Upstream moved to github
+- Drops patches as they have been all included upstream
+
+* Fri Jun 20 2014 Simo Sorce <simo@redhat.com> 0.7.0-3
+- Backport of useful patches from upstream
+  - Better handling of IDP reported errors
+  - Better handling of session data storage size
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue Dec 10 2013 Simo Sorce <simo@redhat.com> 0.7.0-1
+- Fix ownership of /run files
+
+* Wed Nov 27 2013 Simo Sorce <simo@redhat.com> 0.7.0-0
+- Initial Fedora release based on version 0.7.0
+- Based on an old spec file by Jean-Marc Liger <jmliger@siris.sorbonne.fr>

sources

@@ -0,0 +1 @@
+SHA512 (mod_auth_mellon-0.17.0.tar.gz) = 93919b46e5966d16b334f8f633345d8566f6873a68d1e619835a52a12a70fa7068fe036c69a43ca7b46e51b4c49354d51df13ffd64c60b82747eec86fe357d2e