import mod_auth_mellon-0.14.0-11.el8

This commit is contained in:
CentOS Sources 2020-01-21 14:17:08 -05:00 committed by Andrew Lukoshko
commit ad23017074
14 changed files with 7881 additions and 0 deletions

.gitignore vendored Normal file

@ -0,0 +1 @@
SOURCES/mod_auth_mellon-0.14.0.tar.gz


@ -0,0 +1 @@
4a93f8b093e1dea20e8a286931693c614903f2d9 SOURCES/mod_auth_mellon-0.14.0.tar.gz


@ -0,0 +1,80 @@
From e09a28a30e13e5c22b481010f26b4a7743a09280 Mon Sep 17 00:00:00 2001
From: John Dennis <jdennis@redhat.com>
Date: Tue, 5 Mar 2019 10:15:48 +0100
Subject: [PATCH] Modify am_handler setup to run before mod_proxy
The way the ECP flow works is that when a client initiates the flow, the
SP's response is HTTP 200, but not the requested content, but a signed XML
document that contains the "samlp:AuthnRequest" element. The idea is that
the ECP client would then determine the IDP and send the document to the
IDP, get a samlp:Response and convey that to the SP to get access to the
protected resource.
Internally, the auth check which is normally done with am_check_uid() set to
apache's ap_hook_check_user_id() hook, just responds with OK, so it pretends
to authenticate the user. Then in the usual flow, the request reaches the
ap_hook_handler which handles the request. There in the pipeline, mellon
registers functions am_handler() which should run first (APR_HOOK_FIRST),
determine that this request is an ECP one and return the ECP AuthnRequest
document. But in case the proxy module is also in the picture, the proxy
module "races" for who gets to be the first to handle the request in the
pipeline and wins. Therefore, the request reaches the protected resource
via mod_proxy and returns it.
This fix modifies the ap_hook_handler() call to explicitly run before
handlers from mod_proxy.c
To reproduce the bug:
0) Have a SP with mellon connected to a Keycloak IDP (or any other IDP I
guess). In the example below, my SAML SP is saml.federation.test
1) Set a Location protected by mellon that proxies requests to another
URL. For example:
ProxyPass /sp-proxy http://app.federation.test/example_app/
<Location /sp-proxy>
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
2) call:
curl -L -H "Accept: application/vnd.paos+xml" \
-H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' \
http://saml.federation.test/sp-proxy
Before the patch, you would see whatever is served from the proxied
page. With the patch, you should get back a XML document with a
samlp:AuthnRequest.
---
mod_auth_mellon.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
index 74bd328..5330f48 100644
--- a/mod_auth_mellon.c
+++ b/mod_auth_mellon.c
@@ -207,6 +207,12 @@ static int am_create_request(request_rec *r)
static void register_hooks(apr_pool_t *p)
{
+ /* Our handler needs to run before mod_proxy so that it can properly
+ * return ECP AuthnRequest messages when running as a reverse proxy.
+ * See: https://github.com/Uninett/mod_auth_mellon/pull/196
+ */
+ static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
+
ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
@@ -222,7 +228,7 @@ static void register_hooks(apr_pool_t *p)
* Therefore this hook must run before any handler that may check
* r->handler and decide that it is the only handler for this URL.
*/
- ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
+ ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
#ifdef ENABLE_DIAGNOSTICS
ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
--
2.19.2
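Review bot: The predecessor list handed to ap_hook_handler names only mod_proxy.c, so any other module that also registers its handler at APR_HOOK_FIRST and claims the request ahead of am_handler would still serve the protected resource to an ECP client instead of the AuthnRequest — the same race the comment above the call already warns about. Because the ECP flow depends on am_check_uid returning OK and on am_handler intercepting later, this hook's position is load-bearing for authentication, and a one-module list is a fragile guarantee; consider moving the hook earlier as well, `ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_REALLY_FIRST);`, and extending the comment to say the ECP authentication decision relies on this ordering. Whether REALLY_FIRST interacts badly with other handler modules in a given deployment should be confirmed against httpd's hook ordering; register_hooks continues past the hunk.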


@ -0,0 +1,44 @@
From 62041428a32de402e0be6ba45fe12df6a83bedb8 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Tue, 19 Mar 2019 13:42:22 +0100
Subject: [PATCH] Fix redirect URL validation bypass
It turns out that browsers silently convert backslash characters into
forward slashes, while apr_uri_parse() does not.
This mismatch allows an attacker to bypass the redirect URL validation
by using an URL like:
https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
mod_auth_mellon will assume that it is a relative URL and allow the
request to pass through, while the browsers will use it as an absolute
url and redirect to https://malicious.example.org/ .
This patch fixes this issue by rejecting all redirect URLs with
backslashes.
---
auth_mellon_util.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index 0fab309..fd442f9 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -927,6 +927,13 @@ int am_check_url(request_rec *r, const char *url)
"Control character detected in URL.");
return HTTP_BAD_REQUEST;
}
+ if (*i == '\\') {
+ /* Reject backslash character, as it can be used to bypass
+ * redirect URL validation. */
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
+ "Backslash character detected in URL.");
+ return HTTP_BAD_REQUEST;
+ }
}
return OK;
--
2.19.2
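Review bot: The new branch in am_check_url rejects only a literal backslash, which closes the specific browser-versus-apr_uri_parse mismatch described above but leaves the check a denylist against one normalization difference; the same class of bug recurs for any other form that browsers canonicalize and apr_uri_parse does not (patch 0005 in this import, for `https:/host` with the slashes omitted, is the next instance). A positive rule is more durable — accept either a path starting with exactly one `/`, or an absolute URL whose parsed scheme is http(s) and whose hostname is non-empty and matches the configured redirect domains — rather than adding rejected characters one at a time. It is not visible here whether this function sees ReturnTo before or after percent-decoding; if it is the raw value, `%5c` would pass unchanged, so that ordering should be confirmed. am_check_url begins before the hunk.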


@ -0,0 +1,172 @@
diff -up mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_cache.c
--- mod_auth_mellon-0.14.0/auth_mellon_cache.c.env_prefix 2017-10-02 11:44:08.000000000 +0200
+++ mod_auth_mellon-0.14.0/auth_mellon_cache.c 2019-06-10 09:46:36.806014513 +0200
@@ -589,7 +589,7 @@ void am_cache_env_populate(request_rec *
*/
for(i = 0; i < t->size; ++i) {
varname = am_cache_entry_get_string(t, &t->env[i].varname);
- varname_prefix = "MELLON_";
+ varname_prefix = d->env_prefix;
/* Check if we should map this name into another name. */
env_varname_conf = (am_envattr_conf_t *)apr_hash_get(
diff -up mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_config.c
--- mod_auth_mellon-0.14.0/auth_mellon_config.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/auth_mellon_config.c 2019-06-10 09:46:36.807014516 +0200
@@ -36,6 +36,11 @@ static const char *default_endpoint_path
*/
static const char *default_user_attribute = "NAME_ID";
+/* This is the default prefix to use for attributes received from the
+ * server. Customizable using the MellonEnvPrefix option
+ */
+static const char *default_env_prefix = "MELLON_";
+
/* This is the default name of the cookie which mod_auth_mellon will set.
* If you change this, then you should also update the description of the
* MellonVar configuration directive.
@@ -1372,8 +1377,10 @@ const command_rec auth_mellon_commands[]
am_set_setenv_slot,
NULL,
OR_AUTHCFG,
- "Renames attributes received from the server while retaining prefix MELLON_. The format is"
- " MellonSetEnv <old name> <new name>."
+ "Renames attributes received from the server while retaining the"
+ " prefix. The prefix defaults to MELLON_ but can be changed with"
+ " MellonEnvPrefix."
+ " The format is MellonSetEnv <old name> <new name>."
),
AP_INIT_TAKE2(
"MellonSetEnvNoPrefix",
@@ -1383,6 +1390,13 @@ const command_rec auth_mellon_commands[]
"Renames attributes received from the server without adding prefix. The format is"
" MellonSetEnvNoPrefix <old name> <new name>."
),
+ AP_INIT_TAKE1(
+ "MellonEnvPrefix",
+ ap_set_string_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, env_prefix),
+ OR_AUTHCFG,
+ "The prefix to use for attributes received from the server."
+ ),
AP_INIT_FLAG(
"MellonSessionDump",
ap_set_flag_slot,
@@ -1714,6 +1728,7 @@ void *auth_mellon_dir_config(apr_pool_t
dir->cookie_path = NULL;
dir->cookie_samesite = am_samesite_default;
dir->envattr = apr_hash_make(p);
+ dir->env_prefix = default_env_prefix;
dir->userattr = default_user_attribute;
dir->idpattr = NULL;
dir->signature_method = inherit_signature_method;
@@ -1868,6 +1883,10 @@ void *auth_mellon_dir_merge(apr_pool_t *
add_cfg->envattr :
base_cfg->envattr);
+ new_cfg->env_prefix = (add_cfg->env_prefix != default_env_prefix ?
+ add_cfg->env_prefix :
+ base_cfg->env_prefix);
+
new_cfg->userattr = (add_cfg->userattr != default_user_attribute ?
add_cfg->userattr :
base_cfg->userattr);
diff -up mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c
--- mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/auth_mellon_diagnostics.c 2019-06-10 09:46:36.808014518 +0200
@@ -442,6 +442,9 @@ am_diag_log_dir_cfg(request_rec *r, int
"%sMellonCookieSameSite (cookie_samesite): %s\n",
indent(level+1),
am_diag_samesite_str(r, cfg->cookie_samesite));
+ apr_file_printf(diag_cfg->fd,
+ "%sMellonEnvPrefix (env_prefix): %s\n",
+ indent(level+1), cfg->env_prefix);
apr_file_printf(diag_cfg->fd,
"%sMellonCond (cond): %d items\n",
@@ -466,7 +469,7 @@ am_diag_log_dir_cfg(request_rec *r, int
apr_hash_this(hash_item, (void *)&key, NULL, (void *)&envattr_conf);
if (envattr_conf->prefixed) {
- name = apr_pstrcat(r->pool, "MELLON_",
+ name = apr_pstrcat(r->pool, cfg->env_prefix,
envattr_conf->name, NULL);
} else {
name = envattr_conf->name;
diff -up mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix mod_auth_mellon-0.14.0/auth_mellon.h
--- mod_auth_mellon-0.14.0/auth_mellon.h.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/auth_mellon.h 2019-06-10 09:46:36.805014510 +0200
@@ -237,6 +237,7 @@ typedef struct am_dir_cfg_rec {
am_samesite_t cookie_samesite;
apr_array_header_t *cond;
apr_hash_t *envattr;
+ const char *env_prefix;
const char *userattr;
const char *idpattr;
LassoSignatureMethod signature_method;
diff -up mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc
--- mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/doc/user_guide/mellon_user_guide.adoc 2019-06-10 09:48:08.422237471 +0200
@@ -2007,11 +2007,13 @@ attributes.
assertion to a name of your choosing when it is placed in the Apache
environment. This is controlled by `MellonSetEnv` and
`MellonSetEnvNoPrefix` directives. The distinction
- is `MellonSetEnv` always prepends the `MELLON_` prefix to the
+ is `MellonSetEnv` always prepends a prefix to the
environment variable name to help to prevent name collisions. The
+ prefix defaults to `MELLON_` and can be configured using the
+ `MellonEnvPrefix` configuration option. The
`MellonSetEnvNoPrefix` directive also remaps the assertion name to a
name of your choosing but it omits prepending the environment
- variable name with `MELLON_`. See <<map_assertion_attr_name>>
+ variable name with the prefix. See <<map_assertion_attr_name>>
Using the <<assertion_response,assertion example>> Mellon places these
environment variables in the Apache environment. See
@@ -2096,10 +2098,12 @@ and `MellonSetEnvNoPrefix` directives. T
assertion attribute to a name of your choosing. The `MellonSetEnv`
directive follows the same convention as all other assertion
attributes added by Mellon in that it always prefixes the environment
-variable name with `MELLON_` to help avoid name collisions in the
+variable name with a configurable prefix, which defaults to `MELLON_` to help avoid name collisions in the
Apache environment. However sometimes you do not want the `MELLON_`
-prefix added and instead you want to use exactly the environment
-variable name as specified., `MellonSetEnvNoPrefix` serves this role.
+prefix added. In case you simply want the variables prefixed with
+a different string, use the `MellonEnvPrefix` configuration option. If,
+instead you want to use exactly the environment variable name as specified.,
+`MellonSetEnvNoPrefix` serves this role.
To illustrate let's look at an example. Suppose your web app is
expecting an attribute which is the user's last name, specifically it
@@ -2117,6 +2121,15 @@ MellonSetEnvNoPrefix REMOTE_USER_LASTNAM
Also see <<set_remote_user>> for an example of setting the `REMOTE_USER`
environment variable using `MellonSetEnvNoPrefix`.
+The `MellonEnvPrefix` variable might be useful e.g. if you
+are migrating from a different SP which used its own prefix
+for the variables passed by the IdP. For example, to prefix
+all variables with `NOLLEM_` you would use:
+
+----
+MellonEnvPrefix NOLLEM_
+----
+
=== Using Mellon to apply constraints [[assertion_constraints]]
SAML attributes can be used for more than exporting those values to a
diff -up mod_auth_mellon-0.14.0/README.md.env_prefix mod_auth_mellon-0.14.0/README.md
--- mod_auth_mellon-0.14.0/README.md.env_prefix 2018-03-16 08:14:54.000000000 +0100
+++ mod_auth_mellon-0.14.0/README.md 2019-06-10 09:46:36.805014510 +0200
@@ -253,6 +253,11 @@ MellonDiagnosticsEnable Off
# Default. None set.
MellonSetEnvNoPrefix "DISPLAY_NAME" "displayName"
+ # MellonEnvPrefix changes the string the variables passed from the
+ # IdP are prefixed with.
+ # Default: MELLON_
+ MellonEnvPrefix "NOLLEM_"
+
# MellonMergeEnvVars merges multiple values of environment variables
# set using MellonSetEnv into single variable:
# ie: MYENV_VAR => val1;val2;val3 instead of default behaviour of:
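Review bot: MellonEnvPrefix is wired straight through ap_set_string_slot with no validation, so `MellonEnvPrefix ""` silently turns every prefixed attribute into an unprefixed one in am_cache_env_populate, and a prefix such as `HTTP_` or `REMOTE_` lets IdP-supplied attribute names collide with environment variables the application or a CGI/FastCGI backend trusts — the very collision the patch's own documentation says the prefix exists to prevent. A small setter that rejects an empty value, e.g. `if (!arg || !*arg) return "MellonEnvPrefix must not be empty";` in an am_set_env_prefix_slot wrapper around ap_set_string_slot, plus a sentence in the directive help and user-guide text warning that the prefix is the only thing separating assertion attribute names from existing environment variables, would close that gap. The dir-merge rule compares pointers against default_env_prefix, consistent with userattr next to it, so that part is fine.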


@ -0,0 +1,49 @@
From 6358a5169762ef7b89d8b6d0f1a99b006f0fdd2f Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 25 Jul 2018 12:19:39 +0200
Subject: [PATCH] Fix incorrect header used for detecting AJAX requests
The code was looking for "X-Request-With", but the header is actually
"X-Requested-With". As far as I can tell, it has always been the
latter, at least in the jQuery source code.
Fixes issue #174.
---
README.md | 2 +-
auth_mellon_handler.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 0a91dc5..8d85b43 100644
--- a/README.md
+++ b/README.md
@@ -180,7 +180,7 @@ MellonDiagnosticsEnable Off
# then we will redirect him to the login page of the IdP.
#
# There is a special handling of AJAX requests, that are
- # identified by the "X-Request-With: XMLHttpRequest" HTTP
+ # identified by the "X-Requested-With: XMLHttpRequest" HTTP
# header. Since no user interaction can happen there,
# we always fail unauthenticated (not logged in) requests
# with a 403 Forbidden error without redirecting to the IdP.
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index b16dc45..e33e6e9 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -3658,11 +3658,11 @@ int am_auth_mellon_user(request_rec *r)
* If this is an AJAX request, we cannot proceed to the IdP,
* Just fail early to save our resources
*/
- ajax_header = apr_table_get(r->headers_in, "X-Request-With");
+ ajax_header = apr_table_get(r->headers_in, "X-Requested-With");
if (ajax_header != NULL &&
strcmp(ajax_header, "XMLHttpRequest") == 0) {
AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r,
- "Deny unauthenticated X-Request-With XMLHttpRequest "
+ "Deny unauthenticated X-Requested-With XMLHttpRequest "
"(AJAX) request");
return HTTP_FORBIDDEN;
}
--
2.20.1
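Review bot: The corrected header name fixes the jQuery case, but the detection in am_auth_mellon_user still rests solely on a client-volunteered `X-Requested-With: XMLHttpRequest` compared with an exact, case-sensitive strcmp, so fetch()-based and most non-jQuery clients, which do not send the header at all, keep receiving a 302 to the IdP whose HTML login page a script cannot use. Consider `strcasecmp` for the value and, as a complement, treating `Sec-Fetch-Dest: empty` (set by modern browsers for fetch/XHR and not settable by page scripts) as an AJAX signal too, with a one-line comment noting that absence of the header is now the common case. The enclosing function begins and ends outside the hunk.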


@ -0,0 +1,28 @@
From 297093e6a48a4c0fd307c2206c59a8c8eb84fb53 Mon Sep 17 00:00:00 2001
From: Valentin <awakenine@users.noreply.github.com>
Date: Fri, 6 Sep 2019 13:30:36 +0300
Subject: [PATCH] Update auth_mellon_mode.c
Fix open redirect CVE-2019-13038
---
auth_mellon_util.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index fd442f9..7dff61e 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char *url)
/* Sanity check of the scheme of the domain. We only allow http and https. */
if (uri.scheme) {
+ /* http and https schemes without hostname are invalid. */
+ if (!uri.hostname) {
+ return HTTP_BAD_REQUEST;
+ }
if (strcasecmp(uri.scheme, "http")
&& strcasecmp(uri.scheme, "https")) {
AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
--
2.21.0
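Review bot: The new hostname check in am_validate_redirect_url returns HTTP_BAD_REQUEST without the AM_LOG_RERROR that the adjacent scheme check emits, so a probe for this open redirect leaves no trace in error_log; add `AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, "Redirect URL has a scheme but no hostname.");` before the return. It also tests only for a NULL hostname: if apr_uri_parse yields an empty string for `http:///evil.example.org` (three slashes), the check passes while browsers collapse the extra slashes and navigate to evil.example.org, so `if (!uri.hostname || !*uri.hostname)` is the safer form — worth confirming against apr_uri_parse's handling of an empty hostinfo. Separately, the patch subject says auth_mellon_mode.c but the diff touches auth_mellon_util.c, and the function begins before the hunk.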


@ -0,0 +1 @@
LoadModule auth_mellon_module modules/mod_auth_mellon.so

SOURCES/README.redhat.rst Normal file

@ -0,0 +1,83 @@
Red Hat Specific mod_auth_mellon Information
============================================
This README contains information specific to Red Hat's distribution of
``mod_auth_mellon``.
Diagnostic Logging
------------------
Diagnostic logging can be used to collect run time information to help
diagnose problems with your ``mod_auth_mellon`` deployment. Please see
the "Mellon Diagnostics" section in the Mellon User Guide for more
details.
How to enable diagnostic logging on Red Hat systems
```````````````````````````````````````````````````
Diagnostic logging adds overhead to the execution of
``mod_auth_mellon``. The code to emit diagnostic logging must be
compiled into ``mod_auth_mellon`` at build time. In addition the
diagnostic log file may contain security sensitive information which
should not normally be written to a log file. If you have a
version of ``mod_auth_mellon`` which was built with diagnostics you
can disable diagnostic logging via the ``MellonDiagnosticsEnable``
configuration directive. However given human nature the potential to
enable diagnostic logging while resolving a problem and then forget to
disable it is not a situation that should exist by default. Therefore
given the overhead consideration and the desire to avoid enabling
diagnostic logging by mistake the Red Hat ``mod_auth_mellon`` RPM's
ship with two versions of the ``mod_auth_mellon`` Apache module.
1. The ``mod_auth_mellon`` RPM contains the normal Apache module
``/usr/lib*/httpd/modules/mod_auth_mellon.so``
2. The ``mod_auth_mellon-diagnostics`` RPM contains the diagnostic
version of the Apache module
``/usr/lib*/httpd/modules/mod_auth_mellon-diagnostics.so``
Because each version of the module has a different name both the
normal and diagnostic modules can be installed simultaneously without
conflict. But Apache will only load one of the two modules. Which
module is loaded is controlled by the
``/etc/httpd/conf.modules.d/10-auth_mellon.conf`` config file which
has a line in it which looks like this::
LoadModule auth_mellon_module modules/mod_auth_mellon.so
To load the diagnostics version of the module you need to change the
module name so it looks like this::
LoadModule auth_mellon_module modules/mod_auth_mellon-diagnostics.so
**Don't forget to change it back again when you're done debugging.**
You'll also need to enable the collection of diagnostic information,
do this by adding this directive at the top of your Mellon conf.d
config file or inside your virtual host config (diagnostics are per
server instance)::
MellonDiagnosticsEnable On
.. NOTE::
Some versions of the Mellon User Guide have a typo in the name of
this directive, it incorrectly uses ``MellonDiagnosticEnable``
instead of ``MellonDiagnosticsEnable``. The difference is
Diagnostics is plural.
The Apache ``error_log`` will contain a message indicating how it
processed the ``MellonDiagnosticsEnable`` directive. If you loaded the
standard module without diagnostics you'll see a message like this::
MellonDiagnosticsEnable has no effect because Mellon was not
compiled with diagnostics enabled, use
./configure --enable-diagnostics at build time to turn this
feature on.
If you've loaded the diagnostics version of the module you'll see a
message in the ``error_log`` like this::
mellon diagnostics enabled for virtual server *:443
(/etc/httpd/conf.d/my_server.conf:7)
ServerName=https://my_server.example.com:443, diagnostics
filename=logs/mellon_diagnostics

SOURCES/auth_mellon.conf Normal file

@ -0,0 +1,2 @@
MellonCacheSize 100
MellonLockFile "/run/mod_auth_mellon/lock"


@ -0,0 +1,126 @@
#!/usr/bin/env bash
set -e
PROG="$(basename "$0")"
printUsage() {
echo "Usage: $PROG ENTITY-ID ENDPOINT-URL"
echo ""
echo "Example:"
echo " $PROG urn:someservice https://sp.example.org/mellon"
echo ""
}
if [ "$#" -lt 2 ]; then
printUsage
exit 1
fi
ENTITYID="$1"
if [ -z "$ENTITYID" ]; then
echo "$PROG: An entity ID is required." >&2
exit 1
fi
BASEURL="$2"
if [ -z "$BASEURL" ]; then
echo "$PROG: The URL to the MellonEndpointPath is required." >&2
exit 1
fi
if ! echo "$BASEURL" | grep -q '^https\?://'; then
echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
exit 1
fi
HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^/]*\).*#\1#')"
BASEURL="$(echo "$BASEURL" | sed 's#/$##')"
OUTFILE="$(echo "$ENTITYID" | sed 's/[^0-9A-Za-z.]/_/g' | sed 's/__*/_/g')"
echo "Output files:"
echo "Private key: $OUTFILE.key"
echo "Certificate: $OUTFILE.cert"
echo "Metadata: $OUTFILE.xml"
echo "Host: $HOST"
echo
echo "Endpoints:"
echo "SingleLogoutService (SOAP): $BASEURL/logout"
echo "SingleLogoutService (HTTP-Redirect): $BASEURL/logout"
echo "AssertionConsumerService (HTTP-POST): $BASEURL/postResponse"
echo "AssertionConsumerService (HTTP-Artifact): $BASEURL/artifactResponse"
echo "AssertionConsumerService (PAOS): $BASEURL/paosResponse"
echo
# No files should not be readable by the rest of the world.
umask 0077
TEMPLATEFILE="$(mktemp -t mellon_create_sp.XXXXXXXXXX)"
cat >"$TEMPLATEFILE" <<EOF
RANDFILE = /dev/urandom
[req]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
[req_distinguished_name]
commonName = $HOST
EOF
openssl req -utf8 -batch -config "$TEMPLATEFILE" -new -x509 -days 3652 -nodes -out "$OUTFILE.cert" -keyout "$OUTFILE.key" 2>/dev/null
rm -f "$TEMPLATEFILE"
CERT="$(grep -v '^-----' "$OUTFILE.cert")"
cat >"$OUTFILE.xml" <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor
entityID="$ENTITYID"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor
AuthnRequestsSigned="true"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>$CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>$CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="$BASEURL/logout" />
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="$BASEURL/logout" />
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<AssertionConsumerService
index="0"
isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="$BASEURL/postResponse" />
<AssertionConsumerService
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="$BASEURL/artifactResponse" />
<AssertionConsumerService
index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
Location="$BASEURL/paosResponse" />
</SPSSODescriptor>
</EntityDescriptor>
EOF
umask 0777
chmod go+r "$OUTFILE.xml"
chmod go+r "$OUTFILE.cert"
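Review bot: The script writes `$OUTFILE.key`, `$OUTFILE.cert` and `$OUTFILE.xml` without checking whether they exist, so re-running it with the same entity ID silently replaces the SP's private key and invalidates metadata already registered with the IdP; add a guard before the umask line, e.g. `for f in "$OUTFILE.key" "$OUTFILE.cert" "$OUTFILE.xml"; do [ -e "$f" ] && { echo "$PROG: $f exists, refusing to overwrite." >&2; exit 1; }; done`. Under `set -e` an openssl failure (whose stderr is discarded) leaves `$TEMPLATEFILE` behind, so `trap 'rm -f "$TEMPLATEFILE"' EXIT` right after mktemp is preferable to the explicit rm. The closing `umask 0777` reads as an attempt to restore the earlier umask but sets the most restrictive value instead; only chmod follows it so it is harmless, but saving the original with `OLDMASK=$(umask)` and restoring that would say what was meant.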

File diff suppressed because one or more lines are too long


@ -0,0 +1,2 @@
# mod_auth_mellon lock file is created in this directory
d /run/mod_auth_mellon 0755 apache apache

SPECS/mod_auth_mellon.spec Normal file

@ -0,0 +1,259 @@
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
Name: mod_auth_mellon
Version: 0.14.0
Release: 11%{?dist}
Group: System Environment/Daemons
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: auth_mellon.conf
Source2: 10-auth_mellon.conf
Source3: mod_auth_mellon.conf
Source4: mellon_create_metadata.sh
Source5: README.redhat.rst
Source6: mellon_user_guide.html
License: GPLv2+
BuildRequires: gcc
BuildRequires: curl-devel
BuildRequires: glib2-devel
BuildRequires: httpd-devel
BuildRequires: lasso-devel >= 2.5.1
BuildRequires: openssl-devel
BuildRequires: xmlsec1-devel
Requires: httpd-mmn = %{_httpd_mmn}
Requires: lasso >= 2.5.1
Url: https://github.com/UNINETT/mod_auth_mellon
Patch0001: 0001-Modify-am_handler-setup-to-run-before-mod_proxy.patch
Patch0002: 0002-Fix-redirect-URL-validation-bypass.patch
Patch0003: 0003-backport-Make-the-environment-variable-prefix-configurable.patch
Patch0004: 0004-Fix-incorrect-header-used-for-detecting-AJAX-request.patch
Patch0005: 0005-CVE_2019_13038.patch
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
# I could not get asciidoc to render properly so instead I generated
# mellon_user_guide.html on Fedora using asciidoctor and included
# mellon_user_guide.html as a SOURCE. If the user guide source is updated
# the mellon_user_guide.html will need to be regenerated.
%description
The mod_auth_mellon module is an authentication service that implements the
SAML 2.0 federation protocol. It grants access based on the attributes
received in assertions generated by a IdP server.
%prep
%setup -q -n %{name}-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
export APXS=%{_httpd_apxs}
%configure --enable-diagnostics
make clean
make %{?_smp_mflags}
cp .libs/%{name}.so %{name}-diagnostics.so
%configure
make clean
make %{?_smp_mflags}
%install
# install module
mkdir -p %{buildroot}%{_httpd_moddir}
install -m 755 .libs/%{name}.so %{buildroot}%{_httpd_moddir}
install -m 755 %{name}-diagnostics.so %{buildroot}%{_httpd_moddir}
# install module configuration
mkdir -p %{buildroot}%{_httpd_confdir}
install -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir}
mkdir -p %{buildroot}%{_httpd_modconfdir}
install -m 644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}
mkdir -p %{buildroot}/run/%{name}
# install script to generate metadata
mkdir -p %{buildroot}/%{_libexecdir}/%{name}
install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
#install documentation
mkdir -p %{buildroot}/%{_pkgdocdir}
# install Red Hat README
install -m 644 %{SOURCE5} %{buildroot}/%{_pkgdocdir}
# install user guide
cp -r doc/user_guide %{buildroot}/%{_pkgdocdir}
install -m 644 %{SOURCE6} %{buildroot}/%{_pkgdocdir}/user_guide
%package diagnostics
Summary: Build of mod_auth_mellon with diagnostic logging
Requires: %{name} = %{version}-%{release}
%description diagnostics
Build of mod_auth_mellon with diagnostic logging. See README.redhat.rst
in the doc directory for instructions on using the diagnostics build.
%files diagnostics
%{_httpd_moddir}/%{name}-diagnostics.so
%files
%if 0%{?rhel} && 0%{?rhel} < 7
%doc COPYING
%else
%license COPYING
%endif
%doc README.md NEWS ECP.rst
%doc %{_pkgdocdir}/README.redhat.rst
%doc %{_pkgdocdir}/user_guide
%config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf
%config(noreplace) %{_httpd_confdir}/auth_mellon.conf
%{_httpd_moddir}/mod_auth_mellon.so
%{_tmpfilesdir}/mod_auth_mellon.conf
%{_libexecdir}/%{name}
%attr(0755,apache,apache) %dir /run/%{name}/
%changelog
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-11
- Resolves: rhbz#1731053 - CVE-2019-13038 mod_auth_mellon: an Open Redirect
via the login?ReturnTo= substring which could
facilitate information theft [rhel-8]
* Fri Oct 18 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-10
- Resolves: rhbz#1761774 - mod_auth_mellon fix for AJAX header name
X-Requested-With
* Thu Jun 13 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-9
- Just bump the release number
- Related: rhbz#1718238 - mod_auth_mellon-diagnostics RPM not in product
listings
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-8
- Resolves: rhbz#1691894 - [RFE] Config option to change mod_auth_mellon prefix
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-7
- Apply the patch from the previous commit
- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
redirect in logout url when using URLs with
backslashes [rhel-8]
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-6
- Resolves: rhbz#1692471 - CVE-2019-3877 appstream/mod_auth_mellon: open
redirect in logout url when using URLs with
backslashes [rhel-8]
* Fri Jun 7 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-5
- Resolves: rhbz#1692457 - CVE-2019-3878 mod_auth_mellon: authentication
bypass in ECP flow [rhel-8.1.0]
* Wed Apr 24 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.14.0-4
- Resolves: rhbz#1702695 - fresh install of mod_auth_mellon shows rpm
verification warnings
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3
- Rebuild with fixed binutils
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-2
- Resolves: rhbz#1553885
- fix file permissions on doc files
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-1
- Resolves: rhbz#1553885
- Rebase to current upstream release
* Thu Mar 29 2018 John Dennis <jdennis@redhat.com> - 0.13.1-2
- Resolves: rhbz#1481330 Add diagnostic logging
- Resolves: rhbz#1295472 Add MellonSignatureMethod config option to set
signature method used to sign SAML messages sent by Mellon.
Defaults to original sha1.
* Sun Oct 1 2017 John Dennis <jdennis@redhat.com> - 0.13.1-1
- upgrade to new upstream release
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Jan 17 2017 John Dennis <jdennis@redhat.com> - 0.12.0-4
- Resolves: bug #1414019 Incorrect PAOS Content-Type header
* Mon Jan 9 2017 John Dennis <jdennis@redhat.com> - 0.12.0-3
- bump release for rebuild
* Tue May 3 2016 John Dennis <jdennis@redhat.com> - 0.12.0-2
- Resolves: bug #1332729, mellon conflicts with mod_auth_openidc
- am_check_uid() should be no-op if mellon not enabled
* Wed Mar 9 2016 John Dennis <jdennis@redhat.com> - 0.12.0-1
- Update to new upstream 0.12.0
- [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
incorrect error handling when reading POST data from client.
- [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
resource exhaustion) due to missing size checks when reading
POST data.
In addition this release contains the following new features and fixes:
- Add MellonRedirectDomains option to limit the sites that
mod_auth_mellon can redirect to. This option is enabled by default.
- Add support for ECP service options in PAOS requests.
- Fix AssertionConsumerService lookup for PAOS requests.
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Dec 23 2015 John Dennis <jdennis@redhat.com> - 0.11.0-3
- Fix the following warning that appears in the Apache log
lasso-CRITICAL **: lasso_provider_get_metadata_list_for_role: assertion '_lasso_provider_get_role_index(role)' failed
* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-2
- Add lasso 2.5.0 version dependency
* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-1
- Upgrade to upstream 0.11.0 release.
- Includes ECP support, see NEWS for all changes.
- Update mellon_create_metadata.sh to match internally generated metadata,
includes AssertionConsumerService for postResponse, artifactResponse &
paosResponse.
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Wed Jan 7 2015 Simo Sorce <simo@redhat.com> 0.10.0-1
- New upstream release
* Tue Sep 2 2014 Simo Sorce <simo@redhat.com> 0.9.1-1
- New upstream release
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Jun 24 2014 Simo Sorce <simo@redhat.com> 0.8.0-1
- New upstream realease version 0.8.0
- Upstream moved to github
- Drops patches as they have been all included upstream
* Fri Jun 20 2014 Simo Sorce <simo@redhat.com> 0.7.0-3
- Backport of useful patches from upstream
- Better handling of IDP reported errors
- Better handling of session data storage size
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue Dec 10 2013 Simo Sorce <simo@redhat.com> 0.7.0-1
- Fix ownership of /run files
* Wed Nov 27 2013 Simo Sorce <simo@redhat.com> 0.7.0-0
- Initial Fedora release based on version 0.7.0
- Based on an old spec file by Jean-Marc Liger <jmliger@siris.sorbonne.fr>
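Review bot: Source0 is fetched from the GitHub release URL and bound only by the SHA-1 in the lookaside metadata; nothing in %prep verifies an upstream signature, so that single SHA-1 pin is the whole integrity guarantee for a module that sits in the authentication path. If upstream publishes a detached signature for the tarball, add it and the release key as Source lines and run `%{gpgverify} --keyring=%{SOURCE8} --signature=%{SOURCE7} --data=%{SOURCE0}` at the top of %prep; otherwise record in a comment how the pin was checked against upstream's published digest. Patch0001 and Patch0002 fix CVE-2019-3878 and CVE-2019-3877 according to the changelog, but only Patch0005's file name carries its CVE, so a comment naming the CVE beside each Patch line would spare the next auditor the cross-reference.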