import mod_auth_mellon-0.14.0-3.el8

This commit is contained in:
CentOS Sources 2019-05-07 00:08:43 -04:00 committed by Andrew Lukoshko
commit b344d0ece5
9 changed files with 7461 additions and 0 deletions

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/mod_auth_mellon-0.14.0.tar.gz

View File

@ -0,0 +1 @@
4a93f8b093e1dea20e8a286931693c614903f2d9 SOURCES/mod_auth_mellon-0.14.0.tar.gz

View File

@ -0,0 +1 @@
LoadModule auth_mellon_module modules/mod_auth_mellon.so

83
SOURCES/README.redhat.rst Normal file
View File

@ -0,0 +1,83 @@
Red Hat Specific mod_auth_mellon Information
============================================
This README contains information specific to Red Hat's distribution of
``mod_auth_mellon``.
Diagnostic Logging
------------------
Diagnostic logging can be used to collect run time information to help
diagnose problems with your ``mod_auth_mellon`` deployment. Please see
the "Mellon Diagnostics" section in the Mellon User Guide for more
details.
How to enable diagnostic logging on Red Hat systems
```````````````````````````````````````````````````
Diagnostic logging adds overhead to the execution of
``mod_auth_mellon``. The code to emit diagnostic logging must be
compiled into ``mod_auth_mellon`` at build time. In addition the
diagnostic log file may contain security sensitive information which
should not normally be written to a log file. If you have a
version of ``mod_auth_mellon`` which was built with diagnostics you
can disable diagnostic logging via the ``MellonDiagnosticsEnable``
configuration directive. However given human nature the potential to
enable diagnostic logging while resolving a problem and then forget to
disable it is not a situation that should exist by default. Therefore
given the overhead consideration and the desire to avoid enabling
diagnostic logging by mistake the Red Hat ``mod_auth_mellon`` RPM's
ship with two versions of the ``mod_auth_mellon`` Apache module.
1. The ``mod_auth_mellon`` RPM contains the normal Apache module
``/usr/lib*/httpd/modules/mod_auth_mellon.so``
2. The ``mod_auth_mellon-diagnostics`` RPM contains the diagnostic
version of the Apache module
``/usr/lib*/httpd/modules/mod_auth_mellon-diagnostics.so``
Because each version of the module has a different name both the
normal and diagnostic modules can be installed simultaneously without
conflict. But Apache will only load one of the two modules. Which
module is loaded is controlled by the
``/etc/httpd/conf.modules.d/10-auth_mellon.conf`` config file which
has a line in it which looks like this::
LoadModule auth_mellon_module modules/mod_auth_mellon.so
To load the diagnostics version of the module you need to change the
module name so it looks like this::
LoadModule auth_mellon_module modules/mod_auth_mellon-diagnostics.so
**Don't forget to change it back again when you're done debugging.**
You'll also need to enable the collection of diagnostic information,
do this by adding this directive at the top of your Mellon conf.d
config file or inside your virtual host config (diagnostics are per
server instance)::
MellonDiagnosticsEnable On
.. NOTE::
Some versions of the Mellon User Guide have a typo in the name of
this directive, it incorrectly uses ``MellonDiagnosticEnable``
instead of ``MellonDiagnosticsEnable``. The difference is
Diagnostics is plural.
The Apache ``error_log`` will contain a message indicating how it
processed the ``MellonDiagnosticsEnable`` directive. If you loaded the
standard module without diagnostics you'll see a message like this::
MellonDiagnosticsEnable has no effect because Mellon was not
compiled with diagnostics enabled, use
./configure --enable-diagnostics at build time to turn this
feature on.
If you've loaded the diagnostics version of the module you'll see a
message in the ``error_log`` like this::
mellon diagnostics enabled for virtual server *:443
(/etc/httpd/conf.d/my_server.conf:7)
ServerName=https://my_server.example.com:443, diagnostics
filename=logs/mellon_diagnostics

2
SOURCES/auth_mellon.conf Normal file
View File

@ -0,0 +1,2 @@
MellonCacheSize 100
MellonLockFile "/run/mod_auth_mellon/lock"

View File

@ -0,0 +1,126 @@
#!/usr/bin/env bash
set -e
PROG="$(basename "$0")"
printUsage() {
echo "Usage: $PROG ENTITY-ID ENDPOINT-URL"
echo ""
echo "Example:"
echo " $PROG urn:someservice https://sp.example.org/mellon"
echo ""
}
if [ "$#" -lt 2 ]; then
printUsage
exit 1
fi
ENTITYID="$1"
if [ -z "$ENTITYID" ]; then
echo "$PROG: An entity ID is required." >&2
exit 1
fi
BASEURL="$2"
if [ -z "$BASEURL" ]; then
echo "$PROG: The URL to the MellonEndpointPath is required." >&2
exit 1
fi
if ! echo "$BASEURL" | grep -q '^https\?://'; then
echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
exit 1
fi
HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^/]*\).*#\1#')"
BASEURL="$(echo "$BASEURL" | sed 's#/$##')"
OUTFILE="$(echo "$ENTITYID" | sed 's/[^0-9A-Za-z.]/_/g' | sed 's/__*/_/g')"
echo "Output files:"
echo "Private key: $OUTFILE.key"
echo "Certificate: $OUTFILE.cert"
echo "Metadata: $OUTFILE.xml"
echo "Host: $HOST"
echo
echo "Endpoints:"
echo "SingleLogoutService (SOAP): $BASEURL/logout"
echo "SingleLogoutService (HTTP-Redirect): $BASEURL/logout"
echo "AssertionConsumerService (HTTP-POST): $BASEURL/postResponse"
echo "AssertionConsumerService (HTTP-Artifact): $BASEURL/artifactResponse"
echo "AssertionConsumerService (PAOS): $BASEURL/paosResponse"
echo
# No files should not be readable by the rest of the world.
umask 0077
TEMPLATEFILE="$(mktemp -t mellon_create_sp.XXXXXXXXXX)"
cat >"$TEMPLATEFILE" <<EOF
RANDFILE = /dev/urandom
[req]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
[req_distinguished_name]
commonName = $HOST
EOF
openssl req -utf8 -batch -config "$TEMPLATEFILE" -new -x509 -days 3652 -nodes -out "$OUTFILE.cert" -keyout "$OUTFILE.key" 2>/dev/null
rm -f "$TEMPLATEFILE"
CERT="$(grep -v '^-----' "$OUTFILE.cert")"
cat >"$OUTFILE.xml" <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor
entityID="$ENTITYID"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor
AuthnRequestsSigned="true"
WantAssertionsSigned="true"
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>$CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>$CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="$BASEURL/logout" />
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="$BASEURL/logout" />
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<AssertionConsumerService
index="0"
isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="$BASEURL/postResponse" />
<AssertionConsumerService
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="$BASEURL/artifactResponse" />
<AssertionConsumerService
index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
Location="$BASEURL/paosResponse" />
</SPSSODescriptor>
</EntityDescriptor>
EOF
umask 0777
chmod go+r "$OUTFILE.xml"
chmod go+r "$OUTFILE.cert"

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1,2 @@
# mod_auth_mellon lock file is created in this directory
d /run/mod_auth_mellon 0755 apache apache

212
SPECS/mod_auth_mellon.spec Normal file
View File

@ -0,0 +1,212 @@
Summary: A SAML 2.0 authentication module for the Apache Httpd Server
Name: mod_auth_mellon
Version: 0.14.0
Release: 3%{?dist}
Group: System Environment/Daemons
Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: auth_mellon.conf
Source2: 10-auth_mellon.conf
Source3: mod_auth_mellon.conf
Source4: mellon_create_metadata.sh
Source5: README.redhat.rst
Source6: mellon_user_guide.html
License: GPLv2+
BuildRequires: gcc
BuildRequires: curl-devel
BuildRequires: glib2-devel
BuildRequires: httpd-devel
BuildRequires: lasso-devel >= 2.5.1
BuildRequires: openssl-devel
BuildRequires: xmlsec1-devel
Requires: httpd-mmn = %{_httpd_mmn}
Requires: lasso >= 2.5.1
Url: https://github.com/UNINETT/mod_auth_mellon
# FIXME: RHEL-7 does not have rubygem-asciidoctor, only asciidoc. However,
# I could not get asciidoc to render properly so instead I generated
# mellon_user_guide.html on Fedora using asciidoctor and included
# mellon_user_guide.html as a SOURCE. If the user guide source is updated
# the mellon_user_guide.html will need to be regenerated.
%description
The mod_auth_mellon module is an authentication service that implements the
SAML 2.0 federation protocol. It grants access based on the attributes
received in assertions generated by a IdP server.
%prep
%setup -q -n %{name}-%{version}
%build
export APXS=%{_httpd_apxs}
%configure --enable-diagnostics
make clean
make %{?_smp_mflags}
cp .libs/%{name}.so %{name}-diagnostics.so
%configure
make clean
make %{?_smp_mflags}
%install
# install module
mkdir -p %{buildroot}%{_httpd_moddir}
install -m 755 .libs/%{name}.so %{buildroot}%{_httpd_moddir}
install -m 755 %{name}-diagnostics.so %{buildroot}%{_httpd_moddir}
# install module configuration
mkdir -p %{buildroot}%{_httpd_confdir}
install -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir}
mkdir -p %{buildroot}%{_httpd_modconfdir}
install -m 644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 644 %{SOURCE3} %{buildroot}%{_tmpfilesdir}
mkdir -p %{buildroot}/run/%{name}
# install script to generate metadata
mkdir -p %{buildroot}/%{_libexecdir}/%{name}
install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
#install documentation
mkdir -p %{buildroot}/%{_pkgdocdir}
# install Red Hat README
install -m 644 %{SOURCE5} %{buildroot}/%{_pkgdocdir}
# install user guide
cp -r doc/user_guide %{buildroot}/%{_pkgdocdir}
install -m 644 %{SOURCE6} %{buildroot}/%{_pkgdocdir}/user_guide
%package diagnostics
Summary: Build of mod_auth_mellon with diagnostic logging
Requires: %{name} = %{version}-%{release}
%description diagnostics
Build of mod_auth_mellon with diagnostic logging. See README.redhat.rst
in the doc directory for instructions on using the diagnostics build.
%files diagnostics
%{_httpd_moddir}/%{name}-diagnostics.so
%files
%if 0%{?rhel} && 0%{?rhel} < 7
%doc COPYING
%else
%license COPYING
%endif
%doc README.md NEWS ECP.rst
%doc %{_pkgdocdir}/README.redhat.rst
%doc %{_pkgdocdir}/user_guide
%config(noreplace) %{_httpd_modconfdir}/10-auth_mellon.conf
%config(noreplace) %{_httpd_confdir}/auth_mellon.conf
%{_httpd_moddir}/mod_auth_mellon.so
%{_tmpfilesdir}/mod_auth_mellon.conf
%{_libexecdir}/%{name}
%dir /run/%{name}/
%changelog
* Mon Jul 30 2018 Florian Weimer <fweimer@redhat.com> - 0.14.0-3
- Rebuild with fixed binutils
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-2
- Resolves: rhbz#1553885
- fix file permissions on doc files
* Fri Jun 1 2018 <jdennis@redhat.com> - 0.14.0-1
- Resolves: rhbz#1553885
- Rebase to current upstream release
* Thu Mar 29 2018 John Dennis <jdennis@redhat.com> - 0.13.1-2
- Resolves: rhbz#1481330 Add diagnostic logging
- Resolves: rhbz#1295472 Add MellonSignatureMethod config option to set
signature method used to sign SAML messages sent by Mellon.
Defaults to original sha1.
* Sun Oct 1 2017 John Dennis <jdennis@redhat.com> - 0.13.1-1
- upgrade to new upstream release
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.12.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Jan 17 2017 John Dennis <jdennis@redhat.com> - 0.12.0-4
- Resolves: bug #1414019 Incorrect PAOS Content-Type header
* Mon Jan 9 2017 John Dennis <jdennis@redhat.com> - 0.12.0-3
- bump release for rebuild
* Tue May 3 2016 John Dennis <jdennis@redhat.com> - 0.12.0-2
- Resolves: bug #1332729, mellon conflicts with mod_auth_openidc
- am_check_uid() should be no-op if mellon not enabled
* Wed Mar 9 2016 John Dennis <jdennis@redhat.com> - 0.12.0-1
- Update to new upstream 0.12.0
- [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to
incorrect error handling when reading POST data from client.
- [CVE-2016-2146] Fix DOS attack (Apache worker process crash /
resource exhaustion) due to missing size checks when reading
POST data.
In addition this release contains the following new features and fixes:
- Add MellonRedirectDomains option to limit the sites that
mod_auth_mellon can redirect to. This option is enabled by default.
- Add support for ECP service options in PAOS requests.
- Fix AssertionConsumerService lookup for PAOS requests.
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Dec 23 2015 John Dennis <jdennis@redhat.com> - 0.11.0-3
- Fix the following warning that appears in the Apache log
lasso-CRITICAL **: lasso_provider_get_metadata_list_for_role: assertion '_lasso_provider_get_role_index(role)' failed
* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-2
- Add lasso 2.5.0 version dependency
* Fri Sep 18 2015 John Dennis <jdennis@redhat.com> - 0.11.0-1
- Upgrade to upstream 0.11.0 release.
- Includes ECP support, see NEWS for all changes.
- Update mellon_create_metadata.sh to match internally generated metadata,
includes AssertionConsumerService for postResponse, artifactResponse &
paosResponse.
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Wed Jan 7 2015 Simo Sorce <simo@redhat.com> 0.10.0-1
- New upstream release
* Tue Sep 2 2014 Simo Sorce <simo@redhat.com> 0.9.1-1
- New upstream release
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Jun 24 2014 Simo Sorce <simo@redhat.com> 0.8.0-1
- New upstream realease version 0.8.0
- Upstream moved to github
- Drops patches as they have been all included upstream
* Fri Jun 20 2014 Simo Sorce <simo@redhat.com> 0.7.0-3
- Backport of useful patches from upstream
- Better handling of IDP reported errors
- Better handling of session data storage size
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue Dec 10 2013 Simo Sorce <simo@redhat.com> 0.7.0-1
- Fix ownership of /run files
* Wed Nov 27 2013 Simo Sorce <simo@redhat.com> 0.7.0-0
- Initial Fedora release based on version 0.7.0
- Based on an old spec file by Jean-Marc Liger <jmliger@siris.sorbonne.fr>