authormanu <manu@pkgsrc.org>2009-03-02 16:47:42 +0000
committermanu <manu@pkgsrc.org>2009-03-02 16:47:42 +0000
commitb3f713f0fec4db99ad6a861973ea14fd7f82b487 (patch)
treec0df8110910daac6277fbd4d559b1e7bfe37112f /www/ap2-auth-mellon
parente1232165cb08f1cb1e60edfc0cf78715e6f82332 (diff)
downloadpkgsrc-b3f713f0fec4db99ad6a861973ea14fd7f82b487.tar.gz
mod_auth_mellon is an authentication module for apache. It authenticates
the user against a SAML 2.0 IdP, and grants access to directories depending on attributes received from the IdP.
Diffstat (limited to 'www/ap2-auth-mellon')
-rw-r--r--www/ap2-auth-mellon/DESCR3
-rw-r--r--www/ap2-auth-mellon/MESSAGE9
-rw-r--r--www/ap2-auth-mellon/Makefile35
-rw-r--r--www/ap2-auth-mellon/PLIST2
-rw-r--r--www/ap2-auth-mellon/distinfo6
-rw-r--r--www/ap2-auth-mellon/patches/patch-aa114
6 files changed, 169 insertions, 0 deletions
diff --git a/www/ap2-auth-mellon/DESCR b/www/ap2-auth-mellon/DESCR
new file mode 100644
index 00000000000..c60a3240bb4
--- /dev/null
+++ b/www/ap2-auth-mellon/DESCR
@@ -0,0 +1,3 @@
+mod_auth_mellon is a authentication module for apache. It authenticates
+the user against a SAML 2.0 IdP, and and grants access to directories
+depending on attributes received from the IdP.
diff --git a/www/ap2-auth-mellon/MESSAGE b/www/ap2-auth-mellon/MESSAGE
new file mode 100644
index 00000000000..94fa4db465c
--- /dev/null
+++ b/www/ap2-auth-mellon/MESSAGE
@@ -0,0 +1,9 @@
+===========================================================================
+$NetBSD: MESSAGE,v 1.1.1.1 2009/03/02 16:47:42 manu Exp $
+
+In order to use this module in your Apache installation, you need to
+add the following to your httpd.conf file:
+
+ LoadModule auth_mellon_module lib/httpd/mod_auth_mellon.so
+
+===========================================================================
diff --git a/www/ap2-auth-mellon/Makefile b/www/ap2-auth-mellon/Makefile
new file mode 100644
index 00000000000..e91c4711678
--- /dev/null
+++ b/www/ap2-auth-mellon/Makefile
@@ -0,0 +1,35 @@
+# $NetBSD: Makefile,v 1.1.1.1 2009/03/02 16:47:42 manu Exp $
+#
+
+PKGNAME= ${APACHE_PKG_PREFIX}-auth-mellon
+DISTNAME= mod_auth_mellon-0.1.0
+CATEGORIES= www security
+MASTER_SITES= http://modmellon.googlecode.com/files/
+
+MAINTAINER= manu@NetBSD.org
+HOMEPAGE= http://code.google.com/p/modmellon/
+COMMENT= SAML 2.0 authentication for Apache
+
+PKG_DESTDIR_SUPPORT= destdir
+
+GNU_CONFIGURE= YES
+USE_LIBTOOL= YES
+USE_TOOLS+= pkg-config
+
+APACHE_MODULE= YES
+APACHE_MODULE_NAME= auth_mellon_module
+PKG_APACHE_ACCEPTED= apache2 apache22
+.include "../../mk/apache.mk"
+BUILDLINK_API_DEPENDS.apache+= apache>=2.0.47
+
+CONFIGURE_ENV+= PKG_CONFIG_PATH=${PREFIX}/lib/pkgconfig
+CONFIGURE_ENV+= OPENSSL_CFLAGS="${CPPFLAGS}"
+CONFIGURE_ENV+= OPENSSL_LIBS="-L${PREFIX}/lib -lssl -lcrypto"
+CONFIGURE_ARGS+= --with-apxs=${APXS:Q}
+
+# url2pkg-marker (please do not remove this line.)
+
+.include "../../security/lasso/buildlink3.mk"
+.include "../../www/curl/buildlink3.mk"
+
+.include "../../mk/bsd.pkg.mk"
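Review bot: The Makefile links OpenSSL through `OPENSSL_LIBS="-L${PREFIX}/lib -lssl -lcrypto"` but never includes an OpenSSL buildlink file itself. The dependency is therefore only registered if the lasso or curl buildlink3.mk happens to pull it in, which is not visible here. Adding `.include "../../security/openssl/buildlink3.mk"` next to the lasso and curl includes would make the crypto dependency explicit, so the module is built and version-checked against the OpenSSL the package system tracks. The hard-coded `-L${PREFIX}/lib` also assumes OpenSSL lives under the pkgsrc prefix, which should be confirmed for platforms that use the base-system library.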
diff --git a/www/ap2-auth-mellon/PLIST b/www/ap2-auth-mellon/PLIST
new file mode 100644
index 00000000000..12ad91a829e
--- /dev/null
+++ b/www/ap2-auth-mellon/PLIST
@@ -0,0 +1,2 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2009/03/02 16:47:42 manu Exp $
+lib/httpd/mod_auth_mellon.so
diff --git a/www/ap2-auth-mellon/distinfo b/www/ap2-auth-mellon/distinfo
new file mode 100644
index 00000000000..08f0746d08c
--- /dev/null
+++ b/www/ap2-auth-mellon/distinfo
@@ -0,0 +1,6 @@
+$NetBSD: distinfo,v 1.1.1.1 2009/03/02 16:47:42 manu Exp $
+
+SHA1 (mod_auth_mellon-0.1.0.tar.gz) = d8f20efa3165a55bdc05526bf2077c182cd3bb80
+RMD160 (mod_auth_mellon-0.1.0.tar.gz) = 2c347b2a28867a5d0e3d1c0716e25a6e7d7756c8
+Size (mod_auth_mellon-0.1.0.tar.gz) = 74563 bytes
+SHA1 (patch-aa) = 0a9d7ec8b672b21ad828fde64a75b709cdbf808a
diff --git a/www/ap2-auth-mellon/patches/patch-aa b/www/ap2-auth-mellon/patches/patch-aa
new file mode 100644
index 00000000000..bddb56d7e89
--- /dev/null
+++ b/www/ap2-auth-mellon/patches/patch-aa
@@ -0,0 +1,114 @@
+$NetBSD: patch-aa,v 1.1.1.1 2009/03/02 16:47:42 manu Exp $
+Index: auth_mellon_cookie.c
+===================================================================
+--- auth_mellon_cookie.c (revision 39)
++++ auth_mellon_cookie.c (working copy)
+@@ -140,13 +140,18 @@
+ {
+ const char *name;
+ char *cookie;
++ int secure_cookie;
+
+ if (id == NULL)
+ return;
+
++ secure_cookie = ((am_dir_cfg_rec *)am_get_dir_cfg(r))->secure;
+ name = am_cookie_name(r);
+
+- cookie = apr_psprintf(r->pool, "%s=%s; Version=1; Path=/", name, id);
++ cookie = apr_psprintf(r->pool,
++ "%s=%s; Version=1; Path=/; Domain=%s%s;",
++ name, id, r->server->server_hostname,
++ secure_cookie ? "; HttpOnly; secure" : "");
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "cookie_set: %s", cookie);
+
+Index: auth_mellon.h
+===================================================================
+--- auth_mellon.h (revision 39)
++++ auth_mellon.h (working copy)
+@@ -127,6 +127,7 @@
+ am_decoder_t decoder;
+
+ const char *varname;
++ int secure;
+ apr_hash_t *require;
+ apr_hash_t *envattr;
+ const char *userattr;
+Index: README
+===================================================================
+--- README (revision 39)
++++ README (working copy)
+@@ -161,6 +161,13 @@
+ # Default: "cookie"
+ MellonVariable "cookie"
+
++ # MellonSecureCookie enforces the HttpOnly and secure flags
++ # for the mod_mellon cookie
++ # Default: Off
++ MellonSecureCookie On
++
++ # MellonSecureCookie enforces the HttpOnly and secure flags
++ # for the mod_mellon cookie
+ # MellonUser selects which attribute we should use for the username.
+ # The username is passed on to other apache modules and to the web
+ # page the user visits. NAME_ID is an attribute which we set to
+@@ -257,7 +264,6 @@
+ # certificate for the IdP.
+ # Default: None set.
+ MellonIdPCAFile /etc/apache2/mellon/ca.pem
+-
+ </Location>
+
+
+Index: auth_mellon_config.c
+===================================================================
+--- auth_mellon_config.c (revision 39)
++++ auth_mellon_config.c (working copy)
+@@ -39,6 +39,10 @@
+ */
+ static const char *default_cookie_name = "cookie";
+
++/* The default setting for cookie flags is to not enforce HttpOnly and secure
++ */
++static const int default_secure_cookie = 0;
++
+ /* This is the default IdP initiated login location
+ * the MellonDefaultLoginPath configuration directive if you change this.
+ */
+@@ -352,6 +356,14 @@
+ " be 'mellon-cookie'."
+ ),
+ AP_INIT_TAKE1(
++ "MellonSecureCookie",
++ ap_set_flag_slot,
++ (void *)APR_OFFSETOF(am_dir_cfg_rec, secure),
++ OR_AUTHCFG,
++ "Whether the cookie set by auth_mellon should have HttpOnly and"
++ " secure flags set. Default is off."
++ ),
++ AP_INIT_TAKE1(
+ "MellonUser",
+ ap_set_string_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, userattr),
+@@ -480,6 +492,7 @@
+ dir->decoder = am_decoder_default;
+
+ dir->varname = default_cookie_name;
++ dir->secure = default_secure_cookie;
+ dir->require = apr_hash_make(p);
+ dir->envattr = apr_hash_make(p);
+ dir->userattr = default_user_attribute;
+@@ -541,6 +554,12 @@
+ add_cfg->varname :
+ base_cfg->varname);
+
++
++ new_cfg->secure = (add_cfg->secure != default_secure_cookie ?
++ add_cfg->secure :
++ base_cfg->secure);
++
++
+ new_cfg->require = apr_hash_copy(p,
+ (apr_hash_count(add_cfg->require) > 0) ?
+ add_cfg->require :
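Review bot: In the auth_mellon_config.c part of patch-aa, `MellonSecureCookie` is registered with `AP_INIT_TAKE1` while its handler is `ap_set_flag_slot`, which expects the int argument of a flag directive. With TAKE1 the handler is handed the argument string pointer instead, so `MellonSecureCookie Off` would most likely still store 1 in `secure`; registering it with `AP_INIT_FLAG(` matches the handler and lets the core parse On/Off. The merge in the last hunk has a related gap: `add_cfg->secure != default_secure_cookie` cannot tell an explicit Off from "unset", so a child section cannot turn off a parent's On. Separately, in auth_mellon_cookie.c the new `Domain=%s` is emitted unconditionally from `r->server->server_hostname`. In current browsers a Domain attribute makes the session cookie non-host-only, so it is also sent to subdomains, and it is not set at all when the client used a different host name. Consider emitting Domain only when it is explicitly configured; note too that HttpOnly and secure remain off by default and can only be enabled together.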