diff options
| author | manu <manu> | 2013-04-15 15:35:01 +0000 |
|---|---|---|
| committer | manu <manu> | 2013-04-15 15:35:01 +0000 |
| commit | 1bb15e8e0ca293568c2467d171b69e4b81cceb71 (patch) | |
| tree | f17456ec7fbda4ca550a8dd0ce2a7b895876641b /www/ap2-auth-mellon | |
| parent | daec38573f1f68c67deded931d0e88e4b44d9ac9 (diff) | |
| download | pkgsrc-1bb15e8e0ca293568c2467d171b69e4b81cceb71.tar.gz | |
Upgrade ap2-auth-mellon to 0.6.1 plus a patch from upstream
Changes since 0.4.0, from NEWS file:
* Add MellonSPentityId to control entityId in autogenerated metadata
Version 0.6.1
---------------------------------------------------------------------------
* Fix the POST replay functionality when multiple users logging in
at once.
* Add a fallback for the case where the POST replay data has expired
before the user logs in.
Version 0.6.0
---------------------------------------------------------------------------
Backwards-incompatible changes:
* The POST replay functionality has been disabled by default, and the
automatic creation of the MellonPostDirectory target directory has been
removed. If you want to use the POST replay functionality, take a
look at the README file for instructions for how to enable this.
* Start discovery service when accessing the login endpoint. We used
to bypass the discovery service in this case, and just pick the first
IdP. This has been changed to send a request to the discovery service
instead, if one is configured.
* The MellonLockFile default path has been changed to:
/var/run/mod_auth_mellon.lock
This only affects platforms where a lock file is required and
where Apache doesn't have write access to that directory during
startup. (Apache can normally create files in that directory
during startup.)
Other changes:
* Fix support for SOAP logout.
* Local logout when IdP does not support SAML 2.0 Single Logout.
* MellonDoNotVerifyLogoutSignature option to disable logout signature
validation.
* Support for relative file paths in configuration.
* The debian build-directory has been removed from the repository.
* Various cleanups and bugfixes:
* Fix cookie parsing header parsing for some HTTP libraries.
* Fix inheritance of MellonAuthnContextClassRef option.
* Use ap_set_content_type() instead of accessing request->content_type.
* README indentation cleanups.
* Support for even older versions of GLib.
* Fixes for error handling during session initialization.
* Directly link with GLib rather than relying on the Lasso library
linking to it for us.
* Some code cleanups.
Version 0.5.0
---------------------------------------------------------------------------
* Honour MellonProbeDiscoveryIdP order when sending probes.
* MellonAuthnContextClassRef configuration directive, to limit
authentication to specific authentication methods.
* Support for the HTTP-POST binding when sending authentication
requests to the IdP.
* MellonSubjectConfirmationDataAddressCheck option to disable received
address checking.
* Various cleanups and bugfixes:
* Support for older versions of GLib and APR.
* Send the correct SP entityID to the discovery service.
* Do not set response headers twice.
* Several cleanups in the code that starts authentication.
Diffstat (limited to 'www/ap2-auth-mellon')
| -rw-r--r-- | www/ap2-auth-mellon/MESSAGE | 26 | ||||
| -rw-r--r-- | www/ap2-auth-mellon/Makefile | 8 | ||||
| -rw-r--r-- | www/ap2-auth-mellon/distinfo | 10 | ||||
| -rw-r--r-- | www/ap2-auth-mellon/patches/patch-ai | 310 | ||||
| -rw-r--r-- | www/ap2-auth-mellon/patches/patch-aj | 105 |
5 files changed, 140 insertions, 319 deletions
diff --git a/www/ap2-auth-mellon/MESSAGE b/www/ap2-auth-mellon/MESSAGE index 94fa4db465c..49bcbe11a46 100644 --- a/www/ap2-auth-mellon/MESSAGE +++ b/www/ap2-auth-mellon/MESSAGE @@ -1,9 +1,33 @@ =========================================================================== -$NetBSD: MESSAGE,v 1.1.1.1 2009/03/02 16:47:42 manu Exp $ +$NetBSD: MESSAGE,v 1.2 2013/04/15 15:35:01 manu Exp $ In order to use this module in your Apache installation, you need to add the following to your httpd.conf file: LoadModule auth_mellon_module lib/httpd/mod_auth_mellon.so +If upgrading from version prior 0.6.0, please not the following +backward-incompatible changes: + +* The POST replay functionality has been disabled by default, and the + automatic creation of the MellonPostDirectory target directory has been + removed. If you want to use the POST replay functionality, create a + directory accessible only by the apache user (e.g.: /var/spool/mellon) + and add this after the LoadModule for mod_auth_mellon.so: + + MellonPostDirectory /var/spool/mellon + +* Start discovery service when accessing the login endpoint. We used + to bypass the discovery service in this case, and just pick the first + IdP. This has been changed to send a request to the discovery service + instead, if one is configured. + +* The MellonLockFile default path has been changed to: + /var/run/mod_auth_mellon.lock + This only affects platforms where a lock file is required and + where Apache doesn't have write access to that directory during + startup. (Apache can normally create files in that directory + during startup.) + + =========================================================================== diff --git a/www/ap2-auth-mellon/Makefile b/www/ap2-auth-mellon/Makefile index aa86ed86f50..b329fc0fd34 100644 --- a/www/ap2-auth-mellon/Makefile +++ b/www/ap2-auth-mellon/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.25 2013/02/06 23:23:57 jperkin Exp $ +# $NetBSD: Makefile,v 1.26 2013/04/15 15:35:01 manu Exp $ # PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/} -DISTNAME= mod_auth_mellon-0.4.0 -PKGREVISION= 7 +DISTNAME= mod_auth_mellon-0.6.1 +#PKGREVISION= 1 CATEGORIES= www security MASTER_SITES= http://modmellon.googlecode.com/files/ @@ -12,6 +12,8 @@ HOMEPAGE= http://code.google.com/p/modmellon/ COMMENT= SAML 2.0 authentication for Apache LICENSE= gnu-gpl-v2 # or later +PKG_DESTDIR_SUPPORT= user-destdir + GNU_CONFIGURE= YES USE_LIBTOOL= YES USE_TOOLS+= pkg-config diff --git a/www/ap2-auth-mellon/distinfo b/www/ap2-auth-mellon/distinfo index 8a636760523..2469b980414 100644 --- a/www/ap2-auth-mellon/distinfo +++ b/www/ap2-auth-mellon/distinfo @@ -1,6 +1,6 @@ -$NetBSD: distinfo,v 1.11 2011/12/06 09:58:01 manu Exp $ +$NetBSD: distinfo,v 1.12 2013/04/15 15:35:01 manu Exp $ -SHA1 (mod_auth_mellon-0.4.0.tar.gz) = d09f7bbefe32c2eaa624612584eab1ea8e89820a -RMD160 (mod_auth_mellon-0.4.0.tar.gz) = 92ef003ae22c43ef81d22f5027486244e76e3d3f -Size (mod_auth_mellon-0.4.0.tar.gz) = 103708 bytes -SHA1 (patch-ai) = a7a4f729301bff79cb39d441f9fa48993cdc2899 +SHA1 (mod_auth_mellon-0.6.1.tar.gz) = c1704daaafdb2105ee5f1d488f88ec914f2dd646 +RMD160 (mod_auth_mellon-0.6.1.tar.gz) = 0cef669feeb0fba516cd934f1fe8a93e6bc67239 +Size (mod_auth_mellon-0.6.1.tar.gz) = 108734 bytes +SHA1 (patch-aj) = c8219d53538cf9e10acaec861a66a3f29e22a582 diff --git a/www/ap2-auth-mellon/patches/patch-ai b/www/ap2-auth-mellon/patches/patch-ai deleted file mode 100644 index 2c89561d992..00000000000 --- a/www/ap2-auth-mellon/patches/patch-ai +++ /dev/null @@ -1,310 +0,0 @@ -$NetBSD: patch-ai,v 1.1 2011/12/06 09:58:01 manu Exp $ - -Honour MellonProbeDiscoveryIdP order when sending probes (from upstream) - ---- auth_mellon.h.orig 2011-05-18 12:39:00.000000000 +0200 -+++ auth_mellon.h 2011-12-06 09:54:08.000000000 +0100 -@@ -209,9 +209,9 @@ - - /* IdP discovery service */ - const char *discovery_url; - int probe_discovery_timeout; -- apr_hash_t *probe_discovery_idp; -+ apr_table_t *probe_discovery_idp; - - /* The configuration record we "inherit" the lasso server object from. */ - struct am_dir_cfg_rec *inherit_server_from; - /* Mutex to prevent us from creating several lasso server objects. */ ---- auth_mellon_config.c.orig 2011-05-18 12:39:00.000000000 +0200 -+++ auth_mellon_config.c 2011-12-06 09:54:08.000000000 +0100 -@@ -76,8 +76,9 @@ - * the MellonPostCount configuration directive if you change this. - */ - static const int post_count = 100; - -+#if unused - /* This function handles configuration directives which set a - * multivalued string slot in the module configuration (the destination - * strucure is a hash). - * -@@ -85,9 +86,8 @@ - * cmd_parms *cmd The command structure for this configuration - * directive. - * void *struct_ptr Pointer to the current directory configuration. - * NULL if we are not in a directory configuration. -- * This value isn't used by this function. - * const char *key The string argument following this configuration - * directive in the configuraion file. - * const char *value Optional value to be stored in the hash. - * -@@ -116,8 +116,49 @@ - apr_hash_set(*hash, apr_pstrdup(pconf, key), APR_HASH_KEY_STRING, value); - - return NULL; - } -+#endif /* unused */ -+ -+/* This function handles configuration directives which set a -+ * multivalued string slot in the module configuration (the destination -+ * strucure is a table). -+ * -+ * Parameters: -+ * cmd_parms *cmd The command structure for this configuration -+ * directive. -+ * void *struct_ptr Pointer to the current directory configuration. -+ * NULL if we are not in a directory configuration. -+ * const char *key The string argument following this configuration -+ * directive in the configuraion file. -+ * const char *value Optional value to be stored in the hash. -+ * -+ * Returns: -+ * NULL on success or an error string on failure. -+ */ -+static const char *am_set_table_string_slot(cmd_parms *cmd, -+ void *struct_ptr, -+ const char *key, -+ const char *value) -+{ -+ server_rec *s = cmd->server; -+ apr_pool_t *pconf = s->process->pconf; -+ am_dir_cfg_rec *cfg = (am_dir_cfg_rec *)struct_ptr; -+ int offset; -+ apr_table_t **table; -+ -+ /* -+ * If no value is given, we just store the key in the hash. -+ */ -+ if (value == NULL || *value == '\0') -+ value = key; -+ -+ offset = (int)(long)cmd->info; -+ table = (apr_table_t **)((char *)cfg + offset); -+ apr_table_set(*table, apr_pstrdup(pconf, key), value); -+ -+ return NULL; -+} - - /* This function handles configuration directives which set a file - * slot in the module configuration. If lasso is recent enough, it - * attempts to read the file immediatly. -@@ -1008,9 +1049,9 @@ - "Default is 1s" - ), - AP_INIT_TAKE12( - "MellonProbeDiscoveryIdP", -- am_set_hash_string_slot, -+ am_set_table_string_slot, - (void *)APR_OFFSETOF(am_dir_cfg_rec, probe_discovery_idp), - OR_AUTHCFG, - "An IdP that can be used for IdP probe discovery." - ), -@@ -1097,9 +1138,9 @@ - dir->idp_ignore = NULL; - dir->login_path = default_login_path; - dir->discovery_url = NULL; - dir->probe_discovery_timeout = -1; /* -1 means no probe discovery */ -- dir->probe_discovery_idp = apr_hash_make(p); -+ dir->probe_discovery_idp = apr_table_make(p, 0); - - dir->sp_org_name = apr_hash_make(p); - dir->sp_org_display_name = apr_hash_make(p); - dir->sp_org_url = apr_hash_make(p); -@@ -1292,12 +1333,12 @@ - (add_cfg->probe_discovery_timeout != -1 ? - add_cfg->probe_discovery_timeout : - base_cfg->probe_discovery_timeout); - -- new_cfg->probe_discovery_idp = apr_hash_copy(p, -- (apr_hash_count(add_cfg->probe_discovery_idp) > 0) ? -- add_cfg->probe_discovery_idp : -- base_cfg->probe_discovery_idp); -+ new_cfg->probe_discovery_idp = apr_table_copy(p, -+ (!apr_is_empty_table(add_cfg->probe_discovery_idp)) ? -+ add_cfg->probe_discovery_idp : -+ base_cfg->probe_discovery_idp); - - - if (cfg_can_inherit_lasso_server(add_cfg)) { - new_cfg->inherit_server_from = base_cfg->inherit_server_from; ---- auth_mellon_handler.c.orig 2011-05-18 12:39:00.000000000 +0200 -+++ auth_mellon_handler.c 2011-12-06 10:40:20.000000000 +0100 -@@ -2572,8 +2572,40 @@ - - return am_send_authn_request(r, idp, return_to, is_passive); - } - -+/* This function probes an URL (HTTP GET) -+ * -+ * Parameters: -+ * request_rec *r The request. -+ * const char *url The URL -+ * int timeout Timeout in seconds -+ * -+ * Returns: -+ * OK on success, or an error if any of the steps fail. -+ */ -+static int am_probe_url(request_rec *r, const char *url, int timeout) -+{ -+ void *dontcare; -+ apr_size_t len; -+ long status; -+ int error; -+ -+ status = 0; -+ if ((error = am_httpclient_get(r, url, &dontcare, &len, -+ timeout, &status)) != OK) -+ return error; -+ -+ if (status != HTTP_OK) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "Probe on \"%s\" returned HTTP %ld", -+ url, status); -+ return status; -+ } -+ -+ return OK; -+} -+ - /* This function handles requests to the probe discovery handler - * - * Parameters: - * request_rec *r The request. -@@ -2583,11 +2615,10 @@ - */ - static int am_handle_probe_discovery(request_rec *r) { - am_dir_cfg_rec *cfg = am_get_dir_cfg(r); - LassoServer *server; -- const char *idp = NULL; -+ const char *disco_idp = NULL; - int timeout; -- GHashTableIter iter; - char *return_to; - char *idp_param; - char *redirect_url; - int ret; -@@ -2644,82 +2675,77 @@ - - /* - * Proceed with built-in IdP discovery. - * -- * Send probes for all configured IdP to check availability. -- * The first to answer is chosen, but the list of usable -- * IdP can be restricted in configuration. -+ * First try sending probes to IdP configured for discovery. -+ * Second send probes for all configured IdP -+ * The first to answer is chosen. -+ * If none answer, use the first configured IdP - */ -- g_hash_table_iter_init(&iter, server->providers); -- while (g_hash_table_iter_next(&iter, (void**)&idp, NULL)) { -- void *dontcare; -- const char *ping_url; -- apr_size_t len; -- long status; -- -- ping_url = idp; -- -- /* -- * If a list of IdP was given for probe discovery, -- * skip any IdP that does not match. -- */ -- if (apr_hash_count(cfg->probe_discovery_idp) != 0) { -- char *value = apr_hash_get(cfg->probe_discovery_idp, -- idp, APR_HASH_KEY_STRING); -- -- if (value == NULL) { -- /* idp not in list, try the next one */ -- continue; -- } else { -- /* idp in list, use the value as the ping url */ -- ping_url = value; -+ if (!apr_is_empty_table(cfg->probe_discovery_idp)) { -+ const apr_array_header_t *header; -+ apr_table_entry_t *elts; -+ const char *url; -+ const char *idp; -+ int i; -+ -+ header = apr_table_elts(cfg->probe_discovery_idp); -+ elts = (apr_table_entry_t *)header->elts; -+ -+ for (i = 0; i < header->nelts; i++) { -+ idp = elts[i].key; -+ url = elts[i].val; -+ -+ if (am_probe_url(r, url, timeout) == OK) { -+ disco_idp = idp; -+ break; - } - } -- -- status = 0; -- if (am_httpclient_get(r, ping_url, &dontcare, &len, -- timeout, &status) != OK) -- continue; -- -- if (status != HTTP_OK) { -- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -- "Cannot probe %s: \"%s\" returned HTTP %ld", -- idp, ping_url, status); -- continue; -+ } else { -+ GList *iter; -+ GList *idp_list; -+ const char *idp; -+ -+ idp_list = g_hash_table_get_keys(server->providers); -+ for (iter = idp_list; iter != NULL; iter = iter->next) { -+ idp = iter->data; -+ -+ if (am_probe_url(r, idp, timeout) == OK) { -+ disco_idp = idp; -+ break; -+ } - } -- -- /* We got some succes */ -- ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, -- "probeDiscovery using %s", idp); -- break; -+ g_list_free(idp_list); - } - - /* - * On failure, try default - */ -- if (idp == NULL) { -- idp = am_first_idp(r); -- if (idp == NULL) { -+ if (disco_idp == NULL) { -+ disco_idp = am_first_idp(r); -+ if (disco_idp == NULL) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "probeDiscovery found no usable IdP."); - return HTTP_INTERNAL_SERVER_ERROR; - } else { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "probeDiscovery " -- "failed, trying default IdP %s", idp); -+ "failed, trying default IdP %s", disco_idp); - } -+ } else { -+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, -+ "probeDiscovery using %s", disco_idp); - } - - redirect_url = apr_psprintf(r->pool, "%s%s%s=%s", return_to, - strchr(return_to, '?') ? "&" : "?", - am_urlencode(r->pool, idp_param), -- am_urlencode(r->pool, idp)); -+ am_urlencode(r->pool, disco_idp)); - - apr_table_setn(r->headers_out, "Location", redirect_url); - - return HTTP_SEE_OTHER; - } - -- - /* This function takes a request for an endpoint and passes it on to the - * correct handler function. - * - * Parameters: diff --git a/www/ap2-auth-mellon/patches/patch-aj b/www/ap2-auth-mellon/patches/patch-aj new file mode 100644 index 00000000000..5adaad4d9bc --- /dev/null +++ b/www/ap2-auth-mellon/patches/patch-aj @@ -0,0 +1,105 @@ +$NetBSD: patch-aj,v 1.1 2013/04/15 15:35:02 manu Exp $ + +MellonSPentityId option to control entityID in autogenerated metadata +(patch from upstream) + +Index: auth_mellon_config.c +=================================================================== +--- auth_mellon_config.c (revision 204) ++++ auth_mellon_config.c (working copy) +@@ -1064,6 +1064,13 @@ + OR_AUTHCFG, + "List of IdP entityId to ignore." + ), ++ AP_INIT_TAKE1( ++ "MellonSPentityId", ++ ap_set_string_slot, ++ (void *)APR_OFFSETOF(am_dir_cfg_rec, sp_entity_id), ++ OR_AUTHCFG, ++ "SP entity Id to be used for metadata auto generation." ++ ), + AP_INIT_TAKE12( + "MellonOrganizationName", + am_set_langstring_slot, +@@ -1231,6 +1238,7 @@ + dir->probe_discovery_timeout = -1; /* -1 means no probe discovery */ + dir->probe_discovery_idp = apr_table_make(p, 0); + ++ dir->sp_entity_id = NULL; + dir->sp_org_name = apr_hash_make(p); + dir->sp_org_display_name = apr_hash_make(p); + dir->sp_org_url = apr_hash_make(p); +@@ -1400,6 +1408,10 @@ + add_cfg->idp_ignore : + base_cfg->idp_ignore; + ++ new_cfg->sp_entity_id = (add_cfg->sp_entity_id ? ++ add_cfg->sp_entity_id : ++ base_cfg->sp_entity_id); ++ + new_cfg->sp_org_name = apr_hash_copy(p, + (apr_hash_count(add_cfg->sp_org_name) > 0) ? + add_cfg->sp_org_name : +Index: auth_mellon_handler.c +=================================================================== +--- auth_mellon_handler.c (revision 204) ++++ auth_mellon_handler.c (working copy) +@@ -117,7 +117,10 @@ + am_dir_cfg_rec *cfg = am_get_dir_cfg(r); + char *url = am_get_endpoint_url(r); + char *cert = ""; ++ const char *sp_entity_id; + ++ sp_entity_id = cfg->sp_entity_id ? cfg->sp_entity_id : url; ++ + if (cfg->sp_cert_file) { + char *sp_cert_file; + char *cp; +@@ -171,7 +174,7 @@ + return apr_psprintf(p, + "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n\ + <EntityDescriptor\n\ +- entityID=\"%smetadata\"\n\ ++ entityID=\"%s%s\"\n\ + xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n\ + <SPSSODescriptor\n\ + AuthnRequestsSigned=\"true\"\n\ +@@ -197,7 +200,8 @@ + </SPSSODescriptor>\n\ + %s\n\ + </EntityDescriptor>", +- url, cert, url, url, url, url, am_optional_metadata(p, r)); ++ sp_entity_id, cfg->sp_entity_id ? "" : "metadata", ++ cert, url, url, url, url, am_optional_metadata(p, r)); + } + #endif /* HAVE_lasso_server_new_from_buffers */ + +Index: auth_mellon.h +=================================================================== +--- auth_mellon.h (revision 204) ++++ auth_mellon.h (working copy) +@@ -195,6 +195,7 @@ + GList *idp_ignore; + + /* metadata autogeneration helper */ ++ char *sp_entity_id; + apr_hash_t *sp_org_name; + apr_hash_t *sp_org_display_name; + apr_hash_t *sp_org_url; +Index: README +=================================================================== +--- README (revision 204) ++++ README (working copy) +@@ -332,7 +332,11 @@ + # Default: None set. + MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml + +- # If you choose to autogenerate metadata, these option ++ # If you choose to autogenerate metadata, this option ++ # can be used to control the SP entityId ++ # MellonSPentityId "https://www.example.net/foo" ++ # ++ # If you choose to autogenerate metadata, these options + # can be used to fill the <Organization> element. They + # all follow the syntax "option [lang] value": + # MellonOrganizationName "random-service" |