commit e18d61c7731a243b22d122e652a3461500154cc14ae38cb5327b389de1537e23 Author: Adrian Schröter Date: Wed Dec 18 16:25:48 2024 +0100 Sync from SUSE:SLFO:Main apache2-mod_auth_mellon revision 7af0b07d5bd10a3fafa89cd06826e0b9
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/README.diagnostics b/README.diagnostics
new file mode 100644
index 0000000..0083fb9
--- /dev/null
+++ b/README.diagnostics
@@ -0,0 +1,63 @@
+mod_auth_mellon Diagnostic Information
+======================================
+
+This file contains information about diagnostic logging that helps
+to identify the source of the problems with your mod_auth_mellon
+deployment.
+
+
+Mellon Diagnostics
+------------------
+"Mellon Diagnostic" is a feature, that extends the classic DEBUG
+messages to the Apache error log (which is often incomplete and mixed
+with other irrelevant messages). It gathers all relevant information
+in a human-readable format in a single file without other irrelevant
+Apache messages, and without the need for any post-processing of the
+log data. For more details please see "Mellon Diagnostics" section
+in the documentation.
+
+
+Install and load the diagnostic module
+--------------------------------------
+Diagnostic logging must be compiled into mod_auth_module at build
+time, but it adds an overhead to the execution. Therefore SUSE
+provides two separate RPM packages - one without diagnostics and the
+second with diagnostics enabled:
+
+ - apache2-mod_auth_mellon
+ * apache module with diagnostic feature DISABLED ('mod_auth_mellon.so')
+ * production usage
+
+ - apache2-mod_auth_mellon-diagnostics
+ * apache module with diagnostics ENABLED ('mod_auth_mellon-diagnostics.so')
+ * debugging purposes only
+
+!!! IMPORTANT !!!
+Diagnostic logging may potentially contain security-sensitive
+information. Therefore you should enable diagnostic logging only
+for the minimum duration necessary.
+
+Both modules can be installed simultaneously but Apache will only
+load one of the two modules.
You need to add a 'LoadModule' directive
+for either 'mod_auth_mellon.so' or 'mod_auth_mellon-diagnostics.so' into
+your configuration file:
+
+ # Load normal mod_auth_mellon module
+ LoadModule auth_mellon_module /usr/lib64/apache2/mod_auth_mellon.so
+
+or
+
+ # Load diagnostic version of mod_auth_mellon module
+ LoadModule auth_mellon_module /usr/lib64/apache2/mod_auth_mellon-diagnostics.so
+
+Don't forget to change it back when you are done debugging!
+
+
+Enable diagnostic logging
+-------------------------
+When you have 'mod_auth_mellon-diagnostics.so' module loaded, enable diagnostic
+logging by adding the following line to your configuration file and restart
+Apache.
+
+ MellonDiagnosticsEnable On
+
diff --git a/apache2-mod_auth_mellon.changes b/apache2-mod_auth_mellon.changes
new file mode 100644
index 0000000..3ae93fb
--- /dev/null
+++ b/apache2-mod_auth_mellon.changes
@@ -0,0 +1,79 @@
+-------------------------------------------------------------------
+Mon Mar 25 14:01:29 UTC 2024 - pgajdos@suse.com
+
+- version update to 0.19.0
+ Enhancements:
+ * Support for HTTP-POST binding on Singe Logout endpoint.
+ * Update documentation.
+ Cleanup:
+ * Raise minimum Lasso version to 2.4, cleaning up legacy code for
+ compatibility with older versions, including the obsolete
+ `MellonIdPPublicKeyFile` setting which was not working with recent
+ Lasso versions.
+
+-------------------------------------------------------------------
+Mon Jul 31 21:02:37 UTC 2023 - Matthias Eliasson
+
+- Update to 0.18.1
+ * Logout endpoint should handle idP POST response
+ * mellon_create_metadata.sh: Fix compatibility with OpenSSL 3
+ * Add some clarification to the documentation
+ * Add encryption certificate to generated metadata
+- Changes in 0.18.0
+ * CVE-2021-3639 Redirect URL validation bypass - Version 0.17.0 and
+ older of mod_auth_mellon allows the redirect URL validation to be
+ bypassed by specifying an URL formatted as ///fishing-site.example.com/logout.html.
+ In this case, the browser would interpret the URL differently
+ than the APR parsing utility mellon uses and redirect to
+ fishing-site.example.com. This could be reproduced with:
+ https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+ This version fixes that issue by rejecting all URLs that start with "///".
+ * A new option MellonSessionIdleTimeout that represents the amount of
+ time a user can be inactive before the user's session times out in seconds.
+ * Several build-time fixes
+ * The CookieTest SameSite attribute was only set to None if mellon configure option
+ MellonCookieSameSite was set to something other than default. This is now fixed.
+- add libtool and xmlsec1-openssl-devel as new dependencies
+- set Buildarch to noarch for docs sub-package
+
+-------------------------------------------------------------------
+Thu May 5 17:38:16 UTC 2022 - Archie Cobbs
+
+- Wrap default config in to avoid reload error
+
+-------------------------------------------------------------------
+Thu Sep 10 14:19:03 UTC 2020 - Kristyna Streitova
+
+- Update to 0.17.0
+ * New option MellonSendExpectHeader (default On) which allows to
+ disable sending the Expect header in the HTTP-Artifact binding to
+ improve performance when the remote party does not support this
+ header.
+ * Set SameSite attribute to None on on the cookietest cookie.
+ * Bump default generated keysize to 3072 bits in
+ mellon_create_metadata
+ * Validate if the assertion ID has not been used earlier before
+ creating a new session.
+ * Release session cache after calling invalidate endpoint.
+ * In MellonCond directives, fix a bug that setting the NC option
+ would also activate substring match and that REG would activate
+ REF.
+ * Fix MellonCond substring match to actually match the substring on
+ the attribute value
+
+-------------------------------------------------------------------
+Thu Jun 4 11:00:04 UTC 2020 - Kristyna Streitova
+
+- update mod_auth_mellon-0.16.0-env-script-interpreter.patch
+ use /bin/bash instead of /usr/bin/bash
+
+-------------------------------------------------------------------
+Mon May 11 15:44:36 UTC 2020 - Kristyna Streitova
+
+- replace version_path with the fixed value
+
+-------------------------------------------------------------------
+Tue Apr 28 12:06:51 UTC 2020 - Kristyna Streitova
+
+- initial packaging
+
diff --git a/apache2-mod_auth_mellon.conf b/apache2-mod_auth_mellon.conf
new file mode 100644
index 0000000..732c477
--- /dev/null
+++ b/apache2-mod_auth_mellon.conf
@@ -0,0 +1,2 @@
+# mod_auth_mellon lock file is created in this directory
+d /run/mod_auth_mellon 0755 wwwrun www
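Review bot: The tmpfiles entry creates the lock directory world-readable (0755) and owned by the web server user, and the comment does not say that this path is coupled to `MellonLockFile "/run/mod_auth_mellon/lock"` in the shipped mod_auth_mellon.conf, so the two can silently drift apart on a later edit; I would extend the comment to `# mod_auth_mellon lock file is created in this directory (MellonLockFile in conf.d/mod_auth_mellon.conf must point here)`. Ownership by wwwrun is presumably what lets the unprivileged worker processes create the lock file, which is fine; 0750 would likely suffice since only that user needs to enter the directory, but confirm nothing else reads the lock before tightening it.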
diff --git a/apache2-mod_auth_mellon.spec b/apache2-mod_auth_mellon.spec
new file mode 100644
index 0000000..c448a82
--- /dev/null
+++ b/apache2-mod_auth_mellon.spec
@@ -0,0 +1,131 @@
+#
+# spec file for package apache2-mod_auth_mellon
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define upstream_name mod_auth_mellon
+Name: apache2-mod_auth_mellon
+Version: 0.19.0
+Release: 0
+Summary: A SAML 2.0 authentication module for the Apache Server
+License: GPL-2.0-or-later
+Group: Productivity/Networking/Web/Servers
+URL: https://github.com/latchset/%{upstream_name}
+Source0: https://github.com/latchset/%{upstream_name}/releases/download/v%{version}/%{upstream_name}-%{version}.tar.gz
+Source1: %{upstream_name}.conf
+Source2: %{name}.conf
+Source3: README.diagnostics
+Patch0: mod_auth_mellon-0.16.0-env-script-interpreter.patch
+BuildRequires: apache-rpm-macros
+BuildRequires: apache2-devel
+BuildRequires: curl-devel
+BuildRequires: gcc
+BuildRequires: glib2-devel
+BuildRequires: libtool
+BuildRequires: openssl-devel
+BuildRequires: pkgconfig
+BuildRequires: xmlsec1-devel
+BuildRequires: xmlsec1-openssl-devel
+BuildRequires: pkgconfig(lasso) >= 2.5.1
+BuildRequires: rubygem(asciidoctor)
+Requires: %{apache_mmn}
+Requires: %{apache_suse_maintenance_mmn}
+Requires: liblasso3 >= 2.5.1
+
+%description
+The mod_auth_mellon module is an authentication service that implements the
+SAML 2.0 federation protocol. It grants access based on the attributes
+received in assertions generated by a IdP server.
+
+%package doc
+Summary: Documentation for mod_auth_mellon module
+Group: Productivity/Networking/Web/Servers
+Requires: %{name} = %{version}
+BuildArch: noarch
+
+%description doc
+This package contains a documentation for mod_auth_mellon module.
+
+%package diagnostics
+Summary: Build of mod_auth_mellon with diagnostic logging
+Group: Productivity/Networking/Web/Servers
+Requires: %{name} = %{version}-%{release}
+
+%description diagnostics
+Build of mod_auth_mellon with diagnostic logging. See README.diagnostics
+in the doc directory for instructions on using the diagnostics build.
+
+%prep
+%autosetup -n %{upstream_name}-%{version}
+
+%build
+export APXS=%{_httpd_apxs}
+%configure --enable-diagnostics
+%make_build clean
+%make_build
+cp .libs/%{upstream_name}.so %{upstream_name}-diagnostics.so
+
+%configure
+%make_build clean
+%make_build
+pushd doc/user_guide
+asciidoctor -a data-uri mellon_user_guide.adoc
+popd
+
+%install
+# install module
+mkdir -p %{buildroot}/%{apache_libexecdir}
+install -m 755 .libs/%{upstream_name}.so %{buildroot}%{apache_libexecdir}
+install -m 755 %{upstream_name}-diagnostics.so %{buildroot}%{apache_libexecdir}
+
+# install module configuration
+mkdir -p %{buildroot}%{_sysconfdir}/apache2/conf.d
+install -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apache2/conf.d
+
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+
+# install script to generate metadata
+mkdir -p %{buildroot}/%{_libexecdir}/%{name}
+install -m 755 mellon_create_metadata.sh %{buildroot}/%{_libexecdir}/%{name}
+
+# install user guide
+mkdir -p %{buildroot}/%{_docdir}
+cp -r doc/user_guide %{buildroot}/%{_docdir}
+
+# install diagnostics README
+install -m 0644 %{SOURCE3} %{buildroot}/%{_docdir}
+
+%post
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
+
+%files diagnostics
+%{apache_libexecdir}/%{upstream_name}-diagnostics.so
+
+%files
+%license COPYING
+%doc README.md NEWS ECP.rst
+%config(noreplace) 
%{_sysconfdir}/apache2/conf.d/%{upstream_name}.conf
+%{apache_libexecdir}/%{upstream_name}.so
+%{_tmpfilesdir}/%{name}.conf
+%{_libexecdir}/%{name}
+%ghost /run/mod_auth_mellon
+
+%files doc
+%doc %{_docdir}/README.diagnostics
+%doc %{_docdir}/user_guide
+
+%changelog
diff --git a/mod_auth_mellon-0.16.0-env-script-interpreter.patch b/mod_auth_mellon-0.16.0-env-script-interpreter.patch
new file mode 100644
index 0000000..4c8eee6
--- /dev/null
+++ b/mod_auth_mellon-0.16.0-env-script-interpreter.patch
@@ -0,0 +1,10 @@
+Index: mod_auth_mellon-0.16.0/mellon_create_metadata.sh
+===================================================================
+--- mod_auth_mellon-0.16.0.orig/mellon_create_metadata.sh
++++ mod_auth_mellon-0.16.0/mellon_create_metadata.sh
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!/bin/bash
+ set -e
+
+ PROG="$(basename "$0")"
diff --git a/mod_auth_mellon-0.19.0.tar.gz b/mod_auth_mellon-0.19.0.tar.gz
new file mode 100644
index 0000000..bc10079
--- /dev/null
+++ b/mod_auth_mellon-0.19.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:998f9ad77466c9b302da7f20d5562d2db649bcec438bbf9149841d5634554afb
+size 957287
diff --git a/mod_auth_mellon.conf b/mod_auth_mellon.conf
new file mode 100644
index 0000000..db01650
--- /dev/null
+++ b/mod_auth_mellon.conf
@@ -0,0 +1,4 @@
+
+ MellonCacheSize 100
+ MellonLockFile "/run/mod_auth_mellon/lock"
+
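Review bot: `%ghost /run/mod_auth_mellon` in the main `%files` list refers to the directory that the tmpfiles entry creates (`d /run/mod_auth_mellon 0755 wwwrun www`), but it is listed without `%dir` or `%attr`, so rpm will most likely record the ghost as a regular file with default ownership rather than a 0755 directory owned by wwwrun, and `rpm -V` will disagree with what tmpfiles actually creates; `%ghost %dir %attr(0755,wwwrun,www) /run/mod_auth_mellon` keeps the package metadata consistent with the tmpfiles line. Separately, `%tmpfiles_create` in `%post` and `%{_tmpfilesdir}` in `%install` are provided by systemd-rpm-macros, which does not appear in BuildRequires; unless apache-rpm-macros pulls it in transitively, add `BuildRequires: systemd-rpm-macros` so the scriptlet does not ship with an unexpanded macro. The doc subpackage's `Requires: %{name} = %{version}` also differs from the diagnostics subpackage's `%{name} = %{version}-%{release}`; the latter is the stricter form and the two should match.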
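Review bot: The patch carries no header explaining why the shebang of mellon_create_metadata.sh is changed from `#!/usr/bin/env bash` to `#!/bin/bash`, so the only rationale is the one-line .changes entry and the file name, which suggests an rpmlint env-script-interpreter finding; a later version bump that has to refresh this patch will have to rediscover that. Add a few lines above the `Index:` line stating the reason (a fixed interpreter path so the installed helper does not depend on PATH lookup) and whether the change was offered upstream or is SUSE-only.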