Sync from SUSE:SLFO:Main apache2-mod_auth_mellon revision 7af0b07d5bd10a3fafa89cd06826e0b9

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

README.diagnostics

@@ -0,0 +1,63 @@
+mod_auth_mellon Diagnostic Information
+======================================
+
+This file contains information about diagnostic logging that helps
+to identify the source of the problems with your mod_auth_mellon
+deployment.
+
+
+Mellon Diagnostics
+------------------
+"Mellon Diagnostic" is a feature, that extends the classic DEBUG
+messages to the Apache error log (which is often incomplete and mixed
+with other irrelevant messages). It gathers all relevant information
+in a human-readable format in a single file without other irrelevant
+Apache messages, and without the need for any post-processing of the
+log data. For more details please see "Mellon Diagnostics" section
+in the documentation.
+
+
+Install and load the diagnostic module
+--------------------------------------
+Diagnostic logging must be compiled into mod_auth_module at build
+time, but it adds an overhead to the execution. Therefore SUSE
+provides two separate RPM packages - one without diagnostics and the
+second with diagnostics enabled:
+
+  - apache2-mod_auth_mellon
+    * apache module with diagnostic feature DISABLED ('mod_auth_mellon.so')
+    * production usage
+
+  - apache2-mod_auth_mellon-diagnostics
+    * apache module with diagnostics ENABLED ('mod_auth_mellon-diagnostics.so')
+    * debugging purposes only
+
+!!! IMPORTANT !!!
+Diagnostic logging may potentially contain security-sensitive
+information. Therefore you should enable diagnostic logging only
+for the minimum duration necessary.
+
+Both modules can be installed simultaneously but Apache will only
+load one of the two modules. You need to add a 'LoadModule' directive
+for either 'mod_auth_mellon.so' or 'mod_auth_mellon-diagnostics.so' into
+your configuration file:
+
+    # Load normal mod_auth_mellon module
+    LoadModule auth_mellon_module /usr/lib64/apache2/mod_auth_mellon.so
+
+or
+
+    # Load diagnostic version of mod_auth_mellon module
+    LoadModule auth_mellon_module /usr/lib64/apache2/mod_auth_mellon-diagnostics.so
+
+Don't forget to change it back when you are done debugging!
+
+
+Enable diagnostic logging
+-------------------------
+When you have 'mod_auth_mellon-diagnostics.so' module loaded, enable diagnostic
+logging by adding the following line to your configuration file and restart
+Apache.
+
+    MellonDiagnosticsEnable On
+

apache2-mod_auth_mellon.changes

@@ -0,0 +1,79 @@
+-------------------------------------------------------------------
+Mon Mar 25 14:01:29 UTC 2024 - pgajdos@suse.com
+
+- version update to 0.19.0
+  Enhancements:
+  * Support for HTTP-POST binding on Singe Logout endpoint.
+  * Update documentation.
+  Cleanup:
+  * Raise minimum Lasso version to 2.4, cleaning up legacy code for
+    compatibility with older versions, including the obsolete
+    `MellonIdPPublicKeyFile` setting which was not working with recent
+    Lasso versions.
+
+-------------------------------------------------------------------
+Mon Jul 31 21:02:37 UTC 2023 - Matthias Eliasson <elimat@opensuse.org>
+
+- Update to 0.18.1
+  * Logout endpoint should handle idP POST response
+  * mellon_create_metadata.sh: Fix compatibility with OpenSSL 3
+  * Add some clarification to the documentation
+  * Add encryption certificate to generated metadata
+- Changes in 0.18.0
+  * CVE-2021-3639 Redirect URL validation bypass - Version 0.17.0 and
+    older of mod_auth_mellon allows the redirect URL validation to be
+    bypassed by specifying an URL formatted as ///fishing-site.example.com/logout.html.
+    In this case, the browser would interpret the URL differently
+    than the APR parsing utility mellon uses and redirect to
+    fishing-site.example.com. This could be reproduced with:
+    https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+    This version fixes that issue by rejecting all URLs that start with "///".
+  * A new option MellonSessionIdleTimeout that represents the amount of
+    time a user can be inactive before the user's session times out in seconds.
+  * Several build-time fixes
+  * The CookieTest SameSite attribute was only set to None if mellon configure option
+    MellonCookieSameSite was set to something other than default. This is now fixed.
+- add libtool and xmlsec1-openssl-devel as new dependencies
+- set Buildarch to noarch for docs sub-package
+
+-------------------------------------------------------------------
+Thu May  5 17:38:16 UTC 2022 - Archie Cobbs <archie.cobbs@gmail.com>
+
+- Wrap default config in <IfModule> to avoid reload error
+
+-------------------------------------------------------------------
+Thu Sep 10 14:19:03 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
+
+- Update to 0.17.0
+  * New option MellonSendExpectHeader (default On) which allows to
+    disable sending the Expect header in the HTTP-Artifact binding to
+    improve performance when the remote party does not support this
+    header.
+  * Set SameSite attribute to None on on the cookietest cookie.
+  * Bump default generated keysize to 3072 bits in
+    mellon_create_metadata
+  * Validate if the assertion ID has not been used earlier before
+    creating a new session.
+  * Release session cache after calling invalidate endpoint.
+  * In MellonCond directives, fix a bug that setting the NC option
+    would also activate substring match and that REG would activate
+    REF.
+  * Fix MellonCond substring match to actually match the substring on
+    the attribute value
+
+-------------------------------------------------------------------
+Thu Jun  4 11:00:04 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
+
+- update mod_auth_mellon-0.16.0-env-script-interpreter.patch
+  use /bin/bash instead of /usr/bin/bash
+
+-------------------------------------------------------------------
+Mon May 11 15:44:36 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
+
+- replace version_path with the fixed value
+
+-------------------------------------------------------------------
+Tue Apr 28 12:06:51 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
+
+- initial packaging
+

apache2-mod_auth_mellon.conf

@@ -0,0 +1,2 @@
+# mod_auth_mellon lock file is created in this directory
+d /run/mod_auth_mellon 0755 wwwrun www 

apache2-mod_auth_mellon.spec

@@ -0,0 +1,131 @@
+#
+# spec file for package apache2-mod_auth_mellon
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define upstream_name mod_auth_mellon
+Name:           apache2-mod_auth_mellon
+Version:        0.19.0
+Release:        0
+Summary:        A SAML 2.0 authentication module for the Apache Server
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/Web/Servers
+URL:            https://github.com/latchset/%{upstream_name}
+Source0:        https://github.com/latchset/%{upstream_name}/releases/download/v%{version}/%{upstream_name}-%{version}.tar.gz
+Source1:        %{upstream_name}.conf
+Source2:        %{name}.conf
+Source3:        README.diagnostics
+Patch0:         mod_auth_mellon-0.16.0-env-script-interpreter.patch
+BuildRequires:  apache-rpm-macros
+BuildRequires:  apache2-devel
+BuildRequires:  curl-devel
+BuildRequires:  gcc
+BuildRequires:  glib2-devel
+BuildRequires:  libtool
+BuildRequires:  openssl-devel
+BuildRequires:  pkgconfig
+BuildRequires:  xmlsec1-devel
+BuildRequires:  xmlsec1-openssl-devel
+BuildRequires:  pkgconfig(lasso) >= 2.5.1
+BuildRequires:  rubygem(asciidoctor)
+Requires:       %{apache_mmn}
+Requires:       %{apache_suse_maintenance_mmn}
+Requires:       liblasso3 >= 2.5.1
+
+%description
+The mod_auth_mellon module is an authentication service that implements the
+SAML 2.0 federation protocol. It grants access based on the attributes
+received in assertions generated by a IdP server.
+
+%package doc
+Summary:        Documentation for mod_auth_mellon module
+Group:          Productivity/Networking/Web/Servers
+Requires:       %{name} = %{version}
+BuildArch:      noarch
+
+%description doc
+This package contains a documentation for mod_auth_mellon module.
+
+%package diagnostics
+Summary:        Build of mod_auth_mellon with diagnostic logging
+Group:          Productivity/Networking/Web/Servers
+Requires:       %{name} = %{version}-%{release}
+
+%description diagnostics
+Build of mod_auth_mellon with diagnostic logging. See README.diagnostics
+in the doc directory for instructions on using the diagnostics build.
+
+%prep
+%autosetup -n %{upstream_name}-%{version}
+
+%build
+export APXS=%{_httpd_apxs}
+%configure --enable-diagnostics
+%make_build clean
+%make_build
+cp .libs/%{upstream_name}.so %{upstream_name}-diagnostics.so
+
+%configure
+%make_build clean
+%make_build
+pushd doc/user_guide
+asciidoctor -a data-uri mellon_user_guide.adoc
+popd
+
+%install
+# install module
+mkdir -p %{buildroot}/%{apache_libexecdir}
+install -m 755 .libs/%{upstream_name}.so %{buildroot}%{apache_libexecdir}
+install -m 755 %{upstream_name}-diagnostics.so %{buildroot}%{apache_libexecdir}
+
+# install module configuration
+mkdir -p %{buildroot}%{_sysconfdir}/apache2/conf.d
+install -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/apache2/conf.d
+
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+
+# install script to generate metadata
+mkdir -p %{buildroot}/%{_libexecdir}/%{name}
+install -m 755 mellon_create_metadata.sh %{buildroot}/%{_libexecdir}/%{name}
+
+# install user guide
+mkdir -p %{buildroot}/%{_docdir}
+cp -r doc/user_guide %{buildroot}/%{_docdir}
+
+# install diagnostics README
+install -m 0644  %{SOURCE3} %{buildroot}/%{_docdir}
+
+%post
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
+
+%files diagnostics
+%{apache_libexecdir}/%{upstream_name}-diagnostics.so
+
+%files
+%license COPYING
+%doc README.md NEWS ECP.rst
+%config(noreplace) %{_sysconfdir}/apache2/conf.d/%{upstream_name}.conf
+%{apache_libexecdir}/%{upstream_name}.so
+%{_tmpfilesdir}/%{name}.conf
+%{_libexecdir}/%{name}
+%ghost /run/mod_auth_mellon
+
+%files doc
+%doc %{_docdir}/README.diagnostics
+%doc %{_docdir}/user_guide
+
+%changelog

mod_auth_mellon-0.16.0-env-script-interpreter.patch

@@ -0,0 +1,10 @@
+Index: mod_auth_mellon-0.16.0/mellon_create_metadata.sh
+===================================================================
+--- mod_auth_mellon-0.16.0.orig/mellon_create_metadata.sh
++++ mod_auth_mellon-0.16.0/mellon_create_metadata.sh
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env bash
++#!/bin/bash
+ set -e
+ 
+ PROG="$(basename "$0")"

mod_auth_mellon.conf

@@ -0,0 +1,4 @@
+<IfModule mod_auth_mellon.c>
+    MellonCacheSize 100
+    MellonLockFile "/run/mod_auth_mellon/lock"
+</IfModule>