commit 1784355fd5cac16b7ecddaf49b4529924752f9dd749f02f6d4d1b35f52220a85 Author: Adrian Schröter Date: Mon Jan 13 12:19:50 2025 +0100 Sync from SUSE:SLFO:Main shibboleth-sp revision 5a8c9d541c4a7b0615a7d3aa7d4c7fd8
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/shibboleth-sp-2.5.5-doxygen_timestamp.patch b/shibboleth-sp-2.5.5-doxygen_timestamp.patch
new file mode 100644
index 0000000..dea0e01
--- /dev/null
+++ b/shibboleth-sp-2.5.5-doxygen_timestamp.patch
@@ -0,0 +1,12 @@
+Index: shibboleth-sp-2.5.5/doxygen.cfg
+===================================================================
+--- shibboleth-sp-2.5.5.orig/doxygen.cfg
++++ shibboleth-sp-2.5.5/doxygen.cfg
+@@ -140,6 +140,7 @@ HTML_OUTPUT = html
+ HTML_FILE_EXTENSION = .html
+ HTML_HEADER =
+ HTML_FOOTER =
++HTML_TIMESTAMP = NO
+ HTML_STYLESHEET =
+ HTML_ALIGN_MEMBERS = YES
+ GENERATE_HTMLHELP = $(GENERATE_CHM)
diff --git a/shibboleth-sp-3.5.0.tar.bz2 b/shibboleth-sp-3.5.0.tar.bz2
new file mode 100644
index 0000000..942b70d
--- /dev/null
+++ b/shibboleth-sp-3.5.0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f301604bd17ee4d94a66e6dd7ad1c3f0917949a4a12176d55614483d78fefe58
+size 834909
diff --git a/shibboleth-sp-3.5.0.tar.bz2.asc b/shibboleth-sp-3.5.0.tar.bz2.asc
new file mode 100644
index 0000000..5f34980
--- /dev/null
+++ b/shibboleth-sp-3.5.0.tar.bz2.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmcPtzUACgkQN4uEVAIn
+eWKBUBAAwL+ce9b9RoxH51KicisZo3rwJu/UUU55jbRa96Cqoev37I9ibRXaElRG
+5ALoFwzcLGLnHUVH6XooPYTTK70UsmUUZUhV0BwdIkYeKUZcjp/08Xo3S4EqKGxM
+YHc13iueDRksRIKpma0JaEdzp0QMVdNqb6laLn+v7QoVoBjKS50WGk9eIudw9Sb9
+vMfxTjfez1ObFEOwk1+PeceaBKz8kciK5p3V4++GtEYvPg47va4TgAVOIuFFKSUp
+BuNDtwNs3RbZe2ZuuOU7zOeCBUEeA82qBttjVh0EWLczZkRA39oTkGi+FpTQRBOz
+vgppYmvQ1qDQ0gAQ65M+dLoNUEvPA/yTlbXIHIYrWrEpOMqWR1/eRiM3xi984mdc
+/GswbWb7rQAj7Up06oiX9HDw/3C2jrP+pxdsJVZBtIQsjSpeAnRYziQi0YTRwq4j
+GmedAXyPfbRc4hlXWz0f9jOXl49+ObQmXXNZ5bDzv9TjNe4tYQHiUOiZ1bCcdKQr
++OVB7RMBLKzAQkYOMkbkWrPKxytRYMoGPqdT8joqL8LquE/cxj9OJb9bdRX5Ehe9
+FZ+4YmfQ/hN7771pIa1TWgiP1TsCEfm304coDoHwwohpxgNpibVvNZwJpBtoeIIa
+TnmOETpOcm+71KhCFUaGMSz/ZCuycerdHkyrDY3C6XPm1bRm9Qo=
+=asUQ
+-----END PGP SIGNATURE-----
diff --git a/shibboleth-sp.changes b/shibboleth-sp.changes
new file mode 100644
index 0000000..b65be54
--- /dev/null
+++ b/shibboleth-sp.changes
@@ -0,0 +1,231 @@ +------------------------------------------------------------------- +Wed Nov 6 21:16:56 UTC 2024 - Antonio Teixeira + +- Update to 3.5.0: + * This is a small update to address a few bugs, update a number of libraries, + and implement a correction to the default signing algorithm used when + issuing signed requests via the SAML POST binding. This was inadvertently + still defaulting to RSA-SHA1 and should have been using RSA-SHA256. + There is the unlikely possibility of this causing interoperability issues + with badly out of date Identity Providers, so is another reason for + releasing it as a minor update. + +------------------------------------------------------------------- +Fri Feb 9 10:58:52 UTC 2024 - Daniel Molkentin + +- create correct user name runuser, not realname + +------------------------------------------------------------------- +Mon Feb 5 12:01:14 UTC 2024 - Daniel Molkentin + +- Update to use sysuser pattern +- Fix build warnings + +------------------------------------------------------------------- +Tue Jan 17 08:57:09 UTC 2023 - Dirk Müller + +- update to 3.4.1: + * Reinforcing the xmltooling library (V3.2.3, included in this Windows release) + to block an unnecessary XML Encryption construct, related to the advisory + issued for the IdP recently. The SP is not believed to be vulnerable, but this + is a defensive measure. + * A warning has been added to the log when systems do not configure an explicit + value for the redirectLimit setting. The default for this setting remains + liberal for compatibility, so the warning was requested to highlight that + fact. + +------------------------------------------------------------------- +Thu Nov 17 16:56:40 UTC 2022 - Danilo Spinella + +- Updaet to 3.4.0: + * Add a new setting suggested controlling retries when TCP connections + to shibd are used. 
+- Change libraries soname from 10 to 11 + +------------------------------------------------------------------- +Wed Dec 1 09:32:43 UTC 2021 - Danilo Spinella + +- Update to 3.3.0: + * This is a minor update that contains a small number of fixes, + one small feature addition, and a number of additional deprecation + warnings for at risk features. + +------------------------------------------------------------------- +Wed Nov 17 08:21:48 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Modified: + * shibd.service + +------------------------------------------------------------------- +Tue Jul 13 16:07:01 UTC 2021 - Danilo Spinella + +- Update to 3.2.3: + * This is a minor update that includes some minimal new functionality and addresses some bugs. + * Fix two different security bugs (secadv_20210317 and secadv_20210426) +- Run spec-cleaner +- Change library soname from 9 to 10 +- Change lite library soname from 8 to 10 + +------------------------------------------------------------------- +Tue Dec 1 13:27:30 UTC 2020 - Kristyna Streitova + +- Update to 3.1.0 + * list of fixes and enhancements + https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes +- Update xmltooling and opensaml versions in "Requires" +- Change library soname from 8 to 9 + +------------------------------------------------------------------- +Wed Aug 19 11:27:22 UTC 2020 - Dominique Leuenberger + +- Rely on the distro-provided macros for tmpfilesdir. All half-way + current distros define this already. + +------------------------------------------------------------------- +Wed Jan 8 11:40:04 UTC 2020 - Dominique Leuenberger + +- BuildRequire pkgconfig(libsystemd) instead of systemd-devel: + Allow OBS to shortcut through the -mini flavors. 
+ +------------------------------------------------------------------- +Mon Dec 2 10:36:30 UTC 2019 - Kristyna Streitova + +- remove fixing of the ownership of log files as this allows shibd + to escalate to root [bsc#1157471] [CVE-2019-19191] +- generate two keys on new installs instead of just one + +------------------------------------------------------------------- +Fri Apr 26 10:46:00 UTC 2019 - mvetter@suse.com + +- bsc#1130588: Require shadow instead of old pwdutils + +------------------------------------------------------------------- +Wed Mar 20 13:06:50 UTC 2019 - Kristýna Streitová + +- update to 3.0.4 + * list of fixes and enhancements + https://issues.shibboleth.net/jira/browse/SSPCPP-851?filter=12771 +- update xmltooling and opensaml versions in "Requires" + +------------------------------------------------------------------- +Mon Feb 11 19:02:26 UTC 2019 - Jan Engelhardt + +- Trim redundancies from summary + +------------------------------------------------------------------- +Mon Feb 11 13:42:19 UTC 2019 - kstreitova@suse.com + +- update to 3.0.3 + * list of fixes and enhancements + https://issues.shibboleth.net/jira/browse/SSPCPP-845?filter=12573 + +------------------------------------------------------------------- +Wed Nov 28 13:24:28 UTC 2018 - kstreitova@suse.com + +- update to 3.0.2 + * list of fixes and enhancements + https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes +- remove shibboleth-sp-2.5.6-libsystemd-daemon.patch that is no + longer needed +- update package filelist +- change library soname from 7 to 8 +- update dependencies versions + +------------------------------------------------------------------- +Wed Nov 15 12:50:45 UTC 2017 - kstreitova@suse.com + +- update to 2.6.1 + * list of fixes and enhancements + https://issues.shibboleth.net/jira/browse/SSPCPP-760?filter=12270 + * fixes [bsc#1068689] [CVE-2017-16852] + +------------------------------------------------------------------- +Thu Sep 21 16:34:48 UTC 2017 - 
kstreitova@suse.com + +- update to 2.6.0 + * list of fixes and enhancements + https://issues.shibboleth.net/jira/browse/SSPCPP-716?filter=11475 +- update soname for libshibsp from 6 to 7 +- adjust BuildRequires of boost + * libboost_headers-devel for openSUSE:Factory + * boost-devel for older distros +- update versions of BuildRequires for opensaml (>= 2.6.0) and + libxmltooling (>= 1.6.0) +- shibd.service: increase TimeoutStartSec to 150s (as upstream did) +- remove %{_sysconfdir}/%{realname}/*.xsl from filelist (it is no + longer present) +- run spec-cleaner + +------------------------------------------------------------------- +Thu Mar 16 11:12:11 UTC 2017 - kstreitova@suse.com + +- fix build for openSUSE:Leap:42.1 by adding %define for + tmpfiles_create as this macro doesn't exist there + +------------------------------------------------------------------- +Tue Feb 14 14:57:07 UTC 2017 - kstreitova@suse.com + +- add shibboleth-sp-2.5.6-libsystemd-daemon.patch to fix configure + to use libsystemd instead of obsolete libsystemd-daemon. + Regenerate configure via autoreconf and add autoconf and automake + BuildRequires. + +------------------------------------------------------------------- +Tue Jul 19 18:11:33 UTC 2016 - dimstar@opensuse.org + +- Use %tmpfiles_create macro: gracefully fails in case of missing + binaries (e.g. container setups). 
+ +------------------------------------------------------------------- +Wed May 11 13:34:20 UTC 2016 - kstreitova@suse.com + +- build libmemcached support + +------------------------------------------------------------------- +Fri Apr 8 12:08:41 UTC 2016 - kstreitova@suse.com + +- update to shibboleth-sp 2.5.6 + * Update solution file after loading into VS2015 + * SSPCPP-669 - cached samlds.json files prematurely removed w/ multiple + * applicationIds + * SSPCPP-671 - Handling of partial success in LogoutResponse needs work + * Fix line feeds again, VS is also broken + * SSPCPP-670 - Session Cleanup for Database Session Storage can cause performance issues + * Re-convert linefeeds to undo Eclipse's handiwork + * SSPCPP-675 - configuration sample cites "federation.org" + * Clean up ignores + * Apply typo fixes provided by Debian packagers + * Update library/software version + * Update MSI names to carry patch version + * SSPCPP-665 - Use of systemd breaks on reboot + +------------------------------------------------------------------- +Wed Aug 5 18:09:37 UTC 2015 - mpluskal@suse.com + +- Add gpg signature + +------------------------------------------------------------------- +Thu Jul 30 13:51:20 UTC 2015 - kstreitova@suse.com + +- fix some warnings +- add service as a separate file +- remove command line switches for conditional package builds +- remove *.dist files and unused *.config files +- remove unused conditionals +- move libraries to the subpackages + +------------------------------------------------------------------- +Mon Jul 27 16:30:58 UTC 2015 - kstreitova@suse.com + +- use spec-cleaner +- package cleaning +- add shibboleth-sp-2.5.5-doxygen_timestamp.patch to remove + timestamps in a documentation generated by Doxygen and avoid + RPMLINT warnings (file-contains-date-and-time). 
+- add the macro %{realname} and change a name to "shibboleth-sp" +- fix Source address + +------------------------------------------------------------------- +Fri Jul 24 14:44:04 UTC 2015 - kstreitova@suse.com + +- initial revision diff --git a/shibboleth-sp.keyring b/shibboleth-sp.keyring new file mode 100644 index 0000000..731484b --- /dev/null +++ b/shibboleth-sp.keyring 
@@ -0,0 +1,100 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBE56gwwBEADI6Y7tBIdYr8t0zfHU2hRbD7GfuanIkn4Fhf/CZ7ICN+SfA/XP +JAx3HDRkM/nc65U2mKG7vG3zlNOcKgeFoCwqhlLc4sSGP6DDoPYKtZOLEHwA/sIy +Lldw3re5KbCFIElnbBW/0av15IGHXgyylmG24jhlY/ufjLd53Qm4agxv51kdYdgH +cI0djzLqvMWTabWhw8QtmitPZSKdqOwTqkIt6bYAdOvc9r5bvAzemw6IO01L9aX7 +/yFIVJAYySL/UpbEtLcl3B/qXUXwhiq2bAUtvdmV+35FSMrAgfD25bYv+dVoJdtX +Gb4tQcPteSRDIQYswT+bilEtGOOu9vqLvko3hSHOK2Yqc8SufDakrOlCWO1R00Sw +QHGSkPKgA5O3RpOz3qbuPN6sDt/7FgqyzB6VqF9445bTqWDfIihXEAFr97gf28Xg +ngAn2Tp8ZZ6zTzYWv3/GGvCedCcrHrIG/nKf0Z0/1q9Uf8P7crv2udGuZjs3bMtY +RQNKzki/wKRuGnZ7HjgOEDIe8E+QMs+568i5vYqdaNrmCxUodRFjwkZ/0aRuHzxo +JNQaB/r2Ckj5X/yEX6f45D0hiwBmIFz2+VUnis7RAPelcUl1X/kT4p/3gvKSsFE0 +Ti7JWCY9e+ntnzcsb4ywisFen9tQQPP4G++qnhGyApz323LfDVPJkFWWJwARAQAB +tB9TY290dCBDYW50b3IgPGNhbnRvci4yQG9zdS5lZHU+iEYEEBECAAYFAk6DTO8A +CgkQ70D8KeoogrukNwCdGX5zZOsC44CjV2AopI8KoMFJto4AoMH+qA35GIBUkEt8 +IoRVFs1rp3TGiEYEEBEKAAYFAk6ApGIACgkQpXtW80eQXRUgxwCePIV9LehYh+Ji +o8mtQ74I/NWvfDQAoLmXTfmKAganE+r/FcCcwykzj70ViQEcBBABAgAGBQJOfS4a +AAoJEH8LUwap169VyrAH/1lrWiCJarm8eFLNlajcDt5TR5ZpanZVUbuzAp9Jk8Xt +BkCMssnuzcqqSbGmq3P6CuaSTx0BybBOhRgC+UCb/DCS0TGomJYUTcG7e7MyJZC4 +ocarORGURABk1UK/fkgEBn+9o2jdDlf7bm7JHlZJ8huLjiAq5fapzp5WhTUAcreH +jYieTS5umt01yxFatxhqiTbNXzs1c7Hc19rW4cTLREm6YQUNwTIxqJ2hHyDfU13e +phowv1DpoAwLXdHAsNy/C8RKRlr0Qc4snihVkGevLNWatYK4HP6M0tEvGX9CpnTX +pOsLZkfp96RMtE2TEvMEEA0HVoZPE7/kCyYR5DForeqJARwEEAECAAYFAlQtSU8A +CgkQWcpz+XPnY1H5dQgA4p+myZvcKjMAfhgvQZtEeqeSloZIcyYF1NyWJp0WAUUK +pZKdYYauaxPVd9l+iqz0dBlVotx5CHuymbqnj6JiX55kfKsbClWcDUs0wE6NGH3m +evosr55/17u01yFGw2KhbevdpgO5i+rNAliFe5LkZ+50CEzWcO0Io2ZhXy+qYpcz +Oy71ezwstgTJG2guH5BpbcIKku75dauPkD106wmSSswA+D95nXiJ5CFSdK3c4+Q2 +GDbXoIxJtKECb0c6tsjhU1TSPgc/XeeWqAaH/z4u8S5QlQCrMYHOMmvi8ExIrZG3 +3ba8qvB4RhSMKq+5GeJ3Gsgytp/Kc7UnVo09XFYkYokCHAQQAQIABgUCToOQYAAK +CRCagE6X1wecd5lDD/9ChSLSg/WWnsyNsUoai8KIJBTWoTRgQMemSQPHCP/KgYrf +KU4Z3fat6DPdO6hXgA/tkXt5m+shexUHmnZvwUvgiQEmL39xdQl1n5zL/QJ3u+K9 
+3jycQFM1m8c2TIrKMVbz8VwTYjLKUkhv1pxXZadmAap84ynyT+UpzN/M1ppXcUVV +jXlDVDuF5JSICh/zn93EA6hbSLWPt2ZE0QpEciZ7S/vVC/4nvXhz3m6ODV3zeshr +m5V8P8R4Fsmf1a9FY7s49jKWG7Ike6u29DYIkv39FQveYixo3FMfB5d8q4uzJigi +RAvsekMgYOlnmM8yu9JJ4//zCBj81Q2teFixUrTQON369X3bnEOt0Djqk0QXgXCU +vhYUdmAa6s/EZgngxeV5axDbW3vQa9Mki3UWsXnlpi4clx/nH7xWKcba27WkImDl +v3g4n2SbUFj/GOCc3DFp+qmWwFV8yMs300zSPbAqr+CXO0GAitoqpmhxCLmiauaG +ImnWqt051YWFG0hjaQLKhfjzXfsVuyEDD870RMXqnkS4oQd35OOy1OFbqgghxtJX +o8oCL2fRwvlREv0ko7X6rpCxPhiyy6LFoHRt+4X0G5h2/LbGjIV4oPi436pJyozb +83kCh5yGP1oh+GrKFfgTHxakp3MTNXzil8a+9aTyQRlARIevaFlGrKSR0umqaokC +HAQQAQIABgUCTpRR2wAKCRCgs8sJ0rNzUwVbD/4ufRZKllrocevu/7MEiNPyBYo1 +xOHhBjXXBKZqZmYUnoWmcp8mxAGdLDmHrKFni4v6mv9eHOcNkljKF1Heei9qbKsF +9UkeSlCNzELzRoQJ2wjP7enW80QoEWcAN7P3SBRwVE1XF3zBo5mwN/RXBGy7xy/6 +6Yy378uunCwnPyZabNTWrMhOIAw3Qhd2fMCoDt86sVm9x8CfQzJI8YPJOFSwbSuX +YMkfx/Va9sO5A9LDaX79abafHAHiwJBiGeu8W7VwJYh5acr/lTUQbUW8Hlco5IKz +3Rjd8t7qfCWpcALR2pOPYJaii97lEonrtT9Hx+iL9gma9PN1D80ty7bMYYtOdMsk +udH8XD0FBKEi0ViT83lzl2Wz3T/2INdJsuHLhLMo+R2wrE9M4jLsp6P4qRJ3NVpj +DkNe3CXwVQgQ6Q+EjtXGb541MvZY1442pHPE7c6eTDIgw5P7LpH0Jcim/iXQdpPW +apdLB1zxntmCRyYyDYhd0KNvWNDRsr+PAE2XK82KD8fF2r3m8eULm4buGA8tf2sq +uQ5K2okLlZT1NLIXmgThSDgSBjy/iFUz95AmtYdy2eqT5oRgXAsJDKMCl+nO5/1s +IRA1sRHaXCnPczQkiXhKidiVOuRpkThx3mMxYhIV2wYCG/pEpoeCHkuUMiBDSRpG +DaxucQQJR9r83xK5JIkCHAQTAQIABgUCTnvvowAKCRD6QbX3MKI2LppVEACA4l4N +BK1m38ziJZ0IBlWBKgXi4v0LK0jv1WrsrQzLWijoHSaLMt9wzbXjDyAlugxq+8Gf +PXr3bmV5Zyo6MeJiybLzQCXzbsPhpN3iT7tRAnU5EX7Qef390oWHB9GSTr2jE8yw +3dmx3UGFuP4ELmHIyxYvWSdSjGTPROVONRruR6/yVCrzy/51VPY4vw59Iv+JxbjY +5iE00TNtaXNcH2M9K7xnwrjSAGE4cViHpV12gqRdD94X8F/xKCxPD+kJCaAIKD2u +fGcdanabU6lM+UyrscNvnpXjDUFHdldE245yfdBgbm8RLWzJJKz9ETz/rYto+A6F +NZPRocbaeSv0A1J6v5MkmqNVISORxyCznhu+30s2Knw2Mn02quM/CxadxrrN/3ZW +Gcat29R3KG7OF9qEMV+5NJ84MHNqmUdCYSjdKrh4VGZcvA/+KrxDdlKmuk5Lj5Qt +b3QAv0ql6cUEEJ+ekunzQmW8UHz4XOwJ5r3OI1wuGdPShK6ItLls2W3Hxu3vDRFW +2trbj5/GHn67aJCRqkLtxRpgN4o9YPvC8kdj8WO/iMw10w7OfprEA8S1CjnOwkZw 
+Q6Mqr+JZZk/MKFHAeywIiLE1i1VPel2s4o7NXaaFthoFR33RIW3LMGFUsyfqyL/t +RGzDG3fso5VOy/4fiGulJ8YrWW9KjXGudQIb3IkCNwQTAQoAIQUCTnqDDAIbAwUL +CQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRA3i4RUAid5Yun8D/9dC3GDJEIVzg3j +tvkJD08TNVTMUwSQozN2V+WaQgglKJSboR5ajZY6SVMeqtlT+1LzcdU9c3lpQq0n +B1GZ8WkugYdFk8/0njXTI9Tw1i2Xhp/hKJEUzUkcx1NlyYHZ1EQjW/KVnq0rhPAb +qDDlyET/qo/38SrzZqOauMye8uT+aqUElF8W3U7l4t4C7ollnwychRrOaOJjSAwL +tK1WJIneDqLxzDv+bVmoZL+7Vw7iry4xwYovZ+7CpaZsicTJMYvo/CXG2qhyrvJ0 +DcxEIdhk0KiPkiP7Nd3b52vA4Z30yjfwqkoC1XlpzeD4v7il+L6HdcOigl4PDr85 +Uhoo//5SB654tmTL2a32w8GnCK/b8ySu6XwlUISiUABKGerycBeThz65c8Ud67Hi +P9QDK7+sEpqANxuX1IfwhCAnvdDKc96Y8kO8aC4pfO/bTFhhkyARMW98CVyP4XCy +wPXQQ75w5ekS/wecgKzYk/4S4aH1vErtDeY3WF5IDNTAOau747vgbf8nz0gxBwWg +Kdlwh11zslKV1fLPML7tiVyT2id2pGGOO3gUJ5Bu4LeUkLndQZeERZwWcd0IhDsE +JWIazg0lbEWCLtW7Cf/B0/X6MT9wq8aq64UMksnOU6iI91ZkH3mj2I8Ty+nl+ZXU +t1cVgj+AyYdyHIWLHfZkQLvkH5oJ5rkCDQROeoMMARAAtzb8+leM9ELMiTgwb4EG +KwY7wNt6mWOcrlvwp+mnGN4VPJa0ftDn/kFyPxtFkg4oVlHlmPUGk5RukRrl9K3q +zHMuWa+NqhjM69Fw9hZlvCcL0bqqq/CKB0GyJX/bn2V/WRgAuVQAL8P4fAQ/t8Sf +80lTTQ40ImE6F//n52AFsK0S5+gG71iCANY6DuMz4GUPbwTV1FKZqaYVdiz4Erxd +/qaurPDcgcaqtiSQnOf6qrYIX/LZqwQrpEmruj8l5xP1N8eTLtx0iW/mB0AXYyH2 +eXmtclHTYHjvoPgZajSO2obnLdDngqJ5zHZXkCX4RLFgCq/3A4NvxLOtVDYyiID3 +HcQ167aDbpjMHetleUKXMWIA4/6o+WZs9bhbgf6xDa73Qqug8RP4VX7FBrEe2s0x +cc9d15YbA8rGrq4jvGB3hUEw/tK/3uVuft+mRrHqNFEjKs49MKTc8vu4CyxQN21O +6dfrp/84MD93VjQUkYUrL2zxbJcBvQTA5SuE0mqBR/e8IH8UBYmuM4nWdUuHNTsw +KqzRsAqdPfZ1bNnfo9empNFEl2me2IXhNgiBpbpGEFWY02bEXdtCId/hpMNhE3y6 +pxJwTtxqj1Kw+u32qcL0lswz5tCF0CrW5ha9UDzO5xH3kY19/NXUnb2WFNqViy02 +KwpbHG5jQcQ206Amwo/Fun0AEQEAAYkCHwQYAQoACQUCTnqDDAIbDAAKCRA3i4RU +Aid5YjyED/9vz1JX0q4TEFVxzgla8BbhVwlaXoOmbJcOxw8ne2qO3NZ+ecnoWS0d +DRe1AJLcaAgC2hwpDpZ3Or5bCpQSUBlwdA/rxOMJom7GKYO9oGp54V+cjNlzJpb1 +1cKuYzj6HdmVGKbzo65G8tYUK0fDTsjWWU4Mh7HAztZH9Umh0e9103DfkGf2uS8e +A8WVc2sBwCtlfJTilyJ7LxVO+vfodb9RKTPx0PGbQBNbFaxmK64Sz4xjVUTZiHn9 +j329rTDv7yzQuCiO+CWSy7Ti789bRcUgPWv2bbg4UlTPn40OIfAUb/s1P39J3lID 
+g4GstZcBjGNTa5o65tF3m0+s2mDbDAToGqzqv0fHE6iDDvctudFZoUbgJ/5DSqsA +5Xe5VCRRvwR3S9t7OJS4eQdxDYWxgPGhoovNdzPePTbdIfkWBw+Wwokj0rsAUKfx +7jXZtjYXfG6NJdEHqGQLYeW23kMmxIdoY1jjWOEJwdD0q8p7M2aum9Ncjn1sW/RU +PPLu+U3rtjc6fhf4VWpvp6NVp7a8/6cgSTZL4eavYIOuXDCa44KsnGhWpPBOJNeZ +WvCkgGNCUbzArnre3iDTnf6iJ1aMrXToN838IV2svifkAvEnMkhYfjUgDIFOMOrs +fLhRULAR6zzyXiJiznT6rjlxlixsKazyy9dLC3qlwC4pCIpol0QKbQ== +=96Mf +-----END PGP PUBLIC KEY BLOCK----- diff --git a/shibboleth-sp.spec b/shibboleth-sp.spec new file mode 100644 index 0000000..8cf6c58 --- /dev/null +++ b/shibboleth-sp.spec 
@@ -0,0 +1,263 @@
+#
+# spec file for package shibboleth-sp
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define libvers 12
+%define libvers_lite 12
+%define runuser shibd
+%define realname shibboleth
+%define pkgdocdir %{_docdir}/%{realname}
+Name: shibboleth-sp
+Version: 3.5.0
+Release: 0
+Summary: System for attribute-based Web Single Sign On
+License: Apache-2.0
+Group: Productivity/Networking/Security
+URL: https://shibboleth.net/
+Source0: https://shibboleth.net/downloads/service-provider/%{version}/%{name}-%{version}.tar.bz2
+Source1: https://shibboleth.net/downloads/service-provider/%{version}/%{name}-%{version}.tar.bz2.asc
+Source2: %{name}.keyring
+Source3: shibd.service
+Patch0: shibboleth-sp-2.5.5-doxygen_timestamp.patch
+BuildRequires: apache2-devel
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: doxygen
+BuildRequires: gcc-c++
+BuildRequires: krb5-devel
+BuildRequires: libboost_headers-devel
+BuildRequires: liblog4shib-devel >= 2
+BuildRequires: libmemcached-devel
+BuildRequires: libsaml-devel >= 3.1.0
+BuildRequires: libtool
+BuildRequires: libxerces-c-devel >= 3.2
+BuildRequires: libxml-security-c-devel >= 2.0.0
+BuildRequires: libxmltooling-devel >= 3.1.0
+BuildRequires: pkgconfig
+BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-shadow
+BuildRequires: sysuser-tools
+BuildRequires: unixODBC-devel
+BuildRequires: zlib-devel
+BuildRequires: pkgconfig(libsystemd)
+Requires: openssl
+Requires(pre): opensaml-schemas >= 3.1.0
+Requires(pre): xmltooling-schemas >= 3.1.0
+Requires(pre): shadow
+Obsoletes: shibboleth-sp = 2.5.0
+%{?systemd_requires}
+
+%description
+Shibboleth is a Web Single Sign-On implementations based on OpenSAML
+that supports multiple protocols, federated identity, and the extensible
+exchange of rich attributes subject to privacy controls.
+
+This package contains the Shibboleth Service Provider runtime libraries,
+daemon, default plugins, and Apache module.
+
+%package -n libshibsp%{libvers}
+Summary: Shared Library for Shibboleth
+Group: Productivity/Networking/Security
+
+%description -n libshibsp%{libvers}
+Shibboleth is a Web Single Sign-On implementations based on OpenSAML
+that supports multiple protocols, federated identity, and the extensible
+exchange of rich attributes subject to privacy controls.
+
+This package contains just the shared library.
+
+%package -n libshibsp-lite%{libvers_lite}
+Summary: Shared Library for Shibboleth
+Group: Productivity/Networking/Security
+
+%description -n libshibsp-lite%{libvers_lite}
+Shibboleth is a Web Single Sign-On implementations based on OpenSAML
+that supports multiple protocols, federated identity, and the extensible
+exchange of rich attributes subject to privacy controls.
+
+This package contains just the shared library.
+
+%package devel
+Summary: Shibboleth Development Headers
+Group: Development/Libraries/C and C++
+Requires: %{name} = %{version}-%{release}
+Requires: liblog4shib-devel >= 2
+Requires: libsaml-devel >= 3.1.0
+Requires: libshibsp%{libvers} = %{version}-%{release}
+Requires: libshibsp-lite%{libvers_lite} = %{version}-%{release}
+Requires: libxerces-c-devel >= 3.2
+Requires: libxml-security-c-devel >= 2.0.0
+Requires: libxmltooling-devel >= 3.1.0
+Obsoletes: shibboleth-sp-devel = 2.5.0
+
+%description devel
+Shibboleth is a Web Single Sign-On implementations based on OpenSAML
+that supports multiple protocols, federated identity, and the extensible
+exchange of rich attributes subject to privacy controls.
+
+This package includes files needed for development with Shibboleth.
+
+%prep
+%autosetup -p1
+
+%build
+export CXXFLAGS="%{optflags} --std=c++11"
+autoreconf -f -i
+%configure --with-gssapi --enable-systemd --with-memcached
+%make_build pkgdocdir=%{pkgdocdir}
+
+%install
+%make_install NOKEYGEN=1 pkgdocdir=%{pkgdocdir}
+
+install -D -m 644 %{SOURCE3} %{buildroot}%{_unitdir}/shibd.service
+ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcshibd
+
+sed -i "s|/var/log/httpd|/var/log/apache2|g" \
+ %{buildroot}%{_sysconfdir}/%{realname}/native.logger
+
+sed -i "s|%{_bindir}/env bash|%{_bindir}/bash|" \
+ %{buildroot}%{_sysconfdir}/%{realname}/metagen.sh
+
+# Delete unnecessary files
+pushd %{buildroot}/%{_sysconfdir}/%{realname}
+rm shibd-debian shibd-redhat shibd-amazon shibd-suse shibd-osx.plist apache.config apache2.config apache22.config shibd-systemd
+rm *.dist
+popd
+find %{buildroot} -type f -name "*.la" -delete -print
+
+# Plug the SP into the Apache
+touch rpm.filelist
+APACHE_CONFIG="no"
+if [ -f %{buildroot}%{_libdir}/%{realname}/mod_shib_24.so ] ; then
+ APACHE_CONFIG="apache24.config"
+fi
+
+if [ "$APACHE_CONFIG" != "no" ] ; then
+ APACHE_CONFD="no"
+ if [ -d %{_sysconfdir}/apache2/conf.d ] ; then
+ APACHE_CONFD="%{_sysconfdir}/apache2/conf.d"
+ fi
+ if [ "$APACHE_CONFD" != "no" ] ; then + mkdir -p $RPM_BUILD_ROOT$APACHE_CONFD + cp -p %{buildroot}%{_sysconfdir}/%{realname}/$APACHE_CONFIG $RPM_BUILD_ROOT$APACHE_CONFD/shib.conf + echo "%config(noreplace) $APACHE_CONFD/shib.conf" >> rpm.filelist + fi +fi + +# Get run directory created at boot time. +mkdir -p %{buildroot}%{_tmpfilesdir} +echo "%attr(0444,-,-) %{_tmpfilesdir}/%{realname}.conf" >> rpm.filelist +cat > %{buildroot}%{_tmpfilesdir}/%{realname}.conf < %{realname}.sysusers << EOF +u %{runuser} - "Shibboleth SP daemon" /run/%{realname} /dev/nologin +EOF +%sysusers_generate_pre %{realname}.sysusers %{name} %{name}.conf + +install -Dpm0644 %{realname}.sysusers %{buildroot}%{_sysusersdir}/%{name}.conf + +%check +%make_build check + +%pre -f %{name}.pre +%service_add_pre shibd.service +exit 0 + +%post -n libshibsp%{libvers} -p /sbin/ldconfig +%post -n libshibsp-lite%{libvers_lite} -p /sbin/ldconfig + +%post + +# Generate two keys on new installs. +if [ $1 -eq 1 ] ; then + cd %{_sysconfdir}/shibboleth + /bin/sh ./keygen.sh -b -n sp-signing -u %{runuser} -g %{runuser} + /bin/sh ./keygen.sh -b -n sp-encrypt -u %{runuser} -g %{runuser} +fi + +%service_add_post shibd.service + +%tmpfiles_create %{_tmpfilesdir}/%{realname}.conf + +%preun +# On final removal, stop shibd and remove service, restart Apache if running. +%service_del_preun shibd.service +if [ $1 -eq 0 ] ; then + /sbin/service apache2 status 1>/dev/null && /sbin/service apache2 restart 1>/dev/null +fi +exit 0 + +%postun -n libshibsp%{libvers} -p /sbin/ldconfig +%postun -n libshibsp-lite%{libvers_lite} -p /sbin/ldconfig + +%postun +%service_del_postun shibd.service +%restart_on_update apache2 + +%posttrans +# One-time extra restart of shibd and Apache to work around +# SUSE bug that breaks old %%restart_on_update macro. +# If we remove, upgrades from pre-systemd to post-systemd +# will stop doing the final restart. 
+%{_bindir}/systemctl try-restart shibd >/dev/null 2>&1 || :
+%{_bindir}/systemctl try-restart apache2 >/dev/null 2>&1 || :
+exit 0
+
+%files -f rpm.filelist
+%{_sbindir}/shibd
+%{_sbindir}/rcshibd
+%{_bindir}/mdquery
+%{_bindir}/resolvertest
+%dir %{_libdir}/%{realname}
+%{_libdir}/%{realname}/*
+%{_unitdir}/shibd.service
+%{_sysusersdir}/%{name}.conf
+%attr(0750,%{runuser},%{runuser}) %dir %{_localstatedir}/log/%{realname}
+%attr(0755,%{runuser},%{runuser}) %dir %{_localstatedir}/cache/%{realname}
+%ghost %attr(0755,%{runuser},%{runuser}) %dir /run/%{realname}
+%dir %{_datadir}/xml/%{realname}
+%{_datadir}/xml/%{realname}/*
+%dir %{_datadir}/%{realname}
+%{_datadir}/%{realname}/*
+%dir %{_sysconfdir}/%{realname}
+%config(noreplace) %{_sysconfdir}/%{realname}/*.xml
+%config(noreplace) %{_sysconfdir}/%{realname}/*.html
+%config(noreplace) %{_sysconfdir}/%{realname}/*.logger
+%{_tmpfilesdir}/%{realname}.conf
+%{_sysconfdir}/%{realname}/apache24.config
+%attr(0755,root,root) %{_sysconfdir}/%{realname}/keygen.sh
+%attr(0755,root,root) %{_sysconfdir}/%{realname}/metagen.sh
+%attr(0755,root,root) %{_sysconfdir}/%{realname}/seckeygen.sh
+%doc %{pkgdocdir}
+%exclude %{pkgdocdir}/api
+
+%files -n libshibsp%{libvers}
+%{_libdir}/libshibsp.so.*
+
+%files -n libshibsp-lite%{libvers_lite}
+%{_libdir}/libshibsp-lite.so.*
+
+%files devel
+%{_includedir}/*
+%{_libdir}/libshibsp.so
+%{_libdir}/libshibsp-lite.so
+%{_libdir}/pkgconfig/*.pc
+%doc %{pkgdocdir}/api
+
+%changelog
diff --git a/shibd.service b/shibd.service
new file mode 100644
index 0000000..057059b
--- /dev/null
+++ b/shibd.service
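Review bot: The sysusers entry written in %install gives the shibd account the shell `/dev/nologin`, a path that does not exist on a normal system and is presumably a typo for the nologin binary. Logins still fail because the shell cannot be executed, but the account then depends on a missing file instead of a recognised no-login shell, so I would write `u %{runuser} - "Shibboleth SP daemon" /run/%{realname} /usr/sbin/nologin`. Separately, the %post scriptlet runs `./keygen.sh` as root by relative path right after an unchecked `cd %{_sysconfdir}/shibboleth`. Using `cd %{_sysconfdir}/shibboleth || exit 1` would keep the key generation from running out of an unexpected working directory.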
@@ -0,0 +1,33 @@
+[Unit]
+Description=Shibboleth Service Provider Daemon
+After=network.target
+Before=apache2.service
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=notify
+NotifyAccess=main
+User=shibd
+ExecStart=/usr/sbin/shibd -f -F
+StandardInput=null
+StandardOutput=null
+StandardError=journal
+TimeoutStopSec=5s
+TimeoutStartSec=150s
+Restart=on-failure
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target
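Review bot: The [Service] hardening block has no `NoNewPrivileges=true` or `PrivateTmp=true`, and `ProtectSystem=full` leaves everything outside /usr, /boot, /efi and /etc writable by the daemon. Since the unit already runs as the unprivileged `User=shibd`, the daemon presumably needs no setuid helpers, so both lines are worth adding after the `# end of automatic additions` marker and testing against a live SP. If shibd only writes to its log, cache and run directories, `ProtectSystem=strict` with a matching `ReadWritePaths=` list would be tighter; the paths should come from the package's file list, not be guessed. A short comment above `StandardOutput=null` saying that stdout is discarded on purpose and only stderr reaches the journal would help whoever debugs a failed start.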