Mon Apr 15 15:35:02 2013 UTC ()
Upgrade ap2-auth-mellon to 0.6.1 plus a patch from upstream
Changes since 0.4.0, from NEWS file:
* Add MellonSPentityId to control entityId in autogenerated metadata
Version 0.6.1
---------------------------------------------------------------------------
* Fix the POST replay functionality when multiple users logging in
at once.
* Add a fallback for the case where the POST replay data has expired
before the user logs in.
Version 0.6.0
---------------------------------------------------------------------------
Backwards-incompatible changes:
* The POST replay functionality has been disabled by default, and the
automatic creation of the MellonPostDirectory target directory has been
removed. If you want to use the POST replay functionality, take a
look at the README file for instructions for how to enable this.
* Start discovery service when accessing the login endpoint. We used
to bypass the discovery service in this case, and just pick the first
IdP. This has been changed to send a request to the discovery service
instead, if one is configured.
* The MellonLockFile default path has been changed to:
/var/run/mod_auth_mellon.lock
This only affects platforms where a lock file is required and
where Apache doesn't have write access to that directory during
startup. (Apache can normally create files in that directory
during startup.)
Other changes:
* Fix support for SOAP logout.
* Local logout when IdP does not support SAML 2.0 Single Logout.
* MellonDoNotVerifyLogoutSignature option to disable logout signature
validation.
* Support for relative file paths in configuration.
* The debian build-directory has been removed from the repository.
* Various cleanups and bugfixes:
* Fix cookie parsing header parsing for some HTTP libraries.
* Fix inheritance of MellonAuthnContextClassRef option.
* Use ap_set_content_type() instead of accessing request->content_type.
* README indentation cleanups.
* Support for even older versions of GLib.
* Fixes for error handling during session initialization.
* Directly link with GLib rather than relying on the Lasso library
linking to it for us.
* Some code cleanups.
Version 0.5.0
---------------------------------------------------------------------------
* Honour MellonProbeDiscoveryIdP order when sending probes.
* MellonAuthnContextClassRef configuration directive, to limit
authentication to specific authentication methods.
* Support for the HTTP-POST binding when sending authentication
requests to the IdP.
* MellonSubjectConfirmationDataAddressCheck option to disable received
address checking.
* Various cleanups and bugfixes:
* Support for older versions of GLib and APR.
* Send the correct SP entityID to the discovery service.
* Do not set response headers twice.
* Several cleanups in the code that starts authentication.
(manu)
diff -r1.1.1.1 -r1.2 pkgsrc/www/ap2-auth-mellon/MESSAGE
diff -r1.25 -r1.26 pkgsrc/www/ap2-auth-mellon/Makefile
diff -r1.11 -r1.12 pkgsrc/www/ap2-auth-mellon/distinfo
diff -r1.1 -r0 pkgsrc/www/ap2-auth-mellon/patches/patch-ai
diff -r0 -r1.1 pkgsrc/www/ap2-auth-mellon/patches/patch-aj
--- pkgsrc/www/ap2-auth-mellon/MESSAGE 2009/03/02 16:47:42 1.1.1.1
+++ pkgsrc/www/ap2-auth-mellon/MESSAGE 2013/04/15 15:35:01 1.2
| @@ -1,9 +1,33 @@ | | | @@ -1,9 +1,33 @@ |
1 | =========================================================================== | | 1 | =========================================================================== |
2 | $NetBSD: MESSAGE,v 1.1.1.1 2009/03/02 16:47:42 manu Exp $ | | 2 | $NetBSD: MESSAGE,v 1.2 2013/04/15 15:35:01 manu Exp $ |
3 | | | 3 | |
4 | In order to use this module in your Apache installation, you need to | | 4 | In order to use this module in your Apache installation, you need to |
5 | add the following to your httpd.conf file: | | 5 | add the following to your httpd.conf file: |
6 | | | 6 | |
7 | LoadModule auth_mellon_module lib/httpd/mod_auth_mellon.so | | 7 | LoadModule auth_mellon_module lib/httpd/mod_auth_mellon.so |
8 | | | 8 | |
| | | 9 | If upgrading from version prior 0.6.0, please not the following |
| | | 10 | backward-incompatible changes: |
| | | 11 | |
| | | 12 | * The POST replay functionality has been disabled by default, and the |
| | | 13 | automatic creation of the MellonPostDirectory target directory has been |
| | | 14 | removed. If you want to use the POST replay functionality, create a |
| | | 15 | directory accessible only by the apache user (e.g.: /var/spool/mellon) |
| | | 16 | and add this after the LoadModule for mod_auth_mellon.so: |
| | | 17 | |
| | | 18 | MellonPostDirectory /var/spool/mellon |
| | | 19 | |
| | | 20 | * Start discovery service when accessing the login endpoint. We used |
| | | 21 | to bypass the discovery service in this case, and just pick the first |
| | | 22 | IdP. This has been changed to send a request to the discovery service |
| | | 23 | instead, if one is configured. |
| | | 24 | |
| | | 25 | * The MellonLockFile default path has been changed to: |
| | | 26 | /var/run/mod_auth_mellon.lock |
| | | 27 | This only affects platforms where a lock file is required and |
| | | 28 | where Apache doesn't have write access to that directory during |
| | | 29 | startup. (Apache can normally create files in that directory |
| | | 30 | during startup.) |
| | | 31 | |
| | | 32 | |
9 | =========================================================================== | | 33 | =========================================================================== |
--- pkgsrc/www/ap2-auth-mellon/Makefile 2013/02/06 23:23:57 1.25
+++ pkgsrc/www/ap2-auth-mellon/Makefile 2013/04/15 15:35:01 1.26
| @@ -1,27 +1,29 @@ | | | @@ -1,27 +1,29 @@ |
1 | # $NetBSD: Makefile,v 1.25 2013/02/06 23:23:57 jperkin Exp $ | | 1 | # $NetBSD: Makefile,v 1.26 2013/04/15 15:35:01 manu Exp $ |
2 | # | | 2 | # |
3 | | | 3 | |
4 | PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/} | | 4 | PKGNAME= ${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/} |
5 | DISTNAME= mod_auth_mellon-0.4.0 | | 5 | DISTNAME= mod_auth_mellon-0.6.1 |
6 | PKGREVISION= 7 | | 6 | #PKGREVISION= 1 |
7 | CATEGORIES= www security | | 7 | CATEGORIES= www security |
8 | MASTER_SITES= http://modmellon.googlecode.com/files/ | | 8 | MASTER_SITES= http://modmellon.googlecode.com/files/ |
9 | | | 9 | |
10 | MAINTAINER= manu@NetBSD.org | | 10 | MAINTAINER= manu@NetBSD.org |
11 | HOMEPAGE= http://code.google.com/p/modmellon/ | | 11 | HOMEPAGE= http://code.google.com/p/modmellon/ |
12 | COMMENT= SAML 2.0 authentication for Apache | | 12 | COMMENT= SAML 2.0 authentication for Apache |
13 | LICENSE= gnu-gpl-v2 # or later | | 13 | LICENSE= gnu-gpl-v2 # or later |
14 | | | 14 | |
| | | 15 | PKG_DESTDIR_SUPPORT= user-destdir |
| | | 16 | |
15 | GNU_CONFIGURE= YES | | 17 | GNU_CONFIGURE= YES |
16 | USE_LIBTOOL= YES | | 18 | USE_LIBTOOL= YES |
17 | USE_TOOLS+= pkg-config | | 19 | USE_TOOLS+= pkg-config |
18 | CFLAGS+= -DLASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT=0 | | 20 | CFLAGS+= -DLASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT=0 |
19 | | | 21 | |
20 | APACHE_MODULE= YES | | 22 | APACHE_MODULE= YES |
21 | APACHE_MODULE_NAME= auth_mellon_module | | 23 | APACHE_MODULE_NAME= auth_mellon_module |
22 | PKG_APACHE_ACCEPTED= apache22 | | 24 | PKG_APACHE_ACCEPTED= apache22 |
23 | .include "../../mk/apache.mk" | | 25 | .include "../../mk/apache.mk" |
24 | BUILDLINK_API_DEPENDS.apache+= apache>=2.0.47 | | 26 | BUILDLINK_API_DEPENDS.apache+= apache>=2.0.47 |
25 | | | 27 | |
26 | SUBST_CLASSES+= pthflags | | 28 | SUBST_CLASSES+= pthflags |
27 | SUBST_MESSAGES= Remove -pthread flag | | 29 | SUBST_MESSAGES= Remove -pthread flag |
--- pkgsrc/www/ap2-auth-mellon/distinfo 2011/12/06 09:58:01 1.11
+++ pkgsrc/www/ap2-auth-mellon/distinfo 2013/04/15 15:35:01 1.12
| @@ -1,6 +1,6 @@ | | | @@ -1,6 +1,6 @@ |
1 | $NetBSD: distinfo,v 1.11 2011/12/06 09:58:01 manu Exp $ | | 1 | $NetBSD: distinfo,v 1.12 2013/04/15 15:35:01 manu Exp $ |
2 | | | 2 | |
3 | SHA1 (mod_auth_mellon-0.4.0.tar.gz) = d09f7bbefe32c2eaa624612584eab1ea8e89820a | | 3 | SHA1 (mod_auth_mellon-0.6.1.tar.gz) = c1704daaafdb2105ee5f1d488f88ec914f2dd646 |
4 | RMD160 (mod_auth_mellon-0.4.0.tar.gz) = 92ef003ae22c43ef81d22f5027486244e76e3d3f | | 4 | RMD160 (mod_auth_mellon-0.6.1.tar.gz) = 0cef669feeb0fba516cd934f1fe8a93e6bc67239 |
5 | Size (mod_auth_mellon-0.4.0.tar.gz) = 103708 bytes | | 5 | Size (mod_auth_mellon-0.6.1.tar.gz) = 108734 bytes |
6 | SHA1 (patch-ai) = a7a4f729301bff79cb39d441f9fa48993cdc2899 | | 6 | SHA1 (patch-aj) = c8219d53538cf9e10acaec861a66a3f29e22a582 |
$NetBSD: patch-aj,v 1.1 2013/04/15 15:35:02 manu Exp $
MellonSPentityId option to control entityID in autogenerated metadata
(patch from upstream)
Index: auth_mellon_config.c
===================================================================
--- auth_mellon_config.c (revision 204)
+++ auth_mellon_config.c (working copy)
@@ -1064,6 +1064,13 @@
OR_AUTHCFG,
"List of IdP entityId to ignore."
),
+ AP_INIT_TAKE1(
+ "MellonSPentityId",
+ ap_set_string_slot,
+ (void *)APR_OFFSETOF(am_dir_cfg_rec, sp_entity_id),
+ OR_AUTHCFG,
+ "SP entity Id to be used for metadata auto generation."
+ ),
AP_INIT_TAKE12(
"MellonOrganizationName",
am_set_langstring_slot,
@@ -1231,6 +1238,7 @@
dir->probe_discovery_timeout = -1; /* -1 means no probe discovery */
dir->probe_discovery_idp = apr_table_make(p, 0);
+ dir->sp_entity_id = NULL;
dir->sp_org_name = apr_hash_make(p);
dir->sp_org_display_name = apr_hash_make(p);
dir->sp_org_url = apr_hash_make(p);
@@ -1400,6 +1408,10 @@
add_cfg->idp_ignore :
base_cfg->idp_ignore;
+ new_cfg->sp_entity_id = (add_cfg->sp_entity_id ?
+ add_cfg->sp_entity_id :
+ base_cfg->sp_entity_id);
+
new_cfg->sp_org_name = apr_hash_copy(p,
(apr_hash_count(add_cfg->sp_org_name) > 0) ?
add_cfg->sp_org_name :
Index: auth_mellon_handler.c
===================================================================
--- auth_mellon_handler.c (revision 204)
+++ auth_mellon_handler.c (working copy)
@@ -117,7 +117,10 @@
am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
char *url = am_get_endpoint_url(r);
char *cert = "";
+ const char *sp_entity_id;
+ sp_entity_id = cfg->sp_entity_id ? cfg->sp_entity_id : url;
+
if (cfg->sp_cert_file) {
char *sp_cert_file;
char *cp;
@@ -171,7 +174,7 @@
return apr_psprintf(p,
"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n\
<EntityDescriptor\n\
- entityID=\"%smetadata\"\n\
+ entityID=\"%s%s\"\n\
xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n\
<SPSSODescriptor\n\
AuthnRequestsSigned=\"true\"\n\
@@ -197,7 +200,8 @@
</SPSSODescriptor>\n\
%s\n\
</EntityDescriptor>",
- url, cert, url, url, url, url, am_optional_metadata(p, r));
+ sp_entity_id, cfg->sp_entity_id ? "" : "metadata",
+ cert, url, url, url, url, am_optional_metadata(p, r));
}
#endif /* HAVE_lasso_server_new_from_buffers */
Index: auth_mellon.h
===================================================================
--- auth_mellon.h (revision 204)
+++ auth_mellon.h (working copy)
@@ -195,6 +195,7 @@
GList *idp_ignore;
/* metadata autogeneration helper */
+ char *sp_entity_id;
apr_hash_t *sp_org_name;
apr_hash_t *sp_org_display_name;
apr_hash_t *sp_org_url;
Index: README
===================================================================
--- README (revision 204)
+++ README (working copy)
@@ -332,7 +332,11 @@
# Default: None set.
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
- # If you choose to autogenerate metadata, these option
+ # If you choose to autogenerate metadata, this option
+ # can be used to control the SP entityId
+ # MellonSPentityId "https://www.example.net/foo"
+ #
+ # If you choose to autogenerate metadata, these options
# can be used to fill the <Organization> element. They
# all follow the syntax "option [lang] value":
# MellonOrganizationName "random-service"