Upgrade ap2-auth-mellon to 0.6.1 plus a patch from upstream

Changes since 0.4.0, from NEWS file:

* Add MellonSPentityId to control entityId in autogenerated metadata

Version 0.6.1
---------------------------------------------------------------------------

* Fix the POST replay functionality when multiple users logging in
  at once.

* Add a fallback for the case where the POST replay data has expired
  before the user logs in.

Version 0.6.0
---------------------------------------------------------------------------

Backwards-incompatible changes:

* The POST replay functionality has been disabled by default, and the
  automatic creation of the MellonPostDirectory target directory has been
  removed. If you want to use the POST replay functionality, take a
  look at the README file for instructions for how to enable this.

* Start discovery service when accessing the login endpoint. We used
  to bypass the discovery service in this case, and just pick the first
  IdP. This has been changed to send a request to the discovery service
  instead, if one is configured.

* The MellonLockFile default path has been changed to:
    /var/run/mod_auth_mellon.lock
  This only affects platforms where a lock file is required and
  where Apache doesn't have write access to that directory during
  startup. (Apache can normally create files in that directory
  during startup.)

Other changes:

* Fix support for SOAP logout.

* Local logout when IdP does not support SAML 2.0 Single Logout.

* MellonDoNotVerifyLogoutSignature option to disable logout signature
  validation.

* Support for relative file paths in configuration.

* The debian build-directory has been removed from the repository.

* Various cleanups and bugfixes:

  * Fix cookie parsing header parsing for some HTTP libraries.

  * Fix inheritance of MellonAuthnContextClassRef option.

  * Use ap_set_content_type() instead of accessing request->content_type.

  * README indentation cleanups.

  * Support for even older versions of GLib.

  * Fixes for error handling during session initialization.

  * Directly link with GLib rather than relying on the Lasso library
    linking to it for us.

  * Some code cleanups.

Version 0.5.0
---------------------------------------------------------------------------

* Honour MellonProbeDiscoveryIdP order when sending probes.

* MellonAuthnContextClassRef configuration directive, to limit
  authentication to specific authentication methods.

* Support for the HTTP-POST binding when sending authentication
  requests to the IdP.

* MellonSubjectConfirmationDataAddressCheck option to disable received
  address checking.

* Various cleanups and bugfixes:

  * Support for older versions of GLib and APR.

  * Send the correct SP entityID to the discovery service.

  * Do not set response headers twice.

  * Several cleanups in the code that starts authentication.


(manu)

@@ -1,9 +1,33 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.1.1.1 2009/03/02 16:47:42 manu Exp $
+$NetBSD: MESSAGE,v 1.2 2013/04/15 15:35:01 manu Exp $
 
 In order to use this module in your Apache installation, you need to
 add the following to your httpd.conf file:
 
   LoadModule auth_mellon_module lib/httpd/mod_auth_mellon.so
+
+If upgrading from version prior 0.6.0, please not the following
+backward-incompatible changes:
+
+* The POST replay functionality has been disabled by default, and the
+  automatic creation of the MellonPostDirectory target directory has been
+  removed. If you want to use the POST replay functionality, create a
+  directory accessible only by the apache user (e.g.: /var/spool/mellon)
+  and add this after the LoadModule for mod_auth_mellon.so:
+  
+  MellonPostDirectory /var/spool/mellon
+
+* Start discovery service when accessing the login endpoint. We used
+  to bypass the discovery service in this case, and just pick the first
+  IdP. This has been changed to send a request to the discovery service
+  instead, if one is configured.
+
+* The MellonLockFile default path has been changed to:
+    /var/run/mod_auth_mellon.lock
+  This only affects platforms where a lock file is required and
+  where Apache doesn't have write access to that directory during
+  startup. (Apache can normally create files in that directory
+  during startup.)
+
 
 ===========================================================================

@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.25 2013/02/06 23:23:57 jperkin Exp $
+# $NetBSD: Makefile,v 1.26 2013/04/15 15:35:01 manu Exp $
 #
 
 PKGNAME=	${APACHE_PKG_PREFIX}-${DISTNAME:S/mod_//:S/_/-/}
-DISTNAME=	mod_auth_mellon-0.4.0
-PKGREVISION=	7
+DISTNAME=	mod_auth_mellon-0.6.1
+#PKGREVISION=	1
 CATEGORIES=	www security
 MASTER_SITES=	http://modmellon.googlecode.com/files/
 
@@ -11,6 +11,8 @@
 HOMEPAGE=	http://code.google.com/p/modmellon/
 COMMENT=	SAML 2.0 authentication for Apache
 LICENSE=	gnu-gpl-v2 # or later
+
+PKG_DESTDIR_SUPPORT=	user-destdir
 
 GNU_CONFIGURE=	YES
 USE_LIBTOOL=	YES

@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.11 2011/12/06 09:58:01 manu Exp $
+$NetBSD: distinfo,v 1.12 2013/04/15 15:35:01 manu Exp $
 
-SHA1 (mod_auth_mellon-0.4.0.tar.gz) = d09f7bbefe32c2eaa624612584eab1ea8e89820a
+SHA1 (mod_auth_mellon-0.6.1.tar.gz) = c1704daaafdb2105ee5f1d488f88ec914f2dd646
-RMD160 (mod_auth_mellon-0.4.0.tar.gz) = 92ef003ae22c43ef81d22f5027486244e76e3d3f
+RMD160 (mod_auth_mellon-0.6.1.tar.gz) = 0cef669feeb0fba516cd934f1fe8a93e6bc67239
-Size (mod_auth_mellon-0.4.0.tar.gz) = 103708 bytes
+Size (mod_auth_mellon-0.6.1.tar.gz) = 108734 bytes
-SHA1 (patch-ai) = a7a4f729301bff79cb39d441f9fa48993cdc2899
+SHA1 (patch-aj) = c8219d53538cf9e10acaec861a66a3f29e22a582

$NetBSD: patch-aj,v 1.1 2013/04/15 15:35:02 manu Exp $ 

MellonSPentityId option to control entityID in autogenerated metadata
(patch from upstream)

Index: auth_mellon_config.c
===================================================================
--- auth_mellon_config.c	(revision 204)
+++ auth_mellon_config.c	(working copy)
@@ -1064,6 +1064,13 @@
         OR_AUTHCFG,
         "List of IdP entityId to ignore."
         ),
+    AP_INIT_TAKE1(
+        "MellonSPentityId",
+        ap_set_string_slot,
+        (void *)APR_OFFSETOF(am_dir_cfg_rec, sp_entity_id),
+        OR_AUTHCFG,
+        "SP entity Id to be used for metadata auto generation."
+        ),
     AP_INIT_TAKE12(
         "MellonOrganizationName",
         am_set_langstring_slot,
@@ -1231,6 +1238,7 @@
     dir->probe_discovery_timeout = -1; /* -1 means no probe discovery */
     dir->probe_discovery_idp = apr_table_make(p, 0);
 
+    dir->sp_entity_id = NULL;
     dir->sp_org_name = apr_hash_make(p);
     dir->sp_org_display_name = apr_hash_make(p);
     dir->sp_org_url = apr_hash_make(p);
@@ -1400,6 +1408,10 @@
                           add_cfg->idp_ignore :
                           base_cfg->idp_ignore;
 
+    new_cfg->sp_entity_id = (add_cfg->sp_entity_id ?
+                             add_cfg->sp_entity_id :
+                             base_cfg->sp_entity_id);
+
     new_cfg->sp_org_name = apr_hash_copy(p,
                           (apr_hash_count(add_cfg->sp_org_name) > 0) ?
                            add_cfg->sp_org_name : 
Index: auth_mellon_handler.c
===================================================================
--- auth_mellon_handler.c	(revision 204)
+++ auth_mellon_handler.c	(working copy)
@@ -117,7 +117,10 @@
     am_dir_cfg_rec *cfg = am_get_dir_cfg(r);
     char *url = am_get_endpoint_url(r);
     char *cert = "";
+    const char *sp_entity_id;
 
+    sp_entity_id = cfg->sp_entity_id ? cfg->sp_entity_id : url;
+
     if (cfg->sp_cert_file) {
 	char *sp_cert_file;
         char *cp;
@@ -171,7 +174,7 @@
     return apr_psprintf(p,
       "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n\
 <EntityDescriptor\n\
- entityID=\"%smetadata\"\n\
+ entityID=\"%s%s\"\n\
  xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n\
  <SPSSODescriptor\n\
    AuthnRequestsSigned=\"true\"\n\
@@ -197,7 +200,8 @@
  </SPSSODescriptor>\n\
  %s\n\
 </EntityDescriptor>",
-      url, cert, url, url, url, url, am_optional_metadata(p, r));
+      sp_entity_id, cfg->sp_entity_id ? "" : "metadata", 
+      cert, url, url, url, url, am_optional_metadata(p, r));
 }
 #endif /* HAVE_lasso_server_new_from_buffers */
 
Index: auth_mellon.h
===================================================================
--- auth_mellon.h	(revision 204)
+++ auth_mellon.h	(working copy)
@@ -195,6 +195,7 @@
     GList *idp_ignore;
 
     /* metadata autogeneration helper */
+    char *sp_entity_id;
     apr_hash_t *sp_org_name;
     apr_hash_t *sp_org_display_name;
     apr_hash_t *sp_org_url;
Index: README
===================================================================
--- README	(revision 204)
+++ README	(working copy)
@@ -332,7 +332,11 @@
         # Default: None set.
         MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
 
-        # If you choose to autogenerate metadata, these option 
+        # If you choose to autogenerate metadata, this option
+        # can be used to control the SP entityId
+        # MellonSPentityId "https://www.example.net/foo"
+        #
+        # If you choose to autogenerate metadata, these options 
         # can be used to fill the <Organization> element. They
         # all follow the syntax "option [lang] value":
         # MellonOrganizationName "random-service"