new, version 0.7.0 master
authorElan Ruusamäe <glen@delfi.ee>
Tue, 29 Apr 2014 15:56:23 +0000 (18:56 +0300)
committerElan Ruusamäe <glen@delfi.ee>
Tue, 29 Apr 2014 15:56:46 +0000 (18:56 +0300)
based on fedora package
5f23c37313733e6fa2245d2017ae23de0e3c8d2a

apache-mod_auth_mellon.spec [new file with mode: 0644]
auth_mellon.conf [new file with mode: 0644]
mellon_create_metadata.sh [new file with mode: 0644]
mod_auth_mellon.tmpfiles [new file with mode: 0644]

diff --git a/apache-mod_auth_mellon.spec b/apache-mod_auth_mellon.spec
new file mode 100644 (file)
index 0000000..430ebd4
--- /dev/null
@@ -0,0 +1,62 @@
+%define                mod_name        auth_mellon
+%define        apxs            %{_sbindir}/apxs
+Summary:       A SAML 2.0 authentication module for the Apache Httpd Server
+Name:          apache-mod_%{mod_name}
+Version:       0.7.0
+Release:       1
+License:       GPL v2+
+Group:         Networking/Daemons/HTTP
+Source0:       https://modmellon.googlecode.com/files/mod_auth_mellon-%{version}.tar.gz
+# Source0-md5: b1d58363c6feb00a39402b347bc2e17b
+Source1:       auth_mellon.conf
+Source3:       mod_auth_mellon.tmpfiles
+Source4:       mellon_create_metadata.sh
+URL:           https://code.google.com/p/modmellon/
+BuildRequires: %{apxs}
+BuildRequires: apache-devel >= 2.2
+BuildRequires: curl-devel
+BuildRequires: glib2-devel
+BuildRequires: lasso-devel
+BuildRequires: openssl-devel
+BuildRequires: rpmbuild(macros) >= 1.268
+BuildRequires: xmlsec1-devel
+Requires:      apache(modules-api) = %apache_modules_api
+Requires:      lasso >= 2.3.6
+BuildRoot:     %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%define                _pkglibdir      %(%{apxs} -q LIBEXECDIR 2>/dev/null)
+%define                _sysconfdir     %(%{apxs} -q SYSCONFDIR 2>/dev/null)/conf.d
+
+%description
+The mod_auth_mellon module is an authentication service that
+implements the SAML 2.0 federation protocol. It grants access based on
+the attributes received in assertions generated by a IdP server.
+
+%prep
+%setup -q -n mod_%{mod_name}-%{version}
+
+%build
+%configure \
+       APXS=%{apxs}
+%{__make}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT{%{_pkglibdir},%{_sysconfdir},%{systemdtmpfilesdir},%{_libdir}/%{name},/var/run/mod_%{mod_name}}
+
+install -p .libs/mod_%{mod_name}.so $RPM_BUILD_ROOT%{_pkglibdir}
+cp -p %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/90_mod_%{mod_name}.conf
+cp -p %{SOURCE3} $RPM_BUILD_ROOT%{systemdtmpfilesdir}/%{name}.conf
+cp -p %{SOURCE4} $RPM_BUILD_ROOT%{_libdir}
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(644,root,root,755)
+%doc README COPYING
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/*_mod_%{mod_name}.conf
+%attr(755,root,root) %{_pkglibdir}/mod_%{mod_name}.so
+%attr(755,root,root) %{_libdir}/mellon_create_metadata.sh
+%dir %attr(755,http,http) /var/run/mod_%{mod_name}
+%{systemdtmpfilesdir}/%{name}.conf
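Review bot: In `%install`, the `install -d` line creates `%{_libdir}/%{name}`, but the helper script is then copied to `%{_libdir}` itself and listed in `%files` as `%{_libdir}/mellon_create_metadata.sh`, so the directory that was prepared for it stays empty and unpackaged. If the private directory was the intent, the three lines would read `cp -p %{SOURCE4} $RPM_BUILD_ROOT%{_libdir}/%{name}`, `%dir %{_libdir}/%{name}` and `%attr(755,root,root) %{_libdir}/%{name}/mellon_create_metadata.sh`; otherwise drop the unused directory from `install -d`. Separately, the script invokes the `openssl` command-line tool to generate the SP key and certificate, while `Requires:` lists only `apache(modules-api)` and `lasso`, so a runtime dependency on whichever package ships the `openssl` binary looks to be missing.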
diff --git a/auth_mellon.conf b/auth_mellon.conf
new file mode 100644 (file)
index 0000000..4b75e5e
--- /dev/null
@@ -0,0 +1,6 @@
+LoadModule auth_mellon_module modules/mod_auth_mellon.so
+
+<IfModule mod_auth_mellon.c>
+       MellonCacheSize 100
+       MellonLockFile "/var/run/mod_auth_mellon/lock"
+</IfModule>
diff --git a/mellon_create_metadata.sh b/mellon_create_metadata.sh
new file mode 100644 (file)
index 0000000..4eb0baf
--- /dev/null
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+set -e
+
+PROG="$(basename "$0")"
+
+printUsage() {
+    echo "Usage: $PROG ENTITY-ID ENDPOINT-URL"
+    echo ""
+    echo "Example:"
+    echo "  $PROG urn:someservice https://sp.example.org/mellon"
+    echo ""
+}
+
+if [ "$#" -lt 2 ]; then
+    printUsage
+    exit 1
+fi
+
+ENTITYID="$1"
+if [ -z "$ENTITYID" ]; then
+    echo "$PROG: An entity ID is required." >&2
+    exit 1
+fi
+
+BASEURL="$2"
+if [ -z "$BASEURL" ]; then
+    echo "$PROG: The URL to the MellonEndpointPath is required." >&2
+    exit 1
+fi
+
+if ! echo "$BASEURL" | grep -q '^https\?://'; then
+    echo "$PROG: The URL must start with \"http://\" or \"https://\"." >&2
+    exit 1
+fi
+
+HOST="$(echo "$BASEURL" | sed 's#^[a-z]*://\([^/]*\).*#\1#')"
+BASEURL="$(echo "$BASEURL" | sed 's#/$##')"
+
+OUTFILE="$(echo "$ENTITYID" | sed 's/[^A-Za-z.]/_/g' | sed 's/__*/_/g')"
+echo "Output files:"
+echo "Private key:               $OUTFILE.key"
+echo "Certificate:               $OUTFILE.cert"
+echo "Metadata:                  $OUTFILE.xml"
+echo "Host:                      $HOST"
+echo
+echo "Endpoints:"
+echo "SingleLogoutService:       $BASEURL/logout"
+echo "AssertionConsumerService:  $BASEURL/postResponse"
+echo
+
+# No files should not be readable by the rest of the world.
+umask 0077
+
+TEMPLATEFILE="$(mktemp -t mellon_create_sp.XXXXXXXXXX)"
+
+cat >"$TEMPLATEFILE" <<EOF
+RANDFILE           = /dev/urandom
+[req]
+default_bits       = 2048
+default_keyfile    = privkey.pem
+distinguished_name = req_distinguished_name
+prompt             = no
+policy             = policy_anything
+[req_distinguished_name]
+commonName         = $HOST
+EOF
+
+openssl req -utf8 -batch -config "$TEMPLATEFILE" -new -x509 -days 3652 -nodes -out "$OUTFILE.cert" -keyout "$OUTFILE.key" 2>/dev/null
+
+rm -f "$TEMPLATEFILE"
+
+CERT="$(grep -v '^-----' "$OUTFILE.cert")"
+
+cat >"$OUTFILE.xml" <<EOF
+<EntityDescriptor entityID="$ENTITYID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>$CERT</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$BASEURL/logout"/>
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$BASEURL/postResponse" index="0"/>
+  </SPSSODescriptor>
+</EntityDescriptor>
+EOF
+
+umask 0777
+chmod go+r "$OUTFILE.xml"
+chmod go+r "$OUTFILE.cert"
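Review bot: `$ENTITYID` and `$BASEURL` are expanded into the metadata heredoc (the `entityID=` and `Location=` attributes) with no XML escaping, so an argument containing `"`, `<`, `>` or `&` produces malformed or structurally altered metadata that is later handed to an IdP. The only validation before that point is the `^https\?://` prefix test, and the same unvalidated value reaches the OpenSSL config as `commonName = $HOST`. I would reject such input right after the URL check, e.g. `case "$ENTITYID$BASEURL" in *[\"\'\<\>\&]*) echo "$PROG: arguments must not contain XML special characters." >&2; exit 1 ;; esac`, or escape the values before writing them. Two smaller points in the key-generation step: `2>/dev/null` on `openssl req` combined with `set -e` makes a failed key generation exit with no message, and the template from `mktemp` is left behind on that path, so a `trap 'rm -f "$TEMPLATEFILE"' EXIT` set right after its creation would be safer than the single `rm -f`.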
diff --git a/mod_auth_mellon.tmpfiles b/mod_auth_mellon.tmpfiles
new file mode 100644 (file)
index 0000000..e68dd80
--- /dev/null
@@ -0,0 +1,2 @@
+# mod_auth_mellon lock file is created in this directory
+d /var/run/mod_auth_mellon 755 http http