From: Sam Hartman Date: Wed, 15 Dec 2010 02:12:43 +0000 (-0500) Subject: Merge in upstream/2.4+dfsg into experimental. X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=02d51181ac49dc3d4002ee0a390615c7f03633c5;hp=-c;p=shibboleth%2Fsp.git Merge in upstream/2.4+dfsg into experimental. --- 02d51181ac49dc3d4002ee0a390615c7f03633c5 diff --combined configs/Makefile.am index ee604e6,38f1446..5858307 --- a/configs/Makefile.am +++ b/configs/Makefile.am @@@ -1,11 -1,11 +1,11 @@@ - ## $Id: Makefile.am 3168 2009-10-31 20:34:11Z cantor $ + ## $Id: Makefile.am 3293 2010-08-13 04:23:23Z cantor $ AUTOMAKE_OPTIONS = foreign pkglibdir = ${libdir}/@PACKAGE@ pkglogdir = ${localstatedir}/log/@PACKAGE@ - pkgdocdir = ${datadir}/doc/@PACKAGE@ -pkgdocdir = $(datadir)/doc/@PACKAGE@-@PACKAGE_VERSION@ -shirelogdir = ${localstatedir}/log/httpd ++pkgdocdir = $(datadir)/doc/@PACKAGE@ +shirelogdir = ${localstatedir}/log/apache2 pkgxmldir = $(datadir)/xml/@PACKAGE@ pkgrundir = $(localstatedir)/run/@PACKAGE@ pkgsysconfdir = $(sysconfdir)/@PACKAGE@ @@@ -35,7 -35,10 +35,10 @@@ CONFIGFILES = shibboleth2.xml \ attribute-map.xml \ attribute-policy.xml \ + protocols.xml \ + security-policy.xml \ example-metadata.xml \ + example-shibboleth2.xml \ console.logger \ syslog.logger \ accessError.html \ diff --combined configs/keygen.sh index e68607c,4ee69f6..bb89e80 --- a/configs/keygen.sh +++ b/configs/keygen.sh @@@ -1,39 -1,39 +1,44 @@@ #! /bin/sh +# Added for Debian. The upstream version is installed in /etc/shibboleth and +# for Debian we wanted to move it to /usr/bin, so change directories so that +# it puts files in the correct location. +cd /etc/shibboleth - - while getopts h:e:y:bf c + while getopts h:u:g:o:e:y:bf c do case $c in + u) USER=$OPTARG;; + g) GROUP=$OPTARG;; + o) OUT=$OPTARG;; b) BATCH=1;; f) FORCE=1;; h) FQDN=$OPTARG;; e) ENTITYID=$OPTARG;; y) YEARS=$OPTARG;; - \?) echo keygen [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert] + \?) 
echo "keygen [-o output directory (default .)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]" exit 1;; esac done + if [ -z "$OUT" ] ; then + OUT=. + fi if [ -n "$FORCE" ] ; then - rm sp-key.pem sp-cert.pem + rm $OUT/sp-key.pem $OUT/sp-cert.pem fi - if [ -s sp-key.pem -o -s sp-cert.pem ] ; then + if [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then if [ -z "$BATCH" ] ; then - echo The files sp-key.pem and/or sp-cert.pem already exist! + echo The files $OUT/sp-key.pem and/or $OUT/sp-cert.pem already exist! echo Use -f option to force recreation of keypair. exit 2 fi exit 0 fi +# --fqdn flag added for Debian to generate better names for certificates. if [ -z "$FQDN" ] ; then - FQDN=`hostname` + FQDN=`hostname --fqdn` fi if [ -z "$YEARS" ] ; then @@@ -48,7 -48,8 +53,8 @@@ els ALTNAME=DNS:$FQDN,URI:$ENTITYID fi - cat >sp-cert.cnf <$SSLCNF < /dev/null + openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem 2> /dev/null fi + rm $SSLCNF - rm sp-cert.cnf + if [ -s $OUT/sp-key.pem -a -n "$USER" ] ; then + chown $USER $OUT/sp-key.pem $OUT/sp-cert.pem + fi + + if [ -s $OUT/sp-key.pem -a -n "$GROUP" ] ; then + chgrp $GROUP $OUT/sp-key.pem $OUT/sp-cert.pem + fi diff --combined configs/metagen.sh index 16c9180,e460240..ce71382 --- a/configs/metagen.sh +++ b/configs/metagen.sh @@@ -1,23 -1,55 +1,55 @@@ -#! /bin/sh +#! 
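Review bot: The Debian-added `cd /etc/shibboleth` at the top of the hunk is unchecked, so if that directory is missing or unreadable the script carries on and writes sp-key.pem into whatever the caller's working directory was, and the new `-o` default of `.` is now relative to /etc/shibboleth rather than to the invoking directory, which the usage string does not say. Make the failure fatal, `cd /etc/shibboleth || exit 1`, and either state the relative-path behaviour in the `-o` usage text or resolve a relative `$OUT` before the cd. `$OUT` is also unquoted in the `rm` and `-s` tests, so an output directory containing whitespace misbehaves; write `"$OUT/sp-key.pem"`. `hostname --fqdn` is a GNU-only flag, fine for Debian but worth a one-line comment since upstream uses bare `hostname`.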
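Review bot: The `openssl req` call's exit status is never checked and its stderr goes to /dev/null, so a failed key generation still leaves the script exiting 0 (its status is that of the trailing `if`), which a package postinst or automation cannot detect; capture it, e.g. `openssl req ... 2>/dev/null || { rm -f "$SSLCNF"; exit 3; }`. The private key is written with whatever mode the caller's umask and the OpenSSL version produce, and the new `chown`/`chgrp` lines only change ownership; adding `umask 077` before the openssl call (or `chmod 600 "$OUT/sp-key.pem"` afterwards) makes the key's permissions independent of the environment. How `$SSLCNF` is created is not visible in this collapsed hunk, so whether the temporary config file is made safely cannot be judged from here.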
/bin/bash - while getopts a:c:e:h:n:o:s:t: c + DECLS=1 + + SAML1=0 + SAML2=0 + ARTIFACT=0 + DS=0 + LOGOUT=0 + NAMEIDMGMT=0 + + SAML10PROT="urn:oasis:names:tc:SAML:1.0:protocol" + SAML11PROT="urn:oasis:names:tc:SAML:1.1:protocol" + SAML20PROT="urn:oasis:names:tc:SAML:2.0:protocol" + + SAML20SOAP="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" + SAML20REDIRECT="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" + SAML20POST="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" + SAML20POSTSS="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" + SAML20ART="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" + SAML20PAOS="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" + + SAML1POST="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" + SAML1ART="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" + + while getopts a:c:e:f:h:n:o:s:t:u:12ADLNO c do case $c in - c) CERTS[${#CERTS[*]}]=$OPTARG;; - e) ENTITYID=$OPTARG;; - h) HOSTS[${#HOSTS[*]}]=$OPTARG;; - n) NAKEDHOSTS[${#NAKEDHOSTS[*]}]=$OPTARG;; - o) ORGNAME=$OPTARG;; - a) ADMIN[${#ADMIN[*]}]=$OPTARG;; - s) SUP[${#SUP[*]}]=$OPTARG;; - t) TECH[${#TECH[*]}]=$OPTARG;; - \?) echo metagen -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID] - exit 1;; + c) CERTS[${#CERTS[*]}]=$OPTARG;; + e) ENTITYID=$OPTARG;; + f) FORMATS[${#FORMATS[*]}]=$OPTARG;; + h) HOSTS[${#HOSTS[*]}]=$OPTARG;; + n) NAKEDHOSTS[${#NAKEDHOSTS[*]}]=$OPTARG;; + o) ORGNAME=$OPTARG;; + a) ADMIN[${#ADMIN[*]}]=$OPTARG;; + s) SUP[${#SUP[*]}]=$OPTARG;; + t) TECH[${#TECH[*]}]=$OPTARG;; + u) URL=$OPTARG;; + 1) SAML1=1;; + 2) SAML2=1;; + A) ARTIFACT=1;; + D) DS=1;; + L) LOGOUT=1;; + N) NAMEIDMGMT=1;; + O) DECLS=0;; + \?) echo metagen [-12ADLNO] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID] + exit 1;; esac done if [ ${#HOSTS[*]} -eq 0 -a ${#NAKEDHOSTS[*]} -eq 0 ] ; then - echo metagen -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-e entityID] + echo metagen [-12ADLN] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] 
[-e entityID] exit 1 fi @@@ -34,12 -66,87 +66,87 @@@ d done if [ -z $ENTITYID ] ; then - ENTITYID=https://${HOSTS[0]}/shibboleth + if [ ${#HOSTS[*]} -eq 0 ] ; then + ENTITYID=https://${NAKEDHOSTS[0]}/shibboleth + else + ENTITYID=https://${HOSTS[0]}/shibboleth + fi + fi + + # Establish protocols and bindings. + + if [ $SAML1 -eq 0 -a $SAML2 -eq 0 ] ; then + SAML1=1 + SAML2=1 + fi + + if [ $LOGOUT -eq 1 -o $NAMEIDMGMT -eq 1 ] ; then + SAML2=1 + SLO[${#SLO[*]}]=$SAML20SOAP + SLO[${#SLO[*]}]=$SAML20REDIRECT + SLO[${#SLO[*]}]=$SAML20POST + SLOLOC[${#SLOLOC[*]}]="SOAP" + SLOLOC[${#SLOLOC[*]}]="Redirect" + SLOLOC[${#SLOLOC[*]}]="POST" + if [ $ARTIFACT -eq 1 ] ; then + SLO[${#SLO[*]}]=$SAML20ART + SLOLOC[${#SLOLOC[*]}]="Artifact" + fi + fi + + if [ $SAML1 -eq 1 -a $SAML2 -eq 1 ] ; then + PROTENUM="$SAML20PROT $SAML11PROT" + elif [ $SAML1 -eq 1 ] ; then + PROTENUM="$SAML11PROT" + else + PROTENUM="$SAML20PROT" + fi + + if [ $SAML2 -eq 1 ] ; then + ACS[${#ACS[*]}]=$SAML20POST + ACSLOC[${#ACSLOC[*]}]="SAML2/POST" + ACS[${#ACS[*]}]=$SAML20POSTSS + ACSLOC[${#ACSLOC[*]}]="SAML2/POST-SimpleSign" + if [ $ARTIFACT -eq 1 ] ; then + ACS[${#ACS[*]}]=$SAML20ART + ACSLOC[${#ACSLOC[*]}]="SAML2/Artifact" + fi + ACS[${#ACS[*]}]=$SAML20PAOS + ACSLOC[${#ACSLOC[*]}]="SAML2/ECP" + fi + + if [ $SAML1 -eq 1 ] ; then + ACS[${#ACS[*]}]=$SAML1POST + ACSLOC[${#ACSLOC[*]}]="SAML/POST" + if [ $ARTIFACT -eq 1 ] ; then + ACS[${#ACS[*]}]=$SAML1ART + ACSLOC[${#ACSLOC[*]}]="SAML/Artifact" + fi + fi + + if [ $SAML2 -eq 1 ] ; then + ACS[${#ACS[*]}]=$SAML20PAOS + ACSLOC[${#ACSLOC[*]}]="SAML2/ECP" + fi + + if [ $DECLS -eq 1 ] ; then + DECLS="xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" " + if [ $DS -eq 1 ] ; then + DECLS="${DECLS}xmlns:disco=\"urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol\" " + fi + else + DECLS="" fi cat < - + + + EOF + + # Discovery BEGIN + if [ $DS -eq 1 ] ; then + + cat << EOF EOF @@@ -47,7 -154,7 +154,7 @@@ count= for h in 
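Review bot: The two usage messages in the hunk disagree: the `\?` case prints `metagen [-12ADLNO] ...` while the no-hosts check below prints `metagen [-12ADLN] ...`, dropping the new `-O` flag, and neither lists `-f`, `-u`, `-n`, `-a`, `-s`, `-t` or `-o`, all of which getopts accepts. Factor the text into one variable so the two cannot drift, `USAGE="metagen [-12ADLNO] -c cert1 [-c cert2 ...] -h host1 [-h host2 ...] [-n nakedhost] [-f format] [-e entityID] [-u orgURL]"`, and echo it from both places. The shebang change to `/bin/bash` is correct, since the array syntax used throughout is not POSIX sh.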
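Review bot: When SAML2 is enabled the PAOS/ECP endpoint is appended to `ACS` twice: once at the end of the first `if [ $SAML2 -eq 1 ]` block, after the POST/Artifact entries, and again in the separate `if [ $SAML2 -eq 1 ]` block that follows the SAML1 section, so the generated metadata carries two AssertionConsumerService entries with the same Binding and Location under different indexes. Unless the duplicate is intended, delete the second block (`if [ $SAML2 -eq 1 ] ; then ACS[${#ACS[*]}]=$SAML20PAOS ACSLOC[${#ACSLOC[*]}]="SAML2/ECP" fi`).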
${HOSTS[@]} do cat << EOF - + EOF let "count++" done @@@ -55,7 -162,7 +162,7 @@@ for h in ${NAKEDHOSTS[@]} do cat << EOF - + EOF let "count++" done @@@ -64,11 -171,14 +171,14 @@@ cat << EO EOF + fi + # Discovery END + for c in ${CERTS[@]} do cat << EOF - + EOF @@@ -81,79 -191,98 +191,98 @@@ cat << EO EOF done + for f in ${FORMATS[@]} + do cat << EOF - - EOF + fi + # NameID Mgmt END - count=0 + index=0 for h in ${HOSTS[@]} do - cat < - - - - - - EOF - let "count+=6" + count=0 + while [ $count -lt ${#ACS[*]} ] + do + cat < + EOF + let "count++" + let "index++" + done done for h in ${NAKEDHOSTS[@]} do - cat < - - - - - - EOF - let "count+=6" + count=0 + while [ $count -lt ${#ACS[*]} ] + do + cat < + EOF + let "count++" + let "index++" + done done cat < $ORGNAME $ORGNAME - $ENTITYID + $URL EOF fi - for c in ${ADMIN[@]} + count=${#ADMIN[*]} + for (( i=0; i ${c[0]} @@@ -182,9 -315,10 +315,10 @@@ EOF done - for c in ${SUP[@]} + count=${#SUP[*]} + for (( i=0; i ${c[0]} @@@ -194,9 -328,10 +328,10 @@@ EOF done - for c in ${TECH[@]} + count=${#TECH[*]} + for (( i=0; i ${c[0]} @@@ -208,4 -343,5 +343,5 @@@ don cat < + EOF diff --combined configs/native.logger.in index 2927392,8c17632..7d2cff2 --- a/configs/native.logger.in +++ b/configs/native.logger.in @@@ -1,5 -1,5 +1,5 @@@ # set overall behavior - log4j.rootCategory=INFO, native_log + log4j.rootCategory=INFO, native_log, warn_log # fairly verbose for DEBUG, so generally leave at INFO log4j.category.XMLTooling.XMLObject=INFO @@@ -26,23 -26,17 +26,29 @@@ log4j.category.XMLTooling.libcurl=INF # define the appender -log4j.appender.native_log=org.apache.log4j.RollingFileAppender -log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log -log4j.appender.native_log.maxFileSize=1000000 -log4j.appender.native_log.maxBackupIndex=10 -log4j.appender.native_log.layout=org.apache.log4j.PatternLayout -log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n +# This is the default, but it's essentially 
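Review bot: `$ORGNAME` and the new `$URL` are substituted into the Organization heredoc without XML escaping, so an organization name or `-u` OrganizationURL containing `&` or `<` (a query string, for instance) produces metadata that will not parse; the heredoc bodies are stripped in this collapsed hunk, so this is inferred from the `$ORGNAME`/`$URL` substitutions that remain visible. A small helper applied at assignment time covers it, e.g. `xmlesc() { printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'; }` with `URL=$(xmlesc "$OPTARG")`. Separately, `$URL` replaces `$ENTITYID` in OrganizationURL while `-u` is optional, so unless the surrounding (stripped) condition already requires `-u`, omitting it now emits an empty OrganizationURL; defaulting `URL` to `$ENTITYID` when unset would keep the previous output.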
useless under normal +# circumstances since Apache doesn't have access to write to that +# directory. +#log4j.appender.native_log=org.apache.log4j.RollingFileAppender +#log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log +#log4j.appender.native_log.maxFileSize=1000000 +#log4j.appender.native_log.maxBackupIndex=10 - ##log4j.appender.native_log.layout=org.apache.log4j.BasicLayout +#log4j.appender.native_log.layout=org.apache.log4j.PatternLayout +#log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n + log4j.appender.warn_log=org.apache.log4j.RollingFileAppender + log4j.appender.warn_log.fileName=@-SHIRELOGDIR-@/native_warn.log + log4j.appender.warn_log.maxFileSize=1000000 + log4j.appender.warn_log.maxBackupIndex=10 + log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout + log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n + log4j.appender.warn_log.threshold=WARN +# Use syslog instead, since then at least the messages will go somewhere. +# That facility is (3 << 3) or LOG_DAEMON, since log4cpp apparently +# doesn't recognize symbolic log facilities. +# +# This is a Debian-specific change. +log4j.appender.native_log=org.apache.log4j.LocalSyslogAppender +log4j.appender.native_log.syslogName=shibboleth-sp +log4j.appender.native_log.facility=24 +log4j.appender.native_log.layout=org.apache.log4j.BasicLayout diff --combined configs/shibd-debian.in index 75c2fa2,59f0995..da41cd2 --- a/configs/shibd-debian.in +++ b/configs/shibd-debian.in @@@ -7,8 -7,8 +7,8 @@@ # Default-Stop: 0 1 6 # Short-Description: Shibboleth 2 Service Provider Daemon # Description: Starts the separate daemon used by the Shibboleth -# Apache module to manage sessions and to retrieve -# attributes from Shibboleth Identity Providers. +# Apache module to manage sessions and to retrieve +# attributes from Shibboleth Identity Providers. 
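Review bot: The merged `warn_log` appender is a RollingFileAppender on `@-SHIRELOGDIR-@/native_warn.log`, which is exactly the file-under-/var/log/apache2 arrangement the Debian comment a few lines above says does not work because the Apache worker cannot write there; with `warn_log` now listed in `log4j.rootCategory`, every WARN/ERROR message will also be attempted on a file that fails to open, and how log4cpp behaves on that failure is not visible here (messages should still reach syslog through `native_log`). Either drop `warn_log` from the root category on Debian, or route it to syslog like `native_log`, `log4j.appender.warn_log=org.apache.log4j.LocalSyslogAppender` with the same `syslogName`/`facility=24` lines and `threshold=WARN` kept. Whichever is chosen, add a one-line comment next to `warn_log` explaining why it differs from upstream, as was done for `native_log`.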
### END INIT INFO # # Written by Quanah Gibson-Mount @@@ -29,7 -29,6 +29,7 @@@ DAEMON=@-PREFIX-@/sbin/$NAM SCRIPTNAME=/etc/init.d/$NAME PIDFILE=@-PKGRUNDIR-@/$NAME.pid DAEMON_OPTS="" +DAEMON_USER=_shibd # Force removal of socket DAEMON_OPTS="$DAEMON_OPTS -f" @@@ -52,64 -51,30 +52,63 @@@ DAEMON_OPTS="$DAEMON_OPTS -w 30 # Get the setting of VERBOSE and other rcS variables. [ -f /etc/default/rcS ] && . /etc/default/rcS +prepare_environment () { + # Ensure @-PKGRUNDIR-@ exists. /var/run may be on a tmpfs file system. + [ -d '@-PKGRUNDIR-@' ] || mkdir -p '@-PKGRUNDIR-@' + + # If $DAEMON_USER is set, try to run shibd as that user. However, + # versions of the Debian package prior to 2.3+dfsg-1 ran shibd as root, + # and the local administrator may not have made the server's private key + # readable by $DAEMON_USER. We therefore test first by running shibd -t + # and looking for the error code indicating that the private key could not + # be read. If we get that error, we fall back on running shibd as root. + if [ -n "$DAEMON_USER" ]; then + DIAG=$(su -s $DAEMON $DAEMON_USER -- -t $DAEMON_OPTS 2>/dev/null) + if [ $? = 0 ] ; then + # openssl errstr 200100D (hex for 33558541) says: + # error:0200100D:system library:fopen:Permission denied + ERROR='ERROR OpenSSL : error code: 33558541 ' + if echo "$DIAG" | fgrep -q "$ERROR" ; then + unset DAEMON_USER + echo "$NAME warning: file permissions require running as root" + else + chown -Rh "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@' + fi + else + unset DAEMON_USER + echo "$NAME error: unable to run config check as user $DAEMON_USER" + fi + unset DIAG + fi +} + case "$1" in start) + prepare_environment + # Don't start shibd if NO_START is set. 
if [ "$NO_START" = 1 ] ; then echo "Not starting $DESC (see /etc/default/$NAME)" exit 0 fi echo -n "Starting $DESC: " - start-stop-daemon --start --quiet \ + start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \ --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS echo "$NAME." ;; stop) echo -n "Stopping $DESC: " start-stop-daemon --stop --quiet --pidfile $PIDFILE \ -- --exec $DAEMON ++ --retry TERM/30/KILL/5 --exec $DAEMON echo "$NAME." ;; restart|force-reload) + prepare_environment - echo -n "Restarting $DESC: " start-stop-daemon --stop --quiet --pidfile $PIDFILE \ --exec $DAEMON sleep 1 - start-stop-daemon --start --quiet \ + start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \ --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS echo "$NAME." ;;
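Review bot: In `prepare_environment` the privilege drop degrades to root on any failure, not only the one the comment documents: the `else` branch for a non-zero `shibd -t` exit unsets `DAEMON_USER` with just an echo, so a broken config, an unreadable metadata file or any other error when running as `_shibd` silently starts the daemon as root. Keep the fallback, if at all, for the documented key-permission match only and make the generic failure fatal, `echo "$NAME error: config check failed as $DAEMON_USER" >&2; exit 1`, so a failed drop is visible rather than a quiet escalation. The match on `error code: 33558541` is tied to one OpenSSL error-code layout, so the comment should record which OpenSSL release it was verified against. The `restart` branch also lacks the `--retry TERM/30/KILL/5` that `stop` gained, so a slow shutdown can race the `sleep 1` and the following start.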