From: Russ Allbery Date: Tue, 10 Nov 2009 23:06:21 +0000 (-0800) Subject: Merge branch 'upstream' into debian X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=adcb97428d45b0782af2d88552c78ce86fc17d30;hp=2b8daf0f4fd3e5035ab3babdc76fe676e8823f93;p=shibboleth%2Fsp.git Merge branch 'upstream' into debian Conflicts: shibsp/paths.h --- diff --git a/configs/Makefile.am b/configs/Makefile.am index 5a18b62..ee604e6 100644 --- a/configs/Makefile.am +++ b/configs/Makefile.am @@ -4,8 +4,8 @@ AUTOMAKE_OPTIONS = foreign pkglibdir = ${libdir}/@PACKAGE@ pkglogdir = ${localstatedir}/log/@PACKAGE@ -pkgdocdir = $(datadir)/doc/@PACKAGE@-@PACKAGE_VERSION@ -shirelogdir = ${localstatedir}/log/httpd +pkgdocdir = ${datadir}/doc/@PACKAGE@ +shirelogdir = ${localstatedir}/log/apache2 pkgxmldir = $(datadir)/xml/@PACKAGE@ pkgrundir = $(localstatedir)/run/@PACKAGE@ pkgsysconfdir = $(sysconfdir)/@PACKAGE@ diff --git a/configs/Makefile.in b/configs/Makefile.in index e621f3c..3563195 100644 --- a/configs/Makefile.in +++ b/configs/Makefile.in @@ -162,6 +162,7 @@ FASTCGI_INCLUDE = @FASTCGI_INCLUDE@ FASTCGI_LDFLAGS = @FASTCGI_LDFLAGS@ FASTCGI_LIBS = @FASTCGI_LIBS@ FFLAGS = @FFLAGS@ +GREP = @GREP@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ 
@@ -204,21 +205,9 @@ VERSION = @VERSION@ WANT_SUBDIRS = @WANT_SUBDIRS@ XMLSEC_LIBS = @XMLSEC_LIBS@ XMLTOOLINGXMLDIR = @XMLTOOLINGXMLDIR@ -ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_CXX = @ac_ct_CXX@ ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ -ac_pt_DX_DOT = @ac_pt_DX_DOT@ -ac_pt_DX_DOXYGEN = @ac_pt_DX_DOXYGEN@ -ac_pt_DX_DVIPS = @ac_pt_DX_DVIPS@ -ac_pt_DX_EGREP = @ac_pt_DX_EGREP@ -ac_pt_DX_HHC = @ac_pt_DX_HHC@ -ac_pt_DX_LATEX = @ac_pt_DX_LATEX@ -ac_pt_DX_MAKEINDEX = @ac_pt_DX_MAKEINDEX@ -ac_pt_DX_PDFLATEX = @ac_pt_DX_PDFLATEX@ -ac_pt_DX_PERL = @ac_pt_DX_PERL@ acx_pthread_config = @acx_pthread_config@ am__fastdepCC_FALSE = @am__fastdepCC_FALSE@ am__fastdepCC_TRUE = @am__fastdepCC_TRUE@ @@ -236,23 +225,30 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ +htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ +localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ +psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ sysconfdir = @sysconfdir@ @@ -260,8 +256,8 @@ target_alias = @target_alias@ xs = @xs@ AUTOMAKE_OPTIONS = foreign pkglogdir = ${localstatedir}/log/@PACKAGE@ -pkgdocdir = $(datadir)/doc/@PACKAGE@-@PACKAGE_VERSION@ -shirelogdir = ${localstatedir}/log/httpd +pkgdocdir = ${datadir}/doc/@PACKAGE@ +shirelogdir = ${localstatedir}/log/apache2 pkgxmldir = $(datadir)/xml/@PACKAGE@ pkgrundir = $(localstatedir)/run/@PACKAGE@ pkgsysconfdir = $(sysconfdir)/@PACKAGE@ 
diff --git a/configs/keygen.sh b/configs/keygen.sh index 5ae60db..cd53c9e 100755 --- a/configs/keygen.sh +++ b/configs/keygen.sh @@ -1,5 +1,10 @@ #! /bin/sh +# Added for Debian. The upstream version is installed in /etc/shibboleth and +# for Debian we wanted to move it to /usr/bin, so change directories so that +# it puts files in the correct location. +cd /etc/shibboleth + while getopts h:e:y:bf c do case $c in @@ -26,8 +31,9 @@ if [ -s sp-key.pem -o -s sp-cert.pem ] ; then exit 0 fi +# --fqdn flag added for Debian to generate better names for certificates. if [ -z "$FQDN" ] ; then - FQDN=`hostname` + FQDN=`hostname --fqdn` fi if [ -z "$YEARS" ] ; then diff --git a/configs/metagen.sh b/configs/metagen.sh index faf89af..16c9180 100755 --- a/configs/metagen.sh +++ b/configs/metagen.sh @@ -1,4 +1,4 @@ -#! /bin/sh +#! /bin/bash while getopts a:c:e:h:n:o:s:t: c do diff --git a/configs/native.logger.in b/configs/native.logger.in index 78ff4ff..2927392 100644 --- a/configs/native.logger.in +++ b/configs/native.logger.in 
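Review bot: The added `cd /etc/shibboleth` in the first keygen.sh hunk is unchecked, so if that directory is missing or unreadable the script simply continues and both the `-s sp-key.pem -o -s sp-cert.pem` clobber guard in the next hunk and the key generation itself operate on whatever the caller's current working directory is; the line should be `cd /etc/shibboleth || exit 1`. The same applies to any later relative path in the script, whose body continues outside these hunks.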
@@ -26,10 +26,23 @@ log4j.category.XMLTooling.libcurl=INFO # define the appender -log4j.appender.native_log=org.apache.log4j.RollingFileAppender -log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log -log4j.appender.native_log.maxFileSize=1000000 -log4j.appender.native_log.maxBackupIndex=10 -#log4j.appender.native_log.layout=org.apache.log4j.BasicLayout -log4j.appender.native_log.layout=org.apache.log4j.PatternLayout -log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n +# This is the default, but it's essentially useless under normal +# circumstances since Apache doesn't have access to write to that +# directory. +#log4j.appender.native_log=org.apache.log4j.RollingFileAppender +#log4j.appender.native_log.fileName=@-SHIRELOGDIR-@/native.log +#log4j.appender.native_log.maxFileSize=1000000 +#log4j.appender.native_log.maxBackupIndex=10 +##log4j.appender.native_log.layout=org.apache.log4j.BasicLayout +#log4j.appender.native_log.layout=org.apache.log4j.PatternLayout +#log4j.appender.native_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n + +# Use syslog instead, since then at least the messages will go somewhere. +# That facility is (3 << 3) or LOG_DAEMON, since log4cpp apparently +# doesn't recognize symbolic log facilities. +# +# This is a Debian-specific change. +log4j.appender.native_log=org.apache.log4j.LocalSyslogAppender +log4j.appender.native_log.syslogName=shibboleth-sp +log4j.appender.native_log.facility=24 +log4j.appender.native_log.layout=org.apache.log4j.BasicLayout diff --git a/configs/shibd-debian.in b/configs/shibd-debian.in index 59f0995..6404233 100644 --- a/configs/shibd-debian.in +++ b/configs/shibd-debian.in 
@@ -7,8 +7,8 @@ # Default-Stop: 0 1 6 # Short-Description: Shibboleth 2 Service Provider Daemon # Description: Starts the separate daemon used by the Shibboleth -# Apache module to manage sessions and to retrieve -# attributes from Shibboleth Identity Providers. +# Apache module to manage sessions and to retrieve +# attributes from Shibboleth Identity Providers. ### END INIT INFO # # Written by Quanah Gibson-Mount @@ -29,6 +29,7 @@ DAEMON=@-PREFIX-@/sbin/$NAME SCRIPTNAME=/etc/init.d/$NAME PIDFILE=@-PKGRUNDIR-@/$NAME.pid DAEMON_OPTS="" +DAEMON_USER=_shibd # Force removal of socket DAEMON_OPTS="$DAEMON_OPTS -f" @@ -51,15 +52,39 @@ DAEMON_OPTS="$DAEMON_OPTS -w 30" # Get the setting of VERBOSE and other rcS variables. [ -f /etc/default/rcS ] && . /etc/default/rcS +prepare_environment () { + # Ensure @-PKGRUNDIR-@ exists. /var/run may be on a tmpfs file system. + [ -d '@-PKGRUNDIR-@' ] || mkdir -p '@-PKGRUNDIR-@' + + if [ -n "$DAEMON_USER" ]; then + if DIAG=$(su -s $DAEMON $DAEMON_USER -- -t $DAEMON_OPTS 2>/dev/null); then + # openssl errstr 200100D (hex for 33558541) says: + # error:0200100D:system library:fopen:Permission denied + if echo "$DIAG" | fgrep -q 'ERROR OpenSSL : error code: 33558541 '; then + unset DAEMON_USER + echo "$NAME warning: file permissions require running as root" + else + chown -R "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@' + fi + else + unset DAEMON_USER + echo "$NAME error: unable to run config check as user $DAEMON_USER" + fi + unset DIAG + fi +} + case "$1" in start) + prepare_environment + # Don't start shibd if NO_START is set. if [ "$NO_START" = 1 ] ; then echo "Not starting $DESC (see /etc/default/$NAME)" exit 0 fi echo -n "Starting $DESC: " - start-stop-daemon --start --quiet \ + start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \ --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS echo "$NAME." ;; 
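Review bot: In prepare_environment's outer `else` branch, `unset DAEMON_USER` runs before the message that interpolates it, so the error always reads `... unable to run config check as user ` with an empty name; print first and unset second: `echo "$NAME error: unable to run config check as user $DAEMON_USER"` then `unset DAEMON_USER`. Both failure branches also fall back to starting shibd as root with nothing more than an echo to stdout, which quietly reverses the privilege drop this commit introduces whenever a key or config file has the wrong permissions; refusing to start, or requiring an explicit opt-in in /etc/default/$NAME, would keep that downgrade an administrator's decision and make it visible in the boot log. `chown -R "$DAEMON_USER" '@-PKGRUNDIR-@' '@-PKGLOGDIR-@'` runs as root on every start over trees the unprivileged daemon populates, so chowning just the two directories (no `-R`) limits what a compromised daemon can have re-owned. Finally, the function is called before the `NO_START` check, so the su-based config check executes even when the daemon is configured not to start; moving the `prepare_environment` call below that check (here and in the restart hunk on the next line) avoids that.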
@@ -70,11 +95,13 @@ stop) echo "$NAME." ;; restart|force-reload) + prepare_environment + echo -n "Restarting $DESC: " start-stop-daemon --stop --quiet --pidfile $PIDFILE \ --exec $DAEMON sleep 1 - start-stop-daemon --start --quiet \ + start-stop-daemon --start --quiet ${DAEMON_USER:+--chuid $DAEMON_USER} \ --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS echo "$NAME." ;; diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..8a252eb --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,146 @@ +shibboleth-sp2 (2.3+dfsg-1) UNRELEASED; urgency=low + + [ Russ Allbery ] + * New upstream release. + - SECURITY: Partial fix for improper handling of URLs that could be + abused for script injection and other cross-site scripting attacks. + The complete fix also requires newer xmltooling and opensaml2 + packages. (Closes: #555608, CVE-2009-3300) + * Fix watch file for the new version mangling. + + [ Ferenc Wagner ] + * Run shibd as non-root. + + -- Russ Allbery Tue, 10 Nov 2009 14:55:56 -0800 + +shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low + + * Change the libapache2-mod-shib2 section to httpd, matching override. + * Add a NEWS.Debian entry for libapache2-mod-shib2 that explains the + recommended configuration update for the 2.2 version. Thanks, Scott + Cantor and Kristof BAJNOK. + + -- Russ Allbery Wed, 09 Sep 2009 12:15:08 -0700 + +shibboleth-sp2 (2.2.1+dfsg-1) unstable; urgency=high + + * New upstream release. + - SECURITY: Fix improper handling of certificate names containing nul + characters. + - SECURITY: Correctly validate the use attribute of KeyDescriptors, + preventing use of a key for signing or for encryption if its use + field says it may not be used for that purpose. + - New shib-metagen script for generating Shibboleth SP metadata. + - Support preserving form data across user authentication. + - Support internal server redirection while maintaining protection. + - Fix incompatibility between lazy sessions and servlet containers. + - Fix some problems with dynamic metadata resolution. + - Fix incompatibility with mod_include. + - Fix single logout via SOAP. + - Fix shibd crash with invalid metadata. + - Fix crash in chaining attribute resolver. + - Avoid infinite loop on empty attribute mapped to REMOTE_USER. + - Fix handling of some Unicode data in relaystate data in URLs. + - Correctly return Success to LogoutRequest where appropriate. + - Avoid chunked encoding in back-channel calls. 
+ - Correctly check Recipient values in assertions. + - Fix attributePrefix handling in some contexts. + - Fix generated metadata DiscoveryResponse. + - Fix handling of unsigned responses with encryption. + - Fix handling of InProcess property. + * Rename library package for upstream SONAME bump. + * Tighten build dependencies and schema package dependencies on + opensaml2 and xmltooling. + * Build against Xerces-C 3.0. + * Dynamically determine the Debian and upstream package versions for + get-orig-source from debian/changelog. + * Update libapache2-mod-shib2's README.Debian for changes to the + TestShib web pages. + * Use the automatically-extracted package version as the version number + for the man pages. + * Update standards version to 3.8.3. + - Create /var/run/shibboleth in the init script if it doesn't exist. + - Don't ship /var/run/shibboleth in the package. + - Remove /var/run/shibboleth in postrm if it exists. + + -- Russ Allbery Mon, 07 Sep 2009 16:14:29 -0700 + +shibboleth-sp2 (2.1.dfsg1-2) unstable; urgency=low + + * Redo the variable quoting in doxygen.m4 so that configure can be + rebuilt with Autoconf 2.63. (Closes: #518039) + + -- Russ Allbery Tue, 03 Mar 2009 15:03:10 -0800 + +shibboleth-sp2 (2.1.dfsg1-1) unstable; urgency=low + + [ Russ Allbery ] + * New upstream version. + - New memory cache storage backend. + - Schema validation is now optional. + - Many bug fixes. + * Bump SONAME of libshibsp following upstream's versioning. + * Build-depend on libsaml2-dev >= 2.1 following the upstream spec file + and libxmltooling-dev 1.1 just in case (required by OpenSAML 2.1). + * Fix the name of the tarball created by get-orig-source. + * Logcheck rules. + * Tighten the dependency versioning; the 2.1 SP library requires the + 2.1 schemas from the Shibboleth SP and OpenSAML and the 1.1 schemas + from XMLTooling. + * Remove duplicate Section field for libapache2-mod-shib2. 
+ + [ Ferenc Wagner ] + * Follow the libshibsp1->2 package rename in the dh_makeshlibs invocation. + * Remove the Shibboleth minor version number from README.Debian. + * Comment out the reference to WS-Trust.xsd from the catalog.xml file in + shibboleth-sp2-schemas and document how to enable it again. + + -- Russ Allbery Fri, 27 Feb 2009 20:54:51 -0800 + +shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low + + [ Ferenc Wagner ] + * Rename debian/shib.load to debian/shib2.load to avoid clashing with the + libapache2-mod-shib package. Otherwise its Apache config file breaks our + module. + * Add directory /var/log/shibboleth to libapache2-mod-shib2 (thanks to Peter + Schober for noticing) + + [ Russ Allbery ] + * Add a postinst to disable the old configuration on upgrade and enable + the module if it had been enabled under the old configuration name. + * Wait for shibd to exit on stop or restart. This fixes a bug in + restart that could lead to no new shibd being started because the old + one had not yet exited. + * Fix a syntax error in the shibd man page. + + -- Russ Allbery Tue, 14 Oct 2008 21:47:36 -0700 + +shibboleth-sp2 (2.0.dfsg1-3) unstable; urgency=low + + [ Ferenc Wagner ] + * Avoid brace expansion in debian/rules, dash does not like it. + (Closes: #493408) + + [ Russ Allbery ] + * Add logcheck rules to ignore some of the routine messages from the + Apache module. This only covers startup and teardown; more will + need to be added. + * Fix watch file for new upstream tarball naming. + + -- Russ Allbery Tue, 19 Aug 2008 19:04:35 -0700 + +shibboleth-sp2 (2.0.dfsg1-2) unstable; urgency=low + + * Apply upstream fix for variable sizes in the ODBC code. Fixes a + FTBFS on 64-bit platforms. (Closes: #492101) + + -- Russ Allbery Thu, 24 Jul 2008 08:44:50 -0700 + +shibboleth-sp2 (2.0.dfsg1-1) unstable; urgency=low + + [ Ferenc Wágner ] + * Initial release (Closes: #480290) + + -- Russ Allbery Wed, 25 Jun 2008 20:06:10 -0700 + 
diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..7ed6ff8 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +5 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..1ec8cf9 --- /dev/null +++ b/debian/control 
@@ -0,0 +1,91 @@ +Source: shibboleth-sp2 +Section: web +Priority: extra +Maintainer: Debian Shib Team +Uploaders: Russ Allbery , Ferenc Wagner +Build-Depends: debhelper (>= 5), autotools-dev, autoconf, automake, + libtool, apache2-threaded-dev, doxygen, liblog4cpp5-dev, + libsaml2-dev (>= 2.2), libssl-dev, libxerces-c-dev, + libxml-security-c-dev (>= 1.5), libxmltooling-dev (>= 1.2), + opensaml2-schemas, unixodbc-dev, xmltooling-schemas +Standards-Version: 3.8.3 +Homepage: http://shibboleth.internet2.edu/ +Vcs-Git: git://git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git +Vcs-Browser: http://git.debian.org/?p=pkg-shibboleth/shibboleth-sp2.git + +Package: libapache2-mod-shib2 +Section: httpd +Architecture: any +Depends: adduser, ${shlibs:Depends} +Recommends: apache2, openssl +Conflicts: libapache2-mod-shib +Description: Federated web single sign-on system (Apache module) + The Shibboleth System is a standards based software package for web + single sign-on across or within organizational boundaries. It supports + authorization and attribute exchange using the OASIS SAML 2.0 protocol. + Shibboleth allows sites to make informed authorization decisions for + individual access of protected online resources while allowing users to + establish their identities with their local authentication systems. + . + This package contains the Shibboleth Apache module for service providers + (web servers providing resources protected by Shibboleth) and the + supporting shibd daemon. + +Package: libshibsp3 +Section: libs +Architecture: any +Depends: ${shlibs:Depends}, opensaml2-schemas (>= 2.2), + shibboleth-sp2-schemas (>= 2.2), xmltooling-schemas (>= 1.2) +Description: Federated web single sign-on system (runtime) + The Shibboleth System is a standards based software package for web + single sign-on across or within organizational boundaries. It supports + authorization and attribute exchange using the OASIS SAML 2.0 protocol. 
+ Shibboleth allows sites to make informed authorization decisions for + individual access of protected online resources while allowing users to + establish their identities with their local authentication systems. + . + This package contains the Shibboleth SP runtime library. + +Package: libshibsp-dev +Section: libdevel +Architecture: any +Depends: libshibsp3 (= ${binary:Version}), libsaml2-dev, libxerces-c-dev, + libxmltooling-dev +Suggests: libshib2-doc (= ${source:Version}) +Description: Federated web single sign-on system (development) + The Shibboleth System is a standards based software package for web + single sign-on across or within organizational boundaries. It supports + authorization and attribute exchange using the OASIS SAML 2.0 protocol. + Shibboleth allows sites to make informed authorization decisions for + individual access of protected online resources while allowing users to + establish their identities with their local authentication systems. + . + This package contains the headers and other necessary files to build + applications that use the Shibboleth SP library. + +Package: libshibsp-doc +Section: doc +Architecture: all +Description: Federated web single sign-on system (API docs) + The Shibboleth System is a standards based software package for web + single sign-on across or within organizational boundaries. It supports + authorization and attribute exchange using the OASIS SAML 2.0 protocol. + Shibboleth allows sites to make informed authorization decisions for + individual access of protected online resources while allowing users to + establish their identities with their local authentication systems. + . + This package contains the Shibboleth SP library API documentation. 
+ +Package: shibboleth-sp2-schemas +Section: text +Architecture: all +Conflicts: libapache2-mod-shib +Description: Federated web single sign-on system (schemas) + The Shibboleth System is a standards based software package for web + single sign-on across or within organizational boundaries. It supports + authorization and attribute exchange using the OASIS SAML 2.0 protocol. + Shibboleth allows sites to make informed authorization decisions for + individual access of protected online resources while allowing users to + establish their identities with their local authentication systems. + . + This package contains the additional schemas used by the Shibboleth SP. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..aeac3cd --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,156 @@ +Format-Specification: http://wiki.debian.org/Proposals/CopyrightFormat +Upstream-Author: Internet2 +Packaged-By: Ferenc Wágner +Packaged-Date: Mon, 28 Apr 2008 14:55:31 +0200 +Original-Source-Location: + http://shibboleth.internet2.edu/downloads/shibboleth/cpp/2.1/ + +The original upstream source was repackaged to remove the WS-Trust.xsd +schema, which was not distributed under a DFSG-free license. + +Files: * +Copyright: 2001-2009 Internet2 +License: Apache-2.0 + +Files: */Makefile.in +Copyright: 2001-2009 Internet2 + 2004 Oren Ben-Kiki + 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 + Free Software Foundation, Inc. +License: other + This Makefile.in is free software; the Free Software Foundation + gives unlimited permission to copy and/or distribute it, + with or without modifications, as long as this notice is preserved. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY, to the extent permitted by law; without + even the implied warranty of MERCHANTABILITY or FITNESS FOR A + PARTICULAR PURPOSE. + +Files: ./aclocal.m4 +Copyright: 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 + Free Software Foundation, Inc. +License: other + This file is free software; the Free Software Foundation + gives unlimited permission to copy and/or distribute it, + with or without modifications, as long as this notice is preserved. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY, to the extent permitted by law; without + even the implied warranty of MERCHANTABILITY or FITNESS FOR A + PARTICULAR PURPOSE. + +Files: ./acx_pthread.m4 +Copyright: 2006 Steven G. Johnson +License: GPL-2+ | other + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 2 of the License, or (at your + option) any later version. + . 
+ This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General + Public License for more details. + . + The full text of the GNU General Public License version 2 is available on + Debian systems in /usr/share/common-licenses/GPL-2. + . + As a special exception, the respective Autoconf Macro's copyright owner + gives unlimited permission to copy, distribute and modify the configure + scripts that are the output of Autoconf when processing the Macro. You + need not follow the terms of the GNU General Public License when using or + distributing such scripts, even though portions of the text of the Macro + appear in them. The GNU General Public License (GPL) does govern all + other use of the material that constitutes the Autoconf Macro. + . + This special exception to the GPL applies to versions of the Autoconf + Macro released by the Autoconf Macro Archive. When you make and + distribute a modified version of the Autoconf Macro, you may extend this + special exception to the GPL to apply to your modified version as well. + +Files: ./config.guess, ./config.sub, ./depcomp, ./libtool.m4, ./ltmain.sh, + ./missing +Copyright: 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, + 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +License: GPL-2+ | other + This file is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 2 of the License, or (at your + option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General + Public License for more details. + . 
+ The full text of the GNU General Public License version 2 is available on + Debian systems in /usr/share/common-licenses/GPL-2. + . + As a special exception to the GNU General Public License, if you + distribute this file as part of a program that contains a configuration + script generated by Autoconf, you may include it under the same + distribution terms that you use for the rest of that program. + +Files: ./configure +Copyright: 2003 Free Software Foundation, Inc. +License: other + This configure script is free software; the Free Software Foundation + gives unlimited permission to copy, distribute and modify it. + +Files: ./debian/* +Copyright: 2008 Ferenc Wágner + 2008, 2009 Russ Allbery +License: Expat + +Files: ./doxygen.{am,m4} +Copyright: 2004 Oren Ben-Kiki +License: other + This file is free software; the Free Software Foundation + gives unlimited permission to copy and/or distribute it, + with or without modifications, as long as this notice is preserved. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY, to the extent permitted by law; without + even the implied warranty of MERCHANTABILITY or FITNESS FOR A + PARTICULAR PURPOSE. + +Files: ./install-sh +Copyright: (C) 1994 X Consortium +License: Expat + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + . 
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the complete text of the Apache 2.0 license can be + found in the file /usr/share/common-licenses/Apache-2.0. diff --git a/debian/libapache2-mod-shib2.NEWS b/debian/libapache2-mod-shib2.NEWS new file mode 100644 index 0000000..7a44615 --- /dev/null +++ b/debian/libapache2-mod-shib2.NEWS 
@@ -0,0 +1,33 @@ +shibboleth-sp2 (2.2.1+dfsg-2) unstable; urgency=low + + There are several changes to the configuration syntax and defaults in + Shibboleth 2.2, one of which produce deprecation warnings on startup + until /etc/shibboleth/shibboleth2.xml is updated. + + The most significant change is that tags in the element + should be changed to and a new policy rule added: + + + + + + + + See: + + https://spaces.internet2.edu/display/SHIB2/NativeSPConfigurationChanges + + for all the details and further explanation. + + -- Russ Allbery Tue, 15 Sep 2009 20:44:26 -0700 + +shibboleth-sp2 (2.0.dfsg1-4) unstable; urgency=low + + With this release, the Apache module configuration fragments in + /etc/apache2/mods-available have been renamed to shib2.* from shib.* to + avoid conflicts with libapache2-mod-shib. If you had any customizations + in /etc/apache2/mods-available/shib.load, you will need to move them to + /etc/apache2/mods-available/shib2.load. + + -- Russ Allbery Tue, 14 Oct 2008 20:52:20 -0700 + diff --git a/debian/libapache2-mod-shib2.README.Debian b/debian/libapache2-mod-shib2.README.Debian new file mode 100644 index 0000000..976cdbb --- /dev/null +++ b/debian/libapache2-mod-shib2.README.Debian 
@@ -0,0 +1,149 @@ + Shibboleth 2 SP for Debian + +Introduction + + This package provides the Shibboleth Apache module and accompanying + daemon for a service provider. In Shibboleth terminology, this is a web + server serving some content that should be secured via Shibboleth. In + order for someone to access protected content from a Shibboleth SP, they + will have to authenticate to a Shibboleth IdP (Identity Provider), + either one that the Shibboleth SP points to directly or one that is part + of a federation that is trusted by the Shibboleth SP. + + This is the Shibboleth 2 version of the SP. For the 1.x version of + the Shibboleth SP (if it is still available), see libapache-mod-shib. + +Installation and Configuration + + After installing this package, the module is available but not enabled. + It's not enabled automatically since some configuration is required + before it will work (at least creating a certificate for the SP to use + to authenticate to IdPs). + + To generate a self-signed certificate for the Shibboleth SP, run + shib-keygen. See its manual page for more information. This may or may + not be what you want to do depending on which federation you plan on + joining; some federations may want you to follow other procedures for + generating a certificate. + + The default error messages from Shibboleth are located in + /etc/shibboleth/*.html. The paths to those error messages are + configured in /etc/shibboleth/shibboleth2.xml in the tag. If + you customize them, you may want to copy them somewhere else and change + /etc/shibboleth/shibboleth2.xml to point to the new locations. Also in + that tag you can set the URLs to the logo and style sheet used + by the default errors. 
If you want to use the default URL (under + /shibboleth-sp), add this to your Apache configuration: + + + Allow from all + + Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css + Alias /shibboleth-sp/logo.jpg /usr/share/shibboleth/logo.jpg + + For Shibboleth to work properly, you will need to extensively customize + /etc/shibboleth/shibboleth2.xml for your site. In particular, the + section will have to be customized for the + federations your SP will trust and the section of + needs to list the credentials that your SP will use to + authenticate when communicating with IdPs. Your local site may provide + a standard shibboleth2.xml for you to use. + + Finally, you will want to protect some web content with Shibboleth. The + most basic configuration is: + + + AuthType shibboleth + ShibRequireSession On + require valid-user + + + for some , , or block. You can also put + similar code in an .htaccess file. This will require authorization + using the default federation defined in /etc/shibboleth/shibboleth2.xml. + +Changes in Debian Package + + The logging configuration for the native.log file has been changed to + use syslog, since the upstream default tries to write to a file that + Apache has no privileges to write to. See /etc/shibboleth/native.logger + for more details. If you want the other parts of Shibboleth to also log + to syslog, change the other /etc/shibboleth/*.logger files similarly. + + The WS-Trust.xsd schema, which is needed if you use the ADFS support + and turn on schema validation, was removed from the Debian package for + license reasons. To enable it again, do the following: + + 1. Download the original source from + http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/ + + 2. Extract schemas/WS-Trust.xsd to some convenient location, for + example to /etc/shibboleth/WS-Trust.xsd. + + 3. Copy /usr/share/xml/shibboleth/catalog.xml into /etc/shibboleth. + + 4. Uncomment the WS-Trust line and set its uri attribute: + + + 5. 
Edit /etc/default/shibd to contain + DAEMON_OPTS="$DAEMON_OPTS -x /etc/shibboleth/catalog.xml:/usr/share/xml/opensaml/saml20-catalog.xml:/usr/share/xml/xmltooling/catalog.xml" + + 6. Restart the Shibboleth daemon: /etc/init.d/shibd restart. + +Testing with TestShib + + If you don't have a local Shibboleth Federation you can easily join but + want to test your Shibboleth installation, you can use the TestShib + federation (which exists primarily for this purpose). To do this, use + the following instructions (but test them against the details on the + testshib.org web pages in case anything has changed): + + 1. Go to , click on Register, and log in with + either OpenIDP or ProtectNetwork. If you do not have an identity + with either, create one following the links on that page. + + 2. Click on New Service Provider (unless you've already created an entry + for this host, in which case select Edit and reuse it). Enter your + hostname, your public certificate, and your first and last name, and + then click on Continue. Verify the information and click on Submit. + + 3. Now select Configure, scroll down to Service Provider Configuration, + choose Other for the platform, enter your hostname, and click on + Create Me. Save the resulting configuration file as + /etc/shibboleth/shibboleth2.xml. + + 4. Create some part of your web site that's protected with Shibboleth as + described above, restart Apache with apache2ctl restart, restart + shibd with /etc/init.d/shibd restart, and then go to that URL. You + should be redirected to the testshib.org IdP, and then get a basic + auth dialog box prompting for a username and password. Enter + "myself" and "myself". You should now be redirected back to your + protected page. The best test page to use is a CGI script that + prints out the environment; you can then confirm that you see the + Shibboleth attributes as environment variables. 
If this doesn't work + immediately, wait a few minutes and try again; sometimes the + testshib.org metadata takes a little bit to update. + + These directions should work as of June 2008, but note that the + testshib.org service may have changed since then. TestShib is useful + *only* for testing, not for any production use. Those of us who have + worked on the Debian package are not affiliated with testshib.org, just + personally find it useful, and make no guarantees that it will work + properly. You should read over the shibboleth2.xml file that you + download from testshib.org before using it to make sure that there's + nothing strange in it. + + If the above instructions don't work or there are changes in the + TestShib service, please file a bug against the Debian + libapache2-mod-shib2 package and let us know. + +Further Information + + For further installation information, see: + + https://spaces.internet2.edu/display/SHIB2/Home + + and in particular the "Configuration" link. + + -- Russ Allbery , Fri, 24 Jul 2009 15:21:41 -0700 diff --git a/debian/libapache2-mod-shib2.dirs b/debian/libapache2-mod-shib2.dirs new file mode 100644 index 0000000..d4aa339 --- /dev/null +++ b/debian/libapache2-mod-shib2.dirs @@ -0,0 +1,4 @@ +usr/lib/apache2/modules +usr/share/man/man1 +usr/share/man/man8 +var/log/shibboleth diff --git a/debian/libapache2-mod-shib2.docs b/debian/libapache2-mod-shib2.docs new file mode 100644 index 0000000..ad0e7d1 --- /dev/null +++ b/debian/libapache2-mod-shib2.docs @@ -0,0 +1,3 @@ +doc/CREDITS.txt +doc/README.txt +doc/RELEASE.txt diff --git a/debian/libapache2-mod-shib2.install b/debian/libapache2-mod-shib2.install new file mode 100644 index 0000000..57f7863 --- /dev/null +++ b/debian/libapache2-mod-shib2.install @@ -0,0 +1,9 @@ +debian/tmp/usr/bin +debian/tmp/usr/sbin +debian/tmp/etc/shibboleth +debian/tmp/usr/lib/shibboleth + +debian/shib2.load etc/apache2/mods-available + +doc/logo.jpg usr/share/shibboleth +doc/main.css usr/share/shibboleth 
diff --git a/debian/libapache2-mod-shib2.logcheck.ignore.server b/debian/libapache2-mod-shib2.logcheck.ignore.server new file mode 100644 index 0000000..bdd55fe --- /dev/null +++ b/debian/libapache2-mod-shib2.logcheck.ignore.server @@ -0,0 +1,8 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth\.Config : shibboleth [0-9.]+ library (shutting down|shutdown complete)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth.SessionCache : cleanup thread exiting$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO XMLTooling.XMLToolingConfig : xmltooling [0-9.]+ library shutdown complete$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth\.Config : building ListenerService of type UnixListener\.\.\.$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth\.Config : building RequestMapper of type Native\.\.\.$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth\.Config : building SessionCache of type StorageService\.\.\.$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth\.SessionCache : cleanup thread started\.\.\.run every [0-9]+ secs; timeout after [0-9]+ secs$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ shibboleth-sp: [0-9]+ INFO Shibboleth.SessionCache : purging [0-9]+ old sessions$ diff --git a/debian/libapache2-mod-shib2.postinst b/debian/libapache2-mod-shib2.postinst new file mode 100755 index 0000000..9cd4ce7 --- /dev/null +++ b/debian/libapache2-mod-shib2.postinst 
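Review bot: Three of the eight ignore patterns leave the dot in the logger name unescaped — `Shibboleth.SessionCache` in the second and last lines and `XMLTooling.XMLToolingConfig` in the third — while the neighbouring lines escape it as `Shibboleth\.Config` and `Shibboleth\.SessionCache`. An unescaped dot matches any character, so these three rules are slightly broader than written and inconsistent with the rest of the file; write them as `Shibboleth\.SessionCache` and `XMLTooling\.XMLToolingConfig`. Logcheck ignore rules should be as tight as possible, since anything they match is silently dropped from the report.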
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -e
+
+# Prior to 2.0.dfsg1-4, we named our Apache configuration files shib instead
+# of shib2. We therefore need to unlink the old configuration files, and if
+# they were linked in, we should link in the new ones.
+#
+# We also have to work around a bug in the etch Shibboleth SP 1.x packages
+# that caused them to remove the wrong module configuration and hence not
+# unlink their configuration. If the 1.x configuration is still linked in, it
+# will break the 2.x module, so make sure it's disabled on initial install.
+if [ "$1" = "configure" ] ; then
+ if dpkg --compare-versions "$2" lt-nl 2.0.dfsg1-4 ; then
+ if [ -f /etc/apache2/mods-enabled/shib.load ] ; then
+ a2enmod shib2
+ fi
+ a2dismod shib || true
+ fi
+
+ # Most of the time, this will produce an error message. It only does
+ # anything if we're replacing a broken libapache2-mod-shib package.
+ # Suppress the normally useless error message to not confuse people.
+ if [ -z "$2" ] ; then
+ a2dismod shib 2>/dev/null || true
+ fi
+
+ if ! getent passwd _shibd > /dev/null ; then
+ echo 'Adding system-user for Shibboleth daemon' 1>&2
+ adduser --system --group --quiet --home /var/log/shibboleth \
+ --no-create-home --disabled-login --force-badname _shibd
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/libapache2-mod-shib2.postrm b/debian/libapache2-mod-shib2.postrm
new file mode 100755
index 0000000..976e04f
--- /dev/null
+++ b/debian/libapache2-mod-shib2.postrm
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = purge ] || [ "$1" = remove ] ; then
+ rm -rf /var/run/shibboleth
+fi
+
+#DEBHELPER#
diff --git a/debian/libapache2-mod-shib2.prerm b/debian/libapache2-mod-shib2.prerm
new file mode 100755
index 0000000..5b086be
--- /dev/null
+++ b/debian/libapache2-mod-shib2.prerm
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "remove" ] || [ "$1" = "deconfigure" ] ; then
+ a2dismod shib2 || true
+fi
+
+#DEBHELPER#
+
+exit 0
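Review bot: The postinst creates the `_shibd` system user with `--home /var/log/shibboleth --no-create-home`, but nothing in this script gives that user ownership of `/var/log/shibboleth`, which the `.dirs` file creates and `dh_fixperms` in `debian/rules` will leave owned by root. If `shibd` drops privileges to `_shibd` and writes its log file there, presumably the init script installed from upstream's `shibd-debian` (not part of this diff) fixes the ownership at start — worth confirming; otherwise add `chown _shibd:_shibd /var/log/shibboleth` inside the `configure` branch after the user is created. A one-line comment above the `adduser` call stating where directory ownership is handled would save the next maintainer the same search.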
diff --git a/debian/libapache2-mod-shib2.shibd.default b/debian/libapache2-mod-shib2.shibd.default new file mode 100644 index 0000000..133f110 --- /dev/null +++ b/debian/libapache2-mod-shib2.shibd.default @@ -0,0 +1,11 @@ +# /etc/default/shibd -- Defaults for the shibd init script. -*- sh -*- +# +# This file is sourced by /etc/init.d/shibd and is used to configure the +# behavior of the init script. This file must follow standard POSIX shell +# syntax. + +# To not start shibd at boot, uncomment this line. +#NO_START=1 + +# Replace options passed to shibd by the init script. +#DAEMON_OPTS="" diff --git a/debian/libshibsp-dev.install b/debian/libshibsp-dev.install new file mode 100644 index 0000000..90a4881 --- /dev/null +++ b/debian/libshibsp-dev.install @@ -0,0 +1,2 @@ +debian/tmp/usr/include/* +debian/tmp/usr/lib/lib*.so diff --git a/debian/libshibsp-doc.doc-base b/debian/libshibsp-doc.doc-base new file mode 100644 index 0000000..bef0bee --- /dev/null +++ b/debian/libshibsp-doc.doc-base @@ -0,0 +1,13 @@ +Document: libshib2-doc +Title: Shibboleth2 API documentation +Author: Scott Cantor +Abstract: Doxygen generated HTML documentation of the Shibboleth + library version 2. +Section: Programming/C++ + +Format: HTML +Index: /usr/share/doc/libshibsp-doc/html/index.html +Files: /usr/share/doc/libshibsp-doc/html/*.html + /usr/share/doc/libshibsp-doc/html/*.png + /usr/share/doc/libshibsp-doc/html/*.gif + /usr/share/doc/libshibsp-doc/html/*.css diff --git a/debian/libshibsp-doc.docs b/debian/libshibsp-doc.docs new file mode 100644 index 0000000..ad0e7d1 --- /dev/null +++ b/debian/libshibsp-doc.docs @@ -0,0 +1,3 @@ +doc/CREDITS.txt +doc/README.txt +doc/RELEASE.txt diff --git a/debian/libshibsp-doc.install b/debian/libshibsp-doc.install new file mode 100644 index 0000000..0a48a11 --- /dev/null +++ b/debian/libshibsp-doc.install @@ -0,0 +1 @@ +doc/api/* usr/share/doc/libshibsp-doc 
diff --git a/debian/libshibsp3.install b/debian/libshibsp3.install
new file mode 100644
index 0000000..c45ebcf
--- /dev/null
+++ b/debian/libshibsp3.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/lib*.so.*
diff --git a/debian/man-pages/mdquery.pod b/debian/man-pages/mdquery.pod
new file mode 100644
index 0000000..b51482b
--- /dev/null
+++ b/debian/man-pages/mdquery.pod
@@ -0,0 +1,95 @@ +=head1 NAME + +mdquery - Query Shibboleth metadata + +=head1 SYNOPSIS + +B B<-e> I [B<-a> I] [B<-nostrict>] + +B B<-e> I B<-r> I B<-p> I [B<-a> I] + [B<-ns> I] [B<-nostrict>] + +=head1 DESCRIPTION + +B queries and displays Shibboleth SP metadata. It is primarily a +debugging tool to use in conjunction with advice from the Shibboleth +mantaininers. It can display either the metadata for an entity or the +metadata for a particular role. + +=head1 OPTIONS + +=over 4 + +=item B<-a> I + +Specifies the application ID for which to retrieve metadata. If not given +the default is C. + +=item B<-e> I + +Specifies the entity ID for which to show metadata. Normally this is the +entity descriptor ID for an entity with which one is having a problem +(such as the entity ID for the local SP). + +=item B<-nostrict> + +Relax the strictness of checking (such as of expiration dates). + +=item B<-ns> I + +When retrieving metadata for a particular role, specify the namespace. If +not given, the default is the SAML20MD namespace. + +=item B<-p> I + +Specify a protocol when retrieving metadata for a particular role. +Normally one would use the B<-saml10>, B<-saml11>, or B<-saml2> options to +specify the protocol name, but this option allows an arbitrary protocol to +be specified. + +=item B<-saml10> + +Specify a protocol of SAML 1.0. + +=item B<-saml11> + +Specify a protocol of SAML 1.1. + +=item B<-saml2> + +Specify a protocol of SAML 2.0. + +=item B<-r> I + +Retrieve the metadata for a particular role. Normally one would use the +B<-idp>, B<-aa>, B<-pdp>, or B<-sp> options to specify the role name, but +this option allows an arbitrary role to be specified. + +=item B<-idp> + +Specify a role of IDPSSODescriptor. + +=item B<-aa> + +Specify a role of AttributeAuthorityDescriptor. + +=item B<-pdp> + +Specify a role of PDPDescriptor. + +=item B<-sp> + +Specify a role of SPSSODescriptor. 
+ +=back + +=head1 AUTHOR + +This manual page was written by Russ Allbery for Debian GNU/Linux. + +=head1 COPYRIGHT + +Copyright 2008 Russ Allbery. This manual page is hereby placed into the +public domain by its author. + +=cut diff --git a/debian/man-pages/resolvertest.pod b/debian/man-pages/resolvertest.pod new file mode 100644 index 0000000..8a216ea --- /dev/null +++ b/debian/man-pages/resolvertest.pod @@ -0,0 +1,69 @@ +=head1 NAME + +resolvertest - Test Shibboleth SP attribute resolver + +=head1 SYNOPSIS + +B B<-n> I B<-i> I B<-p> I + [B<-f> I] [B<-a> I] + +B [B<-a> I] < I + +=head1 DESCRIPTION + +B queries the Shibboleth SP attribute resolver and can be +used to test attribute release policies and related configuration for a +Shibboleth SP. Either a name, IdP, and protocol may be specified on the +command-line or B can take an assertion in XML on standard +input. + +=head1 OPTIONS + +=over 4 + +=item B<-a> I + +The application ID. If not given, the default is C. + +=item B<-i> I + +The Identity Provider to query for attributes. + +=item B<-f> I + +The URI for the attribute format. + +=item B<-n> I + +The name to look up. + +=item B<-p> I + +The protocol to use. Normally, one of the B<-saml10>, B<-saml11>, or +B<-saml2> options should be used to specify the protocol, but B<-p> can be +used to specify an arbitrary protocol. + +=item B<-saml10> + +Use the SAML 1.0 protocol. + +=item B<-saml11> + +Use the SAML 1.1 protocol. + +=item B<-saml2> + +Use the SAML 2 protocol. + +=back + +=head1 AUTHOR + +This manual page was written by Russ Allbery for Debian GNU/Linux. + +=head1 COPYRIGHT + +Copyright 2008 Russ Allbery. This manual page is hereby placed into the +public domain by its author. + +=cut diff --git a/debian/man-pages/shib-keygen.pod b/debian/man-pages/shib-keygen.pod new file mode 100644 index 0000000..078e060 --- /dev/null +++ b/debian/man-pages/shib-keygen.pod 
@@ -0,0 +1,83 @@ +=head1 NAME + +shib-keygen - Generate a key pair for a Shibboleth SP + +=head1 SYNOPSIS + +B [B<-bf>] [B<-e> I] [B<-h> I] + [B<-y> I] + +=head1 DESCRIPTION + +Generate a self-signed X.509 certificate for a Shibboleth SP. By default, +the certificate will be for the local fully-qualified (as returned by +C) hostname. An entity ID can be specified with the +B<-e> flag. The B command-line client is used to generate the +key pair. The public certificate will be created in +F and the private key in +F. + +=head1 OPTIONS + +=over 4 + +=item B<-b> + +Suppress all standard error output when creating the certificate. This +option is normally only used by the package build. + +=item B<-e> I + +Add I (which should be a URI) as an alternative name for the +certificate. + +=item B<-f> + +Remove F and F +before generating a new certificate. Without this option, if those files +already exist, B prints an error and exits rather than +overwriting them. + +=item B<-h> I + +Specify the fully-qualified domain name for which to generate a +certificate. If this option isn't given, the hostname defaults to the +result of C. + +=item B<-y> I + +The number of years for which the certificate should be valid. The +default expiration time is ten years into the future. + +=back + +=head1 FILES + +=over 4 + +=item F + +The OpenSSL configuration file used for generating the self-signed +certificate. This configuration file is generated when the script is run +and deleted afterwards. + +=item F + +The public certificate created by this script. + +=item F + +The private key for the certificate created by this script. + +=back + +=head1 AUTHOR + +This manual page was written by Russ Allbery for Debian GNU/Linux. + +=head1 COPYRIGHT + +Copyright 2008 Russ Allbery. This manual page is hereby placed into the +public domain by its author. + +=cut diff --git a/debian/man-pages/shib-metagen.pod b/debian/man-pages/shib-metagen.pod new file mode 100644 index 0000000..3da2cae --- /dev/null 
+++ b/debian/man-pages/shib-metagen.pod 
@@ -0,0 +1,99 @@ +=head1 NAME + +shib-metagen - Generate metadata for a Shibboleth SP + +=head1 SYNOPSIS + +B [B<-c> I [B<-c> I ...]] [B<-e> I] + [B<-h> I [B<-h> I ...]] [B<-n> I [B<-n> I ...]] + [B<-o> I] [B<-a> I [B<-a> I ...]] + [B<-s> I [B<-s> I ...]] + [B<-t> I [B<-t> I ...]] + +=head1 DESCRIPTION + +Generate metadata for a Shibboleth SP. The metadata is printed to +standard output. Most of the parameters are optional, but at least one of +B<-h> or B<-n> must be given to specify the hostname to use in +constructing URLs for the Shibboleth service for the SP. Other metadata +can be added by using the other command-line parameters. Most parameters +can be given multiple times. + +=head1 OPTIONS + +=over 4 + +=item B<-a> I + +An administrative contact for this Shibboleth SP. This option may be +omitted, in which case administrative contact metadata is not included, or +may be given multiple times to list multiple contacts. I should be +in the form C/I/I> where I is the given name +and I is the surname. + +=item B<-c> I + +Specifies the SSL certificate used to identify this Shibboleth SP. This +option may be given multiple times to specify multiple certificates. If +it is not given, the default certificate is F in the current +working directory. + +=item B<-e> I + +The entity ID for this SP. This must be a unique identifier for this SP +and must be a URL. If B<-o> is given, it is used as the URL for the +organization running this Shibboleth SP. If it is not specified, it +defaults to C/shibboleth> where I is the argument to +the first B<-h> option. + +=item B<-h> I + +A hostname for this SP (possibly a virtual host). Either this option or +B<-n> must be specified at least once. It should be repeated for every +virtual host that responds to the Shibboleth protocol. B<-h> should be +used for hostnames or virtual hosts that use SSL. + +=item B<-n> I + +A hostname for this SP (possibly a virtual host). Either this option or +B<-h> must be specified at least once. 
It should be repeated for every +virtual host that responds to the Shibboleth protocol. B<-n> should be +used for hostnames or virtual hosts that do not use SSL to protect the +Shibboleth communication. + +=item B<-o> I + +The name of the organization that runs this Shibboleth SP. This option +may be given only once and may be omitted, in which case organization +metadata is not included. This is normally not necessary but may be used +by other software systems for purposes such as displaying lists of +entities with human-readable names. + +=item B<-s> I + +A support contact for this Shibboleth SP. This option may be omitted, in +which case support contact metadata is not included, or may be given +multiple times to list multiple contacts. I should be in the +form C/I/I> where I is the given name and +I is the surname. + +=item B<-t> I + +A technical contact for this Shibboleth SP. This option may be omitted, +in which case technical contact metadata is not included, or may be given +multiple times to list multiple contacts. I should be in the form +C/I/I> where I is the given name and I +is the surname. + +=back + +=head1 AUTHOR + +This manual page was written by Russ Allbery for Debian GNU/Linux. + +=head1 COPYRIGHT + +Copyright 2009 Russ Allbery. This manual page is hereby placed into the +public domain by its author. + +=cut diff --git a/debian/man-pages/shibd.pod b/debian/man-pages/shibd.pod new file mode 100644 index 0000000..3769121 --- /dev/null +++ b/debian/man-pages/shibd.pod 
@@ -0,0 +1,84 @@ +=head1 NAME + +shibd - Shibboleth daemon + +=head1 SYNOPSIS + +shibd [B<-tfFvh>] [B<-c> I] [B<-d> I] [B<-p> I] +[B<-w> I] [B<-x> I] + +=head1 DESCRIPTION + +B is the Shibboleth daemon. It handles attribute requests from the +Apache Shibboleth module and should run in conjunction with it. + +=head1 OPTIONS + +B takes the following command-line options. + +=over 4 + +=item B<-c> I + +Specifies the pathname of B's configuration file. Defaults to +/etc/shibboleth/shibboleth2.xml or the value of the SHIBSP_CONFIG +environment variable, if it is set. + +=item B<-d> I + +Installation prefix. Defaults to /usr. + +=item B<-F> + +Stay in the foreground. Normally, B backgrounds itself after +starting up. + +=item B<-f> + +Force removal of listener socket. + +=item B<-h> + +Prints out a brief summary of the shibboleth options. + +=item B<-p> I + +Specifies the pathname to use to write out the shibboleth PID file. + +=item B<-w> I + +Seconds to wait for the background B to start up before the +foreground process returns. If not set, the default value is three +seconds. + +=item B<-t> + +Validates the general correctness of the configuration. Not all problems +can be detected this way, but the chance of successful startup is high if +the checking process does not log any errors. + +=item B<-v> + +Prints out the version string. + +=item B<-x> I + +Specifies the XML schema catalog to use. Defaults to +/usr/share/xml/shibboleth/catalog.xml. + +=back + +=head1 AUTHORS + +shibd is part of the Internet 2 Shibboleth project written by +Scott Cantor . + +=head1 COPYRIGHT AND LICENSE + +Copyright 2005, 2006 +Internet2/MACE + +This program is free software; you may redistribute it and/or modify it +under the terms of the Apache 2.0 License . + +=cut diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..b37a9dd --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,157 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +# This has to be exported to make some magic below work. +export DH_OPTIONS + +CFLAGS = -g +CXXFLAGS = -g +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + DEBUG = --enable-debug +else + DEBUG = +endif + +# Tell Autoconf the correct system types. +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) + SYSTEM = --build $(DEB_HOST_GNU_TYPE) +else + SYSTEM = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE) +endif + +# These variable is used only by get-orig-source, which will normally only be +# run by maintainers. +DEBVERS := $(shell dpkg-parsechangelog | grep ^Version: | cut -d' ' -f2 \ + | cut -d- -f1) +VERSION := $(shell echo '$(DEBVERS)' | sed -e 's/[+-].*//' -e 's/~//g') +URL = http://shibboleth.internet2.edu/downloads/shibboleth/cppsp + +# Download the upstream source and do the repackaging that we have to do for +# DFSG reasons. Depends on wget. 
+get-orig-source: + wget $(URL)/$(VERSION)/shibboleth-sp-$(VERSION).tar.gz + tar xfz shibboleth-sp-$(VERSION).tar.gz + rm shibboleth-sp-$(VERSION).tar.gz + rm shibboleth-$(VERSION)/schemas/WS-Trust.xsd + mv shibboleth-$(VERSION) shibboleth-sp2_$(DEBVERS).orig + tar cf shibboleth-sp2_$(DEBVERS).orig.tar \ + shibboleth-sp2_$(DEBVERS).orig + rm -r shibboleth-sp2_$(DEBVERS).orig + gzip -9 shibboleth-sp2_$(DEBVERS).orig.tar + +configure: configure-stamp +configure-stamp: + dh_testdir + cp /usr/share/misc/config.guess config.guess + cp /usr/share/misc/config.sub config.sub + rm -f libtool.m4 + libtoolize --force + autoreconf --force + rm -rf autom4te.cache + CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" ./configure --prefix=/usr \ + --sysconfdir=/etc --libexecdir=/usr/lib/shibboleth \ + --localstatedir=/var --enable-apache-22 \ + --with-apxs2=/usr/bin/apxs2 --disable-dependency-tracking \ + $(SYSTEM) + touch $@ + +build: build-arch build-indep +build-arch: build-stamp +build-indep: +build-stamp: configure-stamp + dh_testdir + $(MAKE) + touch $@ + +clean: + dh_testdir + dh_testroot + rm -f configure-stamp build-stamp install-stamp + [ ! -f Makefile ] || $(MAKE) distclean + find . 
-name Makefile.in -print0 | xargs -0r rm + dh_clean aclocal.m4 config.h config.h.in config.status configure \ + config.guess config.sub libtool.m4 ltmain.sh \ + debian/libapache2-mod-shib2.shibd.init + +install: install-stamp +install-stamp: + dh_testdir + dh_testroot + dh_clean -k + $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install + rm -r $(CURDIR)/debian/tmp/usr/share/doc/shibboleth* + rm -r $(CURDIR)/debian/tmp/var/run + rm $(CURDIR)/debian/tmp/etc/shibboleth/*.dist + rm $(CURDIR)/debian/tmp/etc/shibboleth/*.config + rm $(CURDIR)/debian/tmp/etc/shibboleth/shibd-osx.plist + rm $(CURDIR)/debian/tmp/etc/shibboleth/shibd-redhat + rm $(CURDIR)/debian/tmp/etc/shibboleth/shibd-suse + rm $(CURDIR)/debian/tmp/etc/shibboleth/sp-*.pem + chmod +x $(CURDIR)/debian/tmp/etc/shibboleth/keygen.sh + mv $(CURDIR)/debian/tmp/etc/shibboleth/keygen.sh \ + $(CURDIR)/debian/tmp/usr/sbin/shib-keygen + mv $(CURDIR)/debian/tmp/etc/shibboleth/metagen.sh \ + $(CURDIR)/debian/tmp/usr/bin/shib-metagen + mv $(CURDIR)/debian/tmp/etc/shibboleth/shibd-debian \ + $(CURDIR)/debian/libapache2-mod-shib2.shibd.init + dh_installdirs -s -i + mv $(CURDIR)/debian/tmp/usr/lib/shibboleth/mod_shib_22.so \ + $(CURDIR)/debian/libapache2-mod-shib2/usr/lib/apache2/modules + rm $(CURDIR)/debian/tmp/usr/lib/shibboleth/mod_shib_22.la + pod2man $(CURDIR)/debian/man-pages/mdquery.pod --section 1 \ + --center 'Shibboleth' --release $(VERSION) \ + $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man1/mdquery.1 + pod2man $(CURDIR)/debian/man-pages/resolvertest.pod --section 1 \ + --center 'Shibboleth' --release $(VERSION) \ + $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man1/resolvertest.1 + pod2man $(CURDIR)/debian/man-pages/shib-metagen.pod --section 1 \ + --center 'Shibboleth' --release $(VERSION) \ + $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man1/shib-metagen.1 + pod2man $(CURDIR)/debian/man-pages/shib-keygen.pod --section 8 \ + --center 'Shibboleth' --release $(VERSION) \ + 
$(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man8/shib-keygen.8 + pod2man $(CURDIR)/debian/man-pages/shibd.pod --section 8 \ + --center 'Shibboleth' --release $(VERSION) \ + $(CURDIR)/debian/libapache2-mod-shib2/usr/share/man/man8/shibd.8 + dh_install -s -i --fail-missing + touch $@ + +binary: binary-arch binary-indep +binary-arch: DH_OPTIONS=-a +binary-arch: install-stamp + dh_testdir + dh_testroot + dh_installchangelogs + dh_installdocs -A doc/NOTICE.txt + dh_installinit --name=shibd + dh_installlogcheck + dh_strip + dh_compress + dh_fixperms + DH_OPTIONS="" dh_makeshlibs -plibshibsp3 + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary-indep: DH_OPTIONS=-i +binary-indep: install-stamp + dh_testdir + dh_testroot + dh_installchangelogs + dh_installdocs -A doc/NOTICE.txt + dh_compress + dh_fixperms + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb + +.PHONY: binary binary-arch binary-indep build build-arch build-indep clean +.PHONY: install diff --git a/debian/shib2.load b/debian/shib2.load new file mode 100644 index 0000000..ae274ea --- /dev/null +++ b/debian/shib2.load @@ -0,0 +1 @@ +LoadModule mod_shib /usr/lib/apache2/modules/mod_shib_22.so diff --git a/debian/shibboleth-sp2-schemas.install b/debian/shibboleth-sp2-schemas.install new file mode 100644 index 0000000..ef73d02 --- /dev/null +++ b/debian/shibboleth-sp2-schemas.install @@ -0,0 +1 @@ +debian/tmp/usr/share/xml/shibboleth diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..12dfb23 --- /dev/null +++ b/debian/watch @@ -0,0 +1,4 @@ +version=3 +opts=dversionmangle=s/\+dfsg\d*$// \ + http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/(2[\d.]+)/ \ + shibboleth-(?:sp-)?([\d.]+)\.tar\.gz diff --git a/schemas/Makefile.am b/schemas/Makefile.am index 561e87f..2651b14 100644 --- a/schemas/Makefile.am +++ b/schemas/Makefile.am 
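Review bot: `DEBUG` is set to `--enable-debug` when `noopt` appears in `DEB_BUILD_OPTIONS`, but it is never referenced again — the `./configure` invocation in the `configure-stamp` recipe ends with `$(SYSTEM)` and does not pass it, so the variable has no effect; either append `$(DEBUG)` after `$(SYSTEM)` on that line or drop the `ifneq` block. Separately, `get-orig-source` fetches the upstream tarball with `wget` over plain `http://` and repackages it without any integrity check; if upstream publishes a signature or checksum for the release, verifying it before the `tar xfz` step would protect the repackaged `.orig.tar.gz` against a tampered download. That target is maintainer-only, so this is a supply-chain hardening note rather than a build defect.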
@@ -12,8 +12,7 @@ schemafiles = \
 shibboleth-2.0-afp-mf-basic.xsd \
 shibboleth-2.0-afp-mf-saml.xsd \
 shibboleth-2.0-attribute-map.xsd \
- shibboleth-2.0-sp-notify.xsd \
- WS-Trust.xsd
+ shibboleth-2.0-sp-notify.xsd
 pkgxml_DATA = \
 catalog.xml \
diff --git a/schemas/catalog.xml.in b/schemas/catalog.xml.in
index e59eb48..d483854 100644
--- a/schemas/catalog.xml.in
+++ b/schemas/catalog.xml.in
@@ -8,5 +8,7 @@
+
diff --git a/shibsp/paths.h b/shibsp/paths.h
index 2f9ac99..c319ac6 100644
--- a/shibsp/paths.h
+++ b/shibsp/paths.h
@@ -24,7 +24,7 @@
 #define __shibsp_paths_h__
 /** Default schema catalogs. */
-#define SHIBSP_SCHEMAS "/opt/shibboleth-sp/share/xml/xmltooling/catalog.xml:/opt/shibboleth-sp/share/xml/opensaml/saml20-catalog.xml:/opt/shibboleth-sp/share/xml/opensaml/saml11-catalog.xml:/opt/shibboleth-sp/share/xml/shibboleth/catalog.xml"
+#define SHIBSP_SCHEMAS "/usr/share/xml/xmltooling/catalog.xml:/usr/share/xml/opensaml/saml20-catalog.xml:/usr/share/xml/opensaml/saml11-catalog.xml:/usr/share/xml/shibboleth/catalog.xml"
 /** Default name of SP configuration file. */
 #define SHIBSP_CONFIG "shibboleth2.xml"
@@ -33,21 +33,21 @@
 #define SHIBSP_LOGGING "console.logger"
 /** Default prefix for installation (used to resolve relative paths). */
-#define SHIBSP_PREFIX "/opt/shibboleth-sp"
+#define SHIBSP_PREFIX "/usr"
 /** Library directory for installation (used to resolve relative paths). */
-#define SHIBSP_LIBDIR "/opt/shibboleth-sp/lib"
+#define SHIBSP_LIBDIR "/usr/lib"
 /** Log directory for installation (used to resolve relative paths). */
-#define SHIBSP_LOGDIR "/opt/shibboleth-sp/var/log"
+#define SHIBSP_LOGDIR "/var/log/shibboleth"
 /** Configuration directory for installation (used to resolve relative paths). */
-#define SHIBSP_CFGDIR "/opt/shibboleth-sp/etc"
+#define SHIBSP_CFGDIR "/etc/shibboleth"
 /** Runtime state directory for installation (used to resolve relative paths). */
-#define SHIBSP_RUNDIR "/opt/shibboleth-sp/var/run"
+#define SHIBSP_RUNDIR "/var/run/shibboleth"
 /** XML directory for installation (used to resolve relative paths). */
-#define SHIBSP_XMLDIR "/opt/shibboleth-sp/share/xml"
+#define SHIBSP_XMLDIR "/usr/share/xml/shibboleth"
 #endif /* __shibsp_paths_h__ */
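Review bot: `SHIBSP_LIBDIR` becomes `/usr/lib`, while `debian/rules` configures with `--libexecdir=/usr/lib/shibboleth` and the module and plugin objects are installed from `debian/tmp/usr/lib/shibboleth`. The comment on that line says the value is used to resolve relative paths, so if extension paths resolve against `SHIBSP_LIBDIR`, a relative plugin path would land under `/usr/lib` rather than `/usr/lib/shibboleth`; confirm how upstream derives this value (presumably by configure substitution from libdir or libexecdir) and, if the libexec directory is intended, change the line to `#define SHIBSP_LIBDIR "/usr/lib/shibboleth"`. Since this header now hard-codes the Debian layout, a short comment at the top of the block — noting that these values must stay in sync with the `--prefix`, `--libexecdir` and `--localstatedir` arguments in `debian/rules` and with `SHIBSP_RUNDIR` being the directory `postrm` removes — would help at the next upstream merge.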