Permit xmltooling to decide which xerces we use
[shibboleth/sp.git] / shibboleth.spec.in
1 Name:           shibboleth-sp
2 Version:        @PACKAGE_VERSION@
3 Release:        1
4 Summary:        Open source system for attribute-based Web SSO
5 Group:          Productivity/Networking/Security
6 Vendor:         Shibboleth Consortium
7 License:        Apache 2.0
8 URL:            http://shibboleth.net/
9 Source:         %{name}-%{version}.tar.gz
10 BuildRoot:      %{_tmppath}/%{name}-%{version}-root
11 Obsoletes:      @PACKAGE_NAME@ < %{version}-%{release}
12 Requires:       openssl
13 PreReq:         xmltooling-schemas, opensaml-schemas
14 %if 0%{?suse_version} > 1030 && 0%{?suse_version} < 1130
15 PreReq:         %{insserv_prereq} %{fillup_prereq}
16 %endif
17 BuildRequires:  libxmltooling-devel >= 1.5
18 BuildRequires:  libsaml-devel >= 2.5
19 %{?_with_log4cpp:BuildRequires: liblog4cpp-devel >= 1.0}
20 %{!?_with_log4cpp:BuildRequires: liblog4shib-devel >= 1.0.4}
21 %if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600
22 Requires:               libcurl-openssl >= 7.21.7
23 BuildRequires:  chrpath
24 %endif
25 BuildRequires:  gcc-c++, zlib-devel, boost-devel >= 1.32.0
26 %{!?_without_doxygen:BuildRequires: doxygen}
27 %{!?_without_odbc:BuildRequires:unixODBC-devel}
28 %{?_with_fastcgi:BuildRequires: fcgi-devel}
29 %if 0%{?centos_version} >= 600
30 BuildRequires:  libmemcached-devel
31 %endif
32 %{?_with_memcached:BuildRequires: libmemcached-devel}
33 %if "%{_vendor}" == "redhat"
34 %{!?_without_builtinapache:BuildRequires: httpd-devel}
35 BuildRequires: redhat-rpm-config
36 Requires(pre): shadow-utils
37 Requires(post): chkconfig
38 Requires(preun): chkconfig, initscripts
39 %endif
40 %if "%{_vendor}" == "suse"
41 Requires(pre): pwdutils
42 %{!?_without_builtinapache:BuildRequires: apache2-devel}
43 %endif
44
45 %define runuser shibd
46 %if "%{_vendor}" == "suse"
47 %define pkgdocdir %{_docdir}/shibboleth
48 %else
49 %define pkgdocdir %{_docdir}/shibboleth-%{version}
50 %endif
51
52 %description
53 Shibboleth is a Web Single Sign-On implementation based on OpenSAML
54 that supports multiple protocols, federated identity, and the extensible
55 exchange of rich attributes subject to privacy controls.
56
57 This package contains the Shibboleth Service Provider runtime libraries,
58 daemon, default plugins, and Apache module(s).
59
60 %package devel
61 Summary:        Shibboleth Development Headers
62 Group:          Development/Libraries/C and C++
63 Requires:       %{name} = %{version}-%{release}
64 Obsoletes:      shibboleth-devel < %{version}-%{release}
65 Requires:       libxmltooling-devel >= 1.5
66 Requires:       libsaml-devel >= 2.5
67 %{?_with_log4cpp:Requires: liblog4cpp-devel >= 1.0}
68 %{!?_with_log4cpp:Requires: liblog4shib-devel >= 1.0.4}
69
70 %description devel
71 Shibboleth is a Web Single Sign-On implementation based on OpenSAML
72 that supports multiple protocols, federated identity, and the extensible
73 exchange of rich attributes subject to privacy controls.
74
75 This package includes files needed for development with Shibboleth.
76
77 %prep
78 %setup -q
79
%build
# Configure against the GSS-API, xmltooling and OpenSAML installs under the
# system prefix. The two branches differ only in how the memcached plugin is
# selected: on CentOS 6+ it is enabled unless _without_memcached is defined,
# elsewhere it is enabled only through the _with_memcached build option.
%if 0%{?centos_version} >= 600
        %configure \
                %{?_without_odbc:--disable-odbc} \
                %{?_without_adfs:--disable-adfs} \
                %{?_with_fastcgi} \
                %{!?_without_memcached:--with-memcached} \
                %{?shib_options} \
                --with-gssapi=%{_prefix} \
                --with-xmltooling=%{_prefix} \
                --with-opensaml=%{_prefix}
%else
        %configure \
                %{?_without_odbc:--disable-odbc} \
                %{?_without_adfs:--disable-adfs} \
                %{?_with_fastcgi} \
                %{?_with_memcached} \
                %{?shib_options} \
                --with-gssapi=%{_prefix} \
                --with-xmltooling=%{_prefix} \
                --with-opensaml=%{_prefix}
%endif
# The documentation directory is vendor-dependent, so hand it to make explicitly.
%{__make} pkgdocdir=%{pkgdocdir}
87
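%install
# Stage the tree into the build root. Every path built from the build root is
# quoted so that a build root containing whitespace or glob characters cannot
# be word-split by the shell.
# NOKEYGEN=1 presumably suppresses key generation at build time (confirm in the
# Makefile); the post-install scriptlet runs keygen.sh on the target host when
# no sp-key.pem exists, so no private key is shipped inside the package.
%{__make} install NOKEYGEN=1 DESTDIR="$RPM_BUILD_ROOT" pkgdocdir=%{pkgdocdir}

%if "%{_vendor}" == "suse"
        # SUSE keeps Apache logs under /var/log/apache2.
        %{__sed} -i "s/\/var\/log\/httpd/\/var\/log\/apache2/g" \
                "$RPM_BUILD_ROOT%{_sysconfdir}/shibboleth/native.logger"
%endif

# Plug the SP into the built-in Apache on a recognized system.
# The tests run from oldest to newest module, so the newest module that was
# built decides which sample configuration is used.
touch rpm.filelist
APACHE_CONFIG="no"
if [ -f "$RPM_BUILD_ROOT%{_libdir}/shibboleth/mod_shib_13.so" ] ; then
        APACHE_CONFIG="apache.config"
fi
if [ -f "$RPM_BUILD_ROOT%{_libdir}/shibboleth/mod_shib_20.so" ] ; then
        APACHE_CONFIG="apache2.config"
fi
if [ -f "$RPM_BUILD_ROOT%{_libdir}/shibboleth/mod_shib_22.so" ] ; then
        APACHE_CONFIG="apache22.config"
fi
if [ -f "$RPM_BUILD_ROOT%{_libdir}/shibboleth/mod_shib_24.so" ] ; then
        APACHE_CONFIG="apache24.config"
fi
%{?_without_builtinapache:APACHE_CONFIG="no"}
if [ "$APACHE_CONFIG" != "no" ] ; then
        # NOTE: these two tests look at the build host's own filesystem, not
        # the build root, so the result depends on what is installed where
        # the package is built.
        APACHE_CONFD="no"
        if [ -d %{_sysconfdir}/httpd/conf.d ] ; then
                APACHE_CONFD="%{_sysconfdir}/httpd/conf.d"
        fi
        if [ -d %{_sysconfdir}/apache2/conf.d ] ; then
                APACHE_CONFD="%{_sysconfdir}/apache2/conf.d"
        fi
        if [ "$APACHE_CONFD" != "no" ] ; then
                %{__mkdir} -p "$RPM_BUILD_ROOT$APACHE_CONFD"
                %{__cp} -p "$RPM_BUILD_ROOT%{_sysconfdir}/shibboleth/$APACHE_CONFIG" "$RPM_BUILD_ROOT$APACHE_CONFD/shib.conf"
                echo "%config(noreplace) $APACHE_CONFD/shib.conf" >> rpm.filelist
        fi
fi

# Establish location of sysconfig file, if any.
SYSCONFIG_SHIBD="no"
%if "%{_vendor}" == "redhat"
        %{__mkdir} -p "$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig"
        echo "%config(noreplace) %{_sysconfdir}/sysconfig/shibd" >> rpm.filelist
        SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/shibd"
%endif
%if "%{_vendor}" == "suse"
        %{__mkdir} -p "$RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates"
        echo "%{_localstatedir}/adm/fillup-templates/sysconfig.shibd" >> rpm.filelist
        SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.shibd"
%endif
if [ "$SYSCONFIG_SHIBD" != "no" ] ; then
        # Populate the sysconfig file.
        cat > "$SYSCONFIG_SHIBD" <<EOF
# Shibboleth SP init script customization

# User account for shibd
SHIBD_USER=%{runuser}
EOF
        %if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600
                # The generated file exports LD_LIBRARY_PATH so that shibd picks
                # up libcurl from /opt/shibboleth instead of the OS copy. With
                # the rpath stripped below, that directory becomes part of the
                # daemon's library search path; it should be writable by root
                # only (verify against the libcurl-openssl package).
                cat >> "$SYSCONFIG_SHIBD" <<EOF

# Override OS-supplied libcurl
export LD_LIBRARY_PATH=/opt/shibboleth/%{_lib}
EOF
                # Strip existing rpath to libcurl.
                chrpath -d "$RPM_BUILD_ROOT%{_sbindir}/shibd"
                chrpath -d "$RPM_BUILD_ROOT%{_bindir}/mdquery"
                chrpath -d "$RPM_BUILD_ROOT%{_bindir}/resolvertest"
        %endif
fi

%if "%{_vendor}" == "redhat" || "%{_vendor}" == "suse"
        # %{_initddir} not yet in RHEL5, use deprecated %{_initrddir}
        install -d -m 0755 "$RPM_BUILD_ROOT%{_initrddir}"
        install -m 0755 "$RPM_BUILD_ROOT%{_sysconfdir}/shibboleth/shibd-%{_vendor}" "$RPM_BUILD_ROOT%{_initrddir}/shibd"
%if "%{_vendor}" == "suse"
        # SUSE convention: an rc-prefixed symlink to the init script in sbindir.
        install -d -m 0755 "$RPM_BUILD_ROOT/%{_sbindir}"
        %{__ln_s} -f %{_initrddir}/shibd "$RPM_BUILD_ROOT%{_sbindir}/rcshibd"
%endif
%endif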
169
170 %check
171 %{__make} check
172
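%clean
# Remove the staged tree. Refuse to delete when the build root is unset or is
# the filesystem root, and quote the path so it is passed to rm as one word.
# Written as an if-block so a refused delete does not leave a non-zero status.
if [ -n "$RPM_BUILD_ROOT" ] && [ "$RPM_BUILD_ROOT" != "/" ] ; then
        %{__rm} -rf "$RPM_BUILD_ROOT"
fi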
175
%pre
# Create the system group and account that shibd runs as, unless they already
# exist. The account gets /sbin/nologin as its shell and the runtime directory
# as its home.
if ! getent group %{runuser} >/dev/null ; then
        groupadd -r %{runuser}
fi
if ! getent passwd %{runuser} >/dev/null ; then
        useradd -r -g %{runuser} -d %{_localstatedir}/run/shibboleth \
                -s /sbin/nologin -c "Shibboleth SP daemon" %{runuser}
fi
# Always report success, whatever the account commands returned.
exit 0
181
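%post
%ifnos solaris2.8 solaris2.9 solaris2.10
/sbin/ldconfig
%endif

# Key generation or ownership fix.
# This scriptlet runs as root, so only touch the key material if we really are
# in the configuration directory; otherwise ./keygen.sh and the key file names
# would be resolved against whatever directory the scriptlet was started in.
if cd %{_sysconfdir}/shibboleth ; then
        if [ -f sp-key.pem ] ; then
                %{__chown} %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || :
        else
                sh ./keygen.sh -b -u %{runuser} -g %{runuser}
        fi
fi

# Fix ownership of log files (even on new installs, if they're left from an older one).
# The log directory is owned by the service account, so use -h: ownership of a
# symbolic link found there is changed on the link itself, never on its target.
%{__chown} -h %{runuser}:%{runuser} %{_localstatedir}/log/shibboleth/* 2>/dev/null || :

%if "%{_vendor}" == "redhat"
        if [ "$1" -gt "1" ] ; then
                # On Red Hat with shib.conf installed, clean up old Alias commands
                # by pointing them at new version-independent /usr/share/shibboleth tree.
                # Any Aliases we didn't create we assume are custom files.
                # This is to accommodate making shib.conf a noreplace config file.
                # We can't do this for SUSE, because they disallow changes to
                # packaged files in scriptlets.
                APACHE_CONF="no"
                if [ -f %{_sysconfdir}/httpd/conf.d/shib.conf ] ; then
                        APACHE_CONF="%{_sysconfdir}/httpd/conf.d/shib.conf"
                fi
                if [ "$APACHE_CONF" != "no" ] ; then
                        %{__sed} -i "s/\/usr\/share\/doc\/shibboleth\(\-\(.\)\{1,\}\)\{0,1\}\/main\.css/\/usr\/share\/shibboleth\/main.css/g" \
                                $APACHE_CONF
                        %{__sed} -i "s/\/usr\/share\/doc\/shibboleth\(\-\(.\)\{1,\}\)\{0,1\}\/logo\.jpg/\/usr\/share\/shibboleth\/logo.jpg/g" \
                                $APACHE_CONF
                fi
        fi

        # This adds the proper /etc/rc*.d links for the script
        /sbin/chkconfig --add shibd
%endif
%if "%{_vendor}" == "suse"
        # This adds the proper /etc/rc*.d links for the script
        # and populates the sysconfig/shibd file.
        cd /
        %{fillup_only -n shibd}
        %insserv_force_if_yast shibd
%endif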
228
%preun
# Runs before the package files are removed. When the first argument is 0
# (final removal), shibd is stopped and unregistered, and Apache is restarted
# if its init script reports it as running.
%if "%{_vendor}" == "redhat"
        if test "$1" -eq 0 ; then
                /sbin/service shibd stop > /dev/null 2>&1
                /sbin/chkconfig --del shibd
                %{!?_without_builtinapache:/etc/init.d/httpd status >/dev/null && /etc/init.d/httpd restart >/dev/null}
        fi
%endif
%if "%{_vendor}" == "suse"
        # The SUSE helper macro is invoked unconditionally; only the Apache
        # restart is limited to final removal.
        %stop_on_removal shibd
        if test "$1" -eq 0 ; then
                %{!?_without_builtinapache:/etc/init.d/apache2 status >/dev/null && /etc/init.d/apache2 restart >/dev/null}
        fi
%endif
# Report success regardless of what the service commands returned.
exit 0
245
%postun
# Runs after the old package's files are gone: refresh the linker cache, then
# restart shibd (and Apache, unless built without it) when this is an upgrade.
%ifnos solaris2.8 solaris2.9 solaris2.10
/sbin/ldconfig
%endif
%if "%{_vendor}" == "redhat"
        # On upgrade, restart components if they're already running.
        if test "$1" -ge "1" ; then
                /etc/init.d/shibd status >/dev/null && /etc/init.d/shibd restart >/dev/null
                %{!?_without_builtinapache:/etc/init.d/httpd status >/dev/null && /etc/init.d/httpd restart >/dev/null}
                # A restart that fails or is skipped still yields a zero exit status.
                exit 0
        fi
%endif
%if "%{_vendor}" == "suse"
        cd /
        %restart_on_update shibd
        %{!?_without_builtinapache:%restart_on_update apache2}
        %{insserv_cleanup}
%endif
264
%posttrans
# Workaround for upgrades from the buggy 2.1 package, whose post-uninstall step
# can remove the init script: if the script is missing but the copy kept in the
# configuration directory is present, put it back and register it again.
%if "%{_vendor}" == "redhat"
        if [ ! -f %{_initrddir}/shibd ] && [ -f %{_sysconfdir}/shibboleth/shibd-%{_vendor} ] ; then
                %{__cp} -p %{_sysconfdir}/shibboleth/shibd-%{_vendor} %{_initrddir}/shibd
                %{__chmod} 755 %{_initrddir}/shibd
                /sbin/chkconfig --add shibd
        fi
%endif
276
277 %files -f rpm.filelist
278 %defattr(-,root,root,-)
279 %{_sbindir}/shibd
280 %{_bindir}/mdquery
281 %{_bindir}/resolvertest
282 %{_libdir}/libshibsp.so.*
283 %{_libdir}/libshibsp-lite.so.*
284 %dir %{_libdir}/shibboleth
285 %{_libdir}/shibboleth/*
286 %attr(0750,%{runuser},%{runuser}) %dir %{_localstatedir}/log/shibboleth
287 %attr(0755,%{runuser},%{runuser}) %dir %{_localstatedir}/run/shibboleth
288 %attr(0755,%{runuser},%{runuser}) %dir %{_localstatedir}/cache/shibboleth
289 %dir %{_datadir}/xml/shibboleth
290 %{_datadir}/xml/shibboleth/*
291 %dir %{_datadir}/shibboleth
292 %{_datadir}/shibboleth/*
293 %dir %{_sysconfdir}/shibboleth
294 %config(noreplace) %{_sysconfdir}/shibboleth/*.xml
295 %config(noreplace) %{_sysconfdir}/shibboleth/*.html
296 %config(noreplace) %{_sysconfdir}/shibboleth/*.logger
297 %if "%{_vendor}" == "redhat" || "%{_vendor}" == "suse"
298 %config %{_initrddir}/shibd
299 %endif
300 %if "%{_vendor}" == "suse"
301 %{_sbindir}/rcshibd
302 %endif
303 %{_sysconfdir}/shibboleth/*.dist
304 %{_sysconfdir}/shibboleth/apache*.config
305 %{_sysconfdir}/shibboleth/shibd-*
306 %attr(0755,root,root) %{_sysconfdir}/shibboleth/keygen.sh
307 %attr(0755,root,root) %{_sysconfdir}/shibboleth/metagen.sh
308 %{_sysconfdir}/shibboleth/*.xsl
309 %doc %{pkgdocdir}
310 %exclude %{pkgdocdir}/api
311
312 %files devel
313 %defattr(-,root,root,-)
314 %{_includedir}/*
315 %{_libdir}/libshibsp.so
316 %{_libdir}/libshibsp-lite.so
317 %doc %{pkgdocdir}/api
318
319 %changelog
320 * Thu Mar 1 2012  Scott Cantor  <cantor.2@osu.edu>  - 2.5-1
321 - Move logo and stylesheet to version-independent tree
322 - Make shib.conf noreplace
323 - Post-fixup of Alias commands in older shib.conf
324 - Changes to run shibd as non-root shibboleth user
325 - Move init customizations to /etc/sysconfig/shibd
326 - Copy shibd restart for Red Hat to postun
327 - Add boost-devel dependency
328 - Build memcache plugin on RH6
329 - Add cachedir to install
330 - Add Apache 2.4 to install
331
332 * Sun Jun 26 2011  Scott Cantor  <cantor.2@osu.edu>  - 2.4.3-1
333 - Log files shouldn't be world readable.
334 - Explicit requirement for libcurl-openssl on RHEL6
335 - Uncomment LD_LIBRARY_PATH in init script for RHEL6 
336 - Remove rpath from binaries for RHEL6
337
338 * Fri Dec 25 2009  Scott Cantor  <cantor.2@osu.edu>  - 2.4-1
339 - Update dependencies.
340
341 * Mon Nov 23 2009 Scott Cantor  <cantor.2@osu.edu>  - 2.3.1-1
342 - Reset revision for 2.3.1 release
343
344 * Wed Aug 19 2009 Scott Cantor  <cantor.2@osu.edu>  - 2.2.1-2
345 - SuSE init script changes
346 - Restart Apache on removal, not just upgrade
347 - Fix scriptlet exit values when Apache is stopped
348
349 * Mon Aug 10 2009 Scott Cantor  <cantor.2@osu.edu>  - 2.2.1-1
350 - Doc handling changes
351 - SuSE init script
352
353 * Tue Aug 4 2009 Scott Cantor  <cantor.2@osu.edu>  - 2.2.1-1
354 - Initial version for 2.2.1, with shibd/httpd restart on upgrade
355
356 * Thu Jun 25 2009 Scott Cantor  <cantor.2@osu.edu>  - 2.2-3
357 - Add additional cleanup to posttrans fix
358
359 * Tue Jun 23 2009 Scott Cantor  <cantor.2@osu.edu>  - 2.2-2
360 - Reverse without_builtinapache macro test
361 - Fix init script handling on Red Hat to handle upgrades
362
363 * Wed Dec 3 2008  Scott Cantor  <cantor.2@osu.edu>  - 2.2-1
364 - Bump minor version.
365 - Make keygen.sh executable.
366 - Fixing SUSE Xerces dependency name.
367 - Optionally package shib.conf.
368
369 * Tue Jun 10 2008  Scott Cantor  <cantor.2@osu.edu>  - 2.1-1
370 - Change shib.conf handling to treat as config file.
371
372 * Mon Mar 17 2008  Scott Cantor  <cantor.2@osu.edu>  - 2.0-6
373 - Official release.
374
375 * Fri Jan 18 2008  Scott Cantor  <cantor.2@osu.edu>  - 2.0-5
376 - Release candidate 1.
377
378 * Sun Oct 21 2007 Scott Cantor  <cantor.2@osu.edu>  - 2.0-4
379 - libexec -> lib/shibboleth changes
380 - Added doc subpackage
381
382 * Thu Aug 16 2007 Scott Cantor  <cantor.2@osu.edu>  - 2.0-3
383 - First public beta.
384
385 * Fri Jul 13 2007 Scott Cantor  <cantor.2@osu.edu>  - 2.0-2
386 - Second alpha release.
387
388 * Sun Jun 10 2007 Scott Cantor  <cantor.2@osu.edu>  - 2.0-1
389 - First alpha release.
390
391 * Mon Oct 2 2006 Scott Cantor   <cantor.2@osu.edu>  - 1.3-11
392 - Applied fix for secadv 20061002
393 - Fix for metadata loader loop
394
395 * Wed Jun 15 2006 Scott Cantor  <cantor.2@osu.edu>  - 1.3-10
396 - Applied fix for sec 20060615
397
398 * Fri Apr 15 2006 Scott Cantor  <cantor.2@osu.edu>  - 1.3-9
399 - Misc. patches, SuSE, Apache 2.2, gcc 4.1, and 64-bit support
400
401 * Mon Jan 9 2006 Scott Cantor  <cantor.2@osu.edu>  - 1.3-8
402 - Applied new fix for secadv 20060109
403
404 * Tue Nov 8 2005 Scott Cantor  <cantor.2@osu.edu>  - 1.3-7
405 - Applied new fix for secadv 20050901 plus rollup
406
407 * Fri Sep 23 2005 Scott Cantor  <cantor.2@osu.edu>  - 1.3-6
408 - Minor patches and default config changes
409 - pidfile patch
410 - Fix shib.conf creation
411 - Integrated init.d script
412 - Prevent replacement of config files
413
414 * Thu Sep 1 2005  Scott Cantor  <cantor.2@osu.edu>  - 1.3-5
415 - Applied fix for secadv 20050901 plus rollup of NSAPI fixes
416
417 * Sun Apr 24 2005  Scott Cantor  <cantor.2@osu.edu>  - 1.3-1
418 - Updated test programs and location of schemas.
419 - move siterefresh to to sbindir
420
421 * Fri Apr  1 2005  Derek Atkins  <derek@ihtfp.com>  - 1.3-1
422 - Add selinux-targeted-policy package
423 - move shar to sbindir
424
425 * Tue Oct 19 2004  Derek Atkins  <derek@ihtfp.com>  - 1.2-1
426 - Create SPEC file based on various versions in existence.