Bug 800867
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Review Request: simplesamlphp - PHP SAML 2.0 service provider and identity provider | | |
| Product: | [Fedora] Fedora | Reporter: | François Kooman <fkooman> |
| Component: | Package Review | Assignee: | Nobody's working on this, feel free to take it <nobody> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | andrew.elwell, erinn.looneytriggs, jason.corley, jchristi, package-review, victoriano |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-07-19 09:31:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 974492 | | |
| Bug Blocks: | | | |
Description
François Kooman
2012-03-07 12:23:39 UTC
    # #### Upstream Issues ####
    #
    # - enable simpleSAMLphp modules through (main) config file
    #   ISSUE: http://code.google.com/p/simplesamlphp/issues/detail?id=475
    #
    # - more configurable paths in config.php
    #   ISSUE: http://code.google.com/p/simplesamlphp/issues/detail?id=349
    #
    # - OAuth in modules/oauth/libextinc/OAuth.php is not the same as the
    #   system-wide OAuth.php from php-oauth package
    #
    # - Yubico.php in modules/authYubiKey/libextinc/Yubico.php is not the same
    #   as the one from the php-pear-Auth-Yubico package, it was modified.
    #
    # #### Packaging Issues ####
    #
    # - Follow packaging guidelines for SSL certificates, see
    #   http://fedoraproject.org/wiki/PackagingDrafts/Certificates
    #
    # - Make sure SELinux does not interfere with reading the certificates from
    #   /etc/pki/simplesamlphp/. Should be sufficient to just make them owned by
    #   apache.apache with permissions 0640 for the PEM and 0644 for the CRT.
    #
    # - Figure out the status of the bundled 'xmlseclibs.php', we use 1.3.0 from
    #   upstream now in this package
    #   ISSUE: http://code.google.com/p/simplesamlphp/issues/detail?id=480
    #
    # - Deal with bundled JavaScript (jquery, jquery-ui, ...) and also image sets?
    #   or just ignore this stuff?
    #
    # - Make the log to file in /var/log/simplesamlphp actually work (permissions +
    #   SELinux)
    #
    # - Allow Apache to write to /var/lib/simplesamlphp/metadata (permissions +
    #   SELinux) for the "metarefresh" and "cron" plugins
    #
    # - Include a README.dist or similar file explaining the configuration specific
    #   items for Fedora (and SELinux)
    #
    # - Maybe prepare a cron example file (for metarefresh)
    #
    # - Figure out all licenses used in simpleSAMLphp. Debian package list some
    #
    # - Figure out what to do with the tmp file location, should this really be
    #   package specific e.g in /var/lib/simplesamlphp/tmp?
    #

    [fkooman@localhost SPECS]$ rpmlint simplesamlphp.spec ../SRPMS/simplesamlphp-1.8.2-5.fc16.src.rpm ../RPMS/noarch/simplesamlphp-1.8.2-5.fc16.noarch.rpm
    simplesamlphp.spec:110: W: macro-in-comment %config
    simplesamlphp.spec:110: W: macro-in-comment %{_sysconfdir}
    simplesamlphp.spec:110: W: macro-in-comment %{name}
    simplesamlphp.spec:82: W: mixed-use-of-spaces-and-tabs (spaces: line 82, tab: line 1)
    simplesamlphp.spec: W: invalid-url Source0: http://simplesamlphp.googlecode.com/files/simplesamlphp-1.8.2.tar.gz HTTP Error 404: Not Found
    simplesamlphp.src:110: W: macro-in-comment %config
    simplesamlphp.src:110: W: macro-in-comment %{_sysconfdir}
    simplesamlphp.src:110: W: macro-in-comment %{name}
    simplesamlphp.src:82: W: mixed-use-of-spaces-and-tabs (spaces: line 82, tab: line 1)
    simplesamlphp.src: W: invalid-url Source0: http://simplesamlphp.googlecode.com/files/simplesamlphp-1.8.2.tar.gz HTTP Error 404: Not Found
    simplesamlphp.noarch: E: explicit-lib-dependency php-xmlseclibs
    simplesamlphp.noarch: E: zero-length /usr/share/simplesamlphp/modules/discopower/dictionaries/tabs.translation.json
    simplesamlphp.noarch: W: non-conffile-in-etc /etc/pki/simplesamlphp/server.crt
    simplesamlphp.noarch: W: dangling-relative-symlink /usr/share/simplesamlphp/lib/Auth ../../../../usr/share/pear/Auth_OpenID
    simplesamlphp.noarch: W: non-conffile-in-etc /etc/pki/simplesamlphp/server.pem
    simplesamlphp.noarch: W: dangling-relative-symlink /usr/share/simplesamlphp/modules/oauth/libextinc/OAuth.php ../../../../../../../usr/share/php/oauth/OAuth.php
    simplesamlphp.noarch: E: zero-length /usr/share/simplesamlphp/modules/authX509/default-disable
    simplesamlphp.noarch: E: zero-length /usr/share/simplesamlphp/modules/InfoCard/dictionaries/dict-InfoCard.translation.json
    simplesamlphp.noarch: W: dangling-relative-symlink /usr/share/simplesamlphp/modules/authYubiKey/libextinc/Yubico.php ../../../../../../../usr/share/pear/Auth/Yubico.php
    simplesamlphp.noarch: W: dangling-relative-symlink /usr/share/simplesamlphp/lib/xmlseclibs.php ../../../../../usr/share/php/xmlseclibs/xmlseclibs.php
    simplesamlphp.noarch: E: zero-length /usr/share/simplesamlphp/modules/openid/dictionaries/dictopenid.translation.json
    2 packages and 1 specfiles checked; 5 errors, 16 warnings.

not sure how much this matters to you but if you change the find in %setup from:

    find . -type f -executable -not -path '*/bin/*' | xargs chmod -x

to:

    find . -type f -perm /a+x -not -path '*/bin/*' | xargs chmod -x

this package will build on EL5

@Jason Corley: simpleSAMLphp 1.9.0 requires PHP >= 5.2. Is that available on EL5?

I upgraded the spec to simpleSAMLphp 1.9.0

http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp.spec
http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp-1.9.0-1.fc16.src.rpm

The xmlseclibs issue from Comment 1 is fixed. The bundled xmlseclibs.php is identical to the one from the xmlseclibs upstream project. The other issues are still open. I want to look into the certificate business soon.

This package works great when simpleSAMLphp is configured as a SP. It seems it also works fine in IdP mode with the certificates in /etc/pki/simplesamlphp without requiring any modifications to SELinux. The problem however is that the file is currently world-readable so it probably needs a chown to httpd user. Also connecting to an LDAP @ localhost works from PHP immediately.

it's definitely possible to get php >= 5.2 on rhel5, through either the php53 rhel5 packages or through other means (I'm personally using the ius repos and php53u packages). since it's not a standard path though I imagine it's not a big priority for you, I just figured I'd mention that with that one very minor tweak it builds and runs in my random custom configuration. I should note I haven't tried out the 1.9 version though, just the 1.8.2 package thus far.
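The description proposes 0640 for the PEM and 0644 for the CRT under /etc/pki/simplesamlphp, and a comment above notes the key file is currently world-readable. As an added example (not part of the bug report or of the spec file), a shell check for files more permissive than those modes; the function names are hypothetical and GNU stat is assumed:

```shell
#!/bin/sh
# Added example (not from the bug report): audit a SAML key directory against
# the modes proposed in the description: 0640 for *.pem, 0644 for *.crt.
# Uses GNU stat (-c), as found on Fedora and EL. Function names are hypothetical.

# excess_bits MODE LIMIT -> prints, in octal, the permission bits set in MODE
# that LIMIT does not allow (0 means MODE is within LIMIT).
excess_bits() {
    printf '%o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# audit_pki_dir DIR -> one line per file that is more permissive than the
# proposed mode; exit status 1 if anything was reported, 0 if clean.
audit_pki_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue          # unmatched glob or not a regular file
        case $f in
            *.pem) limit=640 ;;          # private key: no access for "other"
            *.crt) limit=644 ;;          # certificate: readable, not writable
        esac
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U:%G' "$f")    # reported so the apache.apache goal can be checked by eye
        extra=$(excess_bits "$mode" "$limit")
        if [ "$extra" != 0 ]; then
            echo "TOO-OPEN $f mode=$mode limit=$limit extra=$extra owner=$owner"
            rc=1
        fi
    done
    return $rc
}

# Typical call: audit_pki_dir /etc/pki/simplesamlphp
```

A world-readable server.pem (mode 644) is reported with extra=4, the "other read" bit; group ownership still has to match the web server's group for 0640 to be usable.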
@Jason Corley: I filed the issue upstream, maybe there the permissions can be fixed at the root :)

https://code.google.com/p/simplesamlphp/issues/detail?id=506

In the meantime I also updated the SPEC to use your suggested find/xargs command.

http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp.spec
http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp-1.9.0-2.fc16.src.rpm

and I see they accepted the issue, which is good, but not for 1.9.x, which seems like a bummer. but at least future revisions won't need the modification. I managed to rebuild the package in mock on rhel5.x86_64 with the ius php53 packages/mock config and it built without issue (not counting the incompatible srpm format that requires rpm2cpio and rpmbuild, which has nothing to do with you or this package). will be testing it later, so thanks for the update!

If you try to install the .f16.srpm on a CentOS 5.8 system, you will get an error about md5 sum mismatch for the SimpleSAMLphp source tarball, like this:

    rpm -Uvh simplesamlphp-1.10.0-1.fc16.src.rpm
    1:simplesamlphp warning: user fkooman does not exist - using root
    warning: group fkooman does not exist - using root
    ########################################### [100%]
    error: unpacking of archive failed on file /home/devel/redhat/SOURCES/simplesamlphp-1.10.0.tar.gz;507019e2: cpio: MD5 sum mismatch

The fix is simple:

- Get the tarball from upstream: http://simplesamlphp.googlecode.com/files/simplesamlphp-%{version}.tar.gz
- Get the .spec from its "home": http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp.spec
- Get simplesamlphp-httpd-conf, I did it installing the f16.srpm on a Fedora 16

Build normally:

    rpmbuild -ba simplesamlphp.spec

You obtain valid .rpm AND .srpm for el5.

I forgot. If you do not want to go all the way, just grab my .srpm from:

http://v.uma.es/simplesamlphp-1.10.0-1.el5.src.rpm

I upgraded the spec to simpleSAMLphp 1.11.0

http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp.spec
http://fkooman.fedorapeople.org/simplesamlphp/http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp-1.11.0-1.fc18.src.rpm

This version also requires the updated php-xmlseclibs as it adds some additional signature methods:

http://fkooman.fedorapeople.org/php-xmlseclibs/php-xmlseclibs-1.3.0-2.fc18.src.rpm

I've been using this package for quite some time now, both as an IdP and SP, so it works great. Version 1.11.0 also makes it possible to enable modules using the configuration file instead of creating an "enable" file in the /usr/share/simplesamlphp/modules/<module name> directory.

The URL of the SRPM is actually:

http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp-1.11.0-1.fc18.src.rpm

I guess you would need to open a review ticket for php-xmlseclibs and have this ticket depend on that one; as it is, this package is not reviewable as it cannot be installed due to the missing dependency. Marking as NotReady, please clear the whiteboard if this becomes reviewable in the future.

I am no longer interested in packaging this. Shawn Iwinski wants to open a new ticket once his COPR packages are ready. See https://copr.fedorainfracloud.org/coprs/siwinski/simplesamlphp/