Bug 800867 - Review Request: simplesamlphp - PHP SAML 2.0 service provider and identity provider
Status: NEW
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Depends On: 974492
Reported: 2012-03-07 07:23 EST by François Kooman
Modified: 2014-07-07 12:47 EDT
Description François Kooman 2012-03-07 07:23:39 EST
Spec URL: http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp.spec
SRPM URL: http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp-1.8.2-5.fc16.src.rpm
Description:

SimpleSAMLphp is an award-winning application written in native PHP 
that deals with authentication. The project is led by UNINETT, has a 
large user base, a helpful user community and a large set of 
external contributors.

SimpleSAMLphp has a main focus on providing support for:

    SAML 2.0 as a Service Provider.
    SAML 2.0 as an Identity Provider.

It also supports some other identity protocols, such as Shibboleth 
1.3, A-Select, CAS, OpenID, WS-Federation and OAuth.
Comment 1 François Kooman 2012-03-07 07:24:13 EST
# #### Upstream Issues ####
#
# - enable simpleSAMLphp modules through (main) config file
#   ISSUE: http://code.google.com/p/simplesamlphp/issues/detail?id=475
#
# - more configurable paths in config.php
#   ISSUE: http://code.google.com/p/simplesamlphp/issues/detail?id=349
#
# - OAuth in modules/oauth/libextinc/OAuth.php is not the same as the 
#   system-wide OAuth.php from php-oauth package
#
# - Yubico.php in modules/authYubiKey/libextinc/Yubico.php is not the same
#   as the one from the php-pear-Auth-Yubico package, it was modified.
#
# #### Packaging Issues ####
#
# - Follow packaging guidelines for SSL certificates, see
#   http://fedoraproject.org/wiki/PackagingDrafts/Certificates
#
# - Make sure SELinux does not interfere with reading the certificates from 
#   /etc/pki/simplesamlphp/. Should be sufficient to just make them owned by
#   apache.apache with permissions 0640 for the PEM and 0644 for the CRT.
#
# - Figure out the status of the bundled 'xmlseclibs.php', we use 1.3.0 from
#   upstream now in this package
#   ISSUE: http://code.google.com/p/simplesamlphp/issues/detail?id=480
#
# - Deal with bundled JavaScript (jquery, jquery-ui, ...) and also image sets?
#   or just ignore this stuff?
# 
# - Make the log to file in /var/log/simplesamlphp actually work (permissions + 
#   SELinux)
#
# - Allow Apache to write to /var/lib/simplesamlphp/metadata (permissions + 
#   SELinux) for the "metarefresh" and "cron" plugins
#
# - Include a README.dist or similar file explaining the configuration specific
#   items for Fedora (and SELinux)
#
# - Maybe prepare a cron example file (for metarefresh)
#
# - Figure out all licenses used in simpleSAMLphp. Debian package list some
#
# - Figure out what to do with the tmp file location; should this really be 
#   package specific, e.g. in /var/lib/simplesamlphp/tmp?
#
Comment 2 François Kooman 2012-03-07 07:28:36 EST
[fkooman@localhost SPECS]$ rpmlint simplesamlphp.spec ../SRPMS/simplesamlphp-1.8.2-5.fc16.src.rpm ../RPMS/noarch/simplesamlphp-1.8.2-5.fc16.noarch.rpm 
simplesamlphp.spec:110: W: macro-in-comment %config
simplesamlphp.spec:110: W: macro-in-comment %{_sysconfdir}
simplesamlphp.spec:110: W: macro-in-comment %{name}
simplesamlphp.spec:82: W: mixed-use-of-spaces-and-tabs (spaces: line 82, tab: line 1)
simplesamlphp.spec: W: invalid-url Source0: http://simplesamlphp.googlecode.com/files/simplesamlphp-1.8.2.tar.gz HTTP Error 404: Not Found
simplesamlphp.src:110: W: macro-in-comment %config
simplesamlphp.src:110: W: macro-in-comment %{_sysconfdir}
simplesamlphp.src:110: W: macro-in-comment %{name}
simplesamlphp.src:82: W: mixed-use-of-spaces-and-tabs (spaces: line 82, tab: line 1)
simplesamlphp.src: W: invalid-url Source0: http://simplesamlphp.googlecode.com/files/simplesamlphp-1.8.2.tar.gz HTTP Error 404: Not Found
simplesamlphp.noarch: E: explicit-lib-dependency php-xmlseclibs
simplesamlphp.noarch: E: zero-length /usr/share/simplesamlphp/modules/discopower/dictionaries/tabs.translation.json
simplesamlphp.noarch: W: non-conffile-in-etc /etc/pki/simplesamlphp/server.crt
simplesamlphp.noarch: W: dangling-relative-symlink /usr/share/simplesamlphp/lib/Auth ../../../../usr/share/pear/Auth_OpenID
simplesamlphp.noarch: W: non-conffile-in-etc /etc/pki/simplesamlphp/server.pem
simplesamlphp.noarch: W: dangling-relative-symlink /usr/share/simplesamlphp/modules/oauth/libextinc/OAuth.php ../../../../../../../usr/share/php/oauth/OAuth.php
simplesamlphp.noarch: E: zero-length /usr/share/simplesamlphp/modules/authX509/default-disable
simplesamlphp.noarch: E: zero-length /usr/share/simplesamlphp/modules/InfoCard/dictionaries/dict-InfoCard.translation.json
simplesamlphp.noarch: W: dangling-relative-symlink /usr/share/simplesamlphp/modules/authYubiKey/libextinc/Yubico.php ../../../../../../../usr/share/pear/Auth/Yubico.php
simplesamlphp.noarch: W: dangling-relative-symlink /usr/share/simplesamlphp/lib/xmlseclibs.php ../../../../../usr/share/php/xmlseclibs/xmlseclibs.php
simplesamlphp.noarch: E: zero-length /usr/share/simplesamlphp/modules/openid/dictionaries/dictopenid.translation.json
2 packages and 1 specfiles checked; 5 errors, 16 warnings.
Comment 3 Jason Corley 2012-04-13 10:26:58 EDT
Not sure how much this matters to you, but if you change the find in %setup from:
  find . -type f -executable -not -path '*/bin/*' | xargs chmod -x
to:
  find . -type f -perm /a+x -not -path '*/bin/*' | xargs chmod -x
this package will build on EL5.
Comment 4 François Kooman 2012-06-15 04:38:07 EDT
@Jason Corley: simpleSAMLphp 1.9.0 requires PHP >= 5.2. Is that available on EL5?

I upgraded the spec to simpleSAMLphp 1.9.0

http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp.spec
http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp-1.9.0-1.fc16.src.rpm

The xmlseclibs issue from Comment 1 is fixed. The bundled xmlseclibs.php is identical to the one from the xmlseclibs upstream project. The other issues are still open.

I want to look into the certificate business soon. This package works great when simpleSAMLphp is configured as an SP.
Comment 5 François Kooman 2012-06-25 09:11:44 EDT
It seems it also works fine in IdP mode with the certificates in /etc/pki/simplesamlphp without requiring any modifications to SELinux. The problem, however, is that the file is currently world-readable, so it probably needs a chown to the httpd user.

Also connecting to an LDAP @ localhost works from PHP immediately.
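
The permission concern from Comments 1 and 5, as an added example that is not part of the bug report or the package: a check that flags any key or certificate file carrying mode bits beyond the 0640 (PEM) and 0644 (CRT) proposed in Comment 1. The helper name audit_pki_dir and the demo directory are assumptions, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a SimpleSAMLphp PKI directory
# against the modes proposed in Comment 1: 0640 for *.pem, 0644 for *.crt.
# audit_pki_dir is a hypothetical helper; stat -c assumes GNU coreutils.

audit_pki_dir() {
    dir=$1
    failures=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue            # unmatched glob or not a regular file
        case "$f" in
            *.pem) allowed=640 ;;          # private key: owner rw, group r
            *)     allowed=644 ;;          # certificate: public, but not writable
        esac
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U:%G' "$f")
        # Bits set on the file that the policy does not allow (octal arithmetic).
        extra=$(( 0$mode & ~0$allowed & 07777 ))
        if [ "$extra" -ne 0 ]; then
            printf 'FAIL %s mode=%s owner=%s (allowed: 0%s)\n' \
                "$f" "$mode" "$owner" "$allowed"
            failures=$((failures + 1))
        else
            printf 'ok   %s mode=%s owner=%s\n' "$f" "$mode" "$owner"
        fi
    done
    [ "$failures" -eq 0 ]                  # exit status 0 only if every file passes
}

# Constructed demo: a world-readable key like the one described in Comment 5.
demo=$(mktemp -d)
: > "$demo/server.pem"; chmod 0644 "$demo/server.pem"
: > "$demo/server.crt"; chmod 0644 "$demo/server.crt"
audit_pki_dir "$demo" || echo "private key permissions need tightening"
chmod 0640 "$demo/server.pem"
audit_pki_dir "$demo" && echo "permissions match the proposed policy"
rm -rf "$demo"
```

The printed owner matters as much as the mode: a 0640 key is only readable by the web server if its owner or group is the account httpd runs as.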
Comment 6 Jason Corley 2012-07-06 14:03:01 EDT
It's definitely possible to get php >= 5.2 on rhel5, through either the php53 rhel5 packages or through other means (I'm personally using the ius repos and php53u packages). Since it's not a standard path though, I imagine it's not a big priority for you; I just figured I'd mention that with that one very minor tweak it builds and runs in my random custom configuration. I should note I haven't tried out the 1.9 version though, just the 1.8.2 package thus far.
Comment 7 François Kooman 2012-07-07 04:24:39 EDT
@Jason Corley: I filed the issue upstream, maybe there the permissions can be fixed at the root :)

https://code.google.com/p/simplesamlphp/issues/detail?id=506

In the meantime I also updated the SPEC to use your suggested find/xargs command.

http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp.spec
http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp-1.9.0-2.fc16.src.rpm
Comment 8 Jason Corley 2012-08-01 04:36:54 EDT
And I see they accepted the issue, which is good, but not for 1.9.x, which seems like a bummer. But at least future revisions won't need the modification. I managed to rebuild the package in mock on rhel5.x86_64 with the ius php53 packages/mock config and it built without issue (not counting the incompatible srpm format that requires rpm2cpio and rpmbuild, which has nothing to do with you or this package). Will be testing it later, so thanks for the update!
Comment 9 Victoriano Giralt 2012-10-06 08:53:42 EDT
If you try to install the .f16.srpm on a CentOS 5.8 system, you will get an error about md5 sum mismatch for the SimpleSAMLphp source tarball, like this:

rpm -Uvh simplesamlphp-1.10.0-1.fc16.src.rpm
   1:simplesamlphp          warning: user fkooman does not exist - using root
warning: group fkooman does not exist - using root
########################################### [100%]
error: unpacking of archive failed on file /home/devel/redhat/SOURCES/simplesamlphp-1.10.0.tar.gz;507019e2: cpio: MD5 sum mismatch


The fix is simple:
- Get the tarball from upstream:
  http://simplesamlphp.googlecode.com/files/simplesamlphp-%{version}.tar.gz
- Get the .spec from its "home":
  http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp.spec
- Get simplesamlphp-httpd-conf; I did it by installing the f16.srpm on a Fedora 16

Build normally: rpmbuild -ba simplesamlphp.spec 

You obtain valid .rpm AND .srpm for el5.
Comment 10 Victoriano Giralt 2012-10-06 08:56:27 EDT
I forgot. If you do not want to go all the way, just grab my .srpm from:
http://v.uma.es/simplesamlphp-1.10.0-1.el5.src.rpm
Comment 11 François Kooman 2013-06-07 05:09:21 EDT
I upgraded the spec to simpleSAMLphp 1.11.0

http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp.spec
http://fkooman.fedorapeople.org/simplesamlphp/http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp-1.11.0-1.fc18.src.rpm

This version also requires the updated php-xmlseclibs as it adds some additional signature methods:
http://fkooman.fedorapeople.org/php-xmlseclibs/php-xmlseclibs-1.3.0-2.fc18.src.rpm

I've been using this package for quite some time now, both as an IdP and SP, so it works great. Version 1.11.0 also makes it possible to enable modules using the configuration file instead of creating an "enable" file in the /usr/share/simplesamlphp/modules/<module name> directory.
Comment 12 François Kooman 2013-06-07 05:13:43 EDT
The URL of the SRPM is actually:

http://fkooman.fedorapeople.org/simplesamlphp/simplesamlphp-1.11.0-1.fc18.src.rpm
Comment 13 Jason Tibbitts 2013-06-13 17:08:09 EDT
I guess you would need to open a review ticket for php-xmlseclibs and have this ticket depend on that one; as it is, this package is not reviewable as it cannot be installed due to the missing dependency.

Marking as NotReady, please clear the whiteboard if this becomes reviewable in the future.
