authorgirgen <girgen@FreeBSD.org>2013-06-05 01:29:21 +0800
committergirgen <girgen@FreeBSD.org>2013-06-05 01:29:21 +0800
commitdfffa9ba08ae5dd8420e809f76f67132090755de (patch)
tree4b402459887dd978d82326c7033b384c026b386b /security/shibboleth2-sp
parentd0a9e72d4679a0e8452432997102c4337ae88339 (diff)
Update Shibboleth-sp and its tool chain to 2.5.1.
Note that from 2.5, shibd is run as the user shibd. The port tries to fix the key file ownership but if you have changed the file name of the key from the default sp-key.pem, make sure you chown your key file(s) to user shibd. Also, take maintainership of the entire tool chain (approved by all previous maintainers). Incorporates the ideas suggested by Craig Leres [177668], making sure that the ssl key is not added to the package. PR: 177668, 178694
Diffstat (limited to 'security/shibboleth2-sp')
-rw-r--r--security/shibboleth2-sp/Makefile53
-rw-r--r--security/shibboleth2-sp/distinfo4
-rw-r--r--security/shibboleth2-sp/files/patch-configure.ac11
-rw-r--r--security/shibboleth2-sp/files/patch-makefiles-docdir47
-rw-r--r--security/shibboleth2-sp/files/patch-shibboleth-spec26
-rw-r--r--security/shibboleth2-sp/files/shibboleth-sp.in38
-rw-r--r--security/shibboleth2-sp/pkg-descr2
-rw-r--r--security/shibboleth2-sp/pkg-plist39
8 files changed, 163 insertions, 57 deletions
diff --git a/security/shibboleth2-sp/Makefile b/security/shibboleth2-sp/Makefile
index 8d573b5b61a6..c20e1b49b365 100644
--- a/security/shibboleth2-sp/Makefile
+++ b/security/shibboleth2-sp/Makefile
@@ -2,53 +2,58 @@
# $FreeBSD$
PORTNAME= shibboleth-sp
-PORTVERSION= 2.4.3
-PORTREVISION= 1
+PORTVERSION= 2.5.1
CATEGORIES= security www
-MASTER_SITES= http://www.shibboleth.net/downloads/service-provider/${PORTVERSION}/
+MASTER_SITES= http://shibboleth.net/downloads/service-provider/${PORTVERSION}/
-MAINTAINER= swills@FreeBSD.org
+MAINTAINER= girgen@FreeBSD.org
COMMENT= C++ Shibboleth Service Provider (Internet2) for Apache
-LIB_DEPENDS= saml.7:${PORTSDIR}/security/opensaml2
-
-OPTIONS_DEFINE= APACHE22
-APACHE22_DESC= Use Apache version 2.2 instead of version 2.0
+LIB_DEPENDS= saml.8:${PORTSDIR}/security/opensaml2
MAKE_JOBS_SAFE= yes
USE_GMAKE= yes
GNU_CONFIGURE= yes
+MAKE_ENV= NOKEYGEN=YES
USE_LDCONFIG= yes
USE_RC_SUBR= shibboleth-sp
-USE_AUTOTOOLS= autoconf automake:env libtool:env
-WRKSRC= ${WRKDIR}/shibboleth-${PORTVERSION}
LATEST_LINK= shibboleth2-sp
+USERS= shibd
+GROUPS= shibd
+
+USE_APACHE= 22-24
+USE_OPENSSL= yes
+
.include <bsd.port.pre.mk>
-.if ${PORT_OPTIONS:MAPACHE22}
-USE_APACHE= 22
+.if ${APACHE_VERSION} == 22
CONFIGURE_ARGS= --enable-apache-22 --with-apxs22=${APXS}
PLIST_SUB+= WITH_APACHE_22=""
-PLIST_SUB+= WITH_APACHE_20="@comment "
+PLIST_SUB+= WITH_APACHE_24="@comment "
.else
-IGNORE= apache20 is no longer available
-#USE_APACHE= 20
-#CONFIGURE_ARGS= --enable-apache-20 --with-apxs2=${APXS} --with-apr=${PREFIX}/lib/apache2/apr-config --with-apu=${PREFIX}/lib/apache2/apu-config
+CONFIGURE_ARGS= --enable-apache-24 --with-apxs24=${APXS}
PLIST_SUB+= WITH_APACHE_22="@comment "
-PLIST_SUB+= WITH_APACHE_20=""
+PLIST_SUB+= WITH_APACHE_24=""
.endif
+
+SUB_LIST+= SH=${SH}
+PLIST_SUB+= WWWOWN=${WWWOWN} WWWGRP=${WWWGRP}
+
+SUB_LIST+= SHIBD_USER=${USERS}
+SUB_LIST+= SHIBD_GROUP=${GROUPS}
+PLIST_SUB+= SHIBD_USER=${USERS}
+PLIST_SUB+= SHIBD_GROUP=${GROUPS}
+
CONFIGURE_ARGS+= --localstatedir=/var --with-log4shib=${LOCALBASE}
CONFIGURE_ARGS+= --with-openssl=${OPENSSLBASE} --with-xmltooling=${LOCALBASE}
CONFIGURE_ARGS+= --disable-doxygen-doc
-pre-configure:
- @${REINPLACE_CMD} -e 's|/run|/run/shibboleth|' ${WRKSRC}/configs/Makefile.in
- @${REINPLACE_CMD} -e 's|/doc/@PACKAGE@-@PACKAGE_VERSION@|/doc/@PACKAGE@|' \
- ${WRKSRC}/configs/Makefile.am ${WRKSRC}/configs/Makefile.in \
- ${WRKSRC}/doc/Makefile.am ${WRKSRC}/doc/Makefile.in
- ${RM} ${WRKSRC}/aclocal.m4
- @cd ${WRKSRC} && ${AUTORECONF} -fvi
+post-install:
+ ${CHOWN} -R ${USERS}:${GROUPS} /var/cache/shibboleth ;\
+ ${CHOWN} -R ${USERS}:${GROUPS} /var/log/shibboleth ;\
+ ${CHOWN} -R ${USERS}:${WWWGRP} /var/run/shibboleth ;\
+ ${CHMOD} -R u=rwx,g=rx,o= /var/run/shibboleth
.include <bsd.port.post.mk>
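Review bot: The four commands in the new post-install target are joined with `;\`, so the recipe's exit status is only that of the final `${CHMOD}`, and a failed `${CHOWN}` on /var/cache/shibboleth, /var/log/shibboleth or /var/run/shibboleth goes unnoticed. Because shibd now runs as `${USERS}`, a silently skipped ownership change would presumably leave the daemon unable to write its cache, log or run directory, and the failure would only show up at service start. Chaining with `&& \` instead of `;\` (or putting each command on its own recipe line) makes the install stop at the first failure.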
diff --git a/security/shibboleth2-sp/distinfo b/security/shibboleth2-sp/distinfo
index eeba5920b73b..7539abe0ad73 100644
--- a/security/shibboleth2-sp/distinfo
+++ b/security/shibboleth2-sp/distinfo
@@ -1,2 +1,2 @@
-SHA256 (shibboleth-sp-2.4.3.tar.gz) = 9e0b219707046b55d0ca38627fb213b799ac98cf11541845b7e6b036a89dcdcf
-SIZE (shibboleth-sp-2.4.3.tar.gz) = 854326
+SHA256 (shibboleth-sp-2.5.1.tar.gz) = a697034fe56a170602a3907cde6faf822836b1ba23cdc11af315a81df6102f04
+SIZE (shibboleth-sp-2.5.1.tar.gz) = 952815
diff --git a/security/shibboleth2-sp/files/patch-configure.ac b/security/shibboleth2-sp/files/patch-configure.ac
deleted file mode 100644
index 90e629c972da..000000000000
--- a/security/shibboleth2-sp/files/patch-configure.ac
+++ /dev/null
@@ -1,11 +0,0 @@
---- configure.ac.orig 2009-12-01 19:07:37.000000000 +0200
-+++ configure.ac 2010-01-06 19:23:05.000000000 +0200
-@@ -717,7 +717,7 @@
- AC_MSG_CHECKING(for user-specified apu-config name/location)
- if test "$withval" != "no" ; then
- if test "$withval" != "yes"; then
-- APR_CONFIG=$withval
-+ APU_CONFIG=$withval
- AC_MSG_RESULT("$withval")
- fi
- fi
diff --git a/security/shibboleth2-sp/files/patch-makefiles-docdir b/security/shibboleth2-sp/files/patch-makefiles-docdir
new file mode 100644
index 000000000000..aa62695f5a1d
--- /dev/null
+++ b/security/shibboleth2-sp/files/patch-makefiles-docdir
@@ -0,0 +1,47 @@
+--- doc/Makefile.am.orig 2012-07-23 22:08:29.000000000 +0200
++++ doc/Makefile.am 2013-02-22 10:53:42.000000000 +0100
+@@ -1,7 +1,7 @@
+ AUTOMAKE_OPTIONS = foreign
+
+-pkgdocdir = $(datadir)/doc/@PACKAGE_NAME@-@PACKAGE_VERSION@
+-pkgwebdir = $(datadir)/@PACKAGE_NAME@
++pkgdocdir = $(datadir)/doc/@PACKAGE_NAME@
++pkgwebdir = $(datadir)/doc/@PACKAGE_NAME@
+
+ install-data-hook:
+ if test -d api ; then \
+--- doc/Makefile.in.orig 2012-12-04 05:50:56.000000000 +0100
++++ doc/Makefile.in 2013-02-22 10:53:42.000000000 +0100
+@@ -288,8 +288,8 @@
+ top_srcdir = @top_srcdir@
+ xs = @xs@
+ AUTOMAKE_OPTIONS = foreign
+-pkgdocdir = $(datadir)/doc/@PACKAGE_NAME@-@PACKAGE_VERSION@
+-pkgwebdir = $(datadir)/@PACKAGE_NAME@
++pkgdocdir = $(datadir)/doc/@PACKAGE_NAME@
++pkgwebdir = $(datadir)/doc/@PACKAGE_NAME@
+ docfiles = \
+ CREDITS.txt \
+ LICENSE.txt \
+--- configs/Makefile.am.orig 2012-12-04 05:49:50.000000000 +0100
++++ configs/Makefile.am 2013-02-22 10:53:42.000000000 +0100
+@@ -6,7 +6,7 @@
+ pkglogdir = ${localstatedir}/log/@PACKAGE_NAME@
+ shirelogdir = ${localstatedir}/log/httpd
+ pkgxmldir = $(datadir)/xml/@PACKAGE_NAME@
+-pkgwebdir = $(datadir)/@PACKAGE_NAME@
++pkgwebdir = $(datadir)/doc/@PACKAGE_NAME@
+ pkgrundir = $(localstatedir)/run/@PACKAGE_NAME@
+ pkgcachedir = $(localstatedir)/cache/@PACKAGE_NAME@
+ pkgsysconfdir = $(sysconfdir)/@PACKAGE_NAME@
+--- configs/Makefile.in.orig 2012-12-04 05:50:56.000000000 +0100
++++ configs/Makefile.in 2013-02-22 10:53:42.000000000 +0100
+@@ -291,7 +291,7 @@
+ pkglogdir = ${localstatedir}/log/@PACKAGE_NAME@
+ shirelogdir = ${localstatedir}/log/httpd
+ pkgxmldir = $(datadir)/xml/@PACKAGE_NAME@
+-pkgwebdir = $(datadir)/@PACKAGE_NAME@
++pkgwebdir = $(datadir)/doc/@PACKAGE_NAME@
+ pkgrundir = $(localstatedir)/run/@PACKAGE_NAME@
+ pkgcachedir = $(localstatedir)/cache/@PACKAGE_NAME@
+ pkgsysconfdir = $(sysconfdir)/@PACKAGE_NAME@
diff --git a/security/shibboleth2-sp/files/patch-shibboleth-spec b/security/shibboleth2-sp/files/patch-shibboleth-spec
new file mode 100644
index 000000000000..532bafccf508
--- /dev/null
+++ b/security/shibboleth2-sp/files/patch-shibboleth-spec
@@ -0,0 +1,26 @@
+--- shibboleth.spec.in.orig 2012-12-04 05:49:49.000000000 +0100
++++ shibboleth.spec.in 2013-06-03 16:19:28.000000000 +0200
+@@ -58,7 +58,7 @@
+ %if "%{_vendor}" == "suse"
+ %define pkgdocdir %{_docdir}/shibboleth
+ %else
+-%define pkgdocdir %{_docdir}/shibboleth-%{version}
++%define pkgdocdir %{_docdir}/shibboleth
+ %endif
+
+ %description
+@@ -202,14 +202,6 @@
+ /sbin/ldconfig
+ %endif
+
+-# Key generation or ownership fix
+-cd %{_sysconfdir}/shibboleth
+-if [ -f sp-key.pem ] ; then
+- %{__chown} %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || :
+-else
+- sh ./keygen.sh -b -u %{runuser} -g %{runuser}
+-fi
+-
+ # Fix ownership of log files (even on new installs, if they're left from an older one).
+ %{__chown} %{runuser}:%{runuser} %{_localstatedir}/log/shibboleth/* 2>/dev/null || :
+
diff --git a/security/shibboleth2-sp/files/shibboleth-sp.in b/security/shibboleth2-sp/files/shibboleth-sp.in
index 5a81e04202f5..65f874747287 100644
--- a/security/shibboleth2-sp/files/shibboleth-sp.in
+++ b/security/shibboleth2-sp/files/shibboleth-sp.in
@@ -11,9 +11,43 @@
name="shibboleth_sp"
rcvar=shibboleth_sp_enable
+: ${shibboleth_sp_enable:='NO'}
+: ${shibboleth_sp_flags:=''}
+
command=${shibboleth_sp_program:-%%PREFIX%%/sbin/shibd}
-pidfile="${shibboleth_sp_pidfile:-/var/run/${name}.pid}"
-command_args="-f -p ${pidfile}"
+pidfile="${shibboleth_sp_pidfile:-/var/run/shibboleth/${name}.pid}"
+start_precmd="shibboleth_sp_configtest"
+restart_precmd="shibboleth_sp_configtest"
+configtest_cmd="shibboleth_sp_configtest"
+keygen_cmd="shibboleth_sp_keygen"
+
+shibboleth_sp_user=%%SHIBD_USER%%
+shibboleth_sp_group=%%SHIBD_GROUP%%
load_rc_config $name
+
+command_args="-f -p ${pidfile} -u ${shibboleth_sp_user} -g ${shibboleth_sp_group}"
+confdir=${SHIBSP_CFGDIR:-%%PREFIX%%/etc}/shibboleth
+cert=sp-cert.pem
+key=sp-key.pem
+
+shibboleth_sp_configtest() {
+ if [ ! -s ${confdir}/${key} -o ! -s ${confdir}/${cert} ]; then
+ run_rc_command keygen
+ else
+ # update from 2.4.x, chown %%SHIBD_USER%% the key and cert
+ for f in ${confdir}/${key} ${confdir}/${cert}; do
+ set X `stat ${f}`
+ test $6 != ${shibboleth_sp_user} && chown ${shibboleth_sp_user}:${shibboleth_sp_group} ${f}
+ done
+ fi
+ ${command} ${shibboleth_sp_flags} -u ${shibboleth_sp_user} -g ${shibboleth_sp_group} -t
+}
+
+shibboleth_sp_keygen() {
+ %%SH%% ${confdir}/keygen.sh -o ${confdir} -u ${shibboleth_sp_user} -g ${shibboleth_sp_group}
+}
+
+extra_commands="configtest keygen"
+
run_rc_command "$1"
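Review bot: In shibboleth_sp_configtest the owner check reads the default `stat ${f}` output by position (`set X` followed by `test $6 != ...`) with every expansion unquoted, so if stat fails or the field layout differs, `test` receives a malformed expression and the chown is skipped without a clear error. Asking stat for the owner directly is sturdier: `owner=$(stat -f %Su "${f}")` and then `[ "${owner}" != "${shibboleth_sp_user}" ] && chown "${shibboleth_sp_user}:${shibboleth_sp_group}" "${f}"`. The check looks only at the owner, so a private key that was group- or world-readable before the upgrade stays that way. A comment above the loop saying that the file mode is left as found would make that explicit.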
diff --git a/security/shibboleth2-sp/pkg-descr b/security/shibboleth2-sp/pkg-descr
index 69a5d4d6ec80..6ee434a8a710 100644
--- a/security/shibboleth2-sp/pkg-descr
+++ b/security/shibboleth2-sp/pkg-descr
@@ -10,4 +10,4 @@ service provider manages secured resources. User access to resources
is based on assertions received by the service provider (SP) from
an identity provider.
-WWW: http://shibboleth.internet2.edu/
+WWW: http://shibboleth.internet2.edu/
diff --git a/security/shibboleth2-sp/pkg-plist b/security/shibboleth2-sp/pkg-plist
index 560d302da628..0e4b0dd03c27 100644
--- a/security/shibboleth2-sp/pkg-plist
+++ b/security/shibboleth2-sp/pkg-plist
@@ -64,11 +64,13 @@ etc/shibboleth/shibd-suse
etc/shibboleth/shibd-osx.plist
etc/shibboleth/apache.config
etc/shibboleth/apache2.config
+@unexec if cmp -s %D/etc/shibboleth/attrChecker.html.dist %D/etc/shibboleth/attrChecker.html; then rm -f %D/etc/shibboleth/attrChecker.html; fi
+etc/shibboleth/attrChecker.html.dist
+@exec if [ ! -f %D/etc/shibboleth/attrChecker.html ] ; then cp -p %D/etc/shibboleth/attrChecker.html.dist %D/etc/shibboleth/attrChecker.html; fi
etc/shibboleth/apache22.config
+etc/shibboleth/apache24.config
etc/shibboleth/keygen.sh
etc/shibboleth/upgrade.xsl
-etc/shibboleth/sp-key.pem
-etc/shibboleth/sp-cert.pem
@unexec if cmp -s %D/etc/shibboleth/postTemplate.html.dist %D/etc/shibboleth/postTemplate.html; then rm -f %D/etc/shibboleth/postTemplate.html; fi
etc/shibboleth/postTemplate.html.dist
@exec if [ ! -f %D/etc/shibboleth/postTemplate.html ] ; then cp -p %D/etc/shibboleth/postTemplate.html.dist %D/etc/shibboleth/postTemplate.html; fi
@@ -88,6 +90,7 @@ include/shibsp/SessionCacheEx.h
include/shibsp/TransactionLog.h
include/shibsp/attribute/Attribute.h
include/shibsp/attribute/AttributeDecoder.h
+include/shibsp/attribute/BinaryAttribute.h
include/shibsp/attribute/ExtensibleAttribute.h
include/shibsp/attribute/NameIDAttribute.h
include/shibsp/attribute/ScopedAttribute.h
@@ -102,10 +105,10 @@ include/shibsp/attribute/resolver/AttributeExtractor.h
include/shibsp/attribute/resolver/AttributeResolver.h
include/shibsp/attribute/resolver/ResolutionContext.h
include/shibsp/base.h
-include/shibsp/config_pub.h
include/shibsp/binding/ArtifactResolver.h
include/shibsp/binding/ProtocolProvider.h
include/shibsp/binding/SOAPClient.h
+include/shibsp/config_pub.h
include/shibsp/exceptions.h
include/shibsp/handler/AbstractHandler.h
include/shibsp/handler/AssertionConsumerService.h
@@ -113,6 +116,7 @@ include/shibsp/handler/Handler.h
include/shibsp/handler/LogoutHandler.h
include/shibsp/handler/LogoutInitiator.h
include/shibsp/handler/RemotedHandler.h
+include/shibsp/handler/SecuredHandler.h
include/shibsp/handler/SessionInitiator.h
include/shibsp/lite/CommonDomainCookie.h
include/shibsp/lite/SAMLConstants.h
@@ -126,21 +130,20 @@ include/shibsp/security/SecurityPolicy.h
include/shibsp/security/SecurityPolicyProvider.h
include/shibsp/util/CGIParser.h
include/shibsp/util/DOMPropertySet.h
+include/shibsp/util/IPRange.h
include/shibsp/util/PropertySet.h
include/shibsp/util/SPConstants.h
include/shibsp/util/TemplateParameters.h
include/shibsp/version.h
-lib/libshibsp.so.5
+lib/libshibsp.so.6
lib/libshibsp.so
lib/shibboleth/adfs.so
-lib/shibboleth/adfs.la
lib/shibboleth/adfs-lite.so
-lib/shibboleth/adfs-lite.la
+lib/shibboleth/plugins-lite.so
+lib/shibboleth/plugins.so
%%WITH_APACHE_22%%lib/shibboleth/mod_shib_22.so
-%%WITH_APACHE_22%%lib/shibboleth/mod_shib_22.la
-%%WITH_APACHE_20%%lib/shibboleth/mod_shib_20.so
-%%WITH_APACHE_20%%lib/shibboleth/mod_shib_20.la
-lib/libshibsp-lite.so.5
+%%WITH_APACHE_24%%lib/shibboleth/mod_shib_24.so
+lib/libshibsp-lite.so.6
lib/libshibsp-lite.so
sbin/shibd
share/xml/shibboleth/catalog.xml
@@ -155,20 +158,22 @@ share/xml/shibboleth/shibboleth-metadata-1.0.xsd
share/xml/shibboleth/shibboleth.xsd
share/xml/shibboleth/WS-Trust.xsd
share/doc/shibboleth/CREDITS.txt
+share/doc/shibboleth/FASTCGI.LICENSE
share/doc/shibboleth/LICENSE.txt
+share/doc/shibboleth/LOG4CPP.LICENSE
share/doc/shibboleth/NOTICE.txt
+share/doc/shibboleth/OPENSSL.LICENSE
share/doc/shibboleth/README.txt
share/doc/shibboleth/RELEASE.txt
-share/doc/shibboleth/FASTCGI.LICENSE
-share/doc/shibboleth/OPENSSL.LICENSE
-share/doc/shibboleth/LOG4CPP.LICENSE
share/doc/shibboleth/main.css
-share/doc/shibboleth/logo.jpg
-@exec mkdir -p %D/data
+@exec mkdir -p /var/cache/shibboleth
+@exec chown -R %%SHIBD_USER%%:%%SHIBD_GROUP%% /var/cache/shibboleth
@exec mkdir -p /var/log/shibboleth
+@exec chown -R %%SHIBD_USER%%:%%SHIBD_GROUP%% /var/log/shibboleth
@exec mkdir -p /var/run/shibboleth
-@exec chown www:www /var/run/shibboleth
-@exec chmod -R ug=rwx,o= /var/run/shibboleth
+@exec chown -R %%SHIBD_USER%%:%%WWWGRP%% /var/run/shibboleth
+@exec chmod -R u=rwx,g=rx,o= /var/run/shibboleth
+@unexec rm -rf /var/cache/shibboleth 2>&1 >/dev/null || true
@unexec rm -rf /var/run/shibboleth 2>&1 >/dev/null || true
@dirrmtry share/doc/shibboleth/api
@dirrmtry share/doc/shibboleth
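Review bot: The added `@unexec rm -rf /var/cache/shibboleth 2>&1 >/dev/null || true` has its redirections in the wrong order: `2>&1` is applied first, so stderr still goes to the original stdout and only stdout is discarded. `>/dev/null 2>&1` silences both; the pre-existing /var/run/shibboleth line after it has the same ordering. Separately, `chmod -R u=rwx,g=rx,o=` also sets the execute bit on any regular files under /var/run/shibboleth. `u=rwX,g=rX,o=` would limit it to directories, and the same mode string appears in the Makefile's post-install target.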