Bug 1375847

Summary: SAML2Auth date checks fail when datetime has a zero in them
Product: [Community] Bugzilla
Reporter: Jeff Fearn 🐞 <jfearn>
Component: Bugzilla General
Assignee: Jeff Fearn 🐞 <jfearn>
Status: CLOSED NEXTRELEASE
QA Contact: tools-bugs <tools-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 5.0
CC: huiwang, jfearn, mtahir, qgong
Target Milestone: 5.0
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 5.0.3-rh8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-12 10:59:49 UTC
Type: Bug

Description Jeff Fearn 🐞 2016-09-14 05:24:51 UTC
Description of problem:
If a component of date time has a zero, like 1 minute and zero seconds, then the datetime check fails.

Version-Release number of selected component (if applicable):
5.0

How reproducible:
difficult

Steps to Reproduce:
1. Get a saml datetime check to receive a value with a zero in any datetime position

Actual results:
Check fails with invalid datetime message

Expected results:
Handles zeros

Additional info:
Can be reproduced on a server connected to the Fedora prod IDP as its expiry date has a zero on the month (because January is zero apparently L-/)

You can reset a server by running this SQL:

update saml2auth_idp set metadata = '' where name like 'Fedora%';

Comment 1 Rony Gong 🔥 2016-10-10 02:54:42 UTC
@Jeff, could you give more detailed steps to verify this bug?

If I run the below on the QE server, I'm afraid I can't recover the data in metadata.
update saml2auth_idp set metadata = '' where name like 'Fedora%';

Comment 2 Jeff Fearn 🐞 2016-10-10 03:35:00 UTC
(In reply to Rony Gong from comment #1)
> @Jeff, could you give more detailed steps to verify this bug?
> 
> If I run the below on the QE server, I'm afraid I can't recover the data in
> metadata.
> update saml2auth_idp set metadata = '' where name like 'Fedora%';

Fedora is set-up properly so if you just try and login using FAS it will pull the metadata in.

Comment 3 Rony Gong 🔥 2016-10-10 05:18:49 UTC
After executing: update saml2auth_idp set metadata = '' where name like 'Fedora%';

Then try to log in via Fedora Account System: click the link 'Fedora Account System', and the page shows the error:

Parsing of the IDP's metadata failed: Crypt::OpenSSL::X509: failed to read X509 certificate. at /usr/share/perl5/vendor_perl/Net/SAML2/IdP.pm line 168. .

Comment 4 Jeff Fearn 🐞 2016-10-11 03:18:39 UTC
Hi Rony, it looks like the metadata the server is sending is bogus. I had to d/l the metadata, remove the incorrect data, and manually import the metadata. It seems to work fine for logging in after that. So this isn't a problem with our code AFAICT.

Comment 5 Rony Gong 🔥 2016-10-12 02:32:55 UTC
Tested on QA environment (5.0.3-rh8)
Result: Pass