Bug 1456855

Summary: mellon-root and mellon-protected-locations need to be validated
Product: [Fedora] Fedora
Reporter: John Dennis <jdennis>
Component: keycloak-httpd-client-install
Assignee: John Dennis <jdennis>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: jdennis, spoore
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: keycloak-httpd-client-install-0.8-1.fc27
Doc Type: If docs needed, set a value
Clones: 1481322
Last Closed: 2018-01-10 17:51:07 UTC
Type: Bug
Bug Blocks: 1481322

Description John Dennis 2017-05-30 14:16:37 UTC
keycloak-httpd-client-install will permit creating a non-working configuration if mellon-protected-locations are not equal to or ancestors of mellon-root. The relationship between mellon-root and mellon-protected-locations should be validated.

This error was evident in bug #1447770, which ran keycloak-httpd-client-install this way:

[root@sp1 ~]# keycloak-httpd-client-install   \
      --client-originate-method registration \
      --keycloak-server-url https://idp.keycloak.test:8443 \
      --keycloak-admin-username admin \
      --keycloak-admin-password Secret1230 \
      --app-name testapp \
      --keycloak-realm test_realm \
      --mellon-protected-locations "/private" \
      --mellon-root mellon_root \
      --force

It produced this runtime error message in the error_log:

"Error adding IdP to lasso server object. Please verify the following configuration directives: MellonIdPMetadataFile and MellonIdPPublicKeyFile."

It also produced a server 500 error during access to the protected location.

The fundamental problem is there were no IdPs defined for the protected location.

The error message is cryptic and misleading: it implies there is a problem loading the IdP metadata (e.g. file access permissions, bad XML, etc.) when in fact the problem is that there was no metadata to load, not that the metadata file was the problem. We need to check the count of IdP metadata and emit a different message if no IdP metadata is defined. The reason this is confusing is that the IdP metadata often is defined; it's just not available to the protected location. Also, there probably should be a better error than server 500. Is there an HTTP error for server misconfiguration? If not, then the configuration should be validated at mellon load time so the server fails to start, rather than a lazy load which permits the server to start with a non-functioning configuration.
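
The two checks the report asks for, as an added Python example (not code from keycloak-httpd-client-install or mod_auth_mellon): an argument-time validation that every --mellon-protected-locations value is equal to or beneath --mellon-root, and a config-time check that counts the IdP metadata actually visible from each protected <Location>. The example assumes the layout the installer writes, i.e. the Mellon SP/IdP directives sit in a <Location> for mellon-root and each protected location is its own <Location> with "MellonEnable auth", and it relies on Apache merging per-directory directives from ancestor <Location> blocks into descendants, which is why a protected location outside mellon-root ends up with no IdP. The sample config text, file names and the function names are constructed for the example.

```python
import posixpath
import re


class MellonLocationError(ValueError):
    """A protected location cannot inherit the mellon-root Mellon directives."""


def normalize_location(location):
    # Apache <Location> paths are URL paths: make 'mellon_root' absolute,
    # collapse '//' and '..', and drop a trailing slash so '/private/' == '/private'.
    if not location.startswith("/"):
        location = "/" + location
    return posixpath.normpath(location)


def is_at_or_below(location, root):
    # Compare on path-segment boundaries: '/privateX' is NOT below '/private'.
    if root == "/":
        return True
    return location == root or location.startswith(root + "/")


def validate_protected_locations(mellon_root, protected_locations):
    # Argument-time check: reject any protected location outside mellon-root
    # before a non-working httpd config is written.
    root = normalize_location(mellon_root)
    normalised = [normalize_location(loc) for loc in protected_locations]
    outside = [loc for loc in normalised if not is_at_or_below(loc, root)]
    if outside:
        raise MellonLocationError(
            "protected location(s) %s are not equal to or below mellon-root %s; "
            "mod_auth_mellon would see no IdP metadata for them"
            % (", ".join(outside), root))
    return root, normalised


# Flat, non-nested <Location> blocks only (what the installer emits); this is
# deliberately not a general Apache configuration parser.
_LOCATION_RE = re.compile(
    r"<Location\s+(?P<path>[^\s>]+)\s*>(?P<body>.*?)</Location>", re.S | re.I)


def parse_location_blocks(config_text):
    # Returns {normalised_location_path: {directive_name: value}}.
    blocks = {}
    for m in _LOCATION_RE.finditer(config_text):
        directives = {}
        for line in m.group("body").splitlines():
            parts = line.strip().split(None, 1)
            if not parts or parts[0].startswith("#"):
                continue
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
        blocks[normalize_location(m.group("path"))] = directives
    return blocks


def idp_metadata_in_scope(blocks, location):
    # IdP metadata files a location sees after Apache's per-directory merge:
    # its own block plus every ancestor <Location> block.
    return [d["MellonIdPMetadataFile"] for path, d in blocks.items()
            if is_at_or_below(location, path) and "MellonIdPMetadataFile" in d]


def protected_locations_without_idp(config_text):
    # Config-time check: protected (MellonEnable auth) locations with zero IdPs
    # in scope. This is the "count the IdP metadata" test the bug asks for,
    # instead of assuming the metadata file itself is unreadable.
    blocks = parse_location_blocks(config_text)
    return [path for path, d in blocks.items()
            if d.get("MellonEnable", "").lower() == "auth"
            and not idp_metadata_in_scope(blocks, path)]


# Constructed sample resembling the layout the bug's command line produced:
# the IdP metadata lives under /mellon_root but /private is a sibling of it.
BROKEN_CONFIG = """
<Location /mellon_root>
    MellonEnable info
    MellonEndpointPath /mellon_root/mellon
    MellonSPMetadataFile /etc/httpd/saml2/testapp_sp_metadata.xml
    MellonIdPMetadataFile /etc/httpd/saml2/testapp_idp_metadata.xml
</Location>

<Location /private>
    MellonEnable auth
</Location>
"""

# Constructed working variant: the protected location is nested under mellon-root.
WORKING_CONFIG = BROKEN_CONFIG.replace("<Location /private>",
                                       "<Location /mellon_root/private>")

if __name__ == "__main__":
    print("broken config, auth locations without IdP:",
          protected_locations_without_idp(BROKEN_CONFIG))
    print("working config, auth locations without IdP:",
          protected_locations_without_idp(WORKING_CONFIG))
    try:
        validate_protected_locations("mellon_root", ["/private"])
    except MellonLocationError as e:
        print("rejected at argument time:", e)
```

Running the argument check on the command line from the report ("mellon_root" and "/private") raises before any config is written; running the config check on the broken layout reports /private as a protected location with no IdP in scope, which is the condition behind the "Error adding IdP to lasso server object" message. The normalisation step also makes the relative "mellon_root" value absolute, so the comparison does not silently pass or fail on a missing leading slash.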

Comment 1 Jan Kurik 2017-08-15 07:55:08 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.