Bug 1469589

Summary: Auth External Auth SAML - Users with custom groups with special chars can't log in.
Product: Red Hat CloudForms Management Engine
Reporter: Matt Pusateri <mpusater>
Component: Appliance
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED CURRENTRELEASE
QA Contact: Antonin Pagac <apagac>
Severity: medium
Priority: medium
Version: 5.8.0
CC: abellott, dajohnso, jhardy, jvlcek, mpusater, obarenbo, simaishi
Target Milestone: GA
Keywords: TestOnly, ZStream
Target Release: 5.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:externalauth:saml
Fixed In Version: 5.10.0.0
Clone Of:
: 1552792
Last Closed: 2019-06-18 17:29:07 UTC
Type: Bug
Bug Depends On: 1533226
Bug Blocks: 1552792
Attachments: audit log (flags: none), evm log (flags: none)

Description Matt Pusateri 2017-07-11 14:17:04 UTC
Description of problem:
Auth External Auth SAML - User with custom group with special characters can't log in. - User with SR-APP-EPM-Membre-équipe Group gets "Authentication failed for userid test-user3, unable to match user's group membership to an EVM role" error message.

Version-Release number of selected component (if applicable):
5.8.1.0 (probably 5.7.3.0 as well)

How reproducible:


Steps to Reproduce:
1. Configure appliance to use SAML
2. Create user who has a custom group like "SR-APP-EPM-Membre-équipe"
3. Add custom group to cfme and assign role.
4. Log in with user.

Actual results:
Login fails with unable to match user's group membership to an EVM role

Expected results:
User should be able to log in. 

Additional info:

Comment 2 Matt Pusateri 2017-07-11 14:25:20 UTC
Created attachment 1296266
audit log

Comment 3 Matt Pusateri 2017-07-11 14:25:51 UTC
Created attachment 1296267
evm log

Comment 4 Joe Vlcek 2017-11-06 21:04:24 UTC
Matt, is this still happening? If so, is it restricted to only SAML or all External Auth?

Thanks, JoeV

Comment 5 Matt Pusateri 2018-01-10 19:25:55 UTC
SAML only I believe.

Still an issue on 5.9.0.15.

Comment 6 Matt Pusateri 2018-02-01 20:45:37 UTC
Still an issue on 5.8.3.2. I did notice if the user has multiple groups, the user can log in with a valid group (ex: built in cfme group), but can't switch to group with special chars in it.

Comment 7 Joe Vlcek 2018-02-12 22:50:31 UTC
Just an FYI:

The fix will be to unescape the group name from the headers.

Something like this:

> git diff app/models/authenticator/httpd.rb 
-      [user_attrs, (request.headers['X-REMOTE-USER-GROUPS'] || '').split(/[;:,]/)]
+      [user_attrs, (CGI.unescape(request.headers['X-REMOTE-USER-GROUPS']) || '').split(/[;:,]/)]
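
Review bot: on the `+` line, `CGI.unescape` receives `request.headers['X-REMOTE-USER-GROUPS']` before the `|| ''` fallback is applied, so a request without that header passes nil to `CGI.unescape`, which raises instead of producing an empty group list. Move the fallback inside the call: `CGI.unescape(request.headers['X-REMOTE-USER-GROUPS'] || '')`. Decoding ahead of `.split(/[;:,]/)` also means a percent-encoded `;`, `:` or `,` inside a group name is treated as a separator; splitting first and unescaping each element keeps such a name intact.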


PR to come soon.

JoeV

Comment 9 CFME Bot 2018-02-16 18:21:55 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/5963f382efc1be2197298e774ce3ae30af5381ee

commit 5963f382efc1be2197298e774ce3ae30af5381ee
Author:     Joe VLcek <jvlcek>
AuthorDate: Tue Feb 13 16:21:29 2018 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Tue Feb 13 16:21:29 2018 -0500

    Handle group names with encoded special characters
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1469589
    
    Group names in the headers at index X-REMOTE-USER-GROUPS need to
    be decoded in order to handle special characters.

 app/models/authenticator/httpd.rb       |  2 +-
 spec/models/authenticator/httpd_spec.rb | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
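
The group-name decoding described in this commit message, as an added Ruby example (not the ManageIQ code): it shows why the percent-encoded header value fails to match the configured group and how decoding resolves it. The helper names and sample values are hypothetical, and it assumes separators between names arrive literally, so it decodes each name after splitting rather than before as in the one-line diff in comment 7.

```ruby
require 'cgi'

DELIMITERS = /[;:,]/ # same separator set as the split shown on this page

# Behaviour before the fix: split only, names stay percent-encoded.
def groups_raw(header)
  (header || '').split(DELIMITERS)
end

# Hypothetical helper: a missing header yields [], and each name is decoded
# after splitting so an encoded separator (e.g. %2C) stays inside its name.
def groups_decoded(header)
  (header || '').split(DELIMITERS).map do |encoded|
    name = CGI.unescape(encoded).force_encoding(Encoding::UTF_8)
    # Reject byte sequences that do not decode to valid UTF-8 instead of
    # comparing a malformed string against configured group names.
    raise ArgumentError, 'invalid UTF-8 in group name' unless name.valid_encoding?
    name
  end
end

# Constructed sample data; \u00E9 is the "é" in the group name from this bug.
CONFIGURED_GROUPS = ["SR-APP-EPM-Membre-\u00E9quipe", 'EvmGroup-user'].freeze
SAMPLE_HEADER = 'SR-APP-EPM-Membre-%C3%A9quipe:other-group'

# Groups the user holds that are also configured with a role.
def matching_groups(user_groups)
  user_groups & CONFIGURED_GROUPS
end

if __FILE__ == $PROGRAM_NAME
  puts "raw:     #{matching_groups(groups_raw(SAMPLE_HEADER)).inspect}"
  puts "decoded: #{matching_groups(groups_decoded(SAMPLE_HEADER)).inspect}"
end
```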

Comment 10 Joe Vlcek 2018-02-16 20:46:12 UTC
*** Bug 1540732 has been marked as a duplicate of this bug. ***

Comment 12 Antonin Pagac 2019-06-10 13:09:05 UTC
Verified with 5.10.5.1 and 5.11.0.7.