Bug 1469589
| Summary: | Auth External Auth SAML - Users with custom groups with special chars can't log in. | | |
|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Matt Pusateri <mpusater> |
| Component: | Appliance | Assignee: | Joe Vlcek <jvlcek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Antonin Pagac <apagac> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.8.0 | CC: | abellott, dajohnso, jhardy, jvlcek, mpusater, obarenbo, simaishi |
| Target Milestone: | GA | Keywords: | TestOnly, ZStream |
| Target Release: | 5.10.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | auth:externalauth:saml | | |
| Fixed In Version: | 5.10.0.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1552792 | Environment: | |
| Last Closed: | 2019-06-18 17:29:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1533226 | | |
| Bug Blocks: | 1552792 | | |
| Attachments: | | | |

Description
Matt Pusateri
2017-07-11 14:17:04 UTC
Created attachment 1296266: audit log
Created attachment 1296267: evm log

Matt, is this still happening? If so, is it restricted to only SAML or all External Auth?
Thanks,
JoeV

SAML only I believe. Still an issue on 5.9.0.15.

Still an issue on 5.8.3.2. I did notice if the user has multiple groups, the user can log in with a valid group (ex: built-in cfme group), but can't switch to a group with special chars in it.

Just an FYI:
The fix will be to unescape the group name from the headers.
Something like this:
> git diff app/models/authenticator/httpd.rb
- [user_attrs, (request.headers['X-REMOTE-USER-GROUPS'] || '').split(/[;:,]/)]
+ [user_attrs, (CGI.unescape(request.headers['X-REMOTE-USER-GROUPS']) || '').split(/[;:,]/)]
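Review bot: On the `+` line, `CGI.unescape(...)` now wraps the header lookup itself, so the `|| ''` fallback sits outside the call; a request without `X-REMOTE-USER-GROUPS` passes nil to `CGI.unescape`, which raises before the fallback is reached. Move the default inside the call, for example `CGI.unescape(request.headers['X-REMOTE-USER-GROUPS'] || '')`. Decoding the whole header before `split(/[;:,]/)` also means an encoded `;`, `:` or `,` inside a group name is decoded and then treated as a separator, so consider splitting first and unescaping each element.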
PR to come soon.
JoeV

New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/5963f382efc1be2197298e774ce3ae30af5381ee

commit 5963f382efc1be2197298e774ce3ae30af5381ee
Author:     Joe VLcek <jvlcek>
AuthorDate: Tue Feb 13 16:21:29 2018 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Tue Feb 13 16:21:29 2018 -0500

    Handle group names with encoded special characters

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1469589

    Group names in the headers at index X-REMOTE-USER-GROUPS
    need to be decoded in order to handle special characters.

 app/models/authenticator/httpd.rb       |  2 +-
 spec/models/authenticator/httpd_spec.rb | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

*** Bug 1540732 has been marked as a duplicate of this bug. ***

Verified with 5.10.5.1 and 5.11.0.7.
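
An added example (not ManageIQ code and not part of the original bug comments) comparing three ways of parsing `X-REMOTE-USER-GROUPS`: no decoding, decoding before the split as in the snippet in the comments, and splitting before decoding. The helper names, the sample header and the group list are constructed, and it assumes the web server percent-encodes each group name and joins the names with a literal `:`.

```ruby
require 'cgi'

# Added illustration, not ManageIQ code. Assumption: the web server sends
# each group name percent-encoded and joins the names with a literal ':'.
DELIMITERS = /[;:,]/ # separators from the split shown on the page

# Behaviour before the fix: names are never decoded.
def split_only(raw)
  (raw || '').split(DELIMITERS)
end

# Order used in the snippet on the page, with the nil guard moved inside.
def decode_then_split(raw)
  CGI.unescape(raw || '').split(DELIMITERS)
end

# Alternative order: split on literal separators, then decode each name.
def split_then_decode(raw)
  (raw || '').split(DELIMITERS).reject(&:empty?).map { |g| CGI.unescape(g) }
end

# Which configured groups does a parser hand to the group lookup?
def matched_groups(parsed, configured)
  parsed & configured
end

# Constructed sample data: the user belongs to three groups, one of which
# contains '&' and one of which contains ':' (sent as %26 and %3A).
CONFIGURED = ['evmgroup-user', 'Ops&Dev', 'EMEA:Admins', 'Admins'].freeze
HEADER = 'evmgroup-user:Ops%26Dev:EMEA%3AAdmins'

if __FILE__ == $PROGRAM_NAME
  { split_only: split_only(HEADER),
    decode_then_split: decode_then_split(HEADER),
    split_then_decode: split_then_decode(HEADER) }.each do |name, groups|
    matched = matched_groups(groups, CONFIGURED)
    puts "#{name}: #{groups.inspect} -> #{matched.inspect}"
  end
end
```

With this input, decoding before the split matches the unrelated group `Admins` because the decoded `:` in `EMEA:Admins` is read as a separator; splitting first keeps the name intact.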