Bug 1481332

Summary: Rebase to current upstream
Product: Red Hat Enterprise Linux 7
Reporter: John Dennis <jdennis>
Component: mod_auth_mellon
Assignee: John Dennis <jdennis>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 7.5
CC: nkinder, spoore
Target Milestone: rc
Keywords: Rebase
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: mod_auth_mellon-0.13.1-1.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-04-10 17:08:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description John Dennis 2017-08-14 15:37:02 UTC
RHEL 7 currently ships mod_auth_mellon 0.11.0. Upstream Mellon has made a number of bug fixes and feature enhancements in the interim. It's time to pull this into RHEL 7.

Comment 4 Scott Poore 2018-01-12 21:56:04 UTC
Verified.

Version ::

mod_auth_mellon-0.13.1-1.el7.x86_64

Results ::

# First Setup IPA/RH-SSO environment
# Setup IPA server
# Setup IPA client
# On IPA Server, create basic user, disabled user, and OTP user
# Setup Trust with AD Domain 
# Setup RH-SSO 7.1.3 standalone server on IPA client
# Realm demorealm created and SSSD Federation Plugin setup
# On SP, install apache and mod_auth_mellon

# SP configuration:

[root@sp1 ~]# keycloak-httpd-client-install \
    --client-originate-method registration \
    --keycloak-server-url https://idp.keycloak.test:8443 \
    --keycloak-admin-username admin \
    --keycloak-admin-password Secret123 \
    --app-name example_app \
    --keycloak-realm demorealm \
    --mellon-root example_app \
    --mellon-https-port 8443 \
    --mellon-protected-locations "/example_app/private" \
    --force

[root@sp1 ~]# cat /var/www/html/example_app/private/index.html 
<html><title>Secure</title>Hello there...from SP ...<br>
<a href="https://sp1.keycloak.test:8443/example_app/mellon/logout?ReturnTo=https://sp1.keycloak.test:8443/example_app/logged_out.html">Log out</a>
<hr>
<pre><!--#printenv --></pre>

[root@sp1 ~]# cat /var/www/html/example_app/logged_out.html 
<html>
<title>Logout</title>
<p>
Congratulations, you've been logged out!
</p>
<p>
Now try to <a href="/example_app/private/">log back in</a>
</p>
</html>

[root@sp1 ~]# cat /var/www/html/test.html 
<form action = "/example_app/private/test.py" method = "post">
Input: <input type = "text" name = "data">
<input type = "submit" value = "Submit" />
</form>

[root@sp1 ~]# cat /var/www/html/example_app/private/test.py
#!/usr/bin/python
# Python 2 CGI script: echoes the POSTed "data" field so that a POST into
# the mellon-protected area can be checked end to end (see test6 below).

import cgi

form = cgi.FieldStorage()
# default to '' so a missing field does not print "Hello None"
data = form.getvalue('data', '')
# HTML-escape the reflected value so a crafted field cannot inject markup
data = cgi.escape(data, quote=True)
print """Content-type:text/html\r\n\r\n
<html>
<head>
<title>Test CGI Program</title>
</head>
<body>
<h2>Hello %s</h2>
</body>
</html>
""" % (data)


# Create curl login script for simple testing:

[root@sp1 ~]# cat ./saml_login
#!/bin/bash
# SP-initiated SAML login from the command line, after:
# http://www.ssocircle.com/en/developer-tutorial-saml-testing-using-curl-and-ssocheck-api/developer-tutorial-part-i-a-saml-sso-flow-from-the-command-line-with-curl/
# Usage: ./saml_login [user] [password] [protected SP URL]
# Note: -k disables TLS certificate verification (lab certificates only).

rm -f cookies output[1234]

echo "$1 $2 $3"
USER=${1:-ipauser1}
PASS=${2:-Secret123}
SPURL=${3:-"https://sp1.keycloak.test:8443/example_app/private"}

# 1. GET the protected page; mellon redirects to the IdP, which returns the Keycloak login form
curl -k -L -c cookies -b cookies -s -o output1 "${SPURL}"

# action URL of the <form id="kc-form-login">
LOGIN=$(grep 'id="kc-form-login"' output1 | cut -d'"' -f6)

# 2. POST the credentials to the IdP; on success it answers with an auto-submit form
curl -k -L -c cookies -b cookies -s -o output2 --data-urlencode username="${USER}" --data-urlencode password="${PASS}" "${LOGIN}"

# 3. Pull the ACS URL, SAMLResponse and RelayState out of that form (recode decodes HTML entities).
#    If the login failed there is no such form and URL stays empty.
URL=$(grep -i "action=" output2 | cut -d'"' -f6 | recode html)
SAML=$(grep -i samlresponse output2 | cut -d'"' -f12 | recode html | tr -d '\r\n')
RELAY=$(grep -i relaystate output2 | cut -d'"' -f18 | recode html)

# 4. POST the assertion to the SP's assertion consumer service; output3 is the protected page
curl -k -L -c cookies -b cookies  -s -o output3 --data-urlencode SAMLResponse="${SAML}" --data-urlencode RelayState="${RELAY}" $URL

cat output3

# now execute basic tests:

####################################################################
# test1:  basic user login
####################################################################
[root@sp1 ~]# ./saml_login ipauser1 Secret123
ipauser1 Secret123 
<html><title>Secure</title>Hello there...from SP ...<br>
<a href="https://sp1.keycloak.test:8443/example_app/mellon/logout?ReturnTo=https://sp1.keycloak.test:8443/example_app/logged_out.html">Log out</a>
<hr>
<pre>UNIQUE_ID=WlkTfmdNAylvGBUIcQ1WiwAAAAM
MELLON_NAME_ID=G-710959c9-8d72-472a-8315-6d8e4409273b
MELLON_NAME_ID_0=G-710959c9-8d72-472a-8315-6d8e4409273b
MELLON_groups=ipausers
MELLON_groups_0=ipausers
...trunc...
</pre>

####################################################################
# test2: otp user login
# done with FreeOTP app on smartphone
####################################################################
[root@sp1 ~]# ./saml_login otpuser1 Secret123461082
otpuser1 Secret123461082 
<html><title>Secure</title>Hello there...from SP ...<br>
<a href="https://sp1.keycloak.test:8443/example_app/mellon/logout?ReturnTo=https://sp1.keycloak.test:8443/example_app/logged_out.html">Log out</a>
<hr>
<pre>UNIQUE_ID=WlkTb6JWg5vCSGScudnI1AAAAAE
MELLON_NAME_ID=G-fb4764c2-1f6b-4947-977c-4ffdfdbcfca3
MELLON_NAME_ID_0=G-fb4764c2-1f6b-4947-977c-4ffdfdbcfca3
MELLON_groups=ipausers
MELLON_groups_0=ipausers
MELLON_groups_1=otpusers
...trunc...
</pre>

####################################################################
# test3: disabled user
####################################################################
[root@sp1 ~]# ./saml_login disableduser1 Secret123
disableduser1 Secret123 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" class="login-pf">
...trunc...
                                <span class="kc-feedback-text">Invalid username or password.</span>
...
    </div>
</body>
</html>

####################################################################
# test4: nonexistent user
####################################################################
[root@sp1 ~]# ./saml_login dneuser1 Secret123
dneuser1 Secret123 
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
cat: output3: No such file or directory

This is an indicator that the lookup failed.

####################################################################
# test5: AD Trusted User
####################################################################
[root@sp1 ~]# ./saml_login aduser1 Secret123
aduser1 Secret123 
<html><title>Secure</title>Hello there...from SP ...<br>
<a href="https://sp1.keycloak.test:8443/example_app/mellon/logout?ReturnTo=https://sp1.keycloak.test:8443/example_app/logged_out.html">Log out</a>
<hr>
<pre>UNIQUE_ID=WlkVFbRTllJWdOo4LWBnsQAAAAA
MELLON_NAME_ID=G-e0f2786c-6ac0-450a-9eaf-2714dd4f63f3
MELLON_NAME_ID_0=G-e0f2786c-6ac0-450a-9eaf-2714dd4f63f3
MELLON_groups=domain users
MELLON_groups_0=domain users
...trunc...
</pre>

####################################################################
# test6: access with POST as IPA user
####################################################################
# This test was done from a web browser accessing:
https://sp1.keycloak.test:8443/test.html
This presents the form that POSTs to the python script in the protected area. So, after submitting, the browser is redirected to the IdP.
After entering ipauser1 and Secret123, I'm redirected to the python script in the protected area with the POST data reposted by mellon and processed as expected.
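
The same SP-initiated login that the saml_login script above drives with curl, grep and cut, written as an added example (not code from the bug report, mod_auth_mellon or Keycloak). It parses the IdP pages with html.parser instead of counting quote characters, so the "nonexistent user" case becomes an explicit error rather than curl's "no URL specified!", and it verifies the server certificate instead of passing -k: the lab CA is supplied through an assumed `cafile` argument. Host names and paths are the ones from the verification run; the two sample pages are constructed stand-ins for a Keycloak auto-submit page and a re-rendered login page, and the SAMLResponse value in them is a placeholder, not a real assertion.

```python
# Added example, not code from the bug report, mod_auth_mellon or Keycloak.
import http.cookiejar
import ssl
import sys
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# lab SP URL from the bug report
SP_URL = "https://sp1.keycloak.test:8443/example_app/private"


class FormParser(HTMLParser):
    """Collect every <form>: its id, action and the name/value of its inputs."""

    def __init__(self):
        super().__init__()  # attribute values are entity-decoded by the parser
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"id": a.get("id"), "action": a.get("action"), "inputs": {}}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and a.get("name"):
            self._cur["inputs"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def find_form(page, form_id=None, field=None):
    """First form with the given id, or carrying the named input; None if absent."""
    p = FormParser()
    p.feed(page)
    p.close()
    for f in p.forms:
        if (form_id is not None and f["id"] == form_id) or \
           (field is not None and field in f["inputs"]):
            return f
    return None


def saml_login(sp_url, user, password, cafile=None):
    """Fetch a mellon-protected URL, authenticate at Keycloak, relay the
    SAMLResponse to the SP and return the protected page. The server
    certificate is verified; cafile (assumed argument) names the lab CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),
        urllib.request.HTTPSHandler(context=ctx))
    # 1. mellon redirects to the IdP, which renders the login form
    resp = opener.open(sp_url)
    login = find_form(resp.read().decode(), form_id="kc-form-login")
    if login is None:
        raise RuntimeError("no Keycloak login form (kc-form-login) in IdP response")
    # 2. POST the credentials to the form's action URL
    body = urllib.parse.urlencode({"username": user, "password": password}).encode()
    resp = opener.open(urllib.parse.urljoin(resp.geturl(), login["action"]), body)
    # 3. success is an auto-submit form carrying SAMLResponse (+ RelayState);
    #    a rejected or unknown user gets the login form again, without it
    acs = find_form(resp.read().decode(), field="SAMLResponse")
    if acs is None:
        raise RuntimeError("IdP returned no SAMLResponse: login rejected")
    # 4. deliver the assertion to the SP's assertion consumer service
    body = urllib.parse.urlencode(acs["inputs"]).encode()
    return opener.open(urllib.parse.urljoin(resp.geturl(), acs["action"]), body).read().decode()


# Constructed stand-in for the IdP's auto-submit page; the SAMLResponse
# value is a placeholder, not a real assertion.
SAMPLE_ACS_PAGE = """<html><body onload="document.forms[0].submit()">
<form method="post" action="https://sp1.keycloak.test:8443/example_app/mellon/postResponse">
<input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlLz4="/>
<input type="hidden" name="RelayState"
  value="https://sp1.keycloak.test:8443/example_app/private?a=1&amp;b=2"/>
</form></body></html>"""

# Constructed stand-in for the login page Keycloak re-renders after a bad login.
SAMPLE_LOGIN_PAGE = """<html><body>
<span class="kc-feedback-text">Invalid username or password.</span>
<form id="kc-form-login" action="https://idp.keycloak.test:8443/auth/realms/demorealm/login-actions/authenticate?code=abc&amp;execution=xyz" method="post">
<input id="username" name="username" type="text"/>
<input id="password" name="password" type="password"/>
</form></body></html>"""


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "ipauser1"
    password = sys.argv[2] if len(sys.argv) > 2 else "Secret123"
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(saml_login(SP_URL, user, password, cafile=cafile))
```

Run it as `./saml_login.py otpuser1 Secret123461082 /path/to/lab-ca.pem`; the two `RuntimeError`s correspond to the script's "no URL specified!" case (test4) and to the "Invalid username or password." page (test3), which the grep/cut version only distinguishes by reading output3.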

Comment 7 errata-xmlrpc 2018-04-10 17:08:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0927