Bug 1727789

Summary: mod_auth_mellon fix for AJAX header name X-Requested-With
Product: Red Hat Enterprise Linux 7
Reporter: Lami Akagwu <lakagwu>
Component: mod_auth_mellon
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Scott Poore <spoore>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.6
CC: sgoveas
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: mod_auth_mellon-0.14.0-7.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1761774 (view as bug list)
Environment:
Last Closed: 2020-03-31 19:10:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1761774

Description Lami Akagwu 2019-07-08 07:54:05 UTC
Description of problem:
Fix needed for AJAX header name X-Requested-With. This has already been addressed in 0.14.1, but not in Red Hat's 0.14.0-02.

[1] AJAX header name has been fixed in version 0.14.1
https://github.com/Uninett/mod_auth_mellon/blob/v0.14.0/auth_mellon_handler.c#L3661
[2] https://github.com/Uninett/mod_auth_mellon/blob/v0.14.1/auth_mellon_handler.c#L3661
[3] https://github.com/UNINETT/mod_auth_mellon/commit/6358a5169762ef7b89d8b6d0f1a99b006f0fdd2f

Comment 4 Jakub Hrozek 2019-10-09 12:36:17 UTC
To reproduce, send a request with the X-Requested-With header set:

curl -v --header "X-Requested-With:XMLHttpRequest" https://saml.federation.test/example_app/private

Without the patch, mellon would start the request flow, which would typically redirect you to the IDP with a 303 return code, like this:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>303 See Other</title>
</head><body>
<h1>See Other</h1>
<p>The answer to your request is located <a href="https://saml.federation.test/mellon/login?ReturnTo=https%3A%2F%2Fsaml.federation.test%2Fexample_app%2Fprivate&amp;IdP=https%3A%2F%2Fkeycloak.federation.test%3A8443%2Fauth%2Frealms%2Ffederation.test">here</a>.</p>
</body></html>

With the patch, mellon would deny such a request:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

This header would normally be added by recent browsers in case the request was made through some AJAX request.

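The decision described in this comment, modelled as a small added C example (not code from mod_auth_mellon or from anyone on this bug): an unauthenticated request to a protected path gets a 403 when it carries X-Requested-With: XMLHttpRequest, and the 303 redirect into the SAML login flow otherwise. The header_t/request_t types, the function names and the sample requests are constructed stand-ins for what a real Apache module reads from r->headers_in; the header name being checked is passed as a parameter so that the effect of comparing against any other name can be seen (the header is never found and the request falls through to the redirect).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the request headers an Apache module sees (hypothetical
 * types; a real module reads r->headers_in through the APR table API). */
typedef struct {
    const char *name;
    const char *value;
} header_t;

typedef struct {
    const header_t *headers;
    size_t count;
} request_t;

/* The header/value pair that identifies an XMLHttpRequest. The header name is
 * the one this bug is about; the value is what browsers send for XHR. */
#define AJAX_HEADER_NAME  "X-Requested-With"
#define AJAX_HEADER_VALUE "XMLHttpRequest"

/* ASCII case-insensitive string equality (HTTP header names are case-insensitive). */
static int eq_nocase(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Look up a header by name; "x-requested-with" must match as well. NULL if absent. */
static const char *find_header(const request_t *r, const char *name)
{
    for (size_t i = 0; i < r->count; i++) {
        if (eq_nocase(r->headers[i].name, name))
            return r->headers[i].value;
    }
    return NULL;
}

/* Returns 1 when the request carries "<header_name>: XMLHttpRequest", 0 otherwise. */
int is_ajax_request_named(const request_t *r, const char *header_name)
{
    const char *v = find_header(r, header_name);
    if (v == NULL)
        return 0;
    /* Tolerate "X-Requested-With:XMLHttpRequest" (no space after the colon, as in
     * the curl reproduction) if the parser did not strip optional whitespace. */
    while (*v == ' ' || *v == '\t')
        v++;
    return eq_nocase(v, AJAX_HEADER_VALUE);
}

/* Status an unauthenticated request to a protected resource gets: 403 for an
 * AJAX request (a script cannot complete a SAML login redirect), otherwise 303
 * to start the SP-initiated login flow. */
int unauthenticated_status(const request_t *r, const char *header_name)
{
    return is_ajax_request_named(r, header_name) ? 403 : 303;
}

/* Constructed sample requests mirroring the curl reproduction in this bug. */
static const header_t ajax_headers[] = {
    { "User-Agent", "curl/7.29.0" },
    { "Host", "sp1.keycloak.test:60443" },
    { "Accept", "*/*" },
    { "X-Requested-With", "XMLHttpRequest" },
};
static const header_t lowercase_headers[] = {
    { "host", "sp1.keycloak.test:60443" },
    { "x-requested-with", "XMLHttpRequest" },
};
static const header_t plain_headers[] = {
    { "User-Agent", "Mozilla/5.0" },
    { "Host", "sp1.keycloak.test:60443" },
};

const request_t ajax_request      = { ajax_headers, sizeof ajax_headers / sizeof ajax_headers[0] };
const request_t lowercase_request = { lowercase_headers, sizeof lowercase_headers / sizeof lowercase_headers[0] };
const request_t plain_request     = { plain_headers, sizeof plain_headers / sizeof plain_headers[0] };

int main(void)
{
    printf("XHR request, correct header name:    %d\n", unauthenticated_status(&ajax_request, AJAX_HEADER_NAME));
    printf("XHR request, lower-case header name: %d\n", unauthenticated_status(&lowercase_request, AJAX_HEADER_NAME));
    printf("plain browser request:               %d\n", unauthenticated_status(&plain_request, AJAX_HEADER_NAME));
    /* Comparing against any other name never finds the header, so the request
     * falls through to the redirect: the pre-fix behaviour reported here. */
    printf("XHR request, mismatched header name: %d\n", unauthenticated_status(&ajax_request, "X-Some-Other-Name"));
    return 0;
}
```

The mismatched-name case is the one to watch for when verifying a build like this one: the curl command in this comment only proves the fix if the request really reaches the module with the header intact, so check the 403 in the response rather than only the absence of a Location header.
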
Comment 5 Scott Poore 2019-10-09 14:57:33 UTC
Verified.

Version ::

mod_auth_mellon-0.14.0-7.el7.x86_64

Results ::

Test env used was an existing IPA with an IdP of RH-SSO 7.3 with SSSD provider. Then installed mod_auth_mellon and configured it with keycloak-httpd-client-install. Set up /var/www/html paths for the protected area and ran the tests below.

Reproducing first:

[root@sp1 yum.repos.d]# rpm -q mod_auth_mellon
mod_auth_mellon-0.14.0-6.el7.x86_64
[root@sp1 yum.repos.d]# curl -k -v --header "X-Requested-With:XMLHttpRequest" https://sp1.keycloak.test:60443/private
* About to connect() to sp1.keycloak.test port 60443 (#0)
*   Trying 192.168.122.192...
* Connected to sp1.keycloak.test (192.168.122.192) port 60443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: CN=sp1.keycloak.test,OU=Example Test,O=Example
* 	start date: Oct 09 14:09:44 2019 GMT
* 	expire date: Oct 08 14:09:44 2020 GMT
* 	common name: sp1.keycloak.test
* 	issuer: CN=Example Test CA,OU=Example Test,O=Example
> GET /private HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sp1.keycloak.test:60443
> Accept: */*
> X-Requested-With:XMLHttpRequest
> 
< HTTP/1.1 303 See Other
< Date: Wed, 09 Oct 2019 14:53:46 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Cache-Control: private, max-age=0, must-revalidate
< Location: https://sp1.keycloak.test:60443/mellon/login?ReturnTo=https%3A%2F%2Fsp1.keycloak.test%3A60443%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Fmaster
< Content-Length: 382
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>303 See Other</title>
</head><body>
<h1>See Other</h1>
<p>The answer to your request is located <a href="https://sp1.keycloak.test:60443/mellon/login?ReturnTo=https%3A%2F%2Fsp1.keycloak.test%3A60443%2Fprivate&amp;IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Fmaster">here</a>.</p>
</body></html>
* Connection #0 to host sp1.keycloak.test left intact


Now updating and verifying fix:

[root@sp1 yum.repos.d]# curl -k -v --header "X-Requested-With:XMLHttpRequest" https://sp1.keycloak.test:60443/private
* About to connect() to sp1.keycloak.test port 60443 (#0)
*   Trying 192.168.122.192...
* Connected to sp1.keycloak.test (192.168.122.192) port 60443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: CN=sp1.keycloak.test,OU=Example Test,O=Example
* 	start date: Oct 09 14:09:44 2019 GMT
* 	expire date: Oct 08 14:09:44 2020 GMT
* 	common name: sp1.keycloak.test
* 	issuer: CN=Example Test CA,OU=Example Test,O=Example
> GET /private HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sp1.keycloak.test:60443
> Accept: */*
> X-Requested-With:XMLHttpRequest
> 
< HTTP/1.1 403 Forbidden
< Date: Wed, 09 Oct 2019 14:55:00 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Cache-Control: private, max-age=0, must-revalidate
< Content-Length: 209
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /private
on this server.</p>
</body></html>
* Connection #0 to host sp1.keycloak.test left intact


Also ran upcoming automation:

# ${PYTEST} -vs --idp-realm master --idp-url https://idp.keycloak.test:8443 --sp-url https://sp1.keycloak.test:60443 --username ipauser1 --password Secret123 --url https://sp1.keycloak.test:60443/private --logout-url https://sp1.keycloak.test:60443/private --info-url https://sp1.keycloak.test:60443/private/static --nested-protected-url https://sp1.keycloak.test:60443/private/static/private_static test_mellon.py::test_ajax_header_is_rejected
========================================= test session starts =========================================
platform linux2 -- Python 2.7.5 -- py-1.4.32 -- pytest-2.7.0 -- /usr/bin/python
rootdir: /root/mod_auth_mellon, inifile: 
collected 6 items 

test_mellon.py::test_ajax_header_is_rejected PASSED

====================================== 1 passed in 0.03 seconds =======================================

Comment 7 errata-xmlrpc 2020-03-31 19:10:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1003