Bug 1761774

Summary: mod_auth_mellon fix for AJAX header name X-Requested-With
Product: Red Hat Enterprise Linux 8
Component: mod_auth_mellon
Version: 8.1
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Target Milestone: rc
Target Release: 8.0
Reporter: Jakub Hrozek <jhrozek>
Assignee: Jakub Hrozek <jhrozek>
QA Contact: Scott Poore <spoore>
Docs Contact:
CC: lakagwu, sgoveas, spoore
Whiteboard: sync-to-jira
Fixed In Version: mod_auth_mellon-0.14.0-11.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1727789
Environment:
Type: Bug
Last Closed: 2020-04-28 15:54:53 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1727789
Bug Blocks:

Comment 2 Scott Poore 2020-01-28 22:39:10 UTC
Verified.

Version ::

mod_auth_mellon-0.14.0-11.el8.x86_64

Results ::

Used an existing IPA Keycloak mod_auth_mellon setup to test.

# curl -k -v --header "X-Requested-With:XMLHttpRequest" https://$(hostname):8443/example_app/private
*   Trying 10.0.153.213...
* TCP_NODELAY set
* Connected to web1.kite.test (10.0.153.213) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: O=KITE.TEST; CN=web1.kite.test
*  start date: Jan 28 17:19:52 2020 GMT
*  expire date: Jan 28 17:19:52 2022 GMT
*  issuer: O=KITE.TEST; CN=Certificate Authority
*  SSL certificate verify ok.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET /example_app/private HTTP/1.1
> Host: web1.kite.test:8443
> User-Agent: curl/7.61.1
> Accept: */*
> X-Requested-With:XMLHttpRequest
> 
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 403 Forbidden
< Date: Tue, 28 Jan 2020 22:14:46 GMT
< Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1c
< Cache-Control: private, max-age=0, must-revalidate
< Content-Length: 228
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /example_app/private
on this server.<br />
</p>
</body></html>
* Connection #0 to host web1.kite.test left intact


And with upcoming automation:

# pytest-3 -vs \
        --idp-realm master \
        --idp-url https://keycloak.kite.test:8443 \
        --sp-url https://web1.kite.test:8443 \
        --username ipauser1 \
        --password Secret123 \
        --url https://web1.kite.test:8443/example_app/private \
        --logout-url https://web1.kite.test:8443/example_app/private \
        --info-url https://web1.kite.test:8443/example_app/private/static \
        --nested-protected-url https://web1.kite.test:8443/example_app/private/static/private_static \
        test_mellon.py::test_ajax_header_is_rejected
========================================= test session starts =========================================
platform linux -- Python 3.7.2, pytest-3.6.4, py-1.5.4, pluggy-0.6.0 -- /usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.7.2', 'Platform': 'Linux-4.20.3-200.fc29.x86_64-x86_64-with-fedora-29-Twenty_Nine', 'Packages': {'pytest': '3.6.4', 'py': '1.5.4', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.8.0', 'html': '1.22.0', 'sourceorder': '0.5', 'multihost': '3.0'}}
rootdir: /root/mod_auth_mellon, inifile:
plugins: metadata-1.8.0, html-1.22.0, sourceorder-0.5, multihost-3.0
collected 1 item                                                                                      

test_mellon.py::test_ajax_header_is_rejected PASSED

====================================== 1 passed in 0.14 seconds =======================================
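
The curl run above shows only half of the behaviour the fix provides: an unauthenticated request carrying X-Requested-With: XMLHttpRequest gets 403 Forbidden, while the same request without the header is still redirected to the IdP. That split is the point of the fix: an XMLHttpRequest follows a 303 to the IdP transparently and the page's JavaScript ends up with the IdP login HTML (or a cross-origin failure) instead of a status it can act on, whereas a 403 tells the application to re-authenticate by reloading the page. The script below is an added example for checking both halves against an SP; it is not the test_mellon.py from the comment and not mod_auth_mellon code. The loopback server in it is a constructed stand-in for a fixed SP so the check runs offline; the IdP URL, the /example_app/private path and the insecure flag (the equivalent of curl -k for a lab CA) are assumptions.

```python
"""Check that a mod_auth_mellon-protected URL answers an unauthenticated
AJAX request (X-Requested-With: XMLHttpRequest) with 403 Forbidden rather
than redirecting it to the IdP, while a plain browser GET is still redirected.

Added example, not the bug's test_mellon.py; FakeFixedSP below is a
constructed stand-in for a fixed SP so the check can run offline.
"""
import http.server
import ssl
import sys
import threading
import urllib.error
import urllib.request

AJAX_HEADER = "X-Requested-With"
AJAX_VALUE = "XMLHttpRequest"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: the redirect itself is what we want to observe."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying code + headers


def fetch_status(url, headers=None, insecure=False):
    """GET url without following redirects; return (status, Location or None)."""
    ctx = ssl.create_default_context()
    if insecure:  # equivalent of curl -k; only for lab SPs with a private CA
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        return err.code, err.headers.get("Location")


def check_ajax_rejection(url, insecure=False):
    """Compare a plain GET with an AJAX GET against a protected URL.

    Fixed SP: plain request -> 3xx with Location pointing at the IdP,
    AJAX request -> 403 and no redirect.
    """
    plain = fetch_status(url, insecure=insecure)
    ajax = fetch_status(url, {AJAX_HEADER: AJAX_VALUE}, insecure=insecure)
    return {
        "plain": plain,
        "ajax": ajax,
        "ok": 300 <= plain[0] < 400 and plain[1] is not None and ajax[0] == 403,
    }


class FakeFixedSP(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a fixed mod_auth_mellon SP (not mellon itself)."""

    IDP_SSO = "https://keycloak.example.test/auth/realms/master/protocol/saml"

    def do_GET(self):
        if self.headers.get(AJAX_HEADER) == AJAX_VALUE:
            self.send_response(403)  # tell the XHR it must re-authenticate
        else:
            self.send_response(303)  # send the browser to the IdP
            self.send_header("Location", self.IDP_SSO)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_selfcheck():
    """Run check_ajax_rejection against the stand-in on a loopback port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeFixedSP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_ajax_rejection(
            f"http://127.0.0.1:{srv.server_port}/example_app/private")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    # Against a real SP (assumed URL):
    #   python3 check_ajax.py https://web1.kite.test:8443/example_app/private
    result = (check_ajax_rejection(sys.argv[1], insecure=True)
              if len(sys.argv) > 1 else run_selfcheck())
    print(result)
```

Run it with no argument to exercise the stand-in, or with the protected URL of an SP to get the same verdict the pytest above produces; a pre-fix SP shows up as "ok": False because the AJAX request comes back as a redirect rather than 403.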

Comment 4 errata-xmlrpc 2020-04-28 15:54:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1660