Bug 2217937

Summary: lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
Product: Fedora
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: lasso
Assignee: Simo Sorce <ssorce>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: rawhide
CC: jhrozek, jpazdziora, rcritten, ssorce
Keywords: Regression
Hardware: Unspecified
OS: Linux
Last Closed: 2023-06-29 13:09:36 UTC

Description Jan Pazdziora (Red Hat) 2023-06-27 14:37:29 UTC
When using mod_auth_mellon on rawhide, I now see failures like

www_1                  | lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
Error GETing http://www:8079/saml-redirect-uri/login?ReturnTo=http%3A%2F%2Fwww%3A8079%2Fadmin%2Flogin%2F%3Fnext%3D%2Fadmin%2F&IdP=http%3A%2F%2Fkeycloak%3A8082%2Frealms%2Frealm%2Db: Server closed connection without sending any data back at /test.pl line 21.
www_1                  | [Tue Jun 27 12:46:17.790230 2023] [core:notice] [pid 15:tid 15] AH00051: child pid 19 exit signal Abort (6), possible coredump in /etc/httpd

similar to bug 2142849 comment 3.

Reproducible: Always

Steps to Reproduce:
1. Have mod_auth_mellon configured with something like

    <LocationMatch ^/saml-redirect-uri/|^/admin/login>
        MellonEnable info
        MellonEndpointPath /saml-redirect-uri/
        MellonSPMetadataFile /etc/httpd/saml2/mellon_metadata.xml
        MellonSPPrivateKeyFile /etc/httpd/saml2/mellon.key
        MellonSPCertFile /etc/httpd/saml2/mellon.pem
        MellonIdPMetadataFile /etc/httpd/saml2/idp_metadata.xml
    </LocationMatch>

    <Location /admin/login/>
        <If "%{QUERY_STRING} !~ /^direct$/">
            AuthType Mellon
            MellonEnable auth
            Require valid-user
        </If>

        RewriteEngine on
        RewriteCond %{REMOTE_USER} (.+)
        RewriteRule ^.+$ - [E=REMOTE_USER:%1]
        RequestHeader unset X-REMOTE-USER
        RequestHeader set X-REMOTE-USER %{REMOTE_USER}e env=REMOTE_USER

        MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" "first_name"
        RequestHeader unset X-REMOTE-USER-FIRSTNAME
        RequestHeader set X-REMOTE-USER-FIRSTNAME expr=%{base64:%{env:REMOTE_USER_FIRSTNAME}} env=REMOTE_USER_FIRSTNAME
        MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" "last_name"
        RequestHeader unset X-REMOTE-USER-LASTNAME
        RequestHeader set X-REMOTE-USER-LASTNAME expr=%{base64:%{env:REMOTE_USER_LASTNAME}} env=REMOTE_USER_LASTNAME
        MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" "email"
        RequestHeader unset X-REMOTE-USER-EMAIL
        RequestHeader set X-REMOTE-USER-EMAIL expr=%{base64:%{env:REMOTE_USER_EMAIL}} env=REMOTE_USER_EMAIL
        MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" "groups"
        RequestHeader unset X-REMOTE-USER-GROUPS
        RequestHeader set X-REMOTE-USER-GROUPS expr=%{base64:%{env:REMOTE_USER_GROUPS}} env=REMOTE_USER_GROUPS
        MellonMergeEnvVars On ":"
    </Location>

    <Location /admin/logout/>
        <If "%{QUERY_STRING} == 'keycloak-logged-out'">
            RewriteEngine on
            RewriteRule "^.*" "/"
        </If>
        <Else>
            AddOutputFilterByType SUBSTITUTE text/html
            Substitute 's#</html>#<iframe style="display: none" width="0" height="0" frameborder="0" src="/saml-redirect-uri/logout?ReturnTo=http://www:8079/admin/logout/?keycloak-logged-out"/></html>#ni'
        </Else>
    </Location>

    ProxyPass /saml-redirect-uri/ !
    ProxyPass / http://app:8081/
    ProxyPassReverse / http://app:8081/

with Keycloak as the IdP.
2. Try to log in.
Actual Results:  
www_1                  | 172.19.0.3 - - [27/Jun/2023:12:46:16 +0000] "GET /admin/ HTTP/1.1" 302 - "-" "WWW-Mechanize/2.06"
www_1                  | 172.19.0.3 - - [27/Jun/2023:12:46:16 +0000] "GET /admin/login/?next=/admin/ HTTP/1.1" 303 377 "-" "WWW-Mechanize/2.06"
www_1                  | Bail out! lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
www_1                  | 
www_1                  | ==> /var/log/httpd/error_log <==
www_1                  | **
www_1                  | lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
Error GETing http://www:8079/saml-redirect-uri/login?ReturnTo=http%3A%2F%2Fwww%3A8079%2Fadmin%2Flogin%2F%3Fnext%3D%2Fadmin%2F&IdP=http%3A%2F%2Fkeycloak%3A8082%2Frealms%2Frealm%2Db: Server closed connection without sending any data back at /test.pl line 21.
www_1                  | [Tue Jun 27 12:46:17.790230 2023] [core:notice] [pid 15:tid 15] AH00051: child pid 19 exit signal Abort (6), possible coredump in /etc/httpd


Expected Results:  
No failure and no aborted httpd child.

I believe this is caused by the fact that xmlsec1 in rawhide is now back at the 1:1.2.37-4.fc39 version, so the fix and build in bug 2142849, which assume xmlsec 1.3, no longer work.

The revert of the xmlsec1 version was done via bug 2187631.
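The failure signature above (a lasso assertion followed by an httpd child dying with signal Abort) is easy to miss in a busy error_log. The following scanner is an added example, not part of the report or of lasso/mod_auth_mellon; it pairs each AH00051 abort with the lasso assertion printed just before it, over a constructed excerpt of the error_log lines quoted in this report (compose prefix stripped).

```python
import re
from dataclasses import dataclass

# Constructed sample: the error_log excerpt from the report plus one
# unrelated notice line, with the "www_1 |" compose prefix removed.
SAMPLE_LOG = """\
**
lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
[Tue Jun 27 12:46:17.790230 2023] [core:notice] [pid 15:tid 15] AH00051: child pid 19 exit signal Abort (6), possible coredump in /etc/httpd
[Tue Jun 27 12:46:18.000000 2023] [core:notice] [pid 15:tid 15] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
"""

# glib-style assertion line emitted by lasso (file:line:function + expression)
LASSO_ASSERT = re.compile(
    r"^lasso:ERROR:(?P<file>[\w.]+):(?P<line>\d+):(?P<func>\w+): "
    r"assertion failed: \((?P<expr>[^)]*)\)"
)
# Apache core notice for a worker that exited on a signal
CHILD_ABORT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid (?P<parent>\d+)(?::tid \d+)?\] "
    r"AH00051: child pid (?P<child>\d+) exit signal (?P<sig>\w+) \((?P<signo>\d+)\)"
)


@dataclass
class Finding:
    timestamp: str
    child_pid: int
    signal: str
    assertion: str  # "function: (expr)" of the preceding lasso assertion, or ""


def scan_error_log(text: str) -> list[Finding]:
    """Return one Finding per aborted httpd child, tagged with the lasso
    assertion that immediately preceded it (if any)."""
    findings: list[Finding] = []
    last_assert = ""
    for line in text.splitlines():
        m = LASSO_ASSERT.match(line)
        if m:
            last_assert = f"{m['func']}: ({m['expr']})"
            continue
        m = CHILD_ABORT.match(line)
        if m and m["sig"] == "Abort":
            findings.append(Finding(m["ts"], int(m["child"]), m["sig"], last_assert))
            last_assert = ""  # consume it so it is not reused for a later abort
    return findings


if __name__ == "__main__":
    for f in scan_error_log(SAMPLE_LOG):
        print(f"{f.timestamp}: child {f.child_pid} aborted after {f.assertion or 'no lasso assertion'}")
```

Run it against a real /var/log/httpd/error_log to confirm whether a lasso rebuild (as in comment 1) made the aborts stop.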

Comment 1 Simo Sorce 2023-06-29 10:20:42 UTC
I pushed a rebuild of lasso against the reverted xmlsec1, can you check this fixes the issue?

Comment 2 Jan Pazdziora (Red Hat) 2023-06-29 11:20:36 UTC
I confirm that with a package fetched from https://koji.fedoraproject.org/koji/buildinfo?buildID=2222725, my tests pass on Fedora rawhide again.

Got bodhi errata where we could give karma?

Comment 3 Jan Pazdziora (Red Hat) 2023-06-29 11:27:09 UTC
For reference and note to self: the test I used was https://github.com/adelton/django-identity-external/actions/runs/5411625277/jobs/9834612074.

Comment 4 Simo Sorce 2023-06-29 13:09:36 UTC
I do not think there is a bodhi errata for f39 yet because it has not forked from rawhide yet?

In any case it seems fixed, so I will close.

Comment 5 Jan Pazdziora (Red Hat) 2023-06-29 13:25:02 UTC
Ah, there is errata https://bodhi.fedoraproject.org/updates/FEDORA-2023-370708c31d but for rawhide the karma games are not played, so it has been pushed to stable directly, and it is in fact in the repos already. I've updated my test accordingly, so it no longer needs to use the build from koji: https://github.com/adelton/django-identity-external/actions/runs/5412682855/jobs/9837114563

Thank you for the prompt fix!