1296286 – mod_auth_mellon emits CRITICAL warning message in Apache log when doing ECP

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1296286 - mod_auth_mellon emits CRITICAL warning message in Apache log when doing ECP

Summary: mod_auth_mellon emits CRITICAL warning message in Apache log when doing ECP

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	mod_auth_mellon
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	John Dennis
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-01-06 19:40 UTC by John Dennis
Modified:	2016-11-04 06:46 UTC (History)
CC List:	6 users (show)
Fixed In Version:	mod_auth_mellon-0.11.0-2.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 06:46:45 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2461	0	normal	SHIPPED_LIVE	mod_auth_mellon bug fix update	2016-11-03 14:05:46 UTC

Description John Dennis 2016-01-06 19:40:07 UTC

While doing the SAML ECP profile mod_auth_mellon will emit this error message into the httpd error_log file:

lasso-CRITICAL **: lasso_provider_get_metadata_list_for_role: assertion '_lasso_provider_get_role_index(role)' failed

This is fixed by the this upstream commit:

commit 5ba9bb72707a90503cd4d042083ea074a0cb6b8a
Author: John Dennis <jdennis>
Date:   Fri Oct 30 15:46:33 2015 -0400

    Role maybe unknown when assertion consumer url is looked up
    
    Replace the call to lasso_provider_get_metadata_one() with
    lasso_provider_get_metadata_one_for_role() so that we can exlicitly
    pass the LASSO_PROVIDER_ROLE_SP role. The former call obtains the
    role from the provider object and then calls
    lasso_provider_get_metadata_one_for_role() using that role. However
    the role will not have been set in the provider until the first request is
    processed. This means the first time we call this routine it won't
    work correctly because the role will not have been set yet, by
    explicitly passing the role we avoid this problem.
    
    Signed-off-by: John Dennis <jdennis>

Comment 3 Namita Soman 2016-04-08 23:46:00 UTC

pls add steps to verify

Comment 4 John Dennis 2016-04-11 19:48:14 UTC

The only hard part of testing this is setting up mellon. I've attached a script called trigger-warning.sh that will configure mellon, restart httpd, and run a test command that will produce the error message in /var/log/httpd/error_log

1) install mod_auth_mellon without the fix.

2) run trigger-warning.sh configure

   This should populate /etc/httpd/saml2 and create
   /etc/httd/conf.d/protected.conf

3) run trigger-warning.sh restart

   This will stop httpd, clear the logs, start httpd, and show the daemon status

4) run trigger-warning.sh test

   This will use curl to send a message that will trigger the warning

5) Verify the message is in the log file

   grep lasso-CRITICAL /var/log/httpd/error_log 

  (process:30458): lasso-CRITICAL **: : assertion '_lasso_provider_get_role_index(role)' failed

6) install new version of mod_auth_mellon with fix

   Redo steps 3,4 and 5. the final grep in step 5 should be empty

Comment 6 Whitney Chadwick 2016-04-12 14:16:54 UTC

Set PM ACK to +

Comment 8 Scott Poore 2016-09-19 16:05:34 UTC

Verified.

Version ::

Failed on mod_auth_mellon-0.11.0-1.el7.x86_64

Worked on mod_auth_mellon-0.11.0-2.el7.x86_64

Results ::

[root@vm3 ~]# ./trigger-warning.sh configure
Output files:
Private key:                              mellon_test.key
Certificate:                              mellon_test.cert
Metadata:                                 mellon_test.xml
Host:                                     vm3.example.com

Endpoints:
SingleLogoutService (SOAP):               http://vm3.example.com/protected/mellon/logout
SingleLogoutService (HTTP-Redirect):      http://vm3.example.com/protected/mellon/logout
AssertionConsumerService (HTTP-POST):     http://vm3.example.com/protected/mellon/postResponse
AssertionConsumerService (HTTP-Artifact): http://vm3.example.com/protected/mellon/artifactResponse
AssertionConsumerService (PAOS):          http://vm3.example.com/protected/mellon/paosResponse



[root@vm3 ~]# ./trigger-warning.sh restart
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2016-09-19 09:48:49 CDT; 13ms ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 1163 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─1163 /usr/sbin/httpd -DFOREGROUND
           ├─1164 /usr/sbin/httpd -DFOREGROUND
           ├─1165 /usr/sbin/httpd -DFOREGROUND
           ├─1166 /usr/sbin/httpd -DFOREGROUND
           ├─1167 /usr/sbin/httpd -DFOREGROUND
           └─1168 /usr/sbin/httpd -DFOREGROUND

Sep 19 09:48:49 vm3.example.com systemd[1]: Starting The Apache HTTP Server...
Sep 19 09:48:49 vm3.example.com systemd[1]: Started The Apache HTTP Server.


[root@vm3 ~]# ./trigger-warning.sh test
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><s:Header><paos:Request responseConsumerURL="http://vm3.example.com/protected/mellon/paosResponse" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" messageID="_18256E8DC87980721DEDD297A70AD4EC" s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next"/><ecp:Request s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next" IsPassive="false"><saml:Issuer>mellon_test</saml:Issuer></ecp:Request><ecp:RelayState s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next">http://vm3.example.com/protected/foo.html</ecp:RelayState></s:Header><s:Body><samlp:AuthnRequest ID="_69721650412054C8470107C781E2D7C4" Version="2.0" IssueInstant="2016-09-19T14:48:56Z" Destination="http://vm3.example.com/protected/mellon/paosResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="http://vm3.example.com/protected/mellon/paosResponse"><saml:Issuer>mellon_test</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_69721650412054C8470107C781E2D7C4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>t/+5x9F8YlQGKeVfLzt+wnnS05I=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Ryd9h1jZdvBPefPWIBjSepIgLb6u6zrtMrj1mWTD7reh1auJ2lhAVoNGC+2uLAn5
W52rdpKDsJsKkO4TWSCs/hzh+xVPJfTPW4aCst33+e56XdresaPpp7VBGUrDSjQM
kz2U2NmTxtDgf24dr8OrUcAppQQh0NWyeqKA9eN2UC6kvarrhpN4Fbp1cRYH2Onj
6auMqxrwGx06qCORDqGgDOqtojOfJv5oBt8DVlZr4PpovQWXJAqCiKjOP9LhrVzJ
7vU8y5J1vsZsU/0PF7vbk8sJSUFb/RgJs4Pf2pBACg15Q/BsKpc0oENEyiJWlFDK
eM9BE598EYBcuvRyGY3wQQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIICsDCCAZgCCQCLN9UC4ZbCyTANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw92
bTMuZXhhbXBsZS5jb20wHhcNMTYwOTE5MTQ0ODI4WhcNMjYwOTE5MTQ0ODI4WjAa
MRgwFgYDVQQDEw92bTMuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCelXMrCEB3MBeC7WsDO19EVtzSEP9oa5T44bhXS1+k39HrZJ/a
1ra6nPGRrPeVnYzaQ9R3hL9DG/6YS0QS2xnGSYnQoNw376b/u5eid4LSXx9k2/6w
2P38US8SMUrRcvTfdAhBWbLiWLURzaLzj9mfS84yxT4SHeV+uzaQSsBFojbSPDnj
NQznLMpXvoszxfA2frKaKlJJ18bjpjQQKrk1/FSmU50GDszYSInKkRoPlHKRbvB1
sJfuAqKbFAaZZFvCYq25E0eXvyKEY04llSuE6eYoW2PDxqqlhx5Bsh2U4IJxXs26
qQFgiGu05ZL+q7ADJtLBfTc/ZRNr0lnwZeFZAgMBAAEwDQYJKoZIhvcNAQEFBQAD
ggEBACgxjXFeNHA2Zxf8P4jA0i9c4nJpRg1uRltouzZJgdL0PczbKsobNHvx4K4E
tWTKtWUFisIT/L9zvQ6kfJHnu4UQSv2CFsdaqt9PYa1/ikbjT8gfE0Td0iLAwQVM
jQ0bs/IQbClp9lQHVQlBeRitu8y87TPlihAQE9eocHc88UOD1piKoyFy6J3ApeHI
FiQdRmdl4jSufEOBZ+Tw9vOrktG9mWI7tSf+iNlO6OOKgLpvH7A3LC8RQ/pd4HXT
EiTH6kdenbw51LC5bT6F3mAIkcs72JfnaVUl61LeyQ9u6LeAZpWYEGPb4Z60BWPK
ee0gMxnz5XJ+SK5ZRJuYWaGGmwE=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest></s:Body></s:Envelope>


[root@vm3 ~]# grep lasso-CRITICAL /var/log/httpd/error_log 
(process:1168): lasso-CRITICAL **: : assertion '_lasso_provider_get_role_index(role)' failed



[root@vm3 ~]# yum update mod_auth_mellon
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package mod_auth_mellon.x86_64 0:0.11.0-1.el7 will be updated
---> Package mod_auth_mellon.x86_64 0:0.11.0-2.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                   Arch             Version                 Repository                    Size
=======================================================================================================
Updating:
 mod_auth_mellon           x86_64           0.11.0-2.el7            rhel-7.3-candidate            74 k

Transaction Summary
=======================================================================================================
Upgrade  1 Package

Total download size: 74 k
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for rhel-7.3-candidate
mod_auth_mellon-0.11.0-2.el7.x86_64.rpm                                         |  74 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : mod_auth_mellon-0.11.0-2.el7.x86_64                                                 1/2 
  Cleanup    : mod_auth_mellon-0.11.0-1.el7.x86_64                                                 2/2 
  Verifying  : mod_auth_mellon-0.11.0-2.el7.x86_64                                                 1/2 
  Verifying  : mod_auth_mellon-0.11.0-1.el7.x86_64                                                 2/2 

Updated:
  mod_auth_mellon.x86_64 0:0.11.0-2.el7                                                                

Complete!


[root@vm3 ~]# ./trigger-warning.sh restart
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2016-09-19 09:49:40 CDT; 10ms ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 1197 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─1197 /usr/sbin/httpd -DFOREGROUND
           ├─1198 /usr/sbin/httpd -DFOREGROUND
           ├─1199 /usr/sbin/httpd -DFOREGROUND
           ├─1200 /usr/sbin/httpd -DFOREGROUND
           ├─1201 /usr/sbin/httpd -DFOREGROUND
           └─1202 /usr/sbin/httpd -DFOREGROUND

Sep 19 09:49:40 vm3.example.com systemd[1]: Starting The Apache HTTP Server...
Sep 19 09:49:40 vm3.example.com systemd[1]: Started The Apache HTTP Server.



[root@vm3 ~]# ./trigger-warning.sh test
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><s:Header><paos:Request responseConsumerURL="http://vm3.example.com/protected/mellon/paosResponse" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" messageID="_A48EB31B410D319F1B918FD1ED3F337F" s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next"/><ecp:Request s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next" IsPassive="false"><saml:Issuer>mellon_test</saml:Issuer></ecp:Request><ecp:RelayState s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next">http://vm3.example.com/protected/foo.html</ecp:RelayState></s:Header><s:Body><samlp:AuthnRequest ID="_80FEAC7FF42B6856F1E66A3282F4AAD6" Version="2.0" IssueInstant="2016-09-19T14:49:48Z" Destination="http://vm3.example.com/protected/mellon/paosResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="http://vm3.example.com/protected/mellon/paosResponse"><saml:Issuer>mellon_test</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_80FEAC7FF42B6856F1E66A3282F4AAD6">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>1R15N6uNrOBKrd6zP4E4/bnQGRM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>VZMp7wAB/8FaZTgZ+pFNJzr7icgLkMDJpC0IL7i3grT6aibmpqMzv8BCupenp15L
cxxnk20YjfOP7Ejfa3RHoKJGEy1mBps29z9lj+Wq6cHmsNTD+uLbvUIF+5IoGznD
JUBCcM2tk39LYEBhfav5cnWSxEFaac3OBVGS/8qJCicPQio1Qk5j2AWbwIMbDXmt
9nt59DehTLt9wH3MpPbPOCBStqGj8T7p4gh3flICyl98TrtEN5V5Xg+CQar5n/yb
mzDzaLyTz6mHnTo7eJzEP3HpAOsrl2aOqu5rDpnrD8GscVuQyCAAC/b3vGeFL9Os
5b0nkgRQGsbTiUzmig8k5w==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIICsDCCAZgCCQCLN9UC4ZbCyTANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw92
bTMuZXhhbXBsZS5jb20wHhcNMTYwOTE5MTQ0ODI4WhcNMjYwOTE5MTQ0ODI4WjAa
MRgwFgYDVQQDEw92bTMuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCelXMrCEB3MBeC7WsDO19EVtzSEP9oa5T44bhXS1+k39HrZJ/a
1ra6nPGRrPeVnYzaQ9R3hL9DG/6YS0QS2xnGSYnQoNw376b/u5eid4LSXx9k2/6w
2P38US8SMUrRcvTfdAhBWbLiWLURzaLzj9mfS84yxT4SHeV+uzaQSsBFojbSPDnj
NQznLMpXvoszxfA2frKaKlJJ18bjpjQQKrk1/FSmU50GDszYSInKkRoPlHKRbvB1
sJfuAqKbFAaZZFvCYq25E0eXvyKEY04llSuE6eYoW2PDxqqlhx5Bsh2U4IJxXs26
qQFgiGu05ZL+q7ADJtLBfTc/ZRNr0lnwZeFZAgMBAAEwDQYJKoZIhvcNAQEFBQAD
ggEBACgxjXFeNHA2Zxf8P4jA0i9c4nJpRg1uRltouzZJgdL0PczbKsobNHvx4K4E
tWTKtWUFisIT/L9zvQ6kfJHnu4UQSv2CFsdaqt9PYa1/ikbjT8gfE0Td0iLAwQVM
jQ0bs/IQbClp9lQHVQlBeRitu8y87TPlihAQE9eocHc88UOD1piKoyFy6J3ApeHI
FiQdRmdl4jSufEOBZ+Tw9vOrktG9mWI7tSf+iNlO6OOKgLpvH7A3LC8RQ/pd4HXT
EiTH6kdenbw51LC5bT6F3mAIkcs72JfnaVUl61LeyQ9u6LeAZpWYEGPb4Z60BWPK
ee0gMxnz5XJ+SK5ZRJuYWaGGmwE=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></sa...truncated due to terminal issue...

[root@vm3 ~]# 
[root@vm3 ~]# 
[root@vm3 ~]# grep lasso-CRITICAL /var/log/httpd/error_log 
[root@vm3 ~]#

Comment 10 errata-xmlrpc 2016-11-04 06:46:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2461.html

Note You need to log in before you can comment on or make changes to this bug.