Bug 1414021
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Incorrect Content-Type header in ECP PAOS response, should be application/vnd.paos+xml | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | John Dennis <jdennis> |
| Component: | mod_auth_mellon | Assignee: | John Dennis <jdennis> |
| Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.4 | CC: | enewland, extras-qa, ipa-qe, jdennis, jreznik, nkinder, nsoman, rcritten, snagar, spoore, ssorce, tscherf |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | mod_auth_mellon-0.11.0-4.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1414019 | | |
| : | 1419456 | Environment: | |
| Last Closed: | 2017-08-01 20:29:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1414019, 1414024 | | |
| Bug Blocks: | 1414020, 1419456 | | |
Description
John Dennis
2017-01-17 14:44:41 UTC

*** Bug 1414024 has been marked as a duplicate of this bug. ***

Verified.

Version ::

mod_auth_mellon-0.11.0-4.el7.x86_64

Results ::

```
[root@rhel7-2 ~]# yum -y install httpd mod_auth_mellon mod_ssl openssl
...
[root@rhel7-2 ~]# cat > /etc/httpd/conf.d/mellon.conf <<EOF
> <Location /mroot >
>     MellonEnable info
>     MellonEndpointPath /mroot/mellon/
>     MellonSPMetadataFile /etc/httpd/saml2/mellon_metadata.xml
>     MellonSPPrivateKeyFile /etc/httpd/saml2/mellon.key
>     MellonSPCertFile /etc/httpd/saml2/mellon.crt
>     MellonIdPMetadataFile /etc/httpd/saml2/idp_metadata.xml
> </Location>
>
> <Location /mroot/private >
>     AuthType Mellon
>     MellonEnable auth
>     Require valid-user
> </Location>
>
> <Directory /var/www/html/mroot/private>
>     Options +Includes
>     AddOutputFilter INCLUDES .html
> </Directory>
> EOF
[root@rhel7-2 ~]# mkdir -p /var/www/html/mroot/private
[root@rhel7-2 ~]# echo "KEEP OUT" >> /var/www/html/mroot/private/index.html
[root@rhel7-2 ~]# fqdn=`hostname`
[root@rhel7-2 ~]# mellon_endpoint_url="https://${fqdn}/mroot/mellon"
[root@rhel7-2 ~]# mellon_entity_id="${mellon_endpoint_url}/metadata"
[root@rhel7-2 ~]# file_prefix="$(echo "$mellon_entity_id" | sed 's/[^A-Za-z.]/_/g' | sed 's/__*/_/g')"
[root@rhel7-2 ~]# /usr/libexec/mod_auth_mellon/mellon_create_metadata.sh $mellon_entity_id $mellon_endpoint_url
Output files:
Private key:   https_rhel_.example.com_mroot_mellon_metadata.key
Certificate:   https_rhel_.example.com_mroot_mellon_metadata.cert
Metadata:      https_rhel_.example.com_mroot_mellon_metadata.xml

Host: rhel7-2.example.com

Endpoints:
SingleLogoutService (SOAP):               https://rhel7-2.example.com/mroot/mellon/logout
SingleLogoutService (HTTP-Redirect):      https://rhel7-2.example.com/mroot/mellon/logout
AssertionConsumerService (HTTP-POST):     https://rhel7-2.example.com/mroot/mellon/postResponse
AssertionConsumerService (HTTP-Artifact): https://rhel7-2.example.com/mroot/mellon/artifactResponse
AssertionConsumerService (PAOS):          https://rhel7-2.example.com/mroot/mellon/paosResponse

[root@rhel7-2 ~]# mkdir /etc/httpd/saml2
[root@rhel7-2 ~]# mv ${file_prefix}.cert /etc/httpd/saml2/mellon.crt
[root@rhel7-2 ~]# mv ${file_prefix}.key /etc/httpd/saml2/mellon.key
[root@rhel7-2 ~]# mv ${file_prefix}.xml /etc/httpd/saml2/mellon_metadata.xml

# Here I'm actually using the IDP Metadata file from bug #1447770
[root@rhel7-2 ~]# wget https://bugzilla.redhat.com/attachment.cgi?id=1275970
--2017-05-03 15:18:54--  https://bugzilla.redhat.com/attachment.cgi?id=1275970
Resolving bugzilla.redhat.com (bugzilla.redhat.com)... 10.4.205.4
Connecting to bugzilla.redhat.com (bugzilla.redhat.com)|10.4.205.4|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3695 (3.6K) [application/xml]
Saving to: ‘attachment.cgi?id=1275970’

100%[=============================================================>] 3,695       --.-K/s   in 0s

2017-05-03 15:18:54 (586 MB/s) - ‘attachment.cgi?id=1275970’ saved [3695/3695]

[root@rhel7-2 ~]# mv attachment.cgi\?id\=1275970 /etc/httpd/saml2/idp_metadata.xml
[root@rhel7-2 ~]# cd /etc/httpd/conf.d/
[root@rhel7-2 conf.d]# restorecon -R /etc/httpd/saml2
[root@rhel7-2 conf.d]# systemctl restart httpd
[root@rhel7-2 conf.d]# curl -k -v -H 'Accept:text/html, application/vnd.paos+xml' -H 'PAOS:ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' https://$(hostname)/mroot/private/index.html
* About to connect() to rhel7-2.example.com port 443 (#0)
*   Trying 192.168.122.72...
* Connected to rhel7-2.example.com (192.168.122.72) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: E=root.com,CN=rhel7-2.example.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
*       start date: May 03 20:06:16 2017 GMT
*       expire date: May 03 20:06:16 2018 GMT
*       common name: rhel7-2.example.com
*       issuer: E=root.com,CN=rhel7-2.example.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
> GET /mroot/private/index.html HTTP/1.1
> User-Agent: curl/7.29.0
> Host: rhel7-2.example.com
> Accept:text/html, application/vnd.paos+xml
> PAOS:ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
>
< HTTP/1.1 200 OK
< Date: Wed, 03 May 2017 20:30:45 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips
< Cache-Control: private, max-age=0, must-revalidate
< Content-Length: 3513
< Content-Type: application/vnd.paos+xml
<
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><s:Header><paos:Request responseConsumerURL="https://rhel7-2.example.com/mroot/mellon/paosResponse" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" messageID="_D12FE1AB1DF8C79D18D3EFECE89599A3" s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next"/><ecp:Request s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next" IsPassive="false"><saml:Issuer>https://rhel7-2.example.com/mroot/mellon/metadata</saml:Issuer></ecp:Request><ecp:RelayState s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next">https://rhel7-2.example.com/mroot/private/index.html</ecp:RelayState></s:Header><s:Body><samlp:AuthnRequest ID="_232D92D80D25E0B8C9BF94861B53FB79" Version="2.0" IssueInstant="2017-05-03T20:30:46Z" Destination="https://rhel7-2.example.com/mroot/mellon/paosResponse" Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceURL="https://rhel7-2.example.com/mroot/mellon/paosResponse"><saml:Issuer>https://rhel7-2.example.com/mroot/mellon/metadata</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#_232D92D80D25E0B8C9BF94861B53FB79">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>cJAvFqm7RUyR+0UYazv4GoAF9g4=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>W8EDMeU/0DRydRfPMDWKTvmj02f0r64aaWUxgVVgAfO1U/QADkAa7kiWmmKObksC
XDXDMmDYGgABc1mBvtn9aiSricTAKkkJmfOoUU8mRW26j7aMJ6jW/HGv2ix5bqqJ
A0c0URnnVkXwHj9AQPF9hdXfYaDrPhtXfkHazHybwwXk98M4fFGQs6NLDdwxEnXw
iz1+l+oSVhCQaDT3zGbXNdObgXkVSvsHNTDotXTIf746X1+Kkh5SOnheOM3+LU5w
LcFUPr1bHfzhB7MF5RN2w9v242eDMDjoeRCV6hgJ/uiz8IRx+GFAGGd4xJ29pjqi
ObwiFDA2g+3yo0Cem1zziQ==</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>MIICuDCCAaACCQDDskLgEkCyCTANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNy
aGVsNy0yLmV4YW1wbGUuY29tMB4XDTE3MDUwMzIwMTY1MloXDTI3MDUwMzIwMTY1
MlowHjEcMBoGA1UEAwwTcmhlbDctMi5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMQzdj/sTM2MzrKFy0dTLiySzbZMCzSH1byIJ0sf
eHv2UgXXJ3FSidwewRMf2gOwLhKTOKM641bWz7r4mQQgbuOD1XTnvurJ7E3i8zNq
Cvt8PMFPAYyzBUjgHyY+K6AeAlT5NqXcZYf/CKuRVBWpJcDxK0ydwhQu4J1L4Rox
tvBtZQjmtLiTSUpb+ytQVmKDvpQWAob5fh7YG0LDMXQ9jKjSt1K8XR6tIqCq0ntf
sQLKYzuJFcdggns+Td7MPGAIMlXlNk/7+BmX9TFv4W7slitLC1QK/64zXqAyFCjo
Dm19E/W6kvzcOeUOL21+C1XYQJWJttz394ZMATreokSQG8UCAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAXX7CaEXhjbjzTQBt9VE0KYGijUsrWiBkGQsADoYwZDhO60Vc
G3Ckspq0nT/JZWfrimMpJtnmfh9uD8q+s2tBjef17+jyXJnKu0zDAUc+1YmAPOUX
6ORooBvVtIiK2BWaeiuKBXm7ZfaX9p8nGw4MYHbRRmsyJlENgorjAZpwDfzOO60e
uARfzP1UAa0IV0hYpCwQRcu6CiISSdKgAwmeb5R4VYJzphxyQq3Q+0GWaQM39snP
kdiUZ6ip0KU21fkXU61ngYX8tuHTzoWDO7/rmyI3mgW6Ni/KVetpjgzogIpjozJt
rWOF2ObiWft1ABc7VdQrM+SK9b+6w7+esNzQWw==</X509Certificate>
    </X509Data>
  </KeyInfo>
* Connection #0 to host rhel7-2.example.com left intact
</Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/></samlp:AuthnRequest></s:Body></s:Envelope>
[root@rhel7-2 conf.d]#
```

And the short answer is:

```
[root@rhel7-2 conf.d]# curl -k -v -H 'Accept:text/html, application/vnd.paos+xml' -H 'PAOS:ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"' https://$(hostname)/mroot/private/index.html 2>&1|grep Content-Type
< Content-Type: application/vnd.paos+xml
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1895
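The verification above only greps for the Content-Type line. An ECP client that sends the `Accept`/`PAOS` headers has to go further: it must reject anything that is not `application/vnd.paos+xml` (an SP without the fix, or one with ECP disabled, may hand back an HTML login redirect that a naive client would feed to the IdP), and it should parse the PAOS envelope before relaying it. The following script is an added example, not code from this bug report or from mod_auth_mellon; it reproduces the two request headers from the curl call and validates the SP reply. The embedded sample body is a copy of the envelope in the transcript with the XML signature block removed for brevity, and the `text/html` value used to demonstrate rejection is a placeholder, since the report does not say what the pre-fix header was.

```python
"""ECP-client-side check of a mod_auth_mellon PAOS response (added example)."""
import sys
import urllib.request
import xml.etree.ElementTree as ET

PAOS_CT = "application/vnd.paos+xml"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
PAOS_NS = "urn:liberty:paos:2003-08"   # doubles as the PAOS "ver" value

# The two request headers that make the SP answer with a PAOS envelope
# instead of a browser redirect (same values as the curl call in the report).
ECP_HEADERS = {
    "Accept": "text/html, " + PAOS_CT,
    "PAOS": 'ver="%s";"%s"' % (PAOS_NS, ECP_SERVICE),
}

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": PAOS_NS,
    "ecp": ECP_SERVICE,
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def check_paos_response(content_type, body):
    """Validate an SP reply to an ECP request; return its key fields or raise ValueError."""
    # Compare the media type only; a charset parameter is harmless.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != PAOS_CT:
        raise ValueError("expected Content-Type %s, got %r" % (PAOS_CT, content_type))

    root = ET.fromstring(body)
    if root.tag != "{%s}Envelope" % NS["s"]:
        raise ValueError("body is not a SOAP envelope")

    paos_req = root.find("s:Header/paos:Request", NS)
    if paos_req is None:
        raise ValueError("no paos:Request header block")
    if paos_req.get("service") != ECP_SERVICE:
        raise ValueError("paos:Request service is not the ECP profile")

    authn = root.find("s:Body/samlp:AuthnRequest", NS)
    if authn is None:
        raise ValueError("no samlp:AuthnRequest in SOAP body")

    # Sanity check: the URL the SP wants the IdP response delivered to must
    # be the same one it advertised in the AuthnRequest.
    rc_url = paos_req.get("responseConsumerURL")
    acs_url = authn.get("AssertionConsumerServiceURL")
    if rc_url != acs_url:
        raise ValueError("responseConsumerURL %r != AssertionConsumerServiceURL %r" % (rc_url, acs_url))

    return {
        "message_id": paos_req.get("messageID"),
        "response_consumer_url": rc_url,
        "authn_request_id": authn.get("ID"),
        "issuer": authn.findtext("saml:Issuer", default="", namespaces=NS),
        "relay_state": root.findtext("s:Header/ecp:RelayState", default=None, namespaces=NS),
    }


def fetch_and_check(url, opener=None):
    """Request a mellon-protected URL as an ECP client and validate the reply.

    Unlike the 'curl -k' in the report, urllib verifies the server certificate
    by default; an ECP client should keep it that way.
    """
    req = urllib.request.Request(url, headers=ECP_HEADERS)
    opener = opener or urllib.request.build_opener()
    with opener.open(req) as resp:
        return check_paos_response(resp.headers.get("Content-Type", ""), resp.read())


# Constructed sample: the envelope from the verification transcript, signature omitted.
SAMPLE_BODY = (
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:paos="urn:liberty:paos:2003-08"'
    b' xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    b' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><s:Header>'
    b'<paos:Request responseConsumerURL="https://rhel7-2.example.com/mroot/mellon/paosResponse"'
    b' service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" messageID="_D12FE1AB1DF8C79D18D3EFECE89599A3"'
    b' s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next"/>'
    b'<ecp:Request s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next" IsPassive="false">'
    b'<saml:Issuer>https://rhel7-2.example.com/mroot/mellon/metadata</saml:Issuer></ecp:Request>'
    b'<ecp:RelayState s:mustUnderstand="true" actor="http://schemas.xmlsoap.org/soap/actor/next">'
    b'https://rhel7-2.example.com/mroot/private/index.html</ecp:RelayState></s:Header><s:Body>'
    b'<samlp:AuthnRequest ID="_232D92D80D25E0B8C9BF94861B53FB79" Version="2.0" IssueInstant="2017-05-03T20:30:46Z"'
    b' Destination="https://rhel7-2.example.com/mroot/mellon/paosResponse"'
    b' AssertionConsumerServiceURL="https://rhel7-2.example.com/mroot/mellon/paosResponse">'
    b'<saml:Issuer>https://rhel7-2.example.com/mroot/mellon/metadata</saml:Issuer>'
    b'<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>'
    b'</samlp:AuthnRequest></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    # Usage: python ecp_check.py https://sp.example.com/mroot/private/index.html
    print(fetch_and_check(sys.argv[1]))
```

Run it against a live SP with the protected URL as the only argument. Note also that the AuthnRequest in the transcript is signed with `rsa-sha1` over a `sha1` digest; whether the IdP still accepts SHA-1 signatures is a separate matter from the header this bug fixes, but it is worth checking on both sides of the deployment.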