Bug 1414154 - Using default ports produces bad request error
Summary: Using default ports produces bad request error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: keycloak-httpd-client-install
Version: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
Target Release: 11.0 (Ocata)
Assignee: John Dennis
QA Contact: Rodrigo Duarte
URL:
Whiteboard:
Duplicates: 1414152
Depends On: 1410938 1414156
Blocks: 1410940 1414152
Reported: 2017-01-17 22:07 UTC by John Dennis
Modified: 2017-05-17 19:40 UTC (History)

Fixed In Version: keycloak-httpd-client-install-0.5-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1410938
Environment:
Last Closed: 2017-05-17 19:40:17 UTC


Links
Red Hat Product Errata RHEA-2017:1245 (priority: normal, status: SHIPPED_LIVE): Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory, last updated 2017-05-17 23:01:50 UTC

Description John Dennis 2017-01-17 22:07:23 UTC
+++ This bug was initially created as a clone of Bug #1410938 +++

Explicitly specifying a default port (e.g. http://example.com:80 or
https://example.com:443) will cause Mellon to fail. This occurs
because the port gets embedded into the location URL for each endpoint
in the SP metadata (e.g. the Assertion Consumer Service). The IdP sets
the Destination attribute in the SAML response by looking it up in the
SP metadata, thus the Destination will have the default port in it
(e.g. 443). Upon receiving the SAML response the SP compares the URL
of the request to the Destination attribute in the SAML response, they
must match for the response to be considered valid. However, when
Mellon asks Apache what the request URL was, it won't have the port in
it, so the URL comparison fails, causing the server to return a 503
Bad Request error. So why is the port absent? It turns out that most
(all?) browsers will strip the port from a URL if it matches the port
for the scheme (e.g. 80 for http and 443 for https). Thus even if you
include the port in the URL it will never be included in the URL the
browser emits. This also includes stripping the port from the HTTP
host header (which Apache uses to reconstruct the URL).

The fix is to have keycloak-httpd-client-install recognize when a
default port has been specified and remove it from the mellon host
URL so it does not get embedded into any of the SAML endpoints.

--- Additional comment from Fedora Update System on 2017-01-06 18:05:29 EST ---

keycloak-httpd-client-install-0.5-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d3ca5b534b

--- Additional comment from Fedora Update System on 2017-01-07 20:19:38 EST ---

keycloak-httpd-client-install-0.5-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d3ca5b534b

--- Additional comment from Fedora Update System on 2017-01-16 15:49:45 EST ---

keycloak-httpd-client-install-0.5-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
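
The port-stripping logic described in this report, as an added example that is not code from keycloak-httpd-client-install or mod_auth_mellon: it normalizes a mellon host URL by dropping a scheme-default port, builds the endpoint Location the way the SP metadata would carry it, replays the Destination-versus-request-URL comparison that fails when the port is left in, and scans an SP metadata fragment for any Location that still carries a default port. The hostnames, the metadata fragment and all function names are constructed for illustration; only the urllib and xml.etree calls are standard library.

```python
"""Added example: why an explicitly given default port breaks the SAML
Destination check, and how normalizing the mellon host URL avoids it.
Hostnames, paths and the metadata fragment below are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Ports a browser drops from the URL and from the Host header because they
# are the default for the scheme.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_host_url(url):
    """Strip an explicitly given default port: https://h:443/x -> https://h/x.
    Non-default ports (and a port that is default for a *different* scheme)
    are left untouched."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if parts.port is not None and parts.port == DEFAULT_PORTS.get(scheme):
        host = parts.hostname or ""
        if ":" in host:  # IPv6 literal: keep the brackets
            host = "[" + host + "]"
        parts = parts._replace(scheme=scheme, netloc=host)
    return urlunsplit(parts)


def mellon_endpoint(host_url, mellon_root, endpoint):
    """Location value that would end up in the SP metadata for one mellon
    endpoint (hypothetical layout mirroring <root>/mellon/<endpoint>)."""
    return normalize_host_url(host_url).rstrip("/") + mellon_root + "/mellon/" + endpoint


def url_seen_by_apache(scheme, host_header, path):
    """Request URL reconstructed from the Host header and the path. For a
    default port the browser has already removed the port from Host."""
    return f"{scheme}://{host_header}{path}"


def destination_matches(destination, scheme, host_header, path):
    """The SP-side check that fails in this bug: Destination must equal the
    URL the request actually arrived on."""
    return destination == url_seen_by_apache(scheme, host_header, path)


def locations_with_default_port(metadata_xml):
    """Return every Location attribute in SP metadata that still carries a
    scheme-default port, i.e. what a fixed installer must never emit."""
    bad = []
    for elem in ET.fromstring(metadata_xml).iter():
        loc = elem.get("Location")
        if loc and normalize_host_url(loc) != loc:
            bad.append(loc)
    return bad


# Constructed SP metadata fragment: one Location still carries :443 (the
# pre-fix output), the other does not.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://overcloud.localdomain/v3/mellon/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://overcloud.localdomain:443/v3/mellon/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://overcloud.localdomain/v3/mellon/postResponse" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    path = "/v3/mellon/postResponse"
    host_header = "overcloud.localdomain"  # browser sends Host without :443
    broken = "https://overcloud.localdomain:443" + path  # pre-fix Destination
    fixed = mellon_endpoint("https://overcloud.localdomain:443", "/v3", "postResponse")
    print("pre-fix  Destination matches request URL:", destination_matches(broken, "https", host_header, path))
    print("post-fix Destination matches request URL:", destination_matches(fixed, "https", host_header, path))
    print("Locations still carrying a default port:", locations_with_default_port(SAMPLE_METADATA))
```

Running the script prints False for the pre-fix Destination, True after normalization, and lists the single offending Location from the constructed metadata. The same scan over real SP metadata is a quick post-install check that the default port was dropped everywhere, not just in the one endpoint a login happens to exercise.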

Comment 1 John Dennis 2017-01-17 22:15:49 UTC
This should be fixed by rebasing to keycloak-httpd-client-install-0.5

Comment 2 John Dennis 2017-01-17 22:27:16 UTC
*** Bug 1414152 has been marked as a duplicate of this bug. ***

Comment 6 Rodrigo Duarte 2017-02-08 21:31:03 UTC
Verified for keycloak-httpd-client-install-0.5-1.el7ost.noarch

- Running the keycloak-httpd-client-install command with a non-default port:

$ sudo keycloak-httpd-client-install \
    --client-originate-method registration \
    --mellon-https-port 13000 \
    --mellon-hostname overcloud.localdomain \
    --mellon-root /v3 \
    --keycloak-server-url https://ipa.rduartes.unknown.test \
    --keycloak-admin-password FreeIPA4All \
    --app-name v3 \
    --keycloak-realm openstack \
    -l /v3/auth/OS-FEDERATION/websso/saml2 \
    -l /v3/auth/OS-FEDERATION/identity_providers/rhsso/protocols/saml2/websso \
    -l /v3/OS-FEDERATION/identity_providers/rhsso/protocols/saml2/auth

- The produced sp_metadata correctly contains the port:

...
   <SingleLogoutService
     Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
     Location="https://overcloud.localdomain:13000/v3/mellon/logout" />
   <SingleLogoutService
...

- Now, running with the port set to 443:

$ sudo keycloak-httpd-client-install \
    --client-originate-method registration \
    --mellon-https-port 443 \
    --mellon-hostname overcloud.localdomain \
    --mellon-root /v3 \
    --keycloak-server-url https://ipa.rduartes.unknown.test \
    --keycloak-admin-password FreeIPA4All \
    --app-name v3 \
    --keycloak-realm openstack \
    -l /v3/auth/OS-FEDERATION/websso/saml2 \
    -l /v3/auth/OS-FEDERATION/identity_providers/rhsso/protocols/saml2/websso \
    -l /v3/OS-FEDERATION/identity_providers/rhsso/protocols/saml2/auth

- As expected, no port is specified in the Location:

...
   <SingleLogoutService
     Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
     Location="https://overcloud.localdomain/v3/mellon/logout" />
   <SingleLogoutService
...

Comment 7 errata-xmlrpc 2017-05-17 19:40:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245
