Bug 1429011 - CSRF tokens are erroneously being checked for external authentication
Summary: CSRF tokens are erroneously being checked for external authentication
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.8.0
Assignee: Martin Povolny
QA Contact: Matt Pusateri
URL:
Whiteboard: auth:externalauth
Depends On:
Blocks: 1430835
Reported: 2017-03-03 19:53 UTC by Joe Vlcek
Modified: 2017-06-20 16:09 UTC (History)

Fixed In Version: 5.8.0.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1430835
Environment:
Last Closed: 2017-06-12 17:27:19 UTC
Category: Bug
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:



Description Joe Vlcek 2017-03-03 19:53:34 UTC
Description of problem:

After configuring an appliance to use external authentication, logins fail.
A traceback is produced in the production.log.

How reproducible:

Configure an appliance to use external authentication.

Attempt to log in as admin.

Login fails.

Additional info:

Below is an excerpt from the production.log:

...
[----] I, [2017-03-03T13:57:27.121355 #12363:10cd2e8]  INFO -- :   Rendered /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-ui-classic-5a6599dc4067/app/views/layouts/_exception_contents.html.haml (0.8ms)
[----] I, [2017-03-03T13:57:27.121855 #12363:10cd2e8]  INFO -- : Completed 200 OK in 3ms (Views: 1.7ms | ActiveRecord: 0.0ms)
[----] I, [2017-03-03T14:00:08.440185 #12363:10cdb44]  INFO -- : Started GET "/" for 127.0.0.1 at 2017-03-03 14:00:08 -0500
[----] I, [2017-03-03T14:00:08.442485 #12363:10cdb44]  INFO -- : Processing by DashboardController#login as HTML
[----] I, [2017-03-03T14:00:08.450362 #12363:10cdb44]  INFO -- :   Rendering /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-ui-classic-5a6599dc4067/app/views/dashboard/login.html.haml within layouts/login
[----] I, [2017-03-03T14:00:08.451523 #12363:10cdb44]  INFO -- :   Rendered /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-ui-classic-5a6599dc4067/app/views/layouts/_spinner.html.haml (0.6ms)
[----] I, [2017-03-03T14:00:08.452130 #12363:10cdb44]  INFO -- :   Rendered /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-ui-classic-5a6599dc4067/app/views/layouts/_flash_msg.html.haml (0.1ms)
[----] I, [2017-03-03T14:00:08.455635 #12363:10cdb44]  INFO -- :   Rendered /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-ui-classic-5a6599dc4067/app/views/dashboard/login.html.haml within layouts/login (5.1ms)
[----] I, [2017-03-03T14:00:08.455900 #12363:10cdb44]  INFO -- :   Rendered /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-ui-classic-5a6599dc4067/app/views/layouts/_doctype.html.haml (0.0ms)
[----] I, [2017-03-03T14:00:08.456891 #12363:10cdb44]  INFO -- :   Rendered /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-ui-classic-5a6599dc4067/app/views/layouts/_i18n_js.html.haml (0.0ms)
[----] I, [2017-03-03T14:00:08.458404 #12363:10cdb44]  INFO -- : Completed 200 OK in 16ms (Views: 7.8ms | ActiveRecord: 0.0ms)
[----] I, [2017-03-03T14:00:20.387283 #12363:10cd6bc]  INFO -- : Started POST "/dashboard/external_authenticate" for 127.0.0.1 at 2017-03-03 14:00:20 -0500
[----] I, [2017-03-03T14:00:20.389612 #12363:10cd6bc]  INFO -- : Processing by DashboardController#external_authenticate as JS
[----] I, [2017-03-03T14:00:20.389706 #12363:10cd6bc]  INFO -- :   Parameters: {"user_name"=>"ldaptest2", "user_password"=>"[FILTERED]", "browser_name"=>"Chrome", "browser_version"=>"56", "browser_os"=>"Mac", "user_TZO"=>"-5"}
[----] W, [2017-03-03T14:00:20.390083 #12363:10cd6bc]  WARN -- : Can't verify CSRF token authenticity.
[----] F, [2017-03-03T14:00:20.390453 #12363:10cd6bc] FATAL -- : Error caught: [ActionController::InvalidAuthenticityToken] ActionController::InvalidAuthenticityToken
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_controller/metal/request_forgery_protection.rb:195:in `handle_unverified_request'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_controller/metal/request_forgery_protection.rb:223:in `handle_unverified_request'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_controller/metal/request_forgery_protection.rb:218:in `verify_authenticity_token'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:382:in `block in make_lambda'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:150:in `block (2 levels) in halting_and_conditional'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/abstract_controller/callbacks.rb:12:in `block (2 levels) in <module:Callbacks>'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:151:in `block in halting_and_conditional'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:454:in `block in call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:454:in `each'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:454:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:101:in `__run_callbacks__'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:750:in `_run_process_action_callbacks'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:90:in `run_callbacks'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/abstract_controller/callbacks.rb:19:in `process_action'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_controller/metal/rescue.rb:20:in `process_action'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_controller/metal/instrumentation.rb:32:in `block in process_action'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/notifications.rb:164:in `block in instrument'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/notifications/instrumenter.rb:21:in `instrument'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/notifications.rb:164:in `instrument'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_controller/metal/instrumentation.rb:30:in `process_action'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_controller/metal/params_wrapper.rb:248:in `process_action'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activerecord-5.0.1/lib/active_record/railties/controller_runtime.rb:18:in `process_action'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/abstract_controller/base.rb:126:in `process'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionview-5.0.1/lib/action_view/rendering.rb:30:in `process'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_controller/metal.rb:190:in `dispatch'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_controller/metal.rb:262:in `dispatch'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/routing/route_set.rb:50:in `dispatch'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/routing/route_set.rb:32:in `serve'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/journey/router.rb:39:in `block in serve'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/journey/router.rb:26:in `each'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/journey/router.rb:26:in `serve'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/routing/route_set.rb:725:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/secure_headers-3.0.3/lib/secure_headers/middleware.rb:10:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rack-2.0.1/lib/rack/etag.rb:25:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rack-2.0.1/lib/rack/conditional_get.rb:38:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rack-2.0.1/lib/rack/head.rb:12:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rack-2.0.1/lib/rack/session/abstract/id.rb:222:in `context'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rack-2.0.1/lib/rack/session/abstract/id.rb:216:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/middleware/cookies.rb:613:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/middleware/callbacks.rb:38:in `block in call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:97:in `__run_callbacks__'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:750:in `_run_call_callbacks'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/callbacks.rb:90:in `run_callbacks'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/middleware/callbacks.rb:36:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/middleware/remote_ip.rb:79:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/middleware/debug_exceptions.rb:49:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/railties-5.0.1/lib/rails/rack/logger.rb:36:in `call_app'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/railties-5.0.1/lib/rails/rack/logger.rb:26:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/middleware/request_id.rb:24:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rack-2.0.1/lib/rack/method_override.rb:22:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rack-2.0.1/lib/rack/runtime.rb:22:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-5.0.1/lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/actionpack-5.0.1/lib/action_dispatch/middleware/executor.rb:12:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rack-2.0.1/lib/rack/sendfile.rb:111:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/railties-5.0.1/lib/rails/engine.rb:522:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/puma-3.3.0/lib/puma/configuration.rb:224:in `call'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/puma-3.3.0/lib/puma/server.rb:561:in `handle_request'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/puma-3.3.0/lib/puma/server.rb:406:in `process_client'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/puma-3.3.0/lib/puma/server.rb:271:in `block in run'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/puma-3.3.0/lib/puma/thread_pool.rb:111:in `block in spawn_thread'
[----] I, [2017-03-03T14:00:20.392162 #12363:10cd6bc]  INFO -- :   Rendered /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-ui-classic-5a6599dc4067/app/views/layouts/_exception_contents.html.haml (0.8ms)
[----] I, [2017-03-03T14:00:20.392699 #12363:10cd6bc]  INFO -- : Completed 200 OK in 3ms (Views: 1.9ms | ActiveRecord: 0.0ms)
...



This issue was introduced with commit:

https://github.com/ManageIQ/manageiq-ui-classic/commit/0f99d9a6b6d348985ae674608ee82b3426e48133


When we manually reverted this commit on the appliance we were able to avoid the problem and were able to log in.
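Added illustration (not ManageIQ's code and not the change in the linked commit): a minimal Ruby model of the Rails forgery check that emits the "Can't verify CSRF token authenticity" warning in the log above. It shows why the POST to external_authenticate, which carries only form fields and no authenticity_token parameter or X-CSRF-Token header, is rejected, and contrasts exempting that one action (the role `skip_before_action :verify_authenticity_token, only:` plays in Rails) with the rest of the controller keeping its protection. The class CsrfGuard, the helper names and the change_password action are constructed for this example.

```ruby
require 'securerandom'
# Minimal model of the Rails forgery check (constructed for this example; not
# the ActionController or ManageIQ implementation).
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD].freeze

  # skip_actions plays the role of
  # `skip_before_action :verify_authenticity_token, only: [...]`.
  def initialize(skip_actions: [])
    @skip_actions = skip_actions.map(&:to_s)
  end

  # :ok when the request may proceed; :unverified where Rails would raise
  # ActionController::InvalidAuthenticityToken.
  def check(request, session)
    return :ok if SAFE_METHODS.include?(request[:method])
    return :ok if @skip_actions.include?(request[:action])
    expected = session[:_csrf_token]
    supplied = request[:params]['authenticity_token'] || request[:headers]['X-CSRF-Token']
    return :unverified if expected.nil? || supplied.nil?
    # Constant-time comparison so the check itself does not leak the token.
    a, b = expected.bytes, supplied.bytes
    a.size == b.size && a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero? ? :ok : :unverified
  end
end

# The POST from the production.log excerpt: form fields only, no token.
EXTERNAL_AUTH_POST = {
  method: 'POST', action: 'external_authenticate',
  params: { 'user_name' => 'ldaptest2', 'user_password' => '[FILTERED]' },
  headers: {}
}.freeze

# Check applied to every action: the external-auth login fails, as in the bug.
def unscoped_result
  CsrfGuard.new.check(EXTERNAL_AUTH_POST, {})
end

# Only the external-auth action exempted: it passes, while an ordinary form
# POST elsewhere in the controller (constructed action name) still needs the token.
def scoped_result
  guard = CsrfGuard.new(skip_actions: [:external_authenticate])
  session = { _csrf_token: SecureRandom.base64(32) }   # per-session token
  form_post = { method: 'POST', action: 'change_password', headers: {},
                params: { 'authenticity_token' => session[:_csrf_token] } }
  [guard.check(EXTERNAL_AUTH_POST, {}),
   guard.check(form_post, session),
   guard.check(form_post.merge(params: {}), session)]
end
```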

Comment 2 Joe Vlcek 2017-03-03 19:59:27 UTC
This should be a blocking issue as it prevents the use of external authentication.

Comment 5 Matt Pusateri 2017-04-28 15:50:47 UTC
Verified in - 5.8.0.12-rc1

