1481332 – Rebase to current upstream

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1481332 - Rebase to current upstream

Summary: Rebase to current upstream

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	mod_auth_mellon
Sub Component:
Version:	7.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	John Dennis
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-14 15:37 UTC by John Dennis
Modified:	2018-04-10 17:08 UTC (History)
CC List:	2 users (show)
Fixed In Version:	mod_auth_mellon-0.13.1-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 17:08:46 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0927	0	None	None	None	2018-04-10 17:08:52 UTC

Description John Dennis 2017-08-14 15:37:02 UTC

RHEL 7 currently ships mod_auth_mellon 0.11.0. Upstream Mellon has made a number of bug fixes and feature enhancements in the interim. It's time to pull this into RHEL 7.

Comment 4 Scott Poore 2018-01-12 21:56:04 UTC

Verified.

Version ::

mod_auth_mellon-0.13.1-1.el7.x86_64

Results ::

# First Setup IPA/RH-SSO environment
# Setup IPA server
# Setup IPA client
# On IPA Server, create basic user, disabled user, and OTP user
# Setup Trust with AD Domain 
# Setup RH-SSO 7.1.3 standalone server on IPA client
# Realm demorealm created and SSSD Federation Plugin setup
# On SP, install apache and mod_auth_mellon

# SP configuration:

[root@sp1 ~]# keycloak-httpd-client-install \
    --client-originate-method registration \
    --keycloak-server-url https://idp.keycloak.test:8443 \
    --keycloak-admin-username admin \
    --keycloak-admin-password Secret123 \
    --app-name example_app \
    --keycloak-realm demorealm \
    --mellon-root example_app \
    --mellon-https-port 8443 \
    --mellon-protected-locations "/example_app/private" \
    --force

[root@sp1 ~]# cat /var/www/html/example_app/private/index.html 
<html><title>Secure</title>Hello there...from SP ...<br>
<a href="https://sp1.keycloak.test:8443/example_app/mellon/logout?ReturnTo=https://sp1.keycloak.test:8443/example_app/logged_out.html">Log out</a>
<hr>
<pre><!--#printenv --></pre>

[root@sp1 ~]# cat /var/www/html/example_app/logged_out.html 
<html>
<title>Logout</title>
<p>
Congratulations, you've been logged out!
</p>
<p>
Now try to <a href="/example_app/private/">log back in</a>
</p>
</html>

[root@sp1 ~]# cat /var/www/html/test.html 
<form action = "/example_app/private/test.py" method = "post">
Input: <input type = "text" name = "data">
<input type = "submit" value = "Submit" />
</form>

[root@sp1 ~]# cat /var/www/html/example_app/private/test.py
#!/usr/bin/python

import cgi

form = cgi.FieldStorage()
data = form.getvalue('data')
print """Content-type:text/html\r\n\r\n
<html>
<head>
<title>Test CGI Program</title>
</head>
<body>
<h2>Hello %s</h2>
</body>
</html>
""" % (data)


# Create curl login script for simple testing:

[root@sp1 ~]# cat ./saml_login
# http://www.ssocircle.com/en/developer-tutorial-saml-testing-using-curl-and-ssocheck-api/developer-tutorial-part-i-a-saml-sso-flow-from-the-command-line-with-curl/

rm -f cookies output[1234]

echo "$1 $2 $3"
USER=${1:-ipauser1}
PASS=${2:-Secret123}
SPURL=${3:-"https://sp1.keycloak.test:8443/example_app/private"}

curl -k -L -c cookies -b cookies -s -o output1 ${SPURL}

LOGIN=$(cat output1 | grep id=\"kc-form-login\"|cut -d'"' -f6)

curl -k -L -c cookies -b cookies -s -o output2 --data-urlencode username="${USER}" --data-urlencode password="${PASS}" "${LOGIN}"

URL=$(grep -i "action=" output2|cut -d'"' -f6|recode html)
SAML=$(cat output2|grep -i samlresponse|cut -d'"' -f12|recode html|tr -d '\r\n')
RELAY=$(cat output2|grep -i relaystate|cut -d'"' -f18|recode html)

curl -k -L -c cookies -b cookies  -s -o output3 --data-urlencode SAMLResponse="${SAML}" --data-urlencode RelayState="${RELAY}" $URL

cat output3

# now execute basic tests:

####################################################################
# test1:  basic user login
####################################################################
[root@sp1 ~]# ./saml_login ipauser1 Secret123
ipauser1 Secret123 
<html><title>Secure</title>Hello there...from SP ...<br>
<a href="https://sp1.keycloak.test:8443/example_app/mellon/logout?ReturnTo=https://sp1.keycloak.test:8443/example_app/logged_out.html">Log out</a>
<hr>
<pre>UNIQUE_ID=WlkTfmdNAylvGBUIcQ1WiwAAAAM
MELLON_NAME_ID=G-710959c9-8d72-472a-8315-6d8e4409273b
MELLON_NAME_ID_0=G-710959c9-8d72-472a-8315-6d8e4409273b
MELLON_groups=ipausers
MELLON_groups_0=ipausers
...trunc...
</pre>

####################################################################
# test2: otp user login
# done with FreeOTP app on smartphone
####################################################################
[root@sp1 ~]# ./saml_login otpuser1 Secret123461082
otpuser1 Secret123461082 
<html><title>Secure</title>Hello there...from SP ...<br>
<a href="https://sp1.keycloak.test:8443/example_app/mellon/logout?ReturnTo=https://sp1.keycloak.test:8443/example_app/logged_out.html">Log out</a>
<hr>
<pre>UNIQUE_ID=WlkTb6JWg5vCSGScudnI1AAAAAE
MELLON_NAME_ID=G-fb4764c2-1f6b-4947-977c-4ffdfdbcfca3
MELLON_NAME_ID_0=G-fb4764c2-1f6b-4947-977c-4ffdfdbcfca3
MELLON_groups=ipausers
MELLON_groups_0=ipausers
MELLON_groups_1=otpusers
...trunc...
</pre>

####################################################################
# test3: disabled user
####################################################################
[root@sp1 ~]# ./saml_login disableduser1 Secret123
disableduser1 Secret123 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" class="login-pf">
...trunc...
                                <span class="kc-feedback-text">Invalid username or password.</span>
...
    </div>
</body>
</html>

####################################################################
# test4: nonexistent user
####################################################################
[root@sp1 ~]# ./saml_login dneuser1 Secret123
dneuser1 Secret123 
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
cat: output3: No such file or directory

This is an indicator that the lookup failed.

####################################################################
# test5: AD Trusted User
####################################################################
[root@sp1 ~]# ./saml_login aduser1 Secret123
aduser1 Secret123 
<html><title>Secure</title>Hello there...from SP ...<br>
<a href="https://sp1.keycloak.test:8443/example_app/mellon/logout?ReturnTo=https://sp1.keycloak.test:8443/example_app/logged_out.html">Log out</a>
<hr>
<pre>UNIQUE_ID=WlkVFbRTllJWdOo4LWBnsQAAAAA
MELLON_NAME_ID=G-e0f2786c-6ac0-450a-9eaf-2714dd4f63f3
MELLON_NAME_ID_0=G-e0f2786c-6ac0-450a-9eaf-2714dd4f63f3
MELLON_groups=domain users
MELLON_groups_0=domain users
...trunc...
</pre>

####################################################################
# test6: access with POST as IPA user
####################################################################
# This test was done from a web browser accessing:
https://sp1.keycloak.test:8443/test.html
This presents the form that uses POST via the python script in the protected area.  So, after submitting, the browser is redirected to the IDP:
After entering ipauser1 and Secret123, I'm redirected to the python script in the protected area with the POST data reposted by mellon and processed as expected.

Comment 7 errata-xmlrpc 2018-04-10 17:08:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0927

Note You need to log in before you can comment on or make changes to this bug.