Bug 2217937 - lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
Summary: lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: lasso
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-06-27 14:37 UTC by Jan Pazdziora (Red Hat)
Modified: 2023-06-29 13:25 UTC
CC List: 4 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-06-29 13:09:36 UTC
Type: ---
Embargoed:



Description Jan Pazdziora (Red Hat) 2023-06-27 14:37:29 UTC
When using mod_auth_mellon on rawhide, I now see failures like

www_1                  | lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
Error GETing http://www:8079/saml-redirect-uri/login?ReturnTo=http%3A%2F%2Fwww%3A8079%2Fadmin%2Flogin%2F%3Fnext%3D%2Fadmin%2F&IdP=http%3A%2F%2Fkeycloak%3A8082%2Frealms%2Frealm%2Db: Server closed connection without sending any data back at /test.pl line 21.
www_1                  | [Tue Jun 27 12:46:17.790230 2023] [core:notice] [pid 15:tid 15] AH00051: child pid 19 exit signal Abort (6), possible coredump in /etc/httpd

similar to bug 2142849 comment 3.

Reproducible: Always

Steps to Reproduce:
1. Have mod_auth_mellon configured with something like

    <LocationMatch ^/saml-redirect-uri/|^/admin/login>
        MellonEnable info
        MellonEndpointPath /saml-redirect-uri/
        MellonSPMetadataFile /etc/httpd/saml2/mellon_metadata.xml
        MellonSPPrivateKeyFile /etc/httpd/saml2/mellon.key
        MellonSPCertFile /etc/httpd/saml2/mellon.pem
        MellonIdPMetadataFile /etc/httpd/saml2/idp_metadata.xml
    </LocationMatch>

    <Location /admin/login/>
        <If "%{QUERY_STRING} !~ /^direct$/">
            AuthType Mellon
            MellonEnable auth
            Require valid-user
        </If>

        RewriteEngine on
        RewriteCond %{REMOTE_USER} (.+)
        RewriteRule ^.+$ - [E=REMOTE_USER:%1]
        RequestHeader unset X-REMOTE-USER
        RequestHeader set X-REMOTE-USER %{REMOTE_USER}e env=REMOTE_USER

        MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" "first_name"
        RequestHeader unset X-REMOTE-USER-FIRSTNAME
        RequestHeader set X-REMOTE-USER-FIRSTNAME expr=%{base64:%{env:REMOTE_USER_FIRSTNAME}} env=REMOTE_USER_FIRSTNAME
        MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" "last_name"
        RequestHeader unset X-REMOTE-USER-LASTNAME
        RequestHeader set X-REMOTE-USER-LASTNAME expr=%{base64:%{env:REMOTE_USER_LASTNAME}} env=REMOTE_USER_LASTNAME
        MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" "email"
        RequestHeader unset X-REMOTE-USER-EMAIL
        RequestHeader set X-REMOTE-USER-EMAIL expr=%{base64:%{env:REMOTE_USER_EMAIL}} env=REMOTE_USER_EMAIL
        MellonSetEnvNoPrefix "REMOTE_USER_GROUPS" "groups"
        RequestHeader unset X-REMOTE-USER-GROUPS
        RequestHeader set X-REMOTE-USER-GROUPS expr=%{base64:%{env:REMOTE_USER_GROUPS}} env=REMOTE_USER_GROUPS
        MellonMergeEnvVars On ":"
    </Location>

    <Location /admin/logout/>
        <If "%{QUERY_STRING} == 'keycloak-logged-out'">
            RewriteEngine on
            RewriteRule "^.*" "/"
        </If>
        <Else>
            AddOutputFilterByType SUBSTITUTE text/html
            Substitute 's#</html>#<iframe style="display: none" width="0" height="0" frameborder="0" src="/saml-redirect-uri/logout?ReturnTo=http://www:8079/admin/logout/?keycloak-logged-out"/></html>#ni'
        </Else>
    </Location>

    ProxyPass /saml-redirect-uri/ !
    ProxyPass / http://app:8081/
    ProxyPassReverse / http://app:8081/

with Keycloak as the IdP.
2. Try to log in.
Actual Results:  
www_1                  | 172.19.0.3 - - [27/Jun/2023:12:46:16 +0000] "GET /admin/ HTTP/1.1" 302 - "-" "WWW-Mechanize/2.06"
www_1                  | 172.19.0.3 - - [27/Jun/2023:12:46:16 +0000] "GET /admin/login/?next=/admin/ HTTP/1.1" 303 377 "-" "WWW-Mechanize/2.06"
www_1                  | Bail out! lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
www_1                  | 
www_1                  | ==> /var/log/httpd/error_log <==
www_1                  | **
www_1                  | lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
Error GETing http://www:8079/saml-redirect-uri/login?ReturnTo=http%3A%2F%2Fwww%3A8079%2Fadmin%2Flogin%2F%3Fnext%3D%2Fadmin%2F&IdP=http%3A%2F%2Fkeycloak%3A8082%2Frealms%2Frealm%2Db: Server closed connection without sending any data back at /test.pl line 21.
www_1                  | [Tue Jun 27 12:46:17.790230 2023] [core:notice] [pid 15:tid 15] AH00051: child pid 19 exit signal Abort (6), possible coredump in /etc/httpd


Expected Results:  
No failure and no aborted httpd child.

I believe this is caused by the fact that xmlsec1 in rawhide is now back at the 1:1.2.37-4.fc39 version, so the fix and build in bug 2142849, which assume xmlsec 1.3, no longer work.

The revert of the xmlsec1 version was done via bug 2187631.
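As an added example (not part of this report, and not code from lasso or mod_auth_mellon), here is a small Python scanner that pulls the lasso assertion message and the AH00051 worker-abort notice out of httpd's error_log and ties them together, so a crash like the one above shows up in monitoring with its cause instead of as an anonymous aborted child. The sample lines are constructed after the excerpt above; the second AH00051 line is invented to show the unattributed case, and the prefix stripping assumes docker-compose style "name | " prefixes.

```python
import re
from typing import Iterable, Optional

# glib-style assertion message emitted by lasso, as in the report:
#   lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
LASSO_ASSERT = re.compile(
    r"^lasso:ERROR:(?P<file>[^:]+):(?P<line>\d+):(?P<func>\w+): "
    r"assertion failed: \((?P<expr>[^)]*)\)$"
)

# httpd notice written by the parent when a worker dies from a signal:
#   [Tue Jun 27 ...] [core:notice] [pid 15:tid 15] AH00051: child pid 19 exit signal Abort (6), ...
CHILD_SIGNAL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid (?P<parent>\d+):tid \d+\] "
    r"AH00051: child pid (?P<child>\d+) exit signal (?P<signame>[\w ]+?) \((?P<signum>\d+)\)"
)

# Constructed sample, modelled on the error_log excerpt in the report.
# The second AH00051 line is invented to show a crash that is not preceded by a lasso assertion.
SAMPLE_ERROR_LOG = """\
www_1                  | **
www_1                  | lasso:ERROR:tools.c:586:lasso_query_sign: assertion failed: (rsa)
www_1                  | [Tue Jun 27 12:46:17.790230 2023] [core:notice] [pid 15:tid 15] AH00051: child pid 19 exit signal Abort (6), possible coredump in /etc/httpd
www_1                  | [Tue Jun 27 12:51:03.000000 2023] [core:notice] [pid 15:tid 15] AH00051: child pid 23 exit signal Segmentation fault (11), possible coredump in /etc/httpd
""".splitlines()


def scan_error_log(lines: Iterable[str], window: int = 5) -> list[dict]:
    """Return one finding per worker that died by signal.

    If a lasso assertion failure was logged at most `window` lines before the
    AH00051 notice, the finding is attributed to lasso (cause="lasso_assert");
    otherwise cause="unknown". The assertion line carries no timestamp or pid,
    so proximity in the log is the only link available.
    """
    findings: list[dict] = []
    pending: Optional[tuple[int, dict]] = None  # (line index, assertion details)
    for idx, raw in enumerate(lines):
        # Strip a docker-compose style "service | " prefix if present (assumption).
        line = re.sub(r"^\S+\s+\| ?", "", raw.rstrip("\n"))
        m = LASSO_ASSERT.match(line)
        if m:
            pending = (idx, m.groupdict())
            continue
        m = CHILD_SIGNAL.match(line)
        if not m:
            continue
        finding = {
            "timestamp": m["ts"],
            "child_pid": int(m["child"]),
            "signal": m["signame"],
            "signum": int(m["signum"]),
            "cause": "unknown",
        }
        if pending is not None and idx - pending[0] <= window:
            a = pending[1]
            finding["cause"] = "lasso_assert"
            finding["assertion"] = f"{a['file']}:{a['line']}:{a['func']} ({a['expr']})"
            pending = None
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_error_log(SAMPLE_ERROR_LOG):
        print(finding)
```

The assertion text itself is the useful signal: a repeated "assertion failed: (rsa)" in lasso_query_sign on an otherwise working SAML SP points at the library stack (lasso against the wrong xmlsec1 build) rather than at the IdP or the configuration, which is exactly the conclusion reached in the report.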

Comment 1 Simo Sorce 2023-06-29 10:20:42 UTC
I pushed a rebuild of lasso against the reverted xmlsec1, can you check that this fixes the issue?

Comment 2 Jan Pazdziora (Red Hat) 2023-06-29 11:20:36 UTC
I confirm that with a package fetched from https://koji.fedoraproject.org/koji/buildinfo?buildID=2222725, my tests pass on Fedora rawhide again.

Got bodhi errata where we could give karma?

Comment 3 Jan Pazdziora (Red Hat) 2023-06-29 11:27:09 UTC
For reference and note to self: the test I used was https://github.com/adelton/django-identity-external/actions/runs/5411625277/jobs/9834612074.

Comment 4 Simo Sorce 2023-06-29 13:09:36 UTC
I do not think there is a bodhi errata for f39 yet because it has not forked from rawhide yet?

In any case it seems fixed, so I will close.

Comment 5 Jan Pazdziora (Red Hat) 2023-06-29 13:25:02 UTC
Ah, there is errata https://bodhi.fedoraproject.org/updates/FEDORA-2023-370708c31d but for rawhide the karma games are not played, so it has been pushed to stable directly, and it is in fact in the repos already. I've updated my test accordingly; it no longer needs to use the build from koji: https://github.com/adelton/django-identity-external/actions/runs/5412682855/jobs/9837114563

Thank you for the prompt fix!

