Univention Bugzilla – Bug 44966
Improve error handling if setting "umc/saml/idp-server" fails
Last modified: 2017-07-28 14:28:13 CEST
If downloading the metadata from the IdP fails, the 404 message is saved into:
/usr/share/univention-management-console/saml/idp/ucs-sso.univention.intranet.xml
The SAML login then fails with a parsing error. If possible we should catch that error somehow and tell the admin what to do: check the value of umc/saml/idp-server and set it again when the connection is fixed.
Yes, I have thought the same several times already. Could you write a short patch which checks that the HTTP status is 200 and validates that the downloaded file has valid XML syntax?
Created attachment 9023 [details]
proposed patch

I added some logging to saml/sp.py to make debugging easier. I also added logging for SamlErrors inside univention-management-console-web-server, because these errors are often only visible in the SAML iframe, which is not shown if any errors appear. Or is that too much information?
As discussed, please apply parts of the patch.
r81297: YAML
r81296: Improve error handling if setting "umc/saml/idp-server" fails
Package: univention-management-console
Version: 9.0.80-56A~4.2.0.201707201612
Branch: ucs_4.2-0
Scope: errata4.2-1
r81299: Changed logging for samlErrors
r81300: YAML
Package: univention-management-console
Version: 9.0.80-57A~4.2.0.201707201731
Branch: ucs_4.2-0
Scope: errata4.2-1
OK: error handling in the UCR module
OK: syntax validation
OK: Now we are hitting Bug #39268.

Module: setup_saml_sp
Try to download idp metadata (1/60)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
E: your request could not be fulfilled
try `univention-config-registry --help` for more information

REOPEN: This introduces a vulnerability, please use defusedxml for the syntax validation.
r81323: Use defusedxml instead of xml.etree
Package: univention-management-console
Version: 9.0.80-58A~4.2.0.201707241022
Branch: ucs_4.2-0
Scope: errata4.2-1

The dependencies should be ok: univention-management-console-web-server depends on python-pysaml2, which depends on python-defusedxml.
r81330: Added python-defusedxml dependency
Package: univention-management-console
Version: 9.0.80-59A~4.2.0.201707241109
Branch: ucs_4.2-0
Scope: errata4.2-1
OK: defusedxml
OK: dependency
<http://errata.software-univention.de/ucs/4.2/102.html>
# cat /usr/share/univention-management-console/saml/idp/ucs-sso.phahn.dev.xml
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /saml-bin/php-cgi/simplesamlphp/saml2/idp/metadata.php was not found on this server.</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at ucs-sso.phahn.dev Port 443</address>
</body></html>

# less /var/log/daemon.log
Jul 28 14:06:23 dc0 systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jul 28 14:06:23 dc0 slapd[24809]: Starting ldap server(s): slapd ...
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: Space required after the Public Identifier\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: SystemLiteral " or ' expected\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: SYSTEM or PUBLIC, the URI is missing\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: Opening and ending tag mismatch: hr line 7 and body\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: Opening and ending tag mismatch: body line 4 and html\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: Premature end of data in tag html line 2\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-WARNING **: 2017-07-28 14:06:23#011Cannot load metadata from /usr/share/univention-management-console/saml/idp/ucs-sso.phahn.dev.xml
Jul 28 14:06:23 dc0 slapd[24809]: done.
Jul 28 14:06:23 dc0 slapd[24809]: Checking Schema ID: ...done.

Don't let `curl` (or whatever) put an error message in that file!
Fixed it by `ucr set "umc/saml/idp-server=$(ucr get umc/saml/idp-server)"`
(In reply to Philipp Hahn from comment #11)
Yes, that is what we fixed now!?!
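The checks asked for in this thread (HTTP status 200, well-formed XML, parsing with defusedxml rather than xml.etree, and never letting an error page end up in the metadata file that lasso and the SP later parse) fit together in one small routine. The following is an added illustration, not the patch attached to this bug nor code from the univention-management-console package: the download step is reduced to a (status, body) pair so it runs offline, the target path and the sample documents are constructed, and defusedxml is used when installed, with a DOCTYPE refusal up front so that the stdlib fallback never sees entity declarations.

```python
"""Validate downloaded SAML IdP metadata before it replaces the on-disk file.

Constructed example: function names, the sample documents and the target
path are assumptions for this illustration, not from the UCS code base.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as StdET

try:
    # defusedxml refuses DTDs, entity declarations and external references.
    # Optional here only so the example also runs without the package.
    import defusedxml.ElementTree as SafeET
except ImportError:
    SafeET = None

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ALLOWED_ROOTS = {"{%s}EntityDescriptor" % SAML_MD_NS,
                 "{%s}EntitiesDescriptor" % SAML_MD_NS}
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class MetadataError(Exception):
    """Carries a message telling the admin what to check."""


def validate_idp_metadata(status, body):
    """Return the metadata bytes if they are safe to store, else raise MetadataError."""
    # 1. HTTP status: a 404/500 response body is an HTML error page, not metadata.
    if status != 200:
        raise MetadataError("IdP returned HTTP %s instead of metadata; "
                            "check umc/saml/idp-server and set it again" % status)
    if not body.strip():
        raise MetadataError("IdP returned an empty document")
    # 2. Refuse any DTD before parsing. SAML metadata never carries a DOCTYPE,
    #    and without one no entities can be declared, so neither XXE nor
    #    entity-expansion bombs can reach the parser (the point of the REOPEN).
    if DOCTYPE_RE.search(body):
        raise MetadataError("document declares a DOCTYPE; refusing to parse it")
    # 3. Well-formedness, with defusedxml when available.
    parser_mod = SafeET or StdET
    try:
        root = parser_mod.fromstring(body)
    except Exception as exc:  # ParseError or a DefusedXmlException subclass
        raise MetadataError("downloaded file is not well-formed XML: %s" % exc)
    # 4. It must be SAML 2.0 metadata, not some other well-formed XML (e.g. XHTML).
    if root.tag not in ALLOWED_ROOTS:
        raise MetadataError("root element %r is not SAML 2.0 metadata" % root.tag)
    return body


def store_idp_metadata(target_path, status, body):
    """Write validated metadata atomically; on any failure keep the existing file."""
    data = validate_idp_metadata(status, body)
    fd, tmp = tempfile.mkstemp(prefix=".idp-", dir=os.path.dirname(target_path) or ".")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, target_path)  # readers see the old or the new file, never a 404 page
    except Exception:
        os.unlink(tmp)
        raise
    return target_path


def check_result(status, body):
    """Return 'ok' or the admin-facing error text (handy for a CLI or tests)."""
    try:
        validate_idp_metadata(status, body)
        return "ok"
    except MetadataError as exc:
        return str(exc)


# Constructed samples: an Apache 404 page like the one quoted in this bug,
# a minimal EntityDescriptor, and a document with an internal DTD.
SAMPLE_404_HTML = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
                   b'<html><head><title>404 Not Found</title></head><body>\n'
                   b'<h1>Not Found</h1><hr><address>Apache</address></body></html>')
SAMPLE_METADATA = (b'<?xml version="1.0"?><md:EntityDescriptor xmlns:md="%s" '
                   b'entityID="https://idp.example.test/saml2/idp/metadata.php">'
                   b'<md:IDPSSODescriptor protocolSupportEnumeration='
                   b'"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>'
                   % SAML_MD_NS.encode())
SAMPLE_DTD = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "x">]><x>&e;</x>'


def demo_atomic_store():
    """Store a good download, then a 404 page; return what the file holds afterwards."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ucs-sso.example.test.xml")
        store_idp_metadata(path, 200, SAMPLE_METADATA)
        try:
            store_idp_metadata(path, 404, SAMPLE_404_HTML)
        except MetadataError:
            pass  # the earlier, valid metadata must still be in place
        with open(path, "rb") as fh:
            return fh.read()


if __name__ == "__main__":
    for label, status, body in (("404 page", 404, SAMPLE_404_HTML),
                                ("DTD", 200, SAMPLE_DTD),
                                ("metadata", 200, SAMPLE_METADATA)):
        print("%-9s -> %s" % (label, check_result(status, body)))
    print("file after failed re-download still valid:",
          demo_atomic_store() == SAMPLE_METADATA)
```

The order of the checks matters: the status test rejects the common case cheaply, the DOCTYPE refusal keeps hostile input away from whichever parser is in use, and the root-element test catches the case Philipp Hahn hit, where an error page that happens to be well-formed XML would otherwise be accepted. Writing to a temporary file in the same directory and renaming only after validation is what keeps a failed download from ever overwriting a working metadata file.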