Bug 51315 - saml/univention-saml: migrate to python3
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0
Assigned To: Florian Best
QA Contact: Sebastian Lobinger
Reported: 2020-05-19 14:31 CEST by Florian Best
Modified: 2021-05-25 16:02 CEST
What kind of report is it?: Development Internal
Description Florian Best univentionstaff 2020-05-19 14:31:12 CEST
The UMC module of saml/univention-saml has to be python3-compatible.
Comment 1 Florian Best univentionstaff 2021-03-02 18:58:25 CET
univention-saml has been migrated to Python 3 in:

univention-saml (7.0.2-1)
b61b7235c4a5 | Bug #51315: fix print syntax in UCR conffile
ee3148964d69 | fixup! Bug #51315: migrate SAML listener to Python 3
877244a3add4 | Bug #51315: migrate SAML listener to Python 3
8f68e5d2bd4d | Bug #51315: fix python 3 issues

changelog-5.0-0.xml
ab46c15bca35 | Changelog Bug #51315
Comment 2 Sebastian Lobinger univentionstaff 2021-03-12 10:29:28 CET
I have tested the SAML Identity Provider module in UMC.
If I activate the https://sp.testshib.org/shibboleth-sp service provider, I get the following output on https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/metadata.php
that does not seem to be valid:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/metadata.php">
<script/>
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>[certificate data omitted]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>[certificate data omitted]</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/SSOService.php"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>Administrator</md:GivenName>
<md:EmailAddress>root@ucs5master.slobinger.intranet</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
Comment 3 Florian Best univentionstaff 2021-03-12 11:33:45 CET
(In reply to Sebastian Lobinger from comment #2)
> I have tested SAML Identity Provider Module in UMC.
> If I activate the https://sp.testshib.org/shibboleth-sp service provider I
> got the following output on
> https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/metadata.php
> that does not seem to be valid:
> 
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> entityID="https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/
> metadata.php">
> <script/>
This is valid. The <script/> tag has been added by your browser.

curl -k https://10.200.63.2/simplesamlphp/saml2/idp/metadata.php -H 'Host: ucs-sso.slobinger.intranet' | xmllint --pretty 1 -
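
A scripted form of the check discussed in comments 2 and 3, as an added example that is not part of the original thread or of univention-saml: it parses IdP metadata and lists every element outside the SAML metadata and XML-DSig namespaces, which is how a browser-injected <script/> shows up. The sample document is constructed from the structure quoted in comment 2 with a placeholder certificate, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: structure as quoted in comment 2 (browser view),
# certificate replaced by a placeholder string.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 entityID="https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/metadata.php">
<script/>
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 Location="https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/SSOService.php"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return (foreign_tags, summary) for a SAML IdP metadata document."""
    # ElementTree keeps the example offline; for metadata fetched from an
    # untrusted party a hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("root element is not md:EntityDescriptor")
    allowed = ("{%s}" % MD, "{%s}" % DS)
    # Anything not in the md: or ds: namespace did not come from the IdP schema.
    foreign = [el.tag for el in root.iter() if not el.tag.startswith(allowed)]
    summary = {"entityID": root.get("entityID"), "key_uses": [], "sso": []}
    idp = root.find("{%s}IDPSSODescriptor" % MD)
    if idp is not None:
        summary["key_uses"] = [k.get("use")
                               for k in idp.findall("{%s}KeyDescriptor" % MD)]
        summary["sso"] = [(s.get("Binding"), s.get("Location"))
                          for s in idp.findall("{%s}SingleSignOnService" % MD)]
    return foreign, summary


if __name__ == "__main__":
    foreign, summary = check_idp_metadata(SAMPLE)
    print("foreign elements:", foreign)
    print("summary:", summary)
```
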
Comment 4 Sebastian Lobinger univentionstaff 2021-03-12 13:35:05 CET
verified:
- code changes seem plausible
- changelog entries exist
- tested SAML Identity Provider Module in UMC: metadata provided by curl -k https://10.200.63.2/simplesamlphp/saml2/idp/metadata.php -H 'Host: ucs-sso.slobinger.intranet' seems valid and no errors in listener.log
- activated SP https://ucs5master.slobinger.intranet/univention/saml/metadata and added it to a testgroup, deleted the testgroup after that, also no errors in listener.log
Comment 5 Florian Best univentionstaff 2021-05-25 16:02:50 CEST
UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".