Univention Bugzilla – Bug 55248
hidden saml2.s_utils.UnravelError in unknown condition during SAML login
Last modified: 2022-11-16 18:03:59 CET
An error in the UMC-Web-Server during SAML login might happen if we give a wrong data type to pysaml2. In a customer debug session we patched pysaml2 to not ignore exceptions and return None in "parse_authn_request_response" but to raise an exception: ``` 127.0.0.1 - - [06/Oct/2022:15:46:28] "POST /saml/ HTTP/1.1" 500 2227 "https://.../simplesamlphp/module.php/core/loginuserpass.php?, https://.../simplesamlphp/module.php/core/loginuserpass.php?" [06/Oct/2022:15:46:29] HTTP Traceback (most recent call last): File "/usr/lib/python3/dist-packages/saml2/entity.py", line 387, in unravel xmlstr = base64.b64decode(txt) File "/usr/lib/python3.7/base64.py", line 80, in b64decode s = _bytes_from_decode_data(s) File "/usr/lib/python3.7/base64.py", line 46, in _bytes_from_decode_data "string, not %r" % s.__class__.__name__) from None TypeError: argument should be a bytes-like object or ASCII string, not 'list' During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/cherrypy/_cprequest.py", line 670, in respond response.body = self.handler() File "/usr/lib/python3/dist-packages/cherrypy/lib/encoding.py", line 220, in __call__ self.body = self.oldhandler(*args, **kwargs) File "/usr/lib/python3/dist-packages/cherrypy/_cpdispatch.py", line 60, in __call__ return self.callable(*self.args, **self.kwargs) File "/usr/sbin/univention-management-console-web-server", line 1261, in index return acs(binding, message, relay_state) File "/usr/sbin/univention-management-console-web-server", line 1269, in attribute_consuming_service response = self.acs(message, binding) File "/usr/sbin/univention-management-console-web-server", line 1399, in acs response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries) File "/usr/lib/python3/dist-packages/saml2/client_base.py", line 702, in parse_authn_request_response binding, **kwargs) File "/usr/lib/python3/dist-packages/saml2/entity.py", line 1132, in _parse_response xmlstr = self.unravel(xmlstr, binding, response_cls.msgtype) File "/usr/lib/python3/dist-packages/saml2/entity.py", line 397, in unravel raise UnravelError("Unravelling binding '%s' failed" % binding) saml2.s_utils.UnravelError: Unravelling binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' failed ``` The curl command to trigger this did not contain two `SAMLResponse` HTTP POST form data but the UMC-Webserver somehow had `message == [saml_response, saml_response]`. A fix which worked for us was: diff --git management/univention-management-console/univention-management-console-web-server management/univention-management-console/univention-management-console-web-server index eecd8e85fb..8bb58ae8a2 100755 --- management/univention-management-console/univention-management-console-web-server +++ management/univention-management-console/univention-management-console-web-server @@ -1303,7 +1303,8 @@ class SAML(Ressource): @@ -1391,6 +1392,9 @@ class SAML(Ressource): message = self.sp.artifact2message(message, 'spsso') binding = BINDING_HTTP_ARTIFACT + if isinstance(message, list): + message = message[0] + return binding, message, relay_state def acs(self, message, binding): # attribute consuming service # TODO: rename into parse
This was seen in 2 more environments.
MR: https://git.knut.univention.de/univention/ucs/-/merge_requests/558
It is now ensured that no list is passed to pysaml2. univention-management-console.yaml 04230a180c44 | fix(umc-saml): handle duplicated SAML messages as one univention-management-console (12.0.13-3) 04230a180c44 | fix(umc-saml): handle duplicated SAML messages as one
No regressions: OK Reproducing the problem: ~Not without monkey patching YAML: OK
<https://errata.software-univention.de/#/?erratum=5.0x485>