Univention Bugzilla – Full Text Bug Listing

Summary: | UMC-Webserver: KeyError during SAML logout request, Session still valid | | |
---|---|---|---|
Product: | UCS | Reporter: | Florian Best <best> |
Component: | UMC (Generic) | Assignee: | Florian Best <best> |
Status: | CLOSED FIXED | QA Contact: | Erik Damrose <damrose> |
Severity: | normal | | |
Priority: | P5 | CC: | damrose, gohmann, heidelberger, walkenhorst |
Version: | UCS 4.1 | | |
Target Milestone: | UCS 4.1-0-errata | | |
Hardware: | Other | | |
OS: | Linux | | |
What kind of report is it?: | --- | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | | Enterprise Customer affected?: | |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | | Bug group (optional): | Error handling, External feedback, SAML |
Max CVSS v3 score: | | | |
Description

Florian Best, 2015-11-06 15:35:16 CET
*** Bug 39860 has been marked as a duplicate of this bug. ***

1xMaster / 1xBackup environment. Chrome Browser on Windows 7.

- Login to http://master/umc -> single sign-on on backup (visible on ucs-sso.)
- Switch to backup from UMC dropdown on master
- Logout on Backup -> redirect to master and backup (for logout)
- Enter http://master/umc in browser -> Get a valid UMC Session! Users can be created!

On logout attempt from master the above traceback occurs.

```
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cprequest.py", line 656, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/dist-packages/cherrypy/lib/encoding.py", line 188, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/cherrypy/_cpdispatch.py", line 34, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/sbin/univention-management-console-web-server", line 1194, in slo
    if user.saml is None:
AttributeError: 'NoneType' object has no attribute 'saml'
```

Ok, here are multiple problems:

The first is the KeyError which has been fixed: It happens when you actually *are already* SAML-logged out but as the tab is still opened you can click on logout. I added a redirection to /logout so everything is fine.

The second problem is the AttributeError which happens if you log in via IP address, switch the host to another host, logout there: You get redirected to the FQDN of that host and as your cookie is not valid there you cannot logout and redirect back to the IDP/SP to get to the next logout server. I fixed the AttributeError to just logout locally. This has the drawback that you currently logout at SP-slave1 and get redirected to the login page of SP-master. TODO: check if it's possible to circumvent this.

The third problem is that your UMC-session (not the UMC-SAML one) at SP-A seems still valid after the logout of SP-B. But I guess this should be okay.
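As an added illustration (not code from this bug, from UCS, or from the UMC web server), the Python sketch below models the two failures comment #4 describes, a logout request arriving after the SAML session is already gone and a session lookup that yields no user, and shows a handler that tolerates both instead of raising. The in-memory session store, the `User` and `SamlSession` classes, the `login` helper and the IdP logout URL are constructed assumptions; only the `/logout` redirect target comes from the comment above.

```python
# Added illustration, not the UMC web server's code: a SAML single-logout
# (SLO) handler that stays robust when the session is already gone or when
# the cookie does not belong to the host name the browser was sent to.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SamlSession:
    # Constructed stand-in for per-login SAML state; the IdP logout URL is an
    # assumed field, not one taken from the UMC code base.
    idp_logout_url: str


@dataclass
class User:
    username: str
    saml: Optional[SamlSession] = None  # None for a local (non-SAML) login


# Constructed in-memory stand-in for the server-side session store
# (cookie value -> User); the real server keeps sessions elsewhere.
SESSIONS: Dict[str, User] = {}

LOGOUT_PAGE = "/logout"  # the redirect target comment #4 mentions


def login(session_id: str, user: User) -> None:
    """Register a session under the given cookie value (constructed helper)."""
    SESSIONS[session_id] = user


def slo_before(session_id: Optional[str]) -> str:
    """Shape of the failing handler as the traceback suggests.

    `user` is None for an unknown or stale cookie, so `user.saml` raises the
    AttributeError shown on the page. Kept only to contrast with slo().
    """
    user = SESSIONS.get(session_id) if session_id else None
    if user.saml is None:  # AttributeError when user is None
        return LOGOUT_PAGE
    del SESSIONS[session_id]
    return user.saml.idp_logout_url


def slo(session_id: Optional[str]) -> str:
    """Defensive variant: return the redirect target for a logout request."""
    user = SESSIONS.get(session_id) if session_id else None
    if user is None:
        # Already logged out (stale tab) or the cookie is not valid for this
        # host name: nothing to tear down locally, just redirect to /logout.
        return LOGOUT_PAGE
    # Drop the local session first so a retried request cannot find it again.
    del SESSIONS[session_id]
    if user.saml is None:
        # Local login only: there is no IdP to notify, finish locally.
        return LOGOUT_PAGE
    # SAML login: hand off to the IdP so it can continue the logout chain
    # to the other service providers.
    return user.saml.idp_logout_url


if __name__ == "__main__":
    login("cookie-a", User("admin", SamlSession("https://ucs-sso.example.test/slo")))
    print(slo("cookie-a"))  # https://ucs-sso.example.test/slo
    print(slo("cookie-a"))  # /logout (second click from a stale tab)
    try:
        slo_before("cookie-a")
    except AttributeError as err:
        print("slo_before:", err)
```

The order in `slo` matters: the local session is removed before the browser is sent to the IdP, so a second click on a stale tab takes the "already logged out" path rather than finding a live session.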
(In reply to Florian Best from comment #4)
> Ok, here are multiple problems:
> The first is the KeyError which has been fixed:
> It happens when you actually *are already* SAML-logged out but as the tab is
> still opened you can click on logout. I added a redirection to /logout so
> everything is fine.

fixed as said.

> The second problem is the AttributeError which happens if you log in via IP
> address, switch the host to another host, logout there:
> You get redirected to the FQDN of that host and as your cookie is not valid
> there you cannot logout and redirect back to the IDP/SP to get to the next
> logout server.
> I fixed the AttributeError to just logout locally. This has the drawback
> that you currently logout at SP-slave1 and get redirected to the login page
> of SP-master.
> TODO: check if it's possible to circumvent this.

I could work around this, so if the user is already logged out (or has no cookie for the FQDN) she is redirected back to the original host. I think it would not be so easy to preserve the IP and would have to be fixed in simplesamlphp.

> The third problem is that your UMC-session (not the UMC-SAML one) at SP-A
> seems still valid after the logout of SP-B.
> But I guess this should be okay.

Nothing done, if you disagree please reopen.

univention-management-console-frontend.yaml:
r66324 | YAML Bug #39815

univention-management-console-frontend (5.0.63-8):
r66323 | Bug #39815: fix error during logout
r66288 | Bug #39815: fix error during logout

Reported as traceback feedback.
OK: KeyError traceback is gone
OK: AttributeError traceback is gone

Reopen: I think these changes introduced a regression: SSO does not work in the following scenario, tested with IE11 and Firefox:

Master + Backup
Log into master via SSO
switch to backup using the dropdown

Expected: The browser shows the UMC on backup
Observed: The UMC login window on backup is shown
umc-web-server.log on backup shows SessionClient(0x37fafd0): _authenticated: success=True status=200 message=None but nothing else happens.
Clicking on the SSO login link then grants UMC login.

Reopen: Another regression:
Login via http://<master-ipaddress>/umc -> SSO -> Logout

Expected: Logged out on master
Observed: Get redirected to http://<master-fqdn>/. Trying to access http://<master-ipaddress>/umc grants me a UMC session that I just logged out of.

(In reply to Florian Best from comment #4)
[...]
> The third problem is that your UMC-session (not the UMC-SAML one) at SP-A
> seems still valid after the logout of SP-B.
> But I guess this should be okay.

I still think this is dangerous and not okay. By using SSO I expect to be able to use the 'service' UMC: within the SSO session I can switch to UMCs of different servers, but I am still using the service UMC. If I logout at one endpoint, I expect that every UMC is not accessible for me anymore.

Think of another example: If I log into googlemail I can switch to the calendar, use google drive, docs, etc... If I logout at any of these services I can not use the others unless I login again. I do not want to logout at every specific service I used.
(In reply to Erik Damrose from comment #7)
> OK: KeyError traceback is gone
> OK: AttributeError traceback is gone
>
> Reopen: I think these changes introduced a regression: SSO does not work in
> the following scenario, tested with IE11 and Firefox:
>
> Master + Backup
> Log into master via SSO
> switch to backup using the dropdown
>
> Expected: The browser shows the UMC on backup
> Observed: The UMC login window on backup is shown
> umc-web-server.log on backup shows SessionClient(0x37fafd0): _authenticated:
> success=True status=200 message=None but nothing else happens.
> Clicking on the SSO login link then grants UMC login.

This can't be a regression. Nothing changed in the autologin. Check that Firefox accepts all SSL certificates and everywhere the FQDN is used and memcached is running.

> Reopen: Another regression:
> Login via http://<master-ipaddress>/umc -> SSO -> Logout
>
> Expected: Logged out on master
> Observed: Get redirected to http://<master-fqdn>/. Trying to access
> http://<master-ipaddress>/umc grants me a UMC session that I just logged out
> of.
> (In reply to Florian Best from comment #4)
> [...]
> > The third problem is that your UMC-session (not the UMC-SAML one) at SP-A
> > seems still valid after the logout of SP-B.
> > But I guess this should be okay.
>
> I still think this is dangerous and not okay. By using SSO I expect to be
> able to use the 'service' UMC: within the SSO session I can switch to UMCs
> of different servers, but I am still using the service UMC. If I logout at
> one endpoint, I expect that every UMC is not accessible for me anymore.
>
> Think of another example: If I log into googlemail I can switch to the
> calendar, use google drive, docs, etc... If I logout at any of these
> services I can not use the others unless I login again. I do not want to
> logout at every specific service I used.

No, these are 2 kinds of sessions. You are no longer logged in at the IDP.
But if you logout at the SP-UMC-1 then I wouldn't logout/destroy the running session at SP-UMC-2. If this would be done and one currently installs e.g. an app on SP-UMC-1 the AppCenter module process would be killed resulting in a maybe broken package state. Therefore I won't change this. The session will be destroyed after the session-timeout of 10 minutes.

(In reply to Florian Best from comment #8)
> > Observed: The UMC login window on backup is shown
> > umc-web-server.log on backup shows SessionClient(0x37fafd0): _authenticated:
> > success=True status=200 message=None but nothing else happens.
> > Clicking on the SSO login link then grants UMC login.
> This can't be a regression. Nothing changed in the autologin. Check that
> Firefox accepts all SSL certificates and everywhere the FQDN is used and
> memcached is running.

This could be traced back to a Firefox problem and could not be reproduced every time.

> > Reopen: Another regression:
> > Login via http://<master-ipaddress>/umc -> SSO -> Logout
> >
> > Expected: Logged out on master
> > Observed: Get redirected to http://<master-fqdn>/. Trying to access
> > http://<master-ipaddress>/umc grants me a UMC session that I just logged out
> > of.
> > (In reply to Florian Best from comment #4)
> > [...]
> > > The third problem is that your UMC-session (not the UMC-SAML one) at SP-A
> > > seems still valid after the logout of SP-B.
> > > But I guess this should be okay.
> >
> > I still think this is dangerous and not okay. By using SSO I expect to be
> > able to use the 'service' UMC: within the SSO session I can switch to UMCs
> > of different servers, but I am still using the service UMC. If I logout at
> > one endpoint, I expect that every UMC is not accessible for me anymore.
> >
> > Think of another example: If I log into googlemail I can switch to the
> > calendar, use google drive, docs, etc... If I logout at any of these
> > services I can not use the others unless I login again. I do not want to
> > logout at every specific service I used.
> No, these are 2 kinds of sessions. You are no longer logged in at the IDP.
> But if you logout at the SP-UMC-1 then I wouldn't logout/destroy the running
> session at SP-UMC-2. If this would be done and one currently installs e.g. an
> app on SP-UMC-1 the AppCenter module process would be killed resulting in a
> maybe broken package state. Therefore I won't change this. The session will
> be destroyed after the session-timeout of 10 minutes.

Ok, seems to be out of scope for this bug anyway.

It's too bad my bug was closed as a duplicate of this one and then not fixed. I will file a new one.

-> Verified