Univention Bugzilla – Full Text Bug Listing

| Summary: | Improve error handling if setting "umc/saml/idp-server" fails | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Jürn Brodersen <brodersen> |
| Component: | SAML | Assignee: | Jürn Brodersen <brodersen> |
| Status: | CLOSED FIXED | QA Contact: | Florian Best <best> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, hahn |
| Version: | UCS 4.2 | | |
| Target Milestone: | UCS 4.2-1-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=39268 | | |
| What kind of report is it?: | Feature Request | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Attachments: | proposed patch | | |
Description
Jürn Brodersen
2017-07-11 13:54:52 CEST
Yes, I thought the same some times already. Could you write a short patch which checks the HTTP error status to be 200 and validates the downloaded file to be valid XML syntax?

Created attachment 9023 [details]
proposed patch

I added some logging to saml/sp.py to make debugging easier.

I also added logging for SamlErrors inside univention-management-console-web-server because these errors there are often only visible in the saml iframe, which is not shown if any errors appear. Or is that too much information?
As discussed, please apply parts of the patch.

r81297: YAML
r81296: Improve error handling if setting "umc/saml/idp-server" fails

Package: univention-management-console
Version: 9.0.80-56A~4.2.0.201707201612
Branch: ucs_4.2-0
Scope: errata4.2-1

r81299: Changed logging for samlErrors
r81300: YAML

Package: univention-management-console
Version: 9.0.80-57A~4.2.0.201707201731
Branch: ucs_4.2-0
Scope: errata4.2-1

OK: error handling in the UCR module
OK: syntax validation
OK: Now we are hitting Bug #39268.

```
Module: setup_saml_sp
Try to download idp metadata (1/60)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
E: your request could not be fulfilled
try `univention-config-registry --help` for more information
```

REOPEN: This introduces a vulnerability, please use defusedxml for the syntax validation.

r81323: Use defusedxml instead of xml.etree

Package: univention-management-console
Version: 9.0.80-58A~4.2.0.201707241022
Branch: ucs_4.2-0
Scope: errata4.2-1

The dependencies should be ok: univention-management-console-web-server depends on python-pysaml2, which depends on python-defusedxml.

r81330: Added python-defusedxml dependency

Package: univention-management-console
Version: 9.0.80-59A~4.2.0.201707241109
Branch: ucs_4.2-0
Scope: errata4.2-1

OK: defusedxml
OK: dependency

```
# cat /usr/share/univention-management-console/saml/idp/ucs-sso.phahn.dev.xml
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /saml-bin/php-cgi/simplesamlphp/saml2/idp/metadata.php was not found on this server.</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at ucs-sso.phahn.dev Port 443</address>
</body></html>
# less /var/log/daemon.log
Jul 28 14:06:23 dc0 systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jul 28 14:06:23 dc0 slapd[24809]: Starting ldap server(s): slapd ...
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: Space required after the Public Identifier\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: SystemLiteral " or ' expected\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: SYSTEM or PUBLIC, the URI is missing\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: Opening and ending tag mismatch: hr line 7 and body\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: Opening and ending tag mismatch: body line 4 and html\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-CRITICAL **: libxml2: Premature end of data in tag html line 2\n
Jul 28 14:06:23 dc0 slapd[24809]: (process:24821): Lasso-WARNING **: 2017-07-28 14:06:23#011Cannot load metadata from /usr/share/univention-management-console/saml/idp/ucs-sso.phahn.dev.xml
Jul 28 14:06:23 dc0 slapd[24809]: done.
Jul 28 14:06:23 dc0 slapd[24809]: Checking Schema ID: ...done.
```

Don't let `curl` (or whatever) put an error message in that file!

Fixed it by `ucr set "umc/saml/idp-server=$(ucr get umc/saml/idp-server)"`

(In reply to Philipp Hahn from comment #11)
Yes, that is what we fixed now!?!
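A Python check of the kind this thread asks for, added here as an example and not the UCS code: it requires HTTP status 200, parses the body with defusedxml as the r81323 fix does, and goes one step further by requiring a SAML metadata root element, so an Apache 404 page like the one quoted above is rejected rather than stored as IdP metadata. The sample bodies, the `idp.example.test` entityID and the function names are constructed for this example; the `defusedxml` package must be installed.

```python
import defusedxml.ElementTree as safe_et
from defusedxml import DefusedXmlException

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
METADATA_ROOTS = ("{%s}EntityDescriptor" % SAML_MD_NS,
                  "{%s}EntitiesDescriptor" % SAML_MD_NS)

# Constructed sample: a trimmed copy of the Apache 404 page quoted in the
# thread, which curl had written into the IdP metadata file.
SAMPLE_404_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1><hr></body></html>"""
# Constructed sample: minimal well-formed IdP metadata (hypothetical entityID).
SAMPLE_OK_BODY = ('<EntityDescriptor xmlns="%s" '
                  'entityID="https://idp.example.test/saml2/idp/metadata.php"/>' % SAML_MD_NS)


class MetadataError(Exception):
    """The downloaded document must not be stored as IdP metadata."""


def validate_idp_metadata(status, body):
    """Return the metadata root element for (HTTP status, body) or raise MetadataError."""
    if status != 200:
        raise MetadataError("HTTP status %d, expected 200" % status)
    try:
        # defusedxml refuses DTDs, entity declarations and external references, so
        # the syntax check cannot be turned into entity expansion or an external
        # fetch by whoever controls the downloaded bytes.
        root = safe_et.fromstring(body, forbid_dtd=True, forbid_entities=True,
                                  forbid_external=True)
    except DefusedXmlException as exc:
        raise MetadataError("rejected XML construct: %s" % type(exc).__name__)
    except SyntaxError as exc:  # ElementTree.ParseError is a SyntaxError subclass
        raise MetadataError("not well-formed XML: %s" % exc)
    if root.tag not in METADATA_ROOTS:
        raise MetadataError("root element %s is not SAML metadata" % root.tag)
    return root


def check(status, body):
    """(True, entityID) when the document is usable, else (False, reason)."""
    try:
        root = validate_idp_metadata(status, body)
    except MetadataError as exc:
        return False, str(exc)
    return True, root.get("entityID")


if __name__ == "__main__":
    for status, body in ((404, SAMPLE_OK_BODY), (200, SAMPLE_404_BODY), (200, SAMPLE_OK_BODY)):
        print(status, check(status, body))
```

Only a document that passes `check()` should be written to the idp metadata file; on any failure the previously stored file is left untouched.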