Bug 55719 - python-pysaml2: wrong timeformat
Status: NEW
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
Depends on:
Blocks:

Reported: 2023-02-16 14:20 CET by Tim Breidenbach
Modified: 2024-05-22 18:09 CEST
CC: 2 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.229
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2024041921000267
Bug group (optional): bitesize
Max CVSS v3 score:


Description Tim Breidenbach univentionstaff 2023-02-16 14:20:55 CET
A customer with an external Keycloak as identity provider saw tracebacks like this when trying to log in:

  File "/usr/lib/python3/dist-packages/saml2/validate.py", line 110, in validate_before
    "<= notbefore=%s" % (now_str, slack, not_before))
saml2.validate.ToEarly: Can't use response yet: (now=2023-40-10T11:40:01Z + slack=0) <= notbefore=2023-02-10T11:40:02.147Z

Root cause was a typo in python-pysaml2:

https://github.com/IdentityPython/pysaml2/commit/4f0a45c361bbd46b1f56f468d4712c0ef9797c1b

As no user was able to log in, the pain was (very) high.
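The NotBefore check whose message appears in the tracebacks, reconstructed as an added example; this is not code from pysaml2 or from Univention. Two things are assumptions: the typo is taken to be a `%M` (minute) where `%m` (month) belongs in the strftime pattern that renders "now" for the error text, which is what turns 11:40 into the "2023-40-10" month field seen above; and pysaml2's real clock source and date parser are replaced by a `now` argument and a small `parse_saml_instant`, so the example is deterministic. The sample timestamps are the ones quoted in the report.

```python
import calendar
import time
from datetime import datetime, timezone

# Constructed sample values, taken from the two tracebacks in this report:
# the IdP-issued NotBefore and the "now" reported alongside it.
SAMPLE_NOT_BEFORE = "2023-02-10T11:40:02.147Z"
SAMPLE_NOW = datetime(2023, 2, 10, 11, 40, 1, tzinfo=timezone.utc)
SAMPLE_NOT_BEFORE_2024 = "2024-04-19T18:40:37Z"
SAMPLE_NOW_2024 = datetime(2024, 4, 19, 18, 40, 23, tzinfo=timezone.utc)

# Assumed shape of the typo: %M (minute) where %m (month) belongs. With the
# minute at 40 this renders "2023-40-10...", the value seen in the trace.
BUGGY_FORMAT = "%Y-%M-%dT%H:%M:%SZ"
FIXED_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


class ToEarly(Exception):
    """The assertion's NotBefore lies in the future relative to now + slack."""


def parse_saml_instant(value):
    """Parse an xs:dateTime in UTC ("...Z", optional fraction) to epoch seconds."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z: %r" % value)
    body = value[:-1]
    frac = 0.0
    if "." in body:
        body, frac_digits = body.split(".", 1)
        frac = float("0." + frac_digits)
    return calendar.timegm(time.strptime(body, "%Y-%m-%dT%H:%M:%S")) + frac


def validate_before(not_before, slack, now, fmt=FIXED_FORMAT):
    """Raise ToEarly unless now + slack has reached the assertion's NotBefore.

    `now` is injected so the check is deterministic; `fmt` only affects how
    "now" is rendered in the error text, never the comparison itself.
    """
    if not not_before:
        return True
    now_epoch = calendar.timegm(now.utctimetuple()) + now.microsecond / 1e6
    nbefore = parse_saml_instant(not_before)
    if nbefore > now_epoch + slack:
        raise ToEarly(
            "Can't use response yet: (now=%s + slack=%d) <= notbefore=%s"
            % (now.strftime(fmt), slack, not_before)
        )
    return True


def check(not_before, slack, now, fmt=FIXED_FORMAT):
    """Return the ToEarly message, or None when the response is accepted."""
    try:
        validate_before(not_before, slack, now, fmt)
    except ToEarly as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Same inputs, three outcomes: garbled message, readable message, accepted.
    print(check(SAMPLE_NOT_BEFORE, 0, SAMPLE_NOW, BUGGY_FORMAT))
    print(check(SAMPLE_NOT_BEFORE, 0, SAMPLE_NOW, FIXED_FORMAT))
    print(check(SAMPLE_NOT_BEFORE, 2, SAMPLE_NOW))
```

Two things the example makes visible that the trace alone does not. The format string only changes what the error says: both the buggy and the fixed pattern reject the same response, because the comparison runs on epoch seconds. And the rejection itself is driven by the numbers the message reports: in the 2023 trace the SP's clock is one second behind the IdP's NotBefore, in the 2024 trace fourteen seconds, each with `slack=0`. The check only passes once the SP's clock plus the configured slack reaches the IdP's NotBefore, so the operational levers for a login outage of this shape are clock synchronisation between IdP and SP and a slack large enough to absorb the remaining skew.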
Comment 1 Mika Westphal univentionstaff 2024-05-21 15:45:45 CEST
Version: 5.0-7 errata1024

Error:
Traceback (most recent call last):
  File "%PY3%/tornado/web.py", line 1595, in _execute
    result = yield result
  File "%PY3%/tornado/gen.py", line 1133, in run
    value = future.result()
  File "%PY3%/univention/management/console/saml.py", line 229, in get
    await acs(binding, message, relay_state)
  File "%PY3%/univention/management/console/saml.py", line 234, in attribute_consuming_service
    response = self.parse_authn_response(message, binding)
  File "%PY3%/univention/management/console/saml.py", line 321, in parse_authn_response
    response = self.sp.parse_authn_request_response(message, binding, self.outstanding_queries)
  File "%PY3%/saml2/client_base.py", line 702, in parse_authn_request_response
    binding, **kwargs)
  File "%PY3%/saml2/entity.py", line 1170, in _parse_response
    response = response.verify(keys)
  File "%PY3%/saml2/response.py", line 1018, in verify
    if self.parse_assertion(keys):
  File "%PY3%/saml2/response.py", line 930, in parse_assertion
    if not self._assertion(assertion, False):
  File "%PY3%/saml2/response.py", line 803, in _assertion
    if not self.condition_ok():
  File "%PY3%/saml2/response.py", line 593, in condition_ok
    validate_before(conditions.not_before, self.timeslack)
  File "%PY3%/saml2/validate.py", line 110, in validate_before
    "<= notbefore=%s" % (now_str, slack, not_before))
saml2.validate.ToEarly: Can't use response yet: (now=2024-40-19T18:40:23Z + slack=0) <= notbefore=2024-04-19T18:40:37Z

 Role: domaincontroller_slave