SAML2 ECP Accept header incorrect

Bug #1488722 reported by Jamie Lennox
Affects                Status        Importance  Assigned to   Milestone
keystoneauth           Fix Released  High        Jamie Lennox
python-keystoneclient  Fix Released  High        Jamie Lennox

Bug Description

The first SAML ECP request is to the endpoint with an Accept value containing application/vnd.paos+xml. In the spec example and in keystoneclient we send "text/html; application/vnd.paos+xml"; however, this is incorrect because the mime-type separator in Accept headers is a , (comma), where a ; provides parameters to the type[2].

This has been confirmed by SAML2 working group as a bug in the spec. (Will provide reference for this soon).

This works in Shibboleth because the accept matcher simply does

if 'application/vnd.paos+xml' in req.headers.accept

but fails in mod_auth_mellon which does a more strict type check.

[1] http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.html#_Toc366664721
[2] http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
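To illustrate the difference between the two checks described above, here is an added example (not code from keystoneclient, Shibboleth or mod_auth_mellon) that parses an Accept header the RFC 2616 way and compares a strict per-media-range match against a plain substring match. The header values and function names are constructed for the example.

```python
# Constructed header values (not taken from the page): the first is the
# form the bug report identifies as wrong, the second is the corrected form.
WRONG_ACCEPT = "text/html; application/vnd.paos+xml"
FIXED_ACCEPT = "text/html, application/vnd.paos+xml"
PAOS = "application/vnd.paos+xml"


def parse_accept(header):
    """Parse an Accept header per RFC 2616 section 14.1.

    Media ranges are separated by commas; a ';' introduces parameters
    (e.g. q=0.8) that belong to the preceding media range. Returns a list
    of (media_range, {param_name: value}) tuples.
    """
    ranges = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        media_range = parts[0].lower()
        if not media_range:
            continue
        params = {}
        for p in parts[1:]:
            # A parameter should be name=value; a bare token (like a
            # mime type after ';') is kept with value None so the caller
            # can see it was swallowed as a parameter, not a media range.
            name, sep, value = p.partition("=")
            params[name.strip().lower()] = value.strip() if sep else None
        ranges.append((media_range, params))
    return ranges


def strict_accepts(header, media_type):
    """Strict check in the spirit of mod_auth_mellon: the media type must
    appear as its own comma-separated media range."""
    return any(mr == media_type.lower() for mr, _ in parse_accept(header))


def substring_accepts(header, media_type):
    """Lenient check like the one the report attributes to Shibboleth."""
    return media_type in header


if __name__ == "__main__":
    for hdr in (WRONG_ACCEPT, FIXED_ACCEPT):
        print(repr(hdr), "strict:", strict_accepts(hdr, PAOS),
              "substring:", substring_accepts(hdr, PAOS))
```

With the ';' form the PAOS type is parsed as a parameter of text/html, so only the substring matcher accepts it; with the ',' form both matchers agree.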

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/216928

Changed in python-keystoneclient:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress
tags: added: kilo-backport-potential
Changed in keystoneauth:
status: New → In Progress
assignee: nobody → Jamie Lennox (jamielennox)
Changed in python-keystoneclient:
assignee: Jamie Lennox (jamielennox) → Steve Martinelli (stevemar)
Changed in python-keystoneclient:
assignee: Steve Martinelli (stevemar) → Jamie Lennox (jamielennox)
Dolph Mathews (dolph)
Changed in keystoneauth:
importance: Undecided → High
Changed in python-keystoneclient:
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/216928
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=e0276c65364bcb8a4a3fe1ad1c91899b1325836c
Submitter: Jenkins
Branch: master

commit e0276c65364bcb8a4a3fe1ad1c91899b1325836c
Author: Jamie Lennox <email address hidden>
Date: Wed Aug 26 12:25:31 2015 +1000

    Fix Accept header in SAML2 requests

    The ; separator allows providing parameters to a type not separating
    type options. This means that in strict type checks like those performed
    by mod_auth_mellon the check for accept type fails.

    Change-Id: Ieeaa74b304921daef68497fec77cc6629ab2f0a2
    Closes-Bug: #1488722

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/217450

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (feature/keystoneauth_integration)

Fix proposed to branch: feature/keystoneauth_integration
Review: https://review.openstack.org/218269

Changed in python-keystoneclient:
milestone: none → 1.7.0
status: Fix Committed → Fix Released
Revision history for this message
Steve Martinelli (stevemar) wrote :

this won't go into keystoneauth, but it went into keystoneauth-saml2 - https://review.openstack.org/#/c/216929/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (stable/kilo)

Reviewed: https://review.openstack.org/217450
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=3cc752937e322e4f16eebf048f74c58aec2b2f73
Submitter: Jenkins
Branch: stable/kilo

commit 3cc752937e322e4f16eebf048f74c58aec2b2f73
Author: Jamie Lennox <email address hidden>
Date: Wed Aug 26 12:25:31 2015 +1000

    Fix Accept header in SAML2 requests

    The ; separator allows providing parameters to a type not separating
    type options. This means that in strict type checks like those performed
    by mod_auth_mellon the check for accept type fails.

    Change-Id: Ieeaa74b304921daef68497fec77cc6629ab2f0a2
    Closes-Bug: #1488722
    (cherry picked from commit e0276c65364bcb8a4a3fe1ad1c91899b1325836c)

tags: added: in-stable-kilo
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-keystoneclient (feature/keystoneauth_integration)

Change abandoned by Steve Martinelli (<email address hidden>) on branch: feature/keystoneauth_integration
Review: https://review.openstack.org/218269
Reason: need to abandon in order to delete branch

Revision history for this message
Jamie Lennox (jamielennox) wrote :

Now that we are merging the SAML plugins back into the main repository this affects keystoneauth again. Whilst they were in keystoneauth-saml2 this got merged so the code now in keystoneauth is fixed. The plugins are still marked private though while we rework them. So it's in - but not released.

Changed in keystoneauth:
status: In Progress → Fix Committed
Changed in keystoneauth:
milestone: none → 2.1.0
status: Fix Committed → Fix Released