Saml auth plugin should redirect for 303

Bug #1501918 reported by Jamie Lennox
Affects: keystoneauth. Status: Fix Released. Importance: Medium. Assigned to: Jamie Lennox. Milestone: none shown.
Affects: python-keystoneclient. Status: Fix Released. Importance: Medium. Assigned to: Jamie Lennox. Milestone: none shown.

Bug Description

The SAML plugin hooks the HTTP redirect code, as ECP doesn't correctly follow the HTTP spec in this regard. Currently the plugin specifically looks for a 302 redirection and handles it; however, it should also handle the 303 redirect code, as this is ambiguous in the specification and is what mod_auth_mellon uses.
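As an added illustration (not code from python-keystoneclient or keystoneauth), here is the pre-fix redirect check next to the fixed one, using the standard library's HTTPStatus instead of the plugin's own response handling, with a constructed stand-in response object so it runs offline:

```python
from http import HTTPStatus


class FakeResponse:
    """Minimal stand-in for an HTTP response (constructed for this demo).

    Only the two attributes the redirect check needs are modelled; the real
    plugin inspects a requests.Response it received with auto-redirects off.
    """

    def __init__(self, status_code, headers=None):
        self.status_code = status_code
        # Header names are case-insensitive; normalise them once here.
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}


def is_redirect_before_fix(response):
    """Behaviour the bug describes: only 302 (Found) counts as a redirect."""
    return response.status_code == HTTPStatus.FOUND


# Codes the SAML/ECP client must follow: 302 (Found) and 303 (See Other),
# the latter being what mod_auth_mellon returns after a successful login.
SAML_REDIRECT_CODES = (HTTPStatus.FOUND, HTTPStatus.SEE_OTHER)


def is_redirect_after_fix(response):
    """Fixed check: accept 302 and 303 only; 301/307/308 stay unhandled."""
    return response.status_code in SAML_REDIRECT_CODES


def redirect_target(response):
    """Location to follow, or None when the response is not a 302/303 or a
    302/303 arrived without a Location header (treat that as not followable)."""
    if not is_redirect_after_fix(response):
        return None
    return response.headers.get("location")


if __name__ == "__main__":
    # Constructed sample: a mellon-style 303 pointing back at the SP.
    mellon = FakeResponse(303, {"Location": "https://sp.example.test/mellon/postResponse"})
    print(is_redirect_before_fix(mellon), is_redirect_after_fix(mellon))  # False True
    print(redirect_target(mellon))
```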

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/230151

Changed in python-keystoneclient:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress
tags: added: liberty-backport-potential
tags: added: kilo-backport-potential
Changed in keystoneauth:
assignee: nobody → Jamie Lennox (jamielennox)
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/230151
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=9cd71c064c77a22a0a58084a2abab77b023017b5
Submitter: Jenkins
Branch: master

commit 9cd71c064c77a22a0a58084a2abab77b023017b5
Author: Jamie Lennox <email address hidden>
Date: Fri Oct 2 07:17:21 2015 +1000

    Redirect on 303 in SAML plugin

    The SAML plugin handles redirects in a custom manner but currently only
    checks for the 302 redirect code. This doesn't cover the mod_auth_mellon
    case which responds with a 303.

    Also handle the 303 redirect case.

    Change-Id: Idab5f381fcbfb8c561184845d3aa5c8aab142ecd
    Closes-Bug: #1501918

Changed in python-keystoneclient:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/230231

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/230232

Dolph Mathews (dolph)
Changed in python-keystoneclient:
importance: Undecided → Medium
Changed in keystoneauth:
importance: Undecided → Medium
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (stable/liberty)

Reviewed: https://review.openstack.org/230231
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=90c5838074fcb5d64fa3aaadf4a61eed606cd9d3
Submitter: Jenkins
Branch: stable/liberty

commit 90c5838074fcb5d64fa3aaadf4a61eed606cd9d3
Author: Jamie Lennox <email address hidden>
Date: Fri Oct 2 07:17:21 2015 +1000

    Redirect on 303 in SAML plugin

    The SAML plugin handles redirects in a custom manner but currently only
    checks for the 302 redirect code. This doesn't cover the mod_auth_mellon
    case which responds with a 303.

    Also handle the 303 redirect case.

    Change-Id: Idab5f381fcbfb8c561184845d3aa5c8aab142ecd
    Closes-Bug: #1501918
    (cherry picked from commit 9cd71c064c77a22a0a58084a2abab77b023017b5)

tags: added: in-stable-liberty
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (stable/kilo)

Reviewed: https://review.openstack.org/230232
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=805c9d6563f5920ed8a1763fa0b1007f549b998e
Submitter: Jenkins
Branch: stable/kilo

commit 805c9d6563f5920ed8a1763fa0b1007f549b998e
Author: Jamie Lennox <email address hidden>
Date: Fri Oct 2 07:17:21 2015 +1000

    Redirect on 303 in SAML plugin

    The SAML plugin handles redirects in a custom manner but currently only
    checks for the 302 redirect code. This doesn't cover the mod_auth_mellon
    case which responds with a 303.

    Also handle the 303 redirect case.

    Change-Id: Idab5f381fcbfb8c561184845d3aa5c8aab142ecd
    Closes-Bug: #1501918
    (cherry picked from commit 9cd71c064c77a22a0a58084a2abab77b023017b5)

tags: added: in-stable-kilo
Changed in python-keystoneclient:
milestone: none → 1.8.0
status: Fix Committed → Fix Released
Jamie Lennox (jamielennox) wrote :

Now that we are merging the SAML plugins back into the main repository, this affects keystoneauth again. Whilst they were in keystoneauth-saml2 this got merged, so the code now in keystoneauth is fixed. The plugins are still marked private though while we rework them. So it's in, but not released.

Changed in keystoneauth:
status: Triaged → Fix Committed
Changed in keystoneauth:
milestone: none → 2.1.0
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystoneauth (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/310043

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystoneauth (master)

Reviewed: https://review.openstack.org/310043
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=1a2a579393a4b7fde168fe42c1b8e8a71660f382
Submitter: Jenkins
Branch: master

commit 1a2a579393a4b7fde168fe42c1b8e8a71660f382
Author: Rodrigo Duarte <email address hidden>
Date: Mon Apr 25 16:19:48 2016 -0300

    Add 303 as redirect code for k2k plugin

    Some service providers, like mod_mellon return a 303 response
    upon successful authentication. The "requests" package only
    considers 302, as per the following example::

      >>> import requests
      >>> requests.codes['found']
      302

    Change-Id: I5797f490f2e57d1c952e769bc0ef4b96c08f9a83
    Related-Bug: 1501918
