lasso includes "Destination" attribute in SAML AuthnRequest populated with SP AssertionConsumerServiceURL when ECP workflow is used which leads to IdP-side errors

https://dev.entrouvert.org/issues/34409

The attachment "0001-PAOS-Do-not-populate-Destination-attribute.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

I have suggested a patch upstream which then got merged: https://dev.entrouvert.org/issues/34409#note-10

The branches related to this bug apply the patch to different distro versions.

Hi,
I reviewed the MPs and they are (aside some potential polishing of the changelog) ok to me.
You'll need an SRU template for these to be kicked off later on.
Thanks for driving the change upstream, that will help to one day be able to drop the Delta.

IMHO Eoan one could sponsor right away, please let me know if you want me to do so now or if there are any last minute changes.

Hi Christian,

Thanks, please do, no last minute changes from my side.

On Thu., Jul. 11, 2019, 06:27 Christian Ehrhardt , <
<email address hidden>> wrote:

> Hi,
> I reviewed the MPs and they are (aside some potential polishing of the
> changelog) ok to me.
> You'll need an SRU template for these to be kicked off later on.
> Thanks for driving the change upstream, that will help to one day be able
> to drop the Delta.
>
> IMHO Eoan one could sponsor right away, please let me know if you want
> me to do so now or if there are any last minute changes.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1833299
>
> Title:
> lasso includes "Destination" attribute in SAML AuthnRequest populated
> with SP AssertionConsumerServiceURL when ECP workflow is used which
> leads to IdP-side errors
>
> Status in lasso package in Ubuntu:
> Confirmed
>
> Bug description:
> See comments on the bug:
> https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134
>
> Lasso is used by libapache2-mod-auth-mellon to create SAML messages.
> When ECP profile (http://docs.oasis-open.org/security/saml/Post2.0
> /saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.pdf) is used it populates an
> AuthnRequest with the "Destination" attribute as follows:
>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_798F26F73776E684A463559CDB77D080" Version="2.0"
> IssueInstant="2019-06-18T16:54:25Z" Destination="
> https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse"
> Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" SignType="0"
> SignMethod="0" ForceAuthn="false" IsPassive="false"
> AssertionConsumerServiceURL="
> https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse
> ">
> <saml:Issuer>
> https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth
> </saml:Issuer>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>
> This triggers the Destination attribute validation logic relevant for
> "HTTP Redirect" and "HTTP POST" bindings only (per the spec, sections
> 3.4.5.2 and 3.5.5.2), not SOAP or PAOS bindings (sections before 3.4).
> http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
>
> For example, Shibboleth IdP (samltest.id) errors out as follows as the
> Destination attribute was populated with an SP URL:
>
> 2019-06-18 16:54:25,435 - ERROR
>
> [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?]
> - Message Handler: SAML message intended destination endpoint
> 'https://keystone.maas:5000/v3/OS-
>
> FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse'
> did not match the recipient endpoint
> 'https://samltest.id/idp/profile/SAML2/SOAP/ECP'
>
> For ECP it makes sense to avoid inclusion of the "Destination"
> attribute to AuthnRequest (see https://bugs.launchpad.net/charm-
> keystone-saml-mellon/+bug/1833134/comments...

Christian,

I updated the description based on the SRU template and also modified the changelogs and commit messages.

Thank Dmitrii,
it looks ready for uploads now - Eoan at first and once complete there into the SRU queue.
For now I sponsored the Eoan upload.

This bug was fixed in the package lasso - 2.6.0-2ubuntu1

---------------
lasso (2.6.0-2ubuntu1) eoan; urgency=high

  * d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
    "Destination" attribute (LP: #1833299)

 -- Dmitrii Shcherbakov <email address hidden> Thu, 04 Jul 2019 18:42:56 -0500

All test builds completed and the Eoan transition is done.
I added B/D tasks and sponsored your upload to the -unapproved queue of these releases.

Hello Dmitrii, or anyone else affected,

Accepted lasso into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lasso/2.6.0-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Dmitrii, or anyone else affected,

Accepted lasso into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lasso/2.5.1-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

@Dmitriis - I'd expect this testing and verification is on you as you have done so before, so give it a go once you have some time.

Will do.

On Wed., Jul. 17, 2019, 01:35 Christian Ehrhardt , <
<email address hidden>> wrote:

> @Dmitriis - I'd expect this testing and verification is on you as you
> have done so before, so give it a go once you have some time.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1833299
>
> Title:
> lasso includes "Destination" attribute in SAML AuthnRequest populated
> with SP AssertionConsumerServiceURL when ECP workflow is used which
> leads to IdP-side errors
>
> Status in lasso package in Ubuntu:
> Fix Released
> Status in lasso source package in Bionic:
> Fix Committed
> Status in lasso source package in Disco:
> Fix Committed
>
> Bug description:
> [Impact]
>
> * Usage of ECP is not possible with mod_auth_mellon because the
> AuthnRequest message has the Destination attribute set incorrectly;
> * https://dev.entrouvert.org/issues/34409;
> * Blocks the enablement of a feature
> https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/1833134;
>
> Lasso is used by libapache2-mod-auth-mellon to create SAML messages.
> When ECP profile (http://docs.oasis-open.org/security/saml/Post2.0
> /saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.pdf) is used it populates an
> AuthnRequest with the "Destination" attribute as follows:
>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_798F26F73776E684A463559CDB77D080" Version="2.0"
> IssueInstant="2019-06-18T16:54:25Z" Destination="
> https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse"
> Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit" SignType="0"
> SignMethod="0" ForceAuthn="false" IsPassive="false"
> AssertionConsumerServiceURL="
> https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse
> ">
> <saml:Issuer>
> https://keystone.maas:5000/v3/OS-FEDERATION/identity_providers/samltestid/protocols/saml2/auth
> </saml:Issuer>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>
> This triggers the Destination attribute validation logic relevant for
> "HTTP Redirect" and "HTTP POST" bindings only (per the spec, sections
> 3.4.5.2 and 3.5.5.2), not SOAP or PAOS bindings (sections before 3.4).
> http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
>
> For example, Shibboleth IdP (samltest.id) errors out as follows as the
> Destination attribute was populated with an SP URL:
>
> 2019-06-18 16:54:25,435 - ERROR
>
> [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:?]
> - Message Handler: SAML message intended destination endpoint
> 'https://keystone.maas:5000/v3/OS-
>
> FEDERATION/identity_providers/samltestid/protocols/saml2/auth/mellon/paosResponse'
> did not match the recipient endpoint
> 'https://samltest.id/idp/profile/SAML2/SOAP/ECP'
>
> For ECP it makes sense to avoid inclusion of the "Destination"
> attribute to AuthnRequest (see https://bugs.launchpad.net/charm-
> keystone-saml-mellon/+bug/18331...

Bionic verification:

apt policy liblasso3
liblasso3:
  Installed: 2.5.1-0ubuntu1.1
  Candidate: 2.5.1-0ubuntu1.1
  Version table:
 *** 2.5.1-0ubuntu1.1 1000
        400 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.5.1-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

 env | grep OS_
OS_IDENTITY_PROVIDER_URL=https://samltest.id/idp/profile/SAML2/SOAP/ECP
OS_AUTH_URL=https://keystone.maas:5000/v3
OS_PROTOCOL=saml2
OS_REGION_NAME=RegionOne
OS_PROJECT_NAME=scooper@samltest.id_project
OS_PROJECT_DOMAIN_NAME=samltestid
OS_IDENTITY_API_VERSION=3
OS_AUTH_TYPE=v3samlpassword
OS_IDENTITY_PROVIDER=samltestid
OS_INTERFACE=internal
OS_PASSWORD=<redacted>
OS_USERNAME=sheldon
OS_CACERT=/home/ubuntu/bundles/vault-ca.crt

openstack token issue -v --debug
START with options: token issue -v --debug
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_type='v3samlpassword', auth_url='https://keystone.maas:5000/v3', cacert='/home/ubuntu/bundles/vault-ca.crt', cert='', client_id='', client_secret='***', cloud='', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='samltestid', identity_provider_url='https://samltest.id/idp/profile/SAML2/SOAP/ECP', insecure=None, interface='internal', key='', log_file=None, openid_scope='', os_beta_command=False, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_orchestration_api_version='1', os_project_id=None, os_project_name=None, os_volume_api_version='', passcode='', password='***', project_domain_id='', project_domain_name='samltestid', project_id='', project_name='scooper@samltest.id_project', protocol='saml2', redirect_uri='', region_name='RegionOne', remote_project_domain_id='', remote_project_domain_name='', remote_project_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='sheldon', verbose_level=3, verify=None)
Auth plugin v3samlpassword selected
auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': '/home/ubuntu/bundles/vault-ca.crt', 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'internal', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {'project_domain_name': 'samltestid', 'project_name': 'scooper@samltest.id_project'}, 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'regio...

Disco verification:

 apt policy liblasso3
liblasso3:
  Installed: 2.6.0-2ubuntu0.1
  Candidate: 2.6.0-2ubuntu0.1
  Version table:
 *** 2.6.0-2ubuntu0.1 1000
        399 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.6.0-2build1 400
        400 http://archive.ubuntu.com/ubuntu disco/main amd64 Packages

env | grep OS_
OS_IDENTITY_PROVIDER_URL=https://samltest.id/idp/profile/SAML2/SOAP/ECP
OS_AUTH_URL=https://keystone.maas:5000/v3
OS_PROTOCOL=saml2
OS_REGION_NAME=RegionOne
OS_PROJECT_NAME=scooper@samltest.id_project
OS_PROJECT_DOMAIN_NAME=samltestid
OS_IDENTITY_API_VERSION=3
OS_AUTH_TYPE=v3samlpassword
OS_IDENTITY_PROVIDER=samltestid
OS_INTERFACE=internal
OS_PASSWORD=bazinga
OS_USERNAME=<redacted>
OS_CACERT=/home/ubuntu/bundles/vault-ca.crt

openstack token issue -v --debug
START with options: token issue -v --debug
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_type='v3samlpassword', auth_url='https://keystone.maas:5000/v3', cacert='/home/ubuntu/bundles/vault-ca.crt', cert='', client_id='', client_secret='***', cloud='', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='samltestid', identity_provider_url='https://samltest.id/idp/profile/SAML2/SOAP/ECP', insecure=None, interface='internal', key='', log_file=None, openid_scope='', os_beta_command=False, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_orchestration_api_version='1', os_project_id=None, os_project_name=None, os_volume_api_version='', passcode='', password='***', project_domain_id='', project_domain_name='samltestid', project_id='', project_name='scooper@samltest.id_project', protocol='saml2', redirect_uri='', region_name='RegionOne', remote_project_domain_id='', remote_project_domain_name='', remote_project_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='sheldon', verbose_level=3, verify=None)
Auth plugin v3samlpassword selected
auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': '/home/ubuntu/bundles/vault-ca.crt', 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'internal', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {'project_domain_name': 'samltestid', 'project_name': 'scooper@samltest.id_project'}, 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'region_nam...

This bug was fixed in the package lasso - 2.5.1-0ubuntu1.1

---------------
lasso (2.5.1-0ubuntu1.1) bionic; urgency=high

  * d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
    "Destination" attribute (LP: #1833299)

 -- Dmitrii Shcherbakov <email address hidden> Thu, 04 Jul 2019 18:42:56 -0500

The verification of the Stable Release Update for lasso has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package lasso - 2.6.0-2ubuntu0.1

---------------
lasso (2.6.0-2ubuntu0.1) disco; urgency=high

  * d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
    "Destination" attribute (LP: #1833299)

 -- Dmitrii Shcherbakov <email address hidden> Thu, 04 Jul 2019 18:42:56 -0500