[FFe] [SRU] build mellon with --enable-diagnostics to ease up SSO debugging
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Cloud Archive | Fix Released | High | Unassigned | |
| Rocky | Fix Released | High | Unassigned | |
| Stein | Fix Released | High | Unassigned | |
| libapache2-mod-auth-mellon (Ubuntu) | Fix Released | High | Unassigned | |
| Bionic | Won't Fix | High | Unassigned | |
| Cosmic | Fix Released | High | Unassigned | |
| Disco | Fix Released | High | Unassigned | |
Bug Description
FFE Section for disco
-------
[Rationale]
This change to mod_auth_mellon adds a very useful capability for enabling diagnostics output from the module:
https:/
It is available as of v0.14.0 (present in Cosmic):
git --no-pager tag --contains=
v0.14.0
v0.14.1
This is generally useful for field engineering and operations teams and other users as SAML exchanges are difficult to debug.
[Build Verification]
https:/
[Installation]
https:/
"MellonDiagnost
    int am_diag_
    {
        for ( ; s ; s = s->next) {
            if (!am_diag_
                return HTTP_INTERNAL_
            }
        }
    }
    // ...
    static int am_diag_
    // ...
        if (!(diag_cfg->flags & AM_DIAG_
            return 1;
    // ...
[Upgrades]
No impact
SRU section for cosmic and bionic
-------
[Impact]
See FFE Rationale above.
[Test Case]
To test
Add the following to /etc/apache2/
    MellonDiagnosti
    MellonDiagnosti

Then enable the configuration and reload Apache:

    a2enconf mellon
    systemctl reload apache2
After browsing to a location that is mod_auth_mellon enabled (see the keystone-
Regression testing can be done using the keystone-
https:/
At the time of this writing the functional tests are not fully automated and still require some manual configuration:
https:/
[Regression Potential]
As mentioned above in the FFE section, "MellonDiagnost
In particular the cosmic regression potential is much lower than the bionic potential since there is much less involved.
For bionic please see [Discussion] below.
[Discussion]
** cosmic SRU **
For the cosmic SRU this will be a fairly straightforward and trivial update to the package to run configure with "--enable-
** bionic SRU **
For the bionic SRU, things are more complicated as bionic is at version 0.13.1 which does not include diagnostics support. What I'd like to do is to update the bionic package to 0.14.0. I know this is not business as usual but I think the regression potential is minimized by updating to 0.14.0 rather than risking any missed code when cherry-picking various patches.
For some analysis regarding updating bionic to 0.14.0, I've analyzed the delta between 0.13.1 and 0.14.0 and I'm seeing mostly bug fixes and 2 new features (1 for diagnostics support, and 1 for MellonSignature
/tmp/mod_
origin https:/
origin https:/
/tmp/mod_
- [29d2872] Bump version to 0.14.0.
- [21f78ab] Add release notes for version 0.14.0.
- [262768a] NEWS: Add consistent whitespace between releases.
- [7bb98cf] Fix config.h.in missing in .tar.gz.
- [aee068f] Fix typos in the user guide
- [8abbcf9] Update User Guide on error responses and ADFS issues
- [9b17e5c] Add MellonSignature
- [582f283] Log SAML status response information
- [524d558] convert README to README.md
- [0851045] Fix consistency, grammar, and usage in user guide
- [70e8abc] Give clear error if building with diagnostics support on old Apache
- [15fcbf7] Fix build error on Apache 2.2.
- [fe8b978] Add example for dual auth support.
- [f865919] Add clarification on using info vs auth
- [5927b5c] Fix Mellon user guide typos
- [86eb344] Fix conditional build of auth_mellon_
- [89a3c81] Add NameID discussion to User Guide
- [93faba4] Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values.
- [de853e1] Add user_guide to distribution, use AC_DEFINE instead of CFLAGS
- [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR
- [e8579f6] Add diagnostic logging
- [6d2ee84] Track file information
- [ee97812] Add Mellon User Guide
- [daa5d1e] If no IdP's are defined explicitly log that fact
- [119cbdd] modify cache functions to take request_rec parameter instead of server_rec
- [c291232] Make MellonUser case-insensitive.
- [2c2e19d] Fix incorrect error check for many `lasso_
- [5c5ed1d] Fix segmentation fault with POST field without a value.
- [4c924d9] Fix some log message typos
Of the commits above, those required for diagnostics support include:
- [582f283] Log SAML status response information
- [70e8abc] Give clear error if building with diagnostics support on old Apache
- [86eb344] Fix conditional build of auth_mellon_
- [8d49ab6] Replace ap_log_rerror with AM_LOG_RERROR
- [e8579f6] Add diagnostic logging
- [6d2ee84] Track file information
And the MellonSignature
- [9b17e5c] Add MellonSignature
MellonSignature
Following is the full commit message for 9b17e5c:
https:/
One upgrade consideration coming from this patch is that it changes the default SHA algorithm used by Mellon from rsa-sha1 to rsa-sha256. As the commit says, this was done because SHA1 is no longer considered safe; SHA256 is now the current recommendation. This would likely be a good update anyway.
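The default-algorithm change above is the one part of the 0.14.0 update that touches the wire protocol: after it, the SP signs with rsa-sha256, and the IdP has to accept that. As an added example (not code from this bug report or from mod_auth_mellon), the following Python inspects the ds:SignatureMethod elements of a SAML message or metadata document and reports which algorithm each signature uses, so an operator can check captured exchanges, or the peer's metadata, for remaining rsa-sha1 signatures before and after the upgrade. The SAML documents in it are constructed samples; the algorithm URIs are the standard XML-DSig identifiers.

```python
"""Report which XML-DSig signature algorithms a SAML document carries.

Added example, not code from this bug report or from mod_auth_mellon: before
switching the SP's signing default from rsa-sha1 to rsa-sha256, run captured
SAML messages (or the peer's metadata) through this check to see which
algorithm each signature currently uses. All XML below is constructed.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Standard XML-DSig algorithm identifiers.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample 1: the Response is signed with rsa-sha256 but the enclosed
# Assertion still carries an rsa-sha1 signature (a mixed deployment).
SAMPLE_MIXED = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                ID="_constructed-response" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample 2: a single rsa-sha256 signature, the post-upgrade default.
SAMPLE_SHA256 = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                ID="_constructed-response-2" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>
"""

# Constructed sample 3: no XML signature at all.
SAMPLE_UNSIGNED = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_constructed-response-3" Version="2.0"/>
"""


def signature_algorithms(xml_text):
    """Return the SignatureMethod Algorithm URIs in document order.

    Every ds:Signature in the tree is covered, so a signed Response that wraps
    a separately signed Assertion yields two entries.
    """
    root = ET.fromstring(xml_text)
    return [el.get("Algorithm", "") for el in root.iter(f"{{{DS_NS}}}SignatureMethod")]


def assess(xml_text):
    """Classify a document as 'unsigned', 'sha256-only', 'sha1-present' or 'other'."""
    algorithms = signature_algorithms(xml_text)
    if not algorithms:
        verdict = "unsigned"
    elif all(alg == RSA_SHA256 for alg in algorithms):
        verdict = "sha256-only"
    elif RSA_SHA1 in algorithms:
        verdict = "sha1-present"
    else:
        verdict = "other"
    return {"algorithms": algorithms, "verdict": verdict}


if __name__ == "__main__":
    samples = (("mixed", SAMPLE_MIXED), ("sha256", SAMPLE_SHA256), ("unsigned", SAMPLE_UNSIGNED))
    for name, doc in samples:
        result = assess(doc)
        print(f"{name}: {result['verdict']} {result['algorithms']}")
```

The check walks every ds:Signature rather than only the outermost one because a Response and the Assertion it carries are signed independently and may have been configured with different algorithms; a "sha1-present" verdict on live traffic after the upgrade points at the other party still signing with SHA-1.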
Related branches
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 27 lines (+8/-0), 2 files modified: debian/changelog (+6/-0), debian/rules (+2/-0)
description: updated
summary: changed from "consider building with --enable-diagnostics as of v0.14.0 (cosmic) to ease up SSO debugging" to "[FFe] build mellon with --enable-diagnostics to ease up SSO debugging"
summary: changed from "[FFe] build mellon with --enable-diagnostics to ease up SSO debugging" to "[FFe] [SRU] build mellon with --enable-diagnostics to ease up SSO debugging"
Changed in libapache2-mod-auth-mellon (Ubuntu Bionic): status: New → Triaged
Changed in libapache2-mod-auth-mellon (Ubuntu Cosmic): status: New → Triaged
Changed in libapache2-mod-auth-mellon (Ubuntu Bionic): importance: Undecided → High
Changed in libapache2-mod-auth-mellon (Ubuntu Cosmic): importance: Undecided → High
Changed in libapache2-mod-auth-mellon (Ubuntu Disco): status: New → Triaged; importance: Undecided → High
@Dmitri, thanks for the patch. I've uploaded this to the disco unapproved queue: https://launchpad.net/ubuntu/disco/+queue?queue_state=1&queue_text=