PAGP (Palo Alto Global Protect) with SAML authentication is broken on Ubuntu desktop

Bug #2026771 reported by Bun K Tan
This bug affects 1 person
Affects               Status        Importance  Assigned to  Milestone
intel                 In Progress   High        Unassigned
gp-saml-gui (Ubuntu)  Fix Released  Undecided   Shane McKee
  Focal               Fix Released  Undecided   Shane McKee
  Jammy               Fix Released  Undecided   Shane McKee
  Lunar               Fix Released  Undecided   Shane McKee
  Mantic              Fix Released  Undecided   Shane McKee

Bug Description

SRU Justification:

[ Impact ]

While trying to connect to the Palo Alto Global Protect (PAGP) VPN, gp-saml-gui hangs after authentication. Additionally, gp-saml-gui is not even available for 20.04 LTS users.

This fixes the first issue by backporting the following patch to each version of this package:
https://github.com/dlenski/gp-saml-gui/commit/085d3276e17e1094e22e5d49545e273147598eb4
gp-saml-gui expects lowercase HTTP headers, so this patch allows gp-saml-gui to handle mixed-case headers as well.

It fixes the second issue by creating a gp-saml-gui focal package.

[ Test Plan ]

Assumptions:

1. User has gp-saml-gui installed
2. User has valid PEM-encoded client certificate at '~/.cert/certificate.pem' and PEM-encoded client certificate private key at '~/.cert/vpn-priv-key-plain.pem'
3. Server is configured to use client certificate for authentication
4. Server is configured to also use Microsoft SAML for authentication
5. Server does not require "unsafe legacy negotiation" or user has applied appropriate workaround (see: https://github.com/dlenski/gp-saml-gui/issues/37)
6. Server is located at ${VPN_URL}

Instructions:

1. Run the following command from the shell: gp-saml-gui -g -c ~/.cert/certificate.pem --key ~/.cert/vpn-priv-key-plain.pem -S ${VPN_URL}
2. Authenticate in the pop-up window (see 'login.png'); this might consist of:
        - Login e-mail
        - Login password
        - OTP code
3. Pop-up window changes to "Login Successful!" and stays there indefinitely (see 'login_success.png')

[ Where problems could occur ]

* The patch is pretty innocuous looking and already exists upstream, but if it breaks
   functionality, it could break authentication for all current users of this package
   and prevent anyone from accessing their VPNs.
* Any backport which does not take all of the preceding patches risks missing
   some required patches in between.

[ Other Info ]

* focal does not yet have a gp_saml_gui package, this is the initial upload on partner request (same version different version number than jammy)
* kinetic/22.10 is ignored, because it went EOL on July 20th, 2023
* fix is the same and applies as is to all further affected Ubuntu releases
* The debhelper-compat dependency version had to be downgraded to 12 in
  debian/control for Focal since that is the version we have there.

--- Original Description ---

When using 'gp-saml-gui' in order to connect to the Palo Alto Global Protect (PAGP) VPN, 'gp-saml-gui' hangs after a successful authentication.
This appears to be due to a bug in 'gp-saml-gui' which was triggered as a result of server-side changes in PAGP;
'gp-saml-gui' expects the HTTP headers returned by the PAGP server to be in lowercase format, but the headers are being returned in mixed-case format.
The HTTP specification requires headers to be interpreted in a case-insensitive manner.
This upstream patch in 'gp-saml-gui' fixes the issue: https://github.com/dlenski/gp-saml-gui/commit/085d3276e17e1094e22e5d49545e273147598eb4
Manually applying the change in the patch to my system fixes the issue.
Without applying the patch, 'gp-saml-gui' cannot connect to the VPN server and is thus broken.

This bug appears to fall under the Stable Release Update (SRU) criteria of a "High-impact bug", because an update needs to be applied to the package due to a change in the PAGP VPN server which causes the current version to cease working.
I therefore request that the aforementioned patch be applied to the stable 'gp-saml-gui' package.
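
The failure mode described above, as an added Python example (not gp-saml-gui's code and not the upstream patch). The header names and the completion rule are assumptions for illustration, and the response is constructed. It shows why an exact lowercase match never sees a finished login, and why a case-insensitive match should also reject conflicting duplicates that differ only in case.

```python
"""Added illustration of the header-case bug; not gp-saml-gui's own code."""
from typing import Dict, Iterable, Tuple

Header = Tuple[str, str]

# Assumed names of the SAML result headers returned after login (they are
# not listed on this page); kept in lowercase for comparison.
SAML_RESULT_HEADERS = frozenset({
    "saml-username",
    "prelogin-cookie",
    "portal-userauthcookie",
    "saml-auth-status",
})

# Constructed sample: a response whose field names are in mixed case.
MIXED_CASE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Saml-Username", "user@example.com"),
    ("Prelogin-Cookie", "CONSTRUCTED-COOKIE-VALUE"),
    ("Saml-Auth-Status", "1"),
]


def collect_exact(headers: Iterable[Header]) -> Dict[str, str]:
    """'Before' behaviour: only names that are already lowercase match."""
    return {name: value for name, value in headers
            if name in SAML_RESULT_HEADERS}


def collect_case_insensitive(headers: Iterable[Header]) -> Dict[str, str]:
    """Match field names case-insensitively, as HTTP requires."""
    found: Dict[str, str] = {}
    for name, value in headers:
        key = name.strip().lower()
        if key not in SAML_RESULT_HEADERS:
            continue
        # 'Prelogin-Cookie' and 'prelogin-cookie' are the same field once
        # case is ignored; refuse to pick silently between two values.
        if found.get(key, value) != value:
            raise ValueError(f"conflicting values for header {key!r}")
        found[key] = value
    return found


def login_complete(found: Dict[str, str]) -> bool:
    """Assumed completion rule: a username plus one of the two cookies."""
    return "saml-username" in found and (
        "prelogin-cookie" in found or "portal-userauthcookie" in found
    )


if __name__ == "__main__":
    before = collect_exact(MIXED_CASE_RESPONSE)
    after = collect_case_insensitive(MIXED_CASE_RESPONSE)
    print("exact match:     ", before, "complete:", login_complete(before))
    print("case-insensitive:", after, "complete:", login_complete(after))
```

With the exact match the completion check never becomes true, which matches the symptom in the test plan: the window shows "Login Successful!" and stays there.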

Bun K Tan (bktan1) wrote :
Bun K Tan (bktan1)
Changed in intel:
importance: Undecided → High
affects: ubuntu → linux (Ubuntu)
Marcelo Cerri (mhcerri) wrote :

Hello, Bun K Tan.

Do you have more details on how to test and reproduce the problem so we can validate if the fix is really working?

Thank you!

Bun K Tan (bktan1) wrote :

Hi Marcelo,

Unfortunately, we can't grant access to our VPN instance in order for you to test the fix. We've applied the fix manually (by directly editing '/usr/share/gp-saml-gui/gp_saml_gui.py') and it does work.

Would it be possible for you to send us the updated package and we can verify for you?

Thanks!

Bun K Tan (bktan1) wrote :
Bun K Tan (bktan1) wrote :

Instructions to reproduce
-------------------------
Assumptions:

1. User has gp-saml-gui installed
2. User has valid PEM-encoded client certificate at '~/.cert/certificate.pem' and PEM-encoded client certificate private key at '~/.cert/vpn-priv-key-plain.pem'
3. Server is configured to use client certificate for authentication
4. Server is configured to also use Microsoft SAML for authentication
5. Server does not require "unsafe legacy negotiation" or user has applied appropriate workaround (see: https://github.com/dlenski/gp-saml-gui/issues/37)
6. Server is located at ${VPN_URL}

Instructions:

1. Run the following command from the shell: gp-saml-gui -g -c ~/.cert/certificate.pem --key ~/.cert/vpn-priv-key-plain.pem -S ${VPN_URL}
2. Authenticate in the pop-up window (see 'login.png'); this might consist of:
        - Login e-mail
        - Login password
        - OTP code
3. Pop-up window changes to "Login Successful!" and stays there indefinitely (see 'login_success.png')

Shane McKee (mckeesh)
affects: linux (Ubuntu) → gp-saml-gui (Ubuntu)
Changed in gp-saml-gui (Ubuntu):
assignee: nobody → Shane McKee (mckeesh)
status: New → Confirmed
Shane McKee (mckeesh)
summary: - gp-saml-gui hangs after successful authentication
+ PAGP (Palo Alto Global Protect) with SAML authentication is broken on
+ Ubuntu desktop
Frank Heimes (fheimes)
Changed in intel:
status: New → Confirmed
Shane McKee (mckeesh)
Changed in gp-saml-gui (Ubuntu Lunar):
assignee: nobody → Shane McKee (mckeesh)
Changed in gp-saml-gui (Ubuntu Focal):
assignee: nobody → Shane McKee (mckeesh)
Changed in gp-saml-gui (Ubuntu Jammy):
assignee: nobody → Shane McKee (mckeesh)
Bun K Tan (bktan1)
information type: Private → Public
Shane McKee (mckeesh)
description: updated
Shane McKee (mckeesh) wrote :
Frank Heimes (fheimes)
description: updated
Shane McKee (mckeesh) wrote :
Frank Heimes (fheimes) wrote :

I had a look at the latest debdiffs in comment #8 and did a review.
Looks good, nice work - also great SRU justification!
Thx for your contribution!

I'll start to upload now ...

Changed in gp-saml-gui (Ubuntu Mantic):
status: Confirmed → In Progress
Changed in gp-saml-gui (Ubuntu Lunar):
status: New → In Progress
Changed in gp-saml-gui (Ubuntu Jammy):
status: New → In Progress
Changed in gp-saml-gui (Ubuntu Focal):
status: New → In Progress
Changed in intel:
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gp-saml-gui - 0.0~git20220831-1ubuntu1

---------------
gp-saml-gui (0.0~git20220831-1ubuntu1) mantic; urgency=medium

  * Add d/p/lp-2026771-Handle-headers-case-insensitively.patch to fix broken
    PAPG with SAML authentication working (LP: #2026771)
  * d/control: Changes due to update-maintainer run.

 -- Shane McKee <email address hidden> Wed, 26 Jul 2023 13:17:11 -0600

Changed in gp-saml-gui (Ubuntu Mantic):
status: In Progress → Fix Released
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Bun, or anyone else affected,

Accepted gp-saml-gui into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gp-saml-gui/0.0~git20220831-1ubuntu0.23.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gp-saml-gui (Ubuntu Lunar):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-lunar
Timo Aaltonen (tjaalton) wrote :

Hello Bun, or anyone else affected,

Accepted gp-saml-gui into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gp-saml-gui/0.0~git20210909-1ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gp-saml-gui (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed-jammy
Timo Aaltonen (tjaalton) wrote :

the focal upload needs an archive admin to process it from the NEW queue

Bun K Tan (bktan1) wrote :

Hello Timo,

Confirmed that the fix works as expected in Mantic and Jammy. We haven't tested Lunar since we don't need it. We're still waiting for the package for Focal.

Thanks!

Łukasz Zemczak (sil2100) wrote :

Hello Bun, or anyone else affected,

Accepted gp-saml-gui into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gp-saml-gui/0.0~git20210909-1ubuntu0.20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gp-saml-gui (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Bun K Tan (bktan1) wrote :

Hello Lukasz,

Looks like we're having trouble getting "focal-proposed" to install properly. Dependency issues.

        $ sudo apt-get install gp-saml-gui/focal-proposed
        Reading package lists... Done
        Building dependency tree
        Reading state information... Done
        Selected version '0.0~git20210909-1ubuntu0.20.04.1' (Ubuntu:20.04/focal-proposed [all]) for 'gp-saml-gui'
        Some packages could not be installed. This may mean that you have
        requested an impossible situation or if you are using the unstable
        distribution that some required packages have not yet been created
        or been moved out of Incoming.
        The following information may help to resolve the situation:

        The following packages have unmet dependencies:
         gp-saml-gui : Depends: openconnect (>= 8.06~) but 8.05-1 is to be installed
                       Depends: vpnc-scripts (>= 0.1~git20200226~) but 0.1~git20190117-1 is to be installed
        E: Unable to correct problems, you have held broken packages.

       $ apt-cache policy gp-saml-gui
        gp-saml-gui:
          Installed: (none)
          Candidate: 0.0~git20210909-1ubuntu0.20.04.1
          Version table:
             0.0~git20210909-1ubuntu0.20.04.1 400
                400 http://archive.ubuntu.com/ubuntu focal-proposed/universe amd64 Packages
                400 http://archive.ubuntu.com/ubuntu focal-proposed/universe i386 Packages

        apt-cache policy openconnect
        openconnect:
          Installed: 8.05-1
          Candidate: 8.05-1
          Version table:
         *** 8.05-1 500
                500 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
                100 /var/lib/dpkg/status

        wtcline@wtcline-desk7:~/wtcline.ansible$ apt-cache policy vpnc-scripts
        vpnc-scripts:
          Installed: 0.1~git20190117-1
          Candidate: 0.1~git20190117-1
          Version table:
         *** 0.1~git20190117-1 500
                500 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
                500 http://us.archive.ubuntu.com/ubuntu focal/universe i386 Packages
                100 /var/lib/dpkg/status

Shane McKee (mckeesh) wrote :

It looks like I missed some dependency version issues in the control file. I built this and installed it successfully in a focal VM, so we should be good on this one.

Shane McKee (mckeesh) wrote :

Hi Bun & others affected,

Since this is a new backport, can you please try my PPA for Focal before we submit a proposed version again?

sudo add-apt-repository ppa:mckeesh/lp2026771
sudo apt update
sudo apt install gp-saml-gui

Bun K Tan (bktan1) wrote :

Tested '0.0~git20220831-1ubuntu0.23.04.1' on Lunar (Ubuntu 23.04) and confirmed that it works!

Bun K Tan (bktan1) wrote :

Hi Shane,

We just tried your PPA and had success with the package!

Thanks!

Frank Heimes (fheimes)
tags: added: verification-done-jammy verification-done-lunar
removed: verification-needed-jammy verification-needed-lunar
tags: added: verification-failed-focal
Frank Heimes (fheimes) wrote :

Quick summary and status:

I first of all tagged version 0.0~git20210909-1ubuntu0.20.04.1 with verification-failed-focal due to the reported dependency issues.

This was fixed in 0.0~git20210909-1ubuntu0.20.04.*2*.
The fixed version 0.0~git20210909-1ubuntu0.20.04.2 was built in PPA, lintian is happy, the installation tested (even on multiple platforms), the initial bug reporter did a successful functional test based on the PPA package and the debdiff checked (should be a diff between 0.0~git20210909-1ubuntu0.20.04.1 and 0.0~git20210909-1ubuntu0.20.04.2, since 0.0~git20210909-1ubuntu0.20.04.1 already hit the archive, even if it was only -proposed - it's attached to this comment).

With that I'm uploading now 0.0~git20210909-1ubuntu0.20.04.2.

Andreas Hasenack (ahasenack) wrote :

Hello @bktan1,

> Confirmed that the fix works as expected in Mantic and Jammy. We haven't tested Lunar since we don't need
> it. We're still waiting the package for Focal.

Can you please confirm that you used the package from the jammy-proposed repository, and not from some ppa or even a local build?

Andreas Hasenack (ahasenack) wrote : Update Released

The verification of the Stable Release Update for gp-saml-gui has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gp-saml-gui - 0.0~git20220831-1ubuntu0.23.04.1

---------------
gp-saml-gui (0.0~git20220831-1ubuntu0.23.04.1) lunar; urgency=medium

  * Add d/p/lp-2026771-Handle-headers-case-insensitively.patch to fix broken
    PAPG with SAML authentication working (LP: #2026771)
  * d/control: Changes due to update-maintainer run.

 -- Shane McKee <email address hidden> Wed, 26 Jul 2023 14:12:25 -0600

Changed in gp-saml-gui (Ubuntu Lunar):
status: Fix Committed → Fix Released
Bun K Tan (bktan1) wrote :

@ahasenack

> Can you please confirm that you used the package from the jammy-proposed repository, and not from some ppa
> or even a local build?

Yes, we tested the package from jammy-proposed.

Robie Basak (racb) wrote :

Accepting gp-saml-gui 0.0~git20210909-1ubuntu0.20.04.2 into focal-proposed. I don't think _versioned_ depends are necessary at all unless they affect an upgrade path *up to* Focal or gp-saml-gui needs versions newer than in the Focal release pocket. So it seems a bit strange just to move them back to the Focal versions. But they aren't doing any harm there either so no need to change it now.

tags: removed: verification-failed-focal
Robie Basak (racb) wrote : Please test proposed package

Hello Bun, or anyone else affected,

Accepted gp-saml-gui into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gp-saml-gui/0.0~git20210909-1ubuntu0.20.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gp-saml-gui - 0.0~git20210909-1ubuntu0.22.04.1

---------------
gp-saml-gui (0.0~git20210909-1ubuntu0.22.04.1) jammy; urgency=medium

  * Add d/p/lp-2026771-Handle-headers-case-insensitively.patch to fix broken
    PAPG with SAML authentication working (LP: #2026771)
  * d/control: Changes due to update-maintainer run.

 -- Shane McKee <email address hidden> Wed, 26 Jul 2023 14:19:20 -0600

Changed in gp-saml-gui (Ubuntu Jammy):
status: Fix Committed → Fix Released
Bun K Tan (bktan1) wrote :

@racb:

> I can confirm that the gp-saml-gui package in Focal works as expected!
>
> Output of 'apt-cache policy gp-saml-gui':
>
> gp-saml-gui:
> Installed: 0.0~git20210909-1ubuntu0.20.04.2
> Candidate: 0.0~git20210909-1ubuntu0.20.04.2
> Version table:
> *** 0.0~git20210909-1ubuntu0.20.04.2 400
> 400 http://archive.ubuntu.com/ubuntu focal-proposed/universe amd64 Packages
> 400 http://archive.ubuntu.com/ubuntu focal-proposed/universe i386 Packages
> 100 /var/lib/dpkg/status

Luís Infante da Câmara (luis220413) wrote :

Marking as verified per comment #29.

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gp-saml-gui - 0.0~git20210909-1ubuntu0.20.04.2

---------------
gp-saml-gui (0.0~git20210909-1ubuntu0.20.04.2) focal; urgency=medium

  * Fix focal verification failure (LP: #2026771).
    - d/control: Change openconnect minimum version to 8.05 to match the
      version available in focal.
    - d/control: Change vpnc-scripts minimum version to 0.1~git20190117 to
      match the version available in focal.

gp-saml-gui (0.0~git20210909-1ubuntu0.20.04.1) focal; urgency=medium

  * Initial upload, requested at (LP: #2026771).
    - Pick latest (SRU-) version from 22.04, but use focal-specific version.
    - d/control: Decrease debhelper-compat to 12 to enable 20.04 builds.
    - d/p/lp-2026771-Handle-headers-case-insensitively.patch is incl. to fix
      broken PAPG with SAML authentication.
    - d/control: Changes due to update-maintainer run

 -- Shane McKee <email address hidden> Mon, 14 Aug 2023 11:25:38 -0600

Changed in gp-saml-gui (Ubuntu Focal):
status: Fix Committed → Fix Released
Wade Cline (wtcline) wrote :

I believe this can be closed now.
