Issuer of issuer, user of user@issuer fails
Bug #1500945 reported by
Sam Hartman
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Moonshot ID Selector |
Confirmed
|
Wishlist
|
Unassigned |
Bug Description
Adam reported an issue where issuer of issuer and user of user@issuer (resulting in nai of user@issuer@issuer) failed to even send a token and falls back to gss_eap_id.
tags: | added: all-platforms |
To post a comment you must log in.
I asked Mark for guidance on this issue; here's his response: ------- ------- ----
-------
You can find the basic discussion at
https:/ /www.jiscmail. ac.uk/cgi- bin/webadmin? A1=ind1509& L=moonshot- community# 3 ,
and the best problem descriptions at
https:/ /www.jiscmail. ac.uk/cgi- bin/webadmin? A2=ind1509& L=moonshot- community& F=&S=&P= 2897
- and -
https:/ /www.jiscmail. ac.uk/cgi- bin/webadmin? A2=ind1509& L=moonshot- community& F=&S=&P= 12757
So, with that in mind, my reproduction steps are: ------- ------- ------- ------- ------- ------- ------- ------- ----
-------
1. Set up an identity in the manager to be something like this:
Display Name: Messed Up Identity
Issuer: <email address hidden>
Username: mark
Password: <whatever>
2. Connect to a new service using ABFAB, so that the identity selector
is shown.
3. Select "Messed Up Identity"
Expected results: ------- ------- ------- ------- ------- ------- ------- ------- ----
-------
The identity selector should send the identity "<email address hidden>@mark", which should fail all authentications.
Actual results: ------- ------- ------- ------- ------- ------- ------- ------- ----
-------
The identity is not sent to the server. The moonshot libraries look for a file named .gss_eap_id (which was used before the identity selector existed), which suggests that the identity selector did not return an identity to the moonshot libraries.
Were I to debug this, I'd start looking towards the end of the lifecycle of a request for an identity, where the user has already made a selection. Somewhere along the line, the user selection is transformed into a GSS credential, and that's where this is likely failing. What I don't know is whether that's happening in the selector code, or in the library code.
If the selector hands back strings for the library to transform into the GSS credential, then I don't know that there's a lot else for the library to do at that point. It is dealing with some unusable data, and tries to fall back, and fails when it can't.
If the selector hands back the GSS credential, then there's probably a call in there to gss_import_name that is failing, because the name string (<email address hidden>@mark) does not meet the expected format. I would guess that the selector code assumes that call will always succeed.
Were I to fix this, I'd work this along two axes. First, I'd look to constrain the input field to disallow the presence of "@" or "/", which are used as delimiters that we aren't looking to have. Second, I'd look to make sure that the selector never tries to put together an identifier that has two "@" in it, even if such an identifier already got into its database somehow.