python-keystoneclient

Saml auth plugin should redirect for 303

Bug #1501918 reported by Jamie Lennox on 2015-10-01

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	keystoneauth	Fix Released	Medium	Jamie Lennox	keystoneauth 2.1.0 "2.1.0"
	python-keystoneclient	Fix Released	Medium	Jamie Lennox	python-keystoneclient 1.8.0 "1.8.0"

Bug Description

The SAML plugin hooks the http redirect code as ECP doesn't correctly follow the HTTP spec in this regard. Currently the plugin specifically looks for a 302 redirection and handles it however it should also handle the 303 redirect code as this is ambiguous in the specification and what mod_auth_mellon uses.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-01: Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/230151

Changed in python-keystoneclient:
assignee:	nobody → Jamie Lennox (jamielennox)
status:	New → In Progress

Jamie Lennox (jamielennox) on 2015-10-01

tags:	added: liberty-backport-potential
tags:	added: kilo-backport-potential
Changed in keystoneauth:
assignee:	nobody → Jamie Lennox (jamielennox)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-02: Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/230151
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=9cd71c064c77a22a0a58084a2abab77b023017b5
Submitter: Jenkins
Branch: master

commit 9cd71c064c77a22a0a58084a2abab77b023017b5
Author: Jamie Lennox <email address hidden>
Date: Fri Oct 2 07:17:21 2015 +1000

Redirect on 303 in SAML plugin

    The SAML plugin handles redirects in a custom manner but currently only
    checks for the 302 redirect code. This doesn't cover the mod_auth_mellon
    case which responds with a 303.

Also handle the 303 redirect case.

Change-Id: Idab5f381fcbfb8c561184845d3aa5c8aab142ecd
Closes-Bug: #1501918

Changed in python-keystoneclient:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-02: Fix proposed to python-keystoneclient (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/230231

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-02: Fix proposed to python-keystoneclient (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/230232

Dolph Mathews (dolph) on 2015-10-02

Changed in python-keystoneclient:
importance:	Undecided → Medium
Changed in keystoneauth:
importance:	Undecided → Medium
status:	New → Triaged

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-05: Fix merged to python-keystoneclient (stable/liberty)

Reviewed: https://review.openstack.org/230231
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=90c5838074fcb5d64fa3aaadf4a61eed606cd9d3
Submitter: Jenkins
Branch: stable/liberty

commit 90c5838074fcb5d64fa3aaadf4a61eed606cd9d3
Author: Jamie Lennox <email address hidden>
Date: Fri Oct 2 07:17:21 2015 +1000

Redirect on 303 in SAML plugin

    The SAML plugin handles redirects in a custom manner but currently only
    checks for the 302 redirect code. This doesn't cover the mod_auth_mellon
    case which responds with a 303.

Also handle the 303 redirect case.

    Change-Id: Idab5f381fcbfb8c561184845d3aa5c8aab142ecd
    Closes-Bug: #1501918
    (cherry picked from commit 9cd71c064c77a22a0a58084a2abab77b023017b5)

tags:

added: in-stable-liberty

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-10-06: Fix merged to python-keystoneclient (stable/kilo)

Reviewed: https://review.openstack.org/230232
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=805c9d6563f5920ed8a1763fa0b1007f549b998e
Submitter: Jenkins
Branch: stable/kilo

commit 805c9d6563f5920ed8a1763fa0b1007f549b998e
Author: Jamie Lennox <email address hidden>
Date: Fri Oct 2 07:17:21 2015 +1000

Redirect on 303 in SAML plugin

    The SAML plugin handles redirects in a custom manner but currently only
    checks for the 302 redirect code. This doesn't cover the mod_auth_mellon
    case which responds with a 303.

Also handle the 303 redirect case.

    Change-Id: Idab5f381fcbfb8c561184845d3aa5c8aab142ecd
    Closes-Bug: #1501918
    (cherry picked from commit 9cd71c064c77a22a0a58084a2abab77b023017b5)

tags:

added: in-stable-kilo

Davanum Srinivas (DIMS) (dims-v) on 2015-10-13

Changed in python-keystoneclient:
milestone:	none → 1.8.0
status:	Fix Committed → Fix Released

Revision history for this message

Jamie Lennox (jamielennox) wrote on 2015-11-21:

Now that we are merging the SAML plugins back into the main repository this affects keystoneauth again. Whilst they were in keystoneauth-saml2 this got merged so the code now in keystoneauth is fixed. The plugins are still marked private though while we rework them. So it's in - but not released.

Changed in keystoneauth:
status:	Triaged → Fix Committed

Davanum Srinivas (DIMS) (dims-v) on 2015-12-06

Changed in keystoneauth:
milestone:	none → 2.1.0
status:	Fix Committed → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-25: Related fix proposed to keystoneauth (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/310043

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-28: Related fix merged to keystoneauth (master)

Reviewed: https://review.openstack.org/310043
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=1a2a579393a4b7fde168fe42c1b8e8a71660f382
Submitter: Jenkins
Branch: master

commit 1a2a579393a4b7fde168fe42c1b8e8a71660f382
Author: Rodrigo Duarte <email address hidden>
Date: Mon Apr 25 16:19:48 2016 -0300

Add 303 as redirect code for k2k plugin

    Some service providers, like mod_mellon return a 303 response
    upon successful authentication. The "requests" package only
    considers 302, as per the following example::

      >>> import requests
      >>> requests.codes['found']
      302

Change-Id: I5797f490f2e57d1c952e769bc0ef4b96c08f9a83
Related-Bug: 1501918

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.