Commit Graph

438 Commits

Author SHA1 Message Date
Olav Morken 262768ae19 NEWS: Add consistent whitespace between releases. 2018-03-16 08:21:38 +01:00
Olav Morken 7bb98cf9dd Fix config.h.in missing in .tar.gz. 2018-03-16 08:21:38 +01:00
Olav Morken 4f2265fcf0 Merge pull request #159 from jdennis/adfs-doc
Update User Guide on error responses and ADFS issues
2018-02-27 07:40:09 +01:00
John R. Dennis bdc95cce4f Merge pull request #1 from davidkretch/adfs-doc
Fix typos in the user guide
2018-02-25 12:25:15 -05:00
David Kretch aee068f4a1 Fix typos in the user guide
Fix some typos in the newly-added sections in the user guide on error
responses and ADFS issues.
2018-02-25 12:05:25 -05:00
John Dennis 8abbcf9dc6 Update User Guide on error responses and ADFS issues
Add documentation in the User Guide on how to determine if a SAML
transaction succeeded or failed and how to determine the cause of the
failure.

Add documentation in the User Guide on known quirks with ADFS
integration.

Signed-off-by: John Dennis <jdennis@redhat.com>
2018-02-22 19:04:04 -05:00
Olav Morken f86a86519e Merge pull request #156 from jdennis/sign_alg
Add MellonSignatureMethod to control signature algorithm
2018-02-22 07:20:00 +01:00
John Dennis 9b17e5c107 Add MellonSignatureMethod to control signature algorithm
Previously there was no way to control the signature algorithm used
when Mellon signed its SAML messages. It simply defaulted to whatever
the default was in the LassoServer server object. Currently the lasso
default is LASSO_SIGNATURE_METHOD_RSA_SHA1. Some IdPs require a
different or more secure method (e.g. ADFS). This patch allows
controlling the signature method on a per-directory basis via the
MellonSignatureMethod configuration directive.

It currently supports the following configuration values, which map to
these Lasso enumerated constants (provided these definitions exist in
Lasso):

rsa-sha1:    LASSO_SIGNATURE_METHOD_RSA_SHA1
rsa-sha256:  LASSO_SIGNATURE_METHOD_RSA_SHA256
rsa-sha384:  LASSO_SIGNATURE_METHOD_RSA_SHA384
rsa-sha512:  LASSO_SIGNATURE_METHOD_RSA_SHA512

configure.ac was modified to test for the existence of the above
Lasso definitions; support is only compiled into Mellon if they
are defined at build time.

Important: This patch also changes the default used by Mellon from
rsa-sha1 to rsa-sha256. This was done because SHA1 is no longer
considered safe; SHA256 is now the current recommendation.

The patch also includes a few corrections in the diagnostics code
where it failed to use CFG_VALUE. Also fixed the diagnostics code, when
an unknown value was encountered, to print what that unknown value was.

Signed-off-by: John Dennis <jdennis@redhat.com>
2018-02-21 18:39:46 -05:00
Olav Morken 31b70eb296 Merge pull request #157 from jdennis/log-status-response
Log SAML status response information
2018-02-21 08:21:56 +01:00
John Dennis 582f283c49 Log SAML status response information
Knowing if a SAML operation failed, and the reason why, is essential to
diagnose problems. The SAML Status Response is always included in all
SAML responses. In addition to the major reason why a transaction
failed, it may also include extra expository information giving
additional details. Unfortunately, we never logged any of the status
response information when a failure occurred. This patch adds code to
log the status response information.

In addition, the patch adds diagnostic logging of received POST data.

Signed-off-by: John Dennis <jdennis@redhat.com>
2018-02-20 16:55:17 -05:00
Olav Morken 72d12b3789 Merge pull request #155 from andrew-schulman/master
convert README to README.md
2018-02-09 09:25:17 +01:00
Andrew Schulman 524d5580db convert README to README.md 2018-02-08 14:38:13 -05:00
Olav Morken 906d7fd030 Merge pull request #154 from andrew-schulman/master
Fix consistency, grammar, and usage in user guide
2018-02-08 08:49:12 +01:00
Andrew Schulman 0851045f73 Fix consistency, grammar, and usage in user guide 2018-02-07 12:18:14 -05:00
Olav Morken 3a70773164 Merge pull request #152 from UNINETT/fix-apache-2-2-build
Fix build on Apache 2.2
2018-01-18 19:09:33 +01:00
Olav Morken 70e8abc3a4 Give clear error if building with diagnostics support on old Apache
This patch ensures that we fail with a clear error message if building
with diagnostics support on Apache 2.2 or older.
2018-01-18 18:44:28 +01:00
Olav Morken 15fcbf7c9d Fix build error on Apache 2.2.
The `mi` parameter to `ap_log_rerror()` was added in Apache 2.4. This
makes the macro expansion in `AM_LOG_RERROR()` incorrect on Apache
2.2.

This patch works around this issue by forwarding the `AM_LOG_RERROR()`
macro directly to `ap_log_rerror()`.

Fixes issue 151.
2018-01-18 18:36:22 +01:00
Olav Morken 4eb25e621d Merge pull request #149 from nneul/patch-1
Add clarification on using info vs auth
2018-01-12 09:28:16 +01:00
Olav Morken bc6ffdfd45 Merge pull request #150 from nneul/patch-2
Add example for dual auth support.
2018-01-12 09:27:57 +01:00
Nathan Neulinger fe8b978429 Add example for dual auth support. 2018-01-11 15:21:34 -06:00
Nathan Neulinger f865919896 Add clarification on using info vs auth 2018-01-11 15:15:50 -06:00
Olav Morken 1dd4a5be09 Merge pull request #147 from davidkretch/fix-typos
Fix Mellon user guide typos
2017-12-18 08:48:29 +01:00
David Kretch 5927b5c383 Fix Mellon user guide typos
Fix some typos in the Mellon user guide.
2017-12-17 15:44:00 -05:00
Olav Morken 39c22c275f Merge pull request #146 from jdennis/diag_condtional_build
Fix conditional build of auth_mellon_diagnostics.c
2017-12-11 14:43:45 +01:00
John Dennis 86eb3440b2 Fix conditional build of auth_mellon_diagnostics.c
Commit de853e15 introduced using config.h to define optional build
parameters instead of putting them on the compile command
line. Unfortunately that broke the compilation of
auth_mellon_diagnostics.c.

We used to have this:

#ifdef ENABLE_DIAGNOSTICS
#include "auth_mellon.h"

but the flag ENABLE_DIAGNOSTICS is now defined by including
auth_mellon.h (which includes config.h), hence it would be impossible
for ENABLE_DIAGNOSTICS to be defined during compilation.

The solution is simple: just reverse the order of the two lines such
that the defines are seen before the #ifdef conditional.

Signed-off-by: John Dennis <jdennis@redhat.com>
2017-12-07 15:43:33 -05:00
Olav Morken e5e90f8c27 Merge pull request #140 from jdennis/nameid_doc
Add NameID discussion to User Guide
2017-10-31 11:46:00 +01:00
John Dennis 89a3c8174b Add NameID discussion to User Guide
How NameIDs are used in SAML often confuses people trying to configure
a service provider, especially when they try to emulate a userid. This
patch adds several sections describing the concept of a SAML NameID,
how the use of NameIDs is configured in SAML, and some suggested
approaches to utilizing NameIDs.

Signed-off-by: John Dennis <jdennis@redhat.com>
2017-10-10 20:25:37 -04:00
Olav Morken 7ed00f45ea Merge pull request #139 from nneul/feature-more-diag
Add additional diagnostic information for invalid destination and audience
2017-10-06 15:19:12 +02:00
nneul at neulinger.org 93faba4505 Update log msg for Invalid Destination and Invalid Audience to show both the expected and received values. 2017-10-06 12:12:51 +00:00
Olav Morken 85ffa837e2 Merge pull request #137 from jdennis/autotools
Add user_guide to distribution, use AC_DEFINE instead of CFLAGS
2017-10-02 11:46:10 +02:00
John Dennis de853e1554 Add user_guide to distribution, use AC_DEFINE instead of CFLAGS
This patch corrects a few minor autotool issues.

The user_guide was recently added, but that commit failed to include
the new documentation in the tarball; Makefile.in was augmented
to add the new files to the list of distribution files.

Formerly the #defines generated by configure were passed to the
compiler on the command line in various CFLAGS values. Although that
works, the more -Dxxx that configure generates, the longer the compile
command becomes, and it starts to get unreadable and may possibly exceed
the command line length. A more common practice with autotools is to
employ autoheader, whereby configure generates a file typically called
config.h which is then included by the C files. The contents of
config.h are the #defines as generated by configure. configure.ac
was updated to utilize AC_DEFINE in lieu of adding -Dxxx to CFLAGS
and to generate and output config.h.

Note: autogen.sh needs to be re-run to pick up these changes so that
the configure included in the tarball contains the updated version.

Signed-off-by: John Dennis <jdennis@redhat.com>
2017-09-29 13:42:24 -04:00
Olav Morken 5f001e637b Merge pull request #133 from jdennis/diagnostics
Adds support for diagnostics-logging, which provides a detailed log from the request processing in mod_auth_mellon.
2017-09-26 08:50:29 +02:00
John Dennis 8d49ab65a1 Replace ap_log_rerror with AM_LOG_RERROR
If diagnostics is enabled we want error messages written to the
diagnostics log as well as the Apache error_log. AM_LOG_RERROR
replaces the use of ap_log_rerror, it invokes ap_log_rerror as
previously but then also logs the same message to the diagnostics
log. If diagnostics is not enabled it reverts to ap_log_rerror.

Signed-off-by: John Dennis <jdennis@redhat.com>
2017-09-25 11:09:23 -04:00
John Dennis e8579f6387 Add diagnostic logging
Field experience with Mellon has demonstrated there are many
opportunities for deployment problems. Although there are tools such
as browser plugins which can capture SAML messages, it's onerous for
site personnel to install them and capture the relevant information. The
problem with this approach is further compounded by the fact that the
external SAML messages are not correlated to Mellon's
requests/responses. Mellon currently can dump the Lasso session and
SAML Response messages and place them in Apache environment variables;
however, these do not appear in the log file. To get them into the log
you have to add custom logging to the Apache config. Another issue is
that the dumps are not human readable: they are base64 encoded, so anyone
looking at the logs after setting up the custom logging will have to
find the base64 text and then manually copy the text into an external
base64 decoder. At that point you'll discover the XML is not pretty
printed, making human interpretation difficult.

The Mellon debug messages written to the Apache error log are often
insufficient to diagnose problems. And since the Mellon log messages
are written to the Apache error log, they are interspersed with a lot
of non-Mellon messages.

Compounding the problem of writing Mellon debug messages to the Apache
error log is the fact that Apache log messages have a fixed maximum length
(currently 8192) which is insufficient to completely write out such
things as SAML Assertions, metadata, etc. Apache logging also escapes
all control characters, with the consequence that line breaks are not
preserved, and what was a nicely formatted human readable piece of text
becomes a single line with escape characters and may be truncated.

It would be really nice if we could capture diagnostic information
with these properties:

* All relevant data is collected in exactly one file.

* Only information relevant to Mellon appears in the file.

* All information is human readable (pretty printed, decrypted) with
  no need to rely on other tools.

* The diagnostic information is grouped by requests.

* The requests can be cross correlated with other Apache logs because
  they utilize the same unique request identifier.

This patch adds diagnostic logging to an independent Mellon diagnostics
log file. Every piece of relevant information is captured, including:

* Request information which includes:

  - Request method
  - Request URL (raw and processed)
  - Scheme
  - Port
  - Request query parameters
  - Server name
  - Unique request ID
  - process ID, thread ID
  - Request headers

* Mellon per directory configuration

  A complete dump of the entire am_dir_cfg_rec structure, keyed using
  both the Mellon directive it is associated with and its internal
  name. This is emitted once on first use for a given URL.

  The per directory dump includes the pathname of each file read as
  well as the file contents. This includes:

  - IdP metadata
  - SP metadata
  - SP cert
  - SP key
  - IdP public key file
  - IdP CA file

* All session management operations

  - cookie
  - session lookup
  - session creation
  - session deletion
  - cache management
  - cache entry information

* All SAML messages

  Each SAML message is decrypted, decoded and XML pretty printed in
  human readable form.

* Request pipeline operations

  What operations Mellon performs, what decisions it makes and what
  data is being used to make those decisions.

* Response

  - response status
  - response headers
  - Apache user name
  - auth_type
  - all Apache environment variables

Diagnostics can be enabled/disabled both at compile time and run
time. Compile time inclusion of diagnostics is managed with the
ENABLE_DIAGNOSTICS preprocessor symbol. The configure script now accepts
the

  --enable-diagnostics and --disable-diagnostics

options. Building with diagnostics is disabled by default; you must
specify --enable-diagnostics to enable the run time option of generating
diagnostics.

The following server config directives have been added (e.g. they may be
specified in the main server config area or within a <VirtualHost>
directive). If Mellon was not built with diagnostics enabled then
these config directives are no-ops, and their use will generate a
warning in the log file indicating they have been ignored and that, to be
effective, you must build Mellon with diagnostics enabled.

  MellonDiagnosticsFile:
    The name of the diagnostics file or pipe,
    (default is logs/mellon_diagnostics)

  MellonDiagnosticsEnable:
    Currently either On or Off but it is designed so it can take other
    flags in the future to control what type of information is
    reported.

Signed-off-by: John Dennis <jdennis@redhat.com>
2017-09-25 11:09:10 -04:00
John Dennis 6d2ee845c0 Track file information
File information was handled inconsistently. Some configuration
directives which specified a file path replaced the file path with the
contents of the file. This made it impossible to report where the data
was read from. Other file configuration simply recorded the path. The
directives which immediately read the file contents would generate a
configuration error if the file wasn't readable, but those directives
which simply recorded the file path didn't check the validity of
the path and relied on Lasso to report an error; however, these errors
come significantly after configuration parsing because they are
evaluated in a lazy fashion on first use. The Lasso error reporting
can sometimes be cryptic, making it difficult to realize the problem is
due to an improperly specified path in a configuration directive.

We want to be able to log the file pathnames where various files are
read from for diagnostic logging purposes.

This patch introduces a new struct am_file_data_t that encapsulates
all information concerning a file, including its pathname, its stat
information, optionally its content, when it was read, etc., as well
as maintaining error codes and an error description.

All file specifications and operations now use this mechanism for
consistency.

Signed-off-by: John Dennis <jdennis@redhat.com>
2017-09-22 13:44:13 -04:00
Olav Morken 3869c73d8d Merge pull request #135 from jdennis/user_guide
Add Mellon User Guide
2017-09-21 16:57:12 +02:00
John Dennis ee97812b97 Add Mellon User Guide
The User Guide is documentation intended to help people get started
with mod_auth_mellon, understand SAML concepts as they directly relate
to mod_auth_mellon, install mellon, understand mellon configuration,
learn how to diagnose deployment problems, address complex deployment
considerations such as behind proxies and load balancers and enumerate
the most common deployment problems and their solutions.

The document is written in AsciiDoc. It aspires to be vendor and
operating system neutral. When there are vendor or operating system
specific considerations those are called out separately.

Instructions on how to edit and render the AsciiDoc are provided in
the README.

Signed-off-by: John Dennis <jdennis@redhat.com>
2017-09-18 11:04:58 -04:00
John Dennis daa5d1e667 If no IdP's are defined explicitly log that fact
Sometimes configuration errors are made and a location does not have any
IdPs defined for it. Previously the error message in this case was:

"Error adding IdP to lasso server object. Please verify the following
configuration directives: MellonIdPMetadataFile and
MellonIdPPublicKeyFile."

But this message is misleading: it suggests an attempt was made to add
the IdP but somehow it failed. This will often cause folks to try to
determine what is wrong with the IdP metadata file, which may in fact
be defined in the mellon config but, because of location inheritance, is
not being included in the per directory config.

It would be much more helpful to indicate no IdPs were defined for
this config location, which is clearly a different problem than
suggesting an attempt was made to add an IdP but it failed.

Signed-off-by: John Dennis <jdennis@redhat.com>
2017-09-02 12:33:07 -04:00
John Dennis 119cbdd525 modify cache functions to take request_rec parameter instead of server_rec
The entire point of the cache is to persist state between requests, so
conceptually it makes sense that the cache functions would receive a
server_rec pointer, because the cache is a server level data
structure. However, most cache operations occur in the context of a
request. Passing a request_rec to a cache function has the following
advantages:

1) Any logging during a cache operation should be tied to the request.

2) Any need for temporary memory allocation is much easier to handle
with access to the request's memory pool, which is cleaned up at the
end of the request, as opposed to trying to manage memory allocations at
the server level.

3) Any need for access to the server_rec is trivially easy to obtain
from the request_rec via r->server. In fact the callers of cache
functions inside requests simply provided the server_rec parameter
via r->server, so why not just pass the request_rec?

These changes are in anticipation of adding enhanced logging and
diagnostics into the cache functions; they will need access to the
request_rec and its memory pool.

Signed-off-by: John Dennis <jdennis@redhat.com>
2017-09-02 12:31:24 -04:00
Olav Morken c29123244e Make MellonUser case-insensitive.
MellonUser used to perform its attribute match in a case-sensitive
manner, while environment variables are stored in a case-insensitive
table in Apache.

The result is a bit of inconsistency between the way mod_auth_mellon
handles the attribute names and the way they are accessed other places
in Apache.

This patch changes the code to use a case-insensitive match when
processing the MellonUser directive.

Fixes issue #131.
2017-08-16 17:28:16 +02:00
Olav Morken 2c2e19d960 Fix incorrect error check for many `lasso_*`-functions.
In several places in the code we assumed that Lasso error codes were
negative; however, some of them are positive integers. This patch
ensures that we do a direct check for a zero return code in all cases.

Fixes issue #128.
2017-08-08 14:34:24 +02:00
Olav Morken 5c5ed1d6ab Fix segmentation fault with POST field without a value.
This patch fixes a segmentation fault that can occur after the user
has logged in if the server is configured to replay POST data from
before login. If the POST data contained a field without a value we
would attempt to pass a constant string to the
am_urldecode()-function, which would crash with a segmentation fault.

This patch fixes that by using an empty string allocated on the stack
instead of a constant string.

Fixes #115.
2017-08-08 09:45:10 +02:00
Olav Morken 6ff514ceec Merge pull request #122 from thijskh/master
Fix some log message typos
2017-07-10 09:20:34 +02:00
Thijs Kinkhorst 4c924d9062 Fix some log message typos 2017-07-09 14:42:29 +00:00
Olav Morken 1851412d77 Version 0.13.1. 2017-03-13 10:14:53 +01:00
Olav Morken 8dafa59aa8 Fix segfault if POST replay is enabled but MellonPostDirectory is not set.
This patch fixes a segmentation fault when POST replay is enabled if
MellonPostDirectory is not set. This segmentation fault occurs when
trying to open the POST directory.

The fix changes the behavior to log an error instead in this case.
2017-03-13 10:14:50 +01:00
Olav Morken 7af21c53da Fix Cross-Site Session Transfer vulnerability
mod_auth_mellon did not verify that the site the session was created
for was the same site as the site the user accessed. This allows an
attacker with access to one web site on a server to use the same
session to get access to a different site running on the same server.

This patch fixes this vulnerability by storing the cookie parameters
used when creating the session in the session, and verifying those
parameters when the session is loaded.

Thanks to François Kooman for reporting this vulnerability.

This vulnerability has been assigned CVE-2017-6807.
2017-03-13 09:55:48 +01:00
Olav Morken 3fe9a7ee17 Fix parameter order in comment
The order of parameters in this comment didn't match the function
definition. Update the comment to reflect the parameter order in the
function.
2017-03-10 14:42:32 +01:00
Olav Morken 6b41d56927 Add beginning of NEWS file for version 0.13.1 2017-03-10 14:42:32 +01:00
Olav Morken dba4bbd8f7 Merge pull request #114 from UNINETT/fix_segfault_missing_attr_name
Fix segmentation fault when the IdP returns an attribute without a Name.
2017-03-10 14:39:48 +01:00