_SamlAuth does not do any error checking on SAML messages

Bug #1675523 reported by John Dennis
This bug affects 2 people
Affects: keystoneauth | Status: Triaged | Importance: Medium | Assigned to: Unassigned | Milestone: (none)

Bug Description

_SamlAuth in keystoneauth/keystoneauth1/extras/_saml2/v3/saml2.py does very little error checking of SAML messages, especially in _ecp_retry(). It does not check the status_code, nor does it look for a SOAP error or a SAML error. It just feeds whatever it got back into _response_xml(), which sometimes is not even the expected XML, e.g. it might be HTML, for example:

"<html><head><title>Error</title></head><body>Internal Server Error</body></html>"

which just happens to be valid XML, so _response_xml() happily parses it, but then later it throws an exception:

/S:Envelope/S:Header/ecp:Response/@AssertionConsumerServiceURL should provide a single element list
IndexError: /S:Envelope/S:Header/ecp:Response/@AssertionConsumerServiceURL should provide a single element list

which is nonsense because it's not even looking at a SOAP message wrapping an ecp:Response. This error is a red herring; it has nothing to do with ecp data and as such misdirects subsequent investigation into the problem.
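
The layered checks the report says _ecp_retry() skips, as an added example. This is illustration code written for this page, not keystoneauth's own implementation: it uses the standard-library ElementTree instead of keystoneauth's parser, a hypothetical FakeResponse stand-in for a requests.Response, and constructed sample bodies (the HTML error from the report plus invented SOAP Fault, SAML failure and success envelopes; the sp.example.com URL is made up). The point it shows is that each failure is reported at the layer where it actually occurs (HTTP status, content type, root element, SOAP Fault, samlp:Status) before anything ever touches the ecp:Response header, so the misleading IndexError can no longer be the first error a user sees.

```python
"""Added example (not keystoneauth code): validate an ECP/SOAP response
layer by layer before extracting the ecp:Response header from it."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Real namespace URIs from the SAML 2.0 ECP profile and SOAP 1.1.
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
XML_TYPES = ("text/xml", "application/soap+xml", "application/vnd.paos+xml")


class EcpResponseError(Exception):
    """Carries a message naming the real cause of a failed ECP exchange."""


@dataclass
class FakeResponse:
    """Hypothetical stand-in for requests.Response (constructed for this example)."""
    status_code: int
    headers: dict
    content: bytes


def check_ecp_response(resp):
    """Return the AssertionConsumerServiceURL from the single ecp:Response header,
    or raise EcpResponseError describing the first layer that failed."""
    # 1. HTTP status: a 4xx/5xx body is an error page, not a SOAP envelope.
    if resp.status_code >= 400:
        snippet = resp.content[:80].decode("utf-8", "replace")
        raise EcpResponseError("HTTP %d from peer: %s" % (resp.status_code, snippet))
    # 2. Content-Type: reject HTML and other non-XML bodies before parsing.
    ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in XML_TYPES:
        raise EcpResponseError("unexpected Content-Type %r, expected SOAP/PAOS XML" % ctype)
    # 3. Well-formedness: surface parser errors with the parser's own message.
    try:
        root = ET.fromstring(resp.content)
    except ET.ParseError as exc:
        raise EcpResponseError("body is not well-formed XML: %s" % exc)
    # 4. Root element: "<html>...</html>" parses fine but is not an Envelope.
    if root.tag != "{%s}Envelope" % NS["S"]:
        raise EcpResponseError("root element is %r, not a SOAP Envelope" % root.tag)
    # 5. SOAP Fault (SOAP 1.1 fault children are unqualified).
    fault = root.find("S:Body/S:Fault", NS)
    if fault is not None:
        code = fault.findtext("faultcode", default="?")
        text = fault.findtext("faultstring", default="?")
        raise EcpResponseError("SOAP Fault %s: %s" % (code, text))
    # 6. SAML status: anything other than Success is an IdP-side failure.
    status = root.find("S:Body/samlp:Response/samlp:Status/samlp:StatusCode", NS)
    if status is not None and status.get("Value") != SAML_SUCCESS:
        msg = root.findtext("S:Body/samlp:Response/samlp:Status/samlp:StatusMessage",
                            default="", namespaces=NS)
        raise EcpResponseError("SAML status %s %s" % (status.get("Value"), msg))
    # 7. Only now look at the ECP header the original code reached for first.
    ecp = root.findall("S:Header/ecp:Response", NS)
    if len(ecp) != 1 or not ecp[0].get("AssertionConsumerServiceURL"):
        raise EcpResponseError("expected exactly one ecp:Response header with "
                               "AssertionConsumerServiceURL, found %d" % len(ecp))
    return ecp[0].get("AssertionConsumerServiceURL")


def describe(resp):
    """Return the error message for a bad response, or None when it passes."""
    try:
        check_ecp_response(resp)
    except EcpResponseError as exc:
        return str(exc)
    return None


# Constructed sample responses (not captured from any real deployment).
HTML_BODY = b"<html><head><title>Error</title></head><body>Internal Server Error</body></html>"
HTML_500 = FakeResponse(500, {"Content-Type": "text/html"}, HTML_BODY)
HTML_200 = FakeResponse(200, {"Content-Type": "text/html"}, HTML_BODY)
MISLABELLED = FakeResponse(200, {"Content-Type": "text/xml; charset=utf-8"}, HTML_BODY)
SOAP_FAULT = FakeResponse(200, {"Content-Type": "text/xml"}, (
    b'<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body>'
    b'<S:Fault><faultcode>S:Server</faultcode>'
    b'<faultstring>Unable to locate identity provider</faultstring></S:Fault>'
    b'</S:Body></S:Envelope>'))
SAML_FAILURE = FakeResponse(200, {"Content-Type": "application/vnd.paos+xml"}, (
    b'<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"'
    b' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><S:Header/><S:Body>'
    b'<samlp:Response><samlp:Status>'
    b'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
    b'<samlp:StatusMessage>Authentication failed</samlp:StatusMessage>'
    b'</samlp:Status></samlp:Response></S:Body></S:Envelope>'))
GOOD = FakeResponse(200, {"Content-Type": "application/vnd.paos+xml"}, (
    b'<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"'
    b' xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'
    b' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><S:Header>'
    b'<ecp:Response S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"'
    b' AssertionConsumerServiceURL="https://sp.example.com/Shibboleth.sso/SAML2/ECP"/>'
    b'</S:Header><S:Body><samlp:Response><samlp:Status>'
    b'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    b'</samlp:Status></samlp:Response></S:Body></S:Envelope>'))

if __name__ == "__main__":
    for name, resp in [("HTML_500", HTML_500), ("HTML_200", HTML_200),
                       ("MISLABELLED", MISLABELLED), ("SOAP_FAULT", SOAP_FAULT),
                       ("SAML_FAILURE", SAML_FAILURE), ("GOOD", GOOD)]:
        print("%-12s %s" % (name, describe(resp) or "ok"))
```

The MISLABELLED case is the one from the report: the HTML body is well-formed XML, so a content-type check alone is not enough and the root-element check is what turns the misleading AssertionConsumerServiceURL IndexError into "root element is 'html', not a SOAP Envelope".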

Changed in keystoneauth:
status: New → Triaged
importance: Undecided → Medium
John Dennis (jdennis-a)
Changed in keystoneauth:
assignee: nobody → John Dennis (jdennis-a)
Lance Bragstad (lbragstad) wrote :

Automatically unassigning due to inactivity.

Changed in keystoneauth:
assignee: John Dennis (jdennis-a) → nobody