#187 Logout error in admin pages
Closed: Fixed None Opened 3 years ago by rcritten.

I had done a kinit as admin, did a bunch of stuff, then did kinit someuser.

I then got busy with other things and came back to the admin page and forgot I was a user.

I deleted an SP with no error!?

Then I tried to add one and got an authorization error so I went to logout and got the following stack trace:

[06/Oct/2015:20:08:06]  DEBUG(ipsilon/login/common.py:287 Logout.root()): Calling logout for provider saml2
[06/Oct/2015:20:08:06]  DEBUG(ipsilon/providers/saml2idp.py:398 IdpProvider.idp_initiated_logout()): IdP-initiated SAML2 logout
[06/Oct/2015:20:08:06] HTTP 
Request Headers:
  COOKIE: ipsilon_default_username=admin; idp_ipsilon_session_id=5019d254667ab2f73bbf43f9e9f364442ac11666
  ACCEPT-LANGUAGE: en-US,en;q=0.5
  USER-AGENT: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
  CONNECTION: keep-alive
  REFERER: https://ipsilon.greyoak.com/idp/admin/providers/saml2/admin/new
  Remote-Addr: 192.168.0.26
  HOST: ipsilon.greyoak.com
  ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  ACCEPT-ENCODING: gzip, deflate
[06/Oct/2015:20:08:06] HTTP Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/lib/python2.7/site-packages/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 61, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/ipsilon/util/page.py", line 91, in __call__
    return op(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/ipsilon/login/common.py", line 289, in root
    obj()
  File "/usr/lib/python2.7/site-packages/ipsilon/providers/saml2idp.py", line 411, in idp_initiated_logout
    logout.initRequest(session.provider_id)
  File "/usr/lib64/python2.7/site-packages/lasso.py", line 6406, in initRequest
    Error.raise_on_rc(rc)
  File "/usr/lib64/python2.7/site-packages/lasso.py", line 56, in raise_on_rc
    raise exception
ServerProviderNotFoundError: <lasso.ServerProviderNotFoundError(-201): The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().>

[06/Oct/2015:20:08:06]  DEBUG(ipsilon/util/errors.py:18 Errors.handler()): ['500 Internal Server Error', 'The server encountered an unexpected condition which prevented it from fulfilling the request.', 'Traceback (most recent call last):\\n  File "/usr/lib/python2.7/site-packages/cherrypy/_cprequest.py", line 670, in respond\\n    response.body self.oldhandler(*args, **kwargs)\\n  File "/usr/lib/python2.7/site-packages/cherrypy/_cpdispatch.py", line 61, in __call__\\n    return self.callable(*self.args, **self.kwargs)\\n  File "/usr/lib/python2.7/site-packages/ipsilon/util/page.py", line 91, in __call__\\n    return op(*args, **kwargs)\\n  File "/usr/lib/python2.7/site-packages/ipsilon/login/common.py", line 289, in root\\n    obj()\\n  File "/usr/lib/python2.7/site-packages/ipsilon/providers/saml2idp.py", line 411, in idp_initiated_logout\\n    logout.initRequest(session.provider_id)\\n  File "/usr/lib64/python2.7/site-packages/lasso.py", line 6406, in initRequest\\n    Error.raise_on_rc(rc)\\n  File "/usr/lib64/python2.7/site-packages/lasso.py", line 56, in raise_on_rc\\n    raise exception\\nServerProviderNotFoundError: &lt;lasso.ServerProviderNotFoundError(-201): The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().&gt;\\n', '3.5.0']
192.168.0.26 - - [06/Oct/2015:20:08:06] "GET /idp/logout HTTP/1.1" 500 1134 "https://ipsilon.greyoak.com/idp/admin/providers/saml2/admin/new" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"

Fields changed

milestone: => 1.2
priority: major => minor

Fields changed

owner: => rcritten
status: new => accepted

To reproduce:

  • Install IdP
  • Install and register SP
  • Log in to SP as admin
  • Go to IdP and delete the SP
  • Restart httpd on the IdP
  • Logout from IdP

And a more complex scenario that exercises other areas of logout:

  • Install IdP
  • Install and register SP1
  • Install and register SP2
  • Log into SP1 as admin
  • Log into SP2 (SSO)
  • Go to IdP and delete SP2
  • Restart httpd on the IdP
  • Logout from IdP

This will again trigger a stacktrace in logout in the call to logout.initRequest() because the SP is unknown.

And another scenarion worth testing:

  • Install IdP
  • Install and register SP1
  • Install and register SP2
  • Log into SP2 as admin
  • Log into SP1 (SSO)
  • Go to IdP and delete SP1
  • Restart httpd on the IdP
  • Logout from SP1

It should fail.

I considered going ahead and trying to logout the other sessions but this would be a way to force logout of others by supplying an invalid logout request or response to the IdP from an unknown/invalid SP.

Note that deleting the SP as a non-admin user was fixed in ticket #194, CVE-2015-5301

https://pagure.io/ipsilon/pull-request/62

patch_available: 0 => 1

master: 67d0db7

resolution: => fixed
status: accepted => closed

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: 1.2

2 years ago

Login to comment on this ticket.

Metadata