Ubuntu
lasso package

Merge ~dmitriis/ubuntu/+source/lasso:1833299-bionic-devel-paos-ecp-destination into ubuntu/+source/lasso:ubuntu/bionic-devel

  1. Git
  2. lp:~dmitriis/ubuntu/+source/lasso
  3. 1833299-bionic-devel-paos-ecp-destination
  4. Merge into ubuntu/bionic-devel
Proposed by Dmitrii Shcherbakov
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 376cd4bbf598f4298509b9b1bc18a35f680ca978
Merge reported by: Christian Ehrhardt 
Merged at revision: 376cd4bbf598f4298509b9b1bc18a35f680ca978
Proposed branch: ~dmitriis/ubuntu/+source/lasso:1833299-bionic-devel-paos-ecp-destination
Merge into: ubuntu/+source/lasso:ubuntu/bionic-devel
Diff against target: 117 lines (+97/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/PAOS-Do-not-populate-Destination-attribute.patch (+89/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Pending
git-ubuntu developers Pending
Review via email: mp+369738@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi Dmitri,
I can't do a full review yet, but I have skimmed over things and have a few questions upfront that would block others as well I think.

Changing the source directly will not work but we could convert that for you if needed.
You'll need to use changes in debian/patches/ using (d)quilt.

More importantly this seems to become a maintenance dept forever.
Could you add references that one would add on patch headers
Especially the source of the changes is of interest, to know when we can drop having Delta.

(same applies to the other branches)

To help here my template - pick what applies from below and add it when creating a proper patch in debian/patches/..

--- for own changes ---
Description: <todo-desc>
 long-text
Forwarded: yes/no/not-needed(explain in the desc why)
Author: Christian Ehrhardt <email address hidden>
Origin: <todo-URL-to-git or similar>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/<todo-bug>
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=<todo-bug>
Last-Update: 2019-03-17

--- for backports ---
<Carry description from source>

# IF MODIFIED
Author: Christian Ehrhardt <email address hidden>
Original-Author: <todo-author>
Origin: backport, <todo-URL-to-git>
# OTHERWISE
Origin: upstream, <todo-URL-to-git>

Bug-Ubuntu: https://bugs.launchpad.net/bugs/<todo-bug>
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=<todo-bug>
Last-Update: 2019-05-19

--- for external fixes that are brough upstream by 3rd party ---
<Carry description from source>
Forwarded: yes/no/not-needed(explain in the desc why)
Author: TODO
Origin: url (explain in desc why this is uncommon e.g. no upstream repo)
Bug-Ubuntu: https://bugs.launchpad.net/bugs/<todo-bug>
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=<todo-bug>
Last-Update: 2019-05-19

review: Needs Fixing
Revision history for this message
Dmitrii Shcherbakov (dmitriis) wrote :

> Especially the source of the changes is of interest, to know when we can drop having Delta.

Yes, the source of changes is this patch:
https://dev.entrouvert.org/projects/lasso/repository/revisions/1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56/diff
https://dev.entrouvert.org/issues/34409

The fix should appear in releases >2.6.0 upstream.

I can convert this to a patch and place it under debian/patches/ and add patch headers.

~dmitriis/ubuntu/+source/lasso:1833299-bionic-devel-paos-ecp-destination updated
376cd4b... by Dmitrii Shcherbakov

PAOS: Do not populate "Destination" attribute

When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
populates an AuthnRequest with the "Destination" attribute set to
AssertionConsumerURL of an SP - this leads to IdP-side errors because
the destination attribute in the request does not match the IdP URL.

The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
Post bindings when AuthRequests are signed per saml-bindings-2.0-os
(sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
avoid setting that optional attribute because an ECP decides which IdP
to use, not the SP.

This patch was merged upstream: https://dev.entrouvert.org/issues/34409

New changelog entries:

* d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
  "Destination" attribute (LP: #1833299)

Revision history for this message
Dmitrii Shcherbakov (dmitriis) wrote :

Christian,

Updated the change with the patch moved under debian/patches.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks for updating this and the other branches.
To further polish you might mention the name of the patch in the changelog.
Like:
  * d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate "Destination" attribute (LP: #1833299)

Further you don't need the [ Name ] on top of the changes, a sponsor would create that if he replaces your name at the bottom.

But both of these are "style" and no show stopper.
It LGTM now.

I'll +1 on all MPs but you'll also need a SRU template on the bug before this can be sponsored for pre-Eoan.

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks for adding the requested details, e.g. SRU template.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Same FYI as on Eoan, changelog and functional commit should be split and target release not be "UNRELEASED".

ANd in this case versioning will not increment the first number after ubuntu to 2 but become 1.1 in this SRU case.

I recommend reading https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation
For now on this MP I have all fixed up prior to the upload.

tag: upload/2.5.1-0ubuntu1.1

Tagged and sponsored into SRU queue.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index dc3e645..85960e6 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+lasso (2.5.1-0ubuntu2) UNRELEASED; urgency=high
7+
8+ * d/p/PAOS-Do-not-populate-Destination-attribute.patch: Do not populate
9+ "Destination" attribute (LP: #1833299)
10+
11+ -- Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com> Thu, 04 Jul 2019 18:42:56 -0500
12+
13 lasso (2.5.1-0ubuntu1) bionic; urgency=medium
14
15 * New upstream stable point release.
16diff --git a/debian/patches/PAOS-Do-not-populate-Destination-attribute.patch b/debian/patches/PAOS-Do-not-populate-Destination-attribute.patch
17new file mode 100644
18index 0000000..459603d
19--- /dev/null
20+++ b/debian/patches/PAOS-Do-not-populate-Destination-attribute.patch
21@@ -0,0 +1,89 @@
22+Description: PAOS: Do not populate "Destination" attribute
23+ When ECP profile (saml-ecp-v2.0-cs01) is used with PAOS binding Lasso
24+ populates an AuthnRequest with the "Destination" attribute set to
25+ AssertionConsumerURL of an SP - this leads to IdP-side errors because
26+ the destination attribute in the request does not match the IdP URL.
27+
28+ The "Destination" attribute is mandatory only for HTTP Redirect and HTTP
29+ Post bindings when AuthRequests are signed per saml-bindings-2.0-os
30+ (sections 3.4.5.2 and 3.5.5.2). Specifically for PAOS it makes sense to
31+ avoid setting that optional attribute because an ECP decides which IdP
32+ to use, not the SP.
33+Author: Dmitrii Shcherbakov <dmitrii.shcherbakov@canonical.com>
34+Origin: upstream, https://repos.entrouvert.org/lasso.git/commit/?id=1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56
35+Bug: https://dev.entrouvert.org/issues/34409
36+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lasso/+bug/1833299
37+Applied-Upstream: https://repos.entrouvert.org/lasso.git/commit/?id=1e85f1b2bd30c0d93b4a2ef37b35abeae3d15b56
38+Reviewed-by: Benjamin Dauvergne <bdauvergne@entrouvert.com>
39+Reviewed-by: John Dennis <jdennis@redhat.com>
40+Last-Update: 2019-07-06
41+---
42+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
43+--- a/lasso/saml-2.0/login.c
44++++ b/lasso/saml-2.0/login.c
45+@@ -222,7 +222,7 @@
46+ gint
47+ lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
48+ {
49+- char *url = NULL;
50++ char *assertionConsumerServiceURL = NULL;
51+ gboolean must_sign = TRUE;
52+ LassoProfile *profile;
53+ LassoSamlp2AuthnRequest *authn_request;
54+@@ -247,29 +247,29 @@
55+ }
56+
57+ if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
58+-
59+ /*
60+ * PAOS is special, the url passed to build_request is the
61+ * AssertionConsumerServiceURL of this SP, not the
62+- * destination.
63++ * destination IdP URL. This is done to fill paos:responseConsumerURL
64++ * appropriately down the line in build_request_msg.
65++ * See https://dev.entrouvert.org/issues/34409 for more information.
66+ */
67+ if (authn_request->AssertionConsumerServiceURL) {
68+- url = authn_request->AssertionConsumerServiceURL;
69++ assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL;
70+ if (!lasso_saml20_provider_check_assertion_consumer_service_url(
71+- LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
72++ LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) {
73+ rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
74+ goto cleanup;
75+ }
76+ } else {
77+- url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
78++ assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
79+ LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
80+- lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
81++ lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL);
82+ }
83+ }
84+
85+-
86+ lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
87+- login->http_method, url));
88++ login->http_method, assertionConsumerServiceURL));
89+
90+ cleanup:
91+ return rc;
92+--- a/lasso/saml-2.0/profile.c
93++++ b/lasso/saml-2.0/profile.c
94+@@ -968,7 +968,15 @@
95+ made_url = url = get_url(provider, service, http_method_to_binding(method));
96+ }
97+
98+- if (url) {
99++
100++ // Usage of the Destination attribute on a request is mandated only
101++ // in "3.4.5.2" and "3.5.5.2" in saml-bindings-2.0-os for signed requests
102++ // and is marked as optional in the XSD schema otherwise.
103++ // PAOS is a special case because an SP does not select an IdP - ECP does
104++ // it instead. Therefore, this attribute needs to be left unpopulated.
105++ if (method == LASSO_HTTP_METHOD_PAOS) {
106++ lasso_release_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination);
107++ } else if (url) {
108+ lasso_assign_string(((LassoSamlp2RequestAbstract*)profile->request)->Destination,
109+ url);
110+ } else {
111diff --git a/debian/patches/series b/debian/patches/series
112index 90e7b19..da56810 100644
113--- a/debian/patches/series
114+++ b/debian/patches/series
115@@ -1 +1,2 @@
116+PAOS-Do-not-populate-Destination-attribute.patch
117 Use-INSTALLDIRS-vendor-for-the-Perl-bindings-as-per-.patch

Subscribers

People subscribed via source and target branches