Ticket #1131 (closed defect: fixed)

Opened 9 years ago

Last modified 9 years ago

Error in AuthorisationService when calling from GridFTP SAML callout

Reported by: spascoe Owned by: pjkersha
Priority: major Milestone:
Component: component1 Version:
Keywords: Cc:

Description (last modified by spascoe)

The apache error log shows the following when I configure the GridFTP SAML callout to contact https://sandstorm.ceda.ac.uk/AuthorisationService/1/. So far I have not been able to capture the request but this looks like an internal error that should be trapped.

[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] client denied by server configuration: /srv/www/vhosts/sandstorm.ceda.ac.uk/htdocs/
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] mod_wsgi (pid=3535): Exception occurred processing WSGI script '/srv/www/vhosts/sandstorm.ceda.ac.uk/wsgi-scripts/authorisationservice_dap.wsgi'.
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] Traceback (most recent call last):
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207]   File "/usr/local/ndg-security/eggs/ndg_security_server-2.2.0-py2.6.egg/ndg/security/server/wsgi/authz/service.py", line 122, in __call__
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207]     return self._app(environ, start_response)
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207]   File "/usr/local/ndg-security/eggs/ndg_saml-0.5.5-py2.6.egg/ndg/saml/saml2/binding/soap/server/wsgi/queryinterface.py", line 402, in __call__
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207]     samlQuery = self.deserialise(queryElem)
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207]   File "/usr/local/ndg-security/eggs/ndg_saml-0.5.5-py2.6.egg/ndg/saml/xml/etree.py", line 1832, in fromXML
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207]     action = ActionElementTree.fromXML(childElem)
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207]   File "/usr/local/ndg-security/eggs/ndg_saml-0.5.5-py2.6.egg/ndg/saml/xml/etree.py", line 1710, in fromXML
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207]     action.namespace = namespace
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207]   File "/usr/local/ndg-security/eggs/ndg_saml-0.5.5-py2.6.egg/ndg/saml/saml2/core.py", line 2891, in _setNamespace
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207]     self.__actionTypes.keys())
[Fri Oct 14 16:15:49 2011] [error] [client 130.246.191.207] TypeError: not enough arguments for format string

Change History

comment:1 Changed 9 years ago by spascoe

  • Description modified

The request was:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:protocol">
  <SOAP-ENV:Body>
    <ns1:AuthzDecisionQuery Resource="gsiftp://cmip-bdm1.badc.rl.ac.uk//esg_dataroot/test/sftlf.nc" IssueInstant="2011-10-14T15:26:08Z" Version="2.0" ID="140736355764416">
      <ns2:Subject>
        <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">https://ceda.ac.uk/openid/Stephen.Pascoe</ns2:NameID>
      </ns2:Subject>
      <ns2:Action Namespace="urn:oasis:names:tc:SAML:2.0:assertion">Read</ns2:Action>
    </ns1:AuthzDecisionQuery>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

comment:2 follow-up: ↓ 3 Changed 9 years ago by spascoe

Fix applied in changeset:7938. Not tested yet.

comment:3 in reply to: ↑ 2 Changed 9 years ago by spascoe

Replying to spascoe:

Fix applied in changeset:7938. Not tested yet.

Correction changeset:7939

comment:4 Changed 9 years ago by spascoe

  • Status changed from new to assigned
  • Owner changed from somebody to pjkersha

This doesn't fix the underlying problem that the namespace action type is not recognised.

The request has Namespace="urn:oasis:names:tc:SAML:2.0:assertion" which looks right in this context. However other SAML requests I've seen haven't used this attribute.

Is the request correct or is this a feature missing from NDGSecurity?

comment:5 Changed 9 years ago by pjkersha

  • Status changed from assigned to closed
  • Resolution set to fixed

This is a bug in the GridFTP callout. It should be passed on to Neill.

urn:oasis:names:tc:SAML:2.0:assertion is the assertion namespace rather than an action namespace. The SAML 2.0 core spec gives a number of alternative namespaces. For ESGF we omit it to get the default, urn:oasis:names:tc:SAML:1.0:action:rwedc-negation. This defines a constrained vocab of values for the action:

Read Write Execute Delete Control ~Read ~Write ~Execute ~Delete ~Control
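An added example (not ndg_saml's or the GridFTP callout's own code) of the check described in the comment above: the Action element's Namespace must be one of the SAML 2.0 action namespaces, defaults to rwedc-negation when omitted, and an unrecognised value is reported with a properly formatted message instead of failing inside the error formatting as the traceback shows. The request strings, ActionError, validate_action, actions_from_request and action_error are constructed for this example; only the rwedc and rwedc-negation namespaces are modelled.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Action namespaces and vocabularies from the SAML 2.0 core spec (ghpp and unix omitted here).
RWEDC = ("Read", "Write", "Execute", "Delete", "Control")
ACTION_TYPES = {
    "urn:oasis:names:tc:SAML:1.0:action:rwedc": frozenset(RWEDC),
    "urn:oasis:names:tc:SAML:1.0:action:rwedc-negation": frozenset(RWEDC + tuple("~" + a for a in RWEDC)),
}
DEFAULT_ACTION_NS = "urn:oasis:names:tc:SAML:1.0:action:rwedc-negation"  # applies when Namespace is omitted

class ActionError(ValueError):
    """Raised for an Action element the service cannot interpret."""

def validate_action(namespace, value):
    """Return (namespace, value) for a well-formed Action, else raise ActionError."""
    ns = namespace or DEFAULT_ACTION_NS
    if ns not in ACTION_TYPES:
        # The ticket's TypeError came from a malformed format string at this point;
        # supplying every argument lets the real cause reach the caller and the log.
        raise ActionError("unknown action namespace %r; expected one of %s" % (ns, sorted(ACTION_TYPES)))
    if value not in ACTION_TYPES[ns]:
        raise ActionError("action %r not in vocabulary of %s" % (value, ns))
    return ns, value

def actions_from_request(xml_text):
    """Extract and validate every Action in a SOAP-wrapped AuthzDecisionQuery."""
    query = ET.fromstring(xml_text).find(".//{%s}AuthzDecisionQuery" % SAMLP_NS)
    if query is None:
        raise ActionError("request carries no AuthzDecisionQuery")
    return [validate_action(a.get("Namespace"), (a.text or "").strip())
            for a in query.findall("{%s}Action" % SAML_NS)]

def action_error(xml_text):
    """Return the rejection message for a request, or None if it validates."""
    try:
        actions_from_request(xml_text)
    except ActionError as err:
        return str(err)
    return None

# Constructed requests: BAD_REQUEST mirrors the ticket (assertion namespace given as the
# action namespace); GOOD_REQUEST omits Namespace so the ESGF default applies.
_ENVELOPE = ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s" xmlns:ns1="%s" xmlns:ns2="%s"><SOAP-ENV:Body>'
             '<ns1:AuthzDecisionQuery Resource="gsiftp://example.invalid/x.nc" Version="2.0" ID="_1">'
             '%%s</ns1:AuthzDecisionQuery></SOAP-ENV:Body></SOAP-ENV:Envelope>' % (SOAP_NS, SAMLP_NS, SAML_NS))
BAD_REQUEST = _ENVELOPE % ('<ns2:Action Namespace="%s">Read</ns2:Action>' % SAML_NS)
GOOD_REQUEST = _ENVELOPE % "<ns2:Action>Read</ns2:Action>"
```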