OpenAM Agents
AMAGENTS-1167

C Agent 5 does not ignore path info although it is enabled for policy evaluation


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.0.0.0
    • Fix Version/s: 5.0.0.0
    • Component/s: Web Agents
    • Labels:
    • Environment:
      Centos 6.9 / Apache 2.4.28 / OpenAM Web Agent for Apache Server 2.4.x 64bit, Version: 5.0.0-SNAPSHOT, Revision: 12cec1b, Build machine: delacroix, Build date: Oct 12 2017 07:07:51

      Description

      C Agent 5 does not ignore path info although it is enabled for policy evaluation.

      Steps to reproduce

      1.) Enable Ignore Path Info:
      <Agent Profile> / Miscellaneous / Ignore Path Info in Request URL = true
      2.) Set a policy (in my case): http://centos6-64.example.com:80/*.gif
      3.) Hit a page with path info (/test.gif), http://centos6-64.example.com:80/index.html/test.gif, and log in

      Observed Result:

      Access was allowed and a 404 was returned because /index.html/test.gif does not exist

      Expected Result:

      Access forbidden; the path info should be removed from the URL for policy evaluation, and the URL
      http://centos6-64.example.com:80/index.html
      does not match the policy rule
      http://centos6-64.example.com:80/*.gif

      As can be seen from the following debug log, the path info is recognized, but it is not stripped for policy evaluation:
      pathinfo: /test.gif
      ...
      POST /am/json/realms/root/policies?_action=evaluate HTTP/1.1
      "resources":["http://centos6-64.example.com:80/index.html/test.gif"]

      Complete agent debug log:

      2017-10-12 09:12:19.834 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:263] setup_request_data(): client ip: 192.168.56.1
      2017-10-12 09:12:19.834 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:302] setup_request_data(): client hostname: (empty)
      2017-10-12 09:12:19.834 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:310] setup_request_data(): original request url: http://centos6-64.example.com/index.html/test.gif
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:398] setup_request_data(): 
      method: GET 
      original url: http://centos6-64.example.com/index.html/test.gif
      proto: http
      host: centos6-64.example.com
      port: 80
      path: /index.html/test.gif
      query: 
      complete: http://centos6-64.example.com:80/index.html/test.gif
      overridden: http://centos6-64.example.com:80/index.html/test.gif
      pathinfo: /test.gif
      normalized (pathinfo removed): http://centos6-64.example.com:80/index.html
      overridden (pathinfo removed): http://centos6-64.example.com:80/index.html
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:426] validate_url():
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:443] validate_url(): request url validation feature is not enabled
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:452] validate_fqdn_access():
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:455] validate_fqdn_access(): feature is not enabled
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/oidc.c:375] header {"typ":"JWT","alg":"RS256"} (27)
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/oidc.c:408] JWT {"sub":"demo","auditTrackingId":"b938571f-5cc0-4445-a665-52b8f0ed18dd-7726","iss":"http://centos6-64.example.com:8080/am/oauth2","tokenName":"id_token","nonce":"4233c387758b8c99dca0dad1b6279039","aud":"apache24","s_hash":"k920GSjW-t0geHRABch2LA","azp":"apache24","auth_time":1507792154,"forgerock":{"ssotoken":"ugdkQBHoSwQa_Lymwe_wovUuTB4.*AAJTSQACMDEAAlNLABxoSDhxd3J1Z1VobFZKNDExdFRXSExOV3dBdHM9AAJTMQAA*","suid":"b938571f-5cc0-4445-a665-52b8f0ed18dd-7632"},"realm":"/","exp":1507828154,"tokenType":"JWTToken","iat":1507792154,"agent_realm":"/"}
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:671] handle_not_enforced(): client ip address 192.168.56.1 does not match 
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:697] handle_not_enforced(): validating http://centos6-64.example.com:80/index.html/test.gif
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:818] handle_not_enforced(): extended not enforced url validation feature is not enabled
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:821] handle_not_enforced(): http://centos6-64.example.com:80/index.html/test.gif is enforced
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:1138] session cache: interval expires
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/utility.c:1648] am_timer(): getaddrinfo took 0 seconds
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/net.c:85] net_connect(): connected to centos6-64.example.com:8080 (IPv4)
      2017-10-12 09:12:19.835 +0200   DEBUG [0x7ff87e1fc700:2583][source/sdk_base.c:170] http request to centos6-64.example.com..
      POST /am/json/realms/root/sessions?_action=getSessionInfo&tokenId=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZW1vIiwiYXVkaXRUcmFja2luZ0lkIjoiYjkzODU3MWYtNWNjMC00NDQ1LWE2NjUtNTJiOGYwZWQxOGRkLTc3MjYiLCJpc3MiOiJodHRwOi8vY2VudG9zNi02NC5leGFtcGxlLmNvbTo4MDgwL2FtL29hdXRoMiIsInRva2VuTmFtZSI6ImlkX3Rva2VuIiwibm9uY2UiOiI0MjMzYzM4Nzc1OGI4Yzk5ZGNhMGRhZDFiNjI3OTAzOSIsImF1ZCI6ImFwYWNoZTI0Iiwic19oYXNoIjoiazkyMEdTalctdDBnZUhSQUJjaDJMQSIsImF6cCI6ImFwYWNoZTI0IiwiYXV0aF90aW1lIjoxNTA3NzkyMTU0LCJmb3JnZXJvY2siOnsic3NvdG9rZW4iOiJ1Z2RrUUJIb1N3UWFfTHltd2Vfd292VXVUQjQuKkFBSlRTUUFDTURFQUFsTkxBQnhvU0RoeGQzSjFaMVZvYkZaS05ERXhkRlJYU0V4T1YzZEJkSE05QUFKVE1RQUEqIiwic3VpZCI6ImI5Mzg1NzFmLTVjYzAtNDQ0NS1hNjY1LTUyYjhmMGVkMThkZC03NjMyIn0sInJlYWxtIjoiLyIsImV4cCI6MTUwNzgyODE1NCwidG9rZW5UeXBlIjoiSldUVG9rZW4iLCJpYXQiOjE1MDc3OTIxNTQsImFnZW50X3JlYWxtIjoiLyJ9.aR7SdAnHDzTsGj9N1wMHnIdadUXN5QddjDgIE-wHE4Q2iKbJ8J2EQR5QL7-w7VWa2hw8ExPN83RK-9uIqwQql6hVhf5dJX-J8qh0JCqege-_JnG3iTv-DcLGqVs9JbDNdMmRqCxTqIO3flQP_5FlLS0MhgqaKW34MH7pgQ60tbi3LKBQc_7Vag10SkpfNTSOzPXTMNxfeR91u2roSja2OKNCxISG8AHsnX3nri5JnIccHEUPzhBCWHh4okcx6z03Pk45sZywQZYMXdokARypPvYlcJcbet7LI2e7uZ-Z9tPGP7cWHKgXe9dwaZsqJQRGaN3Otc8oenxwiDnFbI3eKA HTTP/1.1
      Host: centos6-64.example.com:8080
      User-Agent: OpenAM Web Agent/5.0.0-SNAPSHOT
      Accept: application/json
      Connection: Close
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: resource=2.0, protocol=1.0
      iPlanetDirectoryPro: 1aWdYY35acnjOS4QgyRLHFzeM1U.*AAJTSQACMDEAAlNLABxuYkZINkdmcm9Ncjc4eUw1a2VWTkdBamhBOFE9AAJTMQAA*
      X-ForgeRock-TransactionId: bb35e09e-14d7-024b-8c2d-df2a3624b2dd/1
      Content-length: 61
      
      {"properties":["Host","UserToken","sunIdentityUserPassword"]}
      2017-10-12 09:12:19.854 +0200   DEBUG [0x7ff87e1fc700:2583][source/sdk_base.c:200] http response 200 from centos6-64.example.com...
      {"username":"demo","universalId":"id=demo,ou=user,dc=openam,dc=forgerock,dc=org","realm":"/","latestAccessTime":"2017-10-12T07:12:19Z","maxIdleExpirationTime":"2017-10-12T09:12:19Z","maxSessionExpirationTime":"2017-10-12T17:09:13Z","properties":{"Locale":"en_US","authInstant":"2017-10-12T07:09:14Z","Organization":"dc=openam,dc=forgerock,dc=org","UserProfile":"Required","Principals":"demo","successURL":"/am/console","CharSet":"UTF-8","Service":"ldapService","Host":"192.168.56.1","FullLoginURL":"/am/UI/Login?goto=http%3A%2F%2Fcentos6-64.example.com%3A8080%2Fam%2Foauth2%2Fauthorize%3Frealm%3D%252F%26response_type%3Did_token%26scope%3Dopenid%26client_id%3Dapache24%26redirect_uri%3Dhttp%253A%252F%252Fcentos6-64.example.com%253A80%252Fagent%252Fcdsso-oauth2%26state%3D9a9c6b5e-6c85-3a4b-8b0c-f98624405f6a%26nonce%3D4233c387758b8c99dca0dad1b6279039%26response_mode%3Dform_post%26agent_provider%3Dtrue&realm=%2F","AuthLevel":"0","clientType":"genericHTML","AMCtxId":"b938571f-5cc0-4445-a665-52b8f0ed18dd-7632","loginURL":"/am/UI/Login","UserId":"demo","AuthType":"DataStore","sun.am.UniversalIdentifier":"id=demo,ou=user,dc=openam,dc=forgerock,dc=org","amlbcookie":"01","HostName":"192.168.56.1","Principal":"id=demo,ou=user,dc=openam,dc=forgerock,dc=org","UserToken":"demo"}}
      2017-10-12 09:12:19.854 +0200   DEBUG [0x7ff87e1fc700:2583][source/utility.c:1648] am_timer(): getaddrinfo took 0 seconds
      2017-10-12 09:12:19.854 +0200   DEBUG [0x7ff87e1fc700:2583][source/net.c:85] net_connect(): connected to centos6-64.example.com:8080 (IPv4)
      2017-10-12 09:12:19.854 +0200   DEBUG [0x7ff87e1fc700:2583][source/sdk_base.c:170] http request to centos6-64.example.com..
      GET /am/json/realms/root/users/demo HTTP/1.1
      Host: centos6-64.example.com:8080
      User-Agent: OpenAM Web Agent/5.0.0-SNAPSHOT
      Accept: application/json
      Connection: Close
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: resource=3.0, protocol=1.0
      iPlanetDirectoryPro: 1aWdYY35acnjOS4QgyRLHFzeM1U.*AAJTSQACMDEAAlNLABxuYkZINkdmcm9Ncjc4eUw1a2VWTkdBamhBOFE9AAJTMQAA*
      X-ForgeRock-TransactionId: bb35e09e-14d7-024b-8c2d-df2a3624b2dd/2
      
      
      2017-10-12 09:12:19.863 +0200   DEBUG [0x7ff87e1fc700:2583][source/sdk_base.c:200] http response 200 from centos6-64.example.com...
      {"username":"demo","realm":"/","uid":["demo"],"universalid":["id=demo,ou=user,dc=openam,dc=forgerock,dc=org"],"objectClass":["iplanet-am-managed-person","inetuser","sunFederationManagerDataStore","sunFMSAML2NameIdentifier","devicePrintProfilesContainer","inetorgperson","sunIdentityServerLibertyPPService","iPlanetPreferences","pushDeviceProfilesContainer","iplanet-am-user-service","forgerock-am-dashboard-service","organizationalperson","top","kbaInfoContainer","sunAMAuthAccountLockout","person","oathDeviceProfilesContainer","iplanet-am-auth-configuration-service"],"dn":["uid=demo,ou=people,dc=openam,dc=forgerock,dc=org"],"inetUserStatus":["Active"],"cn":["demo"],"sn":["demo"],"createTimestamp":["20171010073023Z"]}
      2017-10-12 09:12:19.864 +0200   DEBUG [0x7ff87e1fc700:2583][source/utility.c:1648] am_timer(): getaddrinfo took 0 seconds
      2017-10-12 09:12:19.864 +0200   DEBUG [0x7ff87e1fc700:2583][source/net.c:85] net_connect(): connected to centos6-64.example.com:8080 (IPv4)
      2017-10-12 09:12:19.864 +0200   DEBUG [0x7ff87e1fc700:2583][source/sdk_base.c:170] http request to centos6-64.example.com..
      POST /am/json/realms/root/policies?_action=evaluate HTTP/1.1
      Host: centos6-64.example.com:8080
      User-Agent: OpenAM Web Agent/5.0.0-SNAPSHOT
      Accept: application/json
      Connection: Close
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: resource=2.0, protocol=1.0
      iPlanetDirectoryPro: 1aWdYY35acnjOS4QgyRLHFzeM1U.*AAJTSQACMDEAAlNLABxuYkZINkdmcm9Ncjc4eUw1a2VWTkdBamhBOFE9AAJTMQAA*
      X-ForgeRock-TransactionId: bb35e09e-14d7-024b-8c2d-df2a3624b2dd/3
      Content-length: 1290
      
      {"subject":{"ssoToken":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZW1vIiwiYXVkaXRUcmFja2luZ0lkIjoiYjkzODU3MWYtNWNjMC00NDQ1LWE2NjUtNTJiOGYwZWQxOGRkLTc3MjYiLCJpc3MiOiJodHRwOi8vY2VudG9zNi02NC5leGFtcGxlLmNvbTo4MDgwL2FtL29hdXRoMiIsInRva2VuTmFtZSI6ImlkX3Rva2VuIiwibm9uY2UiOiI0MjMzYzM4Nzc1OGI4Yzk5ZGNhMGRhZDFiNjI3OTAzOSIsImF1ZCI6ImFwYWNoZTI0Iiwic19oYXNoIjoiazkyMEdTalctdDBnZUhSQUJjaDJMQSIsImF6cCI6ImFwYWNoZTI0IiwiYXV0aF90aW1lIjoxNTA3NzkyMTU0LCJmb3JnZXJvY2siOnsic3NvdG9rZW4iOiJ1Z2RrUUJIb1N3UWFfTHltd2Vfd292VXVUQjQuKkFBSlRTUUFDTURFQUFsTkxBQnhvU0RoeGQzSjFaMVZvYkZaS05ERXhkRlJYU0V4T1YzZEJkSE05QUFKVE1RQUEqIiwic3VpZCI6ImI5Mzg1NzFmLTVjYzAtNDQ0NS1hNjY1LTUyYjhmMGVkMThkZC03NjMyIn0sInJlYWxtIjoiLyIsImV4cCI6MTUwNzgyODE1NCwidG9rZW5UeXBlIjoiSldUVG9rZW4iLCJpYXQiOjE1MDc3OTIxNTQsImFnZW50X3JlYWxtIjoiLyJ9.aR7SdAnHDzTsGj9N1wMHnIdadUXN5QddjDgIE-wHE4Q2iKbJ8J2EQR5QL7-w7VWa2hw8ExPN83RK-9uIqwQql6hVhf5dJX-J8qh0JCqege-_JnG3iTv-DcLGqVs9JbDNdMmRqCxTqIO3flQP_5FlLS0MhgqaKW34MH7pgQ60tbi3LKBQc_7Vag10SkpfNTSOzPXTMNxfeR91u2roSja2OKNCxISG8AHsnX3nri5JnIccHEUPzhBCWHh4okcx6z03Pk45sZywQZYMXdokARypPvYlcJcbet7LI2e7uZ-Z9tPGP7cWHKgXe9dwaZsqJQRGaN3Otc8oenxwiDnFbI3eKA"},"application":"iPlanetAMWebAgentService","resources":["http://centos6-64.example.com:80/index.html/test.gif"],"environment":{"requestIp":["192.168.56.1"]}}
      2017-10-12 09:12:19.878 +0200   DEBUG [0x7ff87e1fc700:2583][source/sdk_base.c:200] http response 200 from centos6-64.example.com...
      [{"advices":{},"ttl":9223372036854775807,"resource":"http://centos6-64.example.com:80/index.html/test.gif","actions":{"POST":true,"GET":true},"attributes":{}}]
      2017-10-12 09:12:19.879 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:1052] scan_policy_decisions(): method: GET, decision: allow
      2017-10-12 09:12:19.879 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:2033] handle_exit(): (entry status: success)
      2017-10-12 09:12:19.879 +0200   DEBUG [0x7ff87e1fc700:2583][source/request.c:1580] set_user_attributes(): all set user attribute options are set to none
      2017-10-12 09:12:19.879 +0200   DEBUG [0x7ff87e1fc700:2583][source/apache/agent.c:873] amagent_auth_handler(): exit status: success (0)
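The following Python is an added illustration, not code from the OpenAM web agent or from this report. It models the two evaluation paths the debug log contrasts: the agent computes a "normalized (pathinfo removed)" URL, but the resource it posts to /policies?_action=evaluate is still the full URL, so the *.gif rule matches it. The wildcard matcher is a simplification (assumption: `*` matches any run of characters, `/` included; OpenAM's `-*-` form and query handling are left out), and the `as_reported` flag is a modelling device for the observed behaviour, not an agent option.

```python
"""Added example; not OpenAM web agent code.

Shows why stripping PATH_INFO before policy evaluation changes the decision
for the URLs in this report.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Values taken from the debug log in the report.
RULE = "http://centos6-64.example.com:80/*.gif"
REQUEST_URL = "http://centos6-64.example.com:80/index.html/test.gif"
PATH_INFO = "/test.gif"
NORMALIZED_URL = "http://centos6-64.example.com:80/index.html"


def strip_path_info(url: str, path_info: str) -> str:
    """Remove the trailing PATH_INFO the web server reported for the request.

    Mirrors the 'normalized (pathinfo removed)' line of the log:
    .../index.html/test.gif with pathinfo /test.gif -> .../index.html
    """
    parts = urlsplit(url)
    path = parts.path
    if path_info and path.endswith(path_info):
        path = path[: -len(path_info)]
    return urlunsplit((parts.scheme, parts.netloc, path or "/", parts.query, parts.fragment))


def rule_matches(rule: str, resource: str) -> bool:
    """Toy URL-resource wildcard match (assumption, not OpenAM's real matcher).

    '*' matches any run of characters, '/' included, which is why '/*.gif'
    covers '/index.html/test.gif'.
    """
    pattern = ".*".join(re.escape(chunk) for chunk in rule.split("*"))
    return re.fullmatch(pattern, resource) is not None


def resource_for_evaluation(url: str, path_info: str, ignore_path_info: bool,
                            *, as_reported: bool = False) -> str:
    """Resource string the agent puts in the policy evaluate request.

    as_reported=True reproduces the log: the normalized URL is computed but the
    un-normalized one is sent regardless of the Ignore Path Info setting.
    """
    if ignore_path_info and not as_reported:
        return strip_path_info(url, path_info)
    return url


def decide(rule: str, url: str, path_info: str, ignore_path_info: bool,
           *, as_reported: bool = False) -> tuple:
    """Return (decision, evaluated resource) for a GET when only `rule` applies."""
    resource = resource_for_evaluation(url, path_info, ignore_path_info, as_reported=as_reported)
    return ("allow" if rule_matches(rule, resource) else "deny"), resource


if __name__ == "__main__":
    # Observed result: the full URL is evaluated and the *.gif rule allows it.
    print("as reported:", decide(RULE, REQUEST_URL, PATH_INFO, True, as_reported=True))
    # Expected result: path info stripped, /index.html does not match *.gif.
    print("expected:   ", decide(RULE, REQUEST_URL, PATH_INFO, True))
```

Run it directly to see the two decisions side by side. The point the report makes is visible in the second call: once the trailing path-info segment is removed, the evaluated resource is `/index.html`, which the `*.gif` rule does not cover, so the agent should deny rather than forward a request that only matched because of the appended segment.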
      


            People

            Assignee:
            Nicholas James (nick.james)
            Reporter:
            Richard Hruza (richard.hruza)
            QA Assignee:
            Richard Hruza
            Votes:
            0
            Watchers:
            1
