OpenAM Agents / AMAGENTS-2541

Policy cache mode does not work properly when * is used for parameters in policy on AIX

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.6.0.0
    • Fix Version/s: 5.6.0.0
    • Component/s: Web Agents
    • Environment:
      AIX 7 / IBM HTTP 9 /
      OpenAM Web Agent for Apache Server 2.4.x (IBM HTTP Server 9.0 64bit)
       Version: 6.0.0-SNAPSHOT
       Revision: 5cc66a5
       Build machine: renoir
       Build date: Feb 28 2019 02:51:00

      Description

      Policy cache mode does not work properly when * is used for parameters in policy on AIX

      Steps to reproduce

      1.) Install Policy agent
      2.) Create policy:

      *://*:*/*?*
      

      3.) Enable policy cache mode

      AM_POLICY_CACHE_DIR=/tmp
      AM_POLICY_CACHE_MODE=on
      

      4.) Start agent
      5.) Access the page http://agent.com/index.html?a=nothing
      Expected Result
      200 - access allowed
      Observed Result
      403 - Forbidden

      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/policy/loader.c:355) application aa, URL pattern *://*:*/*?* loaded at index 0
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/authorise.c:298) http://aix7agent.test.forgerock.com:8083/index.html?a=nothing policy match count: 0
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/authorise.c:316) local policy decision: no policy applies
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/apache/agent.c:287) set_user(): demo
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:1904) handle_exit(): (entry status: access denied)
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/apache/agent.c:891) amagent_auth_handler(): exit status: forbidden (3)
      
      Agents debug.log
      2019-02-28 13:10:57 UTC DEBUG   [86b2cb58-a18a-08bf-2100-56b001e3b904]: (source/request.c:340) setup_request_data(): client ip: 172.17.200.76
      2019-02-28 13:10:57 UTC DEBUG   [86b2cb58-a18a-08bf-2100-56b001e3b904]: (source/request.c:379) setup_request_data(): client hostname: (empty)
      2019-02-28 13:10:57 UTC DEBUG   [86b2cb58-a18a-08bf-2100-56b001e3b904]: (source/request.c:387) setup_request_data(): original request url: http://aix7agent.test.forgerock.com:8083/agent/cdsso-oauth2
      2019-02-28 13:10:57 UTC DEBUG   [86b2cb58-a18a-08bf-2100-56b001e3b904]: (source/request.c:487) setup_request_data(): 
      method: POST 
      original url: http://aix7agent.test.forgerock.com:8083/agent/cdsso-oauth2
      proto: http
      host: aix7agent.test.forgerock.com
      port: 8083
      path: /agent/cdsso-oauth2
      query: 
      complete: http://aix7agent.test.forgerock.com:8083/agent/cdsso-oauth2
      overridden: http://aix7agent.test.forgerock.com:8083/agent/cdsso-oauth2
      pathinfo: /cdsso-oauth2
      normalized (pathinfo removed): http://aix7agent.test.forgerock.com:8083/agent
      overridden (pathinfo removed): (empty)
      2019-02-28 13:10:57 UTC DEBUG   [86b2cb58-a18a-08bf-2100-56b001e3b904]: (source/request.c:509) setup_request_data(): this is an authentication response
      2019-02-28 13:10:57 UTC DEBUG   [86b2cb58-a18a-08bf-2100-56b001e3b904]: (source/request.c:1904) handle_exit(): (entry status: authentication post)
      2019-02-28 13:10:57 UTC DEBUG   [86b2cb58-a18a-08bf-2100-56b001e3b904]: (source/body_reader.c:93) create_post_body(): created file /tmp/8d18fd71-000f-c7cc-c9ab-687d3669787f
      2019-02-28 13:10:57 UTC DEBUG   [86b2cb58-a18a-08bf-2100-56b001e3b904]: (source/apache/agent.c:470) get_request_body(): processed 1268 bytes to /tmp/8d18fd71-000f-c7cc-c9ab-687d3669787f
      2019-02-28 13:10:57 UTC DEBUG   [86b2cb58-a18a-08bf-2100-56b001e3b904]: (source/body_reader.c:127) close_post_body(): reading body content to memory
      2019-02-28 13:10:57 UTC DEBUG   [86b2cb58-a18a-08bf-2100-56b001e3b904]: (source/oidc.c:411) JWT {"sub":"demo","auditTrackingId":"997b2323-cd70-46cc-a22f-364c4f12f6b5-43991","iss":"http://exotic-am2.test.forgerock.com:8080/openam/oauth2","tokenName":"id_token","nonce":"2F750813AA65B6082C786B011027852C","aud":"aix7-agent","acr":"0","s_hash":"q0Pd9Tr9892ycgRyU9DVhQ","azp":"aix7-agent","auth_time":1551359456,"forgerock":{"ssotoken":"kSVTw42_8Zx1_buudu9kWsJpZCY.*AAJTSQACMDEAAlNLABxYQzhlbThKOENGRkl6MW80NWFQcDZ3d01XNnM9AAR0eXBlAANDVFMAAlMxAAA.*","suid":"997b2323-cd70-46cc-a22f-364c4f12f6b5-43883"},"realm":"/","exp":1551366657,"tokenType":"JWTToken","iat":1551359457,"agent_realm":"/"}
      2019-02-28 13:10:57 UTC DEBUG   [86b2cb58-a18a-08bf-2100-56b001e3b904]: (source/apache/agent.c:891) amagent_auth_handler(): exit status: redirect (1)
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:340) setup_request_data(): client ip: 172.17.200.76
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:379) setup_request_data(): client hostname: (empty)
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:387) setup_request_data(): original request url: http://aix7agent.test.forgerock.com:8083/index.html?a=nothing
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:487) setup_request_data(): 
      method: GET 
      original url: http://aix7agent.test.forgerock.com:8083/index.html?a=nothing
      proto: http
      host: aix7agent.test.forgerock.com
      port: 8083
      path: /index.html
      query: ?a=nothing
      complete: http://aix7agent.test.forgerock.com:8083/index.html?a=nothing
      overridden: http://aix7agent.test.forgerock.com:8083/index.html?a=nothing
      pathinfo: 
      normalized (pathinfo removed): (empty)
      overridden (pathinfo removed): (empty)
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:538) validate_url():
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:555) validate_url(): request url validation feature is not enabled
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:564) validate_fqdn_access():
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:567) validate_fqdn_access(): feature is not enabled
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/oidc.c:411) JWT {"sub":"demo","auditTrackingId":"997b2323-cd70-46cc-a22f-364c4f12f6b5-43991","iss":"http://exotic-am2.test.forgerock.com:8080/openam/oauth2","tokenName":"id_token","nonce":"2F750813AA65B6082C786B011027852C","aud":"aix7-agent","acr":"0","s_hash":"q0Pd9Tr9892ycgRyU9DVhQ","azp":"aix7-agent","auth_time":1551359456,"forgerock":{"ssotoken":"kSVTw42_8Zx1_buudu9kWsJpZCY.*AAJTSQACMDEAAlNLABxYQzhlbThKOENGRkl6MW80NWFQcDZ3d01XNnM9AAR0eXBlAANDVFMAAlMxAAA.*","suid":"997b2323-cd70-46cc-a22f-364c4f12f6b5-43883"},"realm":"/","exp":1551366657,"tokenType":"JWTToken","iat":1551359457,"agent_realm":"/"}
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:666) handle_not_enforced(): application logout url feature is not enabled
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:806) handle_not_enforced(): not enforced client ip validation feature is not enabled
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:809) handle_not_enforced(): validating http://aix7agent.test.forgerock.com:8083/index.html?a=nothing
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:882) handle_not_enforced(): not enforced url validation feature is not enabled
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:927) handle_not_enforced(): extended not enforced url validation feature is not enabled
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:930) handle_not_enforced(): http://aix7agent.test.forgerock.com:8083/index.html?a=nothing is enforced
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/authorise.c:435) session cache: not found
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/utility.c:1401) am_timer(): getaddrinfo took 0 seconds
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/net.c:71) connection status: 55
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/net.c:115) net_connect(): connected to exotic-am2.test.forgerock.com:8080 (IPv4)
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/sdk_base.c:180) http request to exotic-am2.test.forgerock.com:8080
      POST /openam/json/realms/root/sessions?_action=getSessionInfo&tokenId=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ.….SiF2hjJokYgZOMr9NIFwglAP41y1nNCwTzn1ZqBpkOQ5Buhz367881oGPcJjJnKuIYUxtDTcAzNbpux0QPilpVHcu0TEtnjBVJMC9AntLdtcOsXQK1J8XA7ijlSIaPLcQhswwL907lTMxVobJTngXNDroFRcKY0DBC39hjlegN0tTJQGKJxuv5xIDjHSHQApITmzmUsC0HvBg656VIf9ycUHQSqneALsVRywFQTIfwM3-RhZ_YxPq6Fdd7ZgSlA54W2x2WKbGY57Dp5p9Q4GdCCSBPhV9rhDYxhideub6gOXrB-Q4cZwWhyXxTZ3TuWLpO2kvygPZZYT4LldvPVMSQ HTTP/1.1
      Host: exotic-am2.test.forgerock.com:8080
      Cookie: iPlanetDirectoryPro=1GSO1G3fdWxPv5kIWR_j5ibgZH8.*AAJTSQACMDEAAlNLABxJTkhiRk5XWnJITndJSTdYSUlwMlMzdVZsOXc9AAR0eXBlAANDVFMAAlMxAAA.*
      User-Agent: OpenAM Web Agent/6.0.0-SNAPSHOT
      Accept: application/json
      Connection: Close
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: resource=2.0, protocol=1.0
      X-ForgeRock-TransactionId: 15019fa3-80de-1362-63ac-97b1fc0dce14/1
      Content-length: 61
      
      {"properties":["Host","sunIdentityUserPassword","UserToken"]}
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/sdk_base.c:222) http response 200 from exotic-am2.test.forgerock.com:8080
      X-Frame-Options: SAMEORIGIN
      Cache-Control: no-cache
      Content-API-Version: resource=2.1
      X-Content-Type-Options: nosniff
      Content-Type: application/json;charset=UTF-8
      Content-Length: 1320
      Date: Thu, 28 Feb 2019 13:10:56 GMT
      Connection: close
      {"username":"demo","universalId":"id=demo,ou=user,dc=openam,dc=forgerock,dc=org","realm":"/","latestAccessTime":"2019-02-28T13:10:57Z","maxIdleExpirationTime":"2019-02-28T13:40:57Z","maxSessionExpirationTime":"2019-02-28T15:10:56Z","properties":{"Locale":"en_US","authInstant":"2019-02-28T13:10:56Z","Organization":"dc=openam,dc=forgerock,dc=org","UserProfile":"Required","Principals":"demo","successURL":"/openam/console","CharSet":"UTF-8","Service":"ldapService","Host":"172.17.200.76","FullLoginURL":"/openam/UI/Login?goto=http%3A%2F%2Fexotic-am2.test.forgerock.com%3A8080%2Fopenam%2Foauth2%2Fauthorize%3Fresponse_mode%3Dform_post%26state%3Da5928a7f-37d1-8646-1507-5d999866ab45%26redirect_uri%3Dhttp%253A%252F%252Faix7agent.test.forgerock.com%253A8083%252Fagent%252Fcdsso-oauth2%26response_type%3Did_token%26scope%3Dopenid%26client_id%3Daix7-agent%26agent_provider%3Dtrue%26agent_realm%3D%252F%26nonce%3D2F750813AA65B6082C786B011027852C&realm=%2F","AuthLevel":"0","clientType":"genericHTML","AMCtxId":"997b2323-cd70-46cc-a22f-364c4f12f6b5-43883","loginURL":"/openam/UI/Login","UserId":"demo","AuthType":"DataStore","sun.am.UniversalIdentifier":"id=demo,ou=user,dc=openam,dc=forgerock,dc=org","HostName":"172.17.200.76","amlbcookie":"01","Principal":"id=demo,ou=user,dc=openam,dc=forgerock,dc=org","UserToken":"demo"}}
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/utility.c:1401) am_timer(): getaddrinfo took 0 seconds
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/net.c:71) connection status: 55
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/net.c:115) net_connect(): connected to exotic-am2.test.forgerock.com:8080 (IPv4)
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/sdk_base.c:180) http request to exotic-am2.test.forgerock.com:8080
      GET /openam/json/realms/root/users/demo?_fields=Host,sunIdentityUserPassword,UserToken HTTP/1.1
      Host: exotic-am2.test.forgerock.com:8080
      Cookie: iPlanetDirectoryPro=1GSO1G3fdWxPv5kIWR_j5ibgZH8.*AAJTSQACMDEAAlNLABxJTkhiRk5XWnJITndJSTdYSUlwMlMzdVZsOXc9AAR0eXBlAANDVFMAAlMxAAA.*
      User-Agent: OpenAM Web Agent/6.0.0-SNAPSHOT
      Accept: application/json
      Connection: Close
      Content-Type: application/json; charset=UTF-8
      Accept-API-Version: resource=3.0, protocol=1.0
      X-ForgeRock-TransactionId: 15019fa3-80de-1362-63ac-97b1fc0dce14/2
      
      
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/sdk_base.c:222) http response 200 from exotic-am2.test.forgerock.com:8080
      X-Frame-Options: SAMEORIGIN
      Cache-Control: no-cache
      Content-API-Version: resource=3.0
      ETag: "1525741016"
      X-Content-Type-Options: nosniff
      Content-Type: application/json;charset=UTF-8
      Content-Length: 2
      Date: Thu, 28 Feb 2019 13:10:56 GMT
      Connection: close
      {}
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/policy/loader.c:355) application aa, URL pattern *://*:*/*?* loaded at index 0
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/authorise.c:298) http://aix7agent.test.forgerock.com:8083/index.html?a=nothing policy match count: 0
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/authorise.c:316) local policy decision: no policy applies
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/apache/agent.c:287) set_user(): demo
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/request.c:1904) handle_exit(): (entry status: access denied)
      2019-02-28 13:10:57 UTC DEBUG   [15019fa3-80de-1362-63ac-97b1fc0dce14]: (source/apache/agent.c:891) amagent_auth_handler(): exit status: forbidden (3)
      

      If I change the policy to:

      *://*:*/*?a=nothing

      and hit the page again, I get the expected behavior (access allowed).
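As an added reference, not the agent's code and not the fix for this issue, the C matcher below implements AM-style URL pattern matching so the outcome of the steps above can be checked offline. The request URL and both policy patterns are quoted from this report; the wildcard rules are my reading of the AM documentation and are an assumption: `*` matches any run of characters, `/` included, but never `?`; `-*-` matches any run containing neither `/` nor `?`; every other character, `?` included, is literal. Under those rules `*://*:*/*?*` applies to `http://aix7agent.test.forgerock.com:8083/index.html?a=nothing`, so the log's `policy match count: 0` is the anomaly. The report does not say why the AIX build diverges, and this example does not guess.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Request URL and policy patterns quoted from the report. */
#define BUG_URL       "http://aix7agent.test.forgerock.com:8083/index.html?a=nothing"
#define WIDE_POLICY   "*://*:*/*?*"
#define NARROW_POLICY "*://*:*/*?a=nothing"

/*
 * Reference matcher for AM-style URL patterns (assumed semantics, not the
 * agent's implementation):
 *   "*"    matches zero or more characters, '/' included, but never '?'
 *   "-*-"  matches zero or more characters, but neither '/' nor '?'
 *   anything else, '?' included, must match literally.
 * Plain recursive backtracking; adequate for policy-sized inputs.
 */
bool url_pattern_match(const char *pat, const char *url)
{
    if (*pat == '\0')
        return *url == '\0';

    if (strncmp(pat, "-*-", 3) == 0) {
        const char *rest = pat + 3;
        for (const char *u = url; ; u++) {
            if (url_pattern_match(rest, u))
                return true;
            if (*u == '\0' || *u == '/' || *u == '?')
                return false;          /* -*- may not swallow these */
        }
    }

    if (*pat == '*') {
        const char *rest = pat + 1;
        while (*rest == '*')           /* "**" behaves like "*" */
            rest++;
        for (const char *u = url; ; u++) {
            if (url_pattern_match(rest, u))
                return true;
            if (*u == '\0' || *u == '?')
                return false;          /* '*' stops at the query string */
        }
    }

    if (*url == '\0' || *url != *pat)
        return false;
    return url_pattern_match(pat + 1, url + 1);
}

/* Number of patterns that apply to url; mirrors the "policy match count"
 * line in the agent's debug log. */
int policy_match_count(const char *const *patterns, size_t n, const char *url)
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (url_pattern_match(patterns[i], url))
            count++;
    return count;
}

/* Match count for the report's single wide policy against url. */
int wide_policy_match_count(const char *url)
{
    const char *const policies[] = { WIDE_POLICY };
    return policy_match_count(policies, 1, url);
}

int main(void)
{
    const char *const policies[] = { WIDE_POLICY, NARROW_POLICY };
    printf("%s policy match count: %d\n", BUG_URL,
           policy_match_count(policies, 2, BUG_URL));
    return 0;
}
```

Compiled with any C99 compiler and run, the program reports a match count of 2 for the report's URL (both patterns apply). The matcher also shows why `*://*:*/*` without the `?*` suffix does not cover a URL carrying a query string, which is the usual reason the wide `*://*:*/*?*` policy exists at all.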

        People

        • Assignee: Nicholas James (nick.james)
        • Reporter: Richard Hruza (richard.hruza)
        • QA Assignee: Richard Hruza