[AMAGENTS-267] not enforced IP processing broken Created: 14/Nov/16  Updated: 28/Aug/18  Resolved: 28/Aug/18

Status: Closed
Project: OpenAM Agents
Component/s: Web Agents
Affects Version/s: 4.0.0, 4.0.1
Fix Version/s: 5.0.0.0, 4.2.0.0

Type: Bug Priority: Critical
Reporter: Bernhard Thalmayr Assignee: Mareks Malnacs
Resolution: Fixed Votes: 0
Labels: 4p1-known-issue, QA-Agent5, release-notes, test-candidate
Remaining Estimate: 0h
Time Spent: 40m
Original Estimate: 0h
Environment:

Ubuntu 12.04.3 LTS

Server version: Apache/2.2.22 (Ubuntu)
Server built: Jul 12 2013 13:37:15
Server's Module Magic Number: 20051115:30
Server loaded: APR 1.4.6, APR-Util 1.3.12
Compiled using: APR 1.4.6, APR-Util 1.3.12
Architecture: 64-bit
Server MPM: Worker
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"

######################################################
# OpenAM Web Agent #
# Version: 4.0.1-14 #
# Revision: ff92922 #
# Container: Apache 2.2 Linux 64bit #
# Build date: Oct 26 2016 15:10:28 #
######################################################

Verified Version/s:
QA Assignee: edwardb
Cases: 16700
Support Ticket IDs:
Epic Link: Web Agent 4.1.1 Release

Description

Configure not-enforced IP processing with an entry that matches the client IP of the incoming request.

Excerpt from the Apache HTTP server access.log:
192.168.56.1 - - [14/Nov/2016:10:27:35 +0100] "GET / HTTP/1.1" 302 618 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0"
Excerpt from the central agent profile:
com.sun.identity.agents.config.notenforced.ip[0]=192.168.56.1

Although the IP is not enforced the agent enforces the request and access is denied.

Excerpt from the agent debug log:
...
2016-11-14 10:38:12.463 +0100   DEBUG [0x7fe2791f1700:3762][source/config_xml.c:263] am_parse_config_xml() com.sun.identity.agents.config.notenforced.ip is set to 1 value(s)
...
2016-11-14 10:38:12.464 +0100   DEBUG [0x7fe2791f1700:3762][source/process.c:552] handle_not_enforced():
2016-11-14 10:38:12.464 +0100   DEBUG [0x7fe2791f1700:3762][source/process.c:613] handle_not_enforced(): application logout url feature is not enabled
2016-11-14 10:38:12.464 +0100   DEBUG [0x7fe2791f1700:3762][source/process.c:665] handle_not_enforced(): attempting match with absolute access denied url http://ubuntu1204.test.xyz/403.html
2016-11-14 10:38:12.464 +0100   DEBUG [0x7fe2791f1700:3762][source/process.c:691] handle_not_enforced(): created normalised access denied url http://ubuntu1204.test.xyz:80/403.html ready for matching with http://ubuntu1204.test.xyz:80/
2016-11-14 10:38:12.464 +0100   DEBUG [0x7fe2791f1700:3762][source/process.c:730] handle_not_enforced(): client ip address 192.168.56.1 does not match 192.168.56.1
2016-11-14 10:38:12.464 +0100   DEBUG [0x7fe2791f1700:3762][source/process.c:756] handle_not_enforced(): validating http://ubuntu1204.test.xyz:80/
2016-11-14 10:38:12.464 +0100   DEBUG [0x7fe2791f1700:3762][source/process.c:765] handle_not_enforced(): trying not enforced pattern /403.html
2016-11-14 10:38:12.464 +0100   DEBUG [0x7fe2791f1700:3762][source/process.c:785] handle_not_enforced(): validating http://ubuntu1204.test.xyz:80/ ignoring query attributes
2016-11-14 10:38:12.464 +0100   DEBUG [0x7fe2791f1700:3762][source/process.c:874] handle_not_enforced(): extended not enforced url validation feature is not enabled
2016-11-14 10:38:12.464 +0100   DEBUG [0x7fe2791f1700:3762][source/process.c:877] handle_not_enforced(): http://ubuntu1204.test.xyz:80/ is enforced


Comments
Comment by Mareks Malnacs [ 14/Nov/16 ]

Agent4 supports only either the CIDR specification:
192.168.1.2/24
or the IP range:
192.168.1.1-192.168.2.3

Comment by Charles Sparey [ 21/Nov/16 ]

Either this is a case where the legacy functionality needs to be restored OR the docs need to be corrected / updated.

Comment by Andy Hall [ 21/Nov/16 ]

Mareks Malnacs What is the process for customers with 3.x agents and legacy not-enforced config, to move to 4.x?
We cannot break existing functionality.

Comment by Mareks Malnacs [ 21/Nov/16 ]

Single IP address rules should be changed to CIDR specification:

  • instead of writing 192.168.1.2 one should write 192.168.1.2/24.

Wildcard rules are not supported in agent 4. But they can be changed to CIDR notation.

Address range rule works as before.
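
The two comments by Mareks Malnacs above describe the rule formats the 4.0 agent accepts for not-enforced IPs (CIDR and a dotted address range) and how legacy single-IP and wildcard rules have to be rewritten. The Python script below is an added example, not code from this issue or from the OpenAM web agent: it models that matching behaviour with the standard `ipaddress` module, reproduces the "client ip address 192.168.56.1 does not match 192.168.56.1" outcome from the description's debug log, and migrates a constructed legacy rule list into the accepted notation. The rule values in `LEGACY_RULES` other than 192.168.56.1 are invented for the example. One deliberate difference from the comment: a single host is rewritten as /32 (or /128 for IPv6) rather than /24, because a /24 exempts 256 addresses from enforcement instead of one.

```python
import ipaddress

# Constructed sample rules (not from the issue, except 192.168.56.1):
# a legacy bare IP, a legacy wildcard, a CIDR rule and a range rule.
LEGACY_RULES = [
    "192.168.56.1",             # bare single IP, legacy agent 3.x style
    "10.1.2.*",                 # wildcard, unsupported in agent 4
    "172.16.0.0/12",            # CIDR, already supported
    "192.168.1.1-192.168.2.3",  # range, already supported
]


def parse_rule(rule: str):
    """Return a matcher for one agent-4 style rule: CIDR or dotted range.

    Anything else raises ValueError, mirroring the 4.0 agent's treatment of
    legacy single IPs and wildcards as non-matching entries.
    """
    rule = rule.strip()
    if "/" in rule:
        net = ipaddress.ip_network(rule, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    if "-" in rule:
        lo_s, hi_s = rule.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {rule}")
        return lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    raise ValueError(f"unsupported rule format (not CIDR or range): {rule}")


def is_not_enforced(client_ip: str, rules) -> bool:
    """True if client_ip matches any CIDR or range rule; legacy entries never match."""
    for rule in rules:
        try:
            if parse_rule(rule)(client_ip):
                return True
        except ValueError:
            continue  # legacy or malformed rule: no match, request stays enforced
    return False


def migrate_rule(rule: str) -> str:
    """Rewrite one legacy rule into CIDR or range notation accepted by agent 4."""
    rule = rule.strip()
    if "/" in rule or "-" in rule:
        parse_rule(rule)  # already in an accepted format; just validate it
        return rule
    if "*" in rule:
        # Trailing-wildcard IPv4 rule: fixed leading octets become the prefix.
        octets = rule.split(".")
        if len(octets) != 4:
            raise ValueError(f"wildcard rule must have four octets: {rule}")
        fixed = []
        for octet in octets:
            if octet == "*":
                break
            fixed.append(octet)
        if any(o != "*" for o in octets[len(fixed):]):
            raise ValueError(f"only trailing wildcards map to CIDR: {rule}")
        if not fixed:
            return "0.0.0.0/0"
        base = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return str(ipaddress.ip_network(f"{base}/{8 * len(fixed)}"))
    # Bare single address: exempt exactly that host, not its whole subnet.
    addr = ipaddress.ip_address(rule)
    return f"{addr}/{addr.max_prefixlen}"


def migrate_rules(rules):
    """Migrate a whole not-enforced IP list, keeping the original order."""
    return [migrate_rule(r) for r in rules]


if __name__ == "__main__":
    client = "192.168.56.1"
    print("legacy list, client exempt:", is_not_enforced(client, LEGACY_RULES))
    migrated = migrate_rules(LEGACY_RULES)
    print("migrated list:", migrated)
    print("migrated list, client exempt:", is_not_enforced(client, migrated))
```

Running the script with the bare `192.168.56.1` entry reproduces the reported behaviour (the client is still enforced); after migration the same client matches `192.168.56.1/32`. The rejection of non-trailing wildcards such as `10.*.2.*` is intentional: such a pattern has no single CIDR equivalent and would need to be expanded into several rules by hand.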

Comment by Andy Hall [ 21/Nov/16 ]

We either need to write upgrade tasks to do this, or support the legacy format.
We cannot expect customers to do this themselves on, in some cases, 600+ agents.

Comment by edwardb [ 25/Oct/17 ]

Functional Test added

Comment by Charles Sparey [ 14/Aug/18 ]

Changing versions from 4.1.x to 4.2 as that will be the next and final 4 series agent release.

Comment by Ľubomír Mlích [ 28/Aug/18 ]

This works according to the latest 4.x test; reopening to mark as verified.

Generated at Sat Feb 27 04:03:32 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.