[OPENAM-12531] Running webagent 5.0.0 against OpenAM 5.5.1 which is upgraded from previous version will result in segmentation fault or crash Created: 02/Mar/18  Updated: 04/Sep/19  Resolved: 02/Sep/19

Status: Resolved
Project: OpenAM
Component/s: None
Affects Version/s: 14.5.1, 5.5.1
Fix Version/s: 6.0.0, 5.5.2

Type: Bug Priority: Major
Reporter: Sam Phua Assignee: Adam Heath
Resolution: Fixed Votes: 0
Labels: EDISON, Must-Fix
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Screen Shot 2018-03-02 at 12.51.04 PM.png    
Issue Links:
Regression
caused OPENAM-15363 Redirect_uri_mismatch error occurs in... Resolved
Relates
relates to AMAGENTS-1509 Agent5 is crashing with unchecked use... Closed
relates to AMAGENTS-1510 Agent5 is crashing with unchecked use... Closed
Target Version/s:
Sprint: AM Sustaining Sprint 49, AM Sustaining Sprint 50
Story Points: 2
Needs backport:
Yes
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes but I used my own steps. (If so, please add them in a new comment)

 Description   

Bug description

Running webagent 5.0.0 against an OpenAM 5.5.1 that was upgraded from a previous version results in a segmentation fault or crash

How to reproduce the issue

  • Set up OpenAM 12.0.4 with a simple webagent profile
  • Upgrade OpenAM 12.0.4 to AM 5.5.1
  • Set up Agent 5.0.0 in Apache server v24
  • Access the protected page

Expected behaviour

The protected page will be redirected for authentication

Current behaviour

The Apache server crashes with a segmentation fault

[Fri Mar 02 12:52:10.779284 2018] [mpm_event:notice] [pid 26882:tid 140629360584512] AH00489: Apache/2.4.18 (Unix) OpenAM Web Agent/5.0.0 configured -- resuming normal operations
[Fri Mar 02 12:52:10.779364 2018] [core:notice] [pid 26882:tid 140629360584512] AH00094: Command line: '/work/openam12.0.4-5.5.1-agent-upgrade-fails-27992/HTTP-24-5.0.0/bin/httpd'
[Fri Mar 02 12:52:17.786034 2018] [core:notice] [pid 26882:tid 140629360584512] AH00052: child pid 26888 exit signal Segmentation fault (11)

The Apache server crashes because some of the attributes were missing. See AMAGENTS-1510 and AMAGENTS-1509.

com.sun.identity.agents.config.cdsso.redirect.uri=agent/cdsso-oauth2

org.forgerock.openam.agents.config.jwt.name=am-auth-jwt

 

Work around

Re-create the web agent profile
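
Where many agent profiles were carried over an upgrade, each one can be checked for the two attributes listed above before agent 5 is pointed at it. The following is an added example, not part of the original issue and not ForgeRock code: the attribute names and values are the two listed in this issue, while the one key=value per line export format and both sample profiles are assumptions constructed for illustration.

```python
# Added example (not from the issue or ForgeRock code). REQUIRED holds the two
# attributes listed in this issue; export format and samples are constructed.
REQUIRED = {
    "com.sun.identity.agents.config.cdsso.redirect.uri": "agent/cdsso-oauth2",
    "org.forgerock.openam.agents.config.jwt.name": "am-auth-jwt",
}

UPGRADED_PROFILE = """\
# constructed: profile carried over an upgrade, new attributes absent
com.sun.identity.agents.config.cdsso.enable=false
"""

RECREATED_PROFILE = """\
# constructed: profile re-created after the upgrade
com.sun.identity.agents.config.cdsso.enable=false
com.sun.identity.agents.config.cdsso.redirect.uri = agent/cdsso-oauth2
org.forgerock.openam.agents.config.jwt.name=am-auth-jwt
"""


def parse_profile(text):
    """Parse key=value lines, skipping blanks, '#' comments and malformed lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_profile(text):
    """Report attributes that are absent, empty, or not the listed value.

    'differs' is informational only: a customised value can be legitimate."""
    props = parse_profile(text)
    report = {"missing": [], "empty": [], "differs": {}}
    for key, listed in REQUIRED.items():
        if key not in props:
            report["missing"].append(key)
        elif not props[key]:
            report["empty"].append(key)
        elif props[key] != listed:
            report["differs"][key] = props[key]
    return report


if __name__ == "__main__":
    for name, text in (("upgraded", UPGRADED_PROFILE), ("recreated", RECREATED_PROFILE)):
        print(name, audit_profile(text))
```

A profile reported with missing or empty entries is a candidate for the workaround above before it is used with agent 5.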

 



 Comments   
Comment by Andrew Vinall [ 09/Mar/18 ]

Jonathan Thomas Thanks.

Comment by Alex Levin [ 13/Mar/18 ]

I think this should be a must fix. Customers can have 10s or hundreds of agent profiles, and every one would end up with a crashed (or disabled) agent as soon as they move to agent 5.

Comment by Pilar Gomez [X] (Inactive) [ 28/Mar/18 ]

I am trying to fix this but I found a couple of problems:

  • AM12 with agents 5 does not work at all. The agent won't install against AM12, so I can't reproduce the first step
  • We do not support upgrades from AM12 to AM6

Can I get a bit more info about how exactly to reproduce it please (Sam Phua Alex Levin)? Thank you!

Comment by Pilar Gomez [X] (Inactive) [ 28/Mar/18 ]

It looks like I missed the label "EDISON". I am putting the bug back in the backlog. After spending some time on it:

  • There is no "export" button anymore in the new agents UI. Rich Riley [X] is discussing with Andy Hall if we need it or not - this may be an actual use case showing the need for it.
  • Even though the versions are not all that compatible one with the other, the issue seems to be in the new agent properties. When creating an agent from scratch in AM6, those new properties are created, but when reusing an old config during an upgrade, those new properties are not added. AM can't make assumptions about the agent version, that is probably why it is not modifying existing config, to keep being compatible with older agents. The possible fix for that is to always add those new properties. Because they are new properties, they will not break older agent installs, as they will just be ignored, and adding them on upgrade will make AM work with new agents too.
    Because of the new UI it may be easier to test it & fix it against AM 5.5 that still has the old UI (at least until the export option is added to the XUI)

Comment by Adam Heath [ 17/Apr/18 ]

FWIW: Reproduced this issue by performing the following steps:

  • installing AM 13.5.1
  • Generating a simple web agent config called 'test' (no need to install or configure the agent yet)
  • Upgrading to AM 5.5.1 
  • Installing apache 2.4 + web agent 5.0.0 to protect a simple web page
  • Attempt to access the webpage the web agent has been configured to protect - this will error.
  • View the apache error log (/etc/httpd/logs/err_log) and confirm seg fault occurs

Have also been able to view the AgentService attributes via ApacheDirectoryStudio and confirm that when upgrading from < AM 5.5.0 the highlighted attributes are not present for existing web agent configurations.

Comment by Adam Heath [ 02/Sep/19 ]

Marking this issue back as "Resolved" as the underlying crash which was originally reported in this issue has now been resolved, however, noted that this has then caused the subsequent issue OPENAM-15363 for older versions that have been upgraded and can now potentially have an incorrect redirect uri value present. 

This follow up issue will be handled via OPENAM-15363, which will mean the fixed versions here in this Jira still make sense and the 2 issues have now been linked.

Comment by Ľubomír Mlích [ 04/Sep/19 ]

Reproduced in AM 5.5.1.

Verified as fixed in ForgeRock Access Management 5.5.2-M7 Build 965200a558 (2019-August-20 08:11); there is a redirect to AM instead of a segmentation fault on the Apache side. On the AM side there is a blank page and an HTTP 400 error with this message in debug: "The request could not be understood by the server due to malformed syntax". The CDSSO URL contains two slashes, "&redirect_uri=http://agent.protected.app:80//agent/cdsso-oauth2", which should be solved by OPENAM-15363.

Generated at Mon Nov 18 06:15:10 GMT 2019 using Jira 7.13.8#713008-sha1:1606a5c1e7006e1ab135aac81f7a9566b2dbc3a6.