Hi,
Just updating on the status of the investigation in this thread.
I located the responsible code in the UI.pm module for the webui (line 613):

    my $data;
    if ($auth->{envkeys}) {
        foreach my $key (keys %{$auth->{envkeys}}) {
            my $envkey = $auth->{envkeys}->{$key};
            $self->logger()->debug("Try to load $key from $envkey");
            next unless defined ($ENV{$envkey});
            $data->{$key} = Encode::decode('UTF-8', $ENV{$envkey},
                Encode::LEAVE_SRC | Encode::FB_CROAK);
        }
    # legacy support
    } elsif (my $user = $ENV{'OPENXPKI_USER'} || $ENV{'REMOTE_USER'} || '') {
        $data->{username} = $user;
        $data->{role} = $ENV{'OPENXPKI_GROUP'} if ($ENV{'OPENXPKI_GROUP'});
    }
It appears that this bit is expecting an answer from the backend with details
on the auth stack selected, thus including the possible envkeys. However, as
displayed during the trace, the answer contains an empty PARAMS field, thus
skipping that part.
## Debug
    $self->logger()->debug('ENV Vars -- email:' . $ENV{'OIDC_CLAIM_unique_name'}
        . ' role:' . $ENV{'OPENXPKI_SSO_ROLE'});
    $self->logger()->debug('Reply: ' . Dumper $reply);

2022/12/13 14:33:18 DEB ENV Vars -- email:[email protected] role:RA Operator [pid=21570|sid=4d73]
2022/12/13 14:33:18 DEB Reply: $VAR1 = {
    'SERVICE_MSG' => 'GET_CLIENT_LOGIN',
    'PARAMS' => {}
}; [pid=21570|sid=4d73]
The good news is that I was able to use the legacy OPENXPKI_GROUP and can
confirm the env is indeed working as expected!
The bad news is that I don’t think this empty answer is unexpected, or maybe it
is for NoAuth?
I’ll continue digging 😊
Please let me know if you think this is a bug and should be logged as such!
Best regards
Florian Cramoisan
PoC Engineer - WW | HPE Aruba Global Solutions | PoC
ACEX #102 – ACMX#831 | ACCX#1261 | ACDX#1282 | ACSX#1475
Mobile : +33 (0)6 14 58 32 45 | Desk :+33 (0)4 80 32 35 16
Hewlett Packard Enterprise | 5 av Raymond CHANAS | 38053 Grenoble | France
This e-mail may contain confidential and/or legally privileged material for the
sole use of the intended recipient. If you are not the intended recipient (or
authorized to receive for the recipient) please contact the sender by reply
e-mail and delete all copies of this message. If you are receiving this
message internally within the Hewlett Packard Enterprise company, you should
consider the contents “CONFIDENTIAL”.
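Added example, not OpenXPKI's own code: a stand-alone model of the envkeys mapping from the Client/UI.pm block quoted above, run against a constructed %ENV and constructed backend replies, to show why `PARAMS => {}` skips the envkeys branch and falls through to the legacy OPENXPKI_USER / OPENXPKI_GROUP variables. The envkey names, the `show` helper and the OIDC-populated values are assumptions.

```perl
#!/usr/bin/perl
# Added example (not OpenXPKI project code): models the envkeys mapping
# quoted from Client/UI.pm with constructed inputs, to show why an empty
# PARAMS field drops the role and falls back to the legacy variables.
use strict;
use warnings;
use Encode;

# $auth stands in for the PARAMS hash of the GET_CLIENT_LOGIN reply,
# $env for the CGI environment; both are passed in so each case is explicit.
sub map_login_data {
    my ($auth, $env) = @_;
    my $data = {};
    if ($auth->{envkeys}) {
        foreach my $key (keys %{ $auth->{envkeys} }) {
            my $envkey = $auth->{envkeys}->{$key};
            # An unset variable is skipped silently: the key is simply absent.
            next unless defined $env->{$envkey};
            # FB_CROAK: malformed UTF-8 in a header-derived value dies here
            # instead of being handed to the backend as login data.
            $data->{$key} = Encode::decode('UTF-8', $env->{$envkey},
                Encode::LEAVE_SRC | Encode::FB_CROAK);
        }
    } elsif (my $user = $env->{OPENXPKI_USER} || $env->{REMOTE_USER} || '') {
        $data->{username} = $user;
        $data->{role} = $env->{OPENXPKI_GROUP} if $env->{OPENXPKI_GROUP};
    }
    return $data;
}

sub show {
    my ($label, $data) = @_;
    printf "%-14s username=%s role=%s\n", $label,
        $data->{username} // '(none)', $data->{role} // '(none)';
}

# Constructed environment, as the Apache OIDC module would populate it.
my %env = (
    OIDC_CLAIM_unique_name => 'user@example.test',
    SSO_XPKI_ROLE          => 'RA Operator',
    OPENXPKI_USER          => 'user@example.test',
    OPENXPKI_GROUP         => 'RA Operator',
);
my $params = { envkeys => { username => 'OIDC_CLAIM_unique_name', role => 'SSO_XPKI_ROLE' } };

show('empty PARAMS:', map_login_data({}, \%env));      # legacy branch is used
show('envkeys:',      map_login_data($params, \%env)); # both keys mapped
delete $env{SSO_XPKI_ROLE};
show('unset var:',    map_login_data($params, \%env)); # role silently missing
```

The third case is the one worth watching in a deployment: a misspelled or unset envkey produces no error, only a login without a role.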
From: Cramoisan, Florian (Aruba PoC) <[email protected]>
Date: Tuesday, 13 December 2022 at 11:34
To: [email protected] <[email protected]>
Subject: Re: [OpenXPKI-users] Help required trying to pass role information from SSO on OpenXPKI
Hi Oliver,
Thanks for your answer!
I am still struggling to get these Apache ENV variables passed to OpenXPKI as
role / email.
Current situation:

    ExternalAuth:
      type: NoAuth
    BasicAuth:
      handler: ExternalAuth
      type: client
      envkeys:
        email: OIDC_CLAIM_email
        role: SSO_XPKI_ROLE
I have done a small Python and Perl script and can confirm that these two
variables are accessible from CGI as environment variables:

    #!/usr/bin/perl
    use strict;
    use warnings;
    # Dump every environment variable the CGI process sees, one per line
    print "Content-type: text/html\n\n";
    print "<pre>\n";
    foreach my $key (sort keys %ENV) {
        print "$key = $ENV{$key}<p>";
    }
    print "</pre>\n";

• Giving me (extract):

    OIDC_CLAIM_email = [email protected]
    SSO_XPKI_ROLE = RA Operator
I am trying to enable some debug and Dumper output in order to understand where this
is going wrong, and I can see that “$msg” does not contain anything more
than the “username”, thus resulting in the missing role and the UNAUTHORIZED
message.
#### CTX('log')->auth()->debug(Dumper($msg));
2022/12/13 10:16:49 DEBUG $VAR1 = {
    'username' => '[email protected]'
}; [pid=17194|sid=n+IJ]

#### CTX('log')->auth()->debug(Dumper($self));
2022/12/13 10:16:49 DEBUG $VAR1 = bless( {
    'history' => {},
    'prefix' => [
        'auth',
        'handler',
        'ExternalAuth'
    ],
    'authinfo' => {}
}, 'OpenXPKI::Server::Authentication::NoAuth' ); [pid=17194|sid=n+IJ]
Finally, within the auth module, when trying to print the current env variables,
none of the Apache environment variables are available; they look a lot like the regular
shell environment instead. Is this expected?

2022/12/13 10:16:49 DEBUG HOME => [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG INVOCATION_ID => 833e09412cf74d23976f1a6327150e6d [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG JOURNAL_STREAM => 8:1042596 [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG LANG => en_US.UTF-8 [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG LANGUAGE => C [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG LC_MESSAGES => C [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG LC_TIME => C [pid=17194|sid=n+IJ]
2022/12/13 10:16:49 DEBUG PATH => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin [pid=17194|sid=n+IJ]
I am trying to understand where these “envkeys” are processed in order to
troubleshoot why these variables are not being passed, and I cannot find a
reference to Stack/envkeys in the code; perhaps I’m looking at it wrong.
Could you please let me know in which module these environment variables are
transferred from the apache2 env to the application? How can I go ahead and
access these from within the auth stack to confirm?
I’ll keep investigating, as the mention of ‘envkeys’ only seems to happen in
Client/UI.pm, Client/Simple.pm and Client/Service/Base.pm 😊
Thanks for your time and support!
Regards,
Florian Cramoisan
From: Oliver Welter <[email protected]>
Date: Monday, 12 December 2022 at 08:51
To: [email protected] <[email protected]>
Subject: Re: [OpenXPKI-users] Help required trying to pass role information from SSO on OpenXPKI
Hello Florian,
welcome to the OpenXPKI Crowd ;)
Basically your approach looks correct. Are you sure that your ENV variable gets
populated properly? Raise the loglevel of the "auth" category to debug; that
might show you a more detailed error message indicating where the mapping fails.
Regarding the second part of the question: have a look into the folder
"realm.tl/profile/template/". In the field for "email" you can see "preset:
userinfo.email"; userinfo is a hash that is filled with anything found in
"envkeys".
best regards
Oliver
On 09.12.22 14:42, Cramoisan, Florian (Aruba PoC) wrote:
Hi List,
This is my first ever message out there, so please excuse the lack of format!
I’m struggling to set up my SSO as the source of authentication for OpenXPKI.
The SSO part is handled by an apache plugin, and works fine. I am able to check
the claims and generate a “SSO_ROLE” environment variable containing the
intended role the user should get after authentication.
Now my issue is trying to pass this information to the auth layer so the user
effectively gets that role.
I use NoAuth as per the examples:

    Stack:
      BasicAuth:
        handler: ExternalAuth
        type: client
        envkeys:
          email: OIDC_CLAIM_unique_name
    Handler:
      ExternalAuth:
        type: NoAuth
        role: User
If I remove the “role” statement from the handler and add an envkey “role”
mapping to my Apache ENV variable, I get an auth error.
What is the “proper” way to
1. Pass the role to the auth layer
2. Store some extra information (such as email or Org Unit) to be used later
in certificate generation
Thanks & Regards,
Florian Cramoisan
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!