Skip to content

fix: fetchAndSetEntityDescriptor: return non-nil error if http status is not 200#38825

Merged
flyinghermit merged 2 commits intomasterfrom
sshah/fix-fetchAndSetEntityDescriptor-http-status-handeling
Mar 5, 2024
Merged

fix: fetchAndSetEntityDescriptor: return non-nil error if http status is not 200#38825
flyinghermit merged 2 commits intomasterfrom
sshah/fix-fetchAndSetEntityDescriptor-http-status-handeling

Conversation

@flyinghermit
Copy link
Copy Markdown
Contributor

@flyinghermit flyinghermit commented Mar 1, 2024
edited
Loading

Fixes a bug where fetchAndSetEntityDescriptor returned non-nil error when it failed to set entity descriptor.

Background: fetchAndSetEntityDescriptor tries to fetch and set SAML service provider entity descriptor from given endpoint. It was implemented in a way that it should return error if it fails to fetch and set entity descriptor.

If it fails to set entity descriptor, the generateAndSetEntityDescriptor func will generate the entity descriptor with given entity_id and acs_url values.

Bug: In situation where remote endpoint would return HTTP status code above 200 and below 400, the fetchAndSetEntityDescriptor was returning early with a nil error, even when it still failed to set the entity descriptor. And since the generateAndSetEntityDescriptor is only called if fetchAndSetEntityDescriptor returns error, we would never set the entity descriptor in such case.

Root cause: incorrect use of trace.ReadError().
The trace.ReadError() returns non-nil error if statusCode >= http.StatusOK && statusCode < http.StatusBadRequest. So in scenario where, say a redirect response was received, fetchAndSetEntityDescriptor would return with non-nil error, without setting the entity descriptor, defeating the logic which follows.

The existing test only included 404, empty message and a valid message so it failed to catch the 302 redirect case.

Fix:

  • return trace.BadParameter error regardless of HTTP status code except for 200. We aren't interested in parsing error type as any error in this func means entity descriptor is not set.
  • updated test to also include 302 redirect.

changelog: Fixed an issue in SAML IdP entity descriptor generator process, which would fail to generate entity descriptor if the configured Entity ID endpoint would return HTTP status code above 200 and below 400 .

@github-actions github-actions Bot requested review from atburke and fspmarshall March 1, 2024 00:07
@flyinghermit flyinghermit changed the title fix: fetchAndSetEntityDescriptor: return non-nil error regardless of http status fix: fetchAndSetEntityDescriptor: return non-nil error if http status is not 200 Mar 1, 2024
r0mant
r0mant reviewed Mar 5, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@r0mant r0mant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In situation where remote endpoint would return HTTP status code above 200 and below 400, the fetchAndSetEntityDescriptor was returning early with a non-nil error, even it still failed to set the entity descriptor.

@flyinghermit I think in your PR description you wanted to say that it was returning early with a nil error, not with a non-nil error? It threw me off initially trying to understand the logic but I think it's just a typo in your description.

Comment thread lib/services/local/saml_idp_service_provider.go Outdated
Comment thread lib/services/local/saml_idp_service_provider.go
@flyinghermit
Copy link
Copy Markdown
Contributor Author

flyinghermit commented Mar 5, 2024

I think in your PR description you wanted to say that it was returning early with a nil error, not with a non-nil error? It threw me off initially trying to understand the logic but I think it's just a typo in your description.

Haa Thanks for spotting that. Yeah I meant to write nil there.

@flyinghermit
Copy link
Copy Markdown
Contributor Author

flyinghermit commented Mar 5, 2024

Ping @fspmarshall, @atburke

@public-teleport-github-review-bot public-teleport-github-review-bot Bot removed the request for review from atburke March 5, 2024 18:30
@flyinghermit flyinghermit enabled auto-merge March 5, 2024 19:30
@flyinghermit flyinghermit added this pull request to the merge queue Mar 5, 2024
Merged via the queue into master with commit 1f23e3e Mar 5, 2024
@flyinghermit flyinghermit deleted the sshah/fix-fetchAndSetEntityDescriptor-http-status-handeling branch March 5, 2024 19:47
@public-teleport-github-review-bot
Copy link
Copy Markdown

public-teleport-github-review-bot Bot commented Mar 5, 2024

@flyinghermit See the table below for backport results.

Branch Result
branch/v14 Create PR
branch/v15 Create PR

This was referenced Mar 5, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r0mant r0mant r0mant approved these changes

@fspmarshall fspmarshall fspmarshall approved these changes

Assignees

No one assigned

Labels

size/sm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@flyinghermit @r0mant @fspmarshall