Closed lovinscari closed 3 years ago
XHR/CORS/CSP/X-Frame specifications preclude us from using iframe or XMLHttpRequest requests to load anything that is not a "simple http GET" request.
Since we do not control the servers providing the information (ex-libris & emory IT do), we cannot alter the security headers noted above, and thusly cannot display the requests page in an iframe, nor can we make the request using XMLHTTPRequest.
All access to authenticated pages is intermediated by the browser, which we don't control, which obeys CSP headers that we don't control either.
Proxying back to the authenticated pages was attempted, but ultimately wound up at the shibboleth login page, despite sending the appropriate cookies back and forth.
A demo was provided to @rotated8, which showed that we could actually fetch the authenticated page, but only via standard browser requests (and not via XHR or backend proxy).
Annotated proxy flow log follows below. As one can see, the process continues a number of levels in, but eventually bounces to a shibboleth login screen.
# Logfile created on 2021-05-10 19:09:00 +0000 by logger.rb/66358
# This first request tries to load the info we want from na03.alma.exlibrisgroup
I, [2021-05-10T19:09:00.928459 #20375] INFO -- : Net::HTTP::Get: /view/uresolver/01GALI_EMORY/openurl?rfr_id=info:sid/primo.exlibrisgroup.com&u.ignore_date_coverage=true&svc_dat=getit&rft.mms_id=9936601001902486&sso=true&token=bc5e54cb424eede4f829e911d14e6d29
D, [2021-05-10T19:09:00.928516 #20375] DEBUG -- : request-header: accept-encoding => gzip,deflate,identity
D, [2021-05-10T19:09:00.928531 #20375] DEBUG -- : request-header: accept => */*
D, [2021-05-10T19:09:00.928544 #20375] DEBUG -- : request-header: user-agent => Mechanize/2.7.7 Ruby/2.6.7p197 (http://github.com/sparklemotion/mechanize/)
D, [2021-05-10T19:09:00.928556 #20375] DEBUG -- : request-header: accept-charset => ISO-8859-1,utf-8;q=0.7,*;q=0.7
D, [2021-05-10T19:09:00.928570 #20375] DEBUG -- : request-header: accept-language => en-us,en;q=0.5
D, [2021-05-10T19:09:00.928580 #20375] DEBUG -- : request-header: host => na03.alma.exlibrisgroup.com
#here the JSESSION id is set, which identifies us to ex-libris domain
# below, response data from exlibris, we've been served a document with a form that is automagically submitted for us
# also some ex-libris cookies are set
I, [2021-05-10T19:09:01.214007 #20375] INFO -- : status: Net::HTTPOK 1.1 200
D, [2021-05-10T19:09:01.214091 #20375] DEBUG -- : response-header: p3p => CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
D, [2021-05-10T19:09:01.214110 #20375] DEBUG -- : response-header: set-cookie => JSESSIONID="107686D5BB6143780C942DE087FF37A8.app02.na03.prod.alma.dc04.hosted.exlibrisgroup.com:1801"; Version=1; Path=/; HttpOnly; SameSite=None; Secure, urm_st=1620673741180; Path=/; SameSite=None; Secure, urm_se=1620674341180; Path=/; SameSite=None; Secure, X-Persist=8043dd88ece71c468fab4fb959d565cd;Path=/;SameSite=None;Secure
D, [2021-05-10T19:09:01.214125 #20375] DEBUG -- : response-header: content-type => text/html;charset=UTF-8
D, [2021-05-10T19:09:01.214138 #20375] DEBUG -- : response-header: content-length => 1856
D, [2021-05-10T19:09:01.214150 #20375] DEBUG -- : response-header: date => Mon, 10 May 2021 19:09:01 GMT
D, [2021-05-10T19:09:01.214162 #20375] DEBUG -- : response-header: keep-alive => timeout=20
D, [2021-05-10T19:09:01.214174 #20375] DEBUG -- : response-header: connection => keep-alive
D, [2021-05-10T19:09:01.214229 #20375] DEBUG -- : Read 0 bytes (0 total)
D, [2021-05-10T19:09:01.218640 #20375] DEBUG -- : Read 1856 bytes (1856 total)
#cookie is saved, note it starts with "10"
D, [2021-05-10T19:09:01.219232 #20375] DEBUG -- : saved cookie: JSESSIONID=107686D5BB6143780C942DE087FF37A8.app02.na03.prod.alma.dc04.hosted.exlibrisgroup.com:1801
D, [2021-05-10T19:09:01.219333 #20375] DEBUG -- : saved cookie: urm_st=1620673741180
D, [2021-05-10T19:09:01.219400 #20375] DEBUG -- : saved cookie: urm_se=1620674341180
D, [2021-05-10T19:09:01.219462 #20375] DEBUG -- : saved cookie: X-Persist=8043dd88ece71c468fab4fb959d565cd
I, [2021-05-10T19:09:01.220833 #20375] INFO -- : form encoding: UTF-8
SECOND REQUEST
#this is the form submission from above, which sends a GET request to login.emory.edu, with various parameters for authentication
I, [2021-05-10T19:09:01.221351 #20375] INFO -- : Net::HTTP::Get: /idp/profile/SAML2/Redirect/SSO?SAMLRequest=jZJNb%2BIwEIb%2FiuU7sWMoZS1CFZFGi0S7lLR72JubDNSSY2c9Dm3%2FfU0QWvZSIfnk%2BXrfZ2Z%2B99EacgCP2tmMpgmnBGztGm33GX15LkczereYo2pNJ%2FM%2BvNkt%2FO0BA4l1FuUQyGjvrXQKNUqrWkAZalnlD2spEi4774KrnaEkRwQf4qCls9i34CvwB13Dy3ad0bcQOpSMWcXHiTKtSuDD6Fevce9d3yW1a1lr96xr8KeyjYG122tLSRHFaKvCoP%2FcxBxjCbTOfybQ9Ew3HYs6dtoAOwoTbAuN9lAHVlW%2FKCmdr2Gwl9GdMgiUrIqM5vlNKcpJyce3k3E6nRZLMb2%2FLSe8KGfTvMwL1XVcxFzcKER9gH%2FViD2sLAZlQ0YFF%2BmI34xS%2Fpz%2BkDy%2BNElnkz%2BU%2FD6Tj6ToibMcav0F4O%2F5qjNVuriW4YBnzi6mnUaLTj7G%2Fqti44yuPy8kiOuXbIx7X3pQIdIIvoeBbqvC9w2OP7oZ7YZUGbyyqMEGSqrNUdJTr4zeafDXH8pgkrLFyef%2F17v4Ag%3D%3D&RelayState=%2Fview%2Furesolver%2F01GALI_EMORY%2Fopenurl%3Frfr_id%3Dinfo%3Asid%2Fprimo.exlibrisgroup.com%26u.ignore_date_coverage%3Dtrue%26svc_dat%3Dgetit%26rft.mms_id%3D9936601001902486%26sso%3Dtrue%26token%3Dbc5e54cb424eede4f829e911d14e6d29
D, [2021-05-10T19:09:01.221385 #20375] DEBUG -- : request-header: accept-encoding => gzip,deflate,identity
D, [2021-05-10T19:09:01.221453 #20375] DEBUG -- : request-header: accept => */*
D, [2021-05-10T19:09:01.221471 #20375] DEBUG -- : request-header: user-agent => Mechanize/2.7.7 Ruby/2.6.7p197 (http://github.com/sparklemotion/mechanize/)
D, [2021-05-10T19:09:01.221483 #20375] DEBUG -- : request-header: accept-charset => ISO-8859-1,utf-8;q=0.7,*;q=0.7
D, [2021-05-10T19:09:01.221526 #20375] DEBUG -- : request-header: accept-language => en-us,en;q=0.5
# here we see the shibsession, which we harvested from the browser being sent
D, [2021-05-10T19:09:01.221539 #20375] DEBUG -- : request-header: cookie => _shibsession_64656661756c7468747470733a2f2f626c61636b6361742d617263682e6c6962726172792e656d6f72792e656475=_f8df3b8ebd3e7581f575ff1731fe0d5a
D, [2021-05-10T19:09:01.221550 #20375] DEBUG -- : request-header: host => login.emory.edu
D, [2021-05-10T19:09:01.221562 #20375] DEBUG -- : request-header: referer => https://na03.alma.exlibrisgroup.com/view/uresolver/01GALI_EMORY/openurl?rfr_id=info:sid/primo.exlibrisgroup.com&u.ignore_date_coverage=true&svc_dat=getit&rft.mms_id=9936601001902486&sso=true&token=bc5e54cb424eede4f829e911d14e6d29
# we get a 302 redirect...
I, [2021-05-10T19:09:01.326309 #20375] INFO -- : status: Net::HTTPFound 1.1 302 302
D, [2021-05-10T19:09:01.326397 #20375] DEBUG -- : response-header: date => Mon, 10 May 2021 19:09:01 GMT
D, [2021-05-10T19:09:01.326415 #20375] DEBUG -- : response-header: strict-transport-security => max-age=31536000, max-age=0
D, [2021-05-10T19:09:01.326428 #20375] DEBUG -- : response-header: cache-control => no-store
D, [2021-05-10T19:09:01.326440 #20375] DEBUG -- : response-header: expires =>
# along with another jsessionid from shibboleth idp!
#this jsessionid cookie from login.emory.edu, (different than the one exlibris sent us before (naturally!) (starts 12C))
#further requests to login.emory.edu should include this cookie, as well as the _shibsession cookie.
D, [2021-05-10T19:09:01.326451 #20375] DEBUG -- : response-header: set-cookie => JSESSIONID=12CD026BCEB954115603014F425C8A68; Path=/idp; Secure; HttpOnly
D, [2021-05-10T19:09:01.326462 #20375] DEBUG -- : response-header: x-frame-options => ''
D, [2021-05-10T19:09:01.326472 #20375] DEBUG -- : response-header: content-security-policy => ''
D, [2021-05-10T19:09:01.326483 #20375] DEBUG -- : response-header: location => /idp/profile/SAML2/Redirect/SSO?execution=e1s1
D, [2021-05-10T19:09:01.326493 #20375] DEBUG -- : response-header: content-length => 0
D, [2021-05-10T19:09:01.326504 #20375] DEBUG -- : response-header: connection => close
D, [2021-05-10T19:09:01.326534 #20375] DEBUG -- : response-header: content-type => text/plain; charset=UTF-8
D, [2021-05-10T19:09:01.326587 #20375] DEBUG -- : Read 0 bytes (0 total)
D, [2021-05-10T19:09:01.326962 #20375] DEBUG -- : saved cookie: JSESSIONID=12CD026BCEB954115603014F425C8A68
#here we follow the redirect
I, [2021-05-10T19:09:01.327017 #20375] INFO -- : follow redirect to: /idp/profile/SAML2/Redirect/SSO?execution=e1s1
I, [2021-05-10T19:09:01.327484 #20375] INFO -- : Net::HTTP::Get: /idp/profile/SAML2/Redirect/SSO?execution=e1s1
D, [2021-05-10T19:09:01.327513 #20375] DEBUG -- : request-header: accept-encoding => gzip,deflate,identity
D, [2021-05-10T19:09:01.327527 #20375] DEBUG -- : request-header: accept => */*
D, [2021-05-10T19:09:01.327538 #20375] DEBUG -- : request-header: user-agent => Mechanize/2.7.7 Ruby/2.6.7p197 (http://github.com/sparklemotion/mechanize/)
D, [2021-05-10T19:09:01.327550 #20375] DEBUG -- : request-header: accept-charset => ISO-8859-1,utf-8;q=0.7,*;q=0.7
D, [2021-05-10T19:09:01.327561 #20375] DEBUG -- : request-header: accept-language => en-us,en;q=0.5
#
#now we are sending the 12c jsession id and shibsession cookies along during the redirect, like we are supposed to
D, [2021-05-10T19:09:01.327572 #20375] DEBUG -- : request-header: cookie => JSESSIONID=12CD026BCEB954115603014F425C8A68; _shibsession_64656661756c7468747470733a2f2f626c61636b6361742d617263682e6c6962726172792e656d6f72792e656475=_f8df3b8ebd3e7581f575ff1731fe0d5a
D, [2021-05-10T19:09:01.327583 #20375] DEBUG -- : request-header: host => login.emory.edu
D, [2021-05-10T19:09:01.327595 #20375] DEBUG -- : request-header: referer => https://na03.alma.exlibrisgroup.com/view/uresolver/01GALI_EMORY/openurl?rfr_id=info:sid/primo.exlibrisgroup.com&u.ignore_date_coverage=true&svc_dat=getit&rft.mms_id=9936601001902486&sso=true&token=bc5e54cb424eede4f829e911d14e6d29
#
#now we get a code http 200, and it's the login page :(
#
I, [2021-05-10T19:09:01.410502 #20375] INFO -- : status: Net::HTTPOK 1.1 200 200
D, [2021-05-10T19:09:01.410610 #20375] DEBUG -- : response-header: date => Mon, 10 May 2021 19:09:01 GMT
D, [2021-05-10T19:09:01.410629 #20375] DEBUG -- : response-header: strict-transport-security => max-age=31536000, max-age=0
D, [2021-05-10T19:09:01.410642 #20375] DEBUG -- : response-header: cache-control => no-store
D, [2021-05-10T19:09:01.410654 #20375] DEBUG -- : response-header: expires =>
D, [2021-05-10T19:09:01.410675 #20375] DEBUG -- : response-header: x-frame-options => ''
D, [2021-05-10T19:09:01.410686 #20375] DEBUG -- : response-header: content-security-policy => ''
D, [2021-05-10T19:09:01.410697 #20375] DEBUG -- : response-header: content-type => text/html;charset=utf-8
D, [2021-05-10T19:09:01.410708 #20375] DEBUG -- : response-header: connection => close
D, [2021-05-10T19:09:01.410718 #20375] DEBUG -- : response-header: transfer-encoding => chunked
D, [2021-05-10T19:09:01.410805 #20375] DEBUG -- : Read 0 bytes (0 total)
D, [2021-05-10T19:09:01.430085 #20375] DEBUG -- : Read 8184 bytes (8184 total)
D, [2021-05-10T19:09:01.430347 #20375] DEBUG -- : Read 0 bytes (8184 total)
D, [2021-05-10T19:09:01.430401 #20375] DEBUG -- : Read 3967 bytes (12151 total)
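The cookie-ownership point in the flow above can be checked mechanically rather than by eye. The Ruby script below is an added example, not code from this issue or from the project: it parses a constructed, shortened copy of the Mechanize log above, records which host issued each cookie, flags cookies presented to a host that never set them, and hex-decodes the `_shibsession_` cookie name, which the Shibboleth SP builds from its application ID and entity ID. The sample log lines and the shortened cookie values are constructed for the example.

```ruby
# Added example (not code from the issue or the project): replay a Mechanize
# debug log like the one above, rebuild which host issued which cookie, and
# decode the Shibboleth SP session cookie name to show whose session it is.

# Constructed sample: a trimmed copy of the annotated flow above (long values shortened).
SHIB_COOKIE = '_shibsession_64656661756c7468747470733a2f2f626c61636b6361742d617263682e6c6962726172792e656d6f72792e656475'
SAMPLE_LOG = <<~LOG
  I, [2021-05-10T19:09:00.928459 #20375]  INFO -- : Net::HTTP::Get: /view/uresolver/01GALI_EMORY/openurl?sso=true
  D, [2021-05-10T19:09:00.928580 #20375] DEBUG -- : request-header: host => na03.alma.exlibrisgroup.com
  I, [2021-05-10T19:09:01.214007 #20375]  INFO -- : status: Net::HTTPOK 1.1 200
  D, [2021-05-10T19:09:01.214110 #20375] DEBUG -- : response-header: set-cookie => JSESSIONID="107686D5.app02:1801"; Version=1; Path=/; HttpOnly; SameSite=None; Secure, urm_st=1620673741180; Path=/; SameSite=None; Secure
  I, [2021-05-10T19:09:01.221351 #20375]  INFO -- : Net::HTTP::Get: /idp/profile/SAML2/Redirect/SSO?SAMLRequest=...
  D, [2021-05-10T19:09:01.221539 #20375] DEBUG -- : request-header: cookie => #{SHIB_COOKIE}=_f8df3b8e
  D, [2021-05-10T19:09:01.221550 #20375] DEBUG -- : request-header: host => login.emory.edu
  I, [2021-05-10T19:09:01.326309 #20375]  INFO -- : status: Net::HTTPFound 1.1 302 302
  D, [2021-05-10T19:09:01.326451 #20375] DEBUG -- : response-header: set-cookie => JSESSIONID=12CD026B; Path=/idp; Secure; HttpOnly
  D, [2021-05-10T19:09:01.326462 #20375] DEBUG -- : response-header: x-frame-options => ''
  D, [2021-05-10T19:09:01.326483 #20375] DEBUG -- : response-header: location => /idp/profile/SAML2/Redirect/SSO?execution=e1s1
  I, [2021-05-10T19:09:01.327484 #20375]  INFO -- : Net::HTTP::Get: /idp/profile/SAML2/Redirect/SSO?execution=e1s1
  D, [2021-05-10T19:09:01.327572 #20375] DEBUG -- : request-header: cookie => JSESSIONID=12CD026B; #{SHIB_COOKIE}=_f8df3b8e
  D, [2021-05-10T19:09:01.327583 #20375] DEBUG -- : request-header: host => login.emory.edu
  I, [2021-05-10T19:09:01.410502 #20375]  INFO -- : status: Net::HTTPOK 1.1 200 200
  D, [2021-05-10T19:09:01.410675 #20375] DEBUG -- : response-header: x-frame-options => ''
  D, [2021-05-10T19:09:01.410686 #20375] DEBUG -- : response-header: content-security-policy => ''
LOG

# One Ruby Logger line: severity, timestamp, pid, level, message.
LINE_RE = /\A([A-Z]), \[(\S+) #\d+\]\s+(\w+) -- : (.*)\z/

# One request/response pair as seen by the proxy.
Hop = Struct.new(:host, :path, :status, :sent_cookies, :set_cookies, :headers)

# "NAME=value; Path=/idp; Secure; HttpOnly" -> hash of the attributes we care about.
def parse_cookie_attrs(str)
  parts = str.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  attrs = { name: name, value: value.to_s.delete('"'), path: '/', secure: false, httponly: false, samesite: nil }
  parts.each do |p|
    k, v = p.split('=', 2)
    case k.downcase
    when 'path'     then attrs[:path] = v
    when 'secure'   then attrs[:secure] = true
    when 'httponly' then attrs[:httponly] = true
    when 'samesite' then attrs[:samesite] = v
    end
  end
  attrs
end

# Walk the log and group request/response headers into hops.
def parse_log(text)
  hops = []
  cur = nil
  text.each_line do |line|
    m = LINE_RE.match(line.chomp) or next
    msg = m[4]
    case msg
    when /\ANet::HTTP::\w+: (\S+)/
      cur = Hop.new(nil, $1, nil, [], [], {})
      hops << cur
    when /\Arequest-header: host => (.+)/
      cur.host = $1.strip if cur
    when /\Arequest-header: cookie => (.+)/
      cur.sent_cookies = $1.split(';').map { |c| c.strip.split('=', 2).first } if cur
    when /\Astatus: \S+ [\d.]+ (\d{3})/
      cur.status = $1.to_i if cur
    when /\Aresponse-header: set-cookie => (.+)/
      raw = $1
      # Mechanize joins several Set-Cookie headers with ", "; split before each NAME=.
      raw.split(/,\s*(?=[\w.-]+=)/).each { |c| cur.set_cookies << parse_cookie_attrs(c) } if cur
    when /\Aresponse-header: (x-frame-options|content-security-policy|location) => (.*)/
      name, value = $1, $2
      cur.headers[name] = value.strip if cur
    end
  end
  hops
end

# Shibboleth SP names its session cookie "_shibsession_" + hex(applicationId + entityID);
# decoding the hex tells you which SP (not the IdP) the cookie belongs to.
def decode_shibsession(name)
  hex = name[/\A_shibsession_([0-9a-f]+)\z/i, 1]
  return nil unless hex
  [hex].pack('H*').force_encoding('UTF-8')
end

# For each hop, the cookies sent that the receiving host had not issued earlier in the flow.
def foreign_cookies(hops)
  issued = Hash.new { |h, k| h[k] = [] }
  hops.map do |hop|
    foreign = hop.sent_cookies.reject { |n| issued[hop.host].include?(n) }
    hop.set_cookies.each { |c| issued[hop.host] << c[:name] }
    foreign
  end
end

if $PROGRAM_NAME == __FILE__
  hops = parse_log(SAMPLE_LOG)
  foreign_cookies(hops).each_with_index do |names, i|
    h = hops[i]
    puts "#{h.host} #{h.path[0, 40]} -> #{h.status}; cookies not issued by this host: #{names.map { |n| n[0, 20] }.inspect}"
  end
  puts "#{SHIB_COOKIE[0, 24]}... decodes to #{decode_shibsession(SHIB_COOKIE).inspect}"
end
```

Run against the sample, the report shows the `_shibsession_` cookie decoding to `defaulthttps://blackcat-arch.library.emory.edu`, that is, the SP session for blackcat-arch, while the only host it is ever presented to is login.emory.edu, which never issued it; the IdP's own cookie is the separate `JSESSIONID` scoped to `Path=/idp`. That matches what the annotated log shows: the harvested SP cookie gives the IdP nothing to recognise the client by, so the flow lands on the login page. The same parser can be pointed at a full Mechanize log to list the `x-frame-options` and `content-security-policy` values per hop, which is the first thing to record when deciding whether an iframe or XHR approach is even possible.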
As discussed in a previous meeting to investigate possible mitigations to the current iFrame problem, Mark Bussey and Collin Brittle have determined a possible path forward regarding how sign in would be handled utilizing Alma and then Shibboleth in an effort to get a Rec ID from Alma that would be sent back to the Alma iFrame. This ticket is a placeholder for that work with specific details to be documented by Collin Brittle and Mark Bussey.
The goal of this Spike ticket is to determine if the solution is a viable workaround, and if so to develop a proof of concept that can be reviewed by the product owner.
Assuming the solution is viable and approved, the work involved should be detailed in new tickets and added as high priority work in the backlog.