morincer / teamcity-plugin-saml

The plug-in adds the ability to authenticate users via SAML-based SSO providers (such as Okta, OneLogin, etc.)
MIT License

403 Access denied after applying latest CVE fixes #129

Closed Hdom closed 4 months ago

Hdom commented 4 months ago

Applied "Fix CVE-2024-23917, CVE-2024-27198, CVE-2024-27199" to the server on "2022.04 (build 108502)" and started receiving an "Access denied" error when attempting to authenticate with the SAML Authentication plugin.

Is there any way to configure teamcity to allow the URL /app/saml/login without auth?

CVE Plugin: Fix CVE-2024-23917, CVE-2024-27198, CVE-2024-27199 (version 1.2)
Server Version: 2022.04 (build 108502)
SAML Authentication Plugin Version: 1.4.2-SNAPSHOT

Error: [2024-03-05 17:12:36,265] WARN - jetbrains.buildServer.SERVER - Replying with 403 status for the unauthorized request: GET '/app/saml/login/', from client 10.38.212.2 (127.0.0.1:39610), no auth

I also submitted this as a support item on jetbrains' issue tracker https://youtrack.jetbrains.com/issue/TW-86717/403-Access-denied-after-applying-latest-CVE-fixes-and-using-SAML-Authentication

morincer commented 4 months ago

Hi! I really need some logs to troubleshoot the issue. Please refer to https://github.com/morincer/teamcity-plugin-saml?tab=readme-ov-file#troubleshooting

Hdom commented 4 months ago

I enabled the debug-auth-saml logging preset and there are no logs generated in teamcity-auth.log. I assume this means that it's being blocked somewhere before auth.

I enabled debug-all and the only logs inside teamcity-server.log are:

[2024-03-06 10:02:31,605]  DEBUG - ver.web.ResponseFragmentFilter - Request started: 336bfd89/25b0169b GET https://server.url/app/saml/login/
[2024-03-06 10:02:31,606]   WARN -   jetbrains.buildServer.SERVER - Replying with 403 status for the unauthorized request: GET '/app/saml/login/', from client 10.38.212.2 (127.0.0.1:45334), no auth
[2024-03-06 10:02:31,606]  DEBUG - ver.web.ResponseFragmentFilter - Request finished: 336bfd89/25b0169b

Are there any other relevant log files?

Here is a screenshot of the SAML Settings configuration: [image]

Here is the SP metadata:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2024-03-08T15:09:35Z" cacheDuration="PT604800S" entityID="/app/saml/callback/" ID="ONELOGIN_GUID">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://server.url/app/saml/callback/" index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
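
As an added example (not code from this thread, the plugin, or TeamCity), here is a small Python triage script for the symptom above: it parses teamcity-server.log lines, pulls out the "Replying with 403 status for the unauthorized request" warnings, and reports which of the SAML plugin's pre-login endpoints are being rejected with "no auth" and by which clients. The sample input is constructed from the log lines quoted in this thread plus one made-up denial for a non-SAML path; the `/app/saml/` prefix list is an assumption about which paths must be reachable before a user has a session.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the server-log lines quoted in the thread above,
# plus one made-up 403 for a non-SAML path so the filter has something to skip.
SAMPLE_LOG = """\
[2024-03-05 17:12:36,265] WARN - jetbrains.buildServer.SERVER - Replying with 403 status for the unauthorized request: GET '/app/saml/login/', from client 10.38.212.2 (127.0.0.1:39610), no auth
[2024-03-06 10:02:31,605]  DEBUG - ver.web.ResponseFragmentFilter - Request started: 336bfd89/25b0169b GET https://server.url/app/saml/login/
[2024-03-06 10:02:31,606]   WARN -   jetbrains.buildServer.SERVER - Replying with 403 status for the unauthorized request: GET '/app/saml/login/', from client 10.38.212.2 (127.0.0.1:45334), no auth
[2024-03-06 10:02:31,606]  DEBUG - ver.web.ResponseFragmentFilter - Request finished: 336bfd89/25b0169b
[2024-03-06 10:03:00,000] WARN - jetbrains.buildServer.SERVER - Replying with 403 status for the unauthorized request: GET '/app/rest/server', from client 10.38.212.9 (127.0.0.1:45340), no auth
"""

# Assumption: the plugin's endpoints that a browser must reach before it has any
# TeamCity session (the login redirect and the IdP callback).
PRE_AUTH_PREFIXES = ("/app/saml/",)

# Generic TeamCity log line: "[timestamp] LEVEL - logger - message" (column spacing varies).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+-\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)

# The specific denial message seen in the thread.
DENIED_RE = re.compile(
    r"Replying with 403 status for the unauthorized request: "
    r"(?P<method>[A-Z]+) '(?P<path>[^']+)', from client (?P<client>\S+) "
    r"\((?P<peer>[^)]+)\), (?P<reason>.+)$"
)


@dataclass(frozen=True)
class Denial:
    ts: str
    method: str
    path: str
    client: str   # address TeamCity attributes the request to (X-Forwarded-For or similar)
    peer: str     # TCP peer, i.e. the reverse proxy in front of TeamCity
    reason: str   # e.g. "no auth"


def parse_denials(text: str) -> list[Denial]:
    """Return every 403 'unauthorized request' warning found in the log text."""
    found = []
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        denied = DENIED_RE.search(line.group("msg"))
        if not denied:
            continue
        found.append(Denial(ts=line.group("ts"), **denied.groupdict()))
    return found


def pre_auth_denials(denials: list[Denial], prefixes=PRE_AUTH_PREFIXES) -> list[Denial]:
    """Keep only denials of paths that must work without a session and were
    rejected purely for carrying no credentials ('no auth')."""
    return [d for d in denials
            if d.reason == "no auth" and d.path.startswith(prefixes)]


def summarize(denials: list[Denial]) -> dict[str, int]:
    """Count denials per path, so the blocked endpoint stands out."""
    return dict(Counter(d.path for d in denials))


if __name__ == "__main__":
    blocked = pre_auth_denials(parse_denials(SAMPLE_LOG))
    for path, n in summarize(blocked).items():
        clients = sorted({d.client for d in blocked if d.path == path})
        print(f"{path}: {n} unauthenticated request(s) denied, clients={clients}")
```

Run it against a real teamcity-server.log after the fix (or, as this thread ended up, after patching the server to 2022.04.5) to confirm the SAML login path no longer appears in the output; if it still does, the denial is happening in TeamCity's own authorization layer before the plugin's auth logging ever runs, which is why teamcity-auth.log stays empty.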
Hdom commented 4 months ago

@morincer We received a response on the issue tracker; it looks like it was a problem with our version of TeamCity. After applying a patch from 2022.04 to 2022.04.5, the access denied error went away. I will close this issue.

https://youtrack.jetbrains.com/issue/TW-86717/403-Access-denied-after-applying-latest-CVE-fixes-and-using-SAML-Authentication#focus=Comments-27-9400455.0-0