Jenkins / JENKINS-62200

MF Application Automation Tools plugin: violation of RFC7230

Description

The plugin is unable to authenticate inside ALM during the "Execute tests using ALM Lab Management" step if the ALM server is behind haproxy v2.0 or above.

The root cause is that the plugin expects case-sensitive HTTP header names, and by doing that violates RFC7230:
https://tools.ietf.org/html/rfc7230#section-3.2

    Each header field consists of a case-insensitive field name followed
    by a colon (":"), optional leading whitespace, the field value, and
    optional trailing whitespace.

As we see in the code, there are many places that violate this:

For the Set-Cookie header:
 * Constant declaration: https://github.com/MicroFocus/performance-center-plugins-common/blob/b045d4f57faef0661588334e7fe71b3a1c77af15/src/main/java/com/microfocus/adm/performancecenter/plugins/common/rest/RESTConstants.java#L29
 * Usage: https://github.com/jenkinsci/hpe-application-automation-tools-plugin/blob/f15aeecc59b287e4a678ba6680ec4f41b7f05fbe/src/main/java/com/microfocus/application/automation/tools/rest/RestClient.java#L374

For the WWW-Authenticate header:
 * Constant declaration: https://github.com/jenkinsci/hpe-application-automation-tools-plugin/blob/f15aeecc59b287e4a678ba6680ec4f41b7f05fbe/src/main/java/com/microfocus/application/automation/tools/sse/sdk/authenticator/RestAuthenticator.java#L45
 * Usage: https://github.com/jenkinsci/hpe-application-automation-tools-plugin/blob/f15aeecc59b287e4a678ba6680ec4f41b7f05fbe/src/main/java/com/microfocus/application/automation/tools/sse/sdk/authenticator/RestAuthenticator.java#L230

There may be other places and headers as well.

We faced the issue because newer versions of haproxy (2.0+) now use the new HTTP processing mechanism (h2) internally by default, and because of this all HTTP headers are now lowercased by default. So haproxy outputs "www-authenticate" instead of the original "WWW-Authenticate", which is perfectly RFC-compliant, but not compatible with the plugin.
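The defect described above, shown in a stand-alone Java snippet added here as an illustration (this is not the plugin's own code): an exact-case map lookup misses a header name that an HAProxy 2.0 frontend has lowercased, while a comparison with equalsIgnoreCase, as RFC 7230 requires, finds it. The header map and its values are constructed sample data.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class HeaderCaseDemo {

    // Pattern the report complains about: exact-case key lookup. Returns null when
    // the proxy emitted "www-authenticate" but the code asks for "WWW-Authenticate".
    static String getStrict(Map<String, List<String>> headers, String name) {
        List<String> values = headers.get(name);
        return (values == null || values.isEmpty()) ? null : values.get(0);
    }

    // RFC 7230 section 3.2: field names are case-insensitive, so compare them that way.
    // The null-key check matters because HttpURLConnection.getHeaderFields() stores the
    // status line under a null key.
    static String getInsensitive(Map<String, List<String>> headers, String name) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String key = e.getKey();
            if (key != null && key.equalsIgnoreCase(name) && !e.getValue().isEmpty()) {
                return e.getValue().get(0);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed response headers as an HAProxy 2.0 frontend forwards them: all lowercased.
        Map<String, List<String>> viaProxy = new HashMap<>();
        viaProxy.put(null, List.of("HTTP/1.1 401 Unauthorized"));
        viaProxy.put("www-authenticate", List.of("Basic realm=\"alm\""));  // sample value
        viaProxy.put("set-cookie", List.of("session=sample; Path=/"));      // sample value

        // Strict lookup yields null, so the authenticator never sees the challenge.
        System.out.println("strict WWW-Authenticate: "
                + getStrict(viaProxy, "WWW-Authenticate"));
        // Case-insensitive lookup finds both headers regardless of the proxy's casing.
        System.out.println("insensitive WWW-Authenticate: "
                + getInsensitive(viaProxy, "WWW-Authenticate"));
        System.out.println("insensitive Set-Cookie: "
                + getInsensitive(viaProxy, "Set-Cookie"));
    }
}
```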

Workaround

There is a haproxy config option to override this behavior for some headers: https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#3.1-h1-case-adjust. You should use two haproxy configuration options in conjunction: "h1-case-adjust" and "option h1-case-adjust-bogus-client".

We used it and I can prove that this is a valid workaround.
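The workaround assembled into a minimal HAProxy 2.0 configuration fragment, added here as an illustration (not the reporter's actual configuration): "h1-case-adjust" entries in the global section define the casing to restore for each lowercased name, and "option h1-case-adjust-bogus-client" in the frontend switches that adjustment on for responses sent to the frontend's clients, here the Jenkins plugin. Section names, the bind port and the backend address are placeholders.

```haproxy
global
    # Map the lowercased name HAProxy uses internally back to the casing the plugin expects.
    # The first argument must be lowercase; the second differs only in case.
    h1-case-adjust www-authenticate WWW-Authenticate
    h1-case-adjust set-cookie Set-Cookie

frontend alm_front
    bind :8080
    # Without this option the h1-case-adjust rules above are defined but never applied.
    # It re-cases headers in responses sent to HTTP/1 clients of this frontend.
    option h1-case-adjust-bogus-client
    default_backend alm_back

backend alm_back
    # Placeholder ALM server address.
    server alm1 alm.example.internal:8080
```

Only the headers listed with h1-case-adjust are re-cased; any other header the plugin compares case-sensitively would need its own entry.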

Activity

Fedor Radzievskiy (fff) created issue.
Fedor Radzievskiy (fff) made changes: Description. The original value lacked the last sentence of the Workaround; the new value is the description shown above, which adds that "h1-case-adjust" and "option h1-case-adjust-bogus-client" must be used in conjunction.
Paul-Adrian Tofan (ptofan) made changes: Assignee, Maria Narcisa Galan [narcisamgalan] -> Roy Lu [roy_lu].
Roy Lu (roy_lu) made changes: Status, Open [1] -> In Progress [3].

People

Assignee: Roy Lu (roy_lu)
Reporter: Fedor Radzievskiy (fff)