[JIRA] (JENKINS-62200) MF Application Automation Tools plugin: violation of RFC7230


fedor.radzievskiy@gmail.com (JIRA)

May 7, 2020, 5:17:02 AM
to jenkinsc...@googlegroups.com
Fedor Radzievskiy created an issue
 
Jenkins / Bug JENKINS-62200
MF Application Automation Tools plugin: violation of RFC7230
Issue Type: Bug
Assignee: Maria Narcisa Galan
Components: hp-application-automation-tools-plugin
Created: 2020-05-07 09:16
Labels: plugin
Priority: Minor
Reporter: Fedor Radzievskiy

The plugin is unable to authenticate to ALM during the "Execute tests using ALM Lab Management" step if the ALM server is behind HAProxy v2.0 or above.

The root cause is that the plugin expects case-sensitive HTTP headers and by doing that violates RFC 7230:
https://tools.ietf.org/html/rfc7230#section-3.2

Each header field consists of a case-insensitive field name followed
by a colon (":"), optional leading whitespace, the field value, and
optional trailing whitespace.

And as we see in the code, there are many places that violate this:

For Set-Cookie header:

For WWW-Authenticate header:

Maybe there are other places and headers as well.

We faced the issue because newer versions of HAProxy (2.0+) now use the new HTTP processing mechanism internally (h2) by default, and because of this all HTTP headers are now lowercased by default. So HAProxy outputs "www-authenticate" instead of the original "WWW-Authenticate", which is perfectly compliant with the RFC, but not with the plugin.

Workaround

There is an HAProxy config option to override this behavior for some headers: https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#3.1-h1-case-adjust
We used it and I can prove that this is a valid workaround.

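The mismatch the report describes, as an added example (not code from the plugin, from the reporter, or from HAProxy): the same constructed ALM-style 401 response is shown once with the header names as an HTTP/1 proxy forwards them and once lowercased as HAProxy 2.0+ emits them. An exact-case lookup finds "WWW-Authenticate" only in the first copy; a map keyed case-insensitively, as RFC 7230 section 3.2 requires, finds it in both. The class name, header values and response lines are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;

/** Added example, not plugin code: why header-name lookups must be case-insensitive. */
public class HeaderLookupDemo {

    // Constructed sample responses. The status line and header values are made up;
    // only the field-name casing differs between the two copies.
    static final String[] RESPONSE_ORIGINAL_CASE = {
        "HTTP/1.1 401 Unauthorized",
        "WWW-Authenticate: Basic realm=\"alm\"",
        "Set-Cookie: SESSION=constructed-example; Path=/; HttpOnly",
        "Content-Length: 0",
    };
    static final String[] RESPONSE_LOWERCASED_BY_PROXY = {
        "HTTP/1.1 401 Unauthorized",
        "www-authenticate: Basic realm=\"alm\"",
        "set-cookie: SESSION=constructed-example; Path=/; HttpOnly",
        "content-length: 0",
    };

    /** Header lines only: skip the status line, stop at the blank line before a body. */
    static List<String> headerLines(String[] response) {
        List<String> lines = new ArrayList<>();
        for (int i = 1; i < response.length && !response[i].isEmpty(); i++) {
            lines.add(response[i]);
        }
        return lines;
    }

    /** Broken pattern: compares the field name with equals(), so "www-authenticate" is missed. */
    static Optional<String> lookupCaseSensitive(String[] response, String name) {
        for (String line : headerLines(response)) {
            int colon = line.indexOf(':');
            if (colon > 0 && line.substring(0, colon).equals(name)) {
                return Optional.of(line.substring(colon + 1).trim());
            }
        }
        return Optional.empty();
    }

    /**
     * RFC 7230 section 3.2: the field name is case-insensitive. A TreeMap ordered by
     * String.CASE_INSENSITIVE_ORDER makes every get() case-insensitive; values are kept
     * as a list because a header such as Set-Cookie may legitimately appear several times.
     */
    static Map<String, List<String>> parseHeaders(String[] response) {
        Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (String line : headerLines(response)) {
            int colon = line.indexOf(':');
            if (colon <= 0) {
                continue; // not a field line; a strict parser would reject the message here
            }
            String name = line.substring(0, colon);
            String value = line.substring(colon + 1).trim();
            headers.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return headers;
    }

    public static void main(String[] args) {
        String[][] samples = {RESPONSE_ORIGINAL_CASE, RESPONSE_LOWERCASED_BY_PROXY};
        for (String[] response : samples) {
            Optional<String> strict = lookupCaseSensitive(response, "WWW-Authenticate");
            Map<String, List<String>> headers = parseHeaders(response);
            System.out.println(response[0] + " as forwarded with header names like: " + response[1].split(":")[0]);
            System.out.println("  exact-case lookup of WWW-Authenticate: " + strict.orElse("<not found>"));
            System.out.println("  RFC 7230 lookup of WWW-Authenticate:   " + headers.get("WWW-Authenticate"));
            System.out.println("  RFC 7230 lookup of Set-Cookie:         " + headers.get("Set-Cookie"));
        }
    }
}
```

Compile and run with `javac HeaderLookupDemo.java && java HeaderLookupDemo`. The exact-case lookup reports the challenge for the first response and "<not found>" for the lowercased one, while the case-insensitive map returns the same values for both; the same fix applies to any client code that compares header names with equals() or keys them in a plain HashMap.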

fedor.radzievskiy@gmail.com (JIRA)

May 7, 2020, 5:24:03 AM
to jenkinsc...@googlegroups.com
Fedor Radzievskiy updated an issue
Change By: Fedor Radzievskiy
The plugin is unable to authenticate to ALM during the "Execute tests using ALM Lab Management" step if the ALM server is behind HAProxy v2.0 or above.

The root cause is that the plugin expects case-sensitive HTTP headers and by doing that violates RFC 7230:
https://tools.ietf.org/html/rfc7230#section-3.2

Each header field consists of a case-insensitive field name followed
by a colon (":"), optional leading whitespace, the field value, and
optional trailing whitespace.

And as we see in the code, there are many places that violate this:

For Set-Cookie header:
- Constant declaration: https://github.com/MicroFocus/performance-center-plugins-common/blob/b045d4f57faef0661588334e7fe71b3a1c77af15/src/main/java/com/microfocus/adm/performancecenter/plugins/common/rest/RESTConstants.java#L29
- Usage: https://github.com/jenkinsci/hpe-application-automation-tools-plugin/blob/f15aeecc59b287e4a678ba6680ec4f41b7f05fbe/src/main/java/com/microfocus/application/automation/tools/rest/RestClient.java#L374

For WWW-Authenticate header:
- Constant declaration: https://github.com/jenkinsci/hpe-application-automation-tools-plugin/blob/f15aeecc59b287e4a678ba6680ec4f41b7f05fbe/src/main/java/com/microfocus/application/automation/tools/sse/sdk/authenticator/RestAuthenticator.java#L45
- Usage: https://github.com/jenkinsci/hpe-application-automation-tools-plugin/blob/f15aeecc59b287e4a678ba6680ec4f41b7f05fbe/src/main/java/com/microfocus/application/automation/tools/sse/sdk/authenticator/RestAuthenticator.java#L230

Maybe there are other places and headers as well.

We faced the issue because newer versions of HAProxy (2.0+) now use the new HTTP processing mechanism internally (h2) by default, and because of this all HTTP headers are now lowercased by default. So HAProxy outputs "www-authenticate" instead of the original "WWW-Authenticate", which is perfectly compliant with the RFC, but not with the plugin.

Workaround

There is an HAProxy config option to override this behavior for some headers: https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#3.1-h1-case-adjust
You should use two HAProxy configuration options in conjunction: "h1-case-adjust" and "option h1-case-adjust-bogus-client".

We used it and I can prove that this is a valid workaround.
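The workaround named above, written out as an added HAProxy 2.0 configuration example (not the reporter's actual configuration). `h1-case-adjust` in the `global` section maps a header name, matched case-insensitively, to the spelling it should be sent with; `option h1-case-adjust-bogus-client` in the frontend applies those mappings to responses sent back to the client, which is what Jenkins is here. The section names, bind address, certificate path and backend address are placeholders.

```haproxy
global
    # Restore the exact spelling the plugin compares against. The first argument is
    # matched case-insensitively, so it also covers "WWW-Authenticate" from an
    # HTTP/1 origin; the second is what gets written on the wire.
    h1-case-adjust www-authenticate WWW-Authenticate
    h1-case-adjust set-cookie Set-Cookie

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend alm_in
    # placeholder listener and certificate path
    bind :443 ssl crt /etc/haproxy/certs/alm.pem
    # Apply the global h1-case-adjust mappings to responses sent to this
    # frontend's clients (the Jenkins plugin). Without this option the
    # mappings defined above are never used.
    option h1-case-adjust-bogus-client
    default_backend alm_servers

backend alm_servers
    # placeholder ALM origin
    server alm1 10.0.0.10:8080 check
```

Only the headers listed with `h1-case-adjust` are restored; every other field name still reaches the client lowercased, so this masks the plugin's comparison bug for the two headers the report identifies rather than fixing it. Check with `haproxy -c -f haproxy.cfg` before reloading, and confirm the result with `curl -sI https://<frontend>/` that the challenge now arrives as `WWW-Authenticate`.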

paul-adrian.tofan@microfocus.com (JIRA)

May 11, 2020, 4:20:03 AM
to jenkinsc...@googlegroups.com

li.lu2@hpe.com (JIRA)

May 11, 2020, 4:27:02 AM
to jenkinsc...@googlegroups.com
Roy Lu commented on Bug JENKINS-62200
 
Re: MF Application Automation Tools plugin: violation of RFC7230

This is not something we could fix at the plugin side. The header is in the response of ALM.

li.lu2@hpe.com (JIRA)

May 11, 2020, 4:36:06 AM
to jenkinsc...@googlegroups.com
Roy Lu edited a comment on Bug JENKINS-62200
This is not something we could fix at the plugin side. The header is in the response of ALM. A ticket should be raised with ALM.