CAS validation issue with synapse

[tyxieblub]

Hello,

Description

It seems there is a problem with how CAS validation is handled in login.py#L420.

Steps to reproduce

• Install and configure CAS 5.1.x (I didn't try with earlier ones)
• Install matrix-synapse
• Configure matrix-synapse to use CAS to connect with service_url: https://matrix.domain
• Try to login!

You'll see it doesn't work and if I'm not mistaken it is because in login.py#L397 we ask for a ticket with a service in the form of https://matrix.domain/_matrix/client/api/v1/login/cas/ticket?redirectUrl=***.
But when we validate the ticket, we only send cas_service_url which lacks the /_matrix/client/api/v1/login/cas/ticket?redirectUrl=*** part so CAS fails the validation saying the ticket was used for another service than the one it was created for.

I don't know if earlier versions were more lenient on validation, but I got it to work by replacing line 420 by this line:

"service": self.cas_service_url + request.uri[:request.uri.find("&ticket")]

But I'm sure there's a better way to do it...

I believe #2404 may be related to this problem.

Version information

• Homeserver: local homeserver

If not matrix.org:

• Version: matrix-synapse 0.24.1-1
• Install method: Debian repository
• Platform: VM on Debian9

[johappel]

same issue

[mijutu]

The problem still exists in matrix-synapse-py3 0.99.2+stretch1

matrix-synapse-0.99.2-CAS-fix.diff.gz

The service URL given to CAS is not supposed to change as long as synapse configuration stays the same, so we can have CasRedirectServlet store the url somewhere and later get it back in CasTicketServlet

[quorak]

This ticket is s old. I came across the same problem. So how are others using cas. It seems impossible to me, or can there be a less strict validation on the cas side?

we should implement the patch though! thanks @mijutu

[mikifus]

I had the same problem. I can confirm the patch works.

[SeaLife]

// EDIT:

After we implemented JSON in our CAS Server, it seems to be working BUT we had to disable the service url validation in our case to get this working. So this Bug is still there.

Why is no one fixing it or applying the provided workaround/fix?

[mijutu]

The old patch didn't apply, so I made a new one.

matrix-synapse-1.5.1-CAS-fix.diff.gz

[richvdh]

so somebody opened a pull request with @mijutu's patch at #5044; however I had questions about it which were never answered so we had to close the PR.

@mijutu: perhaps you could open a PR so that we can work on landing your changes?

[mijutu]

We had a pull request and there richvdh commented that the solution I used was wrong. I think he is correct. If two CAS logins happen at the same time, then users might end up at a wrong url.

Probability of two simultaneous CAS logins is small because CAS is used only at the initial login. Browsers remember access tokens and CAS is rarely used.

Homeserver owners might be able to use my patch for months or years without having issues, but if it's wrong, then it's wrong and shouldn't be merged.

[mijutu]

matrix-synapse-1.7.2-CAS-fix.diff.gz

Here is a better fix for the problem. CasTicketServlet generates the service parameter from synapse config and redirectUrl parameter of the request.

[richvdh]

@mijutu please could you open a PR with your patch so that we can read and discuss it?

[richvdh]

fixed by #6634. Thanks @Naugrimm!