geant / cat

CAT - the Configuration Assistant Tool for Enterprise Wi-Fi networks such as eduroam

License: Other

Makefile 0.07% PHP 49.81% NSIS 30.45% Batchfile 0.01% Shell 0.81% JavaScript 0.30% CSS 0.56% Python 1.10% Assembly 0.07% HTML 14.58% C 1.33% Pascal 0.23% Hack 0.37% Jinja 0.14% C++ 0.17%

cat's People

Contributors

alanbuxey, dependabot[bot], dimitripapadopoulos, dthelegend, elcste, fmauchle, garethayres, ghalse, ikreb7, jamesfromit, janul, jornane, jorschra, lquenti, maarrk, majagw, markusmarkusz, restena-sw, rimas-kudelis, simonflood, springerjack, timoroth, twoln, zhilwis, zmousm

cat's Issues

Skins for end-user UI

The federation admin UI already (rudimentary) allows the selection of different skins; but that configurable value does not have an actual effect on the end-user interface yet.

404 from action_fedcheck

Issue type

  • [x] Defect - Crash/memory corruption.

Detail of issue

Link goes to 404

web/diag/action_fedcheck.php:14

require_once(dirname(dirname(dirname(__FILE__))) . "/web/admin/inc/common.inc.php");

(altered the path to find the file)

'Check their authentication server status' fails

Issue type

  • [x] Defect - Unexpected behaviour (obvious or has been verified by a project member).

How to reproduce issue

Click on 'Check their authentication server status'.

A page loads but only has

"Profiles with sufficient configuration, not marked as visible (C)

Inst Name Profile Name DNS Checks Cert Checks Reachability Checks RADIUS/TLS Checks"

at the top.

Detail of issue

[Fri Aug 11 08:19:56.043597 2017] [:error] [pid 10644] [client 193.62.24.33:63437] PHP Fatal error: Uncaught TypeError: Argument 1 passed to profilechecks() must be an instance of IdP, instance of core\IdP given, called in /opt/CAT/web/diag/action_fedcheck.php on line 198 and defined in /opt/CAT/web/diag/action_fedcheck.php:18
Stack trace:
#0 /opt/CAT/web/diag/action_fedcheck.php(198): profilechecks(Object(core\IdP), Object(core\ProfileRADIUS))
#1 {main}
  thrown in /opt/CAT/web/diag/action_fedcheck.php on line 18, referer: https://cat.govroam.uk/admin/overview_federation.php?

I think that the object being passed is a 'core\IdP' not an 'IdP' but I'm not certain.

XML output decimal point issue in <ProviderLocation>

The XML device can include latitude and longitude information. When outputting the coordinates, these are output in the locale of the installer.

For languages like Greek, this means the numbers have a comma instead of a full stop as decimal separator (i.e. what would be a 5.5 is written to XML as a 5,5).

Localisation is not appropriate at that point; the output should always be with a decimal point not a comma.
Note that all non-numeric elements are localisable and should continue to be.

syntax error

It looks like core/Profile.php was incorrectly merged:
PHP Parse error: syntax error, unexpected '<<' (T_SL) in CAT/core/Profile.php on line 691

Static Configuration Tests - Certificate checking

Issue type

  • [x] Defect - Unexpected behaviour (obvious or has been verified by a project member).

Defect/Feature description

When running the static configuration tests it reports "The server certificate could not be verified to the root CA you configured in your profile!" even though the certificates match.

How to reproduce issue

Install QuoVadis certificate and run the test.

Detail of issue

See attached files containing the CAs as installed in the profile and a TAR of the temporary directory as requested.


cert_tempdir.tar.gz
CAs.tar.gz

Android App can only configure one SSID

Android App for eduroamCAT doesn't install multiple SSIDs when the CAT web interface has such an option enabled.

Defect/Feature description

If you define extra SSIDs on the eduroamCAT interface, the Android App doesn't honour the option
(this is a known issue, just ensuring its captured here rather than only known about in an old email)

Managed IdP link generating HTTP 500 error for new IdP

Defect/Feature description

I have successfully logged into cat-pilot.eduroam.org as an admin for a new IdP called "HEAnet test IdP". But when I click on the "Continue to Managed IdP properties" button I get "HTTP ERROR 500".

How to reproduce issue

Browse directly to the URL of the page that generates this error: https://cat-pilot.eduroam.org/admin/edit_silverbullet.php?inst_id=31

Detail of issue

It's a new IdP that I created today, it is not linked to an entry in the eduroam database. I can confirm that I have "Enable Managed IdP" set to "on" under federation properties in cat-pilot.


Google maps window shows an error

Issue type

  • [x] Defect - Unexpected behaviour (obvious or has been verified by a project member).

Defect/Feature description

The Google Maps aspect shows an error 'Ooops! Something went wrong' on loading the page.

How to reproduce issue

Configure up an institution, go to the management page.

Detail of issue

Javascript console shows:

js:35 Google Maps API error: MissingKeyMapError https://developers.google.com/maps/documentation/javascript/error-messages#missing-key-map-error

Can be fixed by adding &key=XXXXXXXX to web/lib/admin/GeoWidgets.php line 40.

require that support URLs are prefixed with http(s)://

From Alan Buxey:

"small CAT buggette - if the admins haven't defined their URL correctly,
the system doesn't prepend it with http or https - so, for example
Università degli Studi di Siena,

If you encounter problems, then you can obtain direct assistance from
your home organisation at:
WWW: en.unisi.it/eduroam

link takes you to https://cat.eduroam.org/en.unisi.it/eduroam

would suggest that the URL must be checked on entry to start with at
least "http"
"

Needs ~5 LOC around web/lib/admin/OptionParser:356
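The URL check suggested above, written as an added Python example (the project's own code is PHP; this is not from the repository, and the function names are mine). It does what the note asks, rejecting values that do not start with http:// or https://, and adds the check a reviewer would want next to it: because the value ends up inside an href on the end-user page, schemes such as javascript: and quote or angle-bracket characters are refused as well, rather than only looking for an "http" prefix.

```python
from urllib.parse import urlsplit

# Schemes a support link may use. Anything else (javascript:, data:, ftp:,
# or a bare host with no scheme at all) is rejected instead of rendered.
ALLOWED_SCHEMES = ("http", "https")


def validate_support_url(value):
    """Return the cleaned URL, or raise ValueError with the reason.

    The support URL is rendered into an <a href="..."> on the CAT page. A bare
    host such as "en.unisi.it/eduroam" has no scheme, so the browser resolves
    it relative to the CAT site (https://cat.eduroam.org/en.unisi.it/eduroam),
    which is the behaviour reported above.
    """
    if not isinstance(value, str):
        raise ValueError("support URL must be a string")
    value = value.strip()
    # Characters that would let the value break out of the href attribute,
    # plus control characters; refuse them outright.
    if any(ord(c) < 0x20 or c in "\"'<>" for c in value):
        raise ValueError("support URL contains characters not allowed in an href: %r" % value)
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("support URL must start with http:// or https://: %r" % value)
    if not parts.hostname:
        raise ValueError("support URL has no host name: %r" % value)
    return value


def is_valid_support_url(value):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_support_url(value)
        return True
    except ValueError:
        return False
```

Checking the scheme against an allowlist rather than testing for a leading "http" also catches "httpfoo:" style values, and keeps the check in one place if more schemes are ever wanted.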

Poor import checking in generated python script for Linux

Defect description

This import is problematic:

try:
    import dbus
except:
    subprocess.call(['python3'] + sys.argv)
    sys.exit(0)

How to reproduce issue

Run the script on a system on which dbus-python is not installed.

Detail of issue

It keeps creating subprocesses (assuming there is a binary called python3) until the system runs out of memory.
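A version of the fallback that cannot fork-bomb the machine, as an added Python example (this is not code from the generated installer; the marker variable name is an assumption made for the example). The decision is isolated in plan_import_fallback() so the two behaviours can be compared: an environment marker limits the re-exec to a single attempt, the re-exec uses os.execve() so no chain of waiting parent processes builds up, only ImportError is caught (a bare except also swallows KeyboardInterrupt), and a missing python3 binary or a second failure ends in a clear error instead of yet another process. count_spawns() simulates both variants.

```python
import os
import shutil
import sys

# Marker meaning "this interpreter was already started by the fallback".
# The name is an assumption for this example, not something CAT defines.
REEXEC_MARKER = "CAT_INSTALLER_REEXEC"


def plan_import_fallback(have_dbus, environ, python3_path):
    """Decide what to do about a missing dbus module.

    have_dbus     -- whether `import dbus` succeeded in this interpreter
    environ       -- the process environment (any mapping)
    python3_path  -- path to a python3 binary, or None if there is none

    Returns "continue", "reexec" (try once more under python3) or "abort".
    The original snippet effectively always answers "reexec", which is what
    makes it spawn without bound when python3 lacks dbus-python as well.
    """
    if have_dbus:
        return "continue"
    if python3_path is None or environ.get(REEXEC_MARKER) == "1":
        return "abort"
    return "reexec"


def count_spawns(use_marker, dbus_under_python3, limit=1000):
    """Simulate the chain of interpreters started by the fallback.

    Round 0 is the interpreter the user ran the script with (no dbus). Every
    "reexec" starts another python3; whether that one can import dbus is
    given by dbus_under_python3. Returns (interpreters spawned, final action).
    `limit` stands in for the machine running out of memory.
    """
    env = {}
    have_dbus = False
    spawns = 0
    for _ in range(limit):
        action = plan_import_fallback(have_dbus, env if use_marker else {}, "/usr/bin/python3")
        if action != "reexec":
            return spawns, action
        spawns += 1
        env = {REEXEC_MARKER: "1"}
        have_dbus = dbus_under_python3
    return spawns, "still spawning"


def import_dbus_or_reexec():
    """The real fallback: at most one re-exec, and os.execve() replaces the
    current process instead of leaving a parent waiting on each child."""
    try:
        import dbus  # noqa: F401  (only the import matters here)
        return
    except ImportError:  # deliberately not a bare except
        pass
    python3 = shutil.which("python3")
    action = plan_import_fallback(False, os.environ, python3)
    if action == "abort":
        sys.stderr.write("This installer needs the Python dbus bindings (dbus-python); "
                         "install them for python3 and run the script again.\n")
        sys.exit(1)
    env = dict(os.environ)
    env[REEXEC_MARKER] = "1"
    os.execve(python3, [python3] + sys.argv, env)


if __name__ == "__main__":
    import_dbus_or_reexec()
    print("dbus is importable; the installer would continue here")
```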

IdP-Logo-Cache is not correctly cleared

When changing an IdP logo, its cached files don't get deleted. I am not 100% sure whether we have some problem with our installation, but from a quick view it seems that this is a real bug:

Cache invalidation upon logo change is done here:

$logofile = dirname(dirname(__FILE__)) . "/downloads/logos/" . $my_inst->identifier . ".png";

And as far as I can tell the only place where a cached file is used for the web is here

$API->sendLogo($idp, "idp", $width, $height);

(ultimately leading to here:

$logoFile = ROOT . '/web/downloads/logos/' . $identifier . '_' . $width . '_' . $height . '.png';

)

So the filenames are different and the old logo is shown in the disco dialogue. I'm not really sure how to fix it correctly while still being able to offer different sizes. I can only find files of this one size in my downloads/logos folder:

$id_120_40.png

So perhaps one comes around without using some kind of wildcard-file-matching and deleting?
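One way to do the invalidation the poster is asking about, as an added Python example (CAT's code here is PHP; the function and the demo scenario are mine). Instead of a wildcard glob it walks the logo directory and matches names against the two patterns quoted above, `<id>.png` and `<id>_<width>_<height>.png`, for exactly that id, so clearing IdP 12 does not also delete IdP 123's files. It also insists that the identifier is numeric before building any path from it: a value taken from the request that reaches a glob or a file name unvalidated is a path-traversal bug waiting to happen.

```python
import os
import re
import tempfile

# Cache file names seen in the report: "<id>.png" (written on upload) and
# "<id>_<width>_<height>.png" (written by sendLogo for each requested size).
_CACHE_NAME = re.compile(r"^(?P<ident>\d+)(?:_\d+_\d+)?\.png$")


def invalidate_logo_cache(logo_dir, identifier):
    """Delete every cached file for one IdP, whatever sizes were generated.

    The identifier is required to be a plain integer id before it is used in
    any file name; letting "../x" or a glob pattern through would make this
    function remove the wrong files. Returns the sorted removed file names.
    """
    identifier = str(identifier)
    if not identifier.isdigit():
        raise ValueError("IdP identifier must be numeric: %r" % identifier)
    removed = []
    for name in os.listdir(logo_dir):
        m = _CACHE_NAME.match(name)
        if m and m.group("ident") == identifier:
            os.remove(os.path.join(logo_dir, name))
            removed.append(name)
    return sorted(removed)


def demo():
    """Constructed scenario: IdP 12 has its upload and two size variants;
    IdP 123 has one variant that must survive (a prefix match would hit it).
    Returns (removed names, names left in the directory)."""
    with tempfile.TemporaryDirectory() as logo_dir:
        for name in ("12.png", "12_120_40.png", "12_60_20.png", "123_120_40.png", "notes.txt"):
            with open(os.path.join(logo_dir, name), "wb") as fh:
                fh.write(b"\x89PNG stub")  # content is irrelevant here
        removed = invalidate_logo_cache(logo_dir, 12)
        remaining = sorted(os.listdir(logo_dir))
    return removed, remaining
```

Because the match is anchored on the whole file name, the same function also works when further size variants appear later, and it never touches anything that is not a logo cache file.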

'existing IDP' list for admin purpose should be ordered in some way - alphabetically preferably

Issue type

  • [x] New feature request.

Defect/Feature description

current 'Existing IDP' list when registering a new institution is not ordered

How to reproduce issue

click register new institution, select the 'Existing IDP' button

Federation level operator should be able to upload "default" CA

Some federations have a homogeneous certificate landscape: the federation operator may have its own special-purpose CA for all of its clients; or all institutions get certificates from the same commercial CA.
A feature was requested to allow the federation operator to upload the "default root CA" for their federation; every newly created institution would then be primed with that CA during enrollment.

404 from action_fedcheck #2

Issue type

  • [x] Defect - Crash/memory corruption.

Detail of issue

overview_federation not being found in the path

web/diag/action_fedcheck.php:202

(added /admin)

do not warn about key length when the cert key is a ECDH key

  • Defect - Unexpected behaviour (obvious or has been verified by a project member).

From a mail on cat-users by Francesco Malvezzi:

"I have changed the radius certificate with an ECDH cert generated from OpenSSL (prime256v1).

The sanity check CAT tool complains it is too short (< 1024 bits). May I ignore the warning?"

There should not be a warning about key lengths when the key type is ECDH.

404 Error in Overview Federation

Issue type

  • [x] Defect - Crash/memory corruption.

Detail of issue

Link goes to 404

web/admin/overview_federation.php:175

echo "" . sprintf(_("Your federation %s contains the following institutions: (Check their authentication server status)"), '' . $thefed->name . '', "/diag/action_fedcheck.php?fed=" . $thefed->identifier) . "";

(added /diag infront of action_fedcheck.php)

Missing semicolon in Page Decoration

  • [x] Defect - Crash/memory corruption.

Text not aligned properly at the top of pages.

web/lib/admin/PageDecoration.php:169

$retval .= "<div id='secondrow' style='border-bottom:5px solid ".CONFIG['APPEARANCE']['colour1']."; min-height:100px;'>
(Missing semicolon after the closing ")

MS Installer problem

Issue type

  • [x] Defect - Crash/memory corruption.

Defect/Feature description

The MS Device installer fails to build.

How to reproduce issue

Attempt to generate a Windows device installer

Detail of issue

Extraneous text 'home institution' on line 704 of devices/ms/Files/common.inc

Support for NEA / NAC (Network Endpoint Assessment / Network Access Control)

This feature is predominant in enterprise deployments, but some universities are also using this for their own staff/students.
The feature in CAT would only create installers with EAP-based endpoint assessment, and only for NAC software which allows redistribution of the client software.
So far there was only very light interest in such a feature, and it has been given minimal priority.

404 from realmcheck

Issue type

  • [x] Defect - Crash/memory corruption.

Detail of issue

overview_idp not found in path

web/diag/action_realmcheck.php:744

(Added /admin)

Unknown Institution/Unknown Profile in mobileconfig download

Issue type

  • [x] Defect - Unexpected behaviour (obvious or has been verified by a project member).

Defect/Feature description

Unknown Institution/Unknown Profile in mobileconfig installer

How to reproduce issue

Configure up an institution with a name, and a profile with a name.

Download it as a mobileconfig file on an iOS device.

Look at the profile on the device and it lists 'Unknown Institution' and 'Unknown Profile'.

Detail of issue

  • missing 'attributes' function in mobileconfigSuperclass?

Use crypto-safe token generator

$token = sha1(base_convert(rand(0, 10e16), 10, 36)) . sha1(base_convert(rand(0, 10e16), 10, 36));

seems to be some kind of hack. (why rand() and no crypto safe numbers? why explicitly set a maximum? if we don't trust rand() it doesn't really get better by using a hash on top of it and/or using it twice...).

I would propose to change it to either

$token = bin2hex(openssl_random_pseudo_bytes(40, $cryptoStrong)); // the second argument is passed by reference, so it must be a variable, not a literal

(http://php.net/manual/de/function.openssl-random-pseudo-bytes.php)

or (only PHP 7 and above)

$token = bin2hex(random_bytes(40));

(http://php.net/manual/de/function.random-bytes.php)

The string length would still be 80.
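Why hashing the output of rand() twice does not help, shown with an added Python example (not CAT's code). A seeded 16-bit PRNG stands in for PHP's rand(); that range is an assumption chosen so the brute force finishes instantly, since PHP's real rand() range depends on version and platform, and rand() is in any case not designed to be unpredictable. weak_token() mirrors the PHP line; recover_draws() gets the two rand() values back out of the 80-character token by hashing every candidate once, which is all an attacker who can guess the PRNG output needs. The entropy is 2 · log2(range) bits whatever the token's length. strong_token() is the proposed replacement.

```python
import hashlib
import math
import random
import secrets

_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def base36(n):
    """Same output as PHP base_convert($n, 10, 36) for non-negative integers."""
    if n == 0:
        return "0"
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = _B36[r] + out
    return out


def weak_token(rng, max_value):
    """Python mirror of the PHP line under discussion:
    sha1(base_convert(rand(0, max), 10, 36)) . sha1(base_convert(rand(0, max), 10, 36))

    `rng` plays the role of rand(); `max_value` is the largest value it can
    produce. The result is 80 hex characters, but it depends on exactly two
    PRNG outputs, so its entropy is at most 2 * log2(max_value + 1) bits.
    """
    def half():
        return hashlib.sha1(base36(rng.randint(0, max_value)).encode()).hexdigest()
    return half() + half()


def effective_entropy_bits(max_value):
    """Upper bound on the entropy of weak_token() for this rand() range."""
    return 2 * math.log2(max_value + 1)


def recover_draws(token, max_value):
    """Brute-force the two rand() outputs behind a weak token: hash every
    candidate once and look both halves up. Returns (n1, n2), None where no
    candidate matched (as for a token that really came from a CSPRNG)."""
    table = {}
    for n in range(max_value + 1):
        table[hashlib.sha1(base36(n).encode()).hexdigest()] = n
    return table.get(token[:40]), table.get(token[40:])


def strong_token():
    """The proposed replacement: 40 bytes from the OS CSPRNG, hex-encoded,
    same 80-character length. PHP equivalent: bin2hex(random_bytes(40))."""
    return secrets.token_hex(40)


class _RecordingRng:
    """Wraps a PRNG and records its outputs so the recovery can be checked."""
    def __init__(self, rng):
        self.rng, self.draws = rng, []

    def randint(self, lo, hi):
        n = self.rng.randint(lo, hi)
        self.draws.append(n)
        return n


def demo_weak(seed=20170811, bits=16):
    """Constructed scenario: a seeded PRNG with a `bits`-bit output space
    stands in for rand(). Returns (token, (n1, n2), max_value)."""
    rng = _RecordingRng(random.Random(seed))
    max_value = 2 ** bits - 1
    token = weak_token(rng, max_value)
    return token, tuple(rng.draws), max_value
```

With a 16-bit stand-in the whole space is 65,536 hashes per half; a larger real range only makes the table bigger, it does not change the fact that the hash adds no unpredictability of its own.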

SAML ID causing errors #2

Issue type

  • [x] Defect - Unexpected behaviour (obvious or has been verified by a project member).

Defect/Feature description

Javascript doesn't popup with the Unique ID when clicking on the:
"Unique Identifier click to display" link

How to reproduce issue

Sign in with a UK Federation account. Click the link.
edit_federation fails

Defect/Feature description

When saving changes to the Federation data, an exception is called.

How to reproduce issue

Edit federation details

Detail of issue

The following exception appears in the log:
PHP Fatal error: Uncaught TypeError: Argument 4 passed to web\lib\admin\OptionParser::sendOptionsToDatabase() must be of the type string, null given, called in /opt/www/CAT-t/web/lib/admin/OptionParser.php on line 394 and defined in /opt/www/CAT-t/web/lib/admin/OptionParser.php:198
Stack trace:
#0 /opt/www/CAT-t/web/lib/admin/OptionParser.php(394): web\lib\admin\OptionParser->sendOptionsToDatabase(Object(core\Federation), Array, Array, NULL, 0)
#1 /opt/www/CAT-t/web/admin/edit_federation_result.php(38): web\lib\admin\OptionParser->processSubmittedFields(Object(core\Federation), Array, Array, Array)
#2 {main}
  thrown in /opt/www/CAT-t/web/lib/admin/OptionParser.php on line 198, referer: https://cat.eduroam.pl/trunk/admin/edit_federation.php

Missing user information

Issue type

  • [x] Defect - Crash/memory corruption.

Detail of issue

Information about users missing.

web/admin/edit_user.php line 45:

echo $optionDisplay->prefilledOptionTable("user");

(addition of the $optionDisplay->)

Locations all listed as 'Location 1' on a profile

Issue type

  • [x] Defect - Unexpected behaviour (obvious or has been verified by a project member).

Defect/Feature description

List of locations on 'Editing IdP Information' displays the wrong information. All are listed as 'Location 1'.

How to reproduce issue

Create multiple locations for the same profile

Detail of issue

List of locations on 'Editing IdP Information' displays the wrong information. All are listed as 'Location 1'. This is because OptionDisplay/optiontext sets the allLocationCount to 0 each time it's called. This variable needs to be outside of the loop somehow.

Request to be able to send email through MTA with self-signed cert

Issue type

  • [x] New feature request.

Defect/Feature description

It would be handy, at least during the initial setup process of the CAT, to be able to send email through a server with a self-signed certificate.

Detail of issue

Adding something like

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);

at about line 180 of web/admin/inc/sendinvite.inc.php could do it.
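The settings above do more than accept one self-signed certificate: verify_peer => false switches certificate validation off for every connection, so any host that can get between CAT and the MTA can present its own certificate and read or rewrite the invitation mails, including the enrolment tokens they carry. The alternative that keeps verification on is to pin the MTA's own certificate as the trust anchor (in PHPMailer terms, SMTPOptions['ssl']['cafile'] pointing at the MTA's certificate, with verify_peer left at its default). The two settings are contrasted below as an added Python example using smtplib/ssl; it is not the project's PHP and the function names are mine.

```python
import smtplib
import ssl


def insecure_context():
    """Python equivalent of the PHPMailer options above (verify_peer=false,
    verify_peer_name=false, allow_self_signed=true): the client accepts any
    certificate, including one presented by a machine in the middle."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_client_context():
    """Baseline: certificate required and host name checked (the defaults of
    PROTOCOL_TLS_CLIENT), and nothing older than TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pinned_context(mta_cert_pem):
    """Trust the MTA's self-signed certificate specifically: verification
    stays on, the trust store is just that one PEM file. Any other
    certificate, self-signed or not, fails the handshake."""
    ctx = strict_client_context()
    ctx.load_verify_locations(cafile=mta_cert_pem)
    return ctx


def describe(ctx):
    """What a context enforces, for comparing the two settings."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def send_invite(host, port, context, sender, recipient, message):
    """STARTTLS with the given context; with pinned_context() a wrong
    certificate makes starttls() raise instead of the mail being sent."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.starttls(context=context)
        smtp.sendmail(sender, [recipient], message)
```

Pinning costs one extra file on the CAT host and has to be updated when the MTA's certificate is renewed; in exchange the setup-time convenience does not turn into a permanent hole once the instance goes live.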

Email failing to send fails to generate error

Issue type

  • [x] Defect - Unexpected behaviour (obvious or has been verified by a project member).

Defect/Feature description

Check for failed send at the end of web/admin/inc/sendinvite.inc.php doesn't appear to work.

How to reproduce issue

Configure receiving MTA to reject an email.

Invite a new institution administrator.

CAT reports that the email has been sent, but it hasn't.

Detail of issue

Check for failed send at the end of web/admin/inc/sendinvite.inc.php doesn't appear to work.
If additional logging is added then it can be seen that errors are produced but the code doesn't appear to
be able to recognise them and deal with them.

basic.php calls locateUser() even if GEOIP is turned off (CAT 1.1.4)

When using a mobile browser we get

[Mon Jan 22 10:49:48.516235 2018] [:error] [pid 15106] [client snip:47599] PHP Fatal error:  Uncaught Error: Call to undefined function geoip_record_by_name() in /var/www/CAT-1.1.4/core/UserAPI.php:487
Stack trace:
#0 /var/www/CAT-1.1.4/web/basic.php(76): UserAPI->locateUser()
#1 /var/www/CAT-1.1.4/web/basic.php(382): SimpleGUI->__construct()
#2 {main}
  thrown in /var/www/CAT-1.1.4/core/UserAPI.php on line 487, referer: https://cat.eduroam.de/basic.php?idp=SNIP&profile=SNIP

(php-geoip was not installed)
although we have GEOIP support turned off:

#> cat config/config.php
[...]
    public static $GEOIP = array(
        'version' => 0,
        'geoip2-path-to-autoloader' => '/usr/share/GeoIP2/vendor/autoload.php',
        'geoip2-path-to-db' => '/usr/share/GeoIP2/DB/GeoLite2-City.mmdb',
    );
[...]

I think the error is also a problem for people using geoip version 2, because in web/basic.php locateUser() is always called, which is the hardcoded version for geoip version 1:

        if(isset($_REQUEST['country']) && $_REQUEST['country']) {
            $countryTest = strtoupper($_REQUEST['country']);
        } else {
            $L = $this->locateUser();
            if( $L['status'] == 'ok' ) {
                $countryTest = strtoupper($L['country']);
            } else {
                debug(2, "No coutry provided and unable to locate the address\n");
                $countryTest='NONE';
            }
        }

I fixed it for now by just installing php-geoip. I don't see a huge problem abandoning the support for running without geoip.

Realm Check: warnings in logs

Issue type

  • [x] Defect - Unexpected behaviour (obvious or has been verified by a project member).

How to reproduce issue

Perform a static connection test for a realm

Detail of issue

Whilst it all appears to work, these messages appear in the logs:

[Tue Mar 06 10:55:48.475520 2018] [:error] [pid 1425] [client 193.62.24.33:41912] PHP Notice: Undefined index: CN in /opt/CAT/core/diag/RADIUSTests.php on line 646, referer: https://cat-beta.govroam.uk/diag/action_realmcheck.php?inst_id=3&profile_id=5
[Tue Mar 06 10:55:48.475600 2018] [:error] [pid 1425] [client 193.62.24.33:41912] PHP Notice: Undefined index: sAN_DNS in /opt/CAT/core/diag/RADIUSTests.php on line 646, referer: https://cat-beta.govroam.uk/diag/action_realmcheck.php?inst_id=3&profile_id=5
[Tue Mar 06 10:55:48.475668 2018] [:error] [pid 1425] [client 193.62.24.33:41912] PHP Notice: Undefined index: CN in /opt/CAT/core/diag/RADIUSTests.php on line 647, referer: https://cat-beta.govroam.uk/diag/action_realmcheck.php?inst_id=3&profile_id=5
[Tue Mar 06 10:55:48.475682 2018] [:error] [pid 1425] [client 193.62.24.33:41912] PHP Warning: array_search() expects parameter 2 to be array, null given in /opt/CAT/core/diag/RADIUSTests.php on line 647, referer: https://cat-beta.govroam.uk/diag/action_realmcheck.php?inst_id=3&profile_id=5


no ChromeOS support for eduroam-as-a-service

With the current ChromeOS release (tested v54) it does not appear to load a client certificate for Wi-Fi use in an ONC file. Attaching a screenshot which complains "User certificate must be hardware-backed". The (software) client certificate itself is installed, it is selectable from the drop-down. It is, simply put, not good enough for Chrome's thinking.

(screenshot attached: chromeos)

Personally I think it's /very/ unreasonable to require hardware backing for a user certificate.

Unless Google/Chromium developers change their mindset, or we find a workaround, we won't be able to support eduroam-as-a-service on that platform.

SAML ID causing errors #1

Issue type

  • [x] Defect - Crash/memory corruption.

Defect/Feature description

An error is generated when enrolling a new admin if they have a strangely formed ID.

How to reproduce issue

Login with a UK Federation ID. Enter invitation token.

Detail of issue

PHP Fatal error: Uncaught Exception: Input validation error: The user identifier is not an ASCII string! in /opt/CAT/web/lib/common/InputValidation.php:247
Stack trace:
#0 /opt/CAT/web/admin/action_enrollment.php(86): web\lib\common\InputValidation->User(Object(SAML2\XML\saml\NameID))
#1 {main}
  thrown in /opt/CAT/web/lib/common/InputValidation.php on line 247

'Institution' replacement

Issue type

  • [x] New feature request.

Feature description

The word 'institution' is associated more with academia than the commercial or public sector. Being able to replace this with a different word (such as 'organisation') would be useful.

404 when sending email with an invalid email address

Issue type

  • [x] Defect - Crash/memory corruption.

Defect/Feature description

When sending an email a 404 is returned if an invalid email address is used.

How to reproduce issue

Invite a new institution with an email address of 'd'.

Detail of issue

[Wed Aug 16 15:08:57.016702 2017] [:error] [pid 19179] [client 193.62.24.33:40481] PHP Fatal error: Uncaught Exception: sendinvite: The supplied value for email address is not a valid mail address! in /opt/CAT/web/admin/inc/sendinvite.inc.php:37
Stack trace:
#0 {main}
  thrown in /opt/CAT/web/admin/inc/sendinvite.inc.php on line 37, referer: https://cat-beta.govroam.uk/admin/overview_federation.php?

remind authenticated users which IdP they used to log in

People sometimes forget which of the IdPs they logged in with. When logging in with a different alter ego, they are told that they are not managing any institutions, and get confused.

To reduce load on NROs, there should be a reminder function: a (yet unauthenticated) user provides the mail address he signed up with, and if found in the system, is being emailed the IdP he or she logged in with.

This does not reveal actual usernames or passwords, only the entityID of the IdP used, and only to the requester.

Caveats:

  • there are circumstances where users are invited with non-email medium; the system might then not know their email addresses at all

  • displaying the entityID is not a very readable form. entity Display Name would be nicer, but requires parsing of SAML metadata. First implement feature without going this extra mile.


allow IdP to force HTTP/HTTPS proxy settings

I'm opening this issue from a feature request we received both via email and during eduroam meetings, adding some background to explain the dangerousness/evilness of it :-)

As eduroam users roam around the planet, they get access to the local Service Provider's network. That network has its own characteristics; we suggest that the network should be just "open internet".

In some jurisdictions, this poses problems to some user groups. Particularly in countries where eduroam is also a service offered to school pupils, there is sometimes a regulatory requirement to not allow unfiltered access to the internet for underage pupils.

The solution is to send the user traffic through a web proxy and filter undesired content. The problem though is that a majority of Service Providers do not deploy content filtering proxies. However, as soon as a pupil has an eduroam account, all SPs world-wide are available for use.

A straightforward, if slightly naive, argument that is sometimes brought up is: "but that same pupil has a cell phone and gets unfiltered access anyway." That may be true or not, but it's also irrelevant: where a regulatory requirement exists, it needs to be satisfied. The cell phone provider has to do the same as the Wi-Fi provider. Maybe the cell provider does not, but then that's their own legal problem. As a Wi-Fi provider, the safe legal option is to keep the own infrastructure clean, irrespective of other channels.

So, if required to satisfy the filtering requirement, four options are available:

a) exclude pupils from eduroam altogether
b) force every SP to implement a content filter proxy, and put such users into a filtered VLAN [requires signalling IdP -> SP "this is a person requiring filtering"]
c) allow SPs to signal to IdP that pupil is about to log into an unfiltered internet access, so that IdP can fail authentication [usability issues, requires signalling SP -> IdP "I do not filter"]
d) configure pupil's device so that a pinned proxy server is used, regardless of Service Provider

b) and c) are not likely to work as they require upgrades to the authentication fabric at all leaves of the infrastructure.
a) is always an option, but is an effective DoS to a large population of potential users

CAT 2.0 is going to implement d). It is not possible to do this perfectly; the following caveats apply:

  1. The solution leads to long response times for web traffic because all traffic is first routed to an IdP-side proxy and then back
  2. Downtimes of the proxy mean a DoS to the user regardless of his actual location. You are adding a new point of possible failure.
  3. The proxy needs to be world-reachable on a port not typically filtered.
  4. This is just configuration: a savvy user can always remove the proxy server configuration by hand after installation
  5. If enough users are unhappy with the configuration as shipped, they might seek other ways of configuring the device; possibly in an insecure way by scrubbing all the vital security parameters contained in the configuration

As an IdP, you should think long and hard if you /really/ need this. Possibly a form signed by parents, waiving liability for you, could also do the trick? Solving this issue in a non-technical way is definitely the wiser option.

Only for cases where an IdP really thinks the only way to solve this problem is a forced HTTP/HTTPS proxy configuration, we are implementing this feature - this becomes a "Media" configuration option. We'll keep this issue updated to report which devices get the support and which are problematic.

Linux/wpa_supplicant: wired support

The wired support on Linux with NetworkManager seems to be tricky. The issue is that once a port is configured for .1X security, it will not function any more in an open unauthenticated port.

fedadmin option overwritten in DB

Issue type

  • [x] Defect - Unexpected behaviour (obvious or has been verified by a project member).

Defect/Feature description

'Save Data' in Management of User details removed any fedadmin attributes.

How to reproduce issue

Add a user as a federation administrator (insert via DB)

Go to their profile and 'Save Data'

They're no longer a federation admin

Detail of issue

Saving the data appears to only save the displayed data (and deletes what's currently there, including the fedadmin option).
