geant / cat
CAT - the Configuration Assistant Tool for Enterprise Wi-Fi networks such as eduroam
License: Other
Questions about the eduroamCAT or its usage should be sent to the users mailing list.
[ ] Defect - Crash/memory corruption.
[ ] Defect - Non-compliance with a standards document or incorrect OS API usage.
[X] Defect - Unexpected behaviour (obvious or has been verified by a project member).
[ ] New feature request.
When running the static configuration tests it reports "The server certificate could not be verified to the root CA you configured in your profile!" even though the certificates match.
Install QuoVadis certificate and run the test.
See attached files containing the CAs as installed in the profile and a TAR of the temporary directory as requested.
overview_idp not found in path
web/diag/action_realmcheck.php:744
(Added /admin)
Javascript doesn't popup with the Unique ID when clicking on the:
"Unique Identifier click to display" link
Sign in with a UK Federation account. Click the link.
This feature is predominant in enterprise deployments, but some universities are also using this for their own staff/students.
The feature in CAT would only create installers with EAP-based endpoint assessment, and only for NAC software which allows redistribution of the client software.
So far there was only very light interest in such a feature, and it has been given minimal priority.
The XML device can include latitude and longitude information. When outputting the coordinates, these are output in the locale of the installer.
For languages like Greek, this means the numbers have a comma instead of a full stop as decimal separator (i.e. what would be a 5.5 is written to XML as a 5,5).
Localisation is not appropriate at that point; the output should always be with a decimal point not a comma.
Note that all non-numeric elements are localisable and should continue to be.
The admin UI allows configuring a name and logo for the federation. There is currently no reserved screen estate on the end-user download UI for this new customisation.
Some federations have a homogeneous certificate landscape: the federation operator may have its own special-purpose CA for all of its clients; or all institutions get certificates from the same commercial CA.
A feature was requested to allow the federation operator to upload the "default root CA" for their federation; every newly created institution would then be primed with that CA during enrollment.
I have successfully logged into cat-pilot.eduroam.org as an admin for a new IdP called "HEAnet test IdP". But when I click on the "Continue to Managed IdP properties" button I get "HTTP ERROR 500".
Browse directly to the URL of the page that generates this error: https://cat-pilot.eduroam.org/admin/edit_silverbullet.php?inst_id=31
It's a new IdP that I created today, it is not linked to an entry in the eduroam database. I can confirm that I have "Enable Managed IdP" set to "on" under federation properties in cat-pilot.
This actually exists, but is not the default. Since it slightly complicates the user experience, it's not an easy decision to make the switch.
When using a mobile browser we get
[Mon Jan 22 10:49:48.516235 2018] [:error] [pid 15106] [client snip:47599] PHP Fatal error: Uncaught Error: Call to undefined function geoip_record_by_name() in /var/www/CAT-1.1.4/core/UserAPI.php:487\nStack trace:\n#0 /var/www/CAT-1.1.4/web/basic.php(76): UserAPI->locateUser()\n#1 /var/www/CAT-1.1.4/web/basic.php(382): SimpleGUI->__construct()\n#2 {main}\n thrown in /var/www/CAT-1.1.4/core/UserAPI.php on line 487, referer: https://cat.eduroam.de/basic.php?idp=SNIP&profile=SNIP
(php-geoip was not installed)
although we have GEOIP support turned off:
#> cat config/config.php
[...]
public static $GEOIP = array(
    'version' => 0,
    'geoip2-path-to-autoloader' => '/usr/share/GeoIP2/vendor/autoload.php',
    'geoip2-path-to-db' => '/usr/share/GeoIP2/DB/GeoLite2-City.mmdb',
);
[...]
I think the error is also a problem for people using geoip version 2, because web/basic.php always calls locateUser(), which is the hardcoded version for geoip version 1:
if(isset($_REQUEST['country']) && $_REQUEST['country']) {
    $countryTest = strtoupper($_REQUEST['country']);
} else {
    $L = $this->locateUser();
    if( $L['status'] == 'ok' ) {
        $countryTest = strtoupper($L['country']);
    } else {
        debug(2, "No country provided and unable to locate the address\n");
        $countryTest='NONE';
    }
}
I fixed it for now by just installing php-geoip. I don't see a huge problem abandoning the support for running without geoip.
Link goes to 404
web/admin/overview_federation.php:175
echo "" . sprintf(_("Your federation %s contains the following institutions: (Check their authentication server status)"), '' . $thefed->name . '', "/diag/action_fedcheck.php?fed=" . $thefed->identifier) . "";
(added /diag in front of action_fedcheck.php)
overview_federation not being found in the path
web/diag/action_fedcheck.php:202
(added /admin)
The federation admin UI already (rudimentary) allows the selection of different skins; but that configurable value does not have an actual effect on the end-user interface yet.
from cat-users:
"the changelog/release notes should be available as a link from the CAT page "
It would be handy, at least during the initial setup process of the CAT, to be able to send email through a server with a self-signed certificate.
Adding something like
$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);
at about line 180 of web/admin/inc/sendinvite.inc.php could do it.
The MS Device installer fails to build.
Attempt to generate a Windows device installer
Extraneous text 'home institution' on line 704 of devices/ms/Files/common.inc
Click on 'Check their authentication server status'.
A page loads but only has
"Profiles with sufficient configuration, not marked as visible (C)
Inst Name Profile Name DNS Checks Cert Checks Reachability Checks RADIUS/TLS Checks"
at the top.
[Fri Aug 11 08:19:56.043597 2017] [:error] [pid 10644] [client 193.62.24.33:63437] PHP Fatal error: Uncaught TypeError: Argument 1 passed to profilechecks() must be an instance of IdP, instance of core\IdP given, called in /opt/CAT/web/diag/action_fedcheck.php on line 198 and defined in /opt/CAT/web/diag/action_fedcheck.php:18\nStack trace:\n#0 /opt/CAT/web/diag/action_fedcheck.php(198): profilechecks(Object(core\IdP), Object(core\ProfileRADIUS))\n#1 {main}\n thrown in /opt/CAT/web/diag/action_fedcheck.php on line 18, referer: https://cat.govroam.uk/admin/overview_federation.php?
I think that the object being passed is a 'core\IdP' not an 'IdP' but I'm not certain.
When saving changes to the Federation data, an exception is thrown.
Edit federation details
The following exception appears in the log:
PHP Fatal error: Uncaught TypeError: Argument 4 passed to web\lib\admin\OptionParser::sendOptionsToDatabase() must be of the type string, null given, called in /opt/www/CAT-t/web/lib/admin/OptionParser.php on line 394 and defined in /opt/www/CAT-t/web/lib/admin/OptionParser.php:198\nStack trace:\n#0 /opt/www/CAT-t/web/lib/admin/OptionParser.php(394): web\lib\admin\OptionParser->sendOptionsToDatabase(Object(core\Federation), Array, Array, NULL, 0)\n#1 /opt/www/CAT-t/web/admin/edit_federation_result.php(38): web\lib\admin\OptionParser->processSubmittedFields(Object(core\Federation), Array, Array, Array)\n#2 {main}\n thrown in /opt/www/CAT-t/web/lib/admin/OptionParser.php on line 198, referer: https://cat.eduroam.pl/trunk/admin/edit_federation.php
When changing an IdP logo, its cached files don't get deleted. I am not 100% sure if we have some problem with our installation, but from a quick view it seems that this is a real bug:
Cache invalidation upon logo change is done here:
CAT/web/admin/edit_idp_result.php
Line 73 in 17bffec
And as far as I can tell the only place where a cached file is used for the web is here
Line 135 in 91a84b1
(ultimately leading to here:
Line 352 in 91a84b1
)
So the filenames are different and the old logo is shown in the disco-dialogue. I'm not really sure how to fix it correctly while still being able to offer different sizes. I can only find files of this one size in my downloads/logo-folder:
$id_120_40.png
So perhaps one comes around without using some kind of wildcard-file-matching and deleting?
This import is problematic:
try:
    import dbus
except:
    subprocess.call(['python3'] + sys.argv)
    sys.exit(0)
Run the script on a system on which dbus-python is not installed.
It keeps creating subprocesses (assuming there is a binary called python3) until the system runs out of memory.
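The runaway described in this report comes from the fallback re-executing the script unconditionally: every child also fails the import and spawns another child. As an added example (not the CAT installer's own code), the function below implements the same "retry under python3" fallback but marks the child with a hypothetical environment variable, CAT_REEXEC_DONE, so that the second attempt fails loudly instead of forking again; it also only reacts to ImportError rather than swallowing every exception. simulate_loop drives it with a fake runner that counts how many processes would have been started.

```python
import os
import subprocess
import sys

# Constructed example, not the CAT Linux installer's own code.
# Hypothetical environment variable used as a "we already re-executed once" marker.
REEXEC_GUARD = "CAT_REEXEC_DONE"


def import_or_reexec(module_name, argv, environ=None, runner=subprocess.call,
                     interpreter="python3"):
    """Import module_name; if it is missing, re-run argv under `interpreter` once.

    Returns None when the import succeeded (caller continues normally) or the
    child's exit status when the script was re-executed.  A second attempt with
    the guard already set raises SystemExit instead of spawning yet another
    child, which is what stops the runaway-subprocess loop.
    """
    env = dict(os.environ if environ is None else environ)
    try:
        __import__(module_name)
        return None
    except ImportError:  # only a missing module triggers the fallback, not every error
        pass
    if env.get(REEXEC_GUARD) == "1":
        raise SystemExit(
            "%s is not available for %s either; install it instead of retrying"
            % (module_name, interpreter))
    env[REEXEC_GUARD] = "1"
    return runner([interpreter] + list(argv), env=env)


def simulate_loop(module_name, max_rounds=10):
    """Drive import_or_reexec with a fake runner that 'starts the child' by
    calling import_or_reexec again, and count the processes that would be
    spawned.  With the guard this is 1 for a missing module and 0 for a
    present one; the unguarded original would recurse until max_rounds."""
    spawned = []

    def fake_runner(cmd, env):
        spawned.append(cmd)
        if len(spawned) >= max_rounds:
            return 1
        try:
            return import_or_reexec(module_name, cmd[1:], environ=env,
                                    runner=fake_runner)
        except SystemExit:
            return 1

    try:
        import_or_reexec(module_name, ["installer.py"], environ={},
                         runner=fake_runner)
    except SystemExit:
        pass
    return len(spawned)


if __name__ == "__main__":
    print("processes spawned for a missing module:",
          simulate_loop("dbus_module_missing_for_this_example"))
    print("processes spawned when the module is present:", simulate_loop("os"))
```

The guard travels in the child's environment rather than in a file or a command-line flag, so it survives the re-exec without touching sys.argv and disappears when the process tree exits.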
The Google Maps aspect shows an error 'Ooops! Something went wrong' on loading the page.
Configure up an institution, go to the management page.
Javascript console shows:
js:35 Google Maps API error: MissingKeyMapError https://developers.google.com/maps/documentation/javascript/error-messages#missing-key-map-error
Can be fixed by adding &key=XXXXXXXX to web/lib/admin/GeoWidgets.php line 40.
People sometimes forget which of the IdPs they logged in with. When logging in with a different alter ego, they are told that they are not managing any institutions, and get confused.
To reduce load on NROs, there should be a reminder function: a (yet unauthenticated) user provides the mail address he signed up with, and if found in the system, is being emailed the IdP he or she logged in with.
This does not reveal actual usernames or passwords, only the entityID of the IdP used, and only to the requester.
Caveats:
there are circumstances where users are invited with non-email medium; the system might then not know their email addresses at all
displaying the entityID is not a very readable form. entity Display Name would be nicer, but requires parsing of SAML metadata. First implement feature without going this extra mile.
New feature request.
From Alan Buxey:
"small CAT buggette - if the admins haven't defined their URL correctly,
the system doesn't prepend it with http or https - so, for example
Università degli Studi di Siena,
If you encounter problems, then you can obtain direct assistance from
you home organisation at:
WWW: en.unisi.it/eduroam
link takes you to https://cat.eduroam.org/en.unisi.it/eduroam
would suggest that the URL must be checked on entry to start with at
least "http"
"
Needs ~5 LOC around web/lib/admin/OptionParser:356
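The check Alan asks for, as an added example that is not CAT's OptionParser code: a value without a scheme (the "en.unisi.it/eduroam" case) is a relative path from the browser's point of view, so it either gets rejected or, if the caller opts in with the assume_https flag (an assumption made for this example, not a CAT policy), is prefixed with "https://". Anything that is not http or https is rejected outright, which also keeps non-web schemes out of the support-contact link.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example; the function name and the assume_https flag are this
# example's own, not CAT's.
ALLOWED_SCHEMES = ("http", "https")


def normalise_support_url(value, assume_https=False):
    """Validate an admin-entered support URL.

    Returns an absolute http(s) URL, or None when the value should be rejected.
    A bare host/path such as "en.unisi.it/eduroam" has no scheme, so a browser
    treats it as a path relative to the CAT site; it is rejected unless
    assume_https=True, in which case "https://" is prepended.  Any scheme other
    than http or https is rejected, as is a URL without a host.
    """
    value = (value or "").strip()
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme:
        if not assume_https:
            return None
        parts = urlsplit("https://" + value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return urlunsplit((parts.scheme.lower(), parts.netloc, parts.path,
                       parts.query, parts.fragment))


if __name__ == "__main__":
    for sample in ("en.unisi.it/eduroam", "http://example.org/eduroam/help",
                   "mailto:help@example.org"):
        print(repr(sample), "->", normalise_support_url(sample, assume_https=True))
```

Doing this once at input time, as the report suggests, is simpler than fixing up the value everywhere it is rendered into an installer or a web page.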
For better integration and visibility of NROs, the installers should show the federation logo and name where appropriate, together with the institution one.
Windows introduced PassPoint support with Windows 10, see:
https://msdn.microsoft.com/en-us/library/windows/desktop/mt297479(v=vs.85).aspx
When an admin wishes Hotspot 2/ ConsortiumOI support, the appropriate XML tags should be added to Win10 installers.
Android App for eduroamCAT doesn't install multiple SSIDs when the CAT web interface has such an option enabled.
If you define extra SSIDs on the eduroamCAT interface, the Android App doesn't honour the option
(this is a known issue, just ensuring its captured here rather than only known about in an old email)
The wired support on Linux with NetworkManager seems to be tricky. The issue is that once a port is configured for .1X security, it will not function any more in an open unauthenticated port.
overview_user not found in path
web/lib/admin/PageDecoration.php:33
" . _("Go to your Profile page") . "
(Added /admin)
It looks like core/Profile.php was incorrectly merged
PHP Parse error: syntax error, unexpected '<<' (T_SL) in CAT/core/Profile.php on line 691
[X] Defect - Unexpected behaviour (obvious or has been verified by a project member).
Perform a static connection test for a realm
Whilst it all appears to work, these messages appear in the logs:
[Tue Mar 06 10:55:48.475520 2018] [:error] [pid 1425] [client 193.62.24.33:41912] PHP Notice: Undefined index: CN in /opt/CAT/core/diag/RADIUSTests.php on line 646, referer: https://cat-beta.govroam.uk/diag/action_realmcheck.php?inst_id=3&profile_id=5
[Tue Mar 06 10:55:48.475600 2018] [:error] [pid 1425] [client 193.62.24.33:41912] PHP Notice: Undefined index: sAN_DNS in /opt/CAT/core/diag/RADIUSTests.php on line 646, referer: https://cat-beta.govroam.uk/diag/action_realmcheck.php?inst_id=3&profile_id=5
[Tue Mar 06 10:55:48.475668 2018] [:error] [pid 1425] [client 193.62.24.33:41912] PHP Notice: Undefined index: CN in /opt/CAT/core/diag/RADIUSTests.php on line 647, referer: https://cat-beta.govroam.uk/diag/action_realmcheck.php?inst_id=3&profile_id=5
[Tue Mar 06 10:55:48.475682 2018] [:error] [pid 1425] [client 193.62.24.33:41912] PHP Warning: array_search() expects parameter 2 to be array, null given in /opt/CAT/core/diag/RADIUSTests.php on line 647, referer: https://cat-beta.govroam.uk/diag/action_realmcheck.php?inst_id=3&profile_id=5
Link goes to 404
web/diag/action_fedcheck.php:14
require_once(dirname(dirname(dirname(__FILE__))) . "/web/admin/inc/common.inc.php");
(altered the path to find the file)
Unknown Institution/Unknown Profile in mobileconfig installer
Configure up an institution with a name, and a profile with a name.
Download it as a mobileconfig file on an iOS device.
Look at the profile on the device and it lists 'Unknown Institution' and 'Unknown Profile'.
'Save Data' in Management of User details removed any fedadmin attributes.
Add a user as a federation administrator (insert via DB)
Go to their profile and 'Save Data'
They're no longer a federation admin
Saving the data appears to only save the displayed data (and deletes what's currently there, including the fedadmin option).
Check for failed send at the end of web/admin/inc/sendinvite.inc.php doesn't appear to work.
Configure receiving MTA to reject an email.
Invite a new institution administrator.
CAT reports that the email has been sent, but it hasn't.
If additional logging is added then it can be seen that errors are produced, but the code doesn't appear to be able to recognise them and deal with them.
An error is generated when enrolling a new admin if they have a strangely formed ID.
Login with a UK Federation ID. Enter invitation token.
PHP Fatal error: Uncaught Exception:
Input validation error: The user identifier is not an ASCII string!
in /opt/CAT/web/lib/common/InputValidation.php:247\nStack trace:\n#0 /opt/CAT/web/admin/action_enrollment.php(86): web\lib\common\InputValidation->User(Object(SAML2\XML\saml\NameID))\n#1 {main}\n thrown in /opt/CAT/web/lib/common/InputValidation.php on line 247
Starting from PHP 7.1, unset($this) causes a fatal error (see the PHP RFC). There are two instances (I think), in core/IDP.php:230 and in core/AbstractProfile.php:360.
Information about users missing.
web/admin/edit_user.php line 45:
echo $optionDisplay->prefilledOptionTable("user");
(addition of the $optionDisplay->)
This appears to be impossible until NetworkManager provides a D-BUS API call for that. Corresponding documentation would probably be at:
https://developer.gnome.org/NetworkManager/stable/ref-settings.html
once that happens.
The word 'institution' is associated more with academia than the commercial or public sector. Being able to replace this with a different word (such as 'organisation') would be useful.
With the current ChromeOS release (tested v54) it does not appear to load a client certificate for Wi-Fi use in an ONC file. Attaching a screenshot which complains "User certificate must be hardware-backed". The (software) client certificate itself is installed, it is selectable from the drop-down. It is, simply put, not good enough for Chrome's thinking.
Personally I think it's /very/ unreasonable to require hardware backing for a user certificate.
Unless Google/Chromium developers change their mindset, or we find a workaround, we won't be able to support eduroam-as-a-service on that platform.
From a mail on cat-users by Francesco Malvezzi:
"I have changed the radius certificate with a ECDH cert generated from OpenSSL (prime256v1).
The sanity check CAT tool complains it is too short (< 1024 bits). May I ignore the warning?"
There should not be a warning about key lengths when the key type is ECDH.
I'm opening this issue from a feature request we received both via email and during eduroam meetings, adding some background to explain the dangerousness/evilness of it :-)
As eduroam users roam around the planet, they get access to the local Service Provider's network. That network has its own characteristics; we suggest that the network should be just "open internet".
In some jurisdictions, this poses problems to some user groups. Particularly in countries where eduroam is also a service offered to school pupils, there is sometimes a regulatory requirement to not allow unfiltered access to the internet for underage pupils.
The solution is to send the user traffic through a web proxy and filter undesired content. The problem though is that a majority of Service Providers do not deploy content filtering proxies. However, as soon as a pupil has an eduroam account, all SPs world-wide are available for use.
A straightforward, if slightly naive, argument that is sometimes brought up is: "but that same pupil has a cell phone and gets unfiltered access anyway." That may be true or not, but it's also irrelevant: where a regulatory requirement exists, it needs to be satisfied. The cell phone provider has to do the same as the Wi-Fi provider. Maybe the cell provider does not, but then that's their own legal problem. As a Wi-Fi provider, the safe legal option is to keep the own infrastructure clean, irrespective of other channels.
So, if required to satisfy the filtering requirement, four options are available:
a) exclude pupils from eduroam altogether
b) force every SP to implement a content filter proxy, and put such users into a filtered VLAN [requires signalling IdP -> SP "this is a person requiring filtering"]
c) allow SPs to signal to IdP that pupil is about to log into an unfiltered internet access, so that IdP can fail authentication [usability issues, requires signalling SP -> IdP "I do not filter"]
d) configure pupil's device so that a pinned proxy server is used, regardless of Service Provider
b) and c) are not likely to work as they require upgrades to the authentication fabric at all leaves of the infrastructure.
a) is always an option, but is an effective DoS to a large population of potential users
CAT 2.0 is going to implement d). It is not possible to do this perfectly: the following caveats apply
As an IdP, you should think long and hard if you /really/ need this. Possibly a form signed by parents, waiving liability for you, could also do the trick? Solving this issue in a non-technical way is definitely the wiser option.
Only for cases where an IdP really thinks the only way to solve this problem is a forced HTTP/HTTPS proxy configuration, we are implementing this feature - this becomes a "Media" configuration option. We'll keep this issue updated to report which devices get the support and which are problematic.
Unsynchronised README file with real content in directory CAT/devices/ms/Files/
Text not aligned properly at the top of pages.
web/lib/admin/PageDecoration.php:169
$retval .= "<div id='secondrow' style='border-bottom:5px solid ".CONFIG['APPEARANCE']['colour1']."; min-height:100px;'>
(Missing semicolon after the closing ")
When sending an email a 404 is returned if an invalid email address is used.
Invite a new institution with an email address of 'd'.
[Wed Aug 16 15:08:57.016702 2017] [:error] [pid 19179] [client 193.62.24.33:40481] PHP Fatal error: Uncaught Exception: sendinvite: The supplied value for email address is not a valid mail address! in /opt/CAT/web/admin/inc/sendinvite.inc.php:37\nStack trace:\n#0 {main}\n thrown in /opt/CAT/web/admin/inc/sendinvite.inc.php on line 37, referer: https://cat-beta.govroam.uk/admin/overview_federation.php?
from cat-users:
"I have a question, is it possible to add an input mask on the username field with the installer? Or just a little help text to remind the user he has to use his [email protected]?"
List of locations on 'Editing IdP Information' displays the wrong information. All are listed as 'Location 1'.
Create multiple locations for the same profile
List of locations on 'Editing IdP Information' displays the wrong information. All are listed as 'Location 1'. This is because OptionDisplay/optiontext sets the allLocationCount to 0 each time it's called. This variable needs to be outside of the loop somehow.
[x] New feature request.
current 'Existing IDP' list when registering a new institution is not ordered
click register new institution, select the 'Existing IDP' button
Line 250 in eb88385
seems to be some kind of hack. (why rand() and no crypto safe numbers? why explicitly set a maximum? if we don't trust rand() it doesn't really get better by using a hash on top of it and/or using it twice...).
I would propose to change it to either
$token = bin2hex(openssl_random_pseudo_bytes(40, $cryptoStrong)); // second argument is by reference; check that $cryptoStrong is true before using the token
(http://php.net/manual/de/function.openssl-random-pseudo-bytes.php)
or (only PHP 7 and above)
$token = bin2hex(random_bytes(40));
(http://php.net/manual/de/function.random-bytes.php)
The string length would still be 80.
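The point made above, that a hash on top of a non-cryptographic PRNG adds no entropy, as an added example (not CAT's code, and written in Python rather than PHP): make_invite_token draws 40 bytes from the OS CSPRNG for the same 80-character length the issue mentions, while weak_token reproduces the anti-pattern with a seeded PRNG and shows that anyone who knows the seed gets the identical token, hash or no hash.

```python
import hashlib
import random
import secrets
import string

# Constructed example; function names are this example's own, not CAT's.
TOKEN_BYTES = 40  # 40 random bytes -> 80 hex characters


def make_invite_token():
    """Invitation token from the OS CSPRNG (secrets wraps os.urandom)."""
    return secrets.token_hex(TOKEN_BYTES)


def weak_token(seed):
    """The anti-pattern: hash the output of a non-cryptographic PRNG.

    The hash makes the token look random, but its value is a pure function of
    the seed, so the number of possible tokens is bounded by the number of
    possible seeds, not by the hash length.
    """
    rng = random.Random(seed)  # Mersenne Twister, not a CSPRNG
    raw = "%d:%d" % (rng.getrandbits(31), rng.getrandbits(31))
    return hashlib.sha256(raw.encode()).hexdigest()


def is_well_formed(token):
    """80 characters, all hexadecimal, as the invitation code expects."""
    return (len(token) == 2 * TOKEN_BYTES
            and all(c in string.hexdigits for c in token))


if __name__ == "__main__":
    print("strong token:", make_invite_token())
    print("weak token, seed 1234 twice:", weak_token(1234) == weak_token(1234))
```

Because secrets.token_hex already returns hex, no second encoding step is needed, and the crypto-strength question that openssl_random_pseudo_bytes answers through its by-reference flag does not arise: the OS source either works or raises.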