[Bug 1867676] Re: Fetching by secret container doesn't raises 404 exception
Robie Basak
1867676 at bugs.launchpad.net
Wed Mar 25 16:35:27 UTC 2020
SRU review:
Next time, please include dep3 headers such as Origin:. Given that you
pinged in #ubuntu-devel to get this looked at, it would really help if
you did the things that make SRU reviews easier. However this isn't a
blocker. Apart from this the upload itself looks good.
> As per https://storyboard.openstack.org/#!/story/2007371 we identified that
> ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
> error when a secret container is passed.
> This causes the code to not fall back into the legacy mode
I don't understand how this justifies this bug for an SRU. Please could
you explain the actual user impact, so I can measure that against SRU
criteria? See https://wiki.ubuntu.com/StableReleaseUpdates#Procedure "An
explanation of the bug on users and justification for backporting the
fix to the stable release"
> [Regression Potential]
This is missing "a discussion of how regressions are most likely to
manifest, or may manifest even if it is unlikely, as a result of this
change". See https://wiki.ubuntu.com/StableReleaseUpdates#Procedure
Please update the bug description, fixing [Impact] and [Regression
Potential] as above, and then we can reconsider your upload. Thanks!
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-barbicanclient in Ubuntu.
https://bugs.launchpad.net/bugs/1867676
Title:
Fetching by secret container doesn't raises 404 exception
Status in Ubuntu Cloud Archive:
Invalid
Status in Ubuntu Cloud Archive queens series:
Triaged
Status in python-barbicanclient package in Ubuntu:
Fix Released
Status in python-barbicanclient source package in Bionic:
Triaged
Status in python-barbicanclient source package in Disco:
Fix Released
Status in python-barbicanclient source package in Eoan:
Fix Released
Status in python-barbicanclient source package in Focal:
Fix Released
Bug description:
[Impact]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Test Case]
Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
Create the listener
$ openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
This creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle
validity. In addition, make sure it does not require a pass phrase.
Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough
data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Regression Potential]
* Patches are unchanged and come from upstream stable/queens branch. Upstream patches receive unit and functional testing to minimize regression potential. The patches are cherry-picked from stable/stein. This is fixed in all releases upstream from stable/queens on, therefore newer releases have been running with these changes for a while now without issues.
* No regressions identified so far.
[Discussion]
The following changesets need to be backported into the bionic
version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1867676/+subscriptions