[Bug 1867676] Re: Fetching by secret container doesn't raises 404 exception

Jorge Niedbalski 1867676 at bugs.launchpad.net
Thu Mar 26 01:37:24 UTC 2020


** Description changed:

+ [Impact]
+ 
+ Users of Ubuntu bionic running openstack clouds >= rocky 
+ can't create octavia load balancers listeners anymore since the backport of the following patch: 
+ 
+ https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
+ 
+ This change was introduced as part of the following backports and
+ their posterior syncs into the current Bionic version.
+ 
+ This change added a new exception handler in the code
+ that manages the decoding of the given PCKS12 certicate bundle when the listener is created, this handler now captures the PCKS12 decoding error and then raises it preventing
+ the listener creation to happen (when its invoked with i.e.: --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" ) , this was originally being hidden
+ under the legacy code handler as can be seen here:
+ 
+ https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
+ 
+ 
+ This exception is raised because the barbicanclient doesn't know how to distinguish between a given secret and a container, therefore, when the
+ user specifies a container UUID the client tries to fetch a secret with that uuid (including the /containers/UUID path) and a error 400 (not the expected 404 http error) is returned.
+ 
+ The change proposed on the SRU makes the client aware of container and
+ secret UUID(s) and is able to split the path to distinguish a non-secret
+ (such as a container), in that way if a container is passed, it fails to
+ pass the parsing validation and the right return code (404) is returned
+ by the client.
+ 
+ If a error 404 gets returned, then the except Exception block gets
+ executed and the legacy driver code for decoding the pcks12 certicate in octavia is invoked, this legacy
+ driver is able to decode the container payloads and the decoding of the pcks12 certificate succeeds.
+ 
+ This differentiation was implemented here:
+ 
+ https://github.com/openstack/python-
+ barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
+ 
+ As an example (this worked before the latest bionic version was pushed)
+ 
+ openstack loadbalancer listener create --protocol-port 443 --protocol
+ "TERMINATED_HTTPS" --name "test-listener" --default-tls-
+ container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-
+ 86eb3cc7fe1a" -- lb1
+ 
+ With the newest package upgrade this creation will fail with the
+ following exception:
+ 
+ The PKCS12 bundle is unreadable. Please check the PKCS12 bundle
+ validity. In addition, make sure it does not require a pass phrase.
+ Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough
+ data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-
+ 4d26-9920-72b03343596a)
+ 
+ 
+ Further rationale on this can be found on https://storyboard.openstack.org/#!/story/2007371
+ 
+ 
+ ---
  [Impact]
  
  As per https://storyboard.openstack.org/#!/story/2007371 we identified that
  ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
  error when a secret container is passed.
  
  This causes the code to not fall back into the legacy mode
  
  [Test Case]
  
- Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
- Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
- Create the 3 certs at barbican
- $ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
- $ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
- $ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
+ 1) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
  
- Create a loadbalancer
+ 2) Create self-signed certificate, key and ca
+ (http://paste.ubuntu.com/p/xyyxHZGDFR/)
+ 
+ 
+ 3) Create the 3 certs at barbican
+ 
+ $ openstack secret store --name "test-pk-1" --secret-type "private"
+ --payload-content-type "text/plain" --payload="$(cat
+ ./keys/controller_key.pem)"
+ 
+ $ openstack secret store --name "test-ca-1" --secret-type "certificate"
+ --payload-content-type "text/plain" --payload="$(cat
+ ./keys/controller_ca.pem)"
+ 
+ $ openstack secret store --name "test-pub-1" --secret-type "certificate"
+ --payload-content-type "text/plain" --payload="$(cat
+ ./keys/controller_cert.pem)"
+ 
+ 4) Create a loadbalancer
  $ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
  
- Create a secrets container
+ 
+ 5) Create a secrets container
  
  $ openstack secret container create --type='certificate' --name "test-
  tls-1"
  --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00"
  --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5
  -4b5a-bffd-c0c43a41b4a8"
  --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-
  b5c6-4433-a0a9-a195e2d54c57"
  
- Create the listener
+ 6) Try to create the listener
+ 
+ 
  openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
  
- This creation will fail with the following exception:
+ With the newest package upgrade this creation will fail with the
+ following exception:
  
  The PKCS12 bundle is unreadable. Please check the PKCS12 bundle
  validity. In addition, make sure it does not require a pass phrase.
  Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough
  data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-
  4d26-9920-72b03343596a)
  
  [Regression Potential]
  
  * Patches are unchanged and come from upstream stable/queens branch. Upstream patches receive unit and functional testing to minimize regression potential. The patches are cherry-picked from stable/stein. This is fixed in all releases upstream from stable/queens on, therefore newer releases have been running with these changes for a while now without issues.
  * No regressions identified so far.
  
  [Discussion]
  
  The following changesets needs to be backported into the bionic version
  4.6.0-0ubuntu1
  
  All of those are part of 4.8.0 onward.
  
  ** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
  ** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
  
  Corresponding reviews
  
  https://review.opendev.org/#/c/602810/
  https://review.opendev.org/#/c/628046/

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-barbicanclient in Ubuntu.
https://bugs.launchpad.net/bugs/1867676

Title:
  Fetching by secret container doesn't raises 404 exception

Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive queens series:
  Triaged
Status in python-barbicanclient package in Ubuntu:
  Fix Released
Status in python-barbicanclient source package in Bionic:
  Triaged
Status in python-barbicanclient source package in Disco:
  Fix Released
Status in python-barbicanclient source package in Eoan:
  Fix Released
Status in python-barbicanclient source package in Focal:
  Fix Released

Bug description:
  [Impact]

  Users of Ubuntu bionic running OpenStack clouds >= rocky
  can't create Octavia load balancer listeners anymore since the backport of the following patch:

  https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df

  This change was introduced as part of the following backports and
  their subsequent syncs into the current Bionic version.

  This change added a new exception handler in the code that manages the
  decoding of the given PKCS12 certificate bundle when the listener is created.
  This handler now captures the PKCS12 decoding error and re-raises it, preventing
  the listener creation from happening (when it is invoked with e.g. --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a").
  This was originally being hidden under the legacy code handler, as can be seen here:

  https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df

  
  This exception is raised because the barbicanclient doesn't know how to
  distinguish between a given secret and a container; therefore, when the
  user specifies a container UUID the client tries to fetch a secret with that
  UUID (including the /containers/UUID path) and an error 400 (not the expected
  HTTP 404 error) is returned.

  The change proposed in the SRU makes the client aware of container and
  secret UUIDs and able to split the path to distinguish a non-secret
  (such as a container); that way, if a container is passed, it fails the
  parsing validation and the right return code (404) is returned by the
  client.

  If an error 404 gets returned, then the except Exception block gets
  executed and the legacy driver code for decoding the PKCS12 certificate in
  Octavia is invoked; this legacy driver is able to decode the container
  payloads and the decoding of the PKCS12 certificate succeeds.

  This differentiation was implemented here:

  https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468

  As an example (this worked before the latest bionic version was
  pushed):

  openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1

  With the newest package upgrade this creation will fail with the
  following exception:

  The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase.
  Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)

  
  Further rationale on this can be found on https://storyboard.openstack.org/#!/story/2007371

  
  ---
  [Impact]

  As per https://storyboard.openstack.org/#!/story/2007371 we identified that
  Ubuntu clouds running version 4.6.0 (bionic) aren't raising a 404
  error when a secret container is passed.

  This causes the code not to fall back into the legacy mode.

  [Test Case]

  1) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)

  2) Create a self-signed certificate, key and CA (http://paste.ubuntu.com/p/xyyxHZGDFR/)

  
  3) Create the 3 certs at barbican

  $ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"

  $ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"

  $ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"

  4) Create a loadbalancer
  $ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet

  
  5) Create a secrets container

  $ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"

  6) Try to create the listener

  
  openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1

  With the newest package upgrade this creation will fail with the
  following exception:

  The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase.
  Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)

  [Regression Potential]

  * Patches are unchanged and come from the upstream stable/queens branch. Upstream patches receive unit and functional testing to minimize regression potential. The patches are cherry-picked from stable/stein. This is fixed in all releases upstream from stable/queens on, therefore newer releases have been running with these changes for a while now without issues.
  * No regressions identified so far.

  [Discussion]

  The following changesets need to be backported into the bionic
  version 4.6.0-0ubuntu1

  All of those are part of 4.8.0 onward.

  ** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
  ** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad

  Corresponding reviews

  https://review.opendev.org/#/c/602810/
  https://review.opendev.org/#/c/628046/

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1867676/+subscriptions
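The secret-versus-container confusion and the 404-only fallback that the bug description walks through, modelled as an added Python example. This is illustrative code written for this page, not python-barbicanclient or Octavia code: FakeBarbican, Client, parse_ref, lookup_status, fetch_tls_material, the in-memory secrets and the DER-looking stub payload are all invented here. The pre-fix client forwards whatever ref path it is handed to the secret payload endpoint and gets HTTP 400 back for a /v1/containers/<uuid> ref, so the consumer's fallback (which only triggers on 404) never runs and the request dies as "PKCS12 bundle is unreadable"; the fixed client checks that the ref really has the /v1/secrets/<uuid> shape, raises 404 for anything else, and the container is then read through the legacy path.

```python
"""Added example for this page (not python-barbicanclient or Octavia code; every
name below is invented).  It models the two client behaviours the bug contrasts:
forwarding any ref to the secret endpoint (the server answers 400) versus
validating the ref path first and raising 404, which lets the caller fall back."""
import uuid
from urllib.parse import urlsplit

class BarbicanHTTPError(Exception):
    """Stand-in for the client's HTTP error; carries the status code."""
    def __init__(self, status_code, message):
        super().__init__(f"{message} (HTTP {status_code})")
        self.status_code = status_code

def parse_ref(ref, entity):
    """Return the uuid from .../v1/<entity>/<uuid>; any other path shape (e.g. a
    container ref where a secret ref is expected) raises 404."""
    parts = urlsplit(ref).path.rstrip("/").split("/")
    if len(parts) < 3 or parts[-3:-1] != ["v1", entity]:
        raise BarbicanHTTPError(404, f"{ref} is not a {entity} reference")
    try:
        return str(uuid.UUID(parts[-1]))
    except ValueError:
        raise BarbicanHTTPError(404, f"{ref} has no valid uuid") from None

class FakeBarbican:
    """Constructed in-memory Barbican: payloads and containers keyed by uuid."""
    def __init__(self, base_url):
        self.base_url, self.secrets, self.containers = base_url, {}, {}

    def store_secret(self, payload):
        sid = str(uuid.uuid4())
        self.secrets[sid] = payload
        return f"{self.base_url}/v1/secrets/{sid}"

    def create_container(self, **members):
        cid = str(uuid.uuid4())
        self.containers[cid] = {n: parse_ref(r, "secrets") for n, r in members.items()}
        return f"{self.base_url}/v1/containers/{cid}"

    def get_secret_payload(self, path):
        """Server side: only /v1/secrets/<uuid> is a valid payload request; any
        other path (such as /v1/containers/<uuid>) is a 400, as the bug describes."""
        parts = path.strip("/").split("/")
        if len(parts) == 3 and parts[:2] == ["v1", "secrets"] and parts[2] in self.secrets:
            return self.secrets[parts[2]]
        raise BarbicanHTTPError(400, f"{path} is not a secret payload request")

class Client:
    """validate_refs=False models the client before the fix (passes the caller's
    path straight through); True models the fixed client (404 on non-secret refs)."""
    def __init__(self, server, validate_refs):
        self.server, self.validate_refs = server, validate_refs

    def get_secret_payload(self, ref):
        path = urlsplit(ref).path
        if self.validate_refs:
            path = f"/v1/secrets/{parse_ref(ref, 'secrets')}"
        return self.server.get_secret_payload(path)

def lookup_status(client, ref):
    """HTTP status a secret lookup surfaces to the caller (200 on success)."""
    try:
        client.get_secret_payload(ref)
    except BarbicanHTTPError as exc:
        return exc.status_code
    return 200

def fetch_tls_material(client, ref):
    """Model of the consumer: try the PKCS#12 secret path first and fall back to
    the legacy container driver only when the client reports 404; any other
    failure surfaces as the 'PKCS12 bundle is unreadable' error from the bug."""
    try:
        payload = client.get_secret_payload(ref)
    except BarbicanHTTPError as exc:
        if exc.status_code != 404:
            raise ValueError(f"The PKCS12 bundle is unreadable: {exc}") from exc
        cid = parse_ref(ref, "containers")  # legacy driver: read container members
        return {n: client.server.secrets[s] for n, s in client.server.containers[cid].items()}
    if payload[:1] != b"\x30":  # stand-in for the parser: DER starts with a SEQUENCE tag
        raise ValueError("The PKCS12 bundle is unreadable: asn1 not enough data")
    return {"pkcs12": payload}

def demo():
    """Run both clients against one container ref and one PKCS#12 secret ref."""
    server = FakeBarbican("https://10.5.0.4:9312")  # constructed, not a live host
    cert_ref = server.store_secret(b"-----BEGIN CERTIFICATE-----\nMIIB...\n")
    key_ref = server.store_secret(b"-----BEGIN PRIVATE KEY-----\nMIIE...\n")
    container_ref = server.create_container(certificate=cert_ref, private_key=key_ref)
    p12_ref = server.store_secret(b"\x30\x82\x0a\x00\x02\x01\x03")  # DER-looking stub
    old, new = Client(server, validate_refs=False), Client(server, validate_refs=True)
    results = {"pre_fix_status": lookup_status(old, container_ref),
               "fixed_status": lookup_status(new, container_ref)}
    try:
        fetch_tls_material(old, container_ref)
    except ValueError as exc:
        results["pre_fix"] = str(exc)
    results["fixed"] = fetch_tls_material(new, container_ref)
    results["fixed_p12"] = fetch_tls_material(new, p12_ref)
    return results
```

The point to take from demo() is the status code the consumer sees for the same container ref: 400 from the pass-through client, which the consumer cannot distinguish from a genuinely broken bundle, versus 404 from the validating client, which is the one signal the fallback branch keys on. When checking a deployed python-barbicanclient, the equivalent test is to request a container ref through the secrets API and confirm a 404 rather than a 400 comes back before blaming the PKCS12 payload.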


