[Bug 1946787] Please test proposed package
Corey Bryant
1946787 at bugs.launchpad.net
Tue Oct 19 21:19:39 UTC 2021
Hello Corey, or anyone else affected,
Accepted barbican into wallaby-proposed. The package will build now and
be available in the Ubuntu Cloud Archive in a few hours, and then in the
-proposed repository.
Please help us by testing this new package. To enable the -proposed
repository:
sudo add-apt-repository cloud-archive:wallaby-proposed
sudo apt-get update
Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-wallaby-needed to verification-wallaby-done. If it
does not fix the bug for you, please add a comment stating that, and
change the tag to verification-wallaby-failed. In either case, details
of your testing will help us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: cloud-archive/wallaby
Status: Triaged => Fix Committed
** Tags added: verification-wallaby-needed
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1946787
Title:
[SRU] Fix inconsistent encoding secret encoding
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive ussuri series:
New
Status in Ubuntu Cloud Archive victoria series:
New
Status in Ubuntu Cloud Archive wallaby series:
Fix Committed
Status in Ubuntu Cloud Archive xena series:
Fix Released
Status in barbican package in Ubuntu:
Fix Released
Status in barbican source package in Focal:
New
Status in barbican source package in Hirsute:
Fix Committed
Status in barbican source package in Impish:
Fix Released
Bug description:
[Impact]
This SRU corresponds with the following story for upstream barbican
https://storyboard.openstack.org/#!/story/2008335.
The problem is some secrets were stored in plaintext and some were
stored encoded. This resulted in the inability to decode some secrets.
This is fixed by always storing secrets in plaintext and decoding
inconsistently stored data as needed when getting secrets.
[Test Case]
* deploy Openstack with Barbican using Vault as a backend
* openstack volume type create --encryption-provider nova.volume.encryptors.luks.LuksEncryptor --encryption-cipher aes-xts-plain64 --encryption-key-size 256 --encryption-control-location front-end LUKS
* openstack volume create --size 1 --type LUKS luks_vol1
* ensure volume created successfully
* openstack volume show luks_vol1
* create vm and attach volume
* mkfs and mount then test can read/write
[Where things could go wrong]
If things were to go wrong it would probably be in the get_secret() method which calls _ensure_legacy_base64(). _ensure_legacy_base64() assumes that anything that is not a key was stored base64 encoded. Presumably this is correct, but there was a path added to catch a UnicodeDecodeError exception to handle unexpected non-base64-encoded secrets.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1946787/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list