Package: python3-keystone
Version: 2:14.2.0-0+deb10u1
Severity: normal
Tags: patch upstream


Hello,

With Keystone configured as a federated-identity Service Provider (with the IdP accessed over OpenID in our case but it might affect other protocols as well), certain operations performed as a federated user - e.g. obtaining a scoped token from an unscoped one using 'openstack token issue' - report a server error 500. On the server side, Keystone logs show the following exception:

INFO keystone.common.wsgi [req-foo bar baz - Federated default] POST https://osc.example.com:5000/v3/auth/tokens
ERROR keystone.common.wsgi [req-foo bar baz - Federated default]
identity_provider failed validation: <function
FederatedCredential.<lambda> at 0xdeadbeef>: ValueError:
identity_provider failed validation: <function
FederatedCredential.<lambda> at 0xdeadbeef>
ERROR keystone.common.wsgi Traceback (most recent call last):
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/common/wsgi.py", line 148, in
__call__
ERROR keystone.common.wsgi     result = method(req, **params)
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/auth/controllers.py", line 67,
in authenticate_for_token
ERROR keystone.common.wsgi     self.authenticate(request, auth_info,
auth_context)
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/auth/controllers.py", line 236,
in authenticate
ERROR keystone.common.wsgi     auth_info.get_method_data(method_name))
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/auth/plugins/token.py", line
46, in authenticate
ERROR keystone.common.wsgi     PROVIDERS.identity_api
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/auth/plugins/mapped.py", line
101, in handle_scoped_token
ERROR keystone.common.wsgi     send_notification(taxonomy.OUTCOME_SUCCESS)
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/keystone/notifications.py", line 685, in
send_saml_audit_notification
ERROR keystone.common.wsgi     user=user_id, groups=group_ids)
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/pycadf/credential.py", line 84, in __init__
ERROR keystone.common.wsgi     setattr(self,
FED_CRED_KEYNAME_IDENTITY_PROVIDER, identity_provider)
ERROR keystone.common.wsgi   File
"/usr/lib/python3/dist-packages/pycadf/cadftype.py", line 66, in __set__
ERROR keystone.common.wsgi     (self.name, self.func))
ERROR keystone.common.wsgi ValueError: identity_provider failed
validation: <function FederatedCredential.<lambda> at 0xdeadbeef>

i.e. the request has succeeded but then things fall over when an audit
notification is to be sent.

Having poked around the sources of
keystone.notifications.send_saml_audit_notifications() and the code it
references, I found out the following:
  - the lambda function which triggers the error checks if
    'identity_provider' is a six string type;
  - when this error occurs the value of 'identity_provider' is indeed
    the name of my IdP - but as *bytes* rather than str!
  - this doesn't happen every time this IdP name is used - if I add a simple

        identity_provider = identity_provider.decode('utf-8')

    to the relevant function I start getting errors suggesting that under
    some circumstances, 'identity_provider' is str as it should be.
All in all, it seems this particular bit of Keystone code does not fully
support Python3 in Rocky.

A simple workaround that I have put in place (which is why debsums has found notifications.py to have changed) looks as follows:

--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -680,6 +680,8 @@
     user_id = user_id or taxonomy.UNKNOWN
     token_id = token_id or taxonomy.UNKNOWN
     group_ids = group_ids or []
+    if isinstance(identity_provider, bytes):
+        identity_provider = identity_provider.decode('utf-8')
     cred = credential.FederatedCredential(token=token_id, type=audit_type,

identity_provider=identity_provider,
                                           user=user_id, groups=group_ids)
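Review bot: the new `isinstance(identity_provider, bytes)` branch in send_saml_audit_notification only masks where the bytes value originates; since the report itself notes the value is sometimes already str, normalising at the caller (the mapped plugin's handle_scoped_token path in the traceback) would fix every consumer, and a strict `identity_provider.decode('utf-8')` will raise UnicodeDecodeError on non-UTF-8 input and turn back into the same HTTP 500 on the audit path. The context lines around `identity_provider=identity_provider,` have also been re-wrapped by the mailer, so the hunk as posted will not apply cleanly with `patch -p1`; resend it as an attachment or with the original indentation.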

On Debian 10 Keystone is a Python3-only package so I didn't bother with six. With this patch in place getting scoped tokens works and I have yet to hear from our federated users about any authentication-related issues. Unfortunately having changed the contents of a package I had to put python3-keystone on hold, which of course means no automatic security updates.

PS. I have already mentioned the problem upstream, see
http://lists.openstack.org/pipermail/openstack-discuss/2021-June/023281.html


-- System Information:
Debian Release: 10.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-amd64 (SMP w/56 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set
LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to
default locale: No such file or directory
UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-keystone depends on:
ii  python3                        3.7.3-1
ii  python3-babel                  2.6.0+dfsg.1-1
ii  python3-bcrypt                 3.1.6-1
ii  python3-crypto                 2.6.1-9+b1
ii  python3-cryptography           2.6.1-3+deb10u2
ii  python3-dateutil               2.7.3-3
ii  python3-dogpile.cache          0.6.2-6
ii  python3-flask                  1.0.2-3
ii  python3-flask-restful          0.3.7-1
ii  python3-jsonschema             2.6.0-4
ii  python3-keystoneclient         1:3.17.0-2
ii  python3-keystonemiddleware     5.2.0-2
ii  python3-ldap [python3-pyldap]  3.1.0-2
ii  python3-ldappool               2.3.1-1
ii  python3-lxml                   4.3.2-1+deb10u3
ii  python3-memcache               1.59-1
ii  python3-migrate                0.11.0-5
ii  python3-msgpack                0.5.6-1+b1
ii  python3-mysqldb                1.3.10-2
ii  python3-oauthlib               2.1.0-1
ii  python3-openstackclient        3.16.2-1
ii  python3-oslo.cache             1.30.3-1
ii  python3-oslo.concurrency       3.27.0-3
ii  python3-oslo.config            1:6.4.1-1
ii  python3-oslo.context           2.21.0-2
ii  python3-oslo.db                4.40.0-3
ii  python3-oslo.i18n              3.21.0-2
ii  python3-oslo.log               3.39.0-2
ii  python3-oslo.messaging         8.1.4-1+deb10u1
ii  python3-oslo.middleware        3.36.0-2
ii  python3-oslo.policy            1.38.1-2
ii  python3-oslo.serialization     2.27.0-2
ii  python3-oslo.utils             3.36.5-0+deb10u1
ii  python3-osprofiler             2.3.0-3
ii  python3-passlib                1.7.1-1
ii  python3-pbr                    4.2.0-5
ii  python3-pycadf                 2.7.0-2
ii  python3-pymysql                0.9.3-1
ii  python3-pysaml2                4.5.0-4+deb10u1
ii  python3-routes                 2.4.1-1
ii  python3-scrypt                 0.8.0-0.1+b1
ii  python3-six                    1.12.0-1
ii  python3-sqlalchemy             1.2.18+ds1-2
ii  python3-stevedore              1.29.0-2
ii  python3-tz                     2019.1-1
ii  python3-webob                  1:1.8.5-1

python3-keystone recommends no packages.

python3-keystone suggests no packages.

-- debconf information excluded

-- debsums errors found:
perl: warning: Setting locale failed.
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
debsums: changed file
/usr/lib/python3/dist-packages/keystone/notifications.py (from
python3-keystone package)
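The bytes-versus-str failure the report describes, reproduced with a simplified stand-in for pycadf's validating descriptor and FederatedCredential (this is added example code, not keystone's or pycadf's own; the descriptor class, the `normalise_idp` helper and the `build_credential` wrapper are assumptions made for illustration). It also shows the edge case the one-line workaround does not cover: an IdP name that is not valid UTF-8 would make a strict decode raise and reproduce the 500, so the helper falls back to a lossless surrogateescape decode and logs it.

```python
"""Reproduce the pycadf str-only validation failure on a bytes
identity_provider and show a defensive bytes->str normalisation."""
import logging

LOG = logging.getLogger(__name__)


class ValidatedAttr:
    """Simplified stand-in (assumption) for pycadf.cadftype's validating
    descriptor: run a predicate on assignment, raise ValueError on failure."""

    def __init__(self, name, func):
        self.name = name
        self.func = func

    def __get__(self, instance, owner):
        if instance is None:
            return self
        return instance.__dict__.get(self.name)

    def __set__(self, instance, value):
        if not self.func(value):
            # Same message shape as the traceback in the report.
            raise ValueError('%s failed validation: %s' % (self.name, self.func))
        instance.__dict__[self.name] = value


class FederatedCredential:
    """Minimal model of pycadf's FederatedCredential: the identity_provider
    check is a plain str-type predicate, so bytes is rejected."""
    identity_provider = ValidatedAttr('identity_provider',
                                      lambda x: isinstance(x, str))

    def __init__(self, token, type, identity_provider, user, groups):
        self.token = token
        self.type = type
        self.identity_provider = identity_provider
        self.user = user
        self.groups = groups


def normalise_idp(identity_provider):
    """Return identity_provider as str, accepting either str or bytes.
    Undecodable bytes are kept losslessly via surrogateescape and logged
    instead of raising, so audit emission cannot turn into a 500."""
    if isinstance(identity_provider, bytes):
        try:
            return identity_provider.decode('utf-8')
        except UnicodeDecodeError:
            LOG.warning('identity_provider is not valid UTF-8; '
                        'decoding with surrogateescape')
            return identity_provider.decode('utf-8', 'surrogateescape')
    return identity_provider


def build_credential(token_id, identity_provider, user_id, group_ids):
    """Build the audit credential the way the patched notifier would."""
    return FederatedCredential(token=token_id, type='authenticate',
                               identity_provider=normalise_idp(identity_provider),
                               user=user_id, groups=group_ids)
```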
