secrets PUT (option #2 as binary from API doc) fails with 400 Bad Request

Bug #1350988 reported by Meera Belur
This bug affects 1 person
Affects: Barbican
Status: Fix Released
Importance: Critical
Assigned to: Arun Kant

Bug Description

From the API documentation, the two-step binary secret create (PUT secrets, option #2 as binary) fails with a 400 Bad Request. As per the document, the content-encoding is not specified.

curl -ik http://$HOST:9311/v1/$TENANT_ID/secrets/$SECRET_ID -X PUT -HContent-Type:application/octet-stream -T file.bin -HX-Auth-Token:$TOKEN_ID
HTTP/1.1 400 Bad Request
Content-Length: 161
Content-Type: application/json; charset=UTF-8

{"code": 400, "description": "Secret update issue seen - Text-based binary secret payloads must specify a content-encoding of 'base64'.", "title": "Bad Request"}

Venkat Sundaram (tsv)
Changed in barbican:
assignee: nobody → Venkat Sundaram (tsv)
Steve Heyman (sheyman) wrote :

Hi Venkat - are you working on this one?

Changed in barbican:
importance: Undecided → Critical
Steve Heyman (sheyman) wrote :

Seeing plugin.util.translations.normalize_before_encryption is called with content type of application/octet-stream and the enforce_text_only flag is set to True. Because of that flag we are throwing (oops, raising) SecretContentEncodingMustBeBase64 exception.

plugin.resources.StoreSecret is calling plugin.util.translations.normalize_before_encryption with that enforce_text_only flag set to True...but not sure why that's required. Both 1 and 2 step secret creates allow binary data so not sure why we are requiring text only (as mentioned in the comment in https://github.com/openstack/barbican/blob/master/barbican/plugin/util/translations.py#L45)

Steve Heyman (sheyman) wrote :

For the failing scenario (doing a secret PUT, content type=application/octet-stream, content type encoding is None, and the payload is just a string "here is my payload").

The stack trace is:

2014-08-08 14:44:22.515 63671 ERROR barbican.api.controllers [-] Secret update issue seen - Text-based binary secret payloads must specify a content-encoding of 'base64'.
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers Traceback (most recent call last):
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers File "/Users/step6927/barbican/barbican/api/controllers/__init__.py", line 85, in handler
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers File "/Users/step6927/barbican/barbican/api/controllers/__init__.py", line 71, in enforcer
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers File "/Users/step6927/barbican/barbican/api/controllers/__init__.py", line 117, in content_types_enforcer
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers File "/Users/step6927/barbican/barbican/api/controllers/secrets.py", line 171, in on_put
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers transport_key_id=transport_key_id)
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers File "/Users/step6927/barbican/barbican/plugin/resources.py", line 96, in store_secret
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers enforce_text_only=True)
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers File "/Users/step6927/barbican/barbican/plugin/util/translations.py", line 48, in normalize_before_encryption
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers raise s.SecretContentEncodingMustBeBase64()
2014-08-08 14:44:22.515 63671 TRACE barbican.api.controllers SecretContentEncodingMustBeBase64: Encoding type must be 'base64' for text-based payloads.

Venkat Sundaram (tsv) wrote :

I started but did not go much further. I was also looking at the other issue (two-step secret creation failing with HTTP 500 error for MySQL, CR #1351440).
Please feel free to take this over.

Changed in barbican:
assignee: Venkat Sundaram (tsv) → nobody
Arun Kant (arukant)
Changed in barbican:
assignee: nobody → Arun Kant (arunkant-uws)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/120618

Changed in barbican:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/120618
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=93eda4a3f1f213c4c75482170ba11a6ce812b1f9
Submitter: Jenkins
Branch: master

commit 93eda4a3f1f213c4c75482170ba11a6ce812b1f9
Author: Arun Kant <email address hidden>
Date: Tue Sep 9 14:02:49 2014 -0700

    Adding support for allowing binary data as-is as part of PUT

    Closes-Bug: 1350988

    Change-Id: I2b38e49449a6eb12c8df2a66c694acbb9944eb64
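
The check discussed in this report, as an added example (a simplified model, not Barbican's code and not the merged patch). It reuses the function, flag and exception names from the comments and traceback above; the content-type sets, the `outcome` helper and the sample payload are assumptions constructed for illustration.

```python
import base64

# Assumption: simplified content-type sets for this model.
TEXT_TYPES = {"text/plain"}
BINARY_TYPES = {"application/octet-stream"}


class SecretContentEncodingMustBeBase64(ValueError):
    """Stand-in for the exception named in the traceback."""


def normalize_before_encryption(payload, content_type, content_encoding=None,
                                enforce_text_only=False):
    """Return the bytes that would be handed to the encryption plugin."""
    mime = content_type.split(";")[0].strip().lower()
    if mime in TEXT_TYPES:
        return payload.encode("utf-8") if isinstance(payload, str) else payload
    if mime not in BINARY_TYPES:
        raise ValueError("unsupported content type: %s" % mime)
    if content_encoding:
        if content_encoding.lower() != "base64":
            raise ValueError("unsupported content encoding")
        # Text-wrapped binary: reject anything that is not strict base64.
        return base64.b64decode(payload, validate=True)
    if enforce_text_only:
        # Branch hit by the failing PUT: binary type, no encoding, flag True.
        raise SecretContentEncodingMustBeBase64(
            "Encoding type must be 'base64' for text-based payloads.")
    # Raw binary body is accepted as-is when text is not enforced.
    return payload if isinstance(payload, bytes) else payload.encode("utf-8")


def outcome(payload, content_type, content_encoding, enforce_text_only):
    """Return the normalized bytes, or the exception name on rejection."""
    try:
        return normalize_before_encryption(
            payload, content_type, content_encoding, enforce_text_only)
    except ValueError as exc:
        return type(exc).__name__


# Constructed sample: a body that is not valid UTF-8 text.
RAW = b"\x00\x01here is my payload\xff"
ENCODED = base64.b64encode(RAW)

if __name__ == "__main__":
    print(outcome(RAW, "application/octet-stream", None, True))       # reported 400 case
    print(outcome(RAW, "application/octet-stream", None, False))      # raw bytes accepted
    print(outcome(ENCODED, "application/octet-stream", "base64", True))
```

In this model, a client that sends the body base64-encoded with a content-encoding of base64 passes the check even while the flag is True, which matches the wording of the 400 error message.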

Changed in barbican:
status: In Progress → Fix Committed
Changed in barbican:
milestone: none → juno-rc1
Thierry Carrez (ttx)
Changed in barbican:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in barbican:
milestone: juno-rc1 → 2014.2