Incorrect Error Code when Passing Accept Header on a Secret GET

Bug #1561701 reported by Fernando Diaz on 2016-03-24
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Barbican | Fix Released | Medium | Fernando Diaz |

Bug Description

When the Accept header is passed with the value "text/plain" or "application/octet-stream" on a secret GET (on a Secret with no payload), then the server will return a 500.

Instead, a 406 Not Acceptable should be performed, giving the following information:
ERROR pecan.core [req-ace1dd34-d099-475a-a543-3f9487e11d1c e1eeffc35e644c1095a90e6579a3a150 abfe717162974e2aacc02a5db8e92067] Controller 'handler' defined does not support content_type 'None'. Supported type(s): ['application/json']
2016-03-24 18:59:18.600 INFO barbican.api.middleware.context [req-ace1dd34-d099-475a-a543-3f9487e11d1c e1eeffc35e644c1095a90e6579a3a150 abfe717162974e2aacc02a5db8e92067] Processed request: 406 Not Acceptable - GET http://localhost:9311/v1/secrets/secret_uuid

Terminal
-------------
vagrant@vagrant-ubuntu-trusty-64:~$ curl -H "Accept: text/plain" -H "X-Auth-Token: $TOKEN" http://localhost:9311/v1/secrets/2c177e9e-cba7-4363-8167-4d1d9012ccf6
{"code": 500, "description": "Secret retrieval failure seen - please contact site administrate

vagrant@vagrant-ubuntu-trusty-64:~$ curl -H "X-Auth-Token: $TOKEN" http://localhost:9311/v1/secrets/2c177e9e-cba7-4363-8167-4d1d9012ccf6
{"status": "ACTIVE", "secret_type": "opaque", "updated": "2016-03-24T18:50:16", "name": null, "algorithm": "yes", "created": "2016-03-24T18:50:16", "secret_ref": "http://10.0.2.15:9311/v1/secrets/2c177e9e-cba7-4363-8167-4d1d9012ccf6", "creator_id": "e1eeffc35e644c1095a90e6579a3a150", "mode": "cbc", "bit_length": 256, "expiration": null}

Server
----------
2016-03-24 18:53:08.566 WARNING barbican.api.controllers.secrets [req-95b89df4-26bd-44be-b728-3e0555059150 e1eeffc35e644c1095a90e6579a3a150 abfe717162974e2aacc02a5db8e92067] Decrypted secret 2c177e9e-cba7-4363-8167-4d1d9012ccf6 requested using deprecated API call.
2016-03-24 18:53:08.569 ERROR barbican.api.controllers [req-95b89df4-26bd-44be-b728-3e0555059150 e1eeffc35e644c1095a90e6579a3a150 abfe717162974e2aacc02a5db8e92067] Secret retrieval failure seen - please contact site administrator.
2016-03-24 18:53:08.569 TRACE barbican.api.controllers Traceback (most recent call last):
2016-03-24 18:53:08.569 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 102, in handler
2016-03-24 18:53:08.569 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2016-03-24 18:53:08.569 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/api/controllers/__init__.py", line 88, in enforcer
2016-03-24 18:53:08.569 TRACE barbican.api.controllers return fn(inst, *args, **kwargs)
2016-03-24 18:53:08.569 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/api/controllers/secrets.py", line 114, in on_get
2016-03-24 18:53:08.569 TRACE barbican.api.controllers **kwargs)
2016-03-24 18:53:08.569 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/api/controllers/secrets.py", line 162, in _on_get_secret_payload
2016-03-24 18:53:08.569 TRACE barbican.api.controllers transport_key)
2016-03-24 18:53:08.569 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/plugin/resources.py", line 132, in get_secret
2016-03-24 18:53:08.569 TRACE barbican.api.controllers secret_metadata.get('plugin_name'))
2016-03-24 18:53:08.569 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/plugin/interface/secret_store.py", line 489, in _check_plugins_configured
2016-03-24 18:53:08.569 TRACE barbican.api.controllers return plugin_related_function(self, *args, **kwargs)
2016-03-24 18:53:08.569 TRACE barbican.api.controllers File "/opt/stack/barbican/barbican/plugin/interface/secret_store.py", line 557, in get_plugin_retrieve_delete
2016-03-24 18:53:08.569 TRACE barbican.api.controllers raise StorePluginNotAvailableOrMisconfigured(plugin_name)
2016-03-24 18:53:08.569 TRACE barbican.api.controllers StorePluginNotAvailableOrMisconfigured: The requested Store Plugin None is not currently available. This is probably a server misconfiguration.
2016-03-24 18:53:08.569 TRACE barbican.api.controllers
2016-03-24 18:53:08.570 INFO barbican.api.middleware.context [req-95b89df4-26bd-44be-b728-3e0555059150 e1eeffc35e644c1095a90e6579a3a150 abfe717162974e2aacc02a5db8e92067] Processed request: 500 Internal Server Error - GET http://localhost:9311/v1/secrets/2c177e9e-cba7-4363-8167-4d1d9012ccf6
{address space usage: 183238656 bytes/174MB} {rss usage: 72962048 bytes/69MB} [pid: 22552|app: 0|req: 15/15] 127.0.0.1 () {26 vars in 420 bytes} [Thu Mar 24 18:53:08 2016] GET /v1/secrets/2c177e9e-cba7-4363-8167-4d1d9012ccf6 => generated 132 bytes in 21 secs (HTTP/1.1 500) 4 headers in 191 bytes (1 switches on core 0)

2016-03-24 18:53:49.276 INFO barbican.api.controllers.secrets [req-c6765f07-0a75-4471-ac3f-dce80df42a7c e1eeffc35e644c1095a90e6579a3a150 abfe717162974e2aacc02a5db8e92067] Retrieved secret metadata for project: abfe717162974e2aacc02a5db8e92067
2016-03-24 18:53:49.277 INFO barbican.api.middleware.context [req-c6765f07-0a75-4471-ac3f-dce80df42a7c e1eeffc35e644c1095a90e6579a3a150 abfe717162974e2aacc02a5db8e92067] Processed request: 200 OK - GET http://localhost:9311/v1/secrets/2c177e9e-cba7-4363-8167-4d1d9012ccf6
{address space usage: 183238656 bytes/174MB} {rss usage: 72962048 bytes/69MB} [pid: 22552|app: 0|req: 16/16] 127.0.0.1 () {26 vars in 413 bytes} [Thu Mar 24 18:53:49 2016] GET /v1/secrets/2c177e9e-cba7-4363-8167-4d1d9012ccf6 => generated 338 bytes in 17 msecs (HTTP/1.1 200) 4 headers in 172 bytes (1 switches on core 0)
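
A triage sketch for the server log above, added here as an example and not part of the original report or of Barbican's code: it pairs each request that ended in a 5xx with the exception at the bottom of its traceback. The sample log is constructed and abridged from the lines above (USER and PROJECT are placeholders), and attaching TRACE lines to the preceding ERROR line is an assumption that holds only when a worker's log lines are not interleaved.

```python
import re

# Constructed, abridged sample in the log layout shown in the report;
# USER and PROJECT stand in for the user and project IDs.
SAMPLE_LOG = """\
2016-03-24 18:53:08.569 ERROR barbican.api.controllers [req-95b89df4-26bd-44be-b728-3e0555059150 USER PROJECT] Secret retrieval failure seen - please contact site administrator.
2016-03-24 18:53:08.569 TRACE barbican.api.controllers Traceback (most recent call last):
2016-03-24 18:53:08.569 TRACE barbican.api.controllers StorePluginNotAvailableOrMisconfigured: The requested Store Plugin None is not currently available.
2016-03-24 18:53:08.569 TRACE barbican.api.controllers
2016-03-24 18:53:08.570 INFO barbican.api.middleware.context [req-95b89df4-26bd-44be-b728-3e0555059150 USER PROJECT] Processed request: 500 Internal Server Error - GET http://localhost:9311/v1/secrets/2c177e9e-cba7-4363-8167-4d1d9012ccf6
2016-03-24 18:53:49.277 INFO barbican.api.middleware.context [req-c6765f07-0a75-4471-ac3f-dce80df42a7c USER PROJECT] Processed request: 200 OK - GET http://localhost:9311/v1/secrets/2c177e9e-cba7-4363-8167-4d1d9012ccf6
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\w+) (\S+)(?: (.*))?$")
REQ_ID = re.compile(r"^\[(req-[0-9a-f-]+)[^\]]*\] ?(.*)$")
PROCESSED = re.compile(r"^Processed request: (\d{3}) .*? - (\S+) (\S+)$")


def find_server_errors(log_text):
    """Return one record per request that ended in a 5xx, with its root exception."""
    traces = {}      # req-id -> non-empty TRACE messages that followed its ERROR line
    current = None   # req-id whose traceback is currently being read
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # e.g. uWSGI access lines, which use a different layout
        level, msg = m.group(2), m.group(4) or ""
        if level == "TRACE":
            # TRACE lines carry no req-id; assume they belong to the preceding ERROR.
            if current and msg.strip():
                traces[current].append(msg.strip())
            continue
        ctx = REQ_ID.match(msg)
        req_id, body = (ctx.group(1), ctx.group(2)) if ctx else (None, msg)
        current = None  # any non-TRACE line ends the traceback being read
        if level == "ERROR" and req_id:
            current = req_id
            traces.setdefault(req_id, [])
        done = PROCESSED.match(body)
        if done and req_id and int(done.group(1)) >= 500:
            tb = traces.get(req_id, [])
            findings.append({"req_id": req_id, "status": int(done.group(1)),
                             "method": done.group(2), "url": done.group(3),
                             "exception": tb[-1].split(":", 1)[0] if tb else None})
    return findings
```
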

Fernando Diaz (diazjf) on 2016-03-24
Changed in barbican:
assignee: nobody → Fernando Diaz (diazjf)
importance: Undecided → Medium
Fernando Diaz (diazjf) on 2016-03-24
description: updated

Fix proposed to branch: master
Review: https://review.openstack.org/297820

Changed in barbican:
status: New → In Progress
Fernando Diaz (diazjf) wrote :

The above is a partial fix, so that the Accept Header will not cause any errors when a user is only trying to obtain metadata for a secret. There still needs to be a code change where if there is no payload when trying to decrypt a Secret

Fernando Diaz (diazjf) wrote :

Held discussion on this bug during the weekly meeting. We came to an agreement on the following:

GET secrets/{uuid}/payload -> 404
GET secrets/{uuid} with any Accept Header other than "application/json" -> 406

Fix proposed to branch: master
Review: https://review.openstack.org/299108

Change abandoned by Fernando Diaz (<email address hidden>) on branch: master
Review: https://review.openstack.org/297820
Reason: Expected behavior is if no payload then a 404 should be returned. If payload then it should be returned instead of 406, if a payload is there.

Reviewed: https://review.openstack.org/299108
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=d9b5ac8295d096382ccf531e0e5126fba202b217
Submitter: Jenkins
Branch: master

commit d9b5ac8295d096382ccf531e0e5126fba202b217
Author: Fernando Diaz <email address hidden>
Date: Wed Mar 30 03:50:38 2016 +0000

    Return 404 when a secret does not have a payload

    Currently when a Secret payload GET is performed, a 500 Error will
    be thrown if there is no payload present. The correct behavior
    would be to throw a 404.

    Change-Id: Ibbe8a592c853fc0196ae7c2daf365754c800fc87
    Partial-Bug: #1561701

Jeremy Liu (liujiong) wrote :

Yes. If a secret has no payload, when retrieving the payload, we would get a utf-8 decode error.

Changed in barbican:
status: In Progress → Fix Released