500 Error instead of 400 Bad Request when barbican secret get payload with missing payload_content_type

Bug #1590097 reported by Arun Kant
This bug affects 2 people
Affects    Status         Importance   Assigned to   Milestone
Barbican   Fix Released   Undecided    Jeremy Liu

Bug Description

The Barbican get secret payload call returns a 500 Internal Server Error when the payload content type is missing. The client defaults to text/plain and, in that case, the server fails if the initially stored secret content type is application/octet-stream.

Server code already generates 'SecretAcceptNotSupportedException', but as it is not classified as an HTTPException, it falls back to the general error case, i.e. 500 (Internal Server Error). We should mark this as a 400 error because it is an invalid input case. So we just need to derive this from 'BarbicanHTTPException' instead of 'BarbicanException'.

Here is a sample for this error.

barbican secret store --payload 'gF6+lLoF3ohA9aPRpt+6bQ==' --payload-content-type 'application/octet-stream' --payload-content-encoding 'base64' --algorithm 'aes' --bit-length 256

+---------------+----------------------------------------------------------------------------+
| Field         | Value                                                                      |
+---------------+----------------------------------------------------------------------------+
| Secret href   | https://192.168.245.9:9311/v1/secrets/b1222b61-20fc-442f-8e07-750d1e78f308 |
| Name          | None                                                                       |
| Created       | 2016-05-27 20:18:27+00:00                                                  |
| Status        | ACTIVE                                                                     |
| Content types | {u'default': u'application/octet-stream'}                                  |
| Algorithm     | aes                                                                        |
| Bit length    | 256                                                                        |
| Secret type   | opaque                                                                     |
| Mode          | cbc                                                                        |
| Expiration    | None                                                                       |
+---------------+----------------------------------------------------------------------------+

barbican secret get https://192.168.245.9:9311/v1/secrets/b1222b61-20fc-442f-8e07-750d1e78f308 --payload_content_type application/octet-stream --payload -f value | python -m base64

gF6+lLoF3ohA9aPRpt+6bQo=

Now with the missing payload_content_type case:

barbican secret get https://192.168.245.9:9311/v1/secrets/b1222b61-20fc-442f-8e07-750d1e78f308 --payload -f value

5xx Server error: Internal Server Error
Internal Server Error

Log:

2016-05-27 20:22:55,948 - barbican.api.controllers - ERROR - Secret payload retrieval failure seen - please contact site administrator.
Traceback (most recent call last):
  File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/api/controllers/__init__.py", line 103, in handler
    return fn(inst, *args, **kwargs)
  File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/api/controllers/__init__.py", line 89, in enforcer
    return fn(inst, *args, **kwargs)
  File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/api/controllers/secrets.py", line 184, in payload
    **kwargs
  File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/api/controllers/secrets.py", line 162, in _on_get_secret_payload
    transport_key)
  File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/plugin/resources.py", line 144, in get_secret
    requesting_content_type)
  File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/plugin/util/translations.py", line 102, in denormalize_after_decryption
    raise s.SecretAcceptNotSupportedException(content_type)
SecretAcceptNotSupportedException: Secret Accept of 'text/plain' not supported

192.168.245.9:9311 - [27/May/2016:20:22:55 +0000] "GET /v1/secrets/b1222b61-20fc-442f-8e07-750d1e78f308/payload HTTP/1.1" 500 312 "-" "python-keystoneclient" "721791 micros" "rss: 76 MB" "pid: 5196"

Jeremy Liu (liujiong)
Changed in barbican:
assignee: nobody → liujiong (liujiong)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/328716

Changed in barbican:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/328716
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=8bef6b47a5c6ef5426f118ab63b3ad49559ebefe
Submitter: Jenkins
Branch: master

commit 8bef6b47a5c6ef5426f118ab63b3ad49559ebefe
Author: liujiong <email address hidden>
Date: Sun Jun 12 17:36:18 2016 +0800

    Change SecretAcceptNotSupportedException from exception.BarbicanException to exception.BarbicanHTTPException

    When retrieving secret's payload without providing payload_content_type,
    if the payload_content_type is not default as "text/plain", we get 500 error.
    Since this is generated by invalid input, we should mark this as 406 error.

    Closes-bug: #1590097
    Change-Id: I9ca94b7c66995991a9b0df37a46bd082e9795b74
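
The status mapping at issue in this report, as an added example that is not Barbican's code: the classes are simplified stand-ins that reuse the names from the report, and `get_payload` and `handle` are hypothetical. The 406 status is the one given in the commit message above (the report itself asks for 400).

```python
# Simplified stand-ins for the classes named in the report; not Barbican's code.
class BarbicanException(Exception):
    """Generic server-side error with no HTTP status attached."""


class BarbicanHTTPException(BarbicanException):
    """Error that carries the HTTP status and message meant for the client."""
    status_code = 500
    client_message = "Internal Server Error"


class AcceptNotSupportedBefore(BarbicanException):
    """Pre-fix shape: a plain BarbicanException."""
    def __init__(self, accept):
        super().__init__("Secret Accept of '%s' not supported" % accept)


class AcceptNotSupportedAfter(BarbicanHTTPException):
    """Post-fix shape: an HTTP-classified error (406 per the commit message)."""
    status_code = 406

    def __init__(self, accept):
        self.client_message = "Secret Accept of '%s' not supported" % accept
        super().__init__(self.client_message)


def get_payload(stored_type, accept, exc_class):
    """Hypothetical retrieval step: refuse an Accept type the secret lacks."""
    if accept != stored_type:
        raise exc_class(accept)
    return b"<payload bytes>"


def handle(stored_type, accept, exc_class):
    """Hypothetical controller wrapper: map exceptions to (status, body)."""
    try:
        return 200, get_payload(stored_type, accept, exc_class)
    except BarbicanHTTPException as e:
        # Client-caused error: return its own status and message.
        return e.status_code, e.client_message
    except Exception:
        # Unclassified error: generic 500, no internal detail in the body.
        return 500, "Internal Server Error"


if __name__ == "__main__":
    for cls in (AcceptNotSupportedBefore, AcceptNotSupportedAfter):
        print(cls.__name__, handle("application/octet-stream", "text/plain", cls))
```

With the 4xx classification, a client's wrong Accept type no longer counts toward server-fault (5xx) monitoring, while the catch-all branch still keeps internal detail out of responses for unclassified errors.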

Changed in barbican:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Change abandoned on barbican (master)

Change abandoned by Arun Kant (<email address hidden>) on branch: master
Review: https://review.openstack.org/326694
Reason: Not needed as another related review https://review.openstack.org/328716 is already merged.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/barbican 3.0.0.0b2

This issue was fixed in the openstack/barbican 3.0.0.0b2 development milestone.
