Encrypted passwords are not (always) encoded correctly

Bug #1207707 reported by Zane Bitter
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Heat | Fix Released | High | Steven Hardy |
Grizzly | Fix Released | High | Steven Hardy |

Bug Description

From: https://answers.launchpad.net/heat/+question/233335

Passwords that are being stored encrypted in the database may arrive as unicode, but are always treated as strings after decrypting.

This appears to cause a problem with the RDO package, which uses a different encryption library to upstream Heat. Probably upstream handles the conversion appropriately, but the RDO version does not.

keystone.log reports:
2013-07-31 17:14:35 DEBUG [keystone.common.wsgi] {"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "4\u0000\u0000\u00002\u0000\u0000\u00009\u0000\u0000\u0000f\u0000\u0000\u00003\u0000\u0000\u00002\u0000\u0000\u0000b\u0000\u0000\u00008\u0000\u0000\u00006\u0000\u0000\u00008\u0000\u0000\u0000a\u0000\u0000\u0000d\u0000\u0000\u00004\u0000\u0000\u00002\u0000\u0000\u00009\u0000\u0000\u0000a\u0000\u0000\u0000"}}}

We should ensure that the value is correctly encoded as utf-8 before storing it by modifying user_creds_create() in heat/db/sqlalchemy/api.py at line 209:

    user_creds_ref.password = crypt.encrypt(unicode(values['password']).encode('utf-8'))
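
An added illustration, not part of the original report or of Heat's code: it reproduces the NUL-interleaved password seen in the keystone.log line above and shows that encoding to UTF-8 before encrypting avoids it. The toy XOR cipher, the key, the sample password "42" and all function names are assumptions; the unfixed path models a library that consumes the text object's raw 4-byte-per-character buffer.

```python
import hashlib
import json

KEY = b"constructed-demo-key"  # placeholder key (assumption, not from Heat)


def toy_crypt(data):
    """Stand-in for the real cipher: XOR with a SHA-256 keystream (not secure)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def to_cipher_input(value, fixed=True):
    """Bytes handed to the cipher; None passes through (cf. bug #1237596)."""
    if value is None or isinstance(value, bytes):
        return value
    # fixed: explicit UTF-8, as in the proposed change. Unfixed: models a
    # library reading the text object's raw 4-bytes-per-character buffer
    # (assumption inferred from the NUL pattern in the keystone.log line).
    return value.encode("utf-8" if fixed else "utf-32-le")


def store_and_load(password, fixed=True):
    """Encrypt, decrypt, then use the plaintext bytes as a plain string."""
    data = to_cipher_input(password, fixed)
    if data is None:
        return None
    return toy_crypt(toy_crypt(data)).decode("latin-1")


def wide_encoding_leak(password):
    """Return the likely original if the value is NUL-interleaved, else None."""
    raw = password.encode("latin-1", "replace")
    for width, codec in ((4, "utf-32-le"), (2, "utf-16-le")):
        if len(raw) >= width and len(raw) % width == 0 and all(
            raw[i] == 0 for i in range(len(raw)) if i % width
        ):
            return raw.decode(codec)
    return None


if __name__ == "__main__":
    for fixed in (False, True):
        seen = store_and_load("42", fixed)  # constructed sample password
        print(fixed, json.dumps({"password": seen}), wide_encoding_leak(seen))
```

The `wide_encoding_leak` check can be run over stored or logged credential values to find records written before the fix.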

Steven Hardy (shardy)
Changed in heat:
milestone: none → havana-rc1
Steven Hardy (shardy)
Changed in heat:
assignee: nobody → Steven Hardy (shardy)
importance: Undecided → High
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/46287

Changed in heat:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/46287
Committed: http://github.com/openstack/heat/commit/68c1d8ed88ba6b8fa9dd8b50b985fb9ff033a203
Submitter: Jenkins
Branch: master

commit 68c1d8ed88ba6b8fa9dd8b50b985fb9ff033a203
Author: Steven Hardy <email address hidden>
Date: Thu Sep 12 15:18:10 2013 +0100

    Encode values as utf-8 before encrypting

    Ensure strings are correctly encoded before encrypting

    This is necessary because some encryption libraries don't handle
    the unicode conversion appropriately.

    Change-Id: Iebbf32e57ba21d955c1984ee32360379579366c8
    Closes-Bug: #1207707

Changed in heat:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/50589

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/50877

OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (stable/grizzly)

Reviewed: https://review.openstack.org/50877
Committed: http://github.com/openstack/heat/commit/a4090b7189ba64173827f36208bb2320015c8eaa
Submitter: Jenkins
Branch: stable/grizzly

commit a4090b7189ba64173827f36208bb2320015c8eaa
Author: Steven Hardy <email address hidden>
Date: Thu Sep 12 15:18:10 2013 +0100

    Encode values as utf-8 before encrypting

    Ensure strings are correctly encoded before encrypting

    This is necessary because some encryption libraries don't handle
    the unicode conversion appropriately.

    Also includes "tolerate None values to _encrypt" fix from
    bug #1237596, without which the grizzly unit tests fail

    Conflicts:
        heat/db/sqlalchemy/api.py
        heat/heat/tests/test_sqlalchemy_api.py

    Combination of these Change-Id's,
    Iebbf32e57ba21d955c1984ee32360379579366c8
    I39cd4a1bab39def9ad4c214da768e91f411d7697
    with a partial backport (one test) from
    Ie0fdc5068475db7e84f366d1eb2b9ae56db0b3fc
    to ensure test-coverage of the bugfix.

    Closes-Bug: #1237596
    Closes-Bug: #1207707
    Change-Id: I1efaedc983b60a01944d5ebf88084f52ba909e78

Thierry Carrez (ttx)
Changed in heat:
milestone: havana-rc1 → 2013.2