ec2 signature validation fails with v3 credentials

Bug #1259584 reported by Steven Hardy
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Steven Hardy
Milestone: 2014.1

Bug Description

If you create an ec2 keypair via the v3/credentials API:

https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#credentials-v3credentials

Then you get a 500 when trying to validate a signed request (signed using the keypair) via the ec2tokens extension:

2013-12-10 14:52:30.060 722 ERROR keystone.common.wsgi [-] 'unicode' object has no attribute 'get'
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi Traceback (most recent call last):
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 238, in __call__
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi result = method(context, **params)
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/contrib/ec2/controllers.py", line 96, in authenticate
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi creds_ref = self._get_credentials(credentials['access'])
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/contrib/ec2/controllers.py", line 229, in _get_credentials
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi return self._convert_v3_to_ec2_credential(creds)
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/contrib/ec2/controllers.py", line 215, in _convert_v3_to_ec2_credential
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi 'access': blob.get('access'),
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi AttributeError: 'unicode' object has no attribute 'get'

It looks like a mismatch between the way the data blob is stored via v3/credentials and the way it is stored when creating the keypair directly via the ec2tokens extension.

Steven Hardy (shardy)
Changed in keystone:
assignee: nobody → Steven Hardy (shardy)
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/66445

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/66446

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/66447

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/66445
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a8b65f7c1ef23487d733b94248d5998c55b768ee
Submitter: Jenkins
Branch: master

commit a8b65f7c1ef23487d733b94248d5998c55b768ee
Author: Steven Hardy <email address hidden>
Date: Fri Dec 20 17:35:29 2013 +0000

    Refactor context trust_id check to wsgi.Application base class

    Move the ec2 controller check for a trust_id in the token
    specified in the request context, renaming it to match the
    existing convention in the controller base classes.

    This function can be used by both v2 and v3 controllers
    hence putting it into the common Application base class.

    Test coverage for this is provided via existing tests in
    test_keystoneclient_sql.py

    Change-Id: I6028a2cfa0e9e2e16acc99b5a0a027cd6cc42ada
    Partial-Bug: #1259584

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/66446
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3e49433f00b7c244e8caf2e79b7c7a80a6c6dccd
Submitter: Jenkins
Branch: master

commit 3e49433f00b7c244e8caf2e79b7c7a80a6c6dccd
Author: Steven Hardy <email address hidden>
Date: Mon Jan 13 18:24:02 2014 +0000

    Store trust_id for v3/credentials ec2 keypairs

    To fix bug #1259584 without re-opening the vulnerability fixed in
    bug #1242597, we need to store the trust_id in the data blob when
    storing an ec2 keypair via the v3/credentials API. This is already
    done when keypairs are created/stored via the ec2tokens interface,
    so this aligns the behavior when the credentials are created via
    v3/credentials.

    Change-Id: I8443d30dffed4201b46d10cef6a0bb43ccdcddc1
    Partial-Bug: #1259584

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/66447
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=949a2cdc3a4e15b3df56b79473d97c16fda9f422
Submitter: Jenkins
Branch: master

commit 949a2cdc3a4e15b3df56b79473d97c16fda9f422
Author: Steven Hardy <email address hidden>
Date: Mon Jan 13 21:17:13 2014 +0000

    Store ec2 credentials blob as json

    For compatibility with the v3/credentials API, the blob dict should
    be stored serialized as json. To maintain backwards compatibility
    with existing DB contents stored via the ec2tokens interface, we
    fall back to the previous behavior if we fail to load the blob.

    Change-Id: I21f068c308df5aa6a818031d3bc86a81b2bd25f4
    Closes-Bug: #1259584

OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/66974
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6a051c19817292f4e221759f80d0b298aebbcee1
Submitter: Jenkins
Branch: master

commit 6a051c19817292f4e221759f80d0b298aebbcee1
Author: Steven Hardy <email address hidden>
Date: Wed Jan 15 21:47:52 2014 +0000

    v3 credentials, ensure blob response is json

    The v3/credentials API specifies the blob response to be json, but
    due to bug #1259584, any credentials stored via the ec2tokens extension
    will incorrectly return a dict. This makes it hard for clients (and
    in particular users migrating from ec2tokens to v3/credentials) to
    handle the blob data consistently, so add a workaround to ensure the
    response is always serialized as json if the existing DB content is
    a dict instead of a json string.

    Change-Id: I340cdf4e565fdadacb41b39acace3948aafb9b92
    Related-Bug: #1259584
    Closes-Bug: #1269637
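The two blob storage formats that the bug description and the three fixes above describe, as an added Python example (mine, not Keystone's code): a pre-fix converter that reproduces the `'unicode' object has no attribute 'get'` failure on a v3/credentials row, a tolerant loader that accepts both a JSON string and a legacy dict and falls back when decoding fails, a write path that always serializes as JSON and records `trust_id`, and a v3 read path that always returns a JSON string. The row layout (`user_id`, `project_id`, `blob`) and all sample values are constructed for the example and are assumptions, not Keystone's schema or real database contents.

```python
import json

# Constructed sample credential rows (not real DB contents). The field
# layout is my assumption for the example, not Keystone's schema.
V3_ROW = {
    # created via v3/credentials: the blob is a JSON *string*
    "user_id": "user-1",
    "project_id": "proj-1",
    "type": "ec2",
    "blob": json.dumps({"access": "ACCESS_V3", "secret": "SECRET_V3",
                        "trust_id": None}),
}
LEGACY_ROW = {
    # created via the ec2tokens extension before the fix: the blob is a dict
    "user_id": "user-1",
    "project_id": "proj-1",
    "type": "ec2",
    "blob": {"access": "ACCESS_EC2", "secret": "SECRET_EC2",
             "trust_id": "trust-9"},
}


def convert_before_fix(cred):
    """Pre-fix conversion: assumes the stored blob is already a dict.

    On a row written by v3/credentials the blob is a str, so blob.get()
    raises AttributeError, which is what surfaced as the HTTP 500 in the
    traceback above (the Python 2 message names 'unicode' instead of 'str').
    """
    blob = cred["blob"]
    return {"access": blob.get("access"), "secret": blob.get("secret")}


def reproduce_bug(cred):
    """Return the exception class name the pre-fix path raises, or None."""
    try:
        convert_before_fix(cred)
    except AttributeError as exc:
        return type(exc).__name__
    return None


def load_blob(blob):
    """Tolerant loader: a JSON-encoded object (v3/credentials) or a legacy
    dict (ec2tokens) both yield a dict; anything else is returned unchanged,
    mirroring the 'fall back to the previous behaviour' described in the fix."""
    if isinstance(blob, dict):
        return blob
    try:
        loaded = json.loads(blob)
    except (TypeError, ValueError):
        return blob
    return loaded if isinstance(loaded, dict) else blob


def convert_to_ec2_credential(cred):
    """Post-fix conversion: works for both storage formats and carries
    trust_id through, which the controller's trust check depends on."""
    blob = load_blob(cred["blob"])
    if not isinstance(blob, dict):
        raise ValueError("ec2 credential blob is not a JSON object")
    return {
        "user_id": cred["user_id"],
        "tenant_id": cred["project_id"],
        "access": blob.get("access"),
        "secret": blob.get("secret"),
        "trust_id": blob.get("trust_id"),
    }


def store_ec2_blob(access, secret, trust_id=None):
    """Write path after the fix: always serialize as JSON and always record
    trust_id (None when the creating token was not trust-scoped)."""
    return json.dumps({"access": access, "secret": secret,
                       "trust_id": trust_id})


def v3_blob_response(cred):
    """Read path for v3/credentials: the API specifies a JSON blob, so
    re-serialize legacy dict rows instead of returning the dict itself."""
    blob = cred["blob"]
    return blob if isinstance(blob, str) else json.dumps(blob)


if __name__ == "__main__":
    print("pre-fix on v3 row raises:", reproduce_bug(V3_ROW))
    print("post-fix v3 row:", convert_to_ec2_credential(V3_ROW))
    print("post-fix legacy row:", convert_to_ec2_credential(LEGACY_ROW))
    print("v3 response for legacy row:", v3_blob_response(LEGACY_ROW))
```

The point worth keeping in mind when reading the fixes: normalizing the blob to a dict on read is what lets the ec2 controller see `trust_id` at all, so a keypair created through v3/credentials without a recorded `trust_id` would have been indistinguishable from an unscoped one. That is why the second commit stores `trust_id` in the blob rather than only fixing the type error.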

Thierry Carrez (ttx)
Changed in keystone:
milestone: none → icehouse-2
status: Fix Committed → Fix Released
Steven Hardy (shardy)
tags: added: havana-backport-potential
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-2 → 2014.1