OpenStack Identity (keystone)

ec2 signature validation fails with v3 credentials

Bug #1259584 reported by Steven Hardy on 2013-12-10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Steven Hardy	OpenStack Identity (keystone) 2014.1 "icehouse"

Bug Description

If you create an ec2 keypair via the v3/credentials API:

https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#credentials-v3credentials

Then you get a 500 when trying to validate a signed request (signed using the keypair) via the ec2tokens extension:

2013-12-10 14:52:30.060 722 ERROR keystone.common.wsgi [-] 'unicode' object has no attribute 'get'
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi Traceback (most recent call last):
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 238, in __call__
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi result = method(context, **params)
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/contrib/ec2/controllers.py", line 96, in authenticate
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi creds_ref = self._get_credentials(credentials['access'])
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/contrib/ec2/controllers.py", line 229, in _get_credentials
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi return self._convert_v3_to_ec2_credential(creds)
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/contrib/ec2/controllers.py", line 215, in _convert_v3_to_ec2_credential
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi 'access': blob.get('access'),
2013-12-10 14:52:30.060 722 TRACE keystone.common.wsgi AttributeError: 'unicode' object has no attribute 'get'

It looks like a mismatch between the way the data blob is stored via v3/credentials and creating the keypair direct via the ec2tokens

Tags:

Steven Hardy (shardy) on 2013-12-10

Changed in keystone:
assignee:	nobody → Steven Hardy (shardy)

Dolph Mathews (dolph) on 2013-12-12

Changed in keystone:
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-13: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/66445

Changed in keystone:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-13:

Fix proposed to branch: master
Review: https://review.openstack.org/66446

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-13:

Fix proposed to branch: master
Review: https://review.openstack.org/66447

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-22: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/66445
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a8b65f7c1ef23487d733b94248d5998c55b768ee
Submitter: Jenkins
Branch: master

commit a8b65f7c1ef23487d733b94248d5998c55b768ee
Author: Steven Hardy <email address hidden>
Date: Fri Dec 20 17:35:29 2013 +0000

Refactor context trust_id check to wsgi.Application base class

    Move the ec2 controller check for a trust_id in the token
    specified in the request context, renaming it to match the
    existing convention in the controller base classes.

This function can be used by both v2 and v3 controllers
hence putting it into the common Application base class.

Test coverage for this is provided via existing tests in
test_keystoneclient_sql.py

Change-Id: I6028a2cfa0e9e2e16acc99b5a0a027cd6cc42ada
Partial-Bug: #1259584

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-22:

Reviewed: https://review.openstack.org/66446
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3e49433f00b7c244e8caf2e79b7c7a80a6c6dccd
Submitter: Jenkins
Branch: master

commit 3e49433f00b7c244e8caf2e79b7c7a80a6c6dccd
Author: Steven Hardy <email address hidden>
Date: Mon Jan 13 18:24:02 2014 +0000

Store trust_id for v3/credentials ec2 keypairs

    To fix bug #1259584 without re-opening the vulnerablility fixed in
    bug #1242597, we need to store the trust_id in the data blob when
    storing an ec2 keypair via the v3/credentials API. This is already
    done when keypairs are created/stored via the ec2tokens interface,
    so this aligns the behavior when the credentials are created via
    v3/credentials.

Change-Id: I8443d30dffed4201b46d10cef6a0bb43ccdcddc1
Partial-Bug: #1259584

Changed in keystone:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-22:

Reviewed: https://review.openstack.org/66447
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=949a2cdc3a4e15b3df56b79473d97c16fda9f422
Submitter: Jenkins
Branch: master

commit 949a2cdc3a4e15b3df56b79473d97c16fda9f422
Author: Steven Hardy <email address hidden>
Date: Mon Jan 13 21:17:13 2014 +0000

Store ec2 credentials blob as json

    For compatibility with the v3/credentials API, the blob dict should
    be stored serialized as json. To maintain backwards compatibility
    with existing DB contents stored via the ec2tokens interface, we
    fall back to the previous behavior if we fail to load the blob.

Change-Id: I21f068c308df5aa6a818031d3bc86a81b2bd25f4
Closes-Bug: #1259584

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-22: Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/66974
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6a051c19817292f4e221759f80d0b298aebbcee1
Submitter: Jenkins
Branch: master

commit 6a051c19817292f4e221759f80d0b298aebbcee1
Author: Steven Hardy <email address hidden>
Date: Wed Jan 15 21:47:52 2014 +0000

v3 credentials, ensure blob response is json

    The v3/credentials API specifies the blob response to be json, but
    due to bug #1259584, any credentials stored via the ec2tokens extension
    will incorrectly return a dict. This makes it hard for clients (and
    in particular users migrating from ec2tokens to v3/credentials) to
    handle the blob data consistently, so add a workaround to ensure the
    response is always serialized as json if the existing DB contents is
    a dict instead of a json string.

    Change-Id: I340cdf4e565fdadacb41b39acace3948aafb9b92
    Related-Bug: #1259584
    Closes-Bug: #1269637

Thierry Carrez (ttx) on 2014-01-22

Changed in keystone:
milestone:	none → icehouse-2
status:	Fix Committed → Fix Released

Steven Hardy (shardy) on 2014-01-31

tags:

added: havana-backport-potential

Thierry Carrez (ttx) on 2014-04-17

Changed in keystone:
milestone:	icehouse-2 → 2014.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.