Barbican returns a 400 when unable to find a plugin.

Bug #1416075 reported by Douglas Mendizábal
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Barbican
Fix Released
Medium
Juan Antonio Osorio Robles

Bug Description

I found this bug while testing the client against a Barbican instance that has stored secrets using different plugins. The scenario is this:

Barbican is running with a particular SecreStore plugin, let's call it PluginA. Then the secret store plugin is changed to a new plugin, let's call it PluginB.
The Barbican database contains secrets that were either encrypted with PluginA or PluginB.
When a client attempts to retrieve a secret that was stored using PluginA, Barbican responds with "400 - could not find plugin" since the only plugin available is PluginB.

The problem I see with this is that 400 errors imply that the client is in error, and that the request must somehow be changed so that the service can fulfill the request. This is not the case in this scenario, though, because there is nothing the client can do to their request to get their secret back.

Since this error is the result of a misconfiguration (leaving PluginA out of the config), or possibly due to a failed PluginA -> PluginB migration, I would expect the response to be a 500 (or 5xx) error, since the service itself must be modified to be able to fulfill the request.

Revision history for this message
John Wood (john-wood-w) wrote :

IMHO, agreed!

Changed in barbican:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
Changed in barbican:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/151936

Changed in barbican:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/151936
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=b1effb65a641073fdba76da680890e290712b5a1
Submitter: Jenkins
Branch: master

commit b1effb65a641073fdba76da680890e290712b5a1
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Sun Feb 1 19:46:32 2015 +0200

    Change exception when store plugin is misconfigured

    If we try to get a plugin that supports the "retrieve" and "delete"
    operations and the plugin is not there, is is probably due to a server
    misconfiguration, since the plugin name is gotten from the metadata
    from the database; And if it was there in the first place, it means
    that it once was actually able to store that secret using a valid
    plugin. Thus, a new exception is raised if this is the case.

    Change-Id: I2be8b9dd17a7bd12f10e55945b09257fce616f3d
    Closes-Bug: #1416075

Changed in barbican:
status: In Progress → Fix Committed
Changed in barbican:
milestone: none → kilo-3
Thierry Carrez (ttx)
Changed in barbican:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in barbican:
milestone: kilo-3 → 2015.1.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.