Bug #1504646 “Client returns a decode error when secret cannot b...” : Bugs : python-barbicanclient

Christopher Solis (cnsolis) on 2015-10-12

description:	updated
description:	updated

Laurent Luce (laurentluce49) on 2015-10-26

Changed in python-barbicanclient:
assignee:	nobody → Laurent Luce (laurentluce49)

Laurent Luce (laurentluce49) on 2015-11-07

Changed in python-barbicanclient:
assignee:	Laurent Luce (laurentluce49) → nobody

Christopher Solis (cnsolis) on 2015-11-09

Changed in python-barbicanclient:
assignee:	nobody → Christopher Solis (cnsolis)

Christopher Solis (cnsolis) on 2015-11-19

Changed in python-barbicanclient:
status:	New → In Progress

Revision history for this message

Christopher Solis (cnsolis) wrote on 2015-11-19:

#1

After investigation the root of this bug is the same as bug 1419166.

I think it's time to deprecate manually setting the content_type and content_encoding parameters. The documentation has it marked as deprecated but it is still possible through the cli and the client to use the parameters.

Revision history for this message

Dave McCowan (dave-mccowan) wrote on 2015-12-03:

#2

For backwards compatibility, I don't think deprecating will be enough.
For encryption keys (like used by Nova/Cinder volume encryption), I can have:

[stack@localhost devstack]$ openstack secret get http://10.30.118.79:9311/v1/secrets/bc924dfb-1bae-4657-a91e-49f451809976
+---------------+--------------------------------------------------------------------------+
| Field | Value |
+---------------+--------------------------------------------------------------------------+
| Secret href | http://10.30.118.79:9311/v1/secrets/bc924dfb-1bae-4657-a91e-49f451809976 |
| Name | Cinder Volume Key |
| Created | 2015-12-03 04:29:04+00:00 |
| Status | ACTIVE |
| Content types | {u'default': u'application/octet-stream'} |
| Algorithm | AES |
| Bit length | 256 |
| Secret type | symmetric |
| Mode | CBC |
| Expiration | None |
+---------------+--------------------------------------------------------------------------+

To get the payload in table format, I get this error:

[stack@localhost devstack]$ openstack secret get -p --payload_content_type 'application/octet-stream' http://10.30.118.79:9311/v1/secrets/bc924dfb-1bae-4657-a91e-49f451809976
'utf8' codec can't decode byte 0x9f in position 0: invalid start byte

If I add "-f value", I can see the payload:

[stack@localhost devstack]$ openstack secret get -p --payload_content_type 'application/octet-stream' -f value http://10.30.118.79:9311/v1/secrets/bc924dfb-1bae-4657-a91e-49f451809976
ï¿½ï¿½]sï¿½vï¿½ï¿½ï¿½Í²<1Êï¿½ï¿½ï¿½iuï¿½5ï¿½ï¿½+o_Bï¿½

I can decode it manually:

[stack@localhost devstack]$ openstack secret get -p --payload_content_type 'application/octet-stream' -f value http://10.30.118.79:9311/v1/secrets/bc924dfb-1bae-4657-a91e-49f451809976 | od -x
0000000 c69f 735d 7688 e08c cdf2 3cb2 ca31 aa94
0000020 b10f 698d 1c05 ad75 9b35 2b9c 5f6f 8f42
0000040 000a
0000041

At least for secrets with built-in secret types, Barbican client can be smarter about formatting.

For backwards compatibility, I don't think deprecating will be enough.
For encryption keys (like used by Nova/Cinder volume encryption), I can have:

[stack@localhost devstack]$ openstack secret get http://10.30.118.79:9311/v1/secrets/bc924dfb-1bae-4657-a91e-49f451809976
+---------------+--------------------------------------------------------------------------+
| Field         | Value                                                                    |
+---------------+--------------------------------------------------------------------------+
| Secret href   | http://10.30.118.79:9311/v1/secrets/bc924dfb-1bae-4657-a91e-49f451809976 |
| Name          | Cinder Volume Key                                                        |
| Created       | 2015-12-03 04:29:04+00:00                                                |
| Status        | ACTIVE                                                                   |
| Content types | {u'default': u'application/octet-stream'}                                |
| Algorithm     | AES                                                                      |
| Bit length    | 256                                                                      |
| Secret type   | symmetric                                                                |
| Mode          | CBC                                                                      |
| Expiration    | None                                                                     |
+---------------+--------------------------------------------------------------------------+

To get the payload in table format, I get this error:

[stack@localhost devstack]$ openstack secret get -p --payload_content_type 'application/octet-stream' http://10.30.118.79:9311/v1/secrets/bc924dfb-1bae-4657-a91e-49f451809976
'utf8' codec can't decode byte 0x9f in position 0: invalid start byte

If I add "-f value", I can see the payload:

[stack@localhost devstack]$ openstack secret get -p --payload_content_type 'application/octet-stream' -f value http://10.30.118.79:9311/v1/secrets/bc924dfb-1bae-4657-a91e-49f451809976
ï¿½ï¿½]sï¿½vï¿½ï¿½ï¿½Í²<1Êï¿½ï¿½ï¿½iuï¿½5ï¿½ï¿½+o_Bï¿½

I can decode it manually:

[stack@localhost devstack]$ openstack secret get -p --payload_content_type 'application/octet-stream' -f value http://10.30.118.79:9311/v1/secrets/bc924dfb-1bae-4657-a91e-49f451809976 | od -x
0000000 c69f 735d 7688 e08c cdf2 3cb2 ca31 aa94
0000020 b10f 698d 1c05 ad75 9b35 2b9c 5f6f 8f42
0000040 000a
0000041

At least for secrets with built-in secret types, Barbican client can be smarter about formatting.

Dave McCowan (dave-mccowan) on 2015-12-03

summary:	- Unable to return secret payload with content type application/octet- - stream + Get secret for symmetric secrets returns decode error
description:	updated

Revision history for this message

Douglas Mendizábal (dougmendizabal) wrote on 2016-01-13: Re: Get secret for symmetric secrets returns decode error

#3

It appears that the decode error is being thrown by Cliff, and not by python-barbicanclient code. I still need to dig into why this is happening, but it's got something to do with the Cliff formatters. :-\

Christopher Solis (cnsolis) on 2016-02-22

Changed in python-barbicanclient:
status:	In Progress → New
status:	New → In Progress

Christopher Solis (cnsolis) on 2016-02-23

summary:

- Get secret for symmetric secrets returns decode error
+ Client returns a decode error when secret cannot be formatted correctly

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-02-23: Fix proposed to python-barbicanclient (master)

#4

Fix proposed to branch: master
Review: https://review.openstack.org/283672

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-02-29: Change abandoned on python-barbicanclient (master)

#5

Change abandoned by Christopher Solis (<email address hidden>) on branch: master
Review: https://review.openstack.org/283672
Reason: It looks like the reason python3.4 is not raising the exception is because it is converting the bytestrings to actual integer values to have a friendly output. Which I think is not good because that basically means what the user puts in might not be what they get back out. At least from a CLI perspective, not the client. Patch is being abandoned in lieu of revamping the CLI, we will address this issue.

python-barbicanclient

Client returns a decode error when secret cannot be formatted correctly

Bug Description

Other bug subscribers

Remote bug watches