Image verification returns 500 if invalid 'img_signature_certificate_uuid' is specified

Bug #1736332 reported by Abhishek Kekane
Affects: Glance | Status: Fix Released | Importance: Medium | Assigned to: Abhishek Kekane | Milestone: (not shown)

Bug Description

If image signature verification is enabled and an invalid (non-existing) 'img_signature_certificate_uuid' is specified while creating the image, then image creation fails and returns a 500 Internal Server Error to the user. The reason is that it raises 'ManagedObjectNotFoundError: Key not found, uuid: <non-existing-uuid>', which is not caught.

Ideally it should return HTTP 400 Bad Request to the user.

Pre-requisites:
1. Ensure Barbican is enabled
2. Create Keys and Certificate (Reference https://etherpad.openstack.org/p/mitaka-glance-image-signing-instructions#90)
3. Create Signature (Reference https://etherpad.openstack.org/p/mitaka-glance-image-signing-instructions#184) and note down output of 'signature_64'
4. Create context and upload certificate using context (Reference https://etherpad.openstack.org/p/glance-image-signing-create-context) and note down output of 'cert_uuid'

Steps to reproduce:
1. Upload Image to Glance, with Signature Metadata
   img_signature_certificate_uuid = 'fb67edd2-95ef-404b-9af2-910708c6d9b7' (different from the one noted in Pre-requisites section Point 4)
   img_signature_hash_method = 'SHA-256'
   img_signature_key_type = 'RSA-PSS'
   img_signature = 'ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4HBKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYbbsqW6d/obgM=' (Same which is noted in Pre-requisites section Point 4 as 'signature_64')

   $ glance image-create --property name=cirrosSignedImage_goodSignature --property is-public=true --container-format bare --disk-format qcow2 --property img_signature='ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4HBKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYbbsqW6d/obgM=' --property img_signature_certificate_uuid='fb67edd2-95ef-404b-9af2-910708c6d9b7' --property img_signature_hash_method='SHA-256' --property img_signature_key_type='RSA-PSS' --file cirros-0.3.2-source.tar.gz

Actual Output:
    $ 500 Internal Server Error: The server has either erred or is incapable of performing the requested operation. (HTTP 500)

Expected Output:
    $ 400 HTTP Bad Request: Secret incorrectly specified. (HTTP 400)

NOTE: Image remains in queued status forever.
+--------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+--------------------------------+----------------------------------------------------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2017-12-05T06:25:51Z |
| disk_format | qcow2 |
| id | c78598f5-23ac-46e8-8626-c908b5b830df |
| img_signature | ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4H |
| | BKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYb |
| | bsqW6d/obgM= |
| img_signature_certificate_uuid | fb67edd2-95ef-404b-9af2-910708c6d9b9 |
| img_signature_hash_method | SHA-256 |
| img_signature_key_type | RSA-PSS |
| is-public | true |
| min_disk | 0 |
| min_ram | 0 |
| name | cirrosSignedImage_goodSignature |
| owner | 4f186fe25c934eeb95186fd0c5afda49 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2017-12-05T06:25:51Z |
| virtual_size | None |
| visibility | shared |
+--------------------------------+----------------------------------------------------------------------------------+

Glance-api logs:
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR barbicanclient.client [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] 4xx Client error: Not Found: Not Found. Sorry but your secret is in another castle.
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR castellan.key_manager.barbican_key_manager [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] Error retrieving object: Not Found: Not Found. Sorry but your secret is in another castle.: HTTPClientError: Not Found: Not Found. Sorry but your secret is in another castle.
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.api.v2.image_data [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] Failed to upload image data due to internal error: ManagedObjectNotFoundError: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] Caught error: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9: ManagedObjectNotFoundError: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi Traceback (most recent call last):
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/wsgi.py", line 1222, in __call__
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi request, **action_args)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/wsgi.py", line 1261, in dispatch
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi return method(*args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/utils.py", line 363, in wrapped
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi return func(self, req, *args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/v2/image_data.py", line 269, in upload
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self._restore(image_repo, image)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self.force_reraise()
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi six.reraise(self.type_, self.value, self.tb)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/v2/image_data.py", line 134, in upload
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi image.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/domain/proxy.py", line 195, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self.base.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/notifier.py", line 480, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi _send_notification(notify_error, 'image.upload', msg)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self.force_reraise()
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi six.reraise(self.type_, self.value, self.tb)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/notifier.py", line 427, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self.repo.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/policy.py", line 194, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi return self.image.set_data(*args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/quota/__init__.py", line 304, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self.image.set_data(data, size=size)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/location.py", line 427, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi img_signature_key_type=key_type
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 232, in get_verifier
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi signature_key_type)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 287, in get_public_key
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi certificate = get_certificate(context, signature_certificate_uuid)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 316, in get_certificate
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi cert = keymgr_api.get(context, signature_certificate_uuid)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/castellan/key_manager/barbican_key_manager.py", line 564, in get
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi uuid=managed_object_id)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi ManagedObjectNotFoundError: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: [pid: 25630|app: 0|req: 108/214] 127.0.0.1 () {40 vars in 692 bytes} [Tue Dec 5 06:25:51 2017] PUT /v2/images/c78598f5-23ac-46e8-8626-c908b5b830df/file => generated 228 bytes in 163 msecs (HTTP/1.1 500) 4 headers in 184 bytes (1 switches on core 0)
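The failure mode above is a backend "not found" bubbling up uncaught through the WSGI layer. The following added example (not Glance's or cursive's code; the class names, the in-memory key manager and the sample UUIDs are constructed stand-ins) shows the intended separation: a certificate reference the client got wrong is validated and translated into a 400, while genuinely unexpected backend errors still surface as a 500.

```python
import uuid


class ManagedObjectNotFoundError(Exception):
    """Stand-in for castellan's 'Key not found' error (not the real class)."""


class BadRequest(Exception):
    """Stand-in for the HTTP 400 exception the API layer should raise."""


class FakeKeyManager:
    """Constructed in-memory stand-in for the Barbican-backed key manager."""

    def __init__(self, certs):
        self._certs = certs  # certificate uuid (str) -> certificate bytes

    def get(self, context, managed_object_id):
        if managed_object_id not in self._certs:
            raise ManagedObjectNotFoundError(
                "Key not found, uuid: %s" % managed_object_id)
        return self._certs[managed_object_id]


def get_certificate(keymgr, context, signature_certificate_uuid):
    """Fetch the signing certificate, mapping caller mistakes to BadRequest."""
    try:
        uuid.UUID(str(signature_certificate_uuid))
    except ValueError:
        raise BadRequest("img_signature_certificate_uuid is not a valid UUID")
    try:
        return keymgr.get(context, signature_certificate_uuid)
    except ManagedObjectNotFoundError:
        # The lookup failed because of what the client supplied, so it is
        # a client error, not an internal one.
        raise BadRequest("Certificate %s not found in the key manager"
                         % signature_certificate_uuid)


def upload_status(keymgr, context, signature_certificate_uuid):
    """Mimic the WSGI dispatcher: return (HTTP status, message) for the client."""
    try:
        get_certificate(keymgr, context, signature_certificate_uuid)
    except BadRequest as e:
        return 400, str(e)
    except Exception as e:  # anything unanticipated is still a server error
        return 500, "internal error: %s" % e
    return 204, "upload accepted, signature verification can proceed"
```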

Changed in glance:
assignee: nobody → Abhishek Kekane (abhishek-kekane)
Abhishek Kekane (abhishek-kekane) wrote :

This first needs to be fixed in openstack/cursive.
Refer; https://bugs.launchpad.net/cursive/+bug/1736679

description: updated
Abhishek Kekane (abhishek-kekane) wrote :

This issue is fixed in cursive library with patch [1] and the latest library version 0.2.1 is updated in global requirements and glance with patch [2] and [3].

[1] https://review.openstack.org/#/c/526016/
[2] https://review.openstack.org/#/c/531356/
[3] https://review.openstack.org/#/c/531732

Brian Rosmaita (brian-rosmaita) wrote :

Looks like there's nothing for Glance to do on this. Thanks for doing the research to track down the fix, Abhishek.

Changed in glance:
status: New → Triaged
importance: Undecided → Medium
milestone: none → queens-3
status: Triaged → Fix Released