python-cryptography missing cffi dependency

Bug #1752660 reported by Graham Hayes
This bug affects 1 person
Affects: python-cryptography (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

When installing keystone (via apt-get install keystone), apt does not install python-cffi, which is required for keystone to implement Fernet tokens (the current recommended token type).

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: keystone 2:13.0.0-0ubuntu1~cloud0 [origin: Canonical]
Uname: Linux 4.4.88-mainline-rev1 x86_64
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
CrashDB:
 {
                "impl": "launchpad",
                "project": "cloud-archive",
                "bug_pattern_url": "http://people.canonical.com/~ubuntu-archive/bugpatterns/bugpatterns.xml",
             }
Date: Thu Mar 1 17:19:34 2018
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: keystone
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.keystone.keystone.conf: 2018-03-01T16:51:52.734036

Corey Bryant (corey.bryant) wrote :

Hi Graham,

Thanks for reporting this. It would be good if this was specified in upstream keystone's requirements as well, so adding upstream to the bug.

Thanks,
Corey

Changed in cloud-archive:
status: New → Triaged
Changed in keystone (Ubuntu):
status: New → Triaged
Corey Bryant (corey.bryant) wrote :

I'm not seeing any imports of ffi/cffi in keystone but maybe my grep is failing me.

Corey Bryant (corey.bryant) wrote :

Graham, sorry, can you provide some more details? Is this possibly an indirect dependency via another project?

Changed in cloud-archive:
status: Triaged → Incomplete
Changed in keystone (Ubuntu):
status: Triaged → Incomplete
Graham Hayes (grahamhayes) wrote :

The stack trace I am getting looks like:

    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 226, in __call__
        result = method(req, **params)
      File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 154, in authenticate_for_token
        parent_audit_id=token_audit_id)
      File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 116, in wrapped
        __ret_val = __f(*args, **kwargs)
      File "/usr/lib/python2.7/dist-packages/keystone/token/provider.py", line 210, in issue_token
        parent_audit_id=parent_audit_id)
      File "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/core.py", line 53, in issue_token
        *args, **kwargs)
      File "/usr/lib/python2.7/dist-packages/keystone/token/providers/common.py", line 605, in issue_token
        token_id = self._get_token_id(token_data)
      File "/usr/lib/python2.7/dist-packages/keystone/token/providers/fernet/core.py", line 187, in _get_token_id
        app_cred_id=app_cred_id
      File "/usr/lib/python2.7/dist-packages/keystone/token/token_formatters.py", line 160, in create_token
        token = self.pack(serialized_payload)
      File "/usr/lib/python2.7/dist-packages/keystone/token/token_formatters.py", line 79, in pack
        return self.crypto.encrypt(payload).rstrip(b'=').decode('utf-8')
      File "/usr/lib/python2.7/dist-packages/cryptography/fernet.py", line 135, in encrypt
        return self._fernets[0].encrypt(msg)
      File "/usr/lib/python2.7/dist-packages/cryptography/fernet.py", line 51, in encrypt
        return self._encrypt_from_parts(data, current_time, iv)
      File "/usr/lib/python2.7/dist-packages/cryptography/fernet.py", line 62, in _encrypt_from_parts
        ciphertext = encryptor.update(padded_data) + encryptor.finalize()
      File "/usr/lib/python2.7/dist-packages/cryptography/hazmat/primitives/ciphers/base.py", line 149, in update
        return self._ctx.update(data)
      File "/usr/lib/python2.7/dist-packages/cryptography/hazmat/backends/openssl/ciphers.py", line 120, in update
        n = self.update_into(data, buf)
      File "/usr/lib/python2.7/dist-packages/cryptography/hazmat/backends/openssl/ciphers.py", line 131, in update_into
        "unsigned char *", self._backend._ffi.from_buffer(buf)
    TypeError: from_buffer() cannot return the address of the raw string within a str or unicode or bytearray object

It looks like it is transitive via cryptography when using Fernet encryption.

Corey Bryant (corey.bryant) wrote :

Ok thanks, that's helpful. Something seems to be wrong with the python-cryptography package. It seems to intend to install cffi but it is obviously not happening.

Changed in cloud-archive:
status: Incomplete → Triaged
importance: Undecided → High
Changed in keystone (Ubuntu):
status: Incomplete → Invalid
Changed in keystone:
status: New → Invalid
Changed in python-cryptography (Ubuntu):
status: New → Triaged
importance: Undecided → High
Corey Bryant (corey.bryant) wrote :

I've opened the following bug against the Debian package: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892112

summary: - keystone requires cffi to be installed for fernat tokens
+ python-cryptography missing cffi dependency
Changed in python-cryptography (Ubuntu Xenial):
status: New → Triaged
no longer affects: keystone (Ubuntu Artful)
no longer affects: keystone
no longer affects: keystone (Ubuntu)
no longer affects: keystone (Ubuntu Xenial)
no longer affects: keystone (Ubuntu Bionic)
Changed in python-cryptography (Ubuntu Artful):
importance: Undecided → High
Changed in python-cryptography (Ubuntu Xenial):
importance: Undecided → High
Changed in python-cryptography (Ubuntu Artful):
status: New → Triaged
Corey Bryant (corey.bryant) wrote :

I think our long-term fix will come from the Debian maintainer's approach to adding dependencies. I'm going to fix this in Ubuntu for now by adding python-cffi to debian/control Depends.

Corey Bryant (corey.bryant) wrote :

I've uploaded a new fixed version of python-cryptography to all affected releases. The Xenial (Mitaka) and Artful (Pike) versions will need to be reviewed by the SRU team before they are accepted into proposed and backported to the cloud-archive.

Corey Bryant (corey.bryant) wrote :

Graham, would you mind testing with a PPA? If you can let me know what release combination you're working with, I can get a PPA built.

I've unsubscribed the SRU team for now as Tristan mentioned in the Debian bug that he didn't immediately see what the stack trace in the Ubuntu bug report has to do with cffi being installed or not.

Graham Hayes (grahamhayes) wrote :

Sure, no problem - I can spin up a VM to test tomorrow.

I am running Xenial / Queens.

Corey Bryant (corey.bryant) wrote :

Graham, thanks, that would be great. This will get you the new version:

    sudo add-apt-repository ppa:ubuntu-cloud-archive/queens-staging
    sudo apt update

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cryptography - 2.1.4-1ubuntu1

---------------
python-cryptography (2.1.4-1ubuntu1) bionic; urgency=medium

  * d/control: Add python-cffi to binary package dependencies (LP: #1752660).

 -- Corey Bryant <email address hidden> Mon, 05 Mar 2018 14:37:41 -0500

Changed in python-cryptography (Ubuntu Bionic):
status: Triaged → Fix Released
Corey Bryant (corey.bryant) wrote :

Hi Graham,

I don't think this is a dependency issue. I'm going to back out the changes I made earlier as I pulled the trigger too quickly with those. What would be good to know is what 'buf' is set to in your scenario. Here's a little script that hits the same path your traceback goes down. It runs successfully on xenial-queens for me.

    from cryptography.fernet import Fernet, MultiFernet
    key1 = Fernet(Fernet.generate_key())
    key2 = Fernet(Fernet.generate_key())
    f = MultiFernet([key1, key2])
    token = f.encrypt(b"Secret message!")

Thanks,
Corey

Corey Bryant (corey.bryant) wrote :

I've marked this incomplete until we can recreate it.

Changed in python-cryptography (Ubuntu Bionic):
status: Fix Released → Incomplete
no longer affects: python-cryptography (Ubuntu Artful)
no longer affects: python-cryptography (Ubuntu)
no longer affects: python-cryptography (Ubuntu Xenial)
no longer affects: python-cryptography (Ubuntu Bionic)
Changed in python-cryptography (Ubuntu):
status: New → Incomplete
no longer affects: cloud-archive
no longer affects: cloud-archive/mitaka
no longer affects: cloud-archive/newton
no longer affects: cloud-archive/ocata
no longer affects: cloud-archive/queens
no longer affects: cloud-archive/pike
Graham Hayes (grahamhayes) wrote :

Yeah - I have been trying to repro on a new machine, and I can't.

It looks like it may have been a weird machine state due to it being a long-running machine that had the archive added after ~6 months of running.

Changed in python-cryptography (Ubuntu):
status: Incomplete → Invalid
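
Added example, not part of the thread or of any project's code: a triage probe that extends the test script above by recording which cryptography and cffi versions are importable and classifying how the MultiFernet round trip fails. It separates a module that cannot be imported (ImportError) from a TypeError raised inside an already-loaded backend, as in the traceback above. The names `probe_fernet_stack` and `_multifernet_roundtrip` and the `roundtrip` parameter are hypothetical.

```python
import importlib


def _multifernet_roundtrip(payload):
    # Same code path as the script in the thread:
    # MultiFernet.encrypt -> Fernet -> OpenSSL backend reached through cffi.
    from cryptography.fernet import Fernet, MultiFernet
    f = MultiFernet([Fernet(Fernet.generate_key()),
                     Fernet(Fernet.generate_key())])
    return f.decrypt(f.encrypt(payload)) == payload


def probe_fernet_stack(payload=b"Secret message!",
                       roundtrip=_multifernet_roundtrip):
    """Return importable versions plus a classification of the round trip.

    `roundtrip` is a hypothetical hook so the classification can be
    exercised without a broken installation.
    """
    versions = {}
    for name in ("cffi", "cryptography"):
        try:
            mod = importlib.import_module(name)
            versions[name] = getattr(mod, "__version__", "unknown")
        except ImportError:
            versions[name] = None  # module cannot be imported at all

    try:
        ok = roundtrip(payload)
    except ImportError as exc:
        # A dependency is absent or cannot be loaded.
        status, detail = "import-error", str(exc)
    except TypeError as exc:
        # Modules loaded, but a call into the backend was rejected.
        status, detail = "backend-error", str(exc)
    else:
        status, detail = ("ok", "") if ok else ("roundtrip-mismatch", "")

    return {"versions": versions, "status": status, "detail": detail}


if __name__ == "__main__":
    print(probe_fernet_stack())
```

Comparing the reported versions with what `apt-cache policy python-cryptography python-cffi` lists shows whether both packages come from the same archive.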