security-checklist action fails for python2 and python3

Bug #1915293 reported by Garrett Neugent
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| OpenStack Dashboard Charm | Confirmed | Undecided | Unassigned | |

Bug Description

Currently, the `security-checklist` action is not working for xenial_mitaka. This is defined as expected behavior with the current functional test [0], but is interfering with additional changes around this action. LOCAL_SETTINGS [1] is used to import configuration settings during tests for validation, but currently fails when invoked.

This can be reproduced by pulling the stable version from the opendev repo and running:

```
tox -e func-target xenial_mitaka
```

The tests will pass as expected, but invoking the action on the leftover model like so yields an error:

```
$ juju run-action openstack-dashboard/0 security-checklist --wait
unit-openstack-dashboard-0:
  UnitId: openstack-dashboard/0
  id: "116"
  message: exit status 1
  results:
    ReturnCode: 1
    Stderr: |
      Traceback (most recent call last):
        File "actions/local_settings_to_json.py", line 25, in <module>
          import django.utils.translation as translation
      ImportError: No module named 'django'
      Traceback (most recent call last):
        File "/var/lib/juju/agents/unit-openstack-dashboard-0/charm/actions/security-checklist", line 191, in <module>
          sys.exit(main())
        File "/var/lib/juju/agents/unit-openstack-dashboard-0/charm/actions/security-checklist", line 185, in main
          stderr=sys.stderr)
        File "/usr/lib/python3.5/subprocess.py", line 626, in check_output
          **kwargs).stdout
        File "/usr/lib/python3.5/subprocess.py", line 708, in run
          output=stdout, stderr=stderr)
      subprocess.CalledProcessError: Command '['sudo', '-u', 'horizon', 'python3', 'actions/local_settings_to_json.py']' returned non-zero exit status 1
  status: failed
  timing:
```

Currently, python3 packages are only installed for Rocky or later [2], but running this script manually with `python` also fails.

While juju ssh'd into the unit, in /var/lib/juju/agents/unit-openstack-dashboard-0/charm:

```
$ sudo -u horizon python actions/local_settings_to_json.py
  File "actions/local_settings_to_json.py", line 39
    key, type(value), value), file=sys.stderr)
                                  ^
SyntaxError: invalid syntax
```

Finally, if the same command is run with python3 instead, the `No module named 'django'` error occurs as shown in the first example.

One step that would help root cause this (now and in the future) would be to add something like `function_fail` [3] to this line of code [4] so that the errors (if any) are bubbled back up to the test harness. This is similar to the behavior in actions/actions.py [5].

[0] https://github.com/openstack-charmers/zaza-openstack-tests/blob/2ef404be7563ab9a4907376c3b33719fee41679f/zaza/openstack/charm_tests/openstack_dashboard/tests.py#L415-L419

[1] https://github.com/openstack/charm-openstack-dashboard/blob/87e6acf25ca8ba38020cea21eec3d355f3671bb2/actions/security_checklist.py#L182-L185

[2] https://opendev.org/openstack/charm-openstack-dashboard/commit/8f84e453af27752a337c44c10f0cd4751eeb52a5

[3] https://opendev.org/openstack/charm-openstack-dashboard/src/commit/87e6acf25ca8ba38020cea21eec3d355f3671bb2/charmhelpers/core/hookenv.py#L1059

[4] https://opendev.org/openstack/charm-openstack-dashboard/src/commit/87e6acf25ca8ba38020cea21eec3d355f3671bb2/actions/security_checklist.py#L187

[5] https://opendev.org/openstack/charm-openstack-dashboard/src/commit/87e6acf25ca8ba38020cea21eec3d355f3671bb2/actions/actions.py#L68

Summary changed from "Incorrect assumption of python3 for functional tests" to "security-checklist action fails for python2 and python3".
Corey Bryant (corey.bryant) wrote :

The main problem here is that the openstack payload for < rocky is py2, thus the openstack-dashboard install results in python-django getting installed. The charm, however, is running py3 code and it depends on python3-django in actions/local_settings_to_json.py.

This results in not being able to set LOCAL_SETTINGS, therefore none of the security checks in actions/security_checklist.py can get run on < rocky.

Interestingly enough, python-django and python3-django can both coexist. However, that's not a solution because executing actions/local_settings_to_json.py under py3 fails because horizon's local_settings.py code is still py2 and that ends up with py3 imports missing.

The action is expected to result in stdout having a dictionary such as [1]:

```
UnitId: openstack-dashboard/0
id: "2"
message: exit status 1
results:
  ReturnCode: 1
  Stderr: |
  ...
  Stdout: "csrf_cookie_set: FAIL (CSRF_COOKIE_SECURE should be set to True)\ndisable_password_autocomplete:
    PASS\ndisable_password_reveal: FAIL (DISABLE_PASSWORD_REVEAL should be set to
    True)\ndisallow_iframe_embed: FAIL (DISALLOW_IFRAME_EMBED should be set to True)\nenforce_password_check:
    FAIL (ENFORCE_PASSWORD_CHECK should be set to True)\npassword_validator_is_not_default:
    ERROR ('NoneType' object is not subscriptable)\nsecurie_proxy_ssl_header_is_set:
    FAIL (SECURE_PROXY_SSL_HEADER should be set to ('HTTP_X_FORWARDED_PROTO', 'https'))\nsession_cookie_httponly:
    FAIL (SESSION_COOKIE_HTTPONLY should be set to True)\nsession_cookie_store: FAIL
    (SESSION_COOKIE_SECURE should be set to True)\nvalidate_file_ownership: PASS\nvalidate_file_permissions:
    PASS\nSkipping validate-uses-keystone because it isexcluded in audit config\nSkipping
    validate-uses-tls-for-glance because it isexcluded in audit config\nSkipping validate-uses-tls-for-keystone
    because it isexcluded in audit config\n====================\nError in password_validator_is_not_default:
    \n\n"
  csrf-cookie-set: FAIL - CSRF_COOKIE_SECURE should be set to True
  disable-password-autocomplete: PASS
  disable-password-reveal: FAIL - DISABLE_PASSWORD_REVEAL should be set to True
  disallow-iframe-embed: FAIL - DISALLOW_IFRAME_EMBED should be set to True
  enforce-password-check: FAIL - ENFORCE_PASSWORD_CHECK should be set to True
  password-validator-is-not-default: FAIL - 'NoneType' object is not subscriptable
  securie-proxy-ssl-header-is-set: FAIL - SECURE_PROXY_SSL_HEADER should be set to
    ('HTTP_X_FORWARDED_PROTO', 'https')
  session-cookie-httponly: FAIL - SESSION_COOKIE_HTTPONLY should be set to True
  session-cookie-store: FAIL - SESSION_COOKIE_SECURE should be set to True
  validate-file-ownership: PASS
  validate-file-permissions: PASS
status: failed
timing:
  completed: 2021-02-11 20:41:31 +0000 UTC
  enqueued: 2021-02-11 20:41:28 +0000 UTC
  started: 2021-02-11 20:41:29 +0000 UTC
```

We tried calling function_fail() in local_settings_to_json.py, but that causes unexpected action results (empty Stdout - no dictionary of results):

```
UnitId: openstack-dashboard/0
id: "118" ...
```

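The checks listed in the action output above, as an added stand-alone example (mine, not the charm's `actions/security_checklist.py`): it evaluates the same setting names and expected values against an in-memory dict instead of importing Horizon's `local_settings`, and handles the missing password validator that produced the `'NoneType' object is not subscriptable` ERROR. The `HORIZON_CONFIG['password_validator']` layout and the `.*` default regex are assumptions about Horizon; `check_settings`, `format_results` and `SAMPLE_SETTINGS` are my names.

```python
# Added example, not the charm's own code: re-implements the settings checks
# named in the quoted action output over a plain dict. HORIZON_CONFIG layout
# and the '.*' default regex are assumptions about Horizon.

EXPECTED = {
    "csrf_cookie_set": ("CSRF_COOKIE_SECURE", True),
    "disable_password_reveal": ("DISABLE_PASSWORD_REVEAL", True),
    "disallow_iframe_embed": ("DISALLOW_IFRAME_EMBED", True),
    "enforce_password_check": ("ENFORCE_PASSWORD_CHECK", True),
    "secure_proxy_ssl_header_is_set": ("SECURE_PROXY_SSL_HEADER", ("HTTP_X_FORWARDED_PROTO", "https")),
    "session_cookie_httponly": ("SESSION_COOKIE_HTTPONLY", True),
    "session_cookie_store": ("SESSION_COOKIE_SECURE", True),
}
DEFAULT_VALIDATOR_REGEX = ".*"  # assumed Horizon default

def password_validator_is_not_default(settings):
    # A missing validator yields None; subscripting it is what produced the
    # "'NoneType' object is not subscriptable" ERROR in the bug output.
    validator = (settings.get("HORIZON_CONFIG") or {}).get("password_validator")
    if validator is None:
        return "FAIL", "no password_validator configured in HORIZON_CONFIG"
    if validator.get("regex") == DEFAULT_VALIDATOR_REGEX:
        return "FAIL", "password_validator still uses the default regex"
    return "PASS", None

def check_settings(settings):
    """Return {check_name: (status, reason)} for a local_settings-style mapping."""
    results = {}
    for name, (key, want) in EXPECTED.items():
        if settings.get(key) == want:
            results[name] = ("PASS", None)
        else:
            results[name] = ("FAIL", "%s should be set to %r" % (key, want))
    results["password_validator_is_not_default"] = password_validator_is_not_default(settings)
    return results

def format_results(results):
    """Render 'name: STATUS (reason)' lines like the action's Stdout."""
    lines = []
    for name in sorted(results):
        status, reason = results[name]
        lines.append("%s: %s%s" % (name, status, " (%s)" % reason if reason else ""))
    return "\n".join(lines)

# Constructed sample: a pre-Rocky style local_settings with most hardening unset.
SAMPLE_SETTINGS = {
    "CSRF_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "HORIZON_CONFIG": {},
}
```

Running `print(format_results(check_settings(SAMPLE_SETTINGS)))` reproduces the FAIL/PASS lines in the style of the Stdout above, with the validator case reported as a FAIL with a reason rather than an ERROR.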

Chris MacNaughton (chris.macnaughton) wrote :

The action needs to correctly decide which python version to use for this action, depending on the OpenStack version installed.

Changed in charm-openstack-dashboard:
status: New → Confirmed
Chris MacNaughton (chris.macnaughton) wrote :

Interestingly, even after changing the action to use python2 on releases before Rocky and updating things to be py2 compatible, the following error still happens when trying to load the dashboard's settings:

```
Traceback (most recent call last):
  File "local_settings_to_json.py", line 27, in <module>
    import local_settings
  File "/etc/openstack-dashboard/local_settings.py", line 11, in <module>
    from openstack_dashboard import exceptions
ImportError: No module named openstack_dashboard
```

There's more to this than just making it work with python2 as apparently some other things are different on 2 vs 3 with the dashboard.
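An added example (mine, not the charm's code) of the two mechanics discussed in this thread: choosing the interpreter from the installed OpenStack release, as Chris describes, and returning a failed dump's stderr to the caller instead of swallowing it, which is what the reporter wants bubbled up through `function_fail`. The release list is the public OpenStack order with the py3 cut-over at Rocky from [2]; `interpreter_for`, `dump_local_settings` and the injectable `runner` are my names, and the block does not address the separate `openstack_dashboard` import failure Chris reports.

```python
import subprocess

# Added example, not the charm's own code. Release order is the public
# OpenStack sequence; the py3 cut-over at Rocky is the one cited in [2].
RELEASES = ["mitaka", "newton", "ocata", "pike", "queens",
            "rocky", "stein", "train", "ussuri", "victoria"]
PY3_FROM = "rocky"
DUMP_SCRIPT = "actions/local_settings_to_json.py"

def interpreter_for(release):
    """Pick the interpreter whose django/openstack_dashboard packages match the payload."""
    if release not in RELEASES:
        raise ValueError("unknown OpenStack release: %s" % release)
    return "python3" if RELEASES.index(release) >= RELEASES.index(PY3_FROM) else "python"

def dump_local_settings(release, runner=subprocess.run):
    """Run the dump script as the horizon user under the matching interpreter.

    Returns (ok, stdout, stderr). A non-zero exit is reported together with
    its stderr instead of being swallowed, so the caller can hand the traceback
    to function_fail() rather than exit blindly. `runner` is injectable so the
    subprocess call can be faked in tests.
    """
    cmd = ["sudo", "-u", "horizon", interpreter_for(release), DUMP_SCRIPT]
    try:
        # PIPE/universal_newlines rather than capture_output/text: the unit in
        # the bug runs python3.5, which lacks the newer keyword names.
        proc = runner(cmd, check=True, stdout=subprocess.PIPE,
                      stderr=subprocess.PIPE, universal_newlines=True)
    except subprocess.CalledProcessError as exc:
        return False, exc.stdout or "", exc.stderr or ""
    return True, proc.stdout, proc.stderr
```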
