security-checklist action fails for python2 and python3
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard Charm | Confirmed | Undecided | Unassigned |
Bug Description
Currently, the `security-
This can be reproduced by pulling the stable version from the opendev repo and running:
```
tox -e func-target xenial_mitaka
```
The tests will pass as expected, but invoking the action on the leftover model like so yields an error:
```
$ juju run-action openstack-
unit-openstack-
UnitId: openstack-
id: "116"
message: exit status 1
results:
ReturnCode: 1
Stderr: |
Traceback (most recent call last):
File "actions/
import django.
ImportError: No module named 'django'
Traceback (most recent call last):
File "/var/lib/
File "/var/lib/
File "/usr/lib/
File "/usr/lib/
subproces
status: failed
timing:
```
Currently, python3 packages are only installed for Rocky or later [2], but running this script manually with `python` also fails.
while juju ssh'd in /var/lib/
```
$ sudo -u horizon python actions/
File "actions/
key, type(value), value), file=sys.stderr)
SyntaxError: invalid syntax
```
Finally, if the same command is run with python3 instead, the `No module named 'django'` error occurs as shown in the first example.
One step that would help root cause this (now and in the future) would be to add something like `function_fail` [3] to this line of code [4] so that the errors (if any) are bubbled back up to the test harness. This is similar to the behavior in actions/actions.py [5].
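A sketch of the error propagation suggested above, as an added example that is not the charm's code: the settings helper runs as a subprocess, and a non-zero exit is reported with its stderr instead of letting the checks run against settings that never loaded. `load_settings`, `run_action`, `SettingsLoadError`, `CHECKS` and the `fail` callback (standing in for `function_fail`) are hypothetical names.

```python
import json
import subprocess

# Constructed subset of checks, named after entries in the report's output.
CHECKS = {"csrf_cookie_set": ("CSRF_COOKIE_SECURE", True),
          "session_cookie_httponly": ("SESSION_COOKIE_HTTPONLY", True)}


class SettingsLoadError(RuntimeError):
    """The helper that dumps the settings as JSON did not succeed."""


def load_settings(cmd):
    """Run the helper and return its JSON output; never swallow its errors."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, universal_newlines=True)
    if proc.returncode != 0:
        # Carry stderr upward: this is where an ImportError or SyntaxError
        # from the wrong interpreter becomes visible to the caller.
        raise SettingsLoadError("{} exited {}: {}".format(
            cmd[0], proc.returncode, proc.stderr.strip()))
    try:
        return json.loads(proc.stdout)
    except ValueError as exc:
        raise SettingsLoadError("helper output is not JSON: {}".format(exc))


def run_action(cmd, checks, fail):
    """Evaluate checks against loaded settings, failing closed.

    `fail` is a hypothetical callback taking a message; in a charm it could
    be the function_fail helper the report refers to.
    """
    try:
        settings = load_settings(cmd)
    except SettingsLoadError as exc:
        fail("could not load settings: {}".format(exc))
        return None  # do not run checks against settings that never loaded
    results = {}
    for name, (key, expected) in sorted(checks.items()):
        if settings.get(key) == expected:
            results[name] = "PASS"
        else:
            results[name] = "FAIL ({} should be set to {})".format(key, expected)
    failed = [name for name, res in results.items() if res != "PASS"]
    if failed:
        fail("checks failed: {}".format(", ".join(failed)))
    return results
```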
description: updated
summary:
- Incorrect assumption of python3 for functional tests
+ security-checklist action fails for python2 and python3
The main problem here is that the openstack payload for < rocky is py2, thus the openstack-dashboard install results in python-django getting installed. The charm, however, is running py3 code and it depends on python3-django in actions/local_settings_to_json.py.
This results in not being able to set LOCAL_SETTINGS, therefore none of the security checks in actions/security_checklist.py can get run on < rocky.
Interestingly enough, python-django and python3-django can both coexist. However, that's not a solution because executing actions/local_settings_to_json.py under py3 fails because horizon's local_settings.py code is still py2 and that ends up with py3 imports missing.
The action is expected to result in stdout having a dictionary such as [1]:
```
UnitId: openstack-dashboard/0
id: "2"
message: exit status 1
results:
  ReturnCode: 1
  Stderr: |
    ...
  Stdout: "csrf_cookie_set: FAIL (CSRF_COOKIE_SECURE should be set to True)\ndisable_password_autocomplete:
    PASS\ndisable_password_reveal: FAIL (DISABLE_PASSWORD_REVEAL should be set to
    True)\ndisallow_iframe_embed: FAIL (DISALLOW_IFRAME_EMBED should be set to True)\nenforce_password_check:
    FAIL (ENFORCE_PASSWORD_CHECK should be set to True)\npassword_validator_is_not_default:
    ERROR ('NoneType' object is not subscriptable)\nsecurie_proxy_ssl_header_is_set:
    FAIL (SECURE_PROXY_SSL_HEADER should be set to ('HTTP_X_FORWARDED_PROTO', 'https'))\nsession_cookie_httponly:
    FAIL (SESSION_COOKIE_HTTPONLY should be set to True)\nsession_cookie_store: FAIL
    (SESSION_COOKIE_SECURE should be set to True)\nvalidate_file_ownership: PASS\nvalidate_file_permissions:
    PASS\nSkipping validate-uses-keystone because it isexcluded in audit config\nSkipping
    validate-uses-tls-for-glance because it isexcluded in audit config\nSkipping validate-uses-tls-for-keystone
    because it isexcluded in audit config\n====================\nError in password_validator_is_not_default:
    \n\n"
  csrf-cookie-set: FAIL - CSRF_COOKIE_SECURE should be set to True
  disable-password-autocomplete: PASS
  disable-password-reveal: FAIL - DISABLE_PASSWORD_REVEAL should be set to True
  disallow-iframe-embed: FAIL - DISALLOW_IFRAME_EMBED should be set to True
  enforce-password-check: FAIL - ENFORCE_PASSWORD_CHECK should be set to True
  password-validator-is-not-default: FAIL - 'NoneType' object is not subscriptable
  securie-proxy-ssl-header-is-set: FAIL - SECURE_PROXY_SSL_HEADER should be set to
    ('HTTP_X_FORWARDED_PROTO', 'https')
  session-cookie-httponly: FAIL - SESSION_COOKIE_HTTPONLY should be set to True
  session-cookie-store: FAIL - SESSION_COOKIE_SECURE should be set to True
  validate-file-ownership: PASS
  validate-file-permissions: PASS
status: failed
timing:
  completed: 2021-02-11 20:41:31 +0000 UTC
  enqueued: 2021-02-11 20:41:28 +0000 UTC
  started: 2021-02-11 20:41:29 +0000 UTC
```
We tried calling function_fail() in local_settings_to_json.py, but that causes unexpected action results (empty Stdout - no dictionary of results):
UnitId: openstack-dashboard/0
id: "118" ...