Image verification returns 500 if invalid 'img_signature_certificate_uuid' is specified

Bug #1736332 reported by Abhishek Kekane
Affects: Glance | Importance: Medium | Assigned to: Abhishek Kekane

Bug Description

If image signature verification is enabled and an invalid (non-existing) 'img_signature_certificate_uuid' is specified while creating the image, image creation fails and returns a 500 Internal Server Error to the user. The reason is that it raises 'ManagedObjectNotFoundError: Key not found, uuid: <non-existing-uuid>', which is not caught.

Ideally it should return HTTP 400 bad request to the user.

Pre-requisites:
1. Ensure Barbican is enabled
2. Create Keys and Certificate (Reference https://etherpad.openstack.org/p/mitaka-glance-image-signing-instructions#90)
3. Create Signature (Reference https://etherpad.openstack.org/p/mitaka-glance-image-signing-instructions#184) and note down output of 'signature_64'
4. Create context and upload certificate using context (Reference https://etherpad.openstack.org/p/glance-image-signing-create-context) and note down output of 'cert_uuid'

Steps to reproduce:
1. Upload Image to Glance, with Signature Metadata
   img_signature_certificate_uuid = 'fb67edd2-95ef-404b-9af2-910708c6d9b7' (different from the one noted in Pre-requisites section Point 4)
   img_signature_hash_method = 'SHA-256'
   img_signature_key_type = 'RSA-PSS'
   img_signature = 'ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4HBKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYbbsqW6d/obgM=' (the same value noted in Pre-requisites section Point 4 as 'signature_64')

   $ glance image-create --property name=cirrosSignedImage_goodSignature --property is-public=true --container-format bare --disk-format qcow2 --property img_signature='ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4HBKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYbbsqW6d/obgM=' --property img_signature_certificate_uuid='fb67edd2-95ef-404b-9af2-910708c6d9b7' --property img_signature_hash_method='SHA-256' --property img_signature_key_type='RSA-PSS' --file cirros-0.3.2-source.tar.gz

Actual Output:
    $ 500 Internal Server Error: The server has either erred or is incapable of performing the requested operation. (HTTP 500)

Expected Output:
    $ 400 HTTP Bad Request: Secret incorrectly specified. (HTTP 400)

NOTE: Image remains in queued status forever.
+--------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+--------------------------------+----------------------------------------------------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2017-12-05T06:25:51Z |
| disk_format | qcow2 |
| id | c78598f5-23ac-46e8-8626-c908b5b830df |
| img_signature | ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4H |
| | BKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYb |
| | bsqW6d/obgM= |
| img_signature_certificate_uuid | fb67edd2-95ef-404b-9af2-910708c6d9b9 |
| img_signature_hash_method | SHA-256 |
| img_signature_key_type | RSA-PSS |
| is-public | true |
| min_disk | 0 |
| min_ram | 0 |
| name | cirrosSignedImage_goodSignature |
| owner | 4f186fe25c934eeb95186fd0c5afda49 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2017-12-05T06:25:51Z |
| virtual_size | None |
| visibility | shared |
+--------------------------------+----------------------------------------------------------------------------------+

Glance-api logs:
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR barbicanclient.client [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] 4xx Client error: Not Found: Not Found. Sorry but your secret is in another castle.
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR castellan.key_manager.barbican_key_manager [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] Error retrieving object: Not Found: Not Found. Sorry but your secret is in another castle.: HTTPClientError: Not Found: Not Found. Sorry but your secret is in another castle.
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.api.v2.image_data [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] Failed to upload image data due to internal error: ManagedObjectNotFoundError: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi [None req-754c8c24-6407-473f-a8d5-f17278f47a40 demo admin] Caught error: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9: ManagedObjectNotFoundError: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi Traceback (most recent call last):
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/wsgi.py", line 1222, in __call__
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi request, **action_args)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/wsgi.py", line 1261, in dispatch
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi return method(*args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/common/utils.py", line 363, in wrapped
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi return func(self, req, *args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/v2/image_data.py", line 269, in upload
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self._restore(image_repo, image)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self.force_reraise()
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi six.reraise(self.type_, self.value, self.tb)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/v2/image_data.py", line 134, in upload
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi image.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/domain/proxy.py", line 195, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self.base.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/notifier.py", line 480, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi _send_notification(notify_error, 'image.upload', msg)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self.force_reraise()
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi six.reraise(self.type_, self.value, self.tb)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/notifier.py", line 427, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self.repo.set_data(data, size)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/api/policy.py", line 194, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi return self.image.set_data(*args, **kwargs)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/quota/__init__.py", line 304, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi self.image.set_data(data, size=size)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/opt/stack/glance/glance/location.py", line 427, in set_data
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi img_signature_key_type=key_type
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 232, in get_verifier
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi signature_key_type)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 287, in get_public_key
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi certificate = get_certificate(context, signature_certificate_uuid)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/cursive/signature_utils.py", line 316, in get_certificate
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi cert = keymgr_api.get(context, signature_certificate_uuid)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi File "/usr/lib/python2.7/site-packages/castellan/key_manager/barbican_key_manager.py", line 564, in get
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi uuid=managed_object_id)
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi ManagedObjectNotFoundError: Key not found, uuid: fb67edd2-95ef-404b-9af2-910708c6d9b9
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.common.wsgi
Dec 05 06:25:51 signature-test.rdocloud <email address hidden>[25628]: [pid: 25630|app: 0|req: 108/214] 127.0.0.1 () {40 vars in 692 bytes} [Tue Dec 5 06:25:51 2017] PUT /v2/images/c78598f5-23ac-46e8-8626-c908b5b830df/file => generated 228 bytes in 163 msecs (HTTP/1.1 500) 4 headers in 184 bytes (1 switches on core 0)
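The failure mode in the traceback above, as an added example that is not Glance, cursive or castellan code: a stand-in key manager raises a not-found error for an unknown certificate uuid; the 'before' code path lets that error escape to the WSGI layer, which can only answer 500; the hardened path first validates the uuid and then converts the not-found into a client error that the API layer maps to 400. ManagedObjectNotFoundError, SignatureVerificationError, HTTPBadRequest and FakeKeyManager are constructed stand-ins named after the types in the log, not imports from the real libraries; KNOWN_CERT_UUID and its certificate bytes are constructed, and MISSING_CERT_UUID is the non-existent uuid from the reproduction steps.

```python
import uuid


class ManagedObjectNotFoundError(Exception):
    """Constructed stand-in for the castellan error seen in the traceback."""


class SignatureVerificationError(Exception):
    """Constructed stand-in: signature metadata is unusable (a client error)."""


class HTTPBadRequest(Exception):
    """Constructed stand-in for the exception the API layer maps to HTTP 400."""


class FakeKeyManager:
    """Constructed in-memory key manager: certificate bytes keyed by uuid."""

    def __init__(self, certs):
        self._certs = dict(certs)

    def get(self, context, managed_object_id):
        if managed_object_id not in self._certs:
            raise ManagedObjectNotFoundError(
                "Key not found, uuid: %s" % managed_object_id)
        return self._certs[managed_object_id]


# Constructed sample data. MISSING_CERT_UUID is the non-existent uuid from the report.
KNOWN_CERT_UUID = "11111111-2222-4333-8444-555555555555"
MISSING_CERT_UUID = "fb67edd2-95ef-404b-9af2-910708c6d9b7"
KEYMGR = FakeKeyManager({KNOWN_CERT_UUID: b"-----BEGIN CERTIFICATE----- (constructed)"})


def get_certificate_naive(context, keymgr, cert_uuid):
    """'Before' shape: the key-manager error propagates untouched."""
    return keymgr.get(context, cert_uuid)


def get_certificate_hardened(context, keymgr, cert_uuid):
    """Validate the uuid, then translate 'not found' into a client error."""
    try:
        uuid.UUID(cert_uuid)  # reject values that cannot be a key-manager id at all
    except (ValueError, TypeError, AttributeError):
        raise SignatureVerificationError("Invalid certificate uuid: %r" % (cert_uuid,))
    try:
        return keymgr.get(context, cert_uuid)
    except ManagedObjectNotFoundError as e:
        # The caller referenced an object that does not exist: their input, not a server fault.
        raise SignatureVerificationError(
            "Unable to retrieve certificate with ID %s: %s" % (cert_uuid, e))


def upload(props, keymgr, get_certificate):
    """Simplified image-data upload step: resolve the signing certificate first."""
    try:
        return get_certificate(None, keymgr, props.get("img_signature_certificate_uuid"))
    except SignatureVerificationError as e:
        # A recognised client error is surfaced with its reason instead of a bare 500.
        raise HTTPBadRequest("Signature verification failed: %s" % e)


def dispatch(handler, *args):
    """Minimal WSGI-style dispatcher: known client errors -> 400, anything else -> 500."""
    try:
        handler(*args)
        return 204  # what a successful PUT /v2/images/<id>/file answers
    except HTTPBadRequest:
        return 400
    except Exception:
        return 500


if __name__ == "__main__":
    bad = {"img_signature_certificate_uuid": MISSING_CERT_UUID}
    good = {"img_signature_certificate_uuid": KNOWN_CERT_UUID}
    print("naive, unknown uuid   :", dispatch(upload, bad, KEYMGR, get_certificate_naive))
    print("hardened, unknown uuid:", dispatch(upload, bad, KEYMGR, get_certificate_hardened))
    print("hardened, known uuid  :", dispatch(upload, good, KEYMGR, get_certificate_hardened))
```

The point of the two `get_certificate_*` variants is where the exception boundary sits: the key manager's not-found type is an implementation detail of the storage backend, so the layer that consumes user-supplied metadata owns the translation into a client error. The uuid syntax check in front of the lookup also keeps malformed ids from ever reaching the key manager.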

Changed in glance:
assignee: nobody → Abhishek Kekane (abhishek-kekane)
Abhishek Kekane (abhishek-kekane) wrote :

This first needs to be fixed in openstack/cursive.
Refer; https://bugs.launchpad.net/cursive/+bug/1736679

description: updated
Abhishek Kekane (abhishek-kekane) wrote :

This issue is fixed in cursive library with patch [1] and the latest library version 0.2.1 is updated in global requirements and glance with patch [2] and [3].

[1] https://review.openstack.org/#/c/526016/
[2] https://review.openstack.org/#/c/531356/
[3] https://review.openstack.org/#/c/531732

Brian Rosmaita (brian-rosmaita) wrote :

Looks like there's nothing for Glance to do on this. Thanks for doing the research to track down the fix, Abhishek.

Changed in glance:
status: New → Triaged
importance: Undecided → Medium
milestone: none → queens-3
status: Triaged → Fix Released