horizon removing trailing spaces on passwords - auth fails

Bug #1861224 reported by Orestes Leal Rodriguez
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Fix Released
Medium
Akihiro Motoki

Bug Description

From the dashboard openstack is removing the trailing spaces from our user's passwords.
We have a modified sql.py backend, that does an ldap bind to an active directory data store. And that works almost always. I say almost because for some users it doesn't work at all. We figure out (and a co-worker also confirmed this) that openstack is removing trailing (also leading?) spaces from the password entered in the dashboard. Also, inside the dashboard trailing spaces are not accepted even when they are equal byte by byte (including the space, I get an error). So this is going on.

Do anybody knows where is this removal performed? (python script location, line) So I can remove that since I have users (me included, I have the issue since the very beginning of this deployment) that cannot login. And they can use their Active Directrory passwords from other apps without problem.

We are running 'stein' with the latest update for ubuntu 18.04-AMD64.
NOTE: Since passwords can indeed contain spaces anywhere I consider this a bug.

Details:

'openstack token isue' works with spaces at the end so this is horizon/django related.

Revision history for this message
Orestes Leal Rodriguez (orestesleal) wrote :

I'm starting to think that it's the clean method from CharField() from django

Python 3.6.9 (default, Nov 7 2019, 10:44:02)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from django import forms
>>> f = forms.CharField()
>>> f.clean("hello ")
'hello'

As it can be seen it removed the trailing space. I believe horizon should redefine clean which I think they don't and it gets inherited.

Revision history for this message
Orestes Leal Rodriguez (orestesleal) wrote :

I have found a workaround, but since nobody is taking care so far I will leave it for later.

Revision history for this message
Orestes Leal Rodriguez (orestesleal) wrote :

I have posted my solution here: http://lists.openstack.org/pipermail/openstack-discuss/2020-January/012223.html

As I said in that email I'm open to other suggestions that work.

Orestes

Revision history for this message
Akihiro Motoki (amotoki) wrote :

More discussion happened in the thread http://lists.openstack.org/pipermail/openstack-discuss/2020-January/thread.html#12223.

It is better to change horizon not to string leading/trailing spaces in the password form.
It is not limited to the form reported here. It should be changed for all password related forms in horizon.

Changed in horizon:
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.opendev.org/705886

Changed in horizon:
assignee: nobody → Akihiro Motoki (amotoki)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.opendev.org/705886
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=6a07f5a5b4e2c0921967b8c47c8c9cfcd9a45b90
Submitter: Zuul
Branch: master

commit 6a07f5a5b4e2c0921967b8c47c8c9cfcd9a45b90
Author: Akihiro Motoki <email address hidden>
Date: Wed Feb 5 14:41:49 2020 +0900

    Avoid stripping leading/traling spaces in password forms

    There are cases where leading/trailing spaces are included in passwords
    We should not touch passwords input in forms and pass them to auth
    backends without any modifications. The detail was discussed in
    the mailing list thread [1] referred in the bug comment.

    [1] http://lists.openstack.org/pipermail/openstack-discuss/2020-January/thread.html#12223

    Change-Id: I98de224cc77a98fa216ec3bc032412325e661e14
    Closes-Bug: #1861224

Changed in horizon:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to horizon (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/754254

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to horizon (master)

Reviewed: https://review.opendev.org/754254
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=37ea4159f002213c5e378a7d925f51dc1c152f53
Submitter: Zuul
Branch: master

commit 37ea4159f002213c5e378a7d925f51dc1c152f53
Author: Akihiro Motoki <email address hidden>
Date: Fri Sep 25 11:43:30 2020 +0900

    Relnote on disabling stripping leading/trailing spaces in password

    commit 6a07f5a5b4e2c0921967b8c47c8c9cfcd9a45b90 changed the password
    form to avoid dropping leading/trailing spaces in passwords.
    It is worth having a release note.

    Change-Id: I9009d616975acc1c84d0a150119167d424eb5dfb
    Related-Bug: #1861224

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to horizon (stable/victoria)

Related fix proposed to branch: stable/victoria
Review: https://review.opendev.org/754991

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to horizon (stable/victoria)

Reviewed: https://review.opendev.org/754991
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=4bfa767f002e608412410309ec47b36b6caf6fa3
Submitter: Zuul
Branch: stable/victoria

commit 4bfa767f002e608412410309ec47b36b6caf6fa3
Author: Akihiro Motoki <email address hidden>
Date: Fri Sep 25 11:43:30 2020 +0900

    Relnote on disabling stripping leading/trailing spaces in password

    commit 6a07f5a5b4e2c0921967b8c47c8c9cfcd9a45b90 changed the password
    form to avoid dropping leading/trailing spaces in passwords.
    It is worth having a release note.

    Change-Id: I9009d616975acc1c84d0a150119167d424eb5dfb
    Related-Bug: #1861224
    (cherry picked from commit 37ea4159f002213c5e378a7d925f51dc1c152f53)

tags: added: in-stable-victoria
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.