juju 1.25.5: Juju Login with invalid user tag should return an error code

Bug #1578327 reported by Chad Smith
Affects | Status | Importance | Assigned to | Milestone
Canonical Juju | Won't Fix | Medium | Unassigned |
juju-core | Won't Fix | Medium | Unassigned |
juju-core 1.25 | Won't Fix | Medium | Unassigned |

Bug Description

When trying to log in with an invalid AuthTag in a request, Juju 1.25.5 should return the CodeUnauthorized error string. It returns the proper error code/message when the password is invalid or when the authtag contains the prefix 'user-'. But it doesn't send the proper error code when the authtag doesn't start with 'user-'.

Here's a copy of the requests and responses from landscape to the juju API:

# Case 1: valid response on bogus Authtag with user- prefix
Landscape send payload {'Request': 'Login', 'Params': {'Password': u'95277d93d98d033fa05e18579e5803ef', 'AuthTag': u'user-adminBOGUS'}, 'Type': 'Admin', 'RequestId': 1}
# Proper error response from juju
Landscape received payload {u'ErrorCode': u'unauthorized access', u'Response': {}, u'Error': u'invalid entity name or password'}

# Case 2: valid response on bogus password
Landscape send payload {'Request': 'Login', 'Params': {'Password': u'BOGUS', 'AuthTag': u'user-admin'}, 'Type': 'Admin', 'RequestId': 1}
Landscape received payload {u'ErrorCode': u'unauthorized access', u'Response': {}, u'Error': u'invalid entity name or password'}

# Case 3: invalid response on bogus Authtag without 'user-' prefix
Landscape send payload {'Request': 'Login', 'Params': {'Password': u'95277d93d98d033fa05e18579e5803ef', 'AuthTag': u'useradmin'}, 'Type': 'Admin', 'RequestId': 1}
Landscape received payload {u'Response': {}, u'Error': u'"useradmin" is not a valid tag'}

Note: no ErrorCode and a non-distinct error message, given we are in the middle of a Login request.

Tags: landscape
Cheryl Jennings (cherylj) wrote :

If the auth tag doesn't contain the prefix 'user-', it isn't a valid tag and the login request is malformed, so I'm not sure I agree that it should return 'invalid entity name or password'?

Others may have a different opinion, so I'll ask.

Cheryl Jennings (cherylj) wrote :

Chatted with Menno and Andrew and they agreed that in this case, returning an error that the tag a user passed in isn't valid is the desired behavior.

Changed in juju-core:
status: New → Invalid
David Britton (dpb) wrote :

Why is there an ErrorCode in one case and not another?

Changed in juju-core:
status: Invalid → New
Cheryl Jennings (cherylj) wrote :

Good point, sorry I missed that detail.

summary: - juju 1.25.5: Juju Login with invalid user tag should return
- CodeUnauthorized
+ juju 1.25.5: Juju Login with invalid user tag should return an error
+ code
Changed in juju-core:
status: New → Triaged
importance: Undecided → Medium
affects: juju-core → juju
Changed in juju-core:
importance: Undecided → Medium
status: New → Won't Fix
Anastasia (anastasia-macmood) wrote :

This report just caught my attention this morning.

The short answer is that the first 2 scenarios produce functional errors - we have parsed the request and tried to process it but failed. Last scenario - we could not even parse the request (one of the expected inputs was not in the expected format, i.e. 'user-' prefix was missing from the tag).

Longer answer, by looking at API call itself:

    Login(req params.LoginRequest) (params.LoginResult, error)

The first 2 scenarios have output - params.LoginResult where 2nd output parameter, error, is nil. So authentication was not successful - valid input was provided but the input was not correct.
In the last scenario, the 2nd output parameter, error, is not nil because calling the method itself has failed - malformed input was provided, it was not a valid method call.

Changed in juju:
status: Triaged → Won't Fix
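
Added example (not Juju or Landscape code): with the report closed as Won't Fix, a client of this API sees two failure shapes for Login, and a check keyed only on ErrorCode reads case 3 as success. The Python below classifies the replies quoted in the report and fails closed; the Outcome names, the helper functions and the shape of a successful reply are assumptions.

```python
from enum import Enum

CODE_UNAUTHORIZED = "unauthorized access"  # ErrorCode value in cases 1 and 2
USER_PREFIX = "user-"                      # prefix the thread says a user tag needs


class Outcome(Enum):
    OK = "ok"
    BAD_CREDENTIALS = "bad-credentials"      # ErrorCode is "unauthorized access"
    MALFORMED_REQUEST = "malformed-request"  # Error set, no ErrorCode (case 3)
    OTHER_ERROR = "other-error"              # any other ErrorCode
    INVALID_REPLY = "invalid-reply"          # reply is not a dict


def naive_login_succeeded(reply):
    """Fragile check: keys on ErrorCode only, so case 3 looks like success."""
    return "ErrorCode" not in reply


def classify_login_reply(reply):
    """Fail closed: a non-empty Error or ErrorCode always means no login.
    Assumption: a successful reply carries neither field.
    """
    if not isinstance(reply, dict):
        return Outcome.INVALID_REPLY
    code = reply.get("ErrorCode") or ""
    if code == CODE_UNAUTHORIZED:
        return Outcome.BAD_CREDENTIALS
    if code:
        return Outcome.OTHER_ERROR
    if reply.get("Error"):
        return Outcome.MALFORMED_REQUEST
    return Outcome.OK


def auth_tag_looks_valid(tag):
    """Client-side pre-check using only the prefix rule stated in the thread."""
    return tag.startswith(USER_PREFIX) and len(tag) > len(USER_PREFIX)


# Replies copied from the report; CONSTRUCTED_OK is a constructed sample.
CASE_1 = {"ErrorCode": "unauthorized access", "Response": {},
          "Error": "invalid entity name or password"}
CASE_3 = {"Response": {}, "Error": '"useradmin" is not a valid tag'}
CONSTRUCTED_OK = {"Response": {}}

if __name__ == "__main__":
    for name, reply in (("case 1", CASE_1), ("case 3", CASE_3), ("ok", CONSTRUCTED_OK)):
        print(name, classify_login_reply(reply).value, naive_login_succeeded(reply))
```

Running the pre-check before sending lets the client tell its own malformed tag apart from a server-side authentication failure.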