TOTP auth not functional in python3

Bug #1607119 reported by Adrian Turjak
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Adrian Turjak

Bug Description

Because of how python3 handles byte>str conversion, the passcode generation function produces a mangled result in python3. The reason the unit tests still pass in python3 is because the tests also use the same function and thus the server and the tests are both sending and expecting the same mangled passcode.

This would then mean that anyone correctly generating the passcode and attempting to authenticate via TOTP would fail because the server is expecting a mangled passcode.

The fix is to not use six.text_type, as it does the wrong thing, and instead use .decode('utf-8') which produces the correct result in both python2 and python3.

Example of why and how this happens:
Python2:

>>> passcode = b'123456'
>>> print passcode
123456
>>> type(passcode)
<type 'str'>
>>> import six
>>> six.text_type(passcode)
u'123456'
>>> type(six.text_type(passcode))
<type 'unicode'>
>>> otherstring = "openstack"
>>> otherstring + passcode
'openstack123456'
>>> passcode.decode('utf-8')
u'123456'
>>> type(passcode.decode('utf-8'))
<type 'unicode'>

Python3:

>>> passcode = b'123456'
>>> print(passcode)
b'123456'
>>> type(passcode)
<class 'bytes'>
>>> import six
>>> six.text_type(passcode)
"b'123456'"
>>> type(six.text_type(passcode))
<class 'str'>
>>> otherstring = "openstack"
>>> otherstring + passcode
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: Can't convert 'bytes' object to str implicitly
>>> otherstring + str(passcode)
"openstackb'123456'"
>>> passcode.decode('utf-8')
'123456'
>>> type(passcode.decode('utf-8'))
<class 'str'>
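
The failure mode described in this report, as an added stand-alone example (not keystone's code and not part of the original report): an RFC 6238 generator that returns bytes, the two text conversions, and a comparison showing why a test that reuses the server's own conversion passes while a correctly generated code is rejected. The function names and the server_accepts check are hypothetical; the expected values are the published RFC 4226/6238 test vectors, and the code assumes Python 3.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test vector (SHA-1): at T=59 s the 8-digit code is
# 94287082, so the 6-digit code is 287082 (also RFC 4226, counter 1).
RFC_SECRET = b"12345678901234567890"
RFC_TIME = 59
RFC_CODE_6 = "287082"


def totp_bytes(secret, at, digits=6, step=30):
    """RFC 6238 TOTP returned as bytes (assumption: mirrors a library that returns bytes)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits).encode("ascii")


def to_text_buggy(passcode):
    # On Python 3 six.text_type is str, and str(b"...") returns the repr "b'...'".
    return str(passcode)


def to_text_fixed(passcode):
    # The conversion named in the report: same result on Python 2 and 3.
    return passcode.decode("utf-8")


def server_accepts(submitted, convert, secret=RFC_SECRET, at=RFC_TIME):
    """Hypothetical server check: compare submitted text with the server's own passcode."""
    expected = convert(totp_bytes(secret, at))
    return hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8"))


def demo():
    # 1. Test that builds its passcode with the server's own buggy conversion.
    self_referential = server_accepts(to_text_buggy(totp_bytes(RFC_SECRET, RFC_TIME)), to_text_buggy)
    # 2. Correct client code (independent RFC vector) against the buggy server.
    real_vs_buggy = server_accepts(RFC_CODE_6, to_text_buggy)
    # 3. Correct client code against the fixed server.
    real_vs_fixed = server_accepts(RFC_CODE_6, to_text_fixed)
    return self_referential, real_vs_buggy, real_vs_fixed


if __name__ == "__main__":
    print(demo())
```

Checking the generated passcode against a published vector, rather than against the function under test, is what exposes the mangled format.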

description: updated
Changed in keystone:
assignee: nobody → Adrian Turjak (adriant-y)
Changed in keystone:
status: New → In Progress
Changed in keystone:
milestone: none → newton-3
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/348081
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b2cb4c403f94fdf61100d43b59dedec1547c7364
Submitter: Jenkins
Branch: master

commit b2cb4c403f94fdf61100d43b59dedec1547c7364
Author: adriant <email address hidden>
Date: Thu Jul 28 11:24:58 2016 +1200

    TOTP auth not functional in python3

    Fixing a byte>str conversion bug present in the TOTP
    passcode generation function that was only present in python3
    which rendered TOTP auth non-functional in python3.

    Also adding a test to check passcode generation returns the
    correct format.

    Closes-Bug: #1607119

    Change-Id: Ie052d559c4eb2577d35caa9f6e240664cf4cf399

Changed in keystone:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 10.0.0.0b3

This issue was fixed in the openstack/keystone 10.0.0.0b3 development milestone.
