Keystone raises 500 error when authorizing request token with invalid body

Bug #1736875 reported by wangxiyuan on 2017-12-07
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Undecided
Assigned to: wangxiyuan

Bug Description

Keystone raises a 500 error when authorizing a request token with an invalid body.
To reproduce:
1. Create a request token first; suppose the token key is f13b2c6755634131b59cf5fa08d49331.
2. PUT http://keystone-server/v3/OS-OAUTH1/authorize/f13b2c6755634131b59cf5fa08d49331 with body:

{
 "roles": [
  {
   "id": "711aa6371a6343a9a43e8a310fbe4a6f"
  },
  {
   "name": "admin"
  }
 ]
}

Keystone will raise a 500 error. Error log:

 Traceback (most recent call last):
   File "/opt/stack/keystone/keystone/common/wsgi.py", line 226, in __call__
     result = method(req, **params)
   File "/opt/stack/keystone/keystone/common/controller.py", line 82, in inner
     return f(self, request, *args, **kwargs)
   File "/opt/stack/keystone/keystone/oauth1/controllers.py", line 404, in authorize_request_token
     authed_roles.add(role['id'])
 KeyError: 'id'

Here are two things we can improve:
1. Add a schema check for the request token authorize API.
2. Support role names.

To fix the 500 error, step 1 is enough.
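
The failure in the traceback and the two improvements listed above, as an added example that is not part of the original report and is not Keystone's code. All names (`BadRequest`, `validate_roles`, `status_for`), the role catalogue, the exactly-one-of-`id`-or-`name` rule and the 400 for an unknown role name are assumptions; the hand-written check stands in for a real schema validator.

```python
# Added illustration only; every name here is hypothetical, not Keystone's API.
class BadRequest(Exception):
    """Client error that the front end below maps to HTTP 400."""

# Constructed role catalogue (name -> id), standing in for the role backend.
ROLE_IDS_BY_NAME = {"admin": "a" * 32, "member": "b" * 32}
# Request body taken from the bug report.
REPORT_BODY = {"roles": [{"id": "711aa6371a6343a9a43e8a310fbe4a6f"}, {"name": "admin"}]}

def authorize_unvalidated(body):
    """Pattern seen in the traceback: index role['id'] with no input check."""
    return {role["id"] for role in body["roles"]}

def validate_roles(body):
    """Reject malformed input up front (assumed rule: exactly one of id/name)."""
    if not isinstance(body, dict) or set(body) != {"roles"}:
        raise BadRequest("body must be an object with only a 'roles' key")
    roles = body["roles"]
    if not isinstance(roles, list) or not roles:
        raise BadRequest("'roles' must be a non-empty list")
    for role in roles:
        if not isinstance(role, dict) or len(role) != 1:
            raise BadRequest("each role needs exactly one of 'id' or 'name'")
        (key, value), = role.items()
        if key not in ("id", "name") or not isinstance(value, str) or not value:
            raise BadRequest("role must be {'id': str} or {'name': str}")
    return roles

def authorize_validated(body):
    """Validate first, then resolve role names to ids."""
    authed = set()
    for role in validate_roles(body):
        if "id" in role:
            authed.add(role["id"])
        elif role["name"] in ROLE_IDS_BY_NAME:
            authed.add(ROLE_IDS_BY_NAME[role["name"]])
        else:  # assumption: an unknown role name is treated as a client error
            raise BadRequest("unknown role name: %r" % role["name"])
    return authed

def status_for(handler, body):
    """Mimic a WSGI front end: BadRequest -> 400, any other exception -> 500."""
    try:
        handler(body)
        return 200
    except BadRequest:
        return 400
    except Exception:
        return 500
```

`status_for(authorize_unvalidated, REPORT_BODY)` gives 500, matching the report; with `authorize_validated` the same body succeeds and malformed bodies give 400.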

wangxiyuan (wangxiyuan) on 2017-12-07
Changed in keystone:
assignee: nobody → wangxiyuan (wangxiyuan)

Fix proposed to branch: master
Review: https://review.openstack.org/526295

Changed in keystone:
status: New → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/526296

Dave Chen (wei-d-chen) wrote :

I assume that your body didn't include the role "id" property.

Reviewed: https://review.openstack.org/526295
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=af151559eef407dad400df58e1743b847440fc42
Submitter: Zuul
Branch: master

commit af151559eef407dad400df58e1743b847440fc42
Author: wangxiyuan <email address hidden>
Date: Thu Dec 7 15:03:42 2017 +0800

    Expose a bug when authorizing request token

    Keystone raises a 500 error when authorizing a request token
    with an invalid body.

    This patch exposes the bug that keystone raises a 500
    error instead of 400 in this case.

    Change-Id: I3ddeebf8a46467ed090d8831fd8cf35edee7ce04
    Partial-Bug: #1736875

Reviewed: https://review.openstack.org/526296
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1f0473a597c7420b9a98face33a30d5e57592dc7
Submitter: Zuul
Branch: master

commit 1f0473a597c7420b9a98face33a30d5e57592dc7
Author: wangxiyuan <email address hidden>
Date: Thu Dec 7 14:51:39 2017 +0800

    Add schema check for authorize request token

    This patch adds the schema check for the authorize
    request token API. It'll avoid some 500 errors
    caused by invalid input format and it will raise
    a 400 error correctly.

    This patch also adds role name support for
    authorize request token

    Closes-bug: #1736875
    Change-Id: I9d113692702e7aaa0127ffa9405a17908c0c6ff7

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 13.0.0.0b3 development milestone.

Changed in keystone:
milestone: none → queens-rc2