Broken host:port splitting
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Undecided | Bence Romsics | |
Bug Description
Our users found a bug while POSTing to /v3/ec2tokens. I could simplify the reproduction to this script:
$ cat keystone-
#! /bin/sh
# source openrc admin admin
# keystone-
keystone_
cleanup () {
openstack ec2 credential delete "$access"
}
trap cleanup EXIT
#host="localhost"
host="localhost
#host="1.2.3.4:123"
#host="
access="$( openstack ec2 credential create -f value -c access )"
secret="$( openstack ec2 credential show "$access" -f value -c secret )"
signature=
cat <<EOF |
{
"credentials": {
"access": "$access",
"host": "$host",
"params": {
},
"path": "/",
"secret": "$secret",
"verb": "GET"
}
}
EOF
curl \
-s \
-d @- \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-X POST \
"$keystone_
END-OF-SCRIPT
Using any of the host values containing a port number, keystone throws an Internal Server Error:
~/keystone-
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
webmaster@
and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>
</body></html>
With the following stack trace in the logs:
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone Traceback (most recent call last):
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return self.wsgi_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return self.app(environ, start_response)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone resp = self.call_func(req, *args, **kw)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return self.func(req, *args, **kwargs)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone response = req.get_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone status, headers, app_iter = self.call_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone app_iter = application(
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return resp(environ, start_response)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone resp = self.call_func(req, *args, **kw)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return self.func(req, *args, **kwargs)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone response = req.get_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone status, headers, app_iter = self.call_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone app_iter = application(
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone resp = self.call_func(req, *args, **kw)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return self.func(req, *args, **kwargs)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return request.
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone status, headers, app_iter = self.call_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone app_iter = application(
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone resp = self.call_func(req, *args, **kw)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return self.func(req, *args, **kwargs)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone response = req.get_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone status, headers, app_iter = self.call_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone app_iter = application(
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/opt/stack/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return self.app(environ, start_response)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone resp = self.call_func(req, *args, **kw)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return self.func(req, *args, **kwargs)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone response = req.get_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone status, headers, app_iter = self.call_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone app_iter = application(
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return app(environ, start_response)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone response = self.handle_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return original_handler(e)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return original_handler(e)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return original_handler(e)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone [Previous line repeated 28 more times]
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone response = self.full_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone rv = self.handle_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return original_handler(e)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return original_handler(e)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return original_handler(e)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone [Previous line repeated 28 more times]
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone rv = self.dispatch_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return self.ensure_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone resp = resource(*args, **kwargs)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return current_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/usr/local/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone resp = meth(*args, **kwargs)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/opt/stack/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone return f(*args, **kwargs)
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/opt/stack/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone token = self.handle_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/opt/stack/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone self._check_
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone File "/opt/stack/
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone hostname, _port = credentials.
aug 30 11:53:59 devstack0 <email address hidden>[31882]: ERROR keystone AttributeError: 'dict' object has no attribute 'split'
Keystone raises on this line:
Clearly the author wanted to split credentials['host'] and not credentials.
Without the bug present, keystone should reject the request as unauthorized (since the signature is not computed properly).
devstack 90e5479f
keystone 051aca8e8
Posting a proposed fix soon.
By the way: I found the /v2.0 api-ref for /ec2tokens, which marked it as deprecated. Despite this I found the same resources working under /v3, but I could not find anything about them in the /v3 api-ref. Did I miss something?
Changed in keystone:
assignee: nobody → Bence Romsics (bence-romsics)
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/855198
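The defect described in the report, shown as an added example that is neither keystone's code nor part of the original report: calling `.split()` on the credentials dict raises `AttributeError`, while a parser applied to `credentials['host']` handles hosts with and without a port. The function names, the port 5000 and the IPv6 inputs are assumptions made for illustration, and the example goes beyond the report by also covering bracketed IPv6 literals and invalid ports.

```python
# Added illustration; function names are hypothetical, not keystone's own code.

def buggy_strip_port(credentials):
    # The defect from the report: .split() is called on the dict itself.
    hostname, _port = credentials.split(":")
    return hostname

def split_host_port(host):
    """Parse 'host', 'host:port' or '[v6]:port' into (hostname, port or None)."""
    if not isinstance(host, str) or not host:
        raise ValueError("host must be a non-empty string")
    if host.startswith("["):  # bracketed IPv6 literal
        hostname, sep, rest = host[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError("malformed bracketed IPv6 literal")
        port = rest[1:] if rest else None
    elif host.count(":") > 1:
        raise ValueError("IPv6 literals must be bracketed")
    else:
        hostname, sep, port = host.partition(":")
        port = port if sep else None
    if not hostname:
        raise ValueError("empty hostname")
    if port is None:
        return hostname, None
    if not (port.isascii() and port.isdigit() and int(port) <= 65535):
        raise ValueError("invalid port")
    return hostname, int(port)

def host_without_port(credentials):
    # What the report says was intended: split credentials['host'].
    hostname, _port = split_host_port(credentials.get("host"))
    return hostname

def outcome(fn, arg):
    """Return fn(arg), or the exception class name if it raises."""
    try:
        return fn(arg)
    except (AttributeError, ValueError) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    # Constructed sample bodies; only "localhost" and "1.2.3.4:123" are from the report.
    for host in ("localhost", "localhost:5000", "1.2.3.4:123", "[::1]:5000", "a:b:c"):
        creds = {"host": host}
        print(host, outcome(buggy_strip_port, creds), outcome(host_without_port, creds))
```

A `ValueError` from the parser is an input error that a request handler can turn into a client error response rather than letting it surface as an unhandled 500.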