From 5c1f04819e35d2ff01aea4b7d942e7c6066e6d44 Mon Sep 17 00:00:00 2001
From: Matt Riedemann <mriedem.os@gmail.com>
Date: Fri, 26 Jul 2019 10:53:02 -0400
Subject: [PATCH] WIP: Obfuscate non-nova server fault message

The server fault "message" is always shown in the API
server response, regardless of policy or user role.

The fault "details" are only shown to users with the
admin role when the fault code is 500.

The problem with this is for non-nova exceptions, the
fault message is a string-ified version of the exception
(see nova.compute.utils.exception_to_dict) which can
contain sensitive information which the non-admin owner
of the server can see.

This change adds a functional test to recreate the issue
and a change to exception_to_dict which for the non-nova
case obfuscates the fault message by simply storing the
exception type class name. Admins can still see the fault
traceback in the "details" key of the fault dict in the
server API response.

Note that nova exceptions with a %(reason)s replacement
variable could potentially be leaking sensitive details as
well but those would need to be cleaned up on a case-by-case
basis since we don't want to obfuscate all fault messages
otherwise users might not see information like NoValidHost
when their server goes to ERROR status.

Change-Id: I5e0a43ec59341c9ac62f89105ddf82c4a014df81
Closes-Bug: #1837877
---
 nova/tests/functional/test_server_faults.py | 111 ++++++++++++++++++++
 1 file changed, 111 insertions(+)
 create mode 100644 nova/tests/functional/test_server_faults.py

diff --git a/nova/tests/functional/test_server_faults.py b/nova/tests/functional/test_server_faults.py
new file mode 100644
index 0000000000..c716e71bce
--- /dev/null
+++ b/nova/tests/functional/test_server_faults.py
@@ -0,0 +1,111 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import mock
+
+from nova import test
+from nova.tests import fixtures as nova_fixtures
+from nova.tests.functional.api import client as api_client
+from nova.tests.functional import fixtures as func_fixtures
+from nova.tests.functional import integrated_helpers
+from nova.tests.unit.image import fake as fake_image
+from nova.tests.unit import policy_fixture
+
+
+class ServerFaultTestCase(test.TestCase,
+                          integrated_helpers.InstanceHelperMixin):
+    """Tests for the server faults reporting from the API."""
+
+    def setUp(self):
+        super(ServerFaultTestCase, self).setUp()
+        # Setup the standard fixtures.
+        fake_image.stub_out_image_service(self)
+        self.addCleanup(fake_image.FakeImageService_reset)
+        self.useFixture(nova_fixtures.NeutronFixture(self))
+        self.useFixture(func_fixtures.PlacementFixture())
+        self.useFixture(policy_fixture.RealPolicyFixture())
+
+        # Start the compute services.
+        self.start_service('conductor')
+        self.start_service('scheduler')
+        self.compute = self.start_service('compute')
+        api_fixture = self.useFixture(nova_fixtures.OSAPIFixture(
+            api_version='v2.1'))
+        self.api = api_fixture.api
+        self.admin_api = api_fixture.admin_api
+
+    def test_server_fault_non_nova_exception(self):
+        """Creates a server using the non-admin user, then reboots it which
+        will generate a non-NovaException fault and put the instance into
+        ERROR status. Then checks that fault details are only visible to the
+        admin user.
+        """
+        # Create the server with the non-admin user.
+        server = self._build_minimal_create_server_request(
+            self.api, 'test_server_fault_non_nova_exception',
+            image_uuid=fake_image.get_valid_image_id(),
+            networks=[{'port': nova_fixtures.NeutronFixture.port_1['id']}])
+        server = self.api.post_server({'server': server})
+        server = self._wait_for_state_change(self.admin_api, server, 'ACTIVE')
+
+        # Stop the server before rebooting it so that after the driver.reboot
+        # method raises an exception, the fake driver does not report the
+        # instance power state as running - that will make the compute manager
+        # set the instance vm_state to error.
+        self.api.post_server_action(server['id'], {'os-stop': None})
+        server = self._wait_for_state_change(self.admin_api, server, 'SHUTOFF')
+
+        # Stub out the compute driver reboot method to raise a non-nova
+        # exception to simulate some error from the underlying hypervisor
+        # which in this case we are going to say has sensitive content.
+        error_msg = 'sensitive info'
+        with mock.patch.object(
+                self.compute.manager.driver, 'reboot',
+                side_effect=Exception(error_msg)) as mock_reboot:
+            reboot_request = {'reboot': {'type': 'HARD'}}
+            self.api.post_server_action(server['id'], reboot_request)
+            # In this case we wait for the status to change to ERROR using
+            # the non-admin user so we can assert the fault details. We also
+            # wait for the task_state to be None since the wrap_instance_fault
+            # decorator runs before the reverts_task_state decorator so we will
+            # be sure the fault is set on the server.
+            server = self._wait_for_server_parameter(
+                self.api, server, {'status': 'ERROR',
+                                   'OS-EXT-STS:task_state': None})
+            mock_reboot.assert_called_once()
+        # The server fault from the non-admin user API response should not
+        # have details in it.
+        self.assertIn('fault', server)
+        fault = server['fault']
+        self.assertNotIn('details', fault)
+        # And the sensitive details from the non-nova exception should not be
+        # in the message.
+        self.assertIn('message', fault)
+        # FIXME(mriedem): This is bug 1837877 where the non-admin user sees
+        # the sensitive non-nova error in the message.
+        self.assertIn(error_msg, fault['message'])
+        # self.assertNotIn(error_msg, fault['message'])
+
+        # Get the server fault details for the admin user.
+        server = self.admin_api.get_server(server['id'])
+        fault = server['fault']
+        # The admin can see the fault details which includes the traceback.
+        self.assertIn('details', fault)
+        # FIXME(mriedem): I expected the error to be in the details too but
+        # I guess it's not because only the traceback is there. This means
+        # if we wholesale obfuscate the message in compute the admin won't
+        # see the actual error message only the exception type and traceback.
+        self.assertNotIn(error_msg, fault['details'])
+        # Make sure the traceback is there by looking for part of it.
+        self.assertIn('in reboot_instance', fault['details'])
+        # The admin can see the error message in the fault message.
+        self.assertIn(error_msg, fault['message'])
-- 
2.17.1