Debian: Barbican failed to create secrets

Bug #1975611 reported by Andy
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Andy
Milestone: (none listed)

Bug Description

Brief Description
-----------------
When creating a secret in Barbican, barbican-api will trace back and fail the operation.

Severity
--------
Critical

Steps to Reproduce
------------------
Try to store a secret (password) in Barbican:
openstack secret store -n <name of the secret> -p <payload (the password)>

Expected Behavior
------------------
The secret is created successfully.

Actual Behavior
----------------
The secret creation failed.

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
One node system running Debian

Branch/Pull Time/Commit
-----------------------
STX master latest

Last Pass
---------
Unknown

Timestamp/Logs
--------------
Barbican-api traceback:

2022-05-17 23:05:55.839 1190796 INFO barbican.model.repositories [-] Setting up database engine and session factory
2022-05-17 23:05:55.841 1190796 WARNING oslo_db.sqlalchemy.engines [-] URL postgresql://admin-barbican:***@192.168.204.1/barbican does not contain a '+drivername' portion, and will make use of a default driver. A full dbname+drivername:.
2022-05-17 23:05:55.870 1190796 INFO barbican.model.repositories [-] Not auto-creating barbican registry DB
2022-05-17 23:05:55.871 1190796 INFO barbican.api.app [-] Barbican app created and initialized
2022-05-17 23:05:55.874 1190796 WARNING keystonemiddleware.auth_token [-] AuthToken middleware is set with keystone_authtoken.service_token_roles_required set to False. This is backwards compatible but deprecated behaviour. Please set th.
2022-05-17 23:08:58.499 1190796 WARNING keystonemiddleware.auth_token [-] Using the in-process token cache is deprecated as of the 4.2.0 release and may be removed in the 5.0.0 release or the 'O' development cycle. The in-process cache c.
2022-05-17 23:08:59.244 1190796 INFO barbican.api.middleware.context [-] Begin processing request req-39f3c488-5bc3-4bdb-b3b5-3923310bfbf2
2022-05-17 23:08:59.396 1190796 INFO barbican.api.controllers.secrets [req-92f133a8-8426-46db-a99f-fbe216de3ff0 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Retrieved secret list for project: 2a27af
2022-05-17 23:08:59.397 1190796 INFO barbican.api.middleware.context [req-92f133a8-8426-46db-a99f-fbe216de3ff0 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Processed request: 200 OK - GET http://coa
192.168.204.2 - - [17/May/2022:23:08:59 +0000] "GET /v1/secrets?limit=10&offset=0&name=08ed0e0d-e84c-41ce-b787-75fcdbe3246a HTTP/1.1" 200 27 "-" "python-keystoneclient"
2022-05-17 23:08:59.405 1190796 INFO barbican.api.middleware.context [req-92f133a8-8426-46db-a99f-fbe216de3ff0 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Begin processing request req-cc8a8ad6-857c
2022-05-17 23:08:59.437 1190796 INFO barbican.plugin.crypto.simple_crypto [req-a4dca6a7-1426-4d70-982b-525cd2a19d50 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Software Only Crypto initialized
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers [req-a4dca6a7-1426-4d70-982b-525cd2a19d50 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Secret creation failure seen - please contact sn
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers Traceback (most recent call last):
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 96, in _get_unverified_token_data
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers data = base64.urlsafe_b64decode(token)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3.9/base64.py", line 133, in urlsafe_b64decode
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return b64decode(s)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3.9/base64.py", line 87, in b64decode
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return binascii.a2b_base64(s)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers binascii.Error: Invalid base64-encoded string: number of data characters (281) cannot be 1 more than a multiple of 4
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers During handling of the above exception, another exception occurred:
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers Traceback (most recent call last):
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 101, in handler
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 87, in enforcer
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 149, in content_types_enforcer
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/secrets.py", line 450, in on_post
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers new_secret, transport_key_model = plugin.store_secret(
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/resources.py", line 108, in store_secret
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers secret_metadata = _store_secret_using_plugin(store_plugin, secret_dto,
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/resources.py", line 279, in _store_secret_using_plugin
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers secret_metadata = store_plugin.store_secret(secret_dto, context)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/store_crypto.py", line 96, in store_secret
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers response_dto = encrypting_plugin.encrypt(
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/crypto/simple_crypto.py", line 76, in encrypt
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers kek = self._get_kek(kek_meta_dto)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/crypto/simple_crypto.py", line 73, in _get_kek
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return encryptor.decrypt(kek_meta_dto.plugin_meta)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 75, in decrypt
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers timestamp, data = Fernet._get_unverified_token_data(token)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 98, in _get_unverified_token_data
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers raise InvalidToken
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers cryptography.fernet.InvalidToken
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers
2022-05-17 23:08:59.446 1190796 INFO barbican.api.middleware.context [req-a4dca6a7-1426-4d70-982b-525cd2a19d50 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Processed request: 500 Internal Server Er/
192.168.204.2 - - [17/May/2022:23:08:59 +0000] "POST /v1/secrets/ HTTP/1.1" 500 131 "-" "python-keystoneclient"

Test Activity
-------------
Developer Testing

Workaround
----------
N/A

Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
summary: - Debain: Barbican failed to create and retrieve secrets
+ Debain: Barbican failed to create secrets
OpenStack Infra (hudson-openstack) wrote: Fix proposed to upstream (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/upstream/+/843180

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to upstream (master)

Reviewed: https://review.opendev.org/c/starlingx/upstream/+/843180
Committed: https://opendev.org/starlingx/upstream/commit/ccf9416b74a5409c59ad2a3e921fc07f729dd145
Submitter: "Zuul (22348)"
Branch: master

commit ccf9416b74a5409c59ad2a3e921fc07f729dd145
Author: Andy Ning <email address hidden>
Date: Tue May 24 12:15:06 2022 -0400

    Added patch to store barbican data in ascii format in DB

    Currently Barbican stores base64 encoded secret data (plugin_meta
    and cypher_text) as hex bytes in the database. But when this data
    is retrieved from the database for base64 decoding, it is not
    converted back to ASCII format, causing the decoding to fail with
    the error:

    binascii.Error: Invalid base64-encoded string: number of data
    characters (273) cannot be 1 more than a multiple of 4.

    This commit adds a patch to Barbican to store this data in ASCII
    format in the database so it can be decoded when retrieved.

    Test Plan for Debian:
    PASS: trigger mtcAgent to store a password secret in Barbican by
          system host-update controller-0 bm_type=dynamic bm_ip=<bm IP>
          bm_username=root bm_password=root.
    PASS: retrieve the secret with "--payload" option by
          openstack secret get <secret URL> --payload.
    PASS: AIO-SX deployment and unlock.

    Closes-Bug: 1975611
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: I1c2fa112caa8700b1c21130aec041fd7d2a52a19

Changed in starlingx:
status: In Progress → Fix Released
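Added example (not part of the bug report, the StarlingX patch or Barbican's own code): with the standard library only, it shows why the traceback above ends in binascii.Error and then InvalidToken, and the kind of normalisation the commit message describes (getting the stored value back to the ASCII base64 token before Fernet sees it). It assumes the "hex bytes" form is PostgreSQL's text rendering of a bytea value, "\x" followed by hex digits; the page does not show the exact database round-trip, but that assumption reproduces the count in the log: a 140-character Fernet token (the length of a token wrapping a 44-byte Fernet key) becomes "\x" plus 280 hex digits, and base64.b64decode() silently discards the backslash but keeps the "x", leaving 281 data characters. The 105 bytes of token content are constructed filler, not a real Fernet token, and InvalidToken is a stand-in for cryptography.fernet.InvalidToken.

```python
# Added example, not Barbican or StarlingX code. Reproduces the base64 failure from
# the traceback with the standard library only and shows a normalisation step.
import base64
import binascii
import string


class InvalidToken(Exception):
    """Stand-in for cryptography.fernet.InvalidToken."""


# Constructed filler standing in for a Fernet token: a real token wrapping a 44-byte
# Fernet key is 105 bytes (1 version + 8 timestamp + 16 IV + 48 ciphertext + 32 HMAC),
# which urlsafe-base64-encodes to exactly 140 characters with no padding.
RAW_TOKEN_BYTES = bytes(range(105))
TOKEN = base64.urlsafe_b64encode(RAW_TOKEN_BYTES)  # 140 ASCII characters

# Alphabet that base64.urlsafe_b64decode() keeps when validate=False: standard and
# URL-safe characters; everything else (including the backslash) is discarded.
_B64_ALPHABET = set((string.ascii_letters + string.digits + "+/-_").encode("ascii"))


def to_bytea_hex_escape(data: bytes) -> bytes:
    """ASSUMPTION: the 'hex bytes' form the page describes is PostgreSQL's bytea
    text rendering, i.e. "\\x" followed by two hex digits per byte."""
    return b"\\x" + data.hex().encode("ascii")


def count_base64_data_chars(stored: bytes) -> int:
    """Number of characters the lenient base64 decoder will actually consume."""
    return sum(1 for c in stored if c in _B64_ALPHABET)


def fernet_style_decode(token: bytes) -> bytes:
    """Mirrors the first step of Fernet.decrypt() seen in the traceback: a urlsafe
    base64 decode whose binascii.Error is re-raised as InvalidToken. Signature and
    timestamp verification are out of scope here."""
    try:
        return base64.urlsafe_b64decode(token)
    except (TypeError, binascii.Error) as exc:
        raise InvalidToken from exc


def decode_stored_token(stored: bytes) -> bytes:
    """Illustrative normalisation (not the project's patch): accept either the ASCII
    base64 token or its bytea hex-escape rendering and return the ASCII token."""
    if stored.startswith(b"\\x"):
        try:
            return bytes.fromhex(stored[2:].decode("ascii"))
        except (UnicodeDecodeError, ValueError) as exc:
            raise ValueError("value looks hex-escaped but is not valid hex") from exc
    return stored


def reproduce() -> dict:
    """Run the failing path and the normalised path, returning what each produced."""
    stored = to_bytea_hex_escape(TOKEN)  # what the DB handed back under the assumption
    result = {
        "token_len": len(TOKEN),                        # 140
        "stored_len": len(stored),                      # 2 + 280 = 282
        "data_chars": count_base64_data_chars(stored),  # 281: 'x' kept, '\' dropped
    }
    try:
        fernet_style_decode(stored)
        result["raw_decode"] = "ok"
    except InvalidToken as exc:
        # exc.__cause__ is the binascii.Error: 281 is 1 more than a multiple of 4
        result["raw_decode"] = "InvalidToken"
        result["cause"] = type(exc.__cause__).__name__
    result["fixed_decode"] = fernet_style_decode(decode_stored_token(stored)) == RAW_TOKEN_BYTES
    return result


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

The lenient decoder is what makes the symptom confusing: nothing complains about the backslash, so the error reports a character count rather than a bad character, and only the arithmetic (two hex digits per original character, plus the stray "x") points back at the storage format.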
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.7.0 stx.debian stx.security