Brief Description
-----------------
When creating a secret in Barbican, barbican-api raises a traceback and the operation fails.
Severity
--------
Critical
Steps to Reproduce
------------------
Try to store a secret (password) in Barbican:
openstack secret store -n <name of the secret> -p <payload (the password)>
Expected Behavior
------------------
The secret is created successfully.
Actual Behavior
----------------
The secret creation failed.
Reproducibility
---------------
100% reproducible
System Configuration
--------------------
One node system running Debian
Branch/Pull Time/Commit
-----------------------
STX master latest
Last Pass
---------
Unknown
Timestamp/Logs
--------------
Barbican-api traceback:
2022-05-17 23:05:55.839 1190796 INFO barbican.model.repositories [-] Setting up database engine and session factory
2022-05-17 23:05:55.841 1190796 WARNING oslo_db.sqlalchemy.engines [-] URL postgresql://admin-barbican:***@192.168.204.1/barbican does not contain a '+drivername' portion, and will make use of a default driver. A full dbname+drivername:.
2022-05-17 23:05:55.870 1190796 INFO barbican.model.repositories [-] Not auto-creating barbican registry DB
2022-05-17 23:05:55.871 1190796 INFO barbican.api.app [-] Barbican app created and initialized
2022-05-17 23:05:55.874 1190796 WARNING keystonemiddleware.auth_token [-] AuthToken middleware is set with keystone_authtoken.service_token_roles_required set to False. This is backwards compatible but deprecated behaviour. Please set th.
2022-05-17 23:08:58.499 1190796 WARNING keystonemiddleware.auth_token [-] Using the in-process token cache is deprecated as of the 4.2.0 release and may be removed in the 5.0.0 release or the 'O' development cycle. The in-process cache c.
2022-05-17 23:08:59.244 1190796 INFO barbican.api.middleware.context [-] Begin processing request req-39f3c488-5bc3-4bdb-b3b5-3923310bfbf2
2022-05-17 23:08:59.396 1190796 INFO barbican.api.controllers.secrets [req-92f133a8-8426-46db-a99f-fbe216de3ff0 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Retrieved secret list for project: 2a27af
2022-05-17 23:08:59.397 1190796 INFO barbican.api.middleware.context [req-92f133a8-8426-46db-a99f-fbe216de3ff0 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Processed request: 200 OK - GET http://coa
192.168.204.2 - - [17/May/2022:23:08:59 +0000] "GET /v1/secrets?limit=10&offset=0&name=08ed0e0d-e84c-41ce-b787-75fcdbe3246a HTTP/1.1" 200 27 "-" "python-keystoneclient"
2022-05-17 23:08:59.405 1190796 INFO barbican.api.middleware.context [req-92f133a8-8426-46db-a99f-fbe216de3ff0 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Begin processing request req-cc8a8ad6-857c
2022-05-17 23:08:59.437 1190796 INFO barbican.plugin.crypto.simple_crypto [req-a4dca6a7-1426-4d70-982b-525cd2a19d50 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Software Only Crypto initialized
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers [req-a4dca6a7-1426-4d70-982b-525cd2a19d50 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Secret creation failure seen - please contact sn
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers Traceback (most recent call last):
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 96, in _get_unverified_token_data
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers data = base64.urlsafe_b64decode(token)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3.9/base64.py", line 133, in urlsafe_b64decode
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return b64decode(s)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3.9/base64.py", line 87, in b64decode
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return binascii.a2b_base64(s)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers binascii.Error: Invalid base64-encoded string: number of data characters (281) cannot be 1 more than a multiple of 4
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers During handling of the above exception, another exception occurred:
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers Traceback (most recent call last):
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 101, in handler
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 87, in enforcer
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 149, in content_types_enforcer
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/secrets.py", line 450, in on_post
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers new_secret, transport_key_model = plugin.store_secret(
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/resources.py", line 108, in store_secret
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers secret_metadata = _store_secret_using_plugin(store_plugin, secret_dto,
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/resources.py", line 279, in _store_secret_using_plugin
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers secret_metadata = store_plugin.store_secret(secret_dto, context)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/store_crypto.py", line 96, in store_secret
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers response_dto = encrypting_plugin.encrypt(
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/crypto/simple_crypto.py", line 76, in encrypt
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers kek = self._get_kek(kek_meta_dto)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/crypto/simple_crypto.py", line 73, in _get_kek
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers return encryptor.decrypt(kek_meta_dto.plugin_meta)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 75, in decrypt
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers timestamp, data = Fernet._get_unverified_token_data(token)
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 98, in _get_unverified_token_data
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers raise InvalidToken
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers cryptography.fernet.InvalidToken
2022-05-17 23:08:59.442 1190796 ERROR barbican.api.controllers
2022-05-17 23:08:59.446 1190796 INFO barbican.api.middleware.context [req-a4dca6a7-1426-4d70-982b-525cd2a19d50 7418f471d1c04847ba53c134e5a2d3c6 2a27a56bad28433dbe4cd6398188e3df - default default] Processed request: 500 Internal Server Er/
192.168.204.2 - - [17/May/2022:23:08:59 +0000] "POST /v1/secrets/ HTTP/1.1" 500 131 "-" "python-keystoneclient"
Test Activity
-------------
Developer Testing
Workaround
----------
N/A
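
Fernet reports every decode failure as InvalidToken; in the traceback above the first exception is the binascii.Error raised while base64-decoding the stored token, before any HMAC check runs. The following is an added example, not code from this report or from Barbican, that separates an encoding failure from a layout or key failure using only the standard library and the published Fernet token layout. The function names, keys and tokens are constructed here for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os
import string
import struct
import time

# Characters the non-validating decoder treats as data (both alphabets).
DATA_CHARS = set(string.ascii_letters + string.digits + "-_+/")

def triage_fernet_token(token: str, key_b64: bytes) -> str:
    """Say which Fernet check a stored token fails (all surface as InvalidToken)."""
    # Characters outside the alphabet are skipped by the decoder, so only
    # real data characters count toward the length quoted in the error text.
    n = sum(1 for c in token if c in DATA_CHARS)
    if n % 4 == 1:
        return f"encoding: {n} data characters is not a possible base64 length"
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return "encoding: bad base64 padding"
    # Layout: version(1) | timestamp(8) | IV(16) | ciphertext(16*k) | HMAC(32)
    if len(raw) < 73 or raw[0] != 0x80 or (len(raw) - 57) % 16:
        return "structure: decodes, but is not a Fernet token"
    signing_key = base64.urlsafe_b64decode(key_b64)[:16]
    mac = hmac.new(signing_key, raw[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(mac, raw[-32:]):
        return "key: HMAC mismatch (wrong key or modified token)"
    return "ok: encoding, layout and HMAC are valid"

def make_sample_token(key_b64: bytes) -> str:
    """Constructed sample: correct layout and HMAC, random bytes as ciphertext."""
    signing_key = base64.urlsafe_b64decode(key_b64)[:16]
    body = b"\x80" + struct.pack(">Q", int(time.time())) + os.urandom(16 + 48)
    mac = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()

if __name__ == "__main__":
    key = base64.urlsafe_b64encode(os.urandom(32))    # constructed key
    other = base64.urlsafe_b64encode(os.urandom(32))  # constructed, unrelated key
    good = make_sample_token(key)
    for label, tok, k in [("intact", good, key),
                          ("one extra character", good + "A", key),
                          ("different key", good, other)]:
        print(f"{label:20} -> {triage_fernet_token(tok, k)}")
```

An "encoding" result, as in the log above, points at how the token was stored or read back rather than at the key used to unwrap it.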
Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/upstream/+/843180