oidc-auth does not respond well to misconfiguration of dex

Bug #2024494 reported by Michel Thebeau [WIND]
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Henry Bailey

Bug Description

Brief Description
-----------------
When dex is misconfigured, or when there is a network error, an authentication request using 'oidc-auth' generates a Python trace from an unhandled exception with the message "HTTP Error 500: Internal Server Error", or similar.

Severity
--------
Minor

Steps to Reproduce
------------------
Apply the oidc/dex application per the StarlingX documentation and verify the correct behaviour and login using the oidc-auth command. Apply a misconfiguration, such as an incorrect baseDN for UserSearch, and retry oidc-auth. Incorrect configuration will yield a 500 internal server error, while an induced network failure yields response code 200 with a timeout reason.

Expected Behavior
------------------
Especially, no traceback. Preferable to have appropriate responses for known conditions, suggested actions.

Actual Behavior
----------------
Python stack trace, for example:

    Traceback (most recent call last):
      File "/usr/bin/oidc-auth", line 10, in <module>
        sys.exit(main())
      File "/usr/lib/python3/dist-packages/oidcauthtools/oidc_auth.py", line 110, in main
        dexLoginGrantAccessResponse = br.submit()
      File "/usr/lib/python3/dist-packages/mechanize/_mechanize.py", line 697, in submit
        return self.open(self.click(*args, **kwds))
      File "/usr/lib/python3/dist-packages/mechanize/_mechanize.py", line 257, in open
        return self._mech_open(url_or_request, data, timeout=timeout)
      File "/usr/lib/python3/dist-packages/mechanize/_mechanize.py", line 313, in _mech_open
        raise response
    mechanize._response.httperror_seek_wrapper: HTTP Error 500: Internal Server Error

Reproducibility
---------------
100%

System Configuration
--------------------
Any configuration, with oidc-auth-apps application

Branch/Pull Time/Commit
-----------------------
starlingx master

Last Pass
---------
n/a

Timestamp/Logs
--------------
N/A, trace for oidc-auth command as noted above. In the example of incorrect configuration the dex pod log clarifies the misconfiguration as ldap referral response:

    time="2022-10-04T17:33:42Z" level=info msg="performing ldap search <snip>baseDN, etc</snip>"
    time="2022-10-04T17:33:42Z" level=error msg="Failed to login user: ldap: search with filter "<snip>user info</snip>" failed: LDAP Result Code 10 \"Referral\": <snip>private stuff</snip>

Test Activity
-------------
manual regression

Workaround
----------
n/a
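
Added example, not code from oidc-auth or from the StarlingX fix: one way to get the behaviour asked for under Expected Behavior, by wrapping each request step so HTTP and network errors become a one-line message and an exit code instead of a traceback. It assumes mechanize's httperror_seek_wrapper derives from urllib.error.HTTPError; run_step, describe_failure, the exit codes, the hint wording and the dex.example.invalid URL are hypothetical, and the "200 with timeout reason" case is not covered.

```python
import io
import socket
import urllib.error


def describe_failure(step, exc):
    """Turn a request failure into (exit_code, one-line message)."""
    # HTTPError is a subclass of URLError, so it has to be tested first.
    if isinstance(exc, urllib.error.HTTPError):
        if exc.code >= 500:
            hint = "check the dex pod log and the connector configuration"
        else:
            hint = "the request was rejected; check the supplied options"
        return 2, f"{step}: HTTP {exc.code} {exc.reason}; {hint}"
    # URLError wraps the underlying socket error in .reason.
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, (socket.timeout, TimeoutError)):
        return 3, f"{step}: timed out; check network connectivity to dex"
    return 3, f"{step}: cannot reach dex ({reason}); check address and network"


def run_step(step, action):
    """Run one login step; return (exit_code, message, response)."""
    try:
        return 0, "", action()
    except OSError as exc:
        # URLError, HTTPError and socket errors are all OSError subclasses
        # (assumed to include mechanize's httperror_seek_wrapper as well).
        code, message = describe_failure(step, exc)
        return code, message, None


# Constructed failures standing in for br.submit(); not taken from a real system.
def fake_500():
    raise urllib.error.HTTPError("https://dex.example.invalid/login", 500,
                                 "Internal Server Error", {}, io.BytesIO(b""))


def fake_timeout():
    raise urllib.error.URLError(socket.timeout("timed out"))


if __name__ == "__main__":
    for action in (fake_500, fake_timeout, lambda: "ok"):
        print(run_step("dex login", action))
```

A caller would pass `br.submit` as the action and hand the returned exit code to `sys.exit()` after printing the message to stderr.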

Henry Bailey (hbailey)
Changed in starlingx:
assignee: nobody → Henry Bailey (hbailey)
Michel Thebeau [WIND] (mthebeau) wrote :
Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil) wrote :
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.9.0 stx.apps stx.security
Changed in starlingx:
status: In Progress → Fix Released