[SRU] PY3: when uploading file as secret: TypeError: a bytes-like object is required, not 'str'

http://paste.ubuntu.com/p/sPhM59jhqQ/plain/

Here's a bit easier version of the traceback in #1 to view: https://paste.ubuntu.com/p/JbrzT4VgFC/

At first glance this appears to be an issue in castellan.

Failure is occurring at: https://github.com/openstack/castellan/blob/0.19.0/castellan/key_manager/vault_key_manager.py#L165 (Note: line numbers don't match up with traceback as we are carrying cherry-picked patches in our stable/rocky package).

Here's a small test that seems to confirm this is limited to py3:

$ python3
Python 3.6.7rc1 (default, Sep 27 2018, 09:51:25)
[GCC 8.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import binascii
>>> binascii.hexlify('string')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: a bytes-like object is required, not 'str'
>>> quit()

$ python2
Python 2.7.15+ (default, Oct 2 2018, 22:12:08)
[GCC 8.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import binascii
>>> binascii.hexlify('string')
'737472696e67'
>>>

This works better:

corey@corey-ThinkPad-T440s:~/pkg/rocky/upstream/castellan/castellan/key_manager$ python3
Python 3.6.7rc1 (default, Sep 27 2018, 09:51:25)
[GCC 8.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import binascii
>>> binascii.hexlify('string'.encode('utf-8'))
b'737472696e67'
>>> quit()

corey@corey-ThinkPad-T440s:~/pkg/rocky/upstream/castellan/castellan/key_manager$ python2
Python 2.7.15+ (default, Oct 2 2018, 22:12:08)
[GCC 8.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import binascii
>>> binascii.hexlify('string'.encode('utf-8'))
'737472696e67'

If I'm reading the parenthesis in the failing line correctly, it seems that value.get_encoded() is not actually encoded in py3:

'value': binascii.hexlify(value.get_encoded()).decode('utf-8')

It's possible this is an issue in barbican. Possibly this call:
  opaque_data.OpaqueData(secret_dto.secret)

needs to be changed to:
  opaque_data.OpaqueData(secret_dto.secret.encode('utf-8'))

https://github.com/openstack/barbican/blob/7.0.0/barbican/plugin/castellan_secret_store.py#L86

barbican upstream doesn't track bugs in LP anymore so I'll open a bug with storyboard

Upstream barbican bug: https://storyboard.openstack.org/#!/story/2004170

I think comment #8 can be disregarded. It seems like get_encoded() is not getting an encoded value for py3:

'value': binascii.hexlify(value.get_encoded()).decode('utf-8')

Which get_encoded() is getting called?

In barbican's store_secret() this line is called:

    opaque_data.OpaqueData(secret_dto.secret)

castellan/common/objects/opaque_data.py
---------------------------------------
class OpaqueData(managed_object.ManagedObject):
    """This class represents opaque data."""

    def __init__(self, data, name=None, created=None, id=None):
        """Create a new OpaqueData object.

        Expected type for data is a bytestring.
        """
        self._data = data
        super(OpaqueData, self).__init__(name=name, created=created, id=id)

    @property
    def format(self):
        """This method returns 'Opaque'."""
        return "Opaque"

    def get_encoded(self):
        """Returns the data in its original format."""
        return self._data

Ok OpaqueData.__init__() expects a bytestring for data so appears it should already be encoded when the object is initialized and get_encoded() should just return the already encoded string.

So it would seem that secret_dto.secret is not encoded on the call to:

  opaque_data.OpaqueData(secret_dto.secret)

Where doeas secret_dto.secret come from?

barbican/plugin/resources.py
----------------------------
from barbican.plugin.util import translations as tr

def store_secret(unencrypted_raw, content_type_raw, content_encoding,
                 secret_model, project_model,
                 transport_key_needed=False,
                 transport_key_id=None):
  ...
  unencrypted, content_type = tr.normalize_before_encryption(
      unencrypted_raw, content_type_raw, content_encoding,
      secret_model.secret_type, enforce_text_only=True)
  ...
  secret_dto = secret_store.SecretDTO(type=secret_model.secret_type,
                                      secret=unencrypted,
                                      key_spec=key_spec,
                                      content_type=content_type,
                                      transport_key=transport_key)

so secret_dto.secret = unencrypted which is set in tr.normalize_before_encryption

barbican/plugin/util/translations.py
------------------------------------
normalize_before_encryption is defined here:

https://github.com/openstack/barbican/blob/7.0.0/barbican/plugin/util/translations.py#L25

It returns:

    return b64payload, normalized_media_type

It seems that b64payload may not be correctly getting encoded for py3.

For some reason this isn't failing for me. I wonder if it comes down to a difference in clients used? Note the Ubuntu Rocky clients won't work with the --file CLI argument due to: https://bugs.launchpad.net/bugs/1799776

So I've used pip-installed clients from pypi. The following paste is against a py3 Rocky deployment. Note the debug logging added to barbican and the path taken in barbican (no encoding of data because id_rsa.pub is already base64 encoded): https://paste.ubuntu.com/p/pvmPCPrrHz/

I have a bionic-rocky barbican version building in the following PPA with the same debug that I used above. Could you run with that and report the barbican-api.log details with CCB prefixes? It may also be worth ensuring the id_rsa.pub is not corrupt, though still that should be a bug, but maybe it's partially b64encoded or something?

PPA: https://launchpad.net/~corey.bryant/+archive/ubuntu/bionic-rocky/+packages

Upgraded barbican pkgs on the unit, restarted the unit. Client details and output below. I didn't see any CCB entries in the log, but it's attached. I've also clarified with the date > file.txt as a clean example.

ubuntu@juju-b7ad6b-beisner-0:/var/log/barbican$ apt-cache policy barbican-common
barbican-common:
  Installed: 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636
  Candidate: 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636
  Version table:
 *** 1:7.0.0-0ubuntu3~ubuntu18.04.1~ppa201810241636 500
        500 http://ppa.launchpad.net/corey.bryant/bionic-rocky/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1:7.0.0-0ubuntu2~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/rocky/main amd64 Packages
     1:6.0.0-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

---

(clients) ubuntu@beisner-bastion:~/demo$ pip freeze | egrep "barbican|openstack"
openstacksdk==0.18.1
python-barbicanclient==4.7.0
python-openstackclient==3.16.1

---

(clients) ubuntu@beisner-bastion:~/demo$ date > file.txt
(clients) ubuntu@beisner-bastion:~/demo$ openstack secret store --name store_bucket --file file.txt
5xx Server error: Internal Server Error: Secret creation failure seen - please contact site administrator.
Internal Server Error: Secret creation failure seen - please contact site administrator.

---

Logs:

http://paste.ubuntu.com/p/hNJKwH6VHt/

Retested with debug enabled:

barbican-api.log:[Wed Oct 24 23:33:07.184924 2018] [wsgi:error] [pid 17477:tid 140505406514944] [remote 10.5.0.11:35220] 2018-10-24 23:33:07.184 17477 DEBUG barbican.plugin.util.translations [req-b53b964f-8541-4f30-b620-aff3bb962969 174f3123041f42818318b4ce4d46d755 a5e22ca876884268bf8c2dba92863ecd - 7e87323e783a41a6a9ba9d0763ae3f38 7e87323e783a41a6a9ba9d0763ae3f38] CCB: entering normalize_before_encryption normalize_before_encryption /usr/lib/python3/dist-packages/barbican/plugin/util/translations.py:46\x1b[00m
barbican-api.log:[Wed Oct 24 23:33:07.185194 2018] [wsgi:error] [pid 17477:tid 140505406514944] [remote 10.5.0.11:35220] 2018-10-24 23:33:07.184 17477 DEBUG barbican.plugin.util.translations [req-b53b964f-8541-4f30-b620-aff3bb962969 174f3123041f42818318b4ce4d46d755 a5e22ca876884268bf8c2dba92863ecd - 7e87323e783a41a6a9ba9d0763ae3f38 7e87323e783a41a6a9ba9d0763ae3f38] CCB: D normalize_before_encryption /usr/lib/python3/dist-packages/barbican/plugin/util/translations.py:70\x1b[00m
barbican-api.log:[Wed Oct 24 23:33:07.185440 2018] [wsgi:error] [pid 17477:tid 140505406514944] [remote 10.5.0.11:35220] 2018-10-24 23:33:07.185 17477 DEBUG barbican.plugin.util.translations [req-b53b964f-8541-4f30-b620-aff3bb962969 174f3123041f42818318b4ce4d46d755 a5e22ca876884268bf8c2dba92863ecd - 7e87323e783a41a6a9ba9d0763ae3f38 7e87323e783a41a6a9ba9d0763ae3f38] CCB: b64payload=c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFDQVFDckphczYvdnZjZzlVVlBDY3RGNUEycjFCODJIMGMvQmg3S3daZHBQN3ZWRy8vcW5iUDljb0V6NUtlOE1IMlkySmRCQ2xhVzBFODZJaWQ4dEhFdnRZaXNPWFNJZWR3Q1R3WThnelkvYjBNdjRzVGxOSkRPV1RzWlFXRTVad0xGVHZkMTVJNld2ZHBrbHl0ZGlmVmRySlZxSjlyWmxnYWsremFtcjNWWjlvdDMrbkhMZGI5MnBhd1IvQ2QvRjQwZStsWHg0TWlyb2RkZDBQY2Z0Z0FBT2U5cngvMThZR2EzVFpTUU5zS3M4SHlZeWQvRVY0Nm5qcktKWGRQcitLUzFZQTZKZmRtd21FSnFOb2o5bkkwQVh0RWwzVmxyQlhwMGJYRHlGYzRlNHZrUDUrMWhJNnB2U29iWnMxWUkyOGlGS3RLbnhPMjFpS2dYOE1aZXVkMlVEa201Qi9ISHJGZU9KYjhQbHNSYUdrcysxbFhDSWFXdnNlOEhvVmdwcEl1SWd4ck9RY3ZHeWxla1NYUHhqWTNCVTBEWENuUGNNUDZzRHR2V3VtOHZXM3grbXlPUzdicEZCYmlidVYrZjQ1V09TL1czcEpKZmNJcDd3dXRidnFGNCt2cWdqczdsclB4UEVoaEQvb25Za3gySmpua0hlM1BoY2FNZkdWdHNVV1dPRTNTaGFVTUxzUVRGV2dRRjVMR2twcUtSSk1NZDVsdk1DTGxuWm5uK0pqZDR5ZGM2S1laa0pySzZSN25WSUMySUc3U1JuZXgrbW1HcjRrUXVHNUp0a3kxajI3VGJNejdyUkhkYkV0N2haNC9BT0JQMjFrcGoyeGN6S0NBZGJta0dQR20vcy9DVzFzRHdyeG04clpEUzlaVk5UamdsOUlETCs5dVFWZlBkU0JZcHc9PSB1YnVudHVAYmVpc25lci1iYXN0aW9uCg== normalize_before_encryption /usr/lib/python3/dist-packages/barbican/plugin/util/translations.py:84\x1b[00m
barbican-api.log:[Wed Oct 24 23:33:07.185625 2018] [wsgi:error] [pid 17477:tid 140505406514944] [remote 10.5.0.11:35220] 2018-10-24 23:33:07.185 17477 DEBUG barbican.plugin.util.translations [req-b53b964f-8541-4f30-b620-aff3bb962969 174f3123041f42818318b4ce4d46d755 a5e22ca876884268bf8c2dba92863ecd - 7e87323e783a41a6a9ba9d0763ae3f38 7e87323e783a41a6a9ba9d0763ae3f38] CCB: type(b64payload)=<class 'str'> normalize_before_encryption /usr/lib/python3/dist-packages/barbican/plugin/util/translations.py:85\x1b[00m
barbican-api.log:[Wed Oct 24 23:33:07.185857 2018] [wsgi:error] [pid 17477:tid 140505406514944] [remote 10.5.0.11:35220] 2018-10-24 23:33:07.185 17477 DEBUG barbican.pl...

http://paste.ubuntu.com/p/7x3Ct3WVQG/

Content appears to already be base64 encoded so the raw context is passed back in the b64payload variable

The code incorrectly assumes that base64 is byte encoded so something like:

        elif content_encoding.lower() == 'base64':
            if not isinstance(unencrypted, six.binary_type):
                b64payload = unencrypted.encode('utf-8')
            else:
                b64payload = unencrypted

does the trick in terms of ensuring binary encoding of the data in this code path.

Makes sense! What that code does with plain text for py3 is base64.encode_as_bytes(plaintext) which results in bytes:

  >>> from oslo_serialization import base64
  >>> base64.encode_as_bytes('hello')
  b'aGVsbG8='

Basically what that does is:

  >>> base64.b64encode('hello'.encode('utf-8'))
  b'aGVsbG8='

Hello Ryan, or anyone else affected,

Accepted barbican into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/barbican/1:7.0.0-0ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verified successfully on cosmic-proposed: https://paste.ubuntu.com/p/gSyMMDdCXd/

s/cosmic-proposed/rocky-proposed ^^

Verified successfully on cosmic-proposed: https://paste.ubuntu.com/p/BMqSv8rBqJ/

This bug was fixed in the package barbican - 1:7.0.0-0ubuntu4

---------------
barbican (1:7.0.0-0ubuntu4) disco; urgency=medium

  * d/tests/barbican-shebangs-py3: Update shebang for Python 3.7.

 -- Corey Bryant <email address hidden> Wed, 07 Nov 2018 09:22:03 -0500

This bug was fixed in the package barbican - 1:7.0.0-0ubuntu3

---------------
barbican (1:7.0.0-0ubuntu3) cosmic; urgency=medium

  * d/p/encode-b64payload.patch: Cherry-pick from upstream review
    (https://review.openstack.org/#/c/613324/) to ensure base64
    payloads are correctly encoded in Python 3 (LP: #1799746).

 -- Corey Bryant <email address hidden> Thu, 25 Oct 2018 09:48:28 -0400

The verification of the Stable Release Update for barbican has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package barbican - 1:7.0.0-0ubuntu3~cloud0
---------------

 barbican (1:7.0.0-0ubuntu3~cloud0) bionic-rocky; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 barbican (1:7.0.0-0ubuntu3) cosmic; urgency=medium
 .
   * d/p/encode-b64payload.patch: Cherry-pick from upstream review
     (https://review.openstack.org/#/c/613324/) to ensure base64
     payloads are correctly encoded in Python 3 (LP: #1799746).