yahoo-eng-team team mailing list archive, Message #91460
[Bug 2009600] [NEW] Client authentication fails with cryptography 3.4.8
Public bug reported:
It seems the following commit may have introduced a hard dependency on
cryptography 38.0.2. This poses a problem for downstream distributions
where openstack is backported to older LTS releases. For example, in
Ubuntu we are backporting antelope to jammy, where python3-cryptography
is at 3.4.8. Having to backport cryptography 38.0.2 is very complicated
and error prone as it depends on many (25+) rust libraries that would
also need to be backported.
commit f6a0cce4409232d8ade69b7773dbabcf4c53ec0f
Author: sunyonggen <sunyonggen@xxxxxxxxxxx>
Date: Fri Oct 7 11:00:05 2022 +0900
OAuth 2.0 Mutual-TLS Support
The OAuth2.0 Access Token API is modified, support to get an OAuth2.0
certificate-bound access token from the keystone identity server with
OAuth 2.0 credentials and Mutual-TLS certificates.
Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@xxxxxxxxxxxxx>
Change-Id: I885527bec61429b1437a046097a16491848b5a0a
Implements: blueprint support-oauth2-mtls
To reproduce:
1) clone the upstream keystone source
2) run 'tox -e py3' (I'm running py311 fwiw)
3) align dependencies for cryptography and openssl with Ubuntu Jammy:
.tox/py311/bin/pip3 install cryptography==3.4.8
.tox/py311/bin/pip3 install pyOpenSSL==21.0.0
4) run tests again and see failures
Here is an example of a failure:
keystone.tests.unit.test_v3_oauth2.OAuth2CertificateTests.test_get_access_token_ignore_email
--------------------------------------------------------------------------------------------
Captured traceback:
~~~~~~~~~~~~~~~~~~~
Traceback (most recent call last):
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 1379, in test_get_access_token_ignore_email
resp = self._get_access_token(
^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 871, in _get_access_token
resp = self.post(
^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 484, in post
return self.v3_request(path, method='POST',
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 458, in v3_request
return self.v3_noauth_request(path, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 453, in v3_noauth_request
return self.admin_request(path=path, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 211, in admin_request
return self._request(app=self.public_app, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 202, in _request
response = self.request(**kwargs)
^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 87, in request
response = app.request(path, headers=headers,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 579, in request
return self.do_request(req,
^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 646, in do_request
self._check_status(status, res)
File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 680, in _check_status
raise AppError(
webtest.app.AppError: Bad response: 401 Unauthorized (not 200)
b'{"error":"invalid_client","error_description":"Client authentication failed."}\n'
Captured pythonlogging:
~~~~~~~~~~~~~~~~~~~~~~~
No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
NeedRegenerationException
no value, waiting for create lock
value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8683910090> acquired
No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
Calling creation function for not-yet-present value
Cache value generated in 0.008 seconds for key(s): 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
Released creation lock
Truncating password to algorithm specific maximum length 54 characters.
No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
NeedRegenerationException
no value, waiting for create lock
value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8684b9f790> acquired
No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
Calling creation function for not-yet-present value
Cache value generated in 0.025 seconds for key(s): 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
Released creation lock
Truncating password to algorithm specific maximum length 54 characters.
REQUEST_METHOD: `POST`
SCRIPT_NAME: ``
PATH_INFO: `/v3/OS-OAUTH2/token`
NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
Traceback (most recent call last):
File "/home/corey/pkg/antelope/upstream/keystone/keystone/common/utils.py", line 482, in get_certificate_subject_dn
name, value = item.rfc4514_string(
^^^^^^^^^^^^^^^^^^^^
TypeError: NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
Get OAuth2.0 Access Token API: failed to get the subject DN from the certificate.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2009600
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2009600/+subscriptions
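The TypeError in the captured log comes from calling NameAttribute.rfc4514_string() with the attr_name_overrides keyword, which cryptography only accepts from the 38.0 series onward; on 3.4.8 the method takes no arguments. The following is an added example, written for this page and not taken from keystone or from the bug report, of extracting the subject DN of an mTLS client certificate in a way that works on both library generations: it tries the keyword first and, when that raises, builds the same (name, value) pairs from a local OID table with RFC 4514 escaping. The OID table, the emailAddress short name, all function names and the sample subject are this example's own assumptions; it assumes the cryptography package is installed (3.1 or newer, so the backend argument can be omitted) and generates its test certificate in memory.

```python
"""Subject-DN extraction that works on cryptography 3.4.8 and >= 38.

Added example, not keystone code.  Assumes the `cryptography` package is
installed (3.1 or newer, so the `backend` argument can be omitted).
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# RFC 4514 section 3 short names, plus emailAddress (PKCS#9), which plain
# rfc4514_string() would otherwise print as "1.2.840.113549.1.9.1".  The
# emailAddress entry is this example's choice, not keystone's table.
OID_TO_NAME = {
    NameOID.COMMON_NAME: "CN",
    NameOID.LOCALITY_NAME: "L",
    NameOID.STATE_OR_PROVINCE_NAME: "ST",
    NameOID.ORGANIZATION_NAME: "O",
    NameOID.ORGANIZATIONAL_UNIT_NAME: "OU",
    NameOID.COUNTRY_NAME: "C",
    NameOID.STREET_ADDRESS: "STREET",
    NameOID.DOMAIN_COMPONENT: "DC",
    NameOID.USER_ID: "UID",
    NameOID.EMAIL_ADDRESS: "emailAddress",
}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 section 2.4."""
    out = value.replace("\\", "\\\\")
    for ch in '"+,;<>':
        out = out.replace(ch, "\\" + ch)
    out = out.replace("\x00", "\\00")
    if value[:1] in ("#", " "):          # leading '#' or space
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):  # trailing space
        out = out[:-1] + "\\ "
    return out


def name_attribute_to_pair(attr: x509.NameAttribute, force_fallback: bool = False):
    """Return (short_name, escaped_value) for one subject attribute.

    On cryptography >= 38, NameAttribute.rfc4514_string() accepts
    attr_name_overrides.  On 3.4.8 that keyword raises the TypeError seen
    in the bug's traceback, so the same pair is built from the local table.
    """
    if not force_fallback:
        try:
            text = attr.rfc4514_string(attr_name_overrides=OID_TO_NAME)
        except (TypeError, AttributeError):
            pass  # old cryptography: no attr_name_overrides parameter
        else:
            name, _, value = text.partition("=")
            return name, value
    name = OID_TO_NAME.get(attr.oid, attr.oid.dotted_string)
    return name, escape_dn_value(attr.value)


def get_certificate_subject_dn(cert_pem: bytes, force_fallback: bool = False) -> dict:
    """Map subject attribute short names to escaped values for a PEM cert."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    return dict(name_attribute_to_pair(a, force_fallback) for a in cert.subject)


def make_client_cert(subject_attrs) -> bytes:
    """Self-signed client certificate (constructed test input), as PEM bytes."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(oid, val) for oid, val in subject_attrs])
    not_before = datetime.datetime(2024, 1, 1)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


# Constructed sample subject; the comma in O exercises RFC 4514 escaping.
SAMPLE_SUBJECT = [
    (NameOID.COUNTRY_NAME, "JP"),
    (NameOID.ORGANIZATION_NAME, "Example, Inc."),
    (NameOID.COMMON_NAME, "client-svc"),
    (NameOID.EMAIL_ADDRESS, "svc@example.test"),
]
EXPECTED_DN = {
    "C": "JP",
    "O": "Example\\, Inc.",
    "CN": "client-svc",
    "emailAddress": "svc@example.test",
}

if __name__ == "__main__":
    pem = make_client_cert(SAMPLE_SUBJECT)
    # Both paths must agree, whichever cryptography version is installed.
    assert get_certificate_subject_dn(pem) == EXPECTED_DN
    assert get_certificate_subject_dn(pem, force_fallback=True) == EXPECTED_DN
    print("subject DN:", get_certificate_subject_dn(pem))
```

Running the same extraction with force_fallback=True on a cryptography 38+ install is the useful check: it proves the table-driven path and the library's own attr_name_overrides path produce identical names and escaping, so a backport to 3.4.8 does not change which subject DN a client is matched against.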