yahoo-eng-team team mailing list archive
Message #91530
[Bug 2009600] Re: Client authentication fails with cryptography 3.4.8
Reviewed: https://review.opendev.org/c/openstack/keystone/+/877807
Committed: https://opendev.org/openstack/keystone/commit/f5db9801c23bde15d162a67d4fd6621e5bd09719
Submitter: "Zuul (22348)"
Branch: master
commit f5db9801c23bde15d162a67d4fd6621e5bd09719
Author: Hiromu Asahina <hiromu.asahina.az@xxxxxxxxxxxxx>
Date: Fri Mar 17 23:16:04 2023 +0900
Remove Dependency on Cryptography >=36.0.0
The mTLS OAuth2.0 in Keystone uses a parameter that is only available on
cryptography 36.0.0 or later. Users may have to upgrade cryptography
which is already installed, which can be an unreasonable hassle. This
patch introduces an alternative for that parameter.
[1] https://cryptography.io/en/latest/changelog/#v36-0-0
Closes-bug: 2009600
Change-Id: Idffe269b62797bb2935429f4069e878a177db04f
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2009600
Title:
Client authentication fails with cryptography 3.4.8
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
It seems the following commit may have introduced a hard dependency on
cryptography 38.0.2. This poses a problem for downstream distributions
where openstack is backported to older LTS releases. For example, in
Ubuntu we are backporting antelope to jammy, where
python3-cryptography is at 3.4.8. Having to backport cryptography
38.0.2 is very complicated and error prone as it depends on many (25+)
rust libraries that would also need to be backported.
commit f6a0cce4409232d8ade69b7773dbabcf4c53ec0f
Author: sunyonggen <sunyonggen@xxxxxxxxxxx>
Date: Fri Oct 7 11:00:05 2022 +0900
OAuth 2.0 Mutual-TLS Support
The OAuth2.0 Access Token API is modified, support to get an OAuth2.0
certificate-bound access token from the keystone identity server with
OAuth 2.0 credentials and Mutual-TLS certificates.
Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@xxxxxxxxxxxxx>
Change-Id: I885527bec61429b1437a046097a16491848b5a0a
Implements: blueprint support-oauth2-mtls
To reproduce:
1) clone the upstream keystone source
2) run 'tox -e py3' (I'm running py311 fwiw)
3) align dependencies for cryptography and openssl with Ubuntu Jammy:
.tox/py311/bin/pip3 install cryptography==3.4.8
.tox/py311/bin/pip3 install pyOpenSSL==21.0.0
4) run tests again and see failures
Here is an example of a failure:
keystone.tests.unit.test_v3_oauth2.OAuth2CertificateTests.test_get_access_token_ignore_email
--------------------------------------------------------------------------------------------
Captured traceback:
~~~~~~~~~~~~~~~~~~~
Traceback (most recent call last):
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 1379, in test_get_access_token_ignore_email
resp = self._get_access_token(
^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 871, in _get_access_token
resp = self.post(
^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 484, in post
return self.v3_request(path, method='POST',
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 458, in v3_request
return self.v3_noauth_request(path, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 453, in v3_noauth_request
return self.admin_request(path=path, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 211, in admin_request
return self._request(app=self.public_app, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 202, in _request
response = self.request(**kwargs)
^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 87, in request
response = app.request(path, headers=headers,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 579, in request
return self.do_request(req,
^^^^^^^^^^^^^^^^^^^^
File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 646, in do_request
self._check_status(status, res)
File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 680, in _check_status
raise AppError(
webtest.app.AppError: Bad response: 401 Unauthorized (not 200)
b'{"error":"invalid_client","error_description":"Client authentication failed."}\n'
Captured pythonlogging:
~~~~~~~~~~~~~~~~~~~~~~~
No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
NeedRegenerationException
no value, waiting for create lock
value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8683910090> acquired
No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
Calling creation function for not-yet-present value
Cache value generated in 0.008 seconds for key(s): 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
Released creation lock
Truncating password to algorithm specific maximum length 54 characters.
No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
NeedRegenerationException
no value, waiting for create lock
value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8684b9f790> acquired
No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
Calling creation function for not-yet-present value
Cache value generated in 0.025 seconds for key(s): 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
Released creation lock
Truncating password to algorithm specific maximum length 54 characters.
REQUEST_METHOD: `POST`
SCRIPT_NAME: ``
PATH_INFO: `/v3/OS-OAUTH2/token`
NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
Traceback (most recent call last):
File "/home/corey/pkg/antelope/upstream/keystone/keystone/common/utils.py", line 482, in get_certificate_subject_dn
name, value = item.rfc4514_string(
^^^^^^^^^^^^^^^^^^^^
TypeError: NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
Get OAuth2.0 Access Token API: failed to get the subject DN from the certificate.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2009600/+subscriptions
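The traceback above pins the incompatibility to one call: `NameAttribute.rfc4514_string(attr_name_overrides=...)`, a keyword that cryptography only added in 36.0.0, so on 3.4.8 the subject DN lookup raises TypeError and the mTLS client is rejected with `invalid_client`. The following Python is an added example, not keystone's code and not the fix in the commit above: it keeps its own OID-to-short-name table and RFC 4514 escaping, so the subject DN of an mTLS client certificate renders identically on any cryptography release. The names `RFC4514_SHORT_NAMES`, `rfc4514_escape`, `name_attribute_pairs`, `subject_rfc4514_string` and `get_certificate_subject_dn` are mine, the sample attributes are constructed, and `get_certificate_subject_dn` needs the cryptography package only when called with a real certificate object.

```python
"""Version-portable subject DN extraction for mTLS client certificates.

cryptography >= 36.0.0 lets NameAttribute.rfc4514_string() take an
`attr_name_overrides` mapping; 3.4.8 raises TypeError on that keyword (see
the traceback in the bug report). Keeping the OID -> short-name table and
the RFC 4514 escaping in our own code removes that version dependency.
This is an illustrative example, not keystone's implementation.
"""
from __future__ import annotations

from typing import Iterable

# RFC 4514 section 3 short names plus a few common extras. Attribute types
# not listed here are rendered by dotted OID, as RFC 4514 prescribes.
RFC4514_SHORT_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.4": "SN",
    "2.5.4.5": "serialNumber",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.9": "STREET",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "2.5.4.12": "title",
    "2.5.4.42": "GN",
    "0.9.2342.19200300.100.1.1": "UID",
    "0.9.2342.19200300.100.1.25": "DC",
    "1.2.840.113549.1.9.1": "emailAddress",
}


def rfc4514_escape(value: str) -> str:
    """Escape an attribute value as RFC 4514 section 2.4 requires.

    Special characters anywhere, '#' or space at the start and a space at
    the end get a backslash. Without this, a value containing ',' or '+'
    would be indistinguishable from an extra attribute when the DN is
    compared as a string, which matters when the DN identifies an OAuth2
    client.
    """
    chunks = []
    for ch in value:
        if ch in '"+,;<>\\':
            chunks.append("\\" + ch)
        elif ch == "\x00":
            chunks.append("\\00")
        else:
            chunks.append(ch)
    escaped = "".join(chunks)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def name_attribute_pairs(attributes: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Map (dotted_oid, value) tuples to (short_name, escaped_value) tuples.

    Input order is the certificate's own order (least specific first, e.g.
    C, O, CN), which is how cryptography's x509.Name iterates it.
    """
    pairs = []
    for oid, value in attributes:
        short = RFC4514_SHORT_NAMES.get(oid, oid)
        pairs.append((short, rfc4514_escape(value)))
    return pairs


def subject_rfc4514_string(attributes: Iterable[tuple[str, str]]) -> str:
    """Render the DN as RFC 4514 text, most specific RDN first (CN=...,O=...,C=...)."""
    pairs = name_attribute_pairs(attributes)
    return ",".join(f"{name}={value}" for name, value in reversed(pairs))


def get_certificate_subject_dn(cert) -> dict[str, str]:
    """Subject DN of a cryptography x509.Certificate as {short_name: value}.

    Uses only attributes present since cryptography 3.x (oid.dotted_string,
    NameAttribute.value), so it behaves the same on 3.4.8 and on >= 36.
    A repeated attribute type keeps the last value; whether duplicates
    should be rejected instead is a policy decision for the caller.
    """
    attrs = []
    for attr in cert.subject:
        value = attr.value
        if isinstance(value, bytes):  # some attribute types carry raw bytes
            value = value.hex()
        attrs.append((attr.oid.dotted_string, value))
    return dict(name_attribute_pairs(attrs))


if __name__ == "__main__":
    # Constructed sample: the subject of a hypothetical mTLS client certificate.
    sample = [
        ("2.5.4.6", "JP"),
        ("2.5.4.10", "Example, Inc."),
        ("2.5.4.11", "Identity"),
        ("2.5.4.3", "client01"),
    ]
    print(dict(name_attribute_pairs(sample)))
    print(subject_rfc4514_string(sample))
```

The point of doing the escaping yourself rather than string-formatting `attr.value` is that the rendered DN is what gets compared against the registered OAuth2 client identity; a value that contains a comma must not be able to masquerade as a second attribute, regardless of which cryptography release is installed.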