[Bug 1867676] [NEW] Fetching by secret container doesn't raises 404 exception

Jorge Niedbalski 1867676 at bugs.launchpad.net
Mon Mar 16 20:15:16 UTC 2020


Public bug reported:

[Description]

As per https://storyboard.openstack.org/#!/story/2007371 we identified that
Ubuntu clouds running version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.

This causes the code to not fall back into the legacy mode.

[Reproducer]

Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
Create the 3 certs at Barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"

Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet

Create a secrets container

$ openstack secret container create --type='certificate' --name "test-tls-1" \
    --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" \
    --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" \
    --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"

Create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1

This creation will fail with the following exception:

The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)

[Possible Regressions]

* No regressions identified so far.

[Fix]

The following changesets need to be backported into the bionic version
4.6.0-0ubuntu1

All of those are part of 4.8.0 onward.

** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad

Corresponding reviews

https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/

** Affects: python-barbicanclient (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: python-barbicanclient (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: python-barbicanclient (Ubuntu Disco)
     Importance: Undecided
         Status: Fix Released

** Affects: python-barbicanclient (Ubuntu Eoan)
     Importance: Undecided
         Status: Fix Released

** Affects: python-barbicanclient (Ubuntu Focal)
     Importance: Undecided
         Status: Fix Released

** Also affects: python-barbicanclient (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: python-barbicanclient (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Also affects: python-barbicanclient (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: python-barbicanclient (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Changed in: python-barbicanclient (Ubuntu Focal)
       Status: New => Fix Released

** Changed in: python-barbicanclient (Ubuntu Eoan)
       Status: New => Fix Released

** Changed in: python-barbicanclient (Ubuntu Disco)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1867676
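
Added example, not part of the original report and not python-barbicanclient or Octavia code: a simplified model of why a missing 404 keeps the caller from falling back to legacy mode and ends in the "PKCS12 bundle is unreadable" error. The endpoint, refs, function names and the toy DER check standing in for PKCS12 parsing are all constructed assumptions.

```python
import json

BASE = "https://barbican.example:9312/v1"  # constructed endpoint
SECRET_REF = BASE + "/secrets/00000000-0000-0000-0000-000000000001"
CONTAINER_REF = BASE + "/containers/00000000-0000-0000-0000-000000000002"
# Constructed store: one DER-looking blob and one legacy certificate container.
STORE = {
    SECRET_REF: b"\x30\x03\x02\x01\x03",
    CONTAINER_REF: json.dumps(
        {"type": "certificate", "secret_refs": ["certificate", "private_key"]}
    ).encode(),
}


class NotFound(Exception):
    """Stands in for the HTTP 404 the caller relies on."""


def lenient_get_secret(ref):
    # Modelled failure mode (assumption): a container ref is not rejected.
    return STORE[ref]


def strict_get_secret(ref):
    # Expected behaviour: anything that is not a stored secret is a 404.
    if "/secrets/" not in ref or ref not in STORE:
        raise NotFound(ref)
    return STORE[ref]


def parse_bundle(blob):
    # Toy stand-in for PKCS12 parsing: DER SEQUENCE with a matching short length.
    if len(blob) < 2 or blob[0] != 0x30 or blob[1] != len(blob) - 2:
        raise ValueError("PKCS12 bundle is unreadable")
    return blob


def load_tls(get_secret, ref):
    """Try the single-bundle path first; fall back to the container on 404."""
    try:
        return "pkcs12", parse_bundle(get_secret(ref))
    except NotFound:
        return "legacy", json.loads(STORE[ref])["secret_refs"]


def outcome(get_secret, ref):
    """Return which path was taken, or the error the caller would surface."""
    try:
        return load_tls(get_secret, ref)[0]
    except ValueError as exc:
        return "error: " + str(exc)
```

With the strict lookup a container ref takes the legacy path; with the lenient one the container body reaches the bundle parser and the request fails instead.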
