Reviewed: https://review.openstack.org/404806
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d16ec35378494f06a983a4c7f8566719bcf6ac3e
Submitter: Jenkins
Branch: master

commit d16ec35378494f06a983a4c7f8566719bcf6ac3e
Author: Brant Knudson <[email protected]>
Date:   Wed Nov 30 08:47:01 2016 -0600

    Validate token issue input

    The server wasn't validating the input to `POST /v3/auth/tokens` and
    instead allowing invalid input to be sent into the code which only
    haphazardly checked the types and values of the data, leading to
    confusing errors such as 500 Internal Server Error rather than 400 Bad
    Request as expected, and also potentially security issues.

    Closes-Bug: 1580338
    Change-Id: I34146659ebb912485716a7d07f7ae7800a5cb9ac

** Changed in: keystone
   Status: In Progress => Fix Released

--
https://bugs.launchpad.net/bugs/1580338

Title:
  create token API is not doing proper input validation

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  HTTP 500 being returned when the request body for POST /v3/auth/tokens
  has an empty string in place of one of the dicts that should be passed
  in. This shows that the code is not doing proper input validation. It
  should detect the user error and return an HTTP 400.
  Here's an example where project domain is "" instead of {"id": "default"}:

  # curl -1 -k -i -X POST https://localhost:5000/v3/auth/tokens -H "Accept: application/json" -H "Content-Type: application/json" -d '{"auth": {"scope": {"project": {"name": "myproj", "domain": ""}}, "identity": {"methods": ["password"], "password": {"user": {"domain": {"name": "Default"}, "name": "myuser", "password": "mypassword"}}}}}'
  HTTP/1.1 500 Internal Server Error
  Date: Tue, 10 May 2016 20:39:53 GMT
  Server: Apache
  Vary: X-Auth-Token
  x-openstack-request-id: req-a4961a66-b545-407e-9aa3-7575e38c252c
  Content-Length: 143
  Connection: close
  Content-Type: application/json

  {"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}

  Logs show:

  2016-05-10 16:39:53.716 2951 INFO keystone.common.wsgi [req-a4961a66-b545-407e-9aa3-7575e38c252c - - - - -] POST https://localhost:5000/v3/auth/tokens
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi [req-a4961a66-b545-407e-9aa3-7575e38c252c - - - - -] 'unicode' object has no attribute 'get'
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi Traceback (most recent call last):
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 249, in __call__
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     result = method(context, **params)
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 392, in authenticate_for_token
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     auth_info = AuthInfo.create(context, auth=auth)
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 137, in create
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     auth_info._validate_and_normalize_auth_data(scope_only)
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 305, in _validate_and_normalize_auth_data
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     self._validate_and_normalize_scope_data()
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 247, in _validate_and_normalize_scope_data
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     project_ref = self._lookup_project(self.auth['scope']['project'])
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 210, in _lookup_project
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     domain_ref = self._lookup_domain(project_info['domain'])
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 172, in _lookup_domain
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     domain_id = domain_info.get('id')
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi AttributeError: 'unicode' object has no attribute 'get'

  Note: you can also get HTTP 500 if you replace other dicts in the
  request, e.g. {"user": ""}
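As an added illustration of the fix's intent (this is not keystone's code and not part of the bug report): a plain-Python shape check that rejects the report's request body with a 400 before the empty string ever reaches `domain_info.get('id')`. The function names, the `BadRequest` class and the 201 placeholder result are assumptions; the real change adds a JSON schema for the request instead.

```python
import json

# Hypothetical shape check for a POST /v3/auth/tokens body, not keystone's code:
# wrong JSON types become HTTP 400 up front instead of AttributeError and 500.

class BadRequest(ValueError):
    """Malformed client input; the WSGI layer maps it to HTTP 400."""


def _expect(obj, typ, path):
    if not isinstance(obj, typ):
        raise BadRequest("%s must be %s, got %s"
                         % (path, typ.__name__, type(obj).__name__))
    return obj


def validate_auth_body(body):
    """Return body unchanged if every expected JSON object really is one."""
    auth = _expect(_expect(body, dict, "body").get("auth"), dict, "auth")
    identity = _expect(auth.get("identity"), dict, "auth.identity")
    methods = _expect(identity.get("methods"), list, "auth.identity.methods")
    for method in methods:
        # each listed method must carry an object payload, e.g. "password": {...}
        _expect(identity.get(method), dict, "auth.identity.%s" % method)
    if "password" in methods:
        _expect(identity["password"].get("user"), dict,
                "auth.identity.password.user")
    if "scope" in auth:
        project = _expect(auth["scope"], dict, "auth.scope").get("project")
        if project is not None:
            _expect(project, dict, "auth.scope.project")
            if "domain" in project:
                _expect(project["domain"], dict, "auth.scope.project.domain")
    return body


def handle_token_request(raw_json):
    """Return (HTTP status, message) the way the controller would."""
    try:
        validate_auth_body(json.loads(raw_json))
    except ValueError as exc:  # BadRequest and JSON decode errors alike
        return 400, str(exc)
    return 201, "input is well-formed; proceed to authenticate"


# The body from the bug report: scope.project.domain is "" instead of an object.
BUG_REPORT_BODY = ('{"auth": {"scope": {"project": {"name": "myproj", "domain": ""}},'
                   ' "identity": {"methods": ["password"], "password": {"user": {"domain":'
                   ' {"name": "Default"}, "name": "myuser", "password": "mypassword"}}}}}')
```

Running `handle_token_request(BUG_REPORT_BODY)` yields a 400 naming `auth.scope.project.domain`, and the `{"user": ""}` variant from the note above is caught the same way.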

