Public bug reported:

It seems the following commit may have introduced a hard dependency on cryptography 38.0.2. This poses a problem for downstream distributions where openstack is backported to older LTS releases. For example, in Ubuntu we are backporting antelope to jammy, where python3-cryptography is at 3.4.8. Having to backport cryptography 38.0.2 is very complicated and error-prone as it depends on many (25+) rust libraries that would also need to be backported.
commit f6a0cce4409232d8ade69b7773dbabcf4c53ec0f
Author: sunyonggen <[email protected]>
Date:   Fri Oct 7 11:00:05 2022 +0900

    OAuth 2.0 Mutual-TLS Support

    The OAuth2.0 Access Token API is modified to support getting an OAuth2.0 certificate-bound access token from the keystone identity server with OAuth 2.0 credentials and Mutual-TLS certificates.

    Co-Authored-By: Hiromu Asahina <[email protected]>
    Change-Id: I885527bec61429b1437a046097a16491848b5a0a
    Implements: blueprint support-oauth2-mtls

To reproduce:
1) clone the upstream keystone source
2) run 'tox -e py3' (I'm running py311 fwiw)
3) align dependencies for cryptography and openssl with Ubuntu Jammy:
   .tox/py311/bin/pip3 install cryptography==3.4.8
   .tox/py311/bin/pip3 install pyOpenSSL==21.0.0
4) run tests again and see failures

Here is an example of a failure:

keystone.tests.unit.test_v3_oauth2.OAuth2CertificateTests.test_get_access_token_ignore_email
--------------------------------------------------------------------------------------------

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 1379, in test_get_access_token_ignore_email
        resp = self._get_access_token(
               ^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 871, in _get_access_token
        resp = self.post(
               ^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 484, in post
        return self.v3_request(path, method='POST',
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 458, in v3_request
        return self.v3_noauth_request(path, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 453, in v3_noauth_request
        return self.admin_request(path=path, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 211, in admin_request
        return self._request(app=self.public_app, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 202, in _request
        response = self.request(**kwargs)
                   ^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 87, in request
        response = app.request(path, headers=headers,
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 579, in request
        return self.do_request(req,
               ^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 646, in do_request
        self._check_status(status, res)
      File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 680, in _check_status
        raise AppError(
    webtest.app.AppError: Bad response: 401 Unauthorized (not 200)
    b'{"error":"invalid_client","error_description":"Client authentication failed."}\n'

Captured pythonlogging:
~~~~~~~~~~~~~~~~~~~~~~~
No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
NeedRegenerationException no value, waiting for create lock
value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8683910090> acquired
No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
Calling creation function for not-yet-present value
Cache value generated in 0.008 seconds for key(s): 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
Released creation lock
Truncating password to algorithm specific maximum length 54 characters.
No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
NeedRegenerationException no value, waiting for create lock
value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8684b9f790> acquired
No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
Calling creation function for not-yet-present value
Cache value generated in 0.025 seconds for key(s): 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
Released creation lock
Truncating password to algorithm specific maximum length 54 characters.
REQUEST_METHOD: `POST`
SCRIPT_NAME: ``
PATH_INFO: `/v3/OS-OAUTH2/token`
NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
Traceback (most recent call last):
  File "/home/corey/pkg/antelope/upstream/keystone/keystone/common/utils.py", line 482, in get_certificate_subject_dn
    name, value = item.rfc4514_string(
                  ^^^^^^^^^^^^^^^^^^^^
TypeError: NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
Get OAuth2.0 Access Token API: failed to get the subject DN from the certificate.

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/2009600
Title: Client authentication fails with cryptography 3.4.8
Status in OpenStack Identity (keystone): New
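The failure above comes from calling NameAttribute.rfc4514_string() with the attr_name_overrides keyword, which cryptography 38 accepts and 3.4.8 does not. The helper below, added here as an illustration and not keystone's own fix, feature-detects the keyword and produces the same subject-DN mapping on both library generations; the Oid and NameAttribute stand-ins, the OID constants and the override map are constructed so the example runs without cryptography installed.

```python
import inspect


class Oid:
    """Constructed stand-in for cryptography's ObjectIdentifier (hashable by dotted string)."""
    def __init__(self, dotted):
        self.dotted_string = dotted
    def __eq__(self, other):
        return isinstance(other, Oid) and other.dotted_string == self.dotted_string
    def __hash__(self):
        return hash(self.dotted_string)


OID_CN, OID_EMAIL = Oid("2.5.4.3"), Oid("1.2.840.113549.1.9.1")
SHORT_NAMES = {OID_CN: "CN"}                        # subset of the library's built-in table
ATTR_NAME_OVERRIDES = {OID_EMAIL: "emailAddress"}   # hypothetical map, in the spirit of keystone's


class OldNameAttribute:
    """Stand-in for cryptography 3.4.8: rfc4514_string() takes no keyword, unknown OIDs stay dotted."""
    def __init__(self, oid, value):
        self.oid, self.value = oid, value
    def rfc4514_string(self):
        return f"{SHORT_NAMES.get(self.oid, self.oid.dotted_string)}={self.value}"


class NewNameAttribute(OldNameAttribute):
    """Stand-in for cryptography >= 38: rfc4514_string() accepts attr_name_overrides."""
    def rfc4514_string(self, attr_name_overrides=None):
        names = {**SHORT_NAMES, **(attr_name_overrides or {})}
        return f"{names.get(self.oid, self.oid.dotted_string)}={self.value}"


def supports_overrides(attr):
    """Feature-detect the keyword instead of comparing version strings."""
    return "attr_name_overrides" in inspect.signature(attr.rfc4514_string).parameters


def subject_dn_to_dict(attributes, overrides=None):
    """Return {attribute name: value} for a subject on either library generation."""
    overrides = ATTR_NAME_OVERRIDES if overrides is None else overrides
    out = {}
    for attr in attributes:
        if supports_overrides(attr):
            rdn = attr.rfc4514_string(attr_name_overrides=overrides)
        else:
            # Old API: the keyword call would raise the TypeError from the report,
            # so call without it and apply the override to the name part ourselves.
            rdn = attr.rfc4514_string()
            if attr.oid in overrides:
                rdn = overrides[attr.oid] + "=" + rdn.split("=", 1)[1]
        name, value = rdn.split("=", 1)  # split once: the value itself may contain '='
        out[name] = value
    return out
```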

