Public bug reported:

It seems the following commit may have introduced a hard dependency on
cryptography 38.0.2. This poses a problem for downstream distributions
where openstack is backported to older LTS releases. For example, in
Ubuntu we are backporting antelope to jammy, where python3-cryptography
is at 3.4.8. Having to backport cryptography 38.0.2 is very complicated
and error prone as it depends on many (25+) rust libraries that would
also need to be backported.


commit f6a0cce4409232d8ade69b7773dbabcf4c53ec0f
Author: sunyonggen <[email protected]>
Date:   Fri Oct 7 11:00:05 2022 +0900

    OAuth 2.0 Mutual-TLS Support
    
    The OAuth2.0 Access Token API is modified, support to get an OAuth2.0
    certificate-bound access token from the keystone identity server with
    OAuth 2.0 credentials and Mutual-TLS certificates.
    
    Co-Authored-By: Hiromu Asahina <[email protected]>
    Change-Id: I885527bec61429b1437a046097a16491848b5a0a
    Implements: blueprint support-oauth2-mtls


To reproduce:
1) clone the upstream keystone source
2) run 'tox -e py3' (I'm running py311 fwiw)
3) align dependencies for cryptography and openssl with Ubuntu Jammy:
.tox/py311/bin/pip3 install cryptography==3.4.8
.tox/py311/bin/pip3 install pyOpenSSL==21.0.0
4) run tests again and see failures


Here is an example of a failure:

keystone.tests.unit.test_v3_oauth2.OAuth2CertificateTests.test_get_access_token_ignore_email
--------------------------------------------------------------------------------------------

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 1379, in test_get_access_token_ignore_email
        resp = self._get_access_token(
               ^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 871, in _get_access_token
        resp = self.post(
               ^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 484, in post
        return self.v3_request(path, method='POST',
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 458, in v3_request
        return self.v3_noauth_request(path, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 453, in v3_noauth_request
        return self.admin_request(path=path, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 211, in admin_request
        return self._request(app=self.public_app, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 202, in _request
        response = self.request(**kwargs)
                   ^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 87, in request
        response = app.request(path, headers=headers,
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 579, in request
        return self.do_request(req,
               ^^^^^^^^^^^^^^^^^^^^
      File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 646, in do_request
        self._check_status(status, res)
      File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 680, in _check_status
        raise AppError(
    webtest.app.AppError: Bad response: 401 Unauthorized (not 200)
    b'{"error":"invalid_client","error_description":"Client authentication failed."}\n'

Captured pythonlogging:
~~~~~~~~~~~~~~~~~~~~~~~
    No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
    NeedRegenerationException
    no value, waiting for create lock
    value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8683910090> acquired
    No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
    Calling creation function for not-yet-present value
    Cache value generated in 0.008 seconds for key(s): 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
    Released creation lock
    Truncating password to algorithm specific maximum length 54 characters.
    No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
    NeedRegenerationException
    no value, waiting for create lock
    value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8684b9f790> acquired
    No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
    Calling creation function for not-yet-present value
    Cache value generated in 0.025 seconds for key(s): 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
    Released creation lock
    Truncating password to algorithm specific maximum length 54 characters.
    REQUEST_METHOD: `POST`
    SCRIPT_NAME: ``
    PATH_INFO: `/v3/OS-OAUTH2/token`
    NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
    Traceback (most recent call last):
      File "/home/corey/pkg/antelope/upstream/keystone/keystone/common/utils.py", line 482, in get_certificate_subject_dn
        name, value = item.rfc4514_string(
                      ^^^^^^^^^^^^^^^^^^^^
    TypeError: NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
    Get OAuth2.0 Access Token API: failed to get the subject DN from the certificate.

** Affects: keystone
     Importance: Undecided
         Status: New
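The TypeError in the captured log comes from passing attr_name_overrides to NameAttribute.rfc4514_string(), a keyword that cryptography 3.4.8 does not accept, and the API correctly fails closed with 401 invalid_client when the subject DN cannot be read. As an added example (not Keystone's code or its eventual fix), the helper below probes which API generation is present and applies the override itself on the old one, so both versions produce the same subject-DN mapping. Oid, LegacyAttr, ModernAttr and the sample subject are constructed stand-ins for the two library generations so the code runs without cryptography installed; a real cryptography.x509.Name can be passed to subject_dn() in their place.

```python
# Subject-DN extraction that works on both cryptography API generations (added example).
import inspect
from collections import namedtuple
from typing import Dict, Iterable, Mapping, Optional, Tuple

# Stand-in for cryptography's ObjectIdentifier: hashable, with an optional short name.
Oid = namedtuple("Oid", "dotted short", defaults=(None,))

def _escape(value: str) -> str:
    """RFC 4514 section 2.4 escaping, as the library applies to attribute values."""
    for ch in '\\"+,;<>':  # backslash first so the escapes added below stay single
        value = value.replace(ch, "\\" + ch)
    if value.startswith(("#", " ")):
        value = "\\" + value
    return value[:-1] + "\\ " if value.endswith(" ") else value

class LegacyAttr:
    """Emulates cryptography 3.4.8: rfc4514_string() takes no arguments."""
    def __init__(self, oid: Oid, value: str):
        self.oid, self.value = oid, value

    def rfc4514_string(self) -> str:
        return f"{self.oid.short or self.oid.dotted}={_escape(self.value)}"

class ModernAttr(LegacyAttr):
    """Emulates newer cryptography: attr_name_overrides maps OID -> display name."""
    def rfc4514_string(self, attr_name_overrides: Optional[Mapping] = None) -> str:
        name = (attr_name_overrides or {}).get(self.oid) or self.oid.short or self.oid.dotted
        return f"{name}={_escape(self.value)}"

def _accepts_overrides(method) -> bool:
    """Probe the signature rather than catching TypeError, which could mask real bugs."""
    try:
        return "attr_name_overrides" in inspect.signature(method).parameters
    except (TypeError, ValueError):  # no signature metadata: assume the old API
        return False

def rfc4514_pair(attr, overrides: Optional[Mapping] = None) -> Tuple[str, str]:
    """Render one NameAttribute as (type, escaped value) on either API generation."""
    if _accepts_overrides(attr.rfc4514_string):
        rendered = attr.rfc4514_string(attr_name_overrides=overrides)
    else:
        rendered = attr.rfc4514_string()  # old API picks the type name itself ...
        if overrides and attr.oid in overrides:  # ... so apply the override here
            rendered = overrides[attr.oid] + "=" + rendered.split("=", 1)[1]
    name, value = rendered.split("=", 1)  # type names never contain '='
    return name, value

def subject_dn(subject: Iterable, overrides: Optional[Mapping] = None) -> Dict[str, str]:
    """Map type -> value; a repeated type fails closed instead of one of two values silently winning the lookup."""
    dn: Dict[str, str] = {}
    for attr in subject:  # a real x509.Name iterates its NameAttributes the same way
        name, value = rfc4514_pair(attr, overrides)
        if name in dn:
            raise ValueError(f"ambiguous subject DN: {name!r} appears more than once")
        dn[name] = value
    return dn

# Constructed sample subject; emailAddress has no short name in 3.4.8's table, so it would surface as its dotted OID.
CN, ORG = Oid("2.5.4.3", "CN"), Oid("2.5.4.10", "O")
EMAIL = Oid("1.2.840.113549.1.9.1")
OVERRIDES = {EMAIL: "emailAddress"}

def sample_subject(attr_cls=LegacyAttr):
    return [attr_cls(CN, "alice"), attr_cls(ORG, "Example, Inc."),
            attr_cls(EMAIL, "alice@example.com")]

if __name__ == "__main__":
    for cls in (LegacyAttr, ModernAttr):
        print(cls.__name__, subject_dn(sample_subject(cls), OVERRIDES))
```

Values keep the RFC 4514 escaping the library produces (for example "Example\, Inc."), which is what a downstream mapping rule must compare against.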

https://bugs.launchpad.net/bugs/2009600

Title:
  Client authentication fails with cryptography 3.4.8

Status in OpenStack Identity (keystone):
  New



