Reviewed:  https://review.opendev.org/c/openstack/keystone/+/877807
Committed: https://opendev.org/openstack/keystone/commit/f5db9801c23bde15d162a67d4fd6621e5bd09719
Submitter: "Zuul (22348)"
Branch:    master

commit f5db9801c23bde15d162a67d4fd6621e5bd09719
Author: Hiromu Asahina <[email protected]>
Date:   Fri Mar 17 23:16:04 2023 +0900

    Remove Dependency on Cryptography >=36.0.0
    
    The mTLS OAuth2.0 in Keystone uses a parameter that is only available on
    cryptography 36.0.0 or later. Users may have to upgrade cryptography
    which is already installed, which can be an unreasonable hassle. This
    patch introduces an alternative for that parameter.
    
    [1] https://cryptography.io/en/latest/changelog/#v36-0-0
    
    Closes-bug: 2009600
    Change-Id: Idffe269b62797bb2935429f4069e878a177db04f


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2009600

Title:
  Client authentication fails with cryptography 3.4.8

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  It seems the following commit may have introduced a hard dependency on
  cryptography 38.0.2. This poses a problem for downstream distributions
  where openstack is backported to older LTS releases. For example, in
  Ubuntu we are backporting antelope to jammy, where
  python3-cryptography is at 3.4.8. Having to backport cryptography
  38.0.2 is very complicated and error prone as it depends on many (25+)
  rust libraries that would also need to be backported.

  
  commit f6a0cce4409232d8ade69b7773dbabcf4c53ec0f
  Author: sunyonggen <[email protected]>
  Date:   Fri Oct 7 11:00:05 2022 +0900

      OAuth 2.0 Mutual-TLS Support
      
      The OAuth2.0 Access Token API is modified, support to get an OAuth2.0
      certificate-bound access token from the keystone identity server with
      OAuth 2.0 credentials and Mutual-TLS certificates.
      
      Co-Authored-By: Hiromu Asahina <[email protected]>
      Change-Id: I885527bec61429b1437a046097a16491848b5a0a
      Implements: blueprint support-oauth2-mtls


  To reproduce:
  1) clone the upstream keystone source
  2) run 'tox -e py3' (I'm running py311 fwiw)
  3) align dependencies for cryptography and openssl with Ubuntu Jammy:
  .tox/py311/bin/pip3 install cryptography==3.4.8
  .tox/py311/bin/pip3 install pyOpenSSL==21.0.0
  4) run tests again and see failures


  Here is an example of a failure:

  keystone.tests.unit.test_v3_oauth2.OAuth2CertificateTests.test_get_access_token_ignore_email
  --------------------------------------------------------------------------------------------

  Captured traceback:
  ~~~~~~~~~~~~~~~~~~~
      Traceback (most recent call last):

        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 1379, in test_get_access_token_ignore_email
          resp = self._get_access_token(
                 ^^^^^^^^^^^^^^^^^^^^^^^

        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 871, in _get_access_token
          resp = self.post(
                 ^^^^^^^^^^

        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 484, in post
          return self.v3_request(path, method='POST',
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 458, in v3_request
          return self.v3_noauth_request(path, **kwargs)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 453, in v3_noauth_request
          return self.admin_request(path=path, **kwargs)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 211, in admin_request
          return self._request(app=self.public_app, **kwargs)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 202, in _request
          response = self.request(**kwargs)
                     ^^^^^^^^^^^^^^^^^^^^^^

        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 87, in request
          response = app.request(path, headers=headers,
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

        File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 579, in request
          return self.do_request(req,
                 ^^^^^^^^^^^^^^^^^^^^

        File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 646, in do_request
          self._check_status(status, res)

        File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 680, in _check_status
          raise AppError(

      webtest.app.AppError: Bad response: 401 Unauthorized (not 200)
      b'{"error":"invalid_client","error_description":"Client authentication failed."}\n'

  Captured pythonlogging:
  ~~~~~~~~~~~~~~~~~~~~~~~
      No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
      NeedRegenerationException
      no value, waiting for create lock
      value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8683910090> acquired
      No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
      Calling creation function for not-yet-present value
      Cache value generated in 0.008 seconds for key(s): 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
      Released creation lock
      Truncating password to algorithm specific maximum length 54 characters.
      No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
      NeedRegenerationException
      no value, waiting for create lock
      value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8684b9f790> acquired
      No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
      Calling creation function for not-yet-present value
      Cache value generated in 0.025 seconds for key(s): 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
      Released creation lock
      Truncating password to algorithm specific maximum length 54 characters.
      REQUEST_METHOD: `POST`
      SCRIPT_NAME: ``
      PATH_INFO: `/v3/OS-OAUTH2/token`
      NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
      Traceback (most recent call last):
        File "/home/corey/pkg/antelope/upstream/keystone/keystone/common/utils.py", line 482, in get_certificate_subject_dn
          name, value = item.rfc4514_string(
                        ^^^^^^^^^^^^^^^^^^^^
      TypeError: NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
      Get OAuth2.0 Access Token API: failed to get the subject DN from the certificate.
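The failure above comes from `NameAttribute.rfc4514_string(attr_name_overrides=...)`, a keyword that only exists in cryptography 36.0.0 and later. As an added example (not keystone's own code or the fix in the commit above), the following reads the client certificate's subject DN using only `attr.oid` and `attr.value`, which every cryptography version mentioned on this page provides; the `SHORT_NAMES` table, `get_subject_dn` and the self-signed sample certificate are this example's own assumptions.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Our own OID -> short-name table (assumed for this example). Keeping it in
# application code avoids rfc4514_string(attr_name_overrides=...), which is
# cryptography >= 36.0.0 only; emailAddress has no RFC 4514 short name, so older
# releases would otherwise render it as a dotted OID with a hex-encoded value.
SHORT_NAMES = {
    NameOID.COMMON_NAME: "CN",
    NameOID.COUNTRY_NAME: "C",
    NameOID.STATE_OR_PROVINCE_NAME: "ST",
    NameOID.LOCALITY_NAME: "L",
    NameOID.ORGANIZATION_NAME: "O",
    NameOID.ORGANIZATIONAL_UNIT_NAME: "OU",
    NameOID.DOMAIN_COMPONENT: "DC",
    NameOID.EMAIL_ADDRESS: "emailAddress",
}


def get_subject_dn(cert_pem: bytes) -> dict:
    """Return the certificate's subject DN as {short_name: value}."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    dn = {}
    for attr in cert.subject:
        # Unknown OIDs keep their dotted form so no attribute is silently lost.
        dn[SHORT_NAMES.get(attr.oid, attr.oid.dotted_string)] = attr.value
    return dn


def make_test_cert_pem(common_name: str, email: str) -> bytes:
    """Constructed self-signed client certificate, used only as sample input."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "example-org"),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)
```

Because the mapping lives in the application, the set of subject attributes accepted for mTLS client matching is explicit and reviewable rather than dependent on which cryptography release is installed.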
