Reviewed:  https://review.opendev.org/c/openstack/keystone/+/877807
Committed: https://opendev.org/openstack/keystone/commit/f5db9801c23bde15d162a67d4fd6621e5bd09719
Submitter: "Zuul (22348)"
Branch:    master
commit f5db9801c23bde15d162a67d4fd6621e5bd09719
Author: Hiromu Asahina <[email protected]>
Date:   Fri Mar 17 23:16:04 2023 +0900

    Remove Dependency on Cryptography >=36.0.0

    The mTLS OAuth2.0 in Keystone uses a parameter that is only available
    on cryptography 36.0.0 or later. Users may have to upgrade cryptography
    which is already installed, which can be an unreasonable hassle. This
    patch introduces an alternative for that parameter.

    [1] https://cryptography.io/en/latest/changelog/#v36-0-0

    Closes-bug: 2009600
    Change-Id: Idffe269b62797bb2935429f4069e878a177db04f

** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2009600

Title:
  Client authentication fails with cryptography 3.4.8

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  It seems the following commit may have introduced a hard dependency on
  cryptography 38.0.2. This poses a problem for downstream distributions
  where openstack is backported to older LTS releases. For example, in
  Ubuntu we are backporting antelope to jammy, where python3-cryptography
  is at 3.4.8. Having to backport cryptography 38.0.2 is very complicated
  and error prone as it depends on many (25+) rust libraries that would
  also need to be backported.

  commit f6a0cce4409232d8ade69b7773dbabcf4c53ec0f
  Author: sunyonggen <[email protected]>
  Date:   Fri Oct 7 11:00:05 2022 +0900

      OAuth 2.0 Mutual-TLS Support

      The OAuth2.0 Access Token API is modified, support to get an OAuth2.0
      certificate-bound access token from the keystone identity server with
      OAuth 2.0 credentials and Mutual-TLS certificates.
      Co-Authored-By: Hiromu Asahina <[email protected]>
      Change-Id: I885527bec61429b1437a046097a16491848b5a0a
      Implements: blueprint support-oauth2-mtls

  To reproduce:
  1) clone the upstream keystone source
  2) run 'tox -e py3' (I'm running py311 fwiw)
  3) align dependencies for cryptography and openssl with Ubuntu Jammy:
     .tox/py311/bin/pip3 install cryptography==3.4.8
     .tox/py311/bin/pip3 install pyOpenSSL==21.0.0
  4) run tests again and see failures

  Here is an example of a failure:

  keystone.tests.unit.test_v3_oauth2.OAuth2CertificateTests.test_get_access_token_ignore_email
  --------------------------------------------------------------------------------------------
  Captured traceback:
  ~~~~~~~~~~~~~~~~~~~
      Traceback (most recent call last):
        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 1379, in test_get_access_token_ignore_email
          resp = self._get_access_token(
                 ^^^^^^^^^^^^^^^^^^^^^^^
        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3_oauth2.py", line 871, in _get_access_token
          resp = self.post(
                 ^^^^^^^^^^
        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 484, in post
          return self.v3_request(path, method='POST',
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 458, in v3_request
          return self.v3_noauth_request(path, **kwargs)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/test_v3.py", line 453, in v3_noauth_request
          return self.admin_request(path=path, **kwargs)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 211, in admin_request
          return self._request(app=self.public_app, **kwargs)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 202, in _request
          response = self.request(**kwargs)
                     ^^^^^^^^^^^^^^^^^^^^^^
        File "/home/corey/pkg/antelope/upstream/keystone/keystone/tests/unit/rest.py", line 87, in request
          response = app.request(path, headers=headers,
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 579, in request
          return self.do_request(req,
                 ^^^^^^^^^^^^^^^^^^^^
        File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 646, in do_request
          self._check_status(status, res)
        File "/home/corey/pkg/antelope/upstream/keystone/.tox/py311/lib/python3.11/site-packages/webtest/app.py", line 680, in _check_status
          raise AppError(
      webtest.app.AppError: Bad response: 401 Unauthorized (not 200)
      b'{"error":"invalid_client","error_description":"Client authentication failed."}\n'

  Captured pythonlogging:
  ~~~~~~~~~~~~~~~~~~~~~~~
      No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
      NeedRegenerationException
      no value, waiting for create lock
      value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8683910090> acquired
      No value present for key: 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
      Calling creation function for not-yet-present value
      Cache value generated in 0.008 seconds for key(s): 'keystone.resource.core:get_domain|a4e9718804df4c33b42a3741e719890f'
      Released creation lock
      Truncating password to algorithm specific maximum length 54 characters.
      No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
      NeedRegenerationException
      no value, waiting for create lock
      value creation lock <dogpile.cache.region.CacheRegion._LockWrapper object at 0x7f8684b9f790> acquired
      No value present for key: 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
      Calling creation function for not-yet-present value
      Cache value generated in 0.025 seconds for key(s): 'keystone.resource.core:get_domain|ff0b39fd7d554f558fed56cea91e12d8'
      Released creation lock
      Truncating password to algorithm specific maximum length 54 characters.
      REQUEST_METHOD: `POST`
      SCRIPT_NAME: ``
      PATH_INFO: `/v3/OS-OAUTH2/token`
      NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
      Traceback (most recent call last):
        File "/home/corey/pkg/antelope/upstream/keystone/keystone/common/utils.py", line 482, in get_certificate_subject_dn
          name, value = item.rfc4514_string(
                        ^^^^^^^^^^^^^^^^^^^^
      TypeError: NameAttribute.rfc4514_string() got an unexpected keyword argument 'attr_name_overrides'
      Get OAuth2.0 Access Token API: failed to get the subject DN from the certificate.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2009600/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
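The traceback in the captured logging above shows where the 401 comes from: keystone's get_certificate_subject_dn() passes attr_name_overrides to NameAttribute.rfc4514_string(), a keyword cryptography only added in 36.0.0 (the changelog entry the fix cites), so on 3.4.8 the call raises TypeError, the subject DN is never read, and the token request is refused with invalid_client rather than issued against an unbound identity. The block below is an added example; it is not keystone's code and not the code of the fix. It shows two ways to read the subject DN that work on any cryptography release: taking NameAttribute.oid and .value directly (for a name/value mapping no RFC 4514 string is needed at all), and, where an RFC 4514 string is wanted, trying the keyword and falling back to a local formatter on TypeError. The certificate is constructed inside the block, and OID_TO_NAME, attr_name, get_subject_dn, escape_dn_value, rfc4514_fallback, subject_rfc4514 and make_test_cert_pem are this example's own names, not keystone's.

```python
"""Subject DN extraction that does not need cryptography >= 36.0.0.
Added example (not keystone's code); assumes only the `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# RFC 4514 section 3 short names plus emailAddress (PKCS#9), which cryptography's
# built-in table lacks: without an override the attribute is rendered under its
# dotted OID 1.2.840.113549.1.9.1, which is what attr_name_overrides was for.
OID_TO_NAME = {
    NameOID.COMMON_NAME: "CN",
    NameOID.LOCALITY_NAME: "L",
    NameOID.STATE_OR_PROVINCE_NAME: "ST",
    NameOID.ORGANIZATION_NAME: "O",
    NameOID.ORGANIZATIONAL_UNIT_NAME: "OU",
    NameOID.COUNTRY_NAME: "C",
    NameOID.STREET_ADDRESS: "STREET",
    NameOID.DOMAIN_COMPONENT: "DC",
    NameOID.USER_ID: "UID",
    NameOID.EMAIL_ADDRESS: "emailAddress",
}


def attr_name(oid: x509.ObjectIdentifier) -> str:
    """Short name for an attribute OID; dotted form if unknown (never dropped)."""
    return OID_TO_NAME.get(oid, oid.dotted_string)


def get_subject_dn(cert_pem: bytes) -> dict:
    """Subject DN as {name: value}, read from NameAttribute.oid/.value, which every
    cryptography release has. No RFC 4514 string is built or parsed here."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    return {attr_name(attr.oid): attr.value for attr in cert.subject}


def escape_dn_value(value) -> str:
    """Escape one attribute value per RFC 4514 section 2.4 (own implementation)."""
    if isinstance(value, bytes):  # binary attribute types: hex-encoded DER
        return "#" + value.hex()
    if not value:
        return ""
    out = value
    for ch in ("\\", '"', "+", ",", ";", "<", ">"):  # backslash must go first
        out = out.replace(ch, "\\" + ch)
    out = out.replace("\0", "\\00")
    if out[0] in ("#", " "):
        out = "\\" + out
    if out[-1] == " ":
        out = out[:-1] + "\\ "
    return out


def rfc4514_fallback(name: x509.Name) -> str:
    """RFC 4514 string for pre-36.0.0 releases. RDNs go out in reverse sequence
    order (RFC 4514 section 2.1), the same order Name.rfc4514_string() uses."""
    return ",".join(
        "+".join(f"{attr_name(a.oid)}={escape_dn_value(a.value)}" for a in rdn)
        for rdn in reversed(name.rdns)
    )


def subject_rfc4514(cert_pem: bytes, force_fallback: bool = False) -> str:
    """Native attr_name_overrides when the installed cryptography has it, the
    local formatter otherwise (or on request, to exercise that path)."""
    subject = x509.load_pem_x509_certificate(cert_pem).subject
    if not force_fallback:
        try:
            return subject.rfc4514_string(attr_name_overrides=OID_TO_NAME)
        except TypeError:  # cryptography < 36.0.0: the keyword does not exist
            pass
    return rfc4514_fallback(subject)


def make_test_cert_pem() -> bytes:
    """Constructed sample: a self-signed cert whose subject carries emailAddress
    (the attribute the failing ..._ignore_email test used) and a value that
    needs RFC 4514 escaping."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Acme, Inc."),
        x509.NameAttribute(NameOID.COMMON_NAME, "alice"),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, "alice@example.com"),
    ])
    start = datetime.datetime(2023, 3, 1)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    pem = make_test_cert_pem()
    print(get_subject_dn(pem), subject_rfc4514(pem), subject_rfc4514(pem, True))
```

The fallback maps an unknown OID to its dotted form rather than skipping it: with certificate-bound tokens the subject DN is the identity the token is tied to, so a formatter that silently loses an attribute would make two different subjects compare equal. force_fallback=True exists so the local path can be checked against the native one on a release that has the keyword; on 3.4.8 both calls take the fallback path.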

