StackStorm / st2

StackStorm (aka "IFTTT for Ops") is event-driven automation for auto-remediation, incident responses, troubleshooting, deployments, and more for DevOps and SREs. Includes rules engine, workflow, 160 integration packs with 6000+ actions (see https://exchange.stackstorm.org) and ChatOps. Installer at https://docs.stackstorm.com/install/index.html

Home Page: https://stackstorm.com/


bind_password field in LDAP JSON does not accept $ in the password

setswei opened this issue

SUMMARY

I was configuring LDAP authentication and I created a service account in my AD domain called svc-duo-proxy. I randomly generated a password. This password contained a '$'. This caused the st2auth service to constantly crash.

STACKSTORM VERSION

st2 3.8.0, on Python 3.8.10

OS, environment, install method

Ubuntu 20.04 LTS

/etc/lsb-release details

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.6 LTS"

Steps to reproduce the problem

Utilise a password that contains a $ within the password and it will crash the st2auth service constantly.

Example Configuration

[auth]
host = 127.0.0.1
port = 9100
mode = standalone
backend = ldap
backend_kwargs = {"bind_dn": "CN=username,ou=orgunit,dc=domain", "bind_password": "Pa$$w0rd01", "id_attr": "sAMAccountName" ,"base_ou": "dc=domain", "group_dns": ["cn=group,ou=ou,dc=domain"], "host": "xxx.xxx.xxx.xxx", "port": 389 }
api_url = http://127.0.0.1:9101/
debug = False

Expected Results

  • st2auth service to stay online
  • LDAP auth configuration should support $ with the password.

Actual Results

The st2auth service crashes with the following Python error:

[2023-10-23 10:18:41 +0000] [2000] [INFO] Starting gunicorn 20.1.0
[2023-10-23 10:18:41 +0000] [2000] [INFO] Listening at: http://127.0.0.1:9100 (2000)
[2023-10-23 10:18:41 +0000] [2000] [INFO] Using worker: eventlet
[2023-10-23 10:18:41 +0000] [2002] [INFO] Booting worker with pid: 2002
2023-10-23 10:18:41,884 140607890677424 INFO app [-] Creating st2auth: StackStorm v3.8.0 as OpenAPI app.
[2023-10-23 10:18:42 +0000] [2002] [ERROR] Exception in worker process
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2260, in _get
    raise KeyError
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2630, in __getitem__
    value = self.conf._get(option, group=group,
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2264, in _get
    value = self._do_get(name, group, namespace)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2282, in _do_get
    info = self._get_opt_info(name, group)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2415, in _get_opt_info
    raise NoSuchOptError(opt_name, group)
oslo_config.cfg.NoSuchOptError: no such option in group auth: TtBB

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2260, in _get
    raise KeyError
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/arbiter.py", line 589, in spawn_worker
    worker.init_process()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/workers/geventlet.py", line 134, in init_process
    super().init_process()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/workers/base.py", line 134, in init_process
    self.load_wsgi()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/workers/base.py", line 146, in load_wsgi
    self.wsgi = self.app.wsgi()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/app/base.py", line 67, in wsgi
    self.callable = self.load()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/app/wsgiapp.py", line 58, in load
    return self.load_wsgiapp()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/app/wsgiapp.py", line 48, in load_wsgiapp
    return util.import_app(self.app_uri)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/util.py", line 359, in import_app
    mod = importlib.import_module(module)
  File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
  File "<frozen importlib._bootstrap>", line 991, in _find_and_load
  File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 848, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2auth/wsgi.py", line 39, in <module>
    application = app.setup_app(config)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2auth/app.py", line 56, in setup_app
    common_setup(
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/service_setup.py", line 125, in setup
    config.parse_args(config_args)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2auth/config.py", line 31, in parse_args
    cfg.CONF(
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 1876, in __call__
    self._namespace = self._parse_cli_opts(args if args is not None
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2451, in _parse_cli_opts
    return self._parse_config_files()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2470, in _parse_config_files
    self._validate_cli_options(namespace)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2483, in _validate_cli_options
    value = self._substitute(value, group=group, namespace=namespace)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2348, in _substitute
    ret = tmpl.safe_substitute(
  File "/usr/lib/python3.8/string.py", line 147, in safe_substitute
    return self.pattern.sub(convert, self.template)
  File "/usr/lib/python3.8/string.py", line 138, in convert
    return str(mapping[named])
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2633, in __getitem__
    value = self.conf._get(key, namespace=self.namespace)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2264, in _get
    value = self._do_get(name, group, namespace)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2282, in _do_get
    info = self._get_opt_info(name, group)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2415, in _get_opt_info
    raise NoSuchOptError(opt_name, group)
oslo_config.cfg.NoSuchOptError: no such option: TtBB

The error line 'oslo_config.cfg.NoSuchOptError: no such option: TtBB' shows a part of the password after the $.

Thanks!

My configuration also has $ symbols in the PW and I had to type them twice in a row, so $ became $$. It works fine after that.
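
The crash and the `$$` workaround reported above can be reproduced with Python's `string.Template`, which the traceback shows being called from oslo.config's `_substitute`. This is an added example, not part of the issue thread or StackStorm's code; `NoSuchOpt`, `OptLookup`, the helper names and the sample password `Xy7$TtBB` are constructed stand-ins.

```python
import json
from string import Template


class NoSuchOpt(Exception):
    """Stand-in for the NoSuchOptError in the traceback. It is not a KeyError,
    so safe_substitute() does not swallow it and the caller crashes."""


class OptLookup:
    """Hypothetical option namespace: an unknown option name raises NoSuchOpt."""

    def __init__(self, opts):
        self._opts = opts

    def __getitem__(self, name):
        if name not in self._opts:
            raise NoSuchOpt(f"no such option: {name}")
        return self._opts[name]


def interpolate(raw_value, opts):
    """Expand $name references in a config value, as the traceback shows."""
    return Template(raw_value).safe_substitute(OptLookup(opts))


def escape_dollars(value):
    """Double every '$' so interpolation yields a literal '$' again."""
    return value.replace("$", "$$")


def backend_kwargs_value(bind_password):
    """Build an interpolation-safe backend_kwargs string for st2.conf."""
    kwargs = {"bind_dn": "CN=username,ou=orgunit,dc=domain",
              "bind_password": bind_password}
    return escape_dollars(json.dumps(kwargs))


if __name__ == "__main__":
    secret = "Xy7$TtBB"  # constructed sample password
    try:
        interpolate(secret, {})
    except NoSuchOpt as exc:
        print("unescaped:", exc)  # '$TtBB' is read as an option reference
    line = backend_kwargs_value(secret)
    print("st2.conf value:", line)
    print("after interpolation:", json.loads(interpolate(line, {})))
```

Under `string.Template` rules, a value that already contains `$$`, such as the `Pa$$w0rd01` in the example configuration, does not raise; it is reduced to `Pa$w0rd01`, so the bind uses a different password than the one written.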