bind_password field in LDAP JSON does not accept $ in the password
setswei opened this issue
SUMMARY
I was configuring LDAP authentication and I created a service account in my AD domain called svc-duo-proxy. I randomly generated a password. This password contained a '$'. This caused the st2auth service to constantly crash.
STACKSTORM VERSION
st2 3.8.0, on Python 3.8.10
OS, environment, install method
Ubuntu 20.04 LTS
/etc/lsb-release details
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.6 LTS"
Steps to reproduce the problem
Utilise a password that contains a $ within the password and it will crash the st2auth service constantly
Example Configuration
[auth]
host = 127.0.0.1
port = 9100
mode = standalone
backend = ldap
backend_kwargs = {"bind_dn": "CN=username,ou=orgunit,dc=domain", "bind_password": "Pa$$w0rd01", "id_attr": "sAMAccountName" ,"base_ou": "dc=domain", "group_dns": ["cn=group,ou=ou,dc=domain"], "host": "xxx.xxx.xxx.xxx", "port": 389 }
api_url = http://127.0.0.1:9101/
debug = False
Expected Results
- st2auth service to stay online
- LDAP auth configuration should support $ with the password.
Actual Results
The st2 auth service crashes with the following Python error:
2023-10-23 10:18:41 +0000] [2000] [INFO] Starting gunicorn 20.1.0
[2023-10-23 10:18:41 +0000] [2000] [INFO] Listening at: http://127.0.0.1:9100 (2000)
[2023-10-23 10:18:41 +0000] [2000] [INFO] Using worker: eventlet
[2023-10-23 10:18:41 +0000] [2002] [INFO] Booting worker with pid: 2002
2023-10-23 10:18:41,884 140607890677424 INFO app [-] Creating st2auth: StackStorm v3.8.0 as OpenAPI app.
[2023-10-23 10:18:42 +0000] [2002] [ERROR] Exception in worker process
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2260, in _get
raise KeyError
KeyError
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2630, in __getitem__
value = self.conf._get(option, group=group,
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2264, in _get
value = self._do_get(name, group, namespace)
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2282, in _do_get
info = self._get_opt_info(name, group)
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2415, in _get_opt_info
raise NoSuchOptError(opt_name, group)
oslo_config.cfg.NoSuchOptError: no such option in group auth: TtBB
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2260, in _get
raise KeyError
KeyError
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/arbiter.py", line 589, in spawn_worker
worker.init_process()
File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/workers/geventlet.py", line 134, in init_process
super().init_process()
File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/workers/base.py", line 134, in init_process
self.load_wsgi()
File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/workers/base.py", line 146, in load_wsgi
self.wsgi = self.app.wsgi()
File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/app/base.py", line 67, in wsgi
self.callable = self.load()
File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/app/wsgiapp.py", line 58, in load
return self.load_wsgiapp()
File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/app/wsgiapp.py", line 48, in load_wsgiapp
return util.import_app(self.app_uri)
File "/opt/stackstorm/st2/lib/python3.8/site-packages/gunicorn/util.py", line 359, in import_app
mod = importlib.import_module(module)
File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
File "<frozen importlib._bootstrap>", line 991, in _find_and_load
File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
File "<frozen importlib._bootstrap_external>", line 848, in exec_module
File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2auth/wsgi.py", line 39, in <module>
application = app.setup_app(config)
File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2auth/app.py", line 56, in setup_app
common_setup(
File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/service_setup.py", line 125, in setup
config.parse_args(config_args)
File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2auth/config.py", line 31, in parse_args
cfg.CONF(
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 1876, in __call__
self._namespace = self._parse_cli_opts(args if args is not None
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2451, in _parse_cli_opts
return self._parse_config_files()
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2470, in _parse_config_files
self._validate_cli_options(namespace)
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2483, in _validate_cli_options
value = self._substitute(value, group=group, namespace=namespace)
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2348, in _substitute
ret = tmpl.safe_substitute(
File "/usr/lib/python3.8/string.py", line 147, in safe_substitute
return self.pattern.sub(convert, self.template)
File "/usr/lib/python3.8/string.py", line 138, in convert
return str(mapping[named])
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2633, in __getitem__
value = self.conf._get(key, namespace=self.namespace)
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2264, in _get
value = self._do_get(name, group, namespace)
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2282, in _do_get
info = self._get_opt_info(name, group)
File "/opt/stackstorm/st2/lib/python3.8/site-packages/oslo_config/cfg.py", line 2415, in _get_opt_info
raise NoSuchOptError(opt_name, group)
oslo_config.cfg.NoSuchOptError: no such option: TtBB
The error line 'oslo_config.cfg.NoSuchOptError: no such option: TtBB' shows a part of the password after the $
Thanks!
My configuration also has $ symbols in the PW and I had to type them twice in a row, so $ became $$. It works fine after that.
Relevant bug report?
https://bugs.launchpad.net/oslo-incubator/+bug/1259729
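The traceback and the `$$` workaround in this thread, modelled with Python's `string.Template` (the class behind the `safe_substitute` frame above). This is an added example, not StackStorm or oslo.config code; `OptionLookup`, `UnknownOption`, the helper names and the sample passwords are constructed for illustration.

```python
import json
from string import Template


class UnknownOption(Exception):
    """Stand-in for NoSuchOptError; assumed here not to be a KeyError."""


class OptionLookup(dict):
    """Hypothetical option mapping: a miss raises UnknownOption, not KeyError,
    so safe_substitute() does not swallow it (as in the traceback)."""

    def __missing__(self, key):
        raise UnknownOption(f"no such option: {key}")


def interpolate(raw_value, known_options):
    """Model of the $-substitution applied to a value read from the file."""
    return Template(raw_value).safe_substitute(OptionLookup(known_options))


def outcome(raw_value, known_options):
    """Classify what substitution does to a value written as-is."""
    try:
        result = interpolate(raw_value, known_options)
    except UnknownOption:
        return "crash"
    return "intact" if result == raw_value else "altered"


def escape_for_config(text):
    """Double every '$' so substitution returns the literal text."""
    return text.replace("$", "$$")


def render_backend_kwargs(bind_dn, bind_password):
    """Emit a backend_kwargs line whose JSON survives substitution."""
    kwargs = {"bind_dn": bind_dn, "bind_password": bind_password}
    return "backend_kwargs = " + escape_for_config(json.dumps(kwargs))


if __name__ == "__main__":
    opts = {"port": 9100}  # constructed option set
    for pw in ("Zq7$TtBB", "ab$port", "Pa$$w0rd01", "no-dollar"):  # constructed
        ok = interpolate(escape_for_config(pw), opts) == pw
        print(f"{pw!r:14} unescaped: {outcome(pw, opts):8} escaped round-trips: {ok}")
    print(render_backend_kwargs("CN=svc,dc=example", "Zq7$TtBB"))
```

Under this model a `$name` that matches an existing option is replaced silently instead of crashing, and a literal `$$` in an unescaped password collapses to a single `$`, so generated secrets are best escaped by the tooling that writes the file.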