Bug 1696115

Summary: [admin] IdentityProvider with duplicated name should not be created successfully.
Product: OpenShift Container Platform Reporter: XiaochuanWang <xiaocwan>
Component: Management ConsoleAssignee: Samuel Padgett <spadgett>
Status: CLOSED ERRATA QA Contact: Yadan Pei <yapei>
Severity: high Docs Contact:
Priority: high    
Version: 4.1.0CC: aos-bugs, chuyu, eparis, evb, gblomqui, jokerman, mkhan, mmccomas, nagrawal, pweil, spadgett
Target Milestone: ---   
Target Release: 4.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: f this bug is not fixed by Friday, May 3, we will move this to 4.2. Update 5/2: All the changes for fix are done in PR, awaiting CI
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-04 10:47:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description XiaochuanWang 2019-04-04 07:51:52 UTC 
Description of problem:
User create two Oauth Identities with same name, the 2nd one should not be created successfully

Version-Release number of selected component (if applicable):
4.0.0-0.nightly-2019-04-03-202419

How reproducible:
Always

Steps to Reproduce:
1. Cluster-admin user login on OAuth page and create an OpenID identities using Gitlab:

1) Add application on setting page: 
https://gitlab.com/profile/applications 
Fill in the Redirect URI: https://<$ oc get route -n openshift-authentication> + /oauth2callback/ + <openId name such as openid-xiaocwan>
Get the ClientID and ClientSecret

2) On "Add Identity Provider: OpenID Connect" page:
Fill in the Name as the openid-xiaocwan
Fill in the ClientID and ClientSecret copied from Gitlab.
Fill in Issuer URL 'https://gitlab.com' 

2. Create and wait for the pod ($ oc get pod -n openshift-authentication) succeed.
3. Repeat above steps and create another identity with same name (openid-xiaocwan)

Actual results:
3. Create successfully. The pods under openshift-authentication is CrashLoopBackOff until the first identity deleted.

Expected results:
3. Console should block the creation for the duplicated identity.

Additional info:
Htpasswd also reproduces.
oc logs openshift-authentication-5865bb76-w6v7z -n openshift-authentication
Command "openshift-osinserver" is deprecated, will be removed in 4.0
panic: http: multiple registrations for /login/htpasswdtest

goroutine 1 [running]:
net/http.(*ServeMux).Handle(0xc421a474d0, 0xc421a7c0a0, 0x13, 0xb4056e0, 0xc4206bdb80)
    /opt/rh/go-toolset-1.10/root/usr/lib/go-toolset-1.10-golang/src/net/http/server.go:2356 +0x239
net/http.(*ServeMux).HandleFunc(0xc421a474d0, 0xc421a7c0a0, 0x13, 0xc4206bdb80)
    /opt/rh/go-toolset-1.10/root/usr/lib/go-toolset-1.10-golang/src/net/http/server.go:2371 +0x55
github.com/openshift/origin/pkg/oauthserver/server/login.(*Login).Install(0xc420bf4340, 0xb41fa20, 0xc421a474d0, 0xc420ecce58, 0x1, 0x1)
    /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/oauthserver/server/login/login.go:98 +0x57
github.com/openshift/origin/pkg/oauthserver/oauthserver.(*OAuthServerConfig).getAuthenticationHandler(0xc42135d680, 0xb41fa20, 0xc421a474d0, 0xb3f7bc0, 0xc4206bda50, 0x523fd20, 0xc4206bda50, 0xb3f7c00, 0xc4204a4f40)
Comment 2 Samuel Padgett 2019-04-04 12:21:46 UTC 
Changing component to Auth since the validation needs to happen on the backend. Otherwise it would be possible to create duplicate names from other clients.
Comment 3 Erica von Buelow 2019-04-05 12:41:31 UTC 
Should be handled as part of OAuth CRD validation: https://github.com/openshift/origin/pull/21922
Comment 5 Mo 2019-04-05 13:43:14 UTC 
*** Bug 1677587 has been marked as a duplicate of this bug. ***
Comment 9 XiaochuanWang 2019-05-13 09:40:32 UTC 
Function is acceptable, will move it to Verified. Duplicated name for identity provider is not allowed to be created on console. It behave correctly on both htpasswd and OpenId with Gitlab. Only the slightly change now is the new creating OpenId page will open as an edit view but it does create a new one.

But I assume here is a new issue for OpenId creating page when there is already one: 
The values of ClientID and ClientSecret should better to be cleared when creating the 2nd one, otherwise the existing one still match the previous callback url and it won't work for the new Identity Provider name. User need to remove both values sooner or later.


Tested on Cluster version: 4.1.0-rc.3
image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e6dd4bf3fdb483a93d6e84a5574e0f2514cb1cbf1b4407e52e6c94fd66e3648d
Commit ID: https://github.com/openshift/console/commit/d8fc460a3d0e9f8de3d14373de8f36ba09103537
Comment 10 XiaochuanWang 2019-05-13 09:49:22 UTC 
(In reply to Samuel Padgett from comment #2)
> Changing component to Auth since the validation needs to happen on the
> backend. Otherwise it would be possible to create duplicate names from other
> clients.
Comment 11 Mo 2019-05-13 12:01:49 UTC 
Moving back to console since the issue being mentioned is specific to the UI.  I do think we should just close this BZ and make a new one.
Comment 12 Samuel Padgett 2019-05-13 13:18:10 UTC 
(In reply to XiaochuanWang from comment #9)
> 
> But I assume here is a new issue for OpenId creating page when there is
> already one: 
> The values of ClientID and ClientSecret should better to be cleared when
> creating the 2nd one, otherwise the existing one still match the previous
> callback url and it won't work for the new Identity Provider name. User need
> to remove both values sooner or later.

I'm not sure I understand what the issue is. Can you give specific steps to reproduce?

This sounds like it should be a different bug, however.
Comment 13 XiaochuanWang 2019-05-14 06:22:26 UTC 
Agree to move it to Verified since the duplicated name failed to created since the issue now is specific to console.


Tested on Cluster version: 4.1.0-rc.3
image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e6dd4bf3fdb483a93d6e84a5574e0f2514cb1cbf1b4407e52e6c94fd66e3648d
Commit ID: https://github.com/openshift/console/commit/d8fc460a3d0e9f8de3d14373de8f36ba09103537
Comment 15 errata-xmlrpc 2019-06-04 10:47:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758