Bug 2324227

Summary: [7.1][rgw][sts] with incorrect thumbprints in the OIDC provider, sts aswi request is successful bypassing thumbprint verification
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Hemanth Sai <hmaheswa>
Component: RGWAssignee: Pritha Srivastava <prsrivas>
Status: VERIFIED --- QA Contact: Hemanth Sai <hmaheswa>
Severity: high Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified    
Version: 7.1CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, mkasturi, rpollack, tserlin, vereddy
Target Milestone: ---Flags: prsrivas: needinfo? (mbenjamin)
Target Release: 8.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-19.2.1-2.el9cp Doc Type: Bug Fix
Doc Text:
.`AssumeRoleWithWebIdentity` operations now fails as expected when incorrect thumbprints are added Previously, due to a boolean flag being incorrectly set in the code, the `AssumeRoleWithWebIdentity` operation succeeded even when an incorrect thumbprint was registered in the CreateOIDCProvider call. As a result, `AssumeRoleWithWebIdentity` was able to succeed when it should have failed. With this fix, the boolean flag is not set when no correct thumbprints are found registered in the `CreateOIDCProvider` call. As a result, if the end user does not provide a correct thumbprint in the `CreateOIDCProvider` call, the `AssumeRoleWithWebIdentity` operation now fails as expected.
 Story Points: ---
Clone Of: 2324153 Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2324153    
Bug Blocks: 2351689    

Description Hemanth Sai 2024-11-06 18:24:43 UTC 
+++ This bug was initially created as a clone of Bug #2324153 +++

Description of problem:
with incorrect thumbprints in the OIDC provider, sts assume-role-with-web-identity request is successful bypassing thumbprint verification


log snippet:

actual thumbprints of the identity provider:

[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ ./obtain_oidc_thumbprint.sh 
C2746A3F9F2A39308C65031997971DC217DFE396
FB0E550188A5283990B1313D313712AE5BB82F45
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 


sts aswi request is successful with fake thumbprints in the OIDC provider:

[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl iam list-open-id-connect-providers
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "OpenIDConnectProviderList": [
        {
            "Arn": "arn:aws:iam:::oidc-provider/10.0.64.108:8180/realms/master"
        }
    ]
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl iam get-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam:::oidc-provider/10.0.64.108:8180/realms/master"
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "Url": "http://10.0.64.108:8180/realms/master",
    "ClientIDList": [
        "account",
        "sts_client"
    ],
    "ThumbprintList": [
        "E292963BBB547E837805C088572EB0C3D97AB3F0",
        "A2A1930F45FA426142B7D2FF34F936020691B99C"
    ],
    "CreateDate": "2024-11-05T18:49:44.130Z"
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl sts assume-role-with-web-identity --role-arn arn:aws:iam:::role/S3RoleOf.coryd.550 --role-session-name session1 --web-identity-token "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlUlA4c0VueGh3MG5NVVN1bHhUXzVSMFJUSnNxVmg5Z0hEck4tYzNyRUdjIn0.eyJleHAiOjE3MzA4MzczNzQsImlhdCI6MTczMDgzMzc3NCwianRpIjoiZjZjNmQ0MjItZjEyYS00Y2I5LWJiYTctYzQ3OWMzNTMxNzFmIiwiaXNzIjoiaHR0cDovLzEwLjAuNjQuMTA4OjgxODAvcmVhbG1zL21hc3RlciIsImF1ZCI6WyJhY2NvdW50IiwibWFzdGVyLXJlYWxtIl0sInN1YiI6Ijc1NTAyMWE5LTM1ODAtNGI5Zi04MjQzLWNiMTVkYmQ0YWFhYyIsInR5cCI6IkJlYXJlciIsImF6cCI6InN0c19jbGllbnQiLCJhY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImNyZWF0ZS1yZWFsbSIsImRlZmF1bHQtcm9sZXMtbWFzdGVyIiwib2ZmbGluZV9hY2Nlc3MiLCJhZG1pbiIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsibWFzdGVyLXJlYWxtIjp7InJvbGVzIjpbInZpZXctaWRlbnRpdHktcHJvdmlkZXJzIiwidmlldy1yZWFsbSIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwiY3JlYXRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInF1ZXJ5LXJlYWxtcyIsInZpZXctYXV0aG9yaXphdGlvbiIsInF1ZXJ5LWNsaWVudHMiLCJxdWVyeS11c2VycyIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50cyIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9yaXphdGlvbiIsIm1hbmFnZS1jbGllbnRzIiwicXVlcnktZ3JvdXBzIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBzZXNzaW9uX3RhZ3Nfc2NvcGUgZW1haWwgc2V0X2F1ZGllbmNlX3Njb3BlIHByb2ZpbGUiLCJjbGllbnRIb3N0IjoiMTAuMC42NC4xMDgiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1zdHNfY2xpZW50IiwiY2xpZW50QWRkcmVzcyI6IjEwLjAuNjQuMTA4IiwiY2xpZW50X2lkIjoic3RzX2NsaWVudCJ9.YkUGztOBQj9MZTf3WsEifcBeUbQmjEC-AtvhlMogs75ZlQC7VvfICLLYj9ulrMzJDVMHSFn3eG645wRUnH6o_WVxOR6Jpup5RypJ_l_uWKh4ojsRqBAyNkClki1wGzEQPlwHycKRO7d_lSSAeutqxba5ebIX9wQO9xLfEn-a6Al84ELuq2wVQIzI5hal2vT7PApn-rdfsnlPva634PzSJ4bIjOCqIKMGFmEe35xaCYg3UUKc3m0R9xAmGNVhFLahqc0TLg6Rse7kosLrOgQITaWyTcqBj0cTejF9DZWiFgG7Z7Sg48_XIc2WwM-J0l8w1MiFmr8JsUe6xun-6uZJxQ"
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "Credentials": {
        "AccessKeyId": "cOC29o1YL1dp0O7TahgI",
        "SecretAccessKey": "1C4YQR65H8HFVQ860KMLBYDSM109SCDX082CFRGK",
        "SessionToken": "v1C6u04WqxEtAnDvKMWZZpcj7N+pKRe2lV7+WY9YrgY75y3ITcu0jO8Y8Qs3yYvQXBXf22dlHyHdu1WA38UoZw4RF6Ue/w119iIOAzg8imQXyrCLZQ+L8Qyg4XeZr7mskjT9HLZUvUjlEas8sWYSfcNZpBfuCsM+TH0bak4WnpFzx+51A/o5XloIESX3KdAWPTkbN0oEdJn3Oi8gk+SCp09U32Iya0XAn0QUcxqhJJOX8w7gnGC6+Nhzp1OMkuaCD5bnAiozDylsOSrFr8XQZwMmkdS6wMhXnO3J3Sgb9RKjfDlTtqm27cm5TGL6joPDvu9KCUXkr6ZLUjeCNfw7VaG+u+msSHU1pgjqwuZW1BosT+J/PJCfh2Dr3tORYbFmCD0/P5G5RyLXpB1nHZQ3IPrnv8k52vnh06Ch361qTxyz59O34Or1nFQr28Ou9MjaeuItTtFBQHRhVya4/9XUUlASQbpDWpkbvNG0/TC/iOTR0lAW6A+CPs7lNN0LZ7fb",
        "Expiration": "2024-11-05T20:11:24.263516724Z"
    },
    "SubjectFromWebIdentityToken": "755021a9-3580-4b9f-8243-cb15dbd4aaac",
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts:::assumed-role/S3RoleOf.coryd.550/session1"
    },
    "PackedPolicySize": 0,
    "Provider": "http://10.0.64.108:8180/realms/master",
    "Audience": "master-realm"
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 


Version-Release number of selected component (if applicable):
ceph version 19.2.0-52.el9cp

How reproducible:
always

Steps to Reproduce:
1.create an OIDC provider with identity provider url and incorrect thumbprints
2.create a role, put role policy to the role.
3.create an user, add roles=* and oidc-provider=* capabilities to it.
4.try to perform sts aswi. the request is successful bypassing thumbprint verification

Actual results:
sts aswi request is successful bypassing thumbprint verification

Expected results:
expected sts aswi request fails if incorrect thumbprints are present in OIDC provider

Additional info: