Bug 2324227

Summary: [7.1][rgw][sts] with incorrect thumbprints in the OIDC provider, sts aswi request is successful bypassing thumbprint verification
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Hemanth Sai <hmaheswa>
Component: RGW    Assignee: Pritha Srivastava <prsrivas>
Status: CLOSED ERRATA QA Contact: Hemanth Sai <hmaheswa>
Severity: high Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified    
Version: 7.1    CC: ceph-eng-bugs, cephqe-warriors, mbenjamin, mkasturi, rpollack, tserlin, vereddy
Target Milestone: ---   
Target Release: 8.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-19.2.1-2.el9cp Doc Type: Bug Fix
Doc Text:
.`AssumeRoleWithWebIdentity` operation now fails as expected when incorrect thumbprints are added
Previously, due to a boolean flag being incorrectly set in the code, the `AssumeRoleWithWebIdentity` operation succeeded even when an incorrect thumbprint was registered in the `CreateOIDCProvider` call. As a result, `AssumeRoleWithWebIdentity` was able to succeed when it should have failed. With this fix, the boolean flag is not set when no correct thumbprints are found registered in the `CreateOIDCProvider` call. As a result, if the end user does not provide a correct thumbprint in the `CreateOIDCProvider` call, the `AssumeRoleWithWebIdentity` operation now fails as expected.
Story Points: ---
Clone Of: 2324153 Environment:
Last Closed: 2025-06-26 12:18:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2324153    
Bug Blocks: 2351689    

Description Hemanth Sai 2024-11-06 18:24:43 UTC
+++ This bug was initially created as a clone of Bug #2324153 +++

Description of problem:
with incorrect thumbprints in the OIDC provider, sts assume-role-with-web-identity request is successful bypassing thumbprint verification


log snippet:

actual thumbprints of the identity provider:

[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ ./obtain_oidc_thumbprint.sh 
C2746A3F9F2A39308C65031997971DC217DFE396
FB0E550188A5283990B1313D313712AE5BB82F45
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 


sts aswi request is successful with fake thumbprints in the OIDC provider:

[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl iam list-open-id-connect-providers
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "OpenIDConnectProviderList": [
        {
            "Arn": "arn:aws:iam:::oidc-provider/10.0.64.108:8180/realms/master"
        }
    ]
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl iam get-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam:::oidc-provider/10.0.64.108:8180/realms/master"
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "Url": "http://10.0.64.108:8180/realms/master",
    "ClientIDList": [
        "account",
        "sts_client"
    ],
    "ThumbprintList": [
        "E292963BBB547E837805C088572EB0C3D97AB3F0",
        "A2A1930F45FA426142B7D2FF34F936020691B99C"
    ],
    "CreateDate": "2024-11-05T18:49:44.130Z"
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl sts assume-role-with-web-identity --role-arn arn:aws:iam:::role/S3RoleOf.coryd.550 --role-session-name session1 --web-identity-token "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlUlA4c0VueGh3MG5NVVN1bHhUXzVSMFJUSnNxVmg5Z0hEck4tYzNyRUdjIn0.[...].YkUGztOBQj9MZTf3WsEifcBeUbQmjEC-AtvhlMogs75ZlQC7VvfICLLYj9ulrMzJDVMHSFn3eG645wRUnH6o_WVxOR6Jpup5RypJ_l_uWKh4ojsRqBAyNkClki1wGzEQPlwHycKRO7d_lSSAeutqxba5ebIX9wQO9xLfEn-a6Al84ELuq2wVQIzI5hal2vT7PApn-rdfsnlPva634PzSJ4bIjOCqIKMGFmEe35xaCYg3UUKc3m0R9xAmGNVhFLahqc0TLg6Rse7kosLrOgQITaWyTcqBj0cTejF9DZWiFgG7Z7Sg48_XIc2WwM-J0l8w1MiFmr8JsUe6xun-6uZJxQ"
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "Credentials": {
        "AccessKeyId": "cOC29o1YL1dp0O7TahgI",
        "SecretAccessKey": "1C4YQR65H8HFVQ860KMLBYDSM109SCDX082CFRGK",
        "SessionToken": "[...]",
        "Expiration": "2024-11-05T20:11:24.263516724Z"
    },
    "SubjectFromWebIdentityToken": "755021a9-3580-4b9f-8243-cb15dbd4aaac",
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts:::assumed-role/S3RoleOf.coryd.550/session1"
    },
    "PackedPolicySize": 0,
    "Provider": "http://10.0.64.108:8180/realms/master",
    "Audience": "master-realm"
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 


Version-Release number of selected component (if applicable):
ceph version 19.2.0-52.el9cp

How reproducible:
always

Steps to Reproduce:
1. Create an OIDC provider with the identity provider URL and incorrect thumbprints.
2. Create a role and put a role policy on the role.
3. Create a user and add the roles=* and oidc-provider=* capabilities to it.
4. Try to perform sts aswi. The request is successful, bypassing thumbprint verification.

Actual results:
sts aswi request is successful bypassing thumbprint verification

Expected results:
expected sts aswi request fails if incorrect thumbprints are present in OIDC provider

Additional info:
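
The report compares the thumbprints printed by obtain_oidc_thumbprint.sh against the ThumbprintList stored in the OIDC provider, and the two lists share no entry. The following is an added example (not RGW source and not part of this bug report) that turns that comparison into a pre-flight check an operator can run against the `get-open-id-connect-provider` output, and places a simplified model of the described defect (the verified flag being set before any thumbprint actually matches) beside the corrected rule. The JSON and thumbprint values are copied from the report above as sample input; the two `thumbprint_verified_*` functions are a hypothetical illustration of the behaviour the Doc Text describes, not the real RGW code path.

```python
import hashlib
import json
from typing import Iterable, List

# Sample input: the `aws iam get-open-id-connect-provider` output shown in the
# report (values copied from the report, not fetched live).
PROVIDER_JSON = """{
    "Url": "http://10.0.64.108:8180/realms/master",
    "ClientIDList": ["account", "sts_client"],
    "ThumbprintList": [
        "E292963BBB547E837805C088572EB0C3D97AB3F0",
        "A2A1930F45FA426142B7D2FF34F936020691B99C"
    ],
    "CreateDate": "2024-11-05T18:49:44.130Z"
}"""

# Thumbprints obtain_oidc_thumbprint.sh printed for the real identity provider
# (copied from the report).
ACTUAL_IDP_THUMBPRINTS = [
    "C2746A3F9F2A39308C65031997971DC217DFE396",
    "FB0E550188A5283990B1313D313712AE5BB82F45",
]


def thumbprint_of_der(der: bytes) -> str:
    """Thumbprint in the form the provider stores: upper-case hex SHA-1 of the
    DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize(tp: str) -> str:
    """Accept 'AB:CD:..' (openssl -fingerprint style) or bare hex, any case."""
    return tp.replace(":", "").strip().upper()


def registered_thumbprints(provider_json: str) -> List[str]:
    """Pull the ThumbprintList out of the get-open-id-connect-provider output."""
    return [normalize(t) for t in json.loads(provider_json)["ThumbprintList"]]


def thumbprint_verified_buggy(chain: Iterable[str], registered: Iterable[str]) -> bool:
    """Hypothetical model of the pre-fix behaviour: the verified flag is set as
    soon as a registered thumbprint is examined, before the comparison result
    is known, so any non-empty ThumbprintList passes."""
    verified = False
    reg = [normalize(r) for r in registered]
    for tp in chain:
        for r in reg:
            verified = True  # the defect: flag set regardless of a match
            if normalize(tp) == r:
                return True
    return verified


def thumbprint_verified_fixed(chain: Iterable[str], registered: Iterable[str]) -> bool:
    """Corrected rule: verified only if some certificate in the IdP chain has a
    thumbprint that is present in the registered list."""
    reg = {normalize(r) for r in registered}
    return any(normalize(tp) in reg for tp in chain)


def audit_provider(provider_json: str, actual_chain: Iterable[str]) -> dict:
    """Operator's pre-flight check: does the registered list contain at least one
    thumbprint of the IdP's real certificate chain?"""
    reg = registered_thumbprints(provider_json)
    matched = sorted({normalize(t) for t in actual_chain} & set(reg))
    return {"registered": reg, "matched": matched, "ok": bool(matched)}


if __name__ == "__main__":
    report = audit_provider(PROVIDER_JSON, ACTUAL_IDP_THUMBPRINTS)
    print(json.dumps(report, indent=2))
    print("pre-fix model accepts:", thumbprint_verified_buggy(ACTUAL_IDP_THUMBPRINTS, report["registered"]))
    print("fixed rule accepts:   ", thumbprint_verified_fixed(ACTUAL_IDP_THUMBPRINTS, report["registered"]))
```

Running the audit on the report's values yields `"ok": false` with an empty `matched` list, which is the state that should have made `assume-role-with-web-identity` fail; the buggy model still returns True for it, the corrected rule returns False. Re-running `audit_provider` after `CreateOIDCProvider` (or whenever the identity provider rotates its certificate) catches a stale or mistyped ThumbprintList before it is relied on.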

Comment 9 errata-xmlrpc 2025-06-26 12:18:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.1 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:9775

Comment 10 Red Hat Bugzilla 2025-10-29 04:25:04 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days