Bug 1253045 - handle_exceptions() raises JSONDecodeError
Summary: handle_exceptions() raises JSONDecodeError
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Christian Heimes
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1250093
Reported: 2015-08-12 19:46 UTC by Matthew Harmsen
Modified: 2020-10-04 20:53 UTC (History)

Fixed In Version: pki-core-10.2.5-5.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 09:22:58 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | dogtagpki pki issues 2047 | 0 | None | None | None | 2020-10-04 20:53:23 UTC
Red Hat Product Errata | RHBA-2015:2276 | 0 | normal | SHIPPED_LIVE | pki-core bug fix and enhancement update | 2015-11-19 09:32:49 UTC

Description Matthew Harmsen 2015-08-12 19:46:18 UTC
pki.handle_exceptions() expects that the body of an HTTPException is always valid JSON. The expectation doesn't hold true in some cases. For example, in https://fedorahosted.org/freeipa/ticket/5129 an authentication error has no JSON body. The JSONDecodeError hides the true cause of the error.

Pushed in 9fa1d0c968977ef23e26556b0a8e8e76b32c7288

Comment 2 Roshni 2015-08-28 16:08:47 UTC
Please provide verification steps for this bug.

Comment 3 Endi Sukma Dewata 2015-09-03 19:31:31 UTC
I have not tried this, but per discussion with alee this bug probably can be verified as follows:
1. Create a master with pki-9.0.3 (or IPA 3.0) on RHEL 6.7.
2. Create a replica with pki-10.2.5 (or IPA 4.2) on RHEL 7.2 with a wrong pki_security_domain_password (or provide a wrong password for ipa-replica-prepare).

Without the fix pkispawn will generate the following error message:

  simplejson.scanner.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

With the fix pkispawn will generate a more descriptive error message (not sure of the exact error), for example:
* HTTPError: 403 Client Error: Forbidden
* HTTPError: 404 Client Error: Not Found
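
The failure mode from the description and comment 3, as an added example that is not part of the original thread or the pki-core source: a decorator that assumes every HTTP error body is JSON, next to one that falls back to the original HTTP error when the body cannot be parsed. The HTTPError and PKIException classes, the "Message" key, the helper names and the sample bodies are stand-ins constructed for this example.

```python
import json

class HTTPError(Exception):
    """Constructed stand-in for an HTTP client error carrying the raw body."""
    def __init__(self, message, body):
        super().__init__(message)
        self.body = body

class PKIException(Exception):
    """Hypothetical typed error built from a JSON error body."""

def parse_error_body(body):
    """Return the server's message, or None if the body is not a JSON error."""
    try:
        return json.loads(body)["Message"]  # "Message" key is an assumption
    except (ValueError, KeyError, TypeError):
        return None

def handle_exceptions_unfixed(func):
    """Behaviour the report describes: the body is assumed to be JSON."""
    def wrapper(*args, **kwargs):
        try:
            return func(*args, **kwargs)
        except HTTPError as exc:
            # A non-JSON body raises JSONDecodeError here and masks the 403.
            raise PKIException(json.loads(exc.body)["Message"])
    return wrapper

def handle_exceptions_fixed(func):
    """Translate JSON error bodies; let any other HTTP error through intact."""
    def wrapper(*args, **kwargs):
        try:
            return func(*args, **kwargs)
        except HTTPError as exc:
            message = parse_error_body(exc.body)
            if message is None:
                raise  # original HTTPError, so the real cause stays visible
            raise PKIException(message) from exc
    return wrapper

def outcome(decorator, message, body):
    """Run a failing call through a decorator; report what the caller sees."""
    @decorator
    def call():
        raise HTTPError(message, body)
    try:
        call()
    except Exception as exc:
        return type(exc).__name__, str(exc)
```

Calling `outcome()` with an HTML or empty body shows the unfixed wrapper surfacing the JSON parser error while the fixed wrapper surfaces the HTTP status line.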

Comment 4 Roshni 2015-09-04 15:00:49 UTC
Endi,

I was trying out your suggestions and I see the following:

After installing ipa-server on a RHEL 6.7 machine using IPA 3.0, I copied /usr/share/ipa/copy-schema-to-ca.py from the RHEL 7.2 (IPA 4.2) machine to the RHEL 6.7 machine. I did the following on the RHEL 6.7 machine then

[root@sparks ~]# python /root/copy-schema-to-ca.py
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60samba.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipaconfig.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev2.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60basev3.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60ipadns.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/61kerberos-ipav3.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/65ipasudo.ldif
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/05rfc2247.ldif
ipa         : INFO     Restarting CA DS
ipa         : INFO     Schema updated successfully
[root@sparks ~]# ipa-replica-prepare mgmt7.rhq.lab.eng.bos.redhat.com
Directory Manager (existing master) password: 


The password provided is incorrect for LDAP server sparks.idmqe.lab.eng.bos.redhat.com

The only password prompted during ipa-replica-prepare was for the directory server instance password.

Then I copied /var/lib/ipa/replica-info-mgmt7.rhq.lab.eng.bos.redhat.com.gpg to the RHEL 7.2 replica machine and did the following

[root@mgmt7 ~]# ipa-replica-install replica-info-mgmt7.rhq.lab.eng.bos.redhat.com.gpg --setup-ca
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password: 

ipa         : ERROR    Failed to decrypt or open the replica file.
ERROR: Failed to decrypt or open the replica file.
Verify you entered the correct Directory Manager password.
[root@mgmt7 ~]# ipa-replica-install replica-info-mgmt7.rhq.lab.eng.bos.redhat.com.gpg --setup-ca
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'sparks.idmqe.lab.eng.bos.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin.ENG.BOS.REDHAT.COM password: 

Cannot acquire Kerberos ticket: kinit: Password incorrect while getting initial credentials

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.

Please let me know if I am testing the right way. I did not see any HTTP error messages when I provided the wrong password during the above test. I checked the ca debug log and ipareplica-install log and did not see any HTTP error messages there either.

Comment 5 Endi Sukma Dewata 2015-09-04 18:36:14 UTC
Thanks for trying this. So it looks like we cannot provide an incorrect password to the ipa-replica-prepare. It's strange that the GPG file is still generated with the incorrect password. Are you sure it's not from a previous execution?

Could you try this instead?
1. Create a RHEL 6.7 master (or use the existing one).
2. Run ipa-replica-prepare on master with the correct Directory Manager password.
3. Change the security domain admin password to something else by modifying the userPassword attribute in uid=admin,ou=people,o=ipaca in the DS.
4. Run ipa-replica-install on RHEL 7.2 replica with the correct Directory Manager password as in #2.

I suppose the replica installation will fail and generate the proper error message when connecting to the security domain in master. Please let me know if there are any issues.

Comment 6 Roshni 2015-09-04 21:07:27 UTC
Hi Endi,

I followed your instructions in comment 5 and got the following output for step 4:

[root@mgmt7 ~]# ipa-replica-install replica-info-mgmt7.rhq.lab.eng.bos.redhat.com.gpg --setup-ca
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Directory Manager (existing master) password: 

Run connection check to master
Check connection from replica to remote master 'ipaqa64vme.idmqe.lab.eng.bos.redhat.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin.ENG.BOS.REDHAT.COM password: 

Cannot acquire Kerberos ticket: kinit: Password incorrect while getting initial credentials

ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.

Is this sufficient to verify the bug?

Comment 7 Endi Sukma Dewata 2015-09-08 16:00:38 UTC
Thanks, Roshni.

It's a little bit hard to properly verify this bug since the bug can only be reproduced if there's another bug (as mentioned in the original bug description) and now the other bug has been fixed.

Per discussion with aakkiang the latest test is sufficient for sanity-only verification.

Comment 8 Roshni 2015-09-08 17:55:44 UTC
[root@mgmt7 ~]# rpm -qi ipa-server
Name        : ipa-server
Version     : 4.2.0
Release     : 5.el7
Architecture: x86_64
Install Date: Fri 04 Sep 2015 04:18:55 PM EDT
Group       : System Environment/Base
Size        : 5133823
License     : GPLv3+
Signature   : RSA/SHA256, Thu 20 Aug 2015 06:11:44 AM EDT, Key ID 938a80caf21541eb
Source RPM  : ipa-4.2.0-5.el7.src.rpm
Build Date  : Wed 19 Aug 2015 09:03:05 AM EDT
Build Host  : x86-034.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

[root@mgmt7 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.2.6
Release     : 8.el7pki
Architecture: noarch
Install Date: Tue 08 Sep 2015 01:39:46 PM EDT
Group       : System Environment/Daemons
Size        : 2416291
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.2.6-8.el7pki.src.rpm
Build Date  : Tue 25 Aug 2015 01:18:45 AM EDT
Build Host  : x86-025.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Using the above builds I was able to verify a sanity test in comment 6. Verifying the bug based on Endi's comment 7.

Comment 9 errata-xmlrpc 2015-11-19 09:22:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2276.html