Bug 1696115 - [admin] IdentityProvider with duplicated name should not be created successfully.
Summary: [admin] IdentityProvider with duplicated name should not be created successfu...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.2.0
Assignee: Samuel Padgett
QA Contact: Yadan Pei
URL:
Whiteboard: f this bug is not fixed by Friday, Ma...
: 1677587 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-04-04 07:51 UTC by XiaochuanWang
Modified: 2019-06-04 10:47 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:47:03 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 None None None 2019-06-04 10:47:11 UTC

Description XiaochuanWang 2019-04-04 07:51:52 UTC
Description of problem:
User create two Oauth Identities with same name, the 2nd one should not be created successfully

Version-Release number of selected component (if applicable):
4.0.0-0.nightly-2019-04-03-202419

How reproducible:
Always

Steps to Reproduce:
1. Cluster-admin user login on OAuth page and create an OpenID identities using Gitlab:

1) Add application on setting page: 
https://gitlab.com/profile/applications 
Fill in the Redirect URI: https://<$ oc get route -n openshift-authentication> + /oauth2callback/ + <openId name such as openid-xiaocwan>
Get the ClientID and ClientSecret

2) On "Add Identity Provider: OpenID Connect" page:
Fill in the Name as the openid-xiaocwan
Fill in the ClientID and ClientSecret copied from Gitlab.
Fill in Issuer URL 'https://gitlab.com' 

2. Create and wait for the pod ($ oc get pod -n openshift-authentication) succeed.
3. Repeat above steps and create another identity with same name (openid-xiaocwan)

Actual results:
3. Create successfully. The pods under openshift-authentication is CrashLoopBackOff until the first identity deleted.

Expected results:
3. Console should block the creation for the duplicated identity.

Additional info:
Htpasswd also reproduces.
oc logs openshift-authentication-5865bb76-w6v7z -n openshift-authentication
Command "openshift-osinserver" is deprecated, will be removed in 4.0
panic: http: multiple registrations for /login/htpasswdtest

goroutine 1 [running]:
net/http.(*ServeMux).Handle(0xc421a474d0, 0xc421a7c0a0, 0x13, 0xb4056e0, 0xc4206bdb80)
    /opt/rh/go-toolset-1.10/root/usr/lib/go-toolset-1.10-golang/src/net/http/server.go:2356 +0x239
net/http.(*ServeMux).HandleFunc(0xc421a474d0, 0xc421a7c0a0, 0x13, 0xc4206bdb80)
    /opt/rh/go-toolset-1.10/root/usr/lib/go-toolset-1.10-golang/src/net/http/server.go:2371 +0x55
github.com/openshift/origin/pkg/oauthserver/server/login.(*Login).Install(0xc420bf4340, 0xb41fa20, 0xc421a474d0, 0xc420ecce58, 0x1, 0x1)
    /go/src/github.com/openshift/origin/_output/local/go/src/github.com/openshift/origin/pkg/oauthserver/server/login/login.go:98 +0x57
github.com/openshift/origin/pkg/oauthserver/oauthserver.(*OAuthServerConfig).getAuthenticationHandler(0xc42135d680, 0xb41fa20, 0xc421a474d0, 0xb3f7bc0, 0xc4206bda50, 0x523fd20, 0xc4206bda50, 0xb3f7c00, 0xc4204a4f40)

Comment 2 Samuel Padgett 2019-04-04 12:21:46 UTC
Changing component to Auth since the validation needs to happen on the backend. Otherwise it would be possible to create duplicate names from other clients.

Comment 3 Erica von Buelow 2019-04-05 12:41:31 UTC
Should be handled as part of OAuth CRD validation: https://github.com/openshift/origin/pull/21922

Comment 5 Mo 2019-04-05 13:43:14 UTC
*** Bug 1677587 has been marked as a duplicate of this bug. ***

Comment 9 XiaochuanWang 2019-05-13 09:40:32 UTC
Function is acceptable, will move it to Verified. Duplicated name for identity provider is not allowed to be created on console. It behave correctly on both htpasswd and OpenId with Gitlab. Only the slightly change now is the new creating OpenId page will open as an edit view but it does create a new one.

But I assume here is a new issue for OpenId creating page when there is already one: 
The values of ClientID and ClientSecret should better to be cleared when creating the 2nd one, otherwise the existing one still match the previous callback url and it won't work for the new Identity Provider name. User need to remove both values sooner or later.


Tested on Cluster version: 4.1.0-rc.3
image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e6dd4bf3fdb483a93d6e84a5574e0f2514cb1cbf1b4407e52e6c94fd66e3648d
Commit ID: https://github.com/openshift/console/commit/d8fc460a3d0e9f8de3d14373de8f36ba09103537

Comment 10 XiaochuanWang 2019-05-13 09:49:22 UTC
(In reply to Samuel Padgett from comment #2)
> Changing component to Auth since the validation needs to happen on the
> backend. Otherwise it would be possible to create duplicate names from other
> clients.

Comment 11 Mo 2019-05-13 12:01:49 UTC
Moving back to console since the issue being mentioned is specific to the UI.  I do think we should just close this BZ and make a new one.

Comment 12 Samuel Padgett 2019-05-13 13:18:10 UTC
(In reply to XiaochuanWang from comment #9)
> 
> But I assume here is a new issue for OpenId creating page when there is
> already one: 
> The values of ClientID and ClientSecret should better to be cleared when
> creating the 2nd one, otherwise the existing one still match the previous
> callback url and it won't work for the new Identity Provider name. User need
> to remove both values sooner or later.

I'm not sure I understand what the issue is. Can you give specific steps to reproduce?

This sounds like it should be a different bug, however.

Comment 13 XiaochuanWang 2019-05-14 06:22:26 UTC
Agree to move it to Verified since the duplicated name failed to created since the issue now is specific to console.


Tested on Cluster version: 4.1.0-rc.3
image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e6dd4bf3fdb483a93d6e84a5574e0f2514cb1cbf1b4407e52e6c94fd66e3648d
Commit ID: https://github.com/openshift/console/commit/d8fc460a3d0e9f8de3d14373de8f36ba09103537

Comment 15 errata-xmlrpc 2019-06-04 10:47:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758


Note You need to log in before you can comment on or make changes to this bug.