Bug 1753304 - [CPMA] Secret encoded twice
Summary: [CPMA] Secret encoded twice
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Migration Tooling
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.2.0
Assignee: Gilles Dubreuil
QA Contact: Sergio
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-18 14:40 UTC by Sergio
Modified: 2019-10-16 06:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-16 06:41:33 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2922 0 None None None 2019-10-16 06:41:45 UTC

Description Sergio 2019-09-18 14:40:25 UTC
Description of problem:
The secret generated by CPMA for a htpasswd OCP3 configuration is encoded twice in base64.

At least, it happens with the GitLab authentication secret too, not only with htpasswd.


Version-Release number of selected component (if applicable):

CPMA:
branch: release-1.0
commit 835495a137dab2d77520f1b4717bcdc6c2f40cb3

    Revert "OAuth GitHub Provider: Organizations or Teams field is mandatory (#3
    
    This reverts commit 89d24c4e4710f1c65e11d34b69bda675a6e92d94.

OCP3
# oc version
oc v3.11.141
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://
openshift v3.11.141
kubernetes v1.11.0+d4cacc0


How reproducible:
Always


Steps to Reproduce:
1. SSH to the master server of the OCP 3 cluster and configure master-config.yaml

 identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: my_htpasswd_provider
    provider:
      apiVersion: v1
      kind: HTPasswdPasswordIdentityProvider
      file: /etc/origin/master/htpasswd

2. Create a user account named `admin` (password is redhat) and grant the cluster-admin role to the user, for instance:
# touch /etc/origin/master/htpasswd
# htpasswd -c -b /etc/origin/master/htpasswd admin redhat
# oc adm policy add-cluster-role-to-user cluster-admin admin 

3. Restart the API server
# master-restart api

4. Execute cpma utility to generate CR Manifests
$ tree data0919                                                                                           
data0919
├── ec2-35-175-205-14.compute-1.amazonaws.com
│   └── etc
│       ├── containers
│       │   └── registries.conf
│       ├── etcd
│       │   └── etcd.conf
│       └── origin
│           └── master
│               ├── htpasswd
│               └── master-config.yaml
├── manifests
│   ├── 100_CPMA-cluster-config-image.yaml
│   ├── 100_CPMA-cluster-config-oauth.yaml
│   ├── 100_CPMA-cluster-config-project.yaml
│   ├── 100_CPMA-cluster-config-sdn.yaml
│   └── 100_CPMA-cluster-config-secret-htpasswd-secret.yaml
└── report.json

5. Apply the generated auth CR manifest to the OCP 4 cluster by executing the `oc create` command, for instance:

$ oc apply -f 100_CPMA-cluster-config-secret-htpasswd-secret.yaml
$ oc apply -f ./data/manifests/100_CPMA-cluster-config-oauth.yam


Actual results:
The new user "admin" with password "redhat" cannot log in to OCP4.

Expected results:
The user "admin" with password "redhat" should be able to log in to OCP4.


Additional info:
The secret generated by the CPMA application is encoded twice. We can see it with the following commands:


$ cat manifests/100_CPMA-cluster-config-secret-htpasswd-secret.yaml
apiVersion: v1
data:
  htpasswd: WVdSdGFXNDZKR0Z3Y2pFa09UbHFZWEp0VDFVa1pVcHJkRkl6YUdWRVJrVllXR0pzUW5VMU5VRkxMd289
kind: Secret
metadata:
  creationTimestamp: null
  name: htpasswd-secret
  namespace: openshift-config
type: Opaque

$ echo -n "WVdSdGFXNDZKR0Z3Y2pFa09UbHFZWEp0VDFVa1pVcHJkRkl6YUdWRVJrVllXR0pzUW5VMU5VRkxMd289" | base64 -d
YWRtaW46JGFwcjEkOTlqYXJtT1UkZUprdFIzaGVERkVYWGJsQnU1NUFLLwo=

$ echo -n "YWRtaW46JGFwcjEkOTlqYXJtT1UkZUprdFIzaGVERkVYWGJsQnU1NUFLLwo=" | base64 -d
admin:$apr1$99jarmOU$eJktR3heDFEXXblBu55AK/


If we replace the twice-encoded secret with the same secret encoded only once, the user "admin" with password "redhat" can log in to the cluster.

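As an added example (not CPMA's code and not part of the report), a Python check for the double encoding described above: it decodes a Secret data value layer by layer until an htpasswd line appears, reports how many base64 layers wrapped it, and re-encodes the payload exactly once. The two sample values are the ones quoted in the report.

```python
import base64
import binascii
import re
from typing import Optional

# Sample values taken from the report: the double-encoded value CPMA emitted
# and the single-encoded value a Kubernetes Secret expects.
DOUBLE_ENCODED = "WVdSdGFXNDZKR0Z3Y2pFa09UbHFZWEp0VDFVa1pVcHJkRkl6YUdWRVJrVllXR0pzUW5VMU5VRkxMd289"
SINGLE_ENCODED = "YWRtaW46JGFwcjEkOTlqYXJtT1UkZUprdFIzaGVERkVYWGJsQnU1NUFLLwo="

# One htpasswd line is "<user>:<hash>" (apr1, bcrypt, SHA or crypt hash).
HTPASSWD_LINE = re.compile(rb"^[^:\s]+:\S+$")


def looks_like_htpasswd(raw: bytes) -> bool:
    """True if every non-empty line of raw is a user:hash pair."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    return bool(lines) and all(HTPASSWD_LINE.match(ln) for ln in lines)


def decode_strict(value: bytes) -> Optional[bytes]:
    """Decode one base64 layer; None if value is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def encoding_depth(value: str, max_depth: int = 3) -> int:
    """Number of base64 layers around an htpasswd payload (0 = none found)."""
    current = value.encode()
    for depth in range(1, max_depth + 1):
        decoded = decode_strict(current)
        if decoded is None:
            return 0
        if looks_like_htpasswd(decoded):
            return depth
        current = decoded  # peel one layer and look again
    return 0


def normalize_secret_value(value: str) -> str:
    """Return the htpasswd payload base64-encoded exactly once."""
    depth = encoding_depth(value)
    if depth == 0:
        raise ValueError("value does not decode to an htpasswd payload")
    payload = value.encode()
    for _ in range(depth):
        payload = base64.b64decode(payload, validate=True)
    return base64.b64encode(payload).decode()
```

Run `encoding_depth` over each key of a generated Secret's `data:` map; any result other than 1 is the defect this bug describes.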
Comment 1 Gilles Dubreuil 2019-09-19 09:37:07 UTC
This has been addressed by the following patch:
https://github.com/fusor/cpma/pull/406

The PR has been merged to the master and release-1.0 branches.

Comment 3 Sergio 2019-09-20 16:03:08 UTC
Verified in:

commit 006c5698376dda59438d6b25e78f00ad1dd630a4
Author: Gilles Dubreuil <gilles>
Date:   Wed Sep 18 23:11:42 2019 +0200

    Fix double encoding for oauth secrets (#406) (#410)
    
    (cherry picked from commit a89d3cdf3518e6fca2a2e68ef35466ed1356cae1)


Using user "admin" and password "redhat" to test the issue:

$ cat htpasswd-secret.yml 
apiVersion: v1
data:
  htpasswd: YWRtaW46JGFwcjEkOTlqYXJtT1UkZUprdFIzaGVERkVYWGJsQnU1NUFLLwo=
kind: Secret
metadata:
  creationTimestamp: null
  name: htpasswd-secret
  namespace: openshift-config
type: Opaque

$ echo -n "YWRtaW46JGFwcjEkOTlqYXJtT1UkZUprdFIzaGVERkVYWGJsQnU1NUFLLwo=" | base64 -d
admin:$apr1$99jarmOU$eJktR3heDFEXXblBu55AK/

In OCP4
$ oc login -u admin -p redhat
Login successful.

Comment 4 errata-xmlrpc 2019-10-16 06:41:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922

