1976598 – Designate DNS – it’s possible to create Tsigkey using empty secret key.

Bug 1976598 - Designate DNS – it’s possible to create Tsigkey using empty secret key.

Summary: Designate DNS – it’s possible to create Tsigkey using empty secret key.

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-designate
Sub Component:
Version:	17.0 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Michael Johnson
QA Contact:	Toni Freger
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-06-27 13:04 UTC by Arkady Shtempler
Modified:	2023-08-01 14:42 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Launchpad	1933760	0	None	None	None	2021-06-27 13:04:22 UTC
Red Hat Issue Tracker	OSP-5483	0	None	None	None	2021-11-23 16:08:52 UTC

Description Arkady Shtempler 2021-06-27 13:04:23 UTC

Scenario:
Try to create Tsigkey using empty string

Actual Result:
Tsigkey is successfully created
2021-06-27 15:59:29.035 292921 INFO tempest.lib.common.rest_client [req-7e103208-0473-40ea-a040-0d6cf5bb7a61 ] Request (TsigkeyAdminTest:test_create_tsigkey_for_zone_empty_secret): 201 POST http://10.35.64.8/dns/v2/tsigkeys 0.090s
2021-06-27 15:59:29.036 292921 DEBUG tempest.lib.common.rest_client [req-7e103208-0473-40ea-a040-0d6cf5bb7a61 ] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"name": "Example_Key-1226165891.com.", "algorithm": "hmac-sha256", "secret": "", "scope": "ZONE", "resource_id": "78ad8add-35ee-4bfe-9835-50dccf0fc807"}
    Response - Headers: {'date': 'Sun, 27 Jun 2021 12:59:28 GMT', 'server': 'Apache/2.4.41 (Ubuntu)', 'location': 'http://10.35.64.8/dns/v2/tsigkeys/f989a5c9-efe7-4cfd-b15e-38d91543e3ea', 'content-length': '356', 'x-openstack-request-id': 'req-7e103208-0473-40ea-a040-0d6cf5bb7a61', 'connection': 'close', 'content-type': 'application/json', 'status': '201', 'content-location': 'http://10.35.64.8/dns/v2/tsigkeys'}
        Body: b'{"id": "f989a5c9-efe7-4cfd-b15e-38d91543e3ea", "name": "Example_Key-1226165891.com.", "algorithm": "hmac-sha256", "secret": "", "scope": "ZONE", "resource_id": "78ad8add-35ee-4bfe-9835-50dccf0fc807", "created_at": "2021-06-27T12:59:29.000000", "updated_at": null, "links": {"self": "http://10.35.64.8/dns/v2/tsigkeys/f989a5c9-efe7-4cfd-b15e-38d91543e3ea"}}' _log_request_full /opt/stack/tempest/tempest/lib/common/rest_client.py:450
2021-06-27 15:59:29.100 292921 INFO tempest.lib.common.rest_client [req-47cf30b1-68ca-454b-b9e8-1c0f3cfade34 ] Request (TsigkeyAdminTest:_run_cleanups): 202 DELETE http://10.35.64.8/dns/v2/zones/78ad8add-35ee-4bfe-9835-50dccf0fc807 0.062s
2021-06-27 15:59:29.100 292921 DEBUG tempest.lib.common.rest_client [req-47cf30b1-68ca-454b-b9e8-1c0f3cfade34 ] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}

Expected:
Tsigkey should fail to be created

Comment 1 Michael Johnson 2021-06-30 17:34:45 UTC

In theory an empty string is valid, but highly not recommended.
I agree we should add a validation for this, but for compatibility may not be able to be back ported.
Maybe this will require a configuration option to enable/disable to maintain compatibility.

Note You need to log in before you can comment on or make changes to this bug.