Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1984046

Summary: python-oauthlib depends on jwt for RSA
Product: Red Hat Enterprise Linux 9 Reporter: Scott Poore <spoore>
Component: python-oauthlibAssignee: Tomas Halman <thalman>
Status: CLOSED ERRATA QA Contact: Scott Poore <spoore>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: aboscatt, thalman
Target Milestone: betaKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-oauthlib-3.1.1-5.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 07:38:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2117590    
Bug Blocks:    

Description Scott Poore 2021-07-20 13:52:50 UTC
Description of problem:

While testing another bug, we found that there is a leftover dependency on jwt still in python-oauthlib.

Trying to sign with an RSA-SHA256 key fails because the missing dependency isn't installed:

[root@rhel9 ~]# python test.py 
Traceback (most recent call last):
  File "/root/test.py", line 4, in <module>
    Client('client_key',
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 353, in sign
    ('oauth_signature', self.get_oauth_signature(request)))
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 188, in get_oauth_signature
    sig = self.SIGNATURE_METHODS[self.signature_method](base_string, self)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 743, in sign_rsa_sha256_with_client
    return _sign_rsa('SHA-256', sig_base_str, client.rsa_key)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 616, in _sign_rsa
    alg = _get_jwt_rsa_algorithm(hash_algorithm_name)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 562, in _get_jwt_rsa_algorithm
    import jwt.algorithms as jwt_algorithms
ModuleNotFoundError: No module named 'jwt'


Version-Release number of selected component (if applicable):
python3-oauthlib-3.1.1-1.el9.noarch

How reproducible:
always

Steps to Reproduce:
1.  dnf -y install python3-oauthlib
2.  make simple test script using library

[root@rhel9 ~]# cat test.py
import oauthlib
from oauthlib.oauth1 import Client

Client('client_key',
       signature_method='RSA-SHA256',
       rsa_key='',
       timestamp='1234567890',
       nonce='abc').sign('http://example.com')

3.  python test-rsa.py

Actual results:
returns module import error shown above.

Expected results:
this particular test won't do much but show this error.  we can use a more complete test script to test that things work properly.  FYI, this just means adding rsa_key into script.

Additional info:

Comment 1 Jakub Hrozek 2021-07-28 13:44:47 UTC
I think the only reasonable thing to do is to remove the rest of the RSA-* based signature methods. The RFC only prescribes RSA-SHA1 which is not permitted in RHEL-9. python-oauthlib adds also RSA-SHA256 and others, but those are not standard. In the real world, it's mostly HMAC-SHA1 that I've seen used anyway.

Comment 7 Scott Poore 2022-11-18 15:08:13 UTC
Verified

Version ::

[root@hostname1 ~]# rpm -q python3-oauthlib
python3-oauthlib-3.1.1-5.el9.noarch

[root@hostname1 ~]# dnf list python3-oauthlib
Last metadata expiration check: 0:53:29 ago on Fri Nov 18 09:10:28 2022.
Installed Packages
python3-oauthlib.noarch                         3.1.1-5.el9                         @rhel-9.2-AppStream

Results ::

[root@hostname1 ~]# cat test-rsa-sha256.py 
import oauthlib
from oauthlib.oauth1 import Client

Client('client_key',
       signature_method='RSA-SHA256',
       rsa_key='',
       timestamp='1234567890',
       nonce='abc').sign('http://example.com')

[root@hostname1 ~]# python test-rsa-sha256.py 
Traceback (most recent call last):
  File "/root/test-rsa-sha256.py", line 4, in <module>
    Client('client_key',
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 353, in sign
    ('oauth_signature', self.get_oauth_signature(request)))
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 188, in get_oauth_signature
    sig = self.SIGNATURE_METHODS[self.signature_method](base_string, self)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 755, in sign_rsa_sha256_with_client
    return _sign_rsa('SHA-256', sig_base_str, client.rsa_key)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 626, in _sign_rsa
    raise ValueError('Invalid signature method.')
ValueError: Invalid signature method.


Expected failure ^^

[root@hostname1 ~]# cat test-hmac-sha1.py 
import oauthlib
from oauthlib.oauth1 import Client

Client('client_key',
       signature_method='HMAC-SHA1',
       timestamp='1234567890',
       nonce='abc').sign('http://example.com')
[root@hostname1 ~]# python test-hmac-sha1.py 
[root@hostname1 ~]# echo $?
0

Comment 10 errata-xmlrpc 2023-05-09 07:38:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (python-oauthlib bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2247