Bug 2324153 - [8.0][rgw][sts] with incorrect thumbprints in the OIDC provider, sts aswi request is successful bypassing thumbprint verification
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 8.0z2
Assignee: Pritha Srivastava
QA Contact: Hemanth Sai
URL:
Whiteboard:
Depends On:
Blocks: 2324227
Reported: 2024-11-06 10:59 UTC by Hemanth Sai
Modified: 2025-03-06 14:23 UTC (History)

Fixed In Version: ceph-19.2.0-89.el9cp
Doc Type: Bug Fix
Doc Text:
AssumeRoleWithWebIdentity operations now fail as expected when incorrect thumbprints are added
Previously, due to a boolean flag being incorrectly set in the code, the AssumeRoleWithWebIdentity operation succeeded even when an incorrect thumbprint was registered in the CreateOIDCProvider call. As a result, AssumeRoleWithWebIdentity was able to succeed when it should have failed. With this fix, the boolean flag is not set when no correct thumbprints are found registered in the CreateOIDCProvider call. As a result, if the end user does not provide a correct thumbprint in the CreateOIDCProvider call, the AssumeRoleWithWebIdentity operation now fails as expected.
Clone Of:
Clones: 2324227
Environment:
Last Closed: 2025-03-06 14:22:56 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHCEPH-10190 | 0 | None | None | None | 2024-11-06 11:02:06 UTC
Red Hat Product Errata | RHBA-2025:2457 | 0 | None | None | None | 2025-03-06 14:23:01 UTC

Description Hemanth Sai 2024-11-06 10:59:08 UTC
Description of problem:
With incorrect thumbprints in the OIDC provider, the sts assume-role-with-web-identity request is successful, bypassing thumbprint verification.


log snippet:

actual thumbprints of the identity provider:

[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ ./obtain_oidc_thumbprint.sh 
C2746A3F9F2A39308C65031997971DC217DFE396
FB0E550188A5283990B1313D313712AE5BB82F45
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 


sts aswi request is successful with fake thumbprints in the OIDC provider:

[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl iam list-open-id-connect-providers
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "OpenIDConnectProviderList": [
        {
            "Arn": "arn:aws:iam:::oidc-provider/10.0.64.108:8180/realms/master"
        }
    ]
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl iam get-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam:::oidc-provider/10.0.64.108:8180/realms/master"
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "Url": "http://10.0.64.108:8180/realms/master",
    "ClientIDList": [
        "account",
        "sts_client"
    ],
    "ThumbprintList": [
        "E292963BBB547E837805C088572EB0C3D97AB3F0",
        "A2A1930F45FA426142B7D2FF34F936020691B99C"
    ],
    "CreateDate": "2024-11-05T18:49:44.130Z"
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl sts assume-role-with-web-identity --role-arn arn:aws:iam:::role/S3RoleOf.coryd.550 --role-session-name session1 --web-identity-token "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlUlA4c0VueGh3MG5NVVN1bHhUXzVSMFJUSnNxVmg5Z0hEck4tYzNyRUdjIn0.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.YkUGztOBQj9MZTf3WsEifcBeUbQmjEC-AtvhlMogs75ZlQC7VvfICLLYj9ulrMzJDVMHSFn3eG645wRUnH6o_WVxOR6Jpup5RypJ_l_uWKh4ojsRqBAyNkClki1wGzEQPlwHycKRO7d_lSSAeutqxba5ebIX9wQO9xLfEn-a6Al84ELuq2wVQIzI5hal2vT7PApn-rdfsnlPva634PzSJ4bIjOCqIKMGFmEe35xaCYg3UUKc3m0R9xAmGNVhFLahqc0TLg6Rse7kosLrOgQITaWyTcqBj0cTejF9DZWiFgG7Z7Sg48_XIc2WwM-J0l8w1MiFmr8JsUe6xun-6uZJxQ"
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "Credentials": {
        "AccessKeyId": "cOC29o1YL1dp0O7TahgI",
        "SecretAccessKey": "1C4YQR65H8HFVQ860KMLBYDSM109SCDX082CFRGK",
        "SessionToken": "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",
        "Expiration": "2024-11-05T20:11:24.263516724Z"
    },
    "SubjectFromWebIdentityToken": "755021a9-3580-4b9f-8243-cb15dbd4aaac",
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts:::assumed-role/S3RoleOf.coryd.550/session1"
    },
    "PackedPolicySize": 0,
    "Provider": "http://10.0.64.108:8180/realms/master",
    "Audience": "master-realm"
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 


Version-Release number of selected component (if applicable):
ceph version 19.2.0-52.el9cp

How reproducible:
always

Steps to Reproduce:
1. Create an OIDC provider with the identity provider URL and incorrect thumbprints.
2. Create a role and put a role policy on the role.
3. Create a user and add the roles=* and oidc-provider=* capabilities to it.
4. Try to perform sts aswi; the request is successful, bypassing thumbprint verification.

Actual results:
The sts aswi request is successful, bypassing thumbprint verification.

Expected results:
The sts aswi request is expected to fail if incorrect thumbprints are present in the OIDC provider.

Additional info:

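The check the report describes as bypassed, and an audit for registered thumbprints, as an added Python example that is not RGW's own code: the "match" flag may only become true when a certificate in the IdP's chain hashes to a registered thumbprint, and the audit compares the ThumbprintList from get-open-id-connect-provider (the JSON above) with the fingerprints obtain_oidc_thumbprint.sh printed. The DER blobs are constructed stand-ins, not real certificates; all function names are this example's own.

```python
import hashlib
import json
import re

# CreateOIDCProvider thumbprints are the SHA-1 of the DER certificate, 40 uppercase hex chars.
_THUMB_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_thumbprint(text: str) -> str:
    """Accept an OpenSSL line ('SHA1 Fingerprint=C2:74:...') or a bare hex string
    and return the 40-char uppercase form the API stores."""
    hexpart = text.split("=", 1)[-1].replace(":", "").strip().upper()
    if not _THUMB_RE.match(hexpart):
        raise ValueError(f"not a SHA-1 thumbprint: {text!r}")
    return hexpart


def thumbprint_of_der(der: bytes) -> str:
    """SHA-1 over the DER bytes, the same digest 'openssl x509 -fingerprint -sha1' prints."""
    return hashlib.sha1(der).hexdigest().upper()


def chain_matches_registered(chain_ders, registered) -> bool:
    """Return True only if at least one certificate in the IdP's TLS chain is registered.
    The flag starts False and flips only on a match; the reported defect was the flag
    ending up set even though no registered thumbprint matched."""
    wanted = {normalize_thumbprint(t) for t in registered}
    matched = False
    for der in chain_ders:
        if thumbprint_of_der(der) in wanted:
            matched = True
            break
    return matched


def audit_provider(provider_json: str, live_fingerprints) -> dict:
    """Compare the provider's ThumbprintList with fingerprints observed on the IdP today.
    'stale' = registered but not on the IdP, 'missing' = on the IdP but not registered."""
    registered = {normalize_thumbprint(t) for t in json.loads(provider_json)["ThumbprintList"]}
    live = {normalize_thumbprint(t) for t in live_fingerprints}
    return {"ok": bool(registered & live),
            "stale": sorted(registered - live),
            "missing": sorted(live - registered)}


# Constructed sample chain (not real certificates): leaf first, then intermediate.
IDP_CHAIN = [b"constructed-leaf-cert-der", b"constructed-intermediate-cert-der"]
```

Feed audit_provider the output of `aws iam get-open-id-connect-provider` and the lines from obtain_oidc_thumbprint.sh; an "ok": false result means AssumeRoleWithWebIdentity should be refused on a fixed build, and the ThumbprintList needs updating.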
Comment 10 errata-xmlrpc 2025-03-06 14:22:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 8.0 security, bug fixes, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2025:2457

