Bug 2324227 - [7.1][rgw][sts] with incorrect thumbprints in the OIDC provider, sts aswi request is successful bypassing thumbprint verification
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 8.1
Assignee: Pritha Srivastava
QA Contact: Hemanth Sai
Docs Contact: Rivka Pollack
URL:
Whiteboard:
Depends On: 2324153
Blocks: 2351689
Reported: 2024-11-06 18:24 UTC by Hemanth Sai
Modified: 2025-10-29 04:25 UTC (History)
CC: 7 users

Fixed In Version: ceph-19.2.1-2.el9cp
Doc Type: Bug Fix
Doc Text:
.`AssumeRoleWithWebIdentity` operation now fails as expected when incorrect thumbprints are added
Previously, due to a boolean flag being incorrectly set in the code, the `AssumeRoleWithWebIdentity` operation succeeded even when an incorrect thumbprint was registered in the `CreateOIDCProvider` call. As a result, `AssumeRoleWithWebIdentity` was able to succeed when it should have failed. With this fix, the boolean flag is not set when no correct thumbprints are found registered in the `CreateOIDCProvider` call. As a result, if the end user does not provide a correct thumbprint in the `CreateOIDCProvider` call, the `AssumeRoleWithWebIdentity` operation now fails as expected.
Clone Of: 2324153
Environment:
Last Closed: 2025-06-26 12:18:41 UTC
Embargoed:




Links:
Red Hat Issue Tracker RHCEPH-10194 (last updated 2024-11-06 18:26:14 UTC)
Red Hat Product Errata RHSA-2025:9775 (last updated 2025-06-26 12:18:49 UTC)

Description Hemanth Sai 2024-11-06 18:24:43 UTC
+++ This bug was initially created as a clone of Bug #2324153 +++

Description of problem:
With incorrect thumbprints in the OIDC provider, the sts assume-role-with-web-identity request is successful, bypassing thumbprint verification.


log snippet:

actual thumbprints of the identity provider:

[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ ./obtain_oidc_thumbprint.sh 
C2746A3F9F2A39308C65031997971DC217DFE396
FB0E550188A5283990B1313D313712AE5BB82F45
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 


sts aswi request is successful with fake thumbprints in the OIDC provider:

[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl iam list-open-id-connect-providers
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "OpenIDConnectProviderList": [
        {
            "Arn": "arn:aws:iam:::oidc-provider/10.0.64.108:8180/realms/master"
        }
    ]
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl iam get-open-id-connect-provider --open-id-connect-provider-arn "arn:aws:iam:::oidc-provider/10.0.64.108:8180/realms/master"
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "Url": "http://10.0.64.108:8180/realms/master",
    "ClientIDList": [
        "account",
        "sts_client"
    ],
    "ThumbprintList": [
        "E292963BBB547E837805C088572EB0C3D97AB3F0",
        "A2A1930F45FA426142B7D2FF34F936020691B99C"
    ],
    "CreateDate": "2024-11-05T18:49:44.130Z"
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ aws --endpoint-url https://10.0.65.88:443 --no-verify-ssl sts assume-role-with-web-identity --role-arn arn:aws:iam:::role/S3RoleOf.coryd.550 --role-session-name session1 --web-identity-token "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlUlA4c0VueGh3MG5NVVN1bHhUXzVSMFJUSnNxVmg5Z0hEck4tYzNyRUdjIn0.….YkUGztOBQj9MZTf3WsEifcBeUbQmjEC-AtvhlMogs75ZlQC7VvfICLLYj9ulrMzJDVMHSFn3eG645wRUnH6o_WVxOR6Jpup5RypJ_l_uWKh4ojsRqBAyNkClki1wGzEQPlwHycKRO7d_lSSAeutqxba5ebIX9wQO9xLfEn-a6Al84ELuq2wVQIzI5hal2vT7PApn-rdfsnlPva634PzSJ4bIjOCqIKMGFmEe35xaCYg3UUKc3m0R9xAmGNVhFLahqc0TLg6Rse7kosLrOgQITaWyTcqBj0cTejF9DZWiFgG7Z7Sg48_XIc2WwM-J0l8w1MiFmr8JsUe6xun-6uZJxQ"
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.65.88'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
{
    "Credentials": {
        "AccessKeyId": "cOC29o1YL1dp0O7TahgI",
        "SecretAccessKey": "1C4YQR65H8HFVQ860KMLBYDSM109SCDX082CFRGK",
        "SessionToken": "…",
        "Expiration": "2024-11-05T20:11:24.263516724Z"
    },
    "SubjectFromWebIdentityToken": "755021a9-3580-4b9f-8243-cb15dbd4aaac",
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts:::assumed-role/S3RoleOf.coryd.550/session1"
    },
    "PackedPolicySize": 0,
    "Provider": "http://10.0.64.108:8180/realms/master",
    "Audience": "master-realm"
}
[cephuser@ceph-pri-hsm-cephadm-h0a759-node6 ~]$ 


Version-Release number of selected component (if applicable):
ceph version 19.2.0-52.el9cp

How reproducible:
always

Steps to Reproduce:
1. Create an OIDC provider with the identity provider URL and incorrect thumbprints.
2. Create a role and put a role policy on the role.
3. Create a user and add the roles=* and oidc-provider=* capabilities to it.
4. Try to perform sts aswi. The request is successful, bypassing thumbprint verification.

Actual results:
sts aswi request is successful bypassing thumbprint verification

Expected results:
expected sts aswi request fails if incorrect thumbprints are present in OIDC provider

Additional info:
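The check this bug is about, as an added illustration that is not RGW's own code: RGW computes the SHA-1 thumbprint of the certificate(s) it fetches from the identity provider and must find that value in the `ThumbprintList` registered via `CreateOIDCProvider` before `AssumeRoleWithWebIdentity` may succeed. The "buggy" function below is my reconstruction of the defect the Doc Text describes (a found-flag set without a match); the certificate bytes are constructed stand-ins, and the "wrong" thumbprints are the fake values registered in the reproduction above.

```python
"""Model of the OIDC thumbprint check behind AssumeRoleWithWebIdentity.

Added example, not Ceph RGW source. Certificate bytes are constructed
stand-ins: a thumbprint is simply the SHA-1 of the DER certificate, so
any byte string is enough to exercise the comparison logic.
"""
import hashlib
from typing import Iterable, Sequence


def cert_thumbprint(cert_der: bytes) -> str:
    """Upper-case hex SHA-1 of a DER certificate, the form shown in
    ThumbprintList and by obtain_oidc_thumbprint.sh."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def thumbprint_matches_buggy(chain_der: Sequence[bytes],
                             registered: Iterable[str]) -> bool:
    """Reconstruction of the defect: the 'found' flag is set as soon as
    any thumbprint is registered, before the comparison is made, so a
    provider with wrong thumbprints still passes."""
    found = False
    for cert in chain_der:
        tp = cert_thumbprint(cert)
        for reg in registered:
            found = True          # BUG: set regardless of tp == reg
            if tp == reg.upper():
                break
    return found


def thumbprint_matches_fixed(chain_der: Sequence[bytes],
                             registered: Iterable[str]) -> bool:
    """Corrected behaviour: succeed only when a fetched certificate's
    thumbprint is actually present in the registered list."""
    registered_set = {reg.upper() for reg in registered}
    return any(cert_thumbprint(cert) in registered_set for cert in chain_der)


def assume_role_decision(chain_der: Sequence[bytes],
                         registered: Iterable[str],
                         check=thumbprint_matches_fixed) -> str:
    """What the STS call should return given the thumbprint check result."""
    return "allowed" if check(chain_der, registered) else "denied: thumbprint mismatch"


# Constructed stand-in for the identity provider's certificate chain.
IDP_CHAIN = [b"constructed-idp-leaf-cert", b"constructed-idp-intermediate-cert"]
CORRECT_THUMBPRINTS = [cert_thumbprint(c) for c in IDP_CHAIN]
# Fake thumbprints registered in the OIDC provider in the reproduction above.
WRONG_THUMBPRINTS = ["E292963BBB547E837805C088572EB0C3D97AB3F0",
                     "A2A1930F45FA426142B7D2FF34F936020691B99C"]

if __name__ == "__main__":
    for label, check in (("buggy", thumbprint_matches_buggy),
                         ("fixed", thumbprint_matches_fixed)):
        print(label, "correct ->", assume_role_decision(IDP_CHAIN, CORRECT_THUMBPRINTS, check))
        print(label, "wrong   ->", assume_role_decision(IDP_CHAIN, WRONG_THUMBPRINTS, check))
```

An operator-side sanity check that does not depend on the fix is the one already shown in this report: compare the `ThumbprintList` returned by `iam get-open-id-connect-provider` with the values `obtain_oidc_thumbprint.sh` computes from the live identity provider; any registered value absent from that output should be treated as a misconfiguration even on a build where the request still succeeds.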

Comment 9 errata-xmlrpc 2025-06-26 12:18:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat Ceph Storage 8.1 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2025:9775

Comment 10 Red Hat Bugzilla 2025-10-29 04:25:04 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

