[OCPBUGS-42772] Go's 1.22 net/http.ServeMux causes oauth-server to panic with IDP names that contain whitespaces

    • Bug
    • Resolution: Done-Errata
    • 4.18.0
    • oauth-apiserver
    • Auth - Sprint 250
    • Approved
    • Release Note Not Required
    • In Progress

      Description of problem:

          When an IDP name contains whitespace, it causes the oauth-server to panic if Golang is v1.22 or higher.

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          always

      Steps to Reproduce:

          1. Create a cluster with OCP 4.17
          2. Create IDP with whitespaces in the name.
          3. oauth-server panics.
          

      Actual results:

          oauth-server panics (if Go is at version 1.22 or higher).

      Expected results:

          NO REGRESSION; it worked with Go 1.21 and lower.

      Additional info:

          


            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Important: OpenShift Container Platform 4.18.1 bug fix and security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:6122


            Xingxing Xia added a comment - edited

            After more thorough testing, filed another bug: OCPBUGS-44099

            Xingxing Xia added a comment -

            Will add test case for it.

            Xingxing Xia added a comment -

            Then, using the same steps, tested in the fixed env (4.18.0-0.nightly-2024-10-31-190119). No such issue; oc login works well.

            More thorough testing: added one more idp, an ldap idp with the idp name '*my ldap idp #2?*'; still no issue, oc login and console login still work well:

            $ oc get user
            NAME          UID                                    FULL NAME   IDENTITIES
            testuser-10   4bee9a61-99db-4d25-a8e2-56fa9ac4437e               **my idp #2?**:testuser-10
            user          982228bb-15d3-4f30-b299-053af7e73d90   user        **my ldap idp #2?**:Y249dXNlcixvdT1wZW9wbGUsb3U9cmZjMjMwNyxkYz1leGFtcGxlLGRjPWNvbQ
            

            So moving to Verified.

            Xingxing Xia added a comment -

            First, double-reproduced it in the old unfixed env (4.17.3); indeed reproduced:

            $ oc edit oauth cluster
            ...
            spec:
              identityProviders:
              - htpasswd:
                  fileData:
                    name: htpass-secret
                mappingMethod: claim
                name: '**my idp #2?**'
                type: HTPasswd
            
            $ oc get po -n openshift-authentication
            NAME                               READY   STATUS             RESTARTS      AGE   
            oauth-openshift-754c86cc6f-gg5nj   0/1     CrashLoopBackOff   3 (14s ago)   97s
            ...
            
            $ oc logs -p -n openshift-authentication oauth-openshift-754c86cc6f-gg5nj
            ...
            panic: parsing "/login/**my idp #2?**": at offset 0: invalid method "/login/**my"
            
            goroutine 1 [running]:
            net/http.(*ServeMux).register(...)
                    net/http/server.go:2738
            net/http.(*ServeMux).Handle(0x4000450380?, {0x4000293920?, 0x2?}, {0x2812120?, 0x40006f8b40?})
                    net/http/server.go:2701 +0x64
            github.com/openshift/oauth-server/pkg/server/login.(*Login).Install(...)
                    github.com/openshift/oauth-server/pkg/server/login/login.go:95
            github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).getAuthenticationHandler(0x40005d5880, {0x281d058, 0x40006b85b0}, {0x2811f60, 0x40004aef20})
                    github.com/openshift/oauth-server/pkg/oauthserver/auth.go:374 +0x15e4
            github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).getAuthorizeAuthenticationHandlers(0x40005d5880, {0x281d058, 0x40006b85b0}, {0x2811f60, 0x40004aef20})
                    github.com/openshift/oauth-server/pkg/oauthserver/auth.go:242 +0x54
            github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).WithOAuth(0x40005d5880, {0x280fee0, 0x40003f4fe0})
                    github.com/openshift/oauth-server/pkg/oauthserver/auth.go:107 +0x19c
            github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).buildHandlerChainForOAuth(0x40005d5880, {0x280fee0?, 0x40003f4fe0?}, 0x4000412e08)
                    github.com/openshift/oauth-server/pkg/oauthserver/oauth_apiserver.go:342 +0x34
            ...
            


            Scott Dodson added a comment -

            I'd added UpgradeBlocker to this one but then realized that it'd already been done on the 4.17.z clone.

              Krzysztof Ostrowski (kostrows@redhat.com)
              Xingxing Xia