
Go's 1.22 net/http.ServeMux causes oauth-server to panic with idp names that contain whitespaces [4.17]

    • Important
    • Yes
    • Auth - Sprint 250
    • 1
    • False
    • Previously, due to a behavior regression in Go 1.22, `oauth-server` pods crashed if the IDP configuration contained multiple password-based IDPs, such as `htpasswd`, with at least one of them having spaces in its name. Note that if the bootstrap user, `kubeadmin`, still exists in a cluster, the user also counts as a password-based IDP. With this release, a fix to the `oauth-server` resolves this issue and prevents the server from crashing. (link:https://issues.redhat.com/browse/OCPBUGS-43587[*OCPBUGS-43587*])
    • Bug Fix
    • Done

      Description of problem:

          When there is more than one password-based IDP (like htpasswd) and its name contains whitespaces, it causes the oauth-server to panic, if Golang is v1.22 or higher.

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          always

      Steps to Reproduce:

          1. Create a cluster with OCP 4.17
          2. Create at least two password-based IDPs (like htpasswd) with whitespaces in the name.
          3. oauth-server panics.
          

      Actual results:

          oauth-server panics (if Go is at version 1.22 or higher).

      Expected results:

          NO REGRESSION, it worked with Go 1.21 and lower.

      Additional info:

          


            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Important: OpenShift Container Platform 4.17.4 bug fix and security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:8981


            Xingxing Xia added a comment -

            Already pre-merge verified (https://github.com/openshift/oauth-server/pull/162#issuecomment-2451614193)

            W. Trevor King added a comment -

            AUTH-550 has been declared as OAuthServerDownIfSpaceInIDPName. I've dropped ImpactStatementProposed and added UpdateRecommendationsBlocked here.

            Hongkai Liu added a comment -

            This card has been labeled as a potential upgrade risk with an UpgradeBlock label. We have created a card AUTH-550 to help us understand the impact of the bug so that we can warn exposed cluster owners about it before they upgrade to an affected OCP version and assigned it to rh-ee-irinis (this card's assignee). The card simply asks for answers to several questions and should not require too much time to answer.
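
The failure described in this report can be reproduced outside the cluster with a few lines of Go. The following is an added example, not code from oauth-server or from the linked pull request: it lists IDP names that contain whitespace (the condition that exposes a cluster), shows that Go 1.22's `ServeMux` reads the whitespace as the end of a `METHOD ` prefix, and shows one possible guard, percent-encoding the name before registering it. The `/login/` prefix, the helper names and the sample IDP names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// loginPrefix is a hypothetical per-IDP route prefix, assumed for this example.
const loginPrefix = "/login/"

// riskyNames returns the IDP names that contain a space or tab. The Go 1.22+
// ServeMux reads whitespace in a pattern as the end of a "METHOD " prefix.
func riskyNames(names []string) []string {
	var out []string
	for _, n := range names {
		if strings.ContainsAny(n, " \t") {
			out = append(out, n)
		}
	}
	return out
}

// tryHandle registers pattern on a fresh mux, turning a registration panic into an error.
func tryHandle(pattern string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("register %q: %v", pattern, r)
		}
	}()
	http.NewServeMux().HandleFunc(pattern, func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "login page")
	})
	return nil
}

// safePattern percent-encodes the name so the pattern holds no whitespace.
func safePattern(name string) string {
	return loginPrefix + url.PathEscape(name)
}

func main() {
	names := []string{"corp-ldap", "corp htpasswd"} // constructed sample names
	fmt.Println("names with whitespace:", riskyNames(names))
	for _, n := range names {
		fmt.Printf("%q raw: %v | escaped: %v\n", n, tryHandle(loginPrefix+n), tryHandle(safePattern(n)))
	}
}
```

With the Go 1.22 pattern syntax active, the raw registration for the name containing a space is rejected with an "invalid method" error, while the percent-encoded pattern registers without error.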


              rh-ee-irinis Ilias Rinis
              kostrows@redhat.com Krzysztof Ostrowski
              Xingxing Xia Xingxing Xia