OpenShift Bugs / OCPBUGS-44099

oauth-server panic with OAuth2.0 idp names that contain whitespaces


    • Bug
    • Resolution: Unresolved
    • 4.18.0
    • oauth-apiserver
    • Important
    • Proposed
    • Fixed an oauth-server crash when configuring an oauth IDP with a callback path that contained spaces.
    • Bug Fix
    • Proposed

      Description of problem:

      OCPBUGS-42772 is verified, but testing found that oauth-server panics with OAuth 2.0 IdP names that contain whitespace.

      Version-Release number of selected component (if applicable):

      4.18.0-0.nightly-2024-10-31-190119    

      How reproducible:

      Always    

      Steps to Reproduce:

      1. Set up Google IDP with below:
      $ oc create secret generic google-secret-1 --from-literal=clientSecret=xxxxxxxx -n openshift-config
      $ oc edit oauth cluster
      spec:
        identityProviders:
        - google:
            clientID: 9745..snipped..apps.googleusercontent.com
            clientSecret:
              name: google-secret-1
            hostedDomain: redhat.com
          mappingMethod: claim
          name: 'my Google idp'
          type: Google
      ...

      Actual results:

      oauth-server panic:

      $ oc get po -n openshift-authentication
      NAME                               READY   STATUS             RESTARTS
      oauth-openshift-59545c6f5-dwr6s    0/1     CrashLoopBackOff   11 (4m10s ago)
      ...
      
      $ oc logs -p -n openshift-authentication oauth-openshift-59545c6f5-dwr6s
      Copying system trust bundle
      I1101 03:40:09.883698       1 dynamic_serving_content.go:113] "Loaded a new cert/key pair" name="serving-cert::/var/config/system/secrets/v4-0-config-system-serving-cert/tls.crt::/var/config/system/secrets/v4-0-config-system-serving-cert/tls.key"
      I1101 03:40:09.884046       1 dynamic_serving_content.go:113] "Loaded a new cert/key pair" name="sni-serving-cert::/var/config/system/secrets/v4-0-config-system-router-certs/apps.hongli-az.qe.azure.devcluster.openshift.com::/var/config/system/secrets/v4-0-config-system-router-certs/apps.hongli-az.qe.azure.devcluster.openshift.com"
      I1101 03:40:10.335739       1 audit.go:340] Using audit backend: ignoreErrors<log>
      I1101 03:40:10.347632       1 requestheader_controller.go:244] Loaded a new request header values for RequestHeaderAuthRequestController
      panic: parsing "/oauth2callback/my Google idp": at offset 0: invalid method "/oauth2callback/my"

      goroutine 1 [running]:
      net/http.(*ServeMux).register(...)
              net/http/server.go:2738
      net/http.(*ServeMux).Handle(0x29844c0?, {0xc0008886a0?, 0x2984420?}, {0x2987fc0?, 0xc0006ff4a0?})
              net/http/server.go:2701 +0x56
      github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).getAuthenticationHandler(0xc0006c28c0, {0x298f618, 0xc0008a4d00}, {0x2984540, 0xc000171450})
              github.com/openshift/oauth-server/pkg/oauthserver/auth.go:407 +0x11ad
      github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).getAuthorizeAuthenticationHandlers(0xc0006c28c0, {0x298f618, 0xc0008a4d00}, {0x2984540, 0xc000171450})
              github.com/openshift/oauth-server/pkg/oauthserver/auth.go:243 +0x65
      github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).WithOAuth(0xc0006c28c0, {0x2982500, 0xc0000aca80})
              github.com/openshift/oauth-server/pkg/oauthserver/auth.go:108 +0x21d
      github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).buildHandlerChainForOAuth(0xc0006c28c0, {0x2982500?, 0xc0000aca80?}, 0xc000785888)
              github.com/openshift/oauth-server/pkg/oauthserver/oauth_apiserver.go:342 +0x45
      k8s.io/apiserver/pkg/server.completedConfig.New.func1({0x2982500?, 0xc0000aca80?})
              k8s.io/apiserver@v0.29.2/pkg/server/config.go:825 +0x28
      k8s.io/apiserver/pkg/server.NewAPIServerHandler({0x252ca0a, 0xf}, {0x2996020, 0xc000501a00}, 0xc0005d1740, {0x0, 0x0})
              k8s.io/apiserver@v0.29.2/pkg/server/handler.go:96 +0x2ad
      k8s.io/apiserver/pkg/server.completedConfig.New({0xc000785888?, {0x0?, 0x0?}}, {0x252ca0a, 0xf}, {0x29b41a0, 0xc000171370})
              k8s.io/apiserver@v0.29.2/pkg/server/config.go:833 +0x2a5
      github.com/openshift/oauth-server/pkg/oauthserver.completedOAuthConfig.New({{0xc0005add40?}, 0xc0006c28c8?}, {0x29b41a0?, 0xc000171370?})
              github.com/openshift/oauth-server/pkg/oauthserver/oauth_apiserver.go:322 +0x6a
      github.com/openshift/oauth-server/pkg/cmd/oauth-server.RunOsinServer(0xc000451cc0?, 0xc000810000?, 0xc00061a5a0)
              github.com/openshift/oauth-server/pkg/cmd/oauth-server/server.go:45 +0x73
      github.com/openshift/oauth-server/pkg/cmd/oauth-server.(*OsinServerOptions).RunOsinServer(0xc00030e168, 0xc00061a5a0)
              github.com/openshift/oauth-server/pkg/cmd/oauth-server/cmd.go:108 +0x259
      github.com/openshift/oauth-server/pkg/cmd/oauth-server.NewOsinServerCommand.func1(0xc00061c300?, {0x251a8c8?, 0x4?, 0x251a8cc?})
              github.com/openshift/oauth-server/pkg/cmd/oauth-server/cmd.go:46 +0xed
      github.com/spf13/cobra.(*Command).execute(0xc000780008, {0xc00058d6c0, 0x7, 0x7})
              github.com/spf13/cobra@v1.7.0/command.go:944 +0x867
      github.com/spf13/cobra.(*Command).ExecuteC(0xc0001a3b08)
              github.com/spf13/cobra@v1.7.0/command.go:1068 +0x3a5
      github.com/spf13/cobra.(*Command).Execute(...)
              github.com/spf13/cobra@v1.7.0/command.go:992
      k8s.io/component-base/cli.run(0xc0001a3b08)
              k8s.io/component-base@v0.29.2/cli/run.go:146 +0x290
      k8s.io/component-base/cli.Run(0xc00061a5a0?)
              k8s.io/component-base@v0.29.2/cli/run.go:46 +0x17
      main.main()
              github.com/openshift/oauth-server/cmd/oauth-server/main.go:46 +0x2de
      
      

      Expected results:

      No panic

      Additional info:

      Tried in old env like 4.16.20 with same steps, no panic:
      $ oc get clusterversion
      NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.16.20   True        False         95m     Cluster version is 4.16.20
      
      $ oc get po -n openshift-authentication
      NAME                               READY   STATUS    RESTARTS   AGE    
      oauth-openshift-7dfcd8c8fd-77ltf   1/1     Running   0          116s   
      oauth-openshift-7dfcd8c8fd-sr97w   1/1     Running   0          89s    
      oauth-openshift-7dfcd8c8fd-tsrff   1/1     Running   0          62s
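
Added example, not part of the original report and not code from oauth-server: since Go 1.22, `net/http.ServeMux` reads the text before the first space or tab in a pattern as an HTTP method, which is why a callback path built from `'my Google idp'` panics at registration. The function names are hypothetical, and percent-encoding the name is an assumed mitigation, not the project's actual fix.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// callbackPrefix is the path prefix seen in the panic message.
const callbackPrefix = "/oauth2callback/"

// rawPattern concatenates the IdP name unchanged, producing the pattern from
// the panic message: "/oauth2callback/my Google idp".
func rawPattern(idpName string) string { return callbackPrefix + idpName }

// escapedPattern percent-encodes the name so the pattern contains no whitespace.
// Assumption: one possible mitigation, not the change made in oauth-server.
func escapedPattern(idpName string) string {
	return callbackPrefix + url.PathEscape(idpName)
}

// hasMethodSeparator reports whether the pattern contains a space or tab, which
// ServeMux (Go 1.22+) uses to split "METHOD /path" patterns.
func hasMethodSeparator(pattern string) bool {
	return strings.ContainsAny(pattern, " \t")
}

// tryRegister registers the pattern on a fresh mux and converts a ServeMux
// panic into an error, so bad configuration is reported instead of crashing.
func tryRegister(pattern string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("rejected pattern %q: %v", pattern, r)
		}
	}()
	http.NewServeMux().Handle(pattern, http.NotFoundHandler())
	return nil
}

func main() {
	name := "my Google idp" // IdP name from the reproduction steps
	for _, p := range []string{rawPattern(name), escapedPattern(name)} {
		fmt.Printf("%q separator=%v err=%v\n", p, hasMethodSeparator(p), tryRegister(p))
	}
}
```

Built with Go 1.22 or later, the raw pattern comes back as an error carrying the same `invalid method` text as the panic, while the escaped pattern registers cleanly.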
      

              rh-ee-irinis Ilias Rinis
              xxia-1 Xingxing Xia
              Xingxing Xia Xingxing Xia