Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-44474

No input validation for identityProvider name - accepts name with spaces

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Undefined Undefined
    • None
    • 4.17.z
    • oauth-apiserver
    • None
    • None
    • False
    • Hide

      None

      Show
      None

      OCP version:  4.17.3

      Steps to reproduce:

      Try to edit oauth, with oc edit oauth cluster.

       

      Set htpasswd identityProvider with name that has space in it spec the following:

      spec:
  identityProviders:
  - htpasswd:
      fileData:
        name: htpasswd
    mappingMethod: claim
    name: "htpasswd authentication"
    type: HTPasswd

      Result:

      The above is accepted. Later when the pods under openshift-authentication namespace attempt to restart - the fail to start with:

       

       

      



[kni@r640-u01 ~]$ oc get pod -n openshift-authentication
NAME                               READY   STATUS    RESTARTS     AGEoauth-openshift-5f7998d59-7kbjx    1/1     Running   0            70moauth-openshift-5f7998d59-dtmff    1/1     Running   0            69moauth-openshift-7cc87487f5-2j6pw   0/1     Error     1 (1s ago)   4s[kni@r640-u01 ~]$ oc logs -n openshift-authentication oauth-openshift-7cc87487f5-2j6pwCopying system trust bundleI1112 18:39:25.733263       1 dynamic_serving_content.go:113] "Loaded a new cert/key pair" name="serving-cert::/var/config/system/secrets/v4-0-config-system-serving-cert/tls.crt::/var/config/system/secrets/v4-0-config-system-serving-cert/tls.key"I1112 18:39:25.733449       1 dynamic_serving_content.go:113] "Loaded a new cert/key pair" name="sni-serving-cert::/var/config/system/secrets/v4-0-config-system-router-certs/apps.kni-qe-64.lab.eng.rdu2.redhat.com::/var/config/system/secrets/v4-0-config-system-router-certs/apps.kni-qe-64.lab.eng.rdu2.redhat.com"I1112 18:39:25.976476       1 audit.go:340] Using audit backend: ignoreErrors<log>I1112 18:39:25.984837       1 requestheader_controller.go:244] Loaded a new request header values for RequestHeaderAuthRequestControllerpanic: parsing "/login/htpasswd authentication": at offset 0: invalid method "/login/htpasswd"
goroutine 1 [running]:net/http.(*ServeMux).register(...)	net/http/server.go:2738net/http.(*ServeMux).Handle(0xc00054faa0?, {0xc00019bb60?, 0x2?}, {0x2977760?, 0xc0008ec600?})	net/http/server.go:2701 +0x56github.com/openshift/oauth-server/pkg/server/login.(*Login).Install(...)	github.com/openshift/oauth-server/pkg/server/login/login.go:95github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).getAuthenticationHandler(0xc000782700, {0x29825d8, 0xc000752680}, {0x29775a0, 0xc00074dab0})	github.com/openshift/oauth-server/pkg/oauthserver/auth.go:374 +0x1a03github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).getAuthorizeAuthenticationHandlers(0xc000782700, {0x29825d8, 0xc000752680}, {0x29775a0, 0xc00074dab0})	github.com/openshift/oauth-server/pkg/oauthserver/auth.go:242 +0x65github.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).WithOAuth(0xc000782700, {0x2975560, 0xc00054e5a0})	github.com/openshift/oauth-server/pkg/oauthserver/auth.go:107 +0x21dgithub.com/openshift/oauth-server/pkg/oauthserver.(*OAuthServerConfig).buildHandlerChainForOAuth(0xc000782700, {0x2975560?, 0xc00054e5a0?}, 0xc000669c08)	github.com/openshift/oauth-server/pkg/oauthserver/oauth_apiserver.go:342 +0x45k8s.io/apiserver/pkg/server.completedConfig.New.func1({0x2975560?, 0xc00054e5a0?})	k8s.io/apiserver@v0.29.2/pkg/server/config.go:825 +0x28k8s.io/apiserver/pkg/server.NewAPIServerHandler({0x2520b57, 0xf}, {0x2988fe0, 0xc000192540}, 0xc000795740, {0x0, 0x0})	k8s.io/apiserver@v0.29.2/pkg/server/handler.go:96 +0x2adk8s.io/apiserver/pkg/server.completedConfig.New({0xc000669c08?, {0x0?, 0x0?}}, {0x2520b57, 0xf}, {0x29a70a0, 0xc00074d9d0})	k8s.io/apiserver@v0.29.2/pkg/server/config.go:833 +0x2a5github.com/openshift/oauth-server/pkg/oauthserver.completedOAuthConfig.New({{0xc000a94b70?}, 0xc000782708?}, {0x29a70a0?, 0xc00074d9d0?})	github.com/openshift/oauth-server/pkg/oauthserver/oauth_apiserver.go:322 +0x6agithub.com/openshift/oauth-server/pkg/cmd/oauth-server.RunOsinServer(0xc0001781e0?, 0xc000353800?, 0xc0006a0000)	github.com/openshift/oauth-server/pkg/cmd/oauth-server/server.go:45 +0x73github.com/openshift/oauth-server/pkg/cmd/oauth-server.(*OsinServerOptions).RunOsinServer(0xc0004a6060, 0xc0006a0000)	github.com/openshift/oauth-server/pkg/cmd/oauth-server/cmd.go:108 +0x259github.com/openshift/oauth-server/pkg/cmd/oauth-server.NewOsinServerCommand.func1(0xc0004ea000?, {0x250ea67?, 0x4?, 0x250ea6b?})	github.com/openshift/oauth-server/pkg/cmd/oauth-server/cmd.go:46 +0xedgithub.com/spf13/cobra.(*Command).execute(0xc0004e8308, {0xc00026a310, 0x7, 0x7})	github.com/spf13/cobra@v1.7.0/command.go:944 +0x867github.com/spf13/cobra.(*Command).ExecuteC(0xc0004e8008)	github.com/spf13/cobra@v1.7.0/command.go:1068 +0x3a5github.com/spf13/cobra.(*Command).Execute(...)	github.com/spf13/cobra@v1.7.0/command.go:992k8s.io/component-base/cli.run(0xc0004e8008)	k8s.io/component-base@v0.29.2/cli/run.go:146 +0x290k8s.io/component-base/cli.Run(0xc0006a0000?)	k8s.io/component-base@v0.29.2/cli/run.go:46 +0x17main.main()	github.com/openshift/oauth-server/cmd/oauth-server/main.go:46 +0x2de

       

      Expected result:

      There should be validation that would prevent submitting a name separated with space.

       

              Unassigned Unassigned
              achuzhoy@redhat.com Alexander Chuzhoy
              Xingxing Xia Xingxing Xia
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: