OpenStack Identity (keystone)

Validation parameter_type.url regex doesn't pass validation for IPv6 addresses

Bug #1386376 reported by Matthew Edmonds on 2014-10-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Matthew Edmonds	OpenStack Identity (keystone) 2015.1.0 "kilo"
	Juno	Fix Released	Medium	Brant Knudson	OpenStack Identity (keystone) 2014.2.1

Bug Description

Can't create an endpoint with an IPv6 address in the URL. E.g.:

[root@XXXXXXXX ~]# curl -k -i -X POST https://localhost:35357/v3/endpoints -H "Accept: application/json" -H "X-Auth-Token: 96d82b1a36a94b439fd91d2a875380be" -H "Content-Type: application/json" -d '{"endpoint": {"interface": "admin", "name": "metering", "region": "RegionOne", "url": "https://[fd55:faaf:e1ab:3ea:9:114:251:134]:8777/v2", "service_id": "57118ebd91094d7d8d609136d185f0dd"}}'; echo
HTTP/1.1 400 Bad Request
Date: Mon, 27 Oct 2014 18:42:32 GMT
Server: Apache/2.2.15 (Red Hat)
Vary: X-Auth-Token
Content-Length: 182
Connection: close
Content-Type: application/json

{"error": {"message": "Invalid input for field 'url'. The value is 'https://[fd55:faaf:e1ab:3ea:9:114:251:134]:8777/v2'.", "code": 400, "title": "Bad Request"}}

See original description

Matthew Edmonds (edmondsw) on 2014-10-27

Changed in keystone:
assignee:	nobody → Matthew Edmonds (edmondsw)

Lance Bragstad (lbragstad) on 2014-10-27

summary:

- endpoint url validation fails for IPv6 addresses
+ Validation parameter_type.url regex doesn't pass validation for IPv6
+ addresses with ports

Revision history for this message

Lance Bragstad (lbragstad) wrote on 2014-10-27: Re: Validation parameter_type.url regex doesn't pass validation for IPv6 addresses with ports

Endpoint url validation is controlled by a regular expression [1]. We had the option to use the url validation FormatChecker object that was built into jsonschema but it relies on rfc3987 [2], which is GPL licensed. The rfc3987 library wasn't added to global requirements since it is GPL licensed [3]. Chances are the regex can be tweaked to allow for ipv6 addresses with ports.

[1] https://github.com/openstack/keystone/blob/15a01f2918b4822b3df660ca2567ef398ed7d0a3/keystone/common/validation/parameter_types.py#L53-L59
[2] https://pypi.python.org/pypi/rfc3987
[3] https://review.openstack.org/#/c/98012/

Matthew Edmonds (edmondsw) on 2014-10-27

description:

updated

Lance Bragstad (lbragstad) on 2014-10-27

summary:

Validation parameter_type.url regex doesn't pass validation for IPv6
- addresses with ports
+ addresses

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-28: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/131326

Changed in keystone:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-30: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/131326
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7fa6e92c441644c0d990e79a78692b786d88acec
Submitter: Jenkins
Branch: master

commit 7fa6e92c441644c0d990e79a78692b786d88acec
Author: Matthew Edmonds <email address hidden>
Date: Mon Oct 27 16:34:35 2014 -0400

Adds IPv6 url validation support

Fixes an issue where url validation fails when attempting to
create an endpoint with an IPv6 address in the URL.

Change-Id: I179b0cb7e5546a3a051e5a1e6390385a833b9f96
Closes-Bug: 1386376

Changed in keystone:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-30: Fix proposed to keystone (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/131902

Brant Knudson (blk-u) on 2014-10-30

tags:

added: juno-backport-potential

Alan Pevec (apevec) on 2014-11-20

tags:	removed: juno-backport-potential
Changed in keystone:
importance:	Undecided → Medium

Morgan Fainberg (mdrnstm) on 2014-11-20

Changed in keystone:
milestone:	none → kilo-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-23: Fix merged to keystone (stable/juno)

Reviewed: https://review.openstack.org/131902
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bd92689e4915f6dfe4ca72c802146ecd5d206bcf
Submitter: Jenkins
Branch: stable/juno

commit bd92689e4915f6dfe4ca72c802146ecd5d206bcf
Author: Matthew Edmonds <email address hidden>
Date: Mon Oct 27 16:34:35 2014 -0400

Adds IPv6 url validation support

Fixes an issue where url validation fails when attempting to
create an endpoint with an IPv6 address in the URL.

    Change-Id: I179b0cb7e5546a3a051e5a1e6390385a833b9f96
    Closes-Bug: 1386376
    (cherry picked from commit 7fa6e92c441644c0d990e79a78692b786d88acec)

Revision history for this message

Will Angenent (will-angenent) wrote on 2014-11-25:

This is a copy-paste of a comment I put on a related bug incorrectly, https://bugs.launchpad.net/keystone/+bug/1266416/comments/3

I've run into another validation problem as well using Juno keystone v3. This test code demonstrates the problem with the regular expression:

import re

foo = {
    'pat': '^https?://'
           '(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)'
           '+[a-zA-Z]{2,6}\.?|'
           'localhost|'
           '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
           '(?::\d+)?'
           '(?:/?|[/?]\S+)$'
}

pat = foo['pat']

print bool(re.match(pat, 'https://foo')) # Bad
print bool(re.match(pat, 'https://foo.l')) # Bad
print bool(re.match(pat, 'https://foo.lo')) # Good
print bool(re.match(pat, 'https://foo.loc')) # Good
print bool(re.match(pat, 'https://foo.loca')) # Good
print bool(re.match(pat, 'https://foo.local')) # Good
print bool(re.match(pat, 'https://foo.locald')) # Good
print bool(re.match(pat, 'https://foo.localdo')) # Bad
print bool(re.match(pat, 'https://foo.localdoma')) # Bad

It appears the above domain name has to be between 2 and 6 characters. The [a-zA-Z]{2,6} part is responsible for that. Looking at the diff for the IPv6 fix, it should solve this one too.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-12-01: Fix proposed to keystone (feature/hierarchical-multitenancy)

Fix proposed to branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-12-01: Change abandoned on keystone (feature/hierarchical-multitenancy)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

Thierry Carrez (ttx) on 2014-12-17

Changed in keystone:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-04-30

Changed in keystone:
milestone:	kilo-1 → 2015.1.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.