500 Internal Server Error when changing password
Closed, Resolved | Public | BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

  • Navigate to the hamburger menu on the top-left corner of the Bitu Identity Manager interface.
  • Select the "Change Password" option from the menu.
  • Enter your old password, a new password, and repeat the new password in the respective fields.
  • Click on the "Update" button.

What happens?:
An error occurs, displaying a "500 Internal Server Error - Your request caused an error on the server" page.

What should have happened instead?:
The password update should complete successfully, and the system should confirm the change with a success message.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

Event Timeline

Pppery renamed this task from IDM Bug-Report to 500 Internal Server Error when changing password. Dec 2 2024, 8:49 PM
SLyngshede-WMF changed the task status from Open to In Progress. Dec 3 2024, 7:22 AM
SLyngshede-WMF claimed this task.
SLyngshede-WMF triaged this task as High priority.

Hi, thank you for reporting.

I think I found the error in the logs, but I'm still trying to reproduce it locally.

ERROR 2024-12-02 20:38:32,958 Internal Server Error: /ldapbackend/password/
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/contrib/auth/decorators.py", line 21, in _wrapped_view
    return view_func(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/views/generic/base.py", line 70, in view
    return self.dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/views/generic/base.py", line 98, in dispatch
    return handler(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/views/generic/edit.py", line 141, in post
    if form.is_valid():
       ^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/forms/forms.py", line 175, in is_valid
    return self.is_bound and not self.errors
                                 ^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/django/forms/forms.py", line 170, in errors
    self.full_clean()
  File "/usr/lib/python3/dist-packages/django/forms/forms.py", line 372, in full_clean
    self._clean_fields()
  File "/usr/lib/python3/dist-packages/django/forms/forms.py", line 393, in _clean_fields
    value = getattr(self, 'clean_%s' % name)()
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/bitu/ldapbackend/forms.py", line 107, in clean_old_password
    ldap_password_verification(self.cleaned_data['username'],
  File "/usr/lib/python3/dist-packages/bitu/ldapbackend/validators.py", line 126, in ldap_password_verification
    if not lsm.verify(password, ldap_user.userPassword.value):
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/passlib/utils/handlers.py", line 788, in verify
    self = cls.from_string(hash, **context)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/passlib/handlers/ldap_digests.py", line 83, in from_string
    raise uh.exc.InvalidHashError(cls)
ValueError: not a valid ldap_salted_sha1 hash

Okay, the bug has been located. We're using the passlib library to do password validation. Apparently that library is a little particular about formatting of hashes.

When attempting to validate your existing password, using the hash, passlib notices that the hash for your password has been stored prefixed with: {ssha}. That seems fine, but passlib WILL ONLY ACCEPT {SSHA}.

I will produce a fix and let you know.

Limit in passlib is here: https://foss.heptapod.net/python-libs/passlib/-/blob/branch/stable/passlib/handlers/ldap_digests.py?ref_type=heads#L200

Not actually sure if the passlib module is still being developed, there seems to be a fork, but we're running with the Debian version anyway.

We'll do a workaround in Bitu for now.
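As an added illustration (not Bitu's code, and not passlib itself), the RFC 2307 SSHA layout that the traceback refers to, with a verifier that compares the scheme tag case-insensitively and a hasher that always writes the canonical {SSHA} tag; it covers both the verification failure above and the later "use passlib for hashing" reset-path change. Names and the sample salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# RFC 2307-style salted SHA-1 ("SSHA"):
#   "{SSHA}" + base64( sha1(password || salt) || salt )
SCHEME = "SSHA"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def parse_scheme(stored: str) -> Tuple[str, str]:
    """Split '{scheme}payload' and upper-case the scheme tag.

    Directory servers write the tag in either case; comparing it
    case-insensitively is what avoids a "not a valid hash" failure.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing or unterminated {scheme} prefix")
    end = stored.index("}")
    return stored[1:end].upper(), stored[end + 1:]


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password, always emitting the canonical '{SSHA}' tag."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (SCHEME, base64.b64encode(digest + salt).decode("ascii"))


def normalize_ssha(stored: str) -> str:
    """Rewrite a stored value so the tag reads '{SSHA}' (for strict verifiers)."""
    scheme, payload = parse_scheme(stored)
    if scheme != SCHEME:
        raise ValueError("unsupported scheme %r" % scheme)
    return "{%s}%s" % (SCHEME, payload)


def ssha_verify(password: str, stored: str) -> bool:
    """Verify a password against an SSHA value regardless of the tag's case."""
    payload = normalize_ssha(stored)[len(SCHEME) + 2:]
    raw = base64.b64decode(payload, validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("payload too short to hold a SHA-1 digest and a salt")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)
```

A value stored as {ssha}... verifies the same as its {SSHA}... form, and normalize_ssha() is the one-line rewrite a strict library such as the one in the traceback needs before verify().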

Change #1100058 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/bitu@master] Password update: avoid triggering invalid hash error

https://gerrit.wikimedia.org/r/1100058

Change #1100058 merged by jenkins-bot:

[operations/software/bitu@master] Password update: avoid triggering invalid hash error

https://gerrit.wikimedia.org/r/1100058

@Dogu We've updated idm.wikimedia.org with the fix. If you still have a need to update your password, please give it a go and let me know how it goes.

Hey @SLyngshede-WMF, now it says "Invalid password" below the old password input :)

@Dogu is it the wrong password :-)

It should be the same password you use for https://idp.wikimedia.org

Maybe something else went wrong with the hashing.

One workaround is to sign out on https://idm.wikimedia.org and then sign out of SSO as well, from https://idp.wikimedia.org/logout, and then go to https://idm.wikimedia.org and pretend that you forgot your password. Or, perhaps just as easy, use Toolforge: https://toolsadmin.wikimedia.org/profile/settings/change_password/ will work as well.

I'll do a bit more digging, but I can understand if you just need to change your password. I'll work out the issue separately.

Why should I type the wrong password? I’ve already used it to get in – do you want me to break it again? :)

This comment was removed by Dogu.

Change #1100451 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/bitu@master] Password reset: use passlib for hashing

https://gerrit.wikimedia.org/r/1100451

Change #1100451 merged by jenkins-bot:

[operations/software/bitu@master] Password reset: use passlib for hashing

https://gerrit.wikimedia.org/r/1100451

Patch got merged, should this remain open?

We believe this to be resolved, but please reopen if this is not the case.