Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[develop] check dcv sessions using uid to avoid username truncation #2472

Open
wants to merge 16 commits into
base: develop
Choose a base branch
from

Conversation

timfurlong
Copy link

@timfurlong timfurlong commented Sep 25, 2023

Description of changes

  • The _is_session_valid function of the DCV authenticator would not work for long usernames. This is because the ps aux command truncates lengthy usernames. For example, the processes started by the dcvextauth user display as dcvexta+ in the ps aux output
  • This change fixes the above by querying by UID rather than username

Tests

  • test/unit/dcv/test_dcv_authenticator.py mocked out the changed functions with mock_verify_session_existence, and I couldn't think of an easy way to replicate the behavior without actually starting a process using a long username. Suggestions for a better approach to testing this are more than welcome!
  • Since automated testing seemed impractical in this case, I went with a manual approach. I started a dcv session using dcv create-session using a user with a long username (14 characters long). I then restarted the dcv authenticator process, and queried it using:
curl --retry 3 --max-time 5 -s -k -X GET -G https://localhost:8444 -d action=requestToken \
        -d authUser=$longusername -d sessionID=$sessionID

Prior to this change, this curl command would result in a timeout.

Checklist

  • Make sure you are pointing to the right branch.
  • If you're creating a patch for a branch other than develop add the branch name as prefix in the PR title (e.g. [release-3.6]).
  • Check all commits' messages are clear, describing what and why vs how.
  • Make sure to have added unit tests or integration tests to cover the new/modified code.
  • Check if documentation is impacted by this change.

Please review the guidelines for contributing and Pull Request Instructions.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@timfurlong timfurlong requested review from a team as code owners September 25, 2023 20:53
@codecov
Copy link

codecov bot commented Sep 28, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (c03e02b) 76.27% compared to head (7cf285d) 76.55%.

Additional details and impacted files
@@             Coverage Diff             @@
##           develop    #2472      +/-   ##
===========================================
+ Coverage    76.27%   76.55%   +0.27%     
===========================================
  Files           13       13              
  Lines         1901     1902       +1     
===========================================
+ Hits          1450     1456       +6     
+ Misses         451      446       -5     
Flag Coverage Δ
unittests 76.55% <100.00%> (+0.27%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@enrico-usai enrico-usai added skip-security-exclusions-check Skip the checks regarding the security exclusions skip-changelog-update labels Sep 28, 2023
@@ -361,13 +361,17 @@ def _is_session_valid(user, session_id):
# TODO change this method if DCV updates his behaviour.
"""
logger.info("Verifying NICE DCV session validity..")

# Query by uid rather than username to avoid truncation by ps command
uid = subprocess.check_output(["id", "-u", user]).decode("utf-8").strip()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you also test by passing shell=True to check_output?
see https://bandit.readthedocs.io/en/1.7.5/plugins/b603_subprocess_without_shell_equals_true.html

@enrico-usai
Copy link
Contributor

Hi @timfurlong thanks for creating this patch!
I think we never faced this issue because DCV is enabled only for default users that have short names (ec2-user, centos, ubuntu).

I left a comment.
Thanks!

@timfurlong
Copy link
Author

Hi @timfurlong thanks for creating this patch! I think we never faced this issue because DCV is enabled only for default users that have short names (ec2-user, centos, ubuntu).

I left a comment. Thanks!

Hi @enrico-usai thanks for the feedback! I made a couple of small changes in response to your comment. Please let me know if you'd like to see any other changes.

@timfurlong timfurlong requested a review from enrico-usai October 2, 2023 17:21
@timfurlong
Copy link
Author

@enrico-usai Just bumping this PR. Can you please approve/merge?

@@ -163,6 +163,26 @@ def test_get_request_token_parameter(parameters, keys, result):
DCVAuthenticator._extract_parameters_values(parameters, keys)


def test_is_session_valid(mocker):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An alternative to define this test and avoid code duplication (e.g. mocking part) is using @pytest.mark.parametrize(, passing sessionid, expected_error as parameters.
You can see test_get_request_token_parameter defined above as an example.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
skip-changelog-update skip-security-exclusions-check Skip the checks regarding the security exclusions
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants