-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[develop] check dcv sessions using uid to avoid username truncation #2472
base: develop
Are you sure you want to change the base?
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## develop #2472 +/- ##
===========================================
+ Coverage 76.27% 76.55% +0.27%
===========================================
Files 13 13
Lines 1901 1902 +1
===========================================
+ Hits 1450 1456 +6
+ Misses 451 446 -5
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
@@ -361,13 +361,17 @@ def _is_session_valid(user, session_id): | |||
# TODO change this method if DCV updates his behaviour. | |||
""" | |||
logger.info("Verifying NICE DCV session validity..") | |||
|
|||
# Query by uid rather than username to avoid truncation by ps command | |||
uid = subprocess.check_output(["id", "-u", user]).decode("utf-8").strip() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here you should use: /usr/bin/id
as first argument, see https://bandit.readthedocs.io/en/1.7.5/plugins/b607_start_process_with_partial_path.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you also test by passing shell=True
to check_output
?
see https://bandit.readthedocs.io/en/1.7.5/plugins/b603_subprocess_without_shell_equals_true.html
Hi @timfurlong thanks for creating this patch! I left a comment. |
Hi @enrico-usai thanks for the feedback! I made a couple of small changes in response to your comment. Please let me know if you'd like to see any other changes. |
@enrico-usai Just bumping this PR. Can you please approve/merge? |
@@ -163,6 +163,26 @@ def test_get_request_token_parameter(parameters, keys, result): | |||
DCVAuthenticator._extract_parameters_values(parameters, keys) | |||
|
|||
|
|||
def test_is_session_valid(mocker): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An alternative to define this test and avoid code duplication (e.g. mocking part) is using @pytest.mark.parametrize(
, passing sessionid, expected_error
as parameters.
You can see test_get_request_token_parameter
defined above as an example.
Description of changes
_is_session_valid
function of the DCV authenticator would not work for long usernames. This is because theps aux
command truncates lengthy usernames. For example, the processes started by thedcvextauth
user display asdcvexta+
in theps aux
outputTests
test/unit/dcv/test_dcv_authenticator.py
mocked out the changed functions withmock_verify_session_existence
, and I couldn't think of an easy way to replicate the behavior without actually starting a process using a long username. Suggestions for a better approach to testing this are more than welcome!dcv create-session
using a user with a long username (14 characters long). I then restarted the dcv authenticator process, and queried it using:Prior to this change, this curl command would result in a timeout.
Checklist
develop
add the branch name as prefix in the PR title (e.g.[release-3.6]
).Please review the guidelines for contributing and Pull Request Instructions.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.