OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

Login problems in 1.0.39 #98

Closed RuriRyan closed 6 months ago

RuriRyan commented 6 months ago

We've been running OpenUnison in k8s for some time now and it pretty much just worked. After the update to 1.0.39 it failed with the following error:

[2024-01-10 16:11:12,060][XNIO-1 task-2] INFO  AccessLog - [Error] - completelogin - https://k8sou.<redacted>/auth/oidc - uid=Anonymous,o=Tremolo - NONE [<redacted>] - [<redacted>]
[2024-01-10 16:11:12,060][XNIO-1 task-2] ERROR ConfigSys - Could not process request
org.graalvm.polyglot.PolyglotException: 'void com.novell.ldap.LDAPAttribute.setName(java.lang.String)'
        at net.sourceforge.myvd.types.Entry.renameAttribute(Entry.java:93) ~[myvd-server-1.0.20.jar:?]
        at net.sourceforge.myvd.inserts.mapping.AttributeMapper.postSearchEntry(AttributeMapper.java:231) ~[myvd-server-1.0.20.jar:?]
        at net.sourceforge.myvd.chain.PostSearchEntryInterceptorChain.nextPostSearchEntry(PostSearchEntryInterceptorChain.java:65) ~[myvd-server-1.0.20.jar:?]
        at com.tremolosecurity.proxy.myvd.log.AccessLog.postSearchEntry(AccessLog.java:383) ~[unison-server-core-1.0.39.jar:?]
        at net.sourceforge.myvd.chain.PostSearchEntryInterceptorChain.nextPostSearchEntry(PostSearchEntryInterceptorChain.java:65) ~[myvd-server-1.0.20.jar:?]
        at net.sourceforge.myvd.types.Results.nextEntry(Results.java:244) ~[myvd-server-1.0.20.jar:?]
        at net.sourceforge.myvd.types.Results.hasMore(Results.java:156) ~[myvd-server-1.0.20.jar:?]
        at net.sourceforge.myvd.types.Results.finishSet(Results.java:189) ~[myvd-server-1.0.20.jar:?]
        at net.sourceforge.myvd.types.Results.hasMore(Results.java:151) ~[myvd-server-1.0.20.jar:?]
        at net.sourceforge.myvd.types.Results.start(Results.java:112) ~[myvd-server-1.0.20.jar:?]
        at net.sourceforge.myvd.chain.jdbcLdapImpl.EntrySetSearchResults.<init>(EntrySetSearchResults.java:33) ~[myvd-server-1.0.20.jar:?]
        at com.tremolosecurity.proxy.myvd.MyVDConnection.search(MyVDConnection.java:101) ~[unison-sdk-1.0.39.jar:?]
        at com.tremolosecurity.provisioning.core.WorkflowImpl.executeWorkflow(WorkflowImpl.java:585) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.provisioning.auth.JITAuthMech.doGet(JITAuthMech.java:126) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.execAuth(AuthManagerImpl.java:452) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.nextAuth(AuthManagerImpl.java:134) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.nextAuth(AuthManagerImpl.java:88) ~[unison-server-core-1.0.39.jar:?]
        at <js>.doAuth(Unnamed:34) ~[?:?]
        at org.graalvm.polyglot.Value.execute(Value.java:880) ~[graal-sdk-22.3.4.jar:?]
        at com.tremolosecurity.proxy.auth.JavaScriptAuth.doGet(JavaScriptAuth.java:66) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.execAuth(AuthManagerImpl.java:452) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.nextAuth(AuthManagerImpl.java:134) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.nextAuth(AuthManagerImpl.java:88) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.FullMappingAuthMech.doGet(FullMappingAuthMech.java:85) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.execAuth(AuthManagerImpl.java:452) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.nextAuth(AuthManagerImpl.java:134) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.nextAuth(AuthManagerImpl.java:88) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.unison.proxy.auth.openidconnect.OpenIDConnectAuthMech.doGet(OpenIDConnectAuthMech.java:443) ~[unison-auth-openidconnect-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:196) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:89) ~[unison-sdk-1.0.39.jar:?]
        at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:111) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.auth.AuthSys.doAuth(AuthSys.java:88) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:105) ~[unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.proxy.ConfigSys.doConfig(ConfigSys.java:296) [unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:93) [unison-server-core-1.0.39.jar:?]
        at com.tremolosecurity.filter.UnisonServletFilter.doFilter(UnisonServletFilter.java:299) [unison-server-core-1.0.39.jar:?]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101) [undertow-servlet-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:393) [undertow-core-2.3.10.Final.jar:2.3.10.Final]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859) [undertow-core-2.3.10.Final.jar:2.3.10.Final]
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) [jboss-threads-2.3.6.Final.jar:2.3.6.Final]
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) [jboss-threads-2.3.6.Final.jar:2.3.6.Final]
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) [jboss-threads-2.3.6.Final.jar:2.3.6.Final]
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) [jboss-threads-2.3.6.Final.jar:2.3.6.Final]
        at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) [xnio-api-3.8.12.Final.jar:3.8.12.Final]
        at java.base/java.lang.Thread.run(Thread.java:829) [?:?]

Downgrading to 1.0.38 works just fine. We're using the helm charts and I just changed the image version for the orchestra chart.

We're using AzureAD as the IDP.

I looked through some changes but couldn't find any in the files mentioned in the stacktrace. I would guess this is related to a wrong/missing configuration somewhere?

mlbiam commented 6 months ago

looks like we got bit by a bug in a dependency - https://github.com/jdereg/json-io/issues/250 (which coincidentally happened because that library was fixing a bug we reported) and the class loader picked up the older version of the jar.

the fix is pushed and in the latest 1.0.3 image (ghcr.io/openunison/openunison-k8s:1.0.39-cb663a). Can you give it a try and see if it resolves your issue?
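
The failure mode described in the comment above (the class loader resolving a class from an older jar) can be checked for by listing classes that more than one jar on the classpath provides. This is an added example, not part of the thread or the OpenUnison project; the jar and class names are constructed, and it assumes a class loader where the first jar in classpath order wins.

```python
import io
import zipfile
from collections import defaultdict


def class_providers(jars):
    """Map each .class entry to the jars containing it, in classpath order.

    `jars` is an ordered list of (name, source) pairs; source may be a
    file path, an open binary file, or the raw bytes of a jar.
    """
    providers = defaultdict(list)
    for name, source in jars:
        src = io.BytesIO(source) if isinstance(source, bytes) else source
        with zipfile.ZipFile(src) as zf:
            # set() guards against a jar listing the same entry twice
            for entry in set(zf.namelist()):
                if entry.endswith(".class"):
                    providers[entry].append(name)
    return providers


def shadowed_classes(jars):
    """Return {class_entry: (winning_jar, [shadowed_jars])} for duplicates.

    Assumption: first-match-wins resolution, so the earliest jar that
    holds a class hides every later copy, including a newer one.
    """
    return {
        entry: (names[0], names[1:])
        for entry, names in class_providers(jars).items()
        if len(names) > 1
    }


def make_jar(entries):
    """Build a constructed in-memory jar holding empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


# Constructed sample: two versions of one library both ship Attr.class.
SAMPLE_CLASSPATH = [
    ("example-lib-1.0.jar", make_jar(["com/example/Attr.class", "com/example/Util.class"])),
    ("example-lib-2.0.jar", make_jar(["com/example/Attr.class"])),
    ("other-1.0.jar", make_jar(["org/other/Thing.class"])),
]

if __name__ == "__main__":
    for entry, (winner, hidden) in sorted(shadowed_classes(SAMPLE_CLASSPATH).items()):
        print(f"{entry}: loaded from {winner}, shadowing {', '.join(hidden)}")
```

Passing the paths of the jars in an image's library directory, in the order the runtime loads them, reports every class with more than one provider.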

RuriRyan commented 6 months ago

Updated to the latest 1.0.39 image and it's working again.

Thanks for the quick fix!