search

openshift / oauth-proxy

A reverse proxy that provides authentication with OpenShift via OAuth and Kubernetes service accounts
MIT License
261 stars 136 forks source link

Use cookie domain for the HMAC signing and validation #240

Closed samuelvl closed 2 years ago

samuelvl commented 2 years ago

Fix https://github.com/openshift/oauth-proxy/issues/239

openshift-ci[bot] commented 2 years ago

Hi @samuelvl. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
slaskawi commented 2 years ago

/lgtm /hold

Adding a LGTM and hold to let @stlaz look at it as well.

samuelvl commented 2 years ago

@slaskawi Should I retest? I think the logs show an error with the infra setup:

slaskawi commented 2 years ago

Let's give it a retry /retest

slaskawi commented 2 years ago

/retest

slaskawi commented 2 years ago

Let's give it one more try /retest

samuelvl commented 2 years ago

I don't get why it is failing. The failing test is TestOAuthProxyE2E/setting_up_e2e_tests_sar-multi-fail, in the logs I can see this error:

proxy_test.go:302: expected error 'did not reach upstream site', got 'expected to be redirected to the oauth-server login page, got "500 Internal Server Error";
...
<body>
  <div class="panel-login">
    <div class="panel-content panel-content-centered">
      <h1>500 Internal Error</h1>
      <p>configmap &#34;oauth-serving-cert&#34; not found</p>
      <p><a href="/oauth/sign_in">Log In</a></p>
    </div>
  </div>
</body>

However if I run the tests locally using my own image including this PR changes the tests pass:

$ go test -v ./test/... -run TestOAuthProxyE2E/setting_up_e2e_tests_sar-multi-fail
=== RUN   TestOAuthProxyE2E
    util.go:734: Found configuration for host https://api.*****.redhat.com:6443.
...
    util.go:768: current authentication operator status: map[Available:true Degraded:false Progressing:false]
    proxy_test.go:207: test image: quay.io/samuvl/ose-oauth-proxy:validate-cookie-domain, test namespace: e2e-oauth-proxy-lszdv
=== RUN   TestOAuthProxyE2E/setting_up_e2e_tests_sar-multi-fail
    proxy_test.go:274: Warning: User 'testuser9' not found
        clusterrole.rbac.authorization.k8s.io/admin added: "testuser9"
    proxy_test.go:280: cleaning up test sar-multi-fail
--- PASS: TestOAuthProxyE2E (240.97s)
    --- PASS: TestOAuthProxyE2E/setting_up_e2e_tests_sar-multi-fail (25.79s)
PASS
ok      github.com/openshift/oauth-proxy/test/e2e   240.979s

I am running Openshift 4.9:

Server Version: 4.9.8
samuelvl commented 2 years ago

/retest

samuelvl commented 2 years ago

After rebasing a different test is failing that wasn't failing before, so testing again

samuelvl commented 2 years ago

/retest

samuelvl commented 2 years ago

/retest

openshift-ci[bot] commented 2 years ago

@samuelvl: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).
samuelvl commented 2 years ago

@slaskawi Tests are finally passing :)

slaskawi commented 2 years ago

/lgtm

openshift-ci[bot] commented 2 years ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: samuelvl, slaskawi To complete the pull request process, please assign deads2k after the PR has been reviewed. You can assign the PR to them by writing /assign @deads2k in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files: - **[OWNERS](https://github.com/openshift/oauth-proxy/blob/master/OWNERS)** Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
samuelvl commented 2 years ago

/assign @stlaz

samuelvl commented 2 years ago

@slaskawi @stlaz Hey guys, tests are passing, so any chance to get this merged or is there anything else required?

VassilisVassiliadis commented 2 years ago

Hello, would it be possible to also backport this to the v4.6 release so that the v4.6 images include the bugfix?

openshift-bot commented 2 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 2 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

ibihim commented 2 years ago

Hi, @samuelvl

please change the title / commit to explicitly mention that you want to use the cookie domain for the signing and validation with hmac. This must be very explicit.

I am also not so happy with the "CookieDomain" solution, but it is already implemented. Ideally you would set a flag, that you enable a cookie for all subdomains and not set the domain on your own. This can be a very problematic setting in the long run.

samuelvl commented 2 years ago

Title changed, thanks for the suggestion @ibihim

The main reason for this change is trying to get a SSO experience when using the OAuth proxy in Openshift as described in https://github.com/openshift/oauth-proxy/issues/239 to improve the user experience by not requiring multiple re-logins when accessing different route hosts.

If there is an alternative or a future enhancement to provide this capability I'm in favor of deprecating the --cookie-domain flag and use a more robust functionality instead.

openshift-bot commented 2 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci[bot] commented 2 years ago

@openshift-bot: Closed this PR.

In response to [this](https://github.com/openshift/oauth-proxy/pull/240#issuecomment-1206460412): >Rotten issues close after 30d of inactivity. > >Reopen the issue by commenting `/reopen`. >Mark the issue as fresh by commenting `/remove-lifecycle rotten`. >Exclude this issue from closing again by commenting `/lifecycle frozen`. > >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.