-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Preparations for launching cockpit-session via unix socket activation #21258
Open
martinpitt
wants to merge
9
commits into
cockpit-project:main
Choose a base branch
from
martinpitt:session-prep
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Stop failing with "didn't receive expected authorize message", as that's confusing -- the user did nothing wrong. Instead, silently exit successfully, and let cockpit-ws handle the timeout. This is mostly occurring when enabling Negotiate (kerberos) authentication, and thus cockpit-ws always starts *two* cockpit-session attempts (one for Negotiate, one for PAM), like in TestIPA.testQualifiedUsers.
This makes it easier for callers to treat the reply as textual string. The only remaining user is cockpit-session, where we will need this behaviour in the following commit.
12 tasks
This comment was marked as resolved.
This comment was marked as resolved.
martinpitt
added
the
no-test
For doc/workflow changes, or experiments which don't need a full CI run,
label
Nov 13, 2024
martinpitt
force-pushed
the
session-prep
branch
2 times, most recently
from
November 13, 2024 06:19
bba7277
to
f5ce821
Compare
martinpitt
force-pushed
the
session-prep
branch
from
November 13, 2024 06:28
f5ce821
to
cb30518
Compare
We want to parse more fields than just "response" from the authorize message in the message. So remove the very rigidly harcoded parsing in `read_authorize_response()` and let it return the whole JSON string instead. Add a new `get_authorize_key()` function that parses a single value from that, and adjust the callers accordingly. This is a very restricted parser to keep things simple: No spaces in the structure, and no escaping. We can assume all that as cockpit-ws sends very controlled messages, and '"' isn't used in base64 values. In the worst case we get a truncated value, which will just fail authentication. Localize some variables while we are at it.
Drop the duplicated (but not identical!) implementation of `read_authorize_response()` and use the real implementation.
Run socket-activated cockpit-session with correct context. By default it is `init_t`, but that will produce a memfd with the wrong permissions, which the session cannot read. Allow cockpit-ws to connect to /run/cockpit/session. Allow restricted user_t and sysadm_t sessions to communicate (but not connect) to cockpit-ws through the session unix socket. (Covered by TestLogin.testSELinuxRestrictedUser)
…codes cockpit-session exits with 5 on authentication failures, including `authentication-unavailable`; or with 127 on authentication timeouts. These aren't a reason to mark the unit as failed.
The point of this is really to determine the cgroup of our caller, i.e. the cockpit-ws process. With [email protected] this is different than cockpit-session's own cgroup. Rename the variables to clarify this.
If cockpit-ws directly spawns cockpit-session, it can process the 127 exit code by itself. But there is no exit code if that happens via unix socket. Check this condition explicitly and report `no-cockpit` via the protocol. This triggers a more specific error path in cockpit-ws and the login page, adjust TestConnection.testBasic accordingly.
The test idles on the login page for more than the 60s authorize timeout. When running cockpit-session via unix socket, this causes some unsightly "session timed out during authentication" messages. This ought to be handled better in cockpit-ws, but for the time being ignore these messages.
martinpitt
removed
the
no-test
For doc/workflow changes, or experiments which don't need a full CI run,
label
Nov 13, 2024
martinpitt
force-pushed
the
session-prep
branch
from
November 13, 2024 08:05
cb30518
to
d16dcbd
Compare
martinpitt
requested review from
mvollmer
and removed request for
allisonkarlitskaya
November 15, 2024 09:01
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Broken out from #16808. But that requires a few more rounds of review and has ideas for more cleanups. These are the cockpit-session JSON parser (which is a bit finnicky, but got reviewed a few rounds already), plus a few extra commits which I believe are not problematic. Let's get them out of the way.