Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add exclusions mechanism into jwtproxy config builder & exlude liveness probes from auth #10463

Merged
merged 11 commits into from
Jul 24, 2018
Merged

Add exclusions mechanism into jwtproxy config builder & exlude liveness probes from auth #10463

merged 11 commits into from
Jul 24, 2018

Conversation

mshaposhnik
Copy link
Contributor

@mshaposhnik mshaposhnik commented Jul 18, 2018
edited
Loading

What does this PR do?

  • Adds code that parse exclusions in the server configuration attributes and puts it into jwtproxy conf.
  • Adds exec, terminal and wsagent http server /liveness paths into excludes;
  • Adds some jwtproxy required JWT claims like IAT, NBF, etc

What issues does this PR fix or reference?

#10400

Release Notes

N/A

Docs PR

N/A

@mshaposhnik
Copy link
Contributor Author

ci-test

@benoitf benoitf added status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. kind/task Internal things, technical debt, and to-do tasks to be performed. labels Jul 18, 2018
sleshchenko
sleshchenko reviewed Jul 18, 2018
View reviewed changes
...ipse/che/workspace/infrastructure/kubernetes/server/secure/jwtproxy/JwtProxyProvisioner.java Outdated
@@ -77,6 +81,7 @@

static final String JWT_PROXY_CONFIG_FOLDER = "/config";
static final String JWT_PROXY_PUBLIC_KEY_FILE = "mykey.pub";
static final String UNSECURED_PATHS_ATTRIBUTE = "unsecuredPaths";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be better to move this constant to https://github.com/eclipse/che/blob/efaef7e0d1a05c03a6819f240a267a015a542f05/core/che-core-api-model/src/main/java/org/eclipse/che/api/core/model/workspace/config/ServerConfig.java#L37
and document it there.

@riuvshin
Copy link
Contributor

ci-test build report:
Build details
Test report
selenium tests report data
docker image: eclipseche/che-server:10463
https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

sleshchenko
sleshchenko reviewed Jul 18, 2018
View reviewed changes
agents/exec/installer/src/main/resources/installers/1.0.0/org.eclipse.che.exec.json Outdated
@@ -11,15 +11,17 @@
"protocol": "http",
"path" : "/process",
"attributes": {
"secure": "true"
"secure": "true",
"unsecuredPaths" : "/liveness"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove space before :

@mshaposhnik
Copy link
Contributor Author

ci-test

sleshchenko
sleshchenko approved these changes Jul 18, 2018
View reviewed changes
Copy link
Member

@sleshchenko sleshchenko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

infrastructures/kubernetes/src/test/resources/jwtproxy-confg.yaml
public_key_path: /config/mykey.pub
claims_verifiers:
- type: static
options:
iss: wsmaster
nonce_storage:
type: void
excludes:

This comment was marked as resolved.

Sign in to view

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok

@riuvshin
Copy link
Contributor

ci-test build report:
Build details
Test report
selenium tests report data
docker image: eclipseche/che-server:10463
https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

@mshaposhnik mshaposhnik requested a review from a user July 18, 2018 14:39
@mshaposhnik
Copy link
Contributor Author

ci-test

@riuvshin
Copy link
Contributor

ci-test build report:
Build details
Test report
selenium tests report data
docker image: eclipseche/che-server:10463
https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

@vkuznyetsov vkuznyetsov mentioned this pull request Jul 19, 2018
Closed
39 tasks
@mshaposhnik mshaposhnik removed the request for review from l0rd July 19, 2018 10:48
@mshaposhnik
Copy link
Contributor Author

ci-test

@riuvshin
Copy link
Contributor

ci-test build report:
Build details
Test report
selenium tests report data
docker image: eclipseche/che-server:10463
https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

@mshaposhnik
Copy link
Contributor Author

ci-test

@riuvshin
Copy link
Contributor

ci-test build report:
Build details
Test report
selenium tests report data
docker image: eclipseche/che-server:10463
https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

@Ohrimenko1988
Copy link
Contributor

@mshaposhnik Will this feature be enabled by default? I mean if it enabled we should rework tests or issue #10490 should be resolved previously.

@mshaposhnik
Copy link
Contributor Author

No it will be turned off by def.

@Ohrimenko1988
Copy link
Contributor

It looks like everything except problem which described in issue #10490 is OK. But the opinion of QE team is - the issue #10490 should be resolved before the merge this PR because we do not guarantee protection from regression. And if enable the "jwt-proxy" by default in future it will lead to big regression (20 %) and possibly additional problems which related to the absence of regression checking.

@Ohrimenko1988
Copy link
Contributor

Ohrimenko1988 commented Jul 23, 2018
edited
Loading

Also a very important point. If this PR merge with master it also should be checked for regression with disabled "jwt-proxy".

@mshaposhnik
Copy link
Contributor Author

mshaposhnik commented Jul 24, 2018
edited
Loading

It was checked with proxy feature off: https://ci.codenvycorp.com/job/che-pullrequests-test-ocp/492/Selenium_20tests_20report/

@mshaposhnik
Copy link
Contributor Author

ci-test

@riuvshin
Copy link
Contributor

ci-test build report:
Build details
Test report
selenium tests report data
docker image: eclipseche/che-server:10463
https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

@mshaposhnik
Copy link
Contributor Author

ci-test

@Ohrimenko1988 Ohrimenko1988 mentioned this pull request Jul 24, 2018
Closed
@riuvshin
Copy link
Contributor

ci-test build report:
Build details
Test report
selenium tests report data
docker image: eclipseche/che-server:10463
https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

@Ohrimenko1988
Copy link
Contributor

Tests which started on the assembly with disabled "jwt-proxy" didn't show any regression.
But the problem which described in the issue #10521 is still actual for enabled "jwt-proxy".
Disabling of this functionality looks like hiding the bug.
And it entails risks which I have described in the previous comment.

@mshaposhnik mshaposhnik merged commit 1471003 into master Jul 24, 2018
@mshaposhnik
Copy link
Contributor Author

Ok, merging now.

@mshaposhnik mshaposhnik deleted the exclusions branch July 24, 2018 15:18
@benoitf benoitf removed the status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. label Jul 24, 2018
@benoitf benoitf added this to the 6.9.0 milestone Jul 24, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skabashnyuk skabashnyuk skabashnyuk approved these changes

@sleshchenko sleshchenko sleshchenko approved these changes

Assignees
No one assigned
Labels
kind/task Internal things, technical debt, and to-do tasks to be performed.
Projects
None yet
Milestone
6.9.0
Development

Successfully merging this pull request may close these issues.
6 participants
@mshaposhnik @riuvshin @Ohrimenko1988 @skabashnyuk @sleshchenko @benoitf