- 
                Notifications
    You must be signed in to change notification settings 
- Fork 29
Avoid polling token endpoint after login request cancelled #903
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Avoid polling token endpoint after login request cancelled #903
Conversation
| I manually tested the changes by running  However, this comment: authd/internal/brokers/dbusbroker.go Line 102 in 5863e33 
 ... indicates that the previous behavior was on purpose. I did some investigations to find out the reason. The functionality to cancel  The first implementation actually used  @denisonbarbosa, do you remember any more details? Am I missing something? | 
| Ok, I figured out what I was missing. The  | 
| Yeah... Sorry for not mentioning it in the card, but I also did some experiments with that after I wrote the initial thing, login disconnecting doesn't bring anything new to us. So I feel we'll have to do process monitoring or something instead. | 
The Go process started by the PAM module kept running even after the process of the PAM module exited, causing authd to continue with the authentication procedure.
This is needed to be able to check the underlying error with errors.Is or errors.As.
631cd42    to
    afb8cea      
    Compare
  
    | With the new commits I pushed, cancellation also works when I run  | 
D-Bus does not support cancelling ongoing method calls through context cancellation, in contrast to gRPC. So if the context of the IsAuthenticated call from the PAM module to authd is cancelled (e.g. because the PAM module exited unexpectedly), we need propagate that to the broker by calling the CancelIsAuthenticated method. We used to do that by calling IsAuthenticated in a goroutine and waiting for the context to be cancelled in the main goroutine, calling CancelIsAuthenticated when the context is cancelled. This commit simplifies that, by passing the context to BusObject.CallWithContext, and calling when the returned error is context.Cancelled. This is only done for the D-Bus broker, not the example broker. That's not a problem, because the example broker already cancels the IsAuthenticated call if the context is cancelled, without requiring a separate CancelIsAuthenticated call. This commit also returns auth.Cancelled if the context was cancelled, which was actually never used with the actual D-Bus broker, but with the example broker and the testutils.BrokerBusMock.
The first call was cancelled iff cancelFirstCall is false.
afb8cea    to
    e44b939      
    Compare
  
    | if err := unix.Prctl(unix.PR_SET_PDEATHSIG, uintptr(syscall.SIGTERM), 0, 0, 0); err != nil { | ||
| log.Errorf(context.Background(), "failed to set PDEATHSIG: %v", err) | ||
| os.Exit(1) | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I was wondering to use the same too... But maybe we can handle it also client-side, on the dbus side... Let me check that too.
However this is fine.
The changes on broker instead I'd hold since I had some refactoring there for another branch, and that side is quite delicate sadly (as we may cancel too early).
| b.CancelIsAuthenticated(context.Background(), sessionID) | ||
| return auth.Cancelled, "", nil | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doesn't this create a race? CancelIsAuthenticated is not a blocking call, so (also considering that the "wait" was removed on the IsAuthenticated function) we can end up returning to PAM without the broker being "ready" to handle a new call, no?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CancelIsAuthenticatedis not a blocking call
Really? It also uses BusObject.CallWithContext from the dbus package, which according to the documentation waits for a reply.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, the dbus call returns, but if you look at the CancelIsAuthenticated func on the broker side, it's not waiting for the cancellation to be done, it just requests a cancel and then the IsAuthenticated func that returns whether it was cancelled or not. Did it make sense? It's not easy to explain
e44b939    to
    c576d00      
    Compare
  
    | Codecov ReportAttention: Patch coverage is  
 
 Additional details and impacted files@@            Coverage Diff             @@
##             main     #903      +/-   ##
==========================================
- Coverage   85.51%   85.38%   -0.14%     
==========================================
  Files          82       82              
  Lines        5703     5707       +4     
  Branches      109      109              
==========================================
- Hits         4877     4873       -4     
- Misses        771      779       +8     
  Partials       55       55              ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
 | 
If the context of the IsAuthenticated call from the PAM module to authd is cancelled, e.g. because the process of the PAM module exits, we want to automatically cancel the IsAuthenticated call to the broker, to avoid doing any further work towards authenticating the user (like sending requests to OAuth2 endpoints).