mfa: fix startup crash when SSO users with MFA expire #6779

Merged
merged 4 commits into from
May 12, 2021
15 changes: 15 additions & 0 deletions lib/services/local/resource.go
Expand Up @@ -557,6 +557,15 @@ func collectUserItems(items []backend.Item) (users map[string]userItems, rem []b
}
users[name] = collector
}
// Remove user entries that are incomplete.
//
// For example, an SSO user entry that expired but still has MFA devices
// persisted. These users should not be loaded until they login again.
for user, items := range users {
if !items.complete() {
delete(users, user)
}
}
return users, rem, nil
}

Expand Down Expand Up @@ -613,3 +622,9 @@ func (u *userItems) Len() int {
l += len(u.mfa)
return l
}

// complete checks whether userItems is complete enough to be parsed by
// userFromUserItems.
func (u *userItems) complete() bool {
return u.params != nil
}
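Review bot: The range variable `items` in `for user, items := range users` shadows the function's own `items []backend.Item` parameter, which makes the loop body harder to read and invites an accidental-shadowing bug if the parameter is later needed inside the loop; `for name, ui := range users { if !ui.complete() { delete(users, name) } }` avoids it. Deleting map entries while ranging is well-defined in Go, so the loop itself is correct. The leftover MFA items of a dropped user are neither returned in `rem` nor logged, so an operator has no trace of why an expired SSO user with persisted MFA devices is absent from GetUsers; a debug-level log naming the skipped user would help, and it may be worth confirming whether those orphaned MFA entries are expected to be reaped elsewhere. collectUserItems starts before the first hunk; the `complete` helper in the second hunk is fully visible.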
15 changes: 12 additions & 3 deletions lib/services/local/resource_test.go
Expand Up @@ -104,8 +104,10 @@ func (r *ResourceSuite) TestUserResourceWithSecrets(c *check.C) {
}

func (r *ResourceSuite) runUserResourceTest(c *check.C, withSecrets bool) {
alice := newUserTestCase(c, "alice", nil, withSecrets)
bob := newUserTestCase(c, "bob", nil, withSecrets)
expiry := r.bk.Clock().Now().Add(time.Minute)

alice := newUserTestCase(c, "alice", nil, withSecrets, expiry)
bob := newUserTestCase(c, "bob", nil, withSecrets, expiry)
// Check basic dynamic item creation
r.runCreationChecks(c, alice, bob)
// Check that dynamically created item is compatible with service
Expand All @@ -126,6 +128,12 @@ func (r *ResourceSuite) runUserResourceTest(c *check.C, withSecrets bool) {
c.Errorf("Unexpected user %q", user.GetName())
}
}

// Advance the clock to let the users to expire.
r.bk.Clock().(clockwork.FakeClock).Advance(2 * time.Minute)
allUsers, err = s.GetUsers(withSecrets)
c.Assert(err, check.IsNil)
c.Assert(len(allUsers), check.Equals, 0, check.Commentf("expected all users to expire"))
}

func (r *ResourceSuite) TestCertAuthorityResource(c *check.C) {
Expand Down Expand Up @@ -235,13 +243,14 @@ func localAuthSecretsTestCase(c *check.C) services.LocalAuthSecrets {
return auth
}

func newUserTestCase(c *check.C, name string, roles []string, withSecrets bool) services.User {
func newUserTestCase(c *check.C, name string, roles []string, withSecrets bool, expires time.Time) services.User {
user := services.UserV2{
Kind: services.KindUser,
Version: services.V2,
Metadata: services.Metadata{
Name: name,
Namespace: defaults.Namespace,
Expires: &expires,
},
Spec: services.UserSpecV2{
Roles: roles,
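Review bot: The unchecked type assertion `r.bk.Clock().(clockwork.FakeClock)` in the second hunk panics rather than reporting a test failure if the suite's backend is ever built with a real clock; `clock, ok := r.bk.Clock().(clockwork.FakeClock)` followed by `c.Assert(ok, check.Equals, true)` and `clock.Advance(2 * time.Minute)` gives a clearer failure. The comment above it, `// Advance the clock to let the users to expire.`, reads better as `// Advance the clock so that the users expire.`. The new assertion only checks that no users are returned once both expire; it does not appear to exercise the scenario in the PR title (an expired user whose MFA devices remain), so a case that persists MFA items with a longer TTL than the params item would pin the actual fix, if the fixtures allow it. runUserResourceTest spans the first two hunks and its body continues between them.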