Leave domain empty in cookies. #1076

Merged
merged 4 commits into from
May 15, 2020

Conversation

Contributor

@fisx fisx commented Apr 24, 2020

This makes UAs default to the server host (plus sub-domains).

Fixes https://github.com/zinfra/backend-issues/issues/953

@fisx
Contributor Author

fisx commented May 4, 2020

@tiago-loureiro you asked for this, now you have to review it! ;-)

@fisx
Contributor Author

fisx commented May 4, 2020

Hm, this looks like it could be related:

        nginz
          nginz-login:                                                                     FAIL
            Exception: Assertions failed:
             1: 200 =/= 403
            
            Response was:
            
            Response {responseStatus = Status {statusCode = 403, statusMessage = "Forbidden"}, responseVersion = HTTP/1.1, responseHeaders = [("Server","nginx"),("Date","Mon, 04 May 2020 08:15:08 GMT"),("Content-Type","application/json"),("Transfer-Encoding","chunked"),("Connection","keep-alive"),("Content-Encoding","gzip"),("Access-Control-Allow-Credentials","true"),("Access-Control-Expose-Headers","Request-Id, Location"),("Request-Id","594a1af0b45e8ffa0ab20f7573b6dd11"),("Strict-Transport-Security","max-age=31536000; preload")], responseBody = Just "{\"code\":403,\"message\":\"Missing cookie\",\"label\":\"invalid-credentials\"}", responseCookieJar = CJ {expose = [Cookie {cookie_name = "zuid", cookie_value = "-SKBw8G0ofOPFjvkZAfw42hVqWOeiaz00Aj8pBrTup6P-1kbfWLmnAB1--7tynliRqWyZY6pnFAR3uS5ceSWBw==.v=1.k=1.d=1588580228.t=u.l=.u=43ce6ed6-283d-4908-ab8a-826c9759aeb4.r=4adb9eed", cookie_expiry_time = 2020-05-04 08:17:08 UTC, cookie_domain = "brig.test-hvr1b3dm1vb2.svc.cluster.local", cookie_path = "/access", cookie_creation_time = 2020-05-04 08:15:08.206192823 UTC, cookie_last_access_time = 2020-05-04 08:15:08.206192823 UTC, cookie_persistent = True, cookie_host_only = True, cookie_secure_only = False, cookie_http_only = True}]}, responseClose' = ResponseClose}
            CallStack (from HasCallStack):
              error, called at src/Bilge/Assert.hs:88:28 in bilge-0.22.0-5aPm7hcwMbW8hs9PsPQhoJ:Bilge.Assert
              <!!, called at test/integration/API/User/Auth.hs:159:10 in main:API.User.Auth
          nginz-legalhold-login:                                                           FAIL
            Exception: Assertions failed:
             1: 200 =/= 403
            
            Response was:
            
            Response {responseStatus = Status {statusCode = 403, statusMessage = "Forbidden"}, responseVersion = HTTP/1.1, responseHeaders = [("Server","nginx"),("Date","Mon, 04 May 2020 08:15:08 GMT"),("Content-Type","application/json"),("Transfer-Encoding","chunked"),("Connection","keep-alive"),("Content-Encoding","gzip"),("Access-Control-Allow-Credentials","true"),("Access-Control-Expose-Headers","Request-Id, Location"),("Request-Id","46c1fa9b5ae0f80b8c58b32c44e0d80a"),("Strict-Transport-Security","max-age=31536000; preload")], responseBody = Just "{\"code\":403,\"message\":\"Missing cookie\",\"label\":\"invalid-credentials\"}", responseCookieJar = CJ {expose = [Cookie {cookie_name = "zuid", cookie_value = "k8d18sVi8JOZ36tI4KtWM_sPXdZvl6qD6sJdlELfTOdMie22DJqmPJR75duKUG8qMvQkWVHLhGDdXhVsWmS9CQ==.v=1.k=1.d=1593418508.t=lu.l=.u=1e6e705d-1ea3-4bf5-a072-49792f9899de.r=94fdcd55", cookie_expiry_time = 2020-06-29 08:15:08 UTC, cookie_domain = "brig.test-hvr1b3dm1vb2.svc.cluster.local", cookie_path = "/access", cookie_creation_time = 2020-05-04 08:15:08.436346899 UTC, cookie_last_access_time = 2020-05-04 08:15:08.436346899 UTC, cookie_persistent = True, cookie_host_only = True, cookie_secure_only = False, cookie_http_only = True}]}, responseClose' = ResponseClose}
            CallStack (from HasCallStack):
              error, called at src/Bilge/Assert.hs:88:28 in bilge-0.22.0-5aPm7hcwMbW8hs9PsPQhoJ:Bilge.Assert
              <!!, called at src/Bilge/Assert.hs:105:19 in bilge-0.22.0-5aPm7hcwMbW8hs9PsPQhoJ:Bilge.Assert
              !!!, called at test/integration/API/User/Auth.hs:175:3 in main:API.User.Auth
      refresh /access

@fisx
Contributor Author

fisx commented May 4, 2020

These tests pass locally, so the problem is something specific to the setup in which tests are run on concourse. My bet would be network setup. This would mean that either the concourse network setup needs to be fixed to accommodate implicit cookie domains, or it is right and catches an error here.

Or is it something about bilge, the client lib we use for integration tests?

@fisx
Contributor Author

fisx commented May 4, 2020

05a7ccc fixes one test. The legal hold variant is using an internal end-point to login which can't just go through nginz. I'll take a break now and figure this out later.

@fisx
Contributor Author

fisx commented May 6, 2020

  Galley integration tests
    Teams LegalHold API
      works through nginz: 2020-05-06T20:42:08Z, D, Connecting to 127.0.0.1:9042
[brig] D, logger=cassandra.brig, Connection established: datacenter1:rack1:127.0.0.1:9042#<socket: 19>
[nginz] 127.0.0.1 - - [06/May/2020:20:42:09 +0000] "POST /login?persist=true HTTP/1.1" 200 249 "-" "-" "-" - 2 0.041 0.041 - - - ad1de944346c4e598172066973ff0f7c 
2020/05/06 20:42:09 [error] 31397#31397: *2 open() "/home/mf/src/wire-server/services/nginz/integration-test/html/teams/423032f9-e475-49d0-868d-3b60eb5d4d4e/legalhold/17593176-f771-43ff-ab34-5db337671322" failed (2: No such file or directory), client: 127.0.0.1, server: , request: "POST /teams/423032f9-e475-49d0-868d-3b60eb5d4d4e/legalhold/17593176-f771-43ff-ab34-5db337671322 HTTP/1.1", host: "127.0.0.1:8080"
2020/05/06 20:42:09 [warn] 31397#31397: *2 using uninitialized "sanitized_request" variable while logging request, client: 127.0.0.1, server: , request: "POST /teams/423032f9-e475-49d0-868d-3b60eb5d4d4e/legalhold/17593176-f771-43ff-ab34-5db337671322 HTTP/1.1", host: "127.0.0.1:8080"
[nginz] 127.0.0.1 - - [06/May/2020:20:42:09 +0000] "" 404 146 "-" "-" "-" - 2 0.000 - - 17593176-f771-43ff-ab34-5db337671322 6546001759223260245 236f35e87d464d4077c7be45e8c473b6 
FAIL
        Exception: Assertions failed:
         1: 200 =/= 404
        
        Response was:
        
        Response {responseStatus = Status {statusCode = 404, statusMessage = "Not Found"}, responseVersion = HTTP/1.1, responseHeaders = [("Server","nginx"),("Date","Wed, 06 May 2020 20:42:09 GMT"),("Content-Type","text/html"),("Content-Length","146"),("Connection","keep-alive")], responseBody = Just "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n", responseCookieJar = CJ {expose = []}, responseClose' = ResponseClose}
        CallStack (from HasCallStack):
          error, called at src/Bilge/Assert.hs:88:28 in bilge-0.22.0-5aPm7hcwMbW8hs9PsPQhoJ:Bilge.Assert
          <!!, called at src/Bilge/Assert.hs:105:19 in bilge-0.22.0-5aPm7hcwMbW8hs9PsPQhoJ:Bilge.Assert
          !!!, called at test/integration/API/Teams/LegalHold.hs:788:3 in main:API.Teams.LegalHold
          legalHoldLoginViaNginz, called at test/integration/API/Teams/LegalHold.hs:753:5 in main:API.Teams.LegalHold

@fisx fisx changed the title Leave domain empty in cookies. [WIP] Leave domain empty in cookies. May 6, 2020
    testNginzLegalHold = do
      nginz <- view tsNginz
      (owner, tid) <- createBindingTeam'
      (c, t) <- withDummyTestServiceForTeam (Brig.userId owner) tid $ \_chan -> do
Member
Just curious, trying to understand the code: What do you need the withDummyTestServiceForTeam for? Wouldn't (c, t) <- legalHoldLoginViaNginz ... work? (if not, why not?).

Contributor Author

In the test before this PR, we called an internal end-point in brig directly to get the credentials. That circumvented the integrity tests that (presumably) galley does before approving a LH device, including talking to the device and checking that its certificate and URL are valid. Now that I need to go through nginz so that the cookie is issued by the same host that will get it back further down in the test, these integrity tests are happening, and fail.

I should have probably double-checked this theory, but that's my mental model, based on an error message to that end that I saw at some point today.
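The host-scoping rule the two comments above rely on, worked through as an added example (stand-alone Python, not wire-server, nginz or bilge code): under RFC 6265 a Set-Cookie header with no Domain attribute yields a host-only cookie, which the user agent returns only to the exact host that set it, whereas a Domain attribute scopes the cookie to that domain and every host under it. The first failing-test output shows exactly the host-only case (`cookie_host_only = True`, `cookie_domain = "brig.test-hvr1b3dm1vb2.svc.cluster.local"`, path `/access`): the cookie was issued by brig directly and therefore never reached nginz, hence the `403 Missing cookie`. The Set-Cookie header text, the token value and the `nginz.test-hvr1b3dm1vb2.svc.cluster.local` hostname below are constructed for the illustration; only the brig hostname and the `/access` path come from the log.

```python
"""RFC 6265 cookie scoping: what a user agent does with a Set-Cookie header that
has no Domain attribute (host-only cookie) versus one that names a domain.

Stand-alone illustration; not wire-server, nginz or bilge code.  The Set-Cookie
header text and the nginz hostname below are constructed for the example; only
the brig hostname and the /access path come from the failing test output.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # lower-case, no leading dot (RFC 6265 section 5.2.3)
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    path: str


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: equal, or request host ends with '.' + domain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, request_host: str) -> Optional[Cookie]:
    """Storage model of RFC 6265 section 5.3 (simplified: Domain and Path only).

    Returns None when the UA must ignore the cookie, i.e. when a Domain attribute
    is present that the request host does not domain-match (step 6).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr, path = "", "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain_attr = val.strip().lower().lstrip(".")
        elif key == "path":
            path = val.strip() or "/"
    if domain_attr:
        if not domain_matches(request_host, domain_attr):
            return None
        return Cookie(name.strip(), value.strip(), domain_attr, False, path)
    # No Domain attribute: host-only cookie, domain := the request host itself.
    return Cookie(name.strip(), value.strip(), request_host.lower(), True, path)


def cookie_sent(cookie: Cookie, request_host: str, request_path: str = "/") -> bool:
    """Retrieval model of RFC 6265 section 5.4 step 1 (host and path checks)."""
    host = request_host.lower().rstrip(".")
    if cookie.host_only:
        host_ok = host == cookie.domain           # exact host only, no sub-domains
    else:
        host_ok = domain_matches(host, cookie.domain)
    return host_ok and path_matches(request_path, cookie.path)


BRIG = "brig.test-hvr1b3dm1vb2.svc.cluster.local"      # from the test output above
NGINZ = "nginz.test-hvr1b3dm1vb2.svc.cluster.local"    # constructed for the example
ZONE = "test-hvr1b3dm1vb2.svc.cluster.local"


def scenario() -> Dict[str, object]:
    """Reproduce the 'Missing cookie' failure and contrast it with a Domain cookie."""
    # Constructed header; the real token value is not needed for the scoping logic.
    host_only_hdr = "zuid=TOKEN.v=1; Path=/access; HttpOnly"
    issued_by_brig = parse_set_cookie(host_only_hdr, BRIG)
    assert issued_by_brig is not None and issued_by_brig.host_only

    # Same cookie, but with a Domain attribute covering the whole zone.
    domain_hdr = host_only_hdr + "; Domain=" + ZONE
    zone_cookie = parse_set_cookie(domain_hdr, BRIG)
    assert zone_cookie is not None and not zone_cookie.host_only

    return {
        # cookie_host_only = True in the log: brig gets it back, nginz does not
        "host_only_to_brig": cookie_sent(issued_by_brig, BRIG, "/access"),
        "host_only_to_nginz": cookie_sent(issued_by_brig, NGINZ, "/access"),
        # path still applies: the /access cookie is not sent to /login
        "host_only_to_brig_login": cookie_sent(issued_by_brig, BRIG, "/login"),
        # a Domain cookie reaches every host under the zone, including nginz
        "zone_to_nginz": cookie_sent(zone_cookie, NGINZ, "/access"),
        "zone_to_other_host": cookie_sent(zone_cookie, "galley." + ZONE, "/access"),
        # a Domain the issuing host does not match is rejected outright
        "foreign_domain_rejected": parse_set_cookie(
            "zuid=x; Domain=evil.example", BRIG) is None,
    }


if __name__ == "__main__":
    for key, val in scenario().items():
        print(f"{key:28s} {val}")
```

The practical consequence for the test suite is the one fisx describes: once the server stops naming a Domain, login and the later `/access` refresh must go to the same host (nginz), or the UA keeps the cookie to itself. The same property is what makes the host-only default the tighter choice in production, since a cookie scoped to a parent zone would be presented to every other service under that zone.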

@jschaul
Member

jschaul commented May 6, 2020

>   Galley integration tests
>     Teams LegalHold API
>       works through nginz: [...] FAIL
>         Exception: Assertions failed:
>          1: 200 =/= 404
>         [...]
>           legalHoldLoginViaNginz, called at test/integration/API/Teams/LegalHold.hs:753:5 in main:API.Teams.LegalHold

The problem is that ./deploy/services-demo/conf/nginz/nginx.conf doesn't contain the legalhold entries. I.e. this is another instance of https://github.com/zinfra/backend-issues/issues/888 biting. Missing:

      - path: ~* ^/teams/([^/]*)/legalhold(.*)
      - path: ~* ^/i/teams/([^/]*)/legalhold(.*)

@fisx
Contributor Author

fisx commented May 6, 2020

cool, thanks!

The next one feels more like something I got wrong during the heavy refactoring.

  Galley integration tests
    Teams LegalHold API
      works through nginz: 2020-05-06T21:14:48Z, D, Connecting to 127.0.0.1:9042
[brig] D, logger=cassandra.brig, Connection established: datacenter1:rack1:127.0.0.1:9042#<socket: 19>
[nginz] 127.0.0.1 - - [06/May/2020:21:14:48 +0000] "POST /login?persist=true HTTP/1.1" 200 249 "-" "-" "-" - 2 0.038 0.038 - - - c6b99496567b0c631cd95f025b111655                                                 
[nginz] 127.0.0.1 - - [06/May/2020:21:14:48 +0000] "POST /teams/f65a3ef8-a881-456b-bb9d-5fdade777a7e/legalhold/ecf9ed37-167b-410a-b02d-7b727ae02170 HTTP/1.1" 201 31 "-" "-" "-" - 2 0.008 0.007 - ecf9ed37-167b-410a-b02d-7b727ae02170 16437281497256731336 6fef425846b48af901c37f0e24766ac6 
[nginz] 127.0.0.1 - - [06/May/2020:21:14:48 +0000] "POST /login?persist=true HTTP/1.1" 200 250 "-" "-" "-" - 2 0.037 0.037 - - - 9824a31fd98ca10289dba9bcd100c778                                                 
[nginz] 127.0.0.1 - - [06/May/2020:21:14:49 +0000] "PUT /teams/f65a3ef8-a881-456b-bb9d-5fdade777a7e/legalhold/ecf9ed37-167b-410a-b02d-7b727ae02170/approve HTTP/1.1" 200 31 "-" "-" "-" - 2 0.100 0.099 - ecf9ed37-167b-410a-b02d-7b727ae02170 6785331843010980775 8b3d60e628e5d93eb9747c6d553389a0 
FAIL
        Exception: Error executing request: invalid access_token
        CallStack (from HasCallStack):
          error, called at test/integration/API/Teams/LegalHold.hs:830:29 in main:API.Teams.LegalHold
          decodeToken', called at test/integration/API/Teams/LegalHold.hs:808:7 in main:API.Teams.LegalHold                                                                                                       
          legalHoldLoginViaNginz, called at test/integration/API/Teams/LegalHold.hs:753:5 in main:API.Teams.LegalHold                                                                                             
        CallStack (from HasCallStack):
          error, called at src/Bilge/Assert.hs:97:18 in bilge-0.22.0-5aPm7hcwMbW8hs9PsPQhoJ:Bilge.Assert
          <!!, called at src/Bilge/Assert.hs:105:19 in bilge-0.22.0-5aPm7hcwMbW8hs9PsPQhoJ:Bilge.Assert
          !!!, called at test/integration/API/Teams/LegalHold.hs:756:3 in main:API.Teams.LegalHold

1 out of 1 tests failed (0.41s)

@fisx fisx changed the title [WIP] Leave domain empty in cookies. Leave domain empty in cookies. May 6, 2020
@jschaul jschaul left a comment

Looks good now!

fisx added a commit to wireapp/wire-server-deploy that referenced this pull request May 14, 2020
@fisx fisx merged commit 24eccc4 into develop May 15, 2020
@fisx fisx deleted the fisx/cookies branch May 15, 2020 12:52