#2622 cli: commands.add-pkg call activate_session (login) before calling session.getUser (requires auth)
Closed 4 years ago by gpchelkin. Opened 4 years ago by gpchelkin.
gpchelkin/koji fix_add_pkg_session into master

file modified
+1 -1
@@ -336,13 +336,13 @@ 

      parser.add_option("--owner", help=_("Specify owner"))

      parser.add_option("--extra-arches", help=_("Specify extra arches"))

      (options, args) = parser.parse_args(args)

+     activate_session(session, goptions)

      if len(args) < 2:

          parser.error(_("Please specify a tag and at least one package"))

      if not options.owner:

          parser.error(_("Please specify an owner for the package(s)"))

      if not session.getUser(options.owner):

          error("User %s does not exist" % options.owner)

-     activate_session(session, goptions)

      tag = args[0]

      opts = {}

      opts['force'] = options.force
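
Review bot: Moving `activate_session(session, goptions)` above the argument checks means the client now authenticates and creates a hub session even when the command is about to exit with `parser.error(...)` for a missing tag, package or `--owner`; that is wasted session creation (and sessions-table churn) for plain usage errors. Since the only call that needs an authenticated session before the original location is `session.getUser(options.owner)`, consider placing `activate_session(session, goptions)` immediately before that `if not session.getUser(options.owner):` line, after the two `parser.error` checks, so usage errors still fail fast without logging in.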

Otherwise koji add-pkg command fails even with SSL auth set up.

Can you help us understand more about the error message you're seeing, or steps to reproduce?

The hub permits anonymous clients to call the getUser RPC without authenticating. I'm thinking we should keep the code as-is so we don't have to touch the sessions table any more than necessary.

It looks to me that it could be some environment which doesn't have anonymous calls enabled? (httpd conf requiring auth everywhere, not only for the login endpoint.) If that is the case, then all anonymous calls would be failing.

Yes, @tkopecek is right, thanks. Our environment doesn't have anonymous calls enabled; httpd conf requires SSL client cert auth everywhere, so you can't read/download anything - this is an infosec requirement we have. And yes, all anonymous calls would be failing. My bad, the fix in this PR only applies to Koji 1.21.1 and lower, where we used the --force-auth argument for all commands, so "anonymous" commands (anon_*) worked well in this environment.

As I see it, Koji 1.22 replaced activate_session() with ensure_connection() for anonymous commands, so the --force-auth argument doesn't work as intended. Should I open a separate issue for this? Also it would be nice to have some koji.conf parameter for force-auth, so it wouldn't be needed every time in such an environment.

I've opened #2657. Can we close this one?

Thank you. Closing this one.

Pull-Request has been closed by gpchelkin

4 years ago