Bug 806189

Summary: User cannot be redirected to the accept terms page after first login.
Product: OKD
Reporter: Yujie Zhang <yujzhang>
Component: Website
Assignee: Fotios Lindiakos <fotios>
Status: CLOSED CURRENTRELEASE
QA Contact: libra bugs <libra-bugs>
Severity: low
Priority: high
Version: 2.x
CC: ccoleman, jkeck, mhicks, rmillner, xtian
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-04-27 20:46:18 UTC
Attachments:
Login flow log (flags: none)

Description Yujie Zhang 2012-03-23 07:20:14 UTC
Description of problem:

After a new user first logs in, the user is taken to the app/console/application_types page, not the accept terms page.

Version-Release number of selected component (if applicable):

devenv_1670

How reproducible: always


Steps to Reproduce:
1. Go to the OpenShift website and register a new account
2. Click the email confirmation link and log in with the new account

Actual results:

After a new user first logs in, the user is taken to the app/console/application_types page, not the accept terms page.

Expected results:

After a new user first logs in, the user should be taken to the accept terms page. But during other operations, it will sometimes redirect to the accept terms page.

Additional info:

After I registered the first time in the morning, I was redirected to accept terms correctly, but after that I registered again, met the above issue, and was never redirected to the accept terms page when I first logged in. Here is the log of the first time I registered and the log of the second time I registered:

<The first time I registered>:

Started GET "/app/console/applications" for 203.114.244.88 at Thu Mar 22 23:01:26 -0400 2012
[Barista] Compiling all scripts for barista
[Barista] Compiling all coffeescripts
[Barista] Copying all javascripts
  Processing by ApplicationsController#index as HTML
Checking for logout request
Not a logout request, checking for cookie
rh_sso cookie = '0|5Aa3Ve7sj3bjcgnfdeanfJNAFM9DDrWCieT'
========================================================
User does not have a authenticated session
Looking up user based on rh_sso ticket
Response from Streamline took (/wapps/streamline/cloudVerify.html): 420.123 ms
POST Response code = 200
Found #<WebUser:0x7f4b717475c0>. Authenticating session
Response from Streamline took (/wapps/streamline/protected/findUnacknowledgedTerms.html): 744.883 ms
POST Response code = 200
User #<WebUser:0x7f4b717475c0> has terms to accept.
==================================================
Redirected to https://openshifttest.redhat.com/app/terms/accept
Completed 302 Found in 1181ms

<The second time I registered>:

Started GET "/app/console" for 203.114.244.88 at Fri Mar 23 01:15:46 -0400 2012
[Barista] Compiling all scripts for barista
[Barista] Compiling all coffeescripts
[Barista] Copying all javascripts
  Processing by ConsoleController#index as HTML
Checking for logout request
Not a logout request, checking for cookie
rh_sso cookie = '0|rciFVn2IP1jS6T4LqRyhGR9PElgcdI4NLY9'
==============================================================
User has an authenticated session
Session ticket matches current ticket
User yujzhang+newnew007 is missing access.  Requesting access...
Response from Streamline took (/wapps/streamline/requestAccess.html): 869.073 ms
POST Response code = 200
Access request successful for user yujzhang+newnew007
Response from Streamline took (/wapps/streamline/cloudVerify.html): 433.432 ms
POST Response code = 200
Login required
Redirected to https://openshifttest.redhat.com/app/console/applications
Completed 302 Found in 1310ms
================================================================

PS: I had cleared all my cookies before I registered the second time, but it is still not clear why "User has an authenticated session".

Comment 1 Clayton Coleman 2012-03-26 05:07:02 UTC
This looks like a combination of several changes, some of which may have been intentional (for the terms signup story).  When a user signs up, they have to log in for the first time, which sets the rh_sso cookie.  However, the block of code which handles terms only gets called if you visit the OpenShift site with a valid rh_sso cookie (meaning you logged in via the Redhat.com main site) but without our session cookie.  So the terms are intentionally bypassed until you access the site without the session cookie but with an rh_sso cookie (which is unlikely to occur).

I think what should be happening is that the login flow should check once per session for the list of terms the user must accept, and then redirect them to the terms UI.  If the user accepts the terms, or if he has no terms to accept, then the session should contain a boolean like :complete = true which indicates that the check has been completed.  

1) User accesses protected page and is authenticated
2) Check token age
3) Check whether user has the cloud_access_1 role
4) Check whether the user has any unacknowledged terms (redirect to terms page if so)
5) If everything passes, set session[:complete] = true which bypasses the role and terms checks on subsequent URLs as long as the session is valid.

Fotios, assigning to you since this is under your story.  Double check if anything I said above doesn't make sense or is different than what you think should happen.  Also, if the terms service fails or is unavailable, we should let the user through (don't want to prevent login because of that), and should have a 5-10s timeout (dunno what we have now).

Because signed up users have to accept the terms on the signup page, and this works when already logged in as an RHN account, I think we can afford not to deliver this this sprint as long as it's correct next sprint.
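The once-per-session check proposed in this comment, written out as an added Ruby sketch (illustration only, not the OKD website's own code): the session is a plain Hash, the role and terms lookups are injected callables so it runs offline, and the token-age limit is an assumed value.

```ruby
require 'timeout'

# Added illustration of the login flow in comment 1, not the site's real code.
# Steps: authenticated? -> token age -> cloud_access_1 role -> unacknowledged
# terms -> session[:complete] = true so later requests skip the checks.
class LoginGate
  TERMS_TIMEOUT = 5          # seconds; comment 1 suggests a 5-10s timeout
  MAX_TOKEN_AGE = 8 * 3600   # assumed limit on rh_sso ticket age (seconds)
  ACCESS_ROLE   = 'cloud_access_1'

  # has_role:  ->(user) { true/false }            (assumed role lookup)
  # terms_for: ->(user) { [unacknowledged ids] }  (assumed terms service; may raise/hang)
  # now:       -> { epoch seconds }               (injectable clock for testing)
  def initialize(has_role:, terms_for:, now: -> { Time.now.to_i })
    @has_role, @terms_for, @now = has_role, terms_for, now
  end

  # Returns :allow, :login, :no_access or :terms for the current request.
  def check(session, user)
    return :login if user.nil?                       # step 1: must be authenticated
    return :allow if session[:complete]              # checks already passed this session
    if @now.call - session.fetch(:ticket_issued_at, 0) > MAX_TOKEN_AGE
      session.clear                                  # step 2: stale ticket, force re-login
      return :login
    end
    return :no_access unless @has_role.call(user)    # step 3: missing cloud_access_1
    return :terms if terms_pending?(user)            # step 4: redirect to terms UI
    session[:complete] = true                        # step 5: bypass checks for the session
    :allow
  end

  private

  # Step 4 with the fail-open policy from comment 1: if the terms service errors
  # or exceeds the timeout, the user is let through rather than blocked.
  def terms_pending?(user)
    Timeout.timeout(TERMS_TIMEOUT) { !@terms_for.call(user).empty? }
  rescue StandardError
    false
  end
end
```

Note that :complete is set only after both the role and terms checks pass, so a user redirected to the terms page is re-checked on the next request rather than bypassed.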

Comment 2 Clayton Coleman 2012-03-26 20:41:41 UTC
Yujie, can we reduce the priority on this to medium?  As noted before this is in code that hasn't changed in the last few sprints, and while it might be annoying, only happens once per user on their second login.  We should fix it, but I don't know if it's the blocking issue for the sprint.

Comment 3 Xiaoli Tian 2012-03-27 03:49:39 UTC
(In reply to comment #2)
> Yujie, can we reduce the priority on this to medium?  As noted before this is
> in code that hasn't changed in the last few sprints, and while it might be
> annoying, only happens once per user on their second login.  We should fix it,
> but I don't know if it's the blocking issue for the sprint.

Hi, Clayton.

The current situation is that the terms are not even required to be accepted almost all the time: after I register a new user and log in without needing to accept the terms, I can do anything, like creating an app.

I think we need to fix it in this sprint if accepting the terms is important, and we cannot reduce its priority.

The attachment below is the login flow log from logging in with a new user; I hope it helps you debug.

Thanks

Comment 4 Xiaoli Tian 2012-03-27 03:50:47 UTC
Created attachment 572912 [details]
Login flow log

Comment 5 Clayton Coleman 2012-03-27 03:55:25 UTC
The bottom of the signup screen clearly lists the terms and says that by signing up you accept them - from a legal perspective the two steps are considered identical (and in a future sprint that will be the only way to accept terms, once Streamline support for accepting all terms on signup is complete).

Comment 6 Xiaoli Tian 2012-03-27 04:01:09 UTC
OK, since we already refer to the terms on the signup page, it's OK to reduce the priority. Thanks for the clarification.

Comment 7 Matt Hicks 2012-03-29 22:38:46 UTC
Reducing the priority to low since it was decided above not to block the sprint on this.

Comment 8 Fotios Lindiakos 2012-03-30 19:07:43 UTC
This flow is being taken care of with the new login code (R&D for this sprint and being delivered next sprint).

I'm going to hold off making the change now so as not to mess with the current logic.

Comment 9 Yujie Zhang 2012-04-11 10:34:59 UTC
(In reply to comment #8)
Still have this issue on devenv_1713, could you please check it again?

Comment 10 Clayton Coleman 2012-04-11 14:28:26 UTC
We couldn't make the change this sprint because of other priorities.  It's going to go in next sprint for sure.

Comment 11 Yujie Zhang 2012-04-12 01:26:12 UTC
(In reply to comment #10)
Ok, then we will wait for the next sprint, thanks.

Comment 12 Yujie Zhang 2012-04-19 06:00:49 UTC
Tested this issue on devenv_1730: the user is taken to the accept terms page on first login, so verifying this bug.
The current workflow is as follows:
1) register
2) confirm
3) first login
4) accept terms
5) logged in
Btw, the user can access all the marketing pages without accepting the terms on first login.