Bug 1443166 - External Auth - FreeIPA - Self-service UI doesn't time out when session timeout is reached
Summary: External Auth - FreeIPA - Self-service UI doesn't time out when session timeo...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: GA
: 5.8.0
Assignee: Chris Hale
QA Contact: Matt Pusateri
URL:
Whiteboard: auth:externalauth:freeipa:security
Depends On: 1435459
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-18 16:19 UTC by Satoe Imaishi
Modified: 2017-05-31 14:53 UTC (History)
13 users (show)

Fixed In Version: 5.8.0.16
Doc Type: Release Note
Doc Text:
This release of CloudForms corrects a configuration issue whereby the self-service UI did not time out when a custom session timeout was reached. Inactive users in the self-service UI will now be logged out when the established session time has expired.
Clone Of: 1435459
Environment:
Last Closed: 2017-05-31 14:53:57 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1367 normal SHIPPED_LIVE Moderate: CFME 5.8.0 security, bug, and enhancement update 2017-05-31 18:16:03 UTC

Comment 2 CFME Bot 2017-04-19 19:17:52 UTC
New commit detected on ManageIQ/manageiq-ui-service/fine:
https://github.com/ManageIQ/manageiq-ui-self_service/commit/c418f8399363a3dd2c8237c5fadd45d59932b001

commit c418f8399363a3dd2c8237c5fadd45d59932b001
Author:     Chris Kacerguis <chriskacerguis@users.noreply.github.com>
AuthorDate: Tue Apr 18 10:33:13 2017 -0500
Commit:     Satoe Imaishi <simaishi@redhat.com>
CommitDate: Wed Apr 19 15:16:11 2017 -0400

    Merge pull request #678 from chalettu/token-header
    
    Self-service UI doesn't time out when session timeout is reached
    (cherry picked from commit cd8ee12778a370843435bcd5674d88932c200ae1)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1443166

 client/app/core/session.service.js | 1 +
 1 file changed, 1 insertion(+)

Comment 3 Chris Hale 2017-04-24 21:15:29 UTC
Hi, 
  We have added this header in, just to be sure, 
X-Auth-Skip-Token-Renewal=True  .  Does the "True" have to be capitalized or is it expected to be lower case. 

Thanks,

Chris

Comment 4 Šimon Lukašík 2017-04-25 06:24:24 UTC
Hello,

You are right, it should be lower case 'true'. See: https://github.com/ManageIQ/manageiq/blob/08d6d4f35e923b698e23ef94509d8d22706aded0/app/controllers/api/base_controller/authentication.rb#L75

Sorry for the typo in one of the comments. I didn't noticed that capitalization matters here. :-(

Comment 5 Matt Pusateri 2017-04-28 16:48:41 UTC
I don't see the user logged out after the timeout time expires.

Comment 6 Chris Hale 2017-04-28 18:58:27 UTC
Hi Matt.  Does the sui ever log you out or is it just not logging you out when you believe it should have by a certain time?    The endpoint that Simon told us to add a header to only gets retrieved by the SUI every 5 minutes.  The net result is that it could be taking 5 minutes + whatever timeout you set in Admin UI.   Simon might need to explain to me the workflow of what adding that header does but I suspect its just an issue that because of the delay between our requests that it doesn't timeout exactly when is expected.

Comment 7 Matt Pusateri 2017-04-28 19:49:38 UTC
It never logs out.  I know I set it for 5 mins and waited 6, then  logged out manually and logged in and waited 8-10 mins and still nothing. Then I repeated and waited 20 mins on a 5 min timeout setting.  Regardless the expectation will be if you set it to 5 mins then it should log you out in 5 mins. 

What version did you test this on?

Comment 8 Chris Hale 2017-04-28 21:05:51 UTC
Simon, 
    Can you explain to me exactly what is supposed to happen when we pass this header you had us add in?   Does the API return some piece of info we are supposed to use to log the person out ?  I think there must be something in this process we are missing.  


Thanks in advance,

Chris

Comment 9 Šimon Lukašík 2017-05-02 08:04:05 UTC
The service ui does not have 'session' in traditional meaning of the word. We only have a token to authenticate with the API. To emulate session expire, we let this authentication token expire.

When the token is used it is automatically renewed/refresh. So, any click on the service ui refreshes the token. Without this mechanism the session would expire after these 5.minutes flat.

The problem is that the re-occurring background requests from service ui must not refresh this token, otherwise we end-up with infinite session again.

There are about 5 different background queries that have to supply X-Auth-Skip-Token-Renewal=true to not extend the token indefinitely. Use network tab of your browser debugger to see more info.

So far so good.

Recently, the background query was added on /api?attributes=authorization and X-Auth-Skip-Token-Renewal=true header was not added, so we ended-up with an indefinite session again.

Side note: In an ideal world MiQ would revert this logic. We default for renewal and that causes problem. In an ideal world, we would default for no renewal and we would send something like X-Auth-Renew-Token=true only onClick and everything would be greener.


Chris, I think the problem here is that we send X-Auth-Skip-Token-Renewal=True instead of X-Auth-Skip-Token-Renewal=true. I am sorry I made this typo in bug 1435459 comment 5.


Note, I am not expert on all of this. I just found all this within 5 minutes of looking into https://github.com/search?q=org%3AManageIQ+X-Auth-Skip-Token-Renewal&type=Code

HTH!

Comment 10 Šimon Lukašík 2017-05-02 08:24:21 UTC
> Chris, I think the problem here is that we send X-Auth-Skip-Token-Renewal=True 
> instead of X-Auth-Skip-Token-Renewal=true. I am sorry I made this typo in bug 
> 1435459 comment 5.

Ah, I see you already did that in https://github.com/ManageIQ/manageiq-ui-service/pull/716

Perhaps when we crosslink that pr with this bz, it will get backported.

Comment 13 Chris Hale 2017-05-02 19:17:48 UTC
So I have changed our authorizations http call to ensure this token renewal doesn't happen.  Here is the catch.  Many pages in the Service UI poll the miq backend every 10 seconds or so for data updates.  Because these pages poll , you will not timeout your session on these pages.  Any of our list views and our service details page all poll data at a regular basis.   This might be why your testing doesn't log you out as expected.  

New GH PR https://github.com/ManageIQ/manageiq-ui-service/pull/731

Comment 15 CFME Bot 2017-05-02 20:02:43 UTC
New commit detected on ManageIQ/manageiq-ui-service/fine:
https://github.com/ManageIQ/manageiq-ui-self_service/commit/431eb1cdd52cd0f17bca1df2ba41ce99036b34f2

commit 431eb1cdd52cd0f17bca1df2ba41ce99036b34f2
Author:     Chris Kacerguis <chriskacerguis@users.noreply.github.com>
AuthorDate: Tue May 2 14:23:11 2017 -0500
Commit:     Satoe Imaishi <simaishi@redhat.com>
CommitDate: Tue May 2 15:59:18 2017 -0400

    Merge pull request #731 from chalettu/session-timeout
    
    Doesn't time out when session timeout is reached
    (cherry picked from commit b114b90a26e63c4ead172c4c72e93fe565579c5c)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1443166

 client/app/core/session.service.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comment 17 Chris Kacerguis 2017-05-16 19:45:34 UTC
Confirmed that we are sending the correct header:

X-Auth-Skip-Token-Renewal='true'

From what we can tell we are sending everything we need to over, but it doesn't appear to log us out.  Sending to auth team to investigate (along with the Z-stream clone)

Comment 18 Chris Kacerguis 2017-05-17 13:36:36 UTC
According to Simon and all his testing, this PR should fix it.

https://github.com/ManageIQ/manageiq-ui-service/pull/771

Once that is merged, we should test to verify before sending to QE.

Comment 19 Joe Vlcek 2017-05-17 13:53:13 UTC
(In reply to Chris Kacerguis from comment #18)
> According to Simon and all his testing, this PR should fix it.
> 
> https://github.com/ManageIQ/manageiq-ui-service/pull/771
> 
> Once that is merged, we should test to verify before sending to QE.

Tthis PR has been merged. I will work with ChrisH, Tim and Simon
to confirm this fixes the issue this morning.

JoeV

Comment 20 Chris Kacerguis 2017-05-17 14:14:46 UTC
JoeV - it's merged :)  thanks for your help with this.

Comment 21 Joe Vlcek 2017-05-17 16:15:25 UTC
Tim Wade, ChrisH and I confirmed the change in the PR from Comment 18 does resolve this issue.

When ChrisH had initially tested it he did not realize the evmserverd needed to be restarted in order for the updated "Session Timeout" to take effect.

Having to restart evmserverd for updates to the "Session Timeout" to take effect is not a perfect user experience I have filed a new BZ [1] to track this, which TimW has offered to work on.

Also, ChrisH has to make a similar change as was done in the PR from Comment 18 in other places in the SSUI.



[1] https://bugzilla.redhat.com/show_bug.cgi?id=1451848

Comment 23 CFME Bot 2017-05-17 21:47:51 UTC
New commit detected on ManageIQ/manageiq-ui-service/fine:
https://github.com/ManageIQ/manageiq-ui-self_service/commit/94cbabc50b4326da13843951f493cc62f14b40cf

commit 94cbabc50b4326da13843951f493cc62f14b40cf
Author:     Allen Wight <allen.b.wight@gmail.com>
AuthorDate: Wed May 17 09:38:19 2017 -0400
Commit:     Satoe Imaishi <simaishi@redhat.com>
CommitDate: Wed May 17 17:45:23 2017 -0400

    Merge pull request #771 from chriskacerguis/master
    
    sending string true vs literal true
    (cherry picked from commit 21de7ce2efaf9ace43df55d25e13de2305d62a83)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1443166

 client/app/core/session.service.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 24 CFME Bot 2017-05-17 21:53:07 UTC
New commit detected on ManageIQ/manageiq-ui-service/fine:
https://github.com/ManageIQ/manageiq-ui-self_service/commit/6b46ee169568eef0b65cded5bc42c1abf69fc265

commit 6b46ee169568eef0b65cded5bc42c1abf69fc265
Author:     Chris Kacerguis <chriskacerguis@users.noreply.github.com>
AuthorDate: Wed May 17 13:09:16 2017 -0500
Commit:     Satoe Imaishi <simaishi@redhat.com>
CommitDate: Wed May 17 17:48:07 2017 -0400

    Merge pull request #773 from chalettu/session-timeout-polling
    
    Enabled session timeout on pages that poll
    (cherry picked from commit 7925f9c9008e4ae0ceca076c45e42c0f4fa73296)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1443166

 client/app/requests/order-explorer/order-explorer.component.js |  3 ++-
 client/app/requests/orders-state.service.js                    |  4 +++-
 .../app/services/service-details/service-details.component.js  |  6 +++---
 .../services/service-explorer/service-explorer.component.js    |  3 ++-
 client/app/services/services-state.service.js                  |  6 ++++--
 client/app/services/vm-details/vm-details.component.js         | 10 ++++++----
 client/app/services/vms.service.js                             |  3 ++-
 7 files changed, 22 insertions(+), 13 deletions(-)

Comment 25 Andrew Dahms 2017-05-21 23:18:11 UTC
Setting the 'requires_doc_text' flag to '-' in accordance with a discussion with Chris Pelland.

Comment 26 Matt Pusateri 2017-05-22 14:39:38 UTC
Until bug https://bugzilla.redhat.com/show_bug.cgi?id=1443166 get's fixed, SSUI will not respect changes to session timeout unless evmserverd is restarted. 


We need some doc-text around restarting emvserverd if using SSUI and changing session timeout.

Comment 27 Matt Pusateri 2017-05-23 15:18:40 UTC
Tested on 5.8.0.16 with MIQLDAP and External Auth on FreeIPA. - SSUI now times out on custom session time.

Comment 29 errata-xmlrpc 2017-05-31 14:53:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1367


Note You need to log in before you can comment on or make changes to this bug.