Bug 1684402 - No type validation for accessTokenMaxAgeSeconds in oauth
Summary: No type validation for accessTokenMaxAgeSeconds in oauth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.1.0
Assignee: Standa Laznicka
QA Contact: Chuan Yu
URL:
Whiteboard: f this bug is not fixed by Friday, Ma...
Depends On:
Blocks:
Reported: 2019-03-01 07:58 UTC by Chuan Yu
Modified: 2019-06-04 10:44 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:44:51 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:44:57 UTC

Description Chuan Yu 2019-03-01 07:58:22 UTC
Description of problem:
accessTokenMaxAgeSeconds in the oauth configuration should only accept a positive integer number, but it can currently be set to any characters.

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION     AVAILABLE   PROGRESSING   SINCE     STATUS
version   4.0.0-0.6   True        False         44m       Cluster version is 4.0.0-0.6

How reproducible:
always

Steps to Reproduce:
1. Edit the oauth object and set accessTokenMaxAgeSeconds to a value that is not a positive integer:

oc edit oauth cluster
spec:
  tokenConfig:
    accessTokenMaxAgeSeconds: dfadfadf

Actual results:
The edit succeeds, but the authentication pod is not restarted for it to take effect.

Expected results:
The oauth edit should fail and prompt with a hint, such as "could not be patched: unrecognized type".

Additional info:
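As an added illustration (not code from this report, from the linked pull requests, or from the OpenShift code base), the following Go validator shows the two layers of checking this bug is about: a type check that rejects a non-integer such as `dfadfadf` with an "unrecognized type" error (the role a CRD schema of `type: integer` plays on the API server), and a range check that rejects the negative value from Comment 5. Assumptions: the field is typed int32 as in openshift/api, the value 0 is accepted and treated as "unset", and the sample inputs are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// tokenConfig mirrors the spec.tokenConfig stanza from the report, with the
// field typed int32 like the openshift/api definition (assumption). A pointer
// distinguishes "field absent" from an explicit 0.
type tokenConfig struct {
	AccessTokenMaxAgeSeconds *int32 `json:"accessTokenMaxAgeSeconds"`
}

// oauthSpec is the fragment of the OAuth object's spec that carries tokenConfig.
type oauthSpec struct {
	TokenConfig tokenConfig `json:"tokenConfig"`
}

// ErrNegativeMaxAge covers the Comment 5 case: a value that decodes as int32
// but makes no sense as a token lifetime.
var ErrNegativeMaxAge = errors.New(
	"spec.tokenConfig.accessTokenMaxAgeSeconds: must be a non-negative integer")

// ValidateOAuthSpec checks a JSON-encoded spec in two steps:
//  1. type validation: the field must be a JSON integer that fits in int32;
//     strings, floats and out-of-range numbers are rejected by the decoder;
//  2. range validation: negative values are rejected; 0 is accepted and is
//     ASSUMED here to mean "unset, use the default" (not stated on the page).
func ValidateOAuthSpec(raw []byte) error {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // a misspelled field name is an error, not silently ignored
	var spec oauthSpec
	if err := dec.Decode(&spec); err != nil {
		var typeErr *json.UnmarshalTypeError
		if errors.As(err, &typeErr) {
			// typeErr.Value is "string", "number 1.5", etc.
			return fmt.Errorf("spec.tokenConfig.accessTokenMaxAgeSeconds: unrecognized type: got %s, want integer",
				typeErr.Value)
		}
		return fmt.Errorf("invalid oauth spec: %w", err)
	}
	if v := spec.TokenConfig.AccessTokenMaxAgeSeconds; v != nil && *v < 0 {
		return ErrNegativeMaxAge
	}
	return nil
}

func main() {
	// Constructed samples: the garbage string from the Description, the
	// negative number from Comment 5, a float, and a sane value.
	samples := []string{
		`{"tokenConfig":{"accessTokenMaxAgeSeconds":"dfadfadf"}}`,
		`{"tokenConfig":{"accessTokenMaxAgeSeconds":-86400}}`,
		`{"tokenConfig":{"accessTokenMaxAgeSeconds":1.5}}`,
		`{"tokenConfig":{"accessTokenMaxAgeSeconds":86400}}`,
	}
	for _, s := range samples {
		fmt.Printf("%-58s -> %v\n", s, ValidateOAuthSpec([]byte(s)))
	}
}
```

The decoder-level check is what the reporter's expected error message corresponds to; without a schema on the CRD the API server stores whatever YAML it is given, which is why the edit in the Description succeeded. The range check is the part that Comment 8 says was still missing after the first fix.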

Comment 2 Standa Laznicka 2019-03-11 09:35:57 UTC
Resolved in https://github.com/openshift/cluster-config-operator/pull/17

Comment 5 Chuan Yu 2019-03-19 10:12:36 UTC
Verified failed.

accessTokenMaxAgeSeconds can be configured with a negative number, such as `accessTokenMaxAgeSeconds: -86400`.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-03-18-223058   True        False         9h      Cluster version is 4.0.0-0.nightly-2019-03-18-223058

Comment 6 Standa Laznicka 2019-03-29 07:41:22 UTC
-86400 is a valid value: https://github.com/openshift/api/blob/master/config/v1/types_oauth.go#L55

Comment 7 Chuan Yu 2019-03-29 08:24:08 UTC
Thanks for the clarification, it makes sense, verified.

Comment 8 Standa Laznicka 2019-04-26 09:32:22 UTC
I overlooked the fact that this is accessTokenMaxAgeSeconds and not accessTokenInactivityTimeout.

This needs fixing; it will be done as part of https://github.com/openshift/origin/pull/21922

Comment 11 Chuan Yu 2019-05-05 07:44:54 UTC
Verified on 4.1.0-0.nightly-2019-05-04-210601

Comment 13 errata-xmlrpc 2019-06-04 10:44:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758
