Description of problem:
Jenkins logout fails to invalidate the token even if the request deletes oauthaccesstoken tokenname

Version-Release number of selected component (if applicable):
4.7.0-0.nightly-2020-12-20-031835

How reproducible:
always

Steps to Reproduce:
1. Create a jenkins application with normal user
   $ oc new-app jenkins-persistent
2. oc delete clusterrolebinding.rbac system:oauth-token-deleters
3. Login to jenkins webconsole
4. Check oauthaccesstoken
   $ oc get oauthaccesstoken | grep jenkins
   sha256~OOvJK8xxI2wQsgzoYUv8RmPmubt1P_ptzgQ-jYvH2pc   testuser-42   system:serviceaccount:xiuwang:jenkins   2020-12-23T09:21:26Z   2020-12-24 09:21:26 +0000 UTC   https://jenkins-xiuwang.apps.wsun1223aws.qe.devcluster.openshift.com/securityRealm/finishLogin   user:info,user:check-access
5. Logout jenkins from webconsole
6. Check jenkins pod logs
7. Check oauthaccesstoken again.

Actual results:
Step 6:
2020-12-23 09:21:26 INFO org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm updateAuthorizationStrategy OpenShift OAuth: adding permissions for user testuser-42, stored in the matrix as testuser-42-admin-edit-view, based on OpenShift roles [admin, edit, view]
2020-12-23 09:22:55 INFO org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm doLogout Entering doLogout
2020-12-23 09:22:55 INFO org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm doLogout Found an oauthaccess token in the sessions
2020-12-23 09:22:55 INFO org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm doLogout The oauthaccesstoken to delete has a computed name of: sha256~OOvJK8xxI2wQsgzoYUv8RmPmubt1P_ptzgQ-jYvH2pc
2020-12-23 09:22:55 INFO org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm deleteOauthAccessToken Failed to delete oAuthAccessToken
com.google.api.client.http.HttpResponseException: 403 Forbidden
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"oauthaccesstokens.oauth.openshift.io \"sha256~OOvJK8xxI2wQsgzoYUv8RmPmubt1P_ptzgQ-jYvH2pc\" is forbidden: User \"system:serviceaccount:xiuwang:jenkins\" cannot delete resource \"oauthaccesstokens\" in API group \"oauth.openshift.io\" at the cluster scope","reason":"Forbidden","details":{"name":"sha256~OOvJK8xxI2wQsgzoYUv8RmPmubt1P_ptzgQ-jYvH2pc","group":"oauth.openshift.io","kind":"oauthaccesstokens"},"code":403}
    at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1097)
    at org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm.deleteOauthAccessToken(OpenShiftOAuth2SecurityRealm.java:1213)
    at org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm.doLogout(OpenShiftOAuth2SecurityRealm.java:1162)
    at jenkins.model.Jenkins.doLogout(Jenkins.java:4106)
    at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
    at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
    at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
    at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
    at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:535)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)

Step 7: The old token still exists.
$ oc get oauthaccesstoken | grep jenkins
sha256~OOvJK8xxI2wQsgzoYUv8RmPmubt1P_ptzgQ-jYvH2pc   testuser-42   system:serviceaccount:xiuwang:jenkins   2020-12-23T09:21:26Z   2020-12-24 09:21:26 +0000 UTC   https://jenkins-xiuwang.apps.wsun1223aws.qe.devcluster.openshift.com/securityRealm/finishLogin   user:info,user:check-access

Expected results:
The old token should be deleted.

Additional info:
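An added check for steps 4 to 7 of the report, not part of the report or of the Jenkins plugin: it parses the `oc get oauthaccesstoken` listing and the Jenkins pod log, and lists the tokens the plugin announced it would delete at logout but which are still present because the delete call was rejected (the 403 in step 6). The sample rows and log lines are constructed to match the report's column and message format; the token names and hostnames are placeholders.

```python
import re

# Constructed sample data shaped like the report: an `oc get oauthaccesstoken`
# listing taken after the Jenkins logout, and the matching Jenkins pod log lines.
TOKENS_AFTER_LOGOUT = """\
NAME USER NAME CLIENT NAME CREATED EXPIRES REDIRECT URI SCOPES
sha256~constructedA testuser-42 system:serviceaccount:xiuwang:jenkins 2020-12-23T09:21:26Z 2020-12-24 09:21:26 +0000 UTC https://jenkins.example.test/securityRealm/finishLogin user:info,user:check-access
sha256~constructedB testuser-42 openshift-challenging-client 2020-12-23T08:15:31Z 2020-12-24 08:15:31 +0000 UTC https://oauth.example.test/oauth/token/implicit user:full
"""
JENKINS_LOG = """\
2020-12-23 09:22:55 INFO OpenShiftOAuth2SecurityRealm doLogout The oauthaccesstoken to delete has a computed name of: sha256~constructedA
2020-12-23 09:22:55 INFO OpenShiftOAuth2SecurityRealm deleteOauthAccessToken Failed to delete oAuthAccessToken com.google.api.client.http.HttpResponseException: 403 Forbidden
"""

# Column order of `oc get oauthaccesstoken`; EXPIRES itself spans four whitespace-separated fields.
FIELDS = ("name", "user", "client", "created", "expires", "redirect_uri", "scopes")

def parse_token_listing(text):
    """Parse `oc get oauthaccesstoken` rows into dicts, skipping the header line."""
    tokens = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].startswith("sha256~"):
            continue  # header or unrelated output
        values = (*f[:4], " ".join(f[4:8]), f[8], tuple(f[9].split(",")))
        tokens.append(dict(zip(FIELDS, values)))
    return tokens

DELETE_TARGET = re.compile(r"computed name of: (sha256~\S+)")
DELETE_FAILED = re.compile(r"Failed to delete oAuthAccessToken.*HttpResponseException: (\d{3})")

def logout_deletion_failures(log):
    """Map token name -> HTTP status for logouts where Jenkins could not revoke the token."""
    failures, pending = {}, None
    for line in log.splitlines():
        if m := DELETE_TARGET.search(line):
            pending = m.group(1)          # doLogout announced which token it will delete
        elif (m := DELETE_FAILED.search(line)) and pending:
            failures[pending] = int(m.group(1))  # the following delete attempt failed
            pending = None
    return failures

def surviving_jenkins_tokens(listing, log):
    """Tokens Jenkins tried and failed to delete that are still present in the listing."""
    failed = logout_deletion_failures(log)
    return [t for t in parse_token_listing(listing) if t["name"] in failed]
```

A non-empty result means a user's logout did not revoke their OpenShift token, so the token stays usable until it expires; on a real cluster feed the functions the output of `oc get oauthaccesstoken` and `oc logs` for the jenkins pod.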
NOT A BUG
==========================================
jsingh@fugaku ~ cat ./users.htpasswd
user1:$2y$05$Bj7pN8/zvotXNHDBaF6naOm3xLSyGEZuF8Nv2dzKptPTiq7itwMpu
jitsingh:$apr1$e6a0X//v$lVOyB4DbebYCrtmgHYOqb.

jsingh@fugaku ~ oc apply -f htpass_cr.yaml
oauth.config.openshift.io/cluster unchanged

jsingh@fugaku ~ oc create secret generic htpass-secret1 --from-file=htpasswd=./users.htpasswd -n openshift-config
secret/htpass-secret1 created

jsingh@fugaku ~ vi htpass_cr.yaml

jsingh@fugaku ~ oc apply -f htpass_cr.yaml
oauth.config.openshift.io/cluster configured
=====================================================
jsingh@fugaku ~ oc login -u jitsingh -p XXXXXXXXX
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

jsingh@fugaku ~ oc new-project jenkins-bug
Now using project "jenkins-bug" on server "https://api.jenkins-dev-4.6-020804.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

jsingh@fugaku ~ oc new-app jenkins-persistent
--> Deploying template "openshift/jenkins-persistent" to project jenkins-bug

     Jenkins
     ---------
     Jenkins service, with persistent storage.

     NOTE: You must have persistent volumes available in your cluster to use this template.

     A Jenkins service has been created in your project. Log into Jenkins with your OpenShift account. The tutorial at https://github.com/openshift/origin/blob/master/examples/jenkins/README.md contains more information about using this template.

     * With parameters:
        * Jenkins Service Name=jenkins
        * Jenkins JNLP Service Name=jenkins-jnlp
        * Enable OAuth in Jenkins=true
        * Memory Limit=1Gi
        * Volume Capacity=1Gi
        * Jenkins ImageStream Namespace=openshift
        * Disable memory intensive administrative monitors=false
        * Jenkins ImageStreamTag=jenkins:2
        * Fatal Error Log File=false
        * Allows use of Jenkins Update Center repository with invalid SSL certificate=false

--> Creating resources ...
    route.route.openshift.io "jenkins" created
    configmap "jenkins-trusted-ca-bundle" created
    persistentvolumeclaim "jenkins" created
    deploymentconfig.apps.openshift.io "jenkins" created
    serviceaccount "jenkins" created
    rolebinding.authorization.openshift.io "jenkins_edit" created
    service "jenkins-jnlp" created
    service "jenkins" created
--> Success
    Access your application via route 'jenkins-jenkins-bug.apps.jenkins-dev-4.6-020804.qe.devcluster.openshift.com'
    Run 'oc status' to view your app.

jsingh@fugaku ~ oc get pods -w
NAME               READY   STATUS      RESTARTS   AGE
jenkins-1-4zskf    0/1     Running     0          22s
jenkins-1-deploy   1/1     Running     0          24s
jenkins-1-4zskf    1/1     Running     0          114s
jenkins-1-deploy   0/1     Completed   0          117s
^C

jsingh@fugaku ~ oc get oauthaccesstoken | grep jenkins
Error from server (Forbidden): oauthaccesstokens.oauth.openshift.io is forbidden: User "jitsingh" cannot list resource "oauthaccesstokens" in API group "oauth.openshift.io" at the cluster scope

jsingh@fugaku ~ oc get routes
NAME      HOST/PORT                                                                     PATH   SERVICES   PORT    TERMINATION     WILDCARD
jenkins   jenkins-jenkins-bug.apps.jenkins-dev-4.6-020804.qe.devcluster.openshift.com          jenkins    <all>   edge/Redirect   None

jsingh@fugaku ~ oc whoami
kube:admin
================================
Post login to jenkins console

jsingh@fugaku ~ oc get oauthaccesstoken | grep jitsingh
sha256~IlmW1wgOxoEfHCUnDzcrOQLEZgv9tbyhdIxMv6D_Tpw   jitsingh   openshift-challenging-client             2021-02-08T08:15:31Z   2021-02-09 08:15:31 +0000 UTC   https://oauth-openshift.apps.jenkins-dev-4.6-020804.qe.devcluster.openshift.com/oauth/token/implicit   user:full
sha256~ZeiJKcOswFmBBbTAb_Yb3jqWDeSTvHZGaScZ4LlOOHk   jitsingh   system:serviceaccount:jenkins-bug:jenkins   2021-02-08T08:36:21Z   2021-02-09 08:36:21 +0000 UTC   https://jenkins-jenkins-bug.apps.jenkins-dev-4.6-020804.qe.devcluster.openshift.com/securityRealm/finishLogin   user:info,user:check-access

Post logout from jenkins console

jsingh@fugaku ~ oc get oauthaccesstoken | grep jitsingh
sha256~IlmW1wgOxoEfHCUnDzcrOQLEZgv9tbyhdIxMv6D_Tpw   jitsingh   openshift-challenging-client   2021-02-08T08:15:31Z   2021-02-09 08:15:31 +0000 UTC   https://oauth-openshift.apps.jenkins-dev-4.6-020804.qe.devcluster.openshift.com/oauth/token/implicit   user:full
===========================