Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Preparations for launching cockpit-session via unix socket activation #21258

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Preparations for launching cockpit-session via unix socket activation #21258

wants to merge 9 commits into from

Conversation

martinpitt
Copy link
Member

Broken out from #16808. That requires a few more rounds of review and has ideas for more cleanups. These are the cockpit-session JSON parser (which is a bit finnicky, but got reviewed a few rounds already), plus a few extra commits which I believe are not problematic. Let's get them out of the way.

@martinpitt
session: Exit cleanly on EOF
de351d0 
Stop failing with "didn't receive expected authorize message", as that's
confusing -- the user did nothing wrong. Instead, silently exit
successfully, and let cockpit-ws handle the timeout.

This is mostly occurring when enabling Negotiate (kerberos)
authentication, and thus cockpit-ws always starts *two* cockpit-session
attempts (one for Negotiate, one for PAM), like in
TestIPA.testQualifiedUsers.
@martinpitt
common: NUL-terminate cockpit_frame_read() result
92c6180 
This makes it easier for callers to treat the reply as textual string.
The only remaining user is cockpit-session, where we will need this
behaviour in the following commit.
@martinpitt martinpitt mentioned this pull request Nov 12, 2024
Draft
12 tasks
@martinpitt martinpitt marked this pull request as draft November 13, 2024 05:26
@martinpitt

This comment was marked as resolved.

Sign in to view
@martinpitt martinpitt added the no-test For doc/workflow changes, or experiments which don't need a full CI run, label Nov 13, 2024
@martinpitt martinpitt force-pushed the session-prep branch 2 times, most recently from bba7277 to f5ce821 Compare November 13, 2024 06:19
@martinpitt martinpitt removed the request for review from allisonkarlitskaya November 13, 2024 06:19
@martinpitt
session: Support more keys in authorize JSON message parser
3b6a81b 
We want to parse more fields than just "response" from the authorize message in
the message. So remove the very rigidly harcoded parsing in
`read_authorize_response()` and let it return the whole JSON string instead.
Add a new `get_authorize_key()` function that parses a single value from that,
and adjust the callers accordingly.

This is a very restricted parser to keep things simple: No spaces in the
structure, and no escaping. We can assume all that as cockpit-ws sends
very controlled messages, and '"' isn't used in base64 values. In the
worst case we get a truncated value, which will just fail
authentication.

Localize some variables while we are at it.
@martinpitt
ws: Re-use session-utils.c in mock-auth-command.c
0985f1e 
Drop the duplicated (but not identical!) implementation of
`read_authorize_response()` and use the real implementation.
@martinpitt
selinux: Fix policy for socket-activated cockpit-session
64d65c0 
Run socket-activated cockpit-session with correct context. By default it
is `init_t`, but that will produce a memfd with the wrong permissions, which
the session cannot read.

Allow cockpit-ws to connect to /run/cockpit/session.

Allow restricted user_t and sysadm_t sessions to communicate (but not
connect) to cockpit-ws through the session unix socket. (Covered by
TestLogin.testSELinuxRestrictedUser)
@martinpitt
systemd: Allow cockpit-session@.service to fail with some known exit …
6389ce0 
…codes

cockpit-session exits with 5 on authentication failures, including
`authentication-unavailable`; or with 127 on authentication timeouts.
These aren't a reason to mark the unit as failed.
@martinpitt
session: Rename my_cgroup* to ws_cgroup*
a84ca36 
The point of this is really to determine the cgroup of our caller, i.e.
the cockpit-ws process. With cockpit-session@.service this is different
than cockpit-session's own cgroup. Rename the variables to clarify this.
@martinpitt
session: Send no-cockpit init problem if cockpit-bridge fails to exec
edf85ee 
If cockpit-ws directly spawns cockpit-session, it can process the 127
exit code by itself. But there is no exit code if that happens via unix
socket. Check this condition explicitly and report `no-cockpit` via the
protocol.

This triggers a more specific error path in cockpit-ws and the login
page, adjust TestConnection.testBasic accordingly.
@martinpitt
test: Ignore session timeout messages in TestIPA.testQualifiedUsers
d16dcbd 
The test idles on the login page for more than the 60s authorize
timeout. When running cockpit-session via unix socket, this causes some
unsightly "session timed out during authentication" messages. This ought
to be handled better in cockpit-ws, but for the time being ignore these
messages.
@martinpitt martinpitt removed the no-test For doc/workflow changes, or experiments which don't need a full CI run, label Nov 13, 2024
@martinpitt martinpitt marked this pull request as ready for review November 13, 2024 08:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@allisonkarlitskaya allisonkarlitskaya Awaiting requested review from allisonkarlitskaya

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@martinpitt