authenticateHawk response has non-array scopes #3502
Comments
I think I see the issue -- we use |
Hm, I don't think that's it. Looking more closely, |
BTW this occurred in v36.0.0, after 3fd060c and 9edca22 modified how the auth service interacts with the DB such that it uses the DB functions directly. But, |
Hm, I don't think that PR's putting debugging info at the right place. |
The worker in this case was |
OK, I've spent way too long staring at this. Since these are permacreds, things are pretty simple. I've looked through the codepaths, and scopes are only manipulated in a few places. Several of those only occur with temporary credentials. For permacreds, it comes down to taskcluster/services/auth/src/scoperesolver.js Lines 315 to 320 in c489ae9
That calls the resolver: taskcluster/services/auth/src/scoperesolver.js Lines 267 to 292 in c489ae9
and both return paths from the resolver return the result of mergeScopeSets. That function would probably choke on arguments that are null or undefined, since it calls So taskcluster/services/auth/src/signaturevalidator.js Lines 215 to 254 in c489ae9
ext is not set here, so that destructures the client and returns the scopes unmodified to the signature validator: taskcluster/services/auth/src/signaturevalidator.js Lines 255 to 290 in c489ae9
Here hawk.server.authenticate is a part of the Hawk library and doesn't know a thing about scopes. It returns the result of its second argument as authResult.credentials
That's then encoded into the API response shape and returned: taskcluster/services/auth/src/signaturevalidator.js Lines 335 to 341 in c489ae9
and the API method changes the expires format and returns it: taskcluster/services/auth/src/signaturevalidator.js Lines 335 to 341 in c489ae9
In all of that, my suspicion is that |
Let's give this a few weeks between deployment and closing as can't-reproduce. |
#3502 - get more data when scopes is not an array
Deployed to community today. |
This also occurred September 18 2020 22:10:08 UTC in firefox-ci (a total of two times now) |
Ah too bad that 658487e hasn't made it to production in firefox cluster yet. I see we're running 37.1.0 but the extra debugging went into 37.2.0.... Hopefully it will happen again once 37.2.0 or higher is deployed... |
Still last reported in 37.1.0 (and I don't see it at all for community). I'll give it another week or so. |
Still not seen since Sept 18. We can re-open if this gets spotted. |
Occurred again at October 27 2020 10:24:08 UTC |
The assertion in #3504 did not fail! |
Here's the logging this time
{
"timestamp": "2020-10-27T10:24:08.596573156Z",
"Type": "monitor.error",
"Fields": {
"message": "Output schema validation error: \nSchema Validation Failed!\nRejecting Schema: https://firefox-ci-tc.services.mozilla.com/schemas/auth/v1/authenticate-hawk-response.json#\nErrors:\n * data.scopes should be array\n * data should NOT have additional properties: \"scheme\"\n * data should NOT have additional properties: \"expires\"\n * data should NOT have additional properties: \"scopes\"\n * data should NOT have additional properties: \"clientId\"\n * data should NOT have additional properties: \"hash\"\n * data.status should be equal to one of the allowed values\n * data should have required property 'message'\n * data should match exactly one schema in oneOf",
"incidentId": "5d75a682-63f6-4f9e-82f8-28a9b0c1876a",
"params": {},
"name": "Error",
"schema": "https://firefox-ci-tc.services.mozilla.com/schemas/auth/https://firefox-ci-tc.services.mozilla.com/schemas/auth/v1/authenticate-hawk-response.json#",
"payload": {
"port": 443,
"host": "firefox-ci-tc.services.mozilla.com",
"sourceIp": "34.83.21.167",
"authorization": "Hawk mac=\"***\", hash=\"9O/k6UTxx2c7Wq2ZG28XE/uXFX3WbGMARo7Tb0jgbCc=\", id=\"project/releng/scriptworker/beetmover/prod/firefoxci-gecko-3\", ts=\"1603794248\", nonce=\"GCW6fH\", ext=\"e30=\"",
"resource": "/api/queue/v1/claim-work/scriptworker-k8s/gecko-3-beetmover",
"method": "post"
},
"url": "/authenticate-hawk",
"reportId": "2eaf16b208c9432981110a5fb0561c43",
"method": "authenticateHawk",
"stack": "Error: Output schema validation error: \nSchema Validation Failed!\nRejecting Schema: https://firefox-ci-tc.services.mozilla.com/schemas/auth/v1/authenticate-hawk-response.json#\nErrors:\n * data.scopes should be array\n * data should NOT have additional properties: \"scheme\"\n * data should NOT have additional properties: \"expires\"\n * data should NOT have additional properties: \"scopes\"\n * data should NOT have additional properties: \"clientId\"\n * data should NOT have additional properties: \"hash\"\n * data.status should be equal to one of the allowed values\n * data should have required property 'message'\n * data should match exactly one schema in oneOf\n at ServerResponse.res.reply (/app/libraries/api/src/middleware/schema.js:80:23)\n at /app/services/auth/src/api.js:970:16\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:97:5)",
"v": 1
}
}
{
"timestamp": "2020-10-27T10:24:08.597856875Z",
"Type": "monitor.apiMethod",
"Fields": {
"public": true,
"sourceIp": "::ffff:10.4.4.132",
"statusCode": 500,
"method": "POST",
"query": {},
"name": "authenticateHawk",
"expires": "",
"clientId": "",
"resource": "/authenticate-hawk",
"hasAuthed": false,
"satisfyingScopes": [],
"v": 1,
"duration": 285.785589,
"apiVersion": "v1"
}
}
{
"timestamp": "2020-10-27T10:24:08.853340003Z",
"Type": "monitor.apiMethod",
"Fields": {
"query": {},
"resource": "/authenticate-hawk",
"duration": 6.161082,
"v": 1,
"expires": "",
"hasAuthed": false,
"method": "POST",
"sourceIp": "::ffff:10.4.4.132",
"satisfyingScopes": [],
"statusCode": 200,
"clientId": "",
"name": "authenticateHawk",
"public": true,
"apiVersion": "v1"
}
}
{
"timestamp": "2020-10-27T10:24:28.857431344Z",
"Type": "monitor.apiMethod",
"Fields": {
"satisfyingScopes": [
"queue:claim-work:scriptworker-k8s/gecko-3-beetmover",
"queue:worker-id:gecko-3-beetmover/gecko-3-beetmover-av4vicjstlu4shcl2hvm"
],
"public": false,
"hasAuthed": true,
"name": "claimWork",
"query": {},
"resource": "/claim-work/scriptworker-k8s/gecko-3-beetmover",
"clientId": "project/releng/scriptworker/beetmover/prod/firefoxci-gecko-3",
"method": "POST",
"v": 1,
"apiVersion": "v1",
"expires": "3019-11-07T00:02:07.485Z",
"duration": 20753.919976,
"statusCode": 200,
"sourceIp": "34.83.21.167"
}
}
|
Interesting that this is from scriptworker both times! |
Full error stack:
|
Doing some experimenting with schema validation, I confirm that this message corresponds to an auth-success response with a present but non-array |
To be clear, in the previous comment I was able to reproduce the error message by making up fake response bodies. I was not able to reproduce the problem. I'm drawing a blank here. Given that the assert from #3504 did not fire, we can assume that I'd love to have someone else take a look at this -- I must be missing something. Some issue with object aliasing? Something specific in the request that's causing this? |
@imbstack and I found the issue. The When a client's last-used date needs to be updated, we When there's a change to clients or roles, the So we think what's happening is:
@imbstack will be putting up a PR shortly, to shallow-clone the returned value and avoid this issue. |
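The failure mode the two comments above describe, handing a cached object out by reference so that a later update on another code path changes a response that was already built from it, reduced to a runnable sketch. This is an added example, not Taskcluster's code: the cache shape, the field names and the two-step "refresh" that leaves `scopes` as a non-array in between are hypothetical stand-ins for the mechanism the thread does not spell out, and the sample client record is constructed. It also shows why a shallow clone at the cache boundary is enough for a reassigned property but not for in-place mutation of the shared `scopes` array.

```javascript
// Added example (not Taskcluster's code): aliasing of a cached object and the
// shallow-clone fix. Names, cache shape and the refresh step are hypothetical.

// Constructed sample client record; not real credentials.
const SAMPLE_CLIENT = {
  clientId: 'client/example',
  expires: '3019-11-07T00:02:07.485Z',
  scopes: ['queue:claim-work:example/pool', 'queue:worker-id:example/*'],
};

// Minimal in-memory cache. With cloneOnGet=false it returns its own stored
// object, so callers and later cache updates alias the same value.
class ClientCache {
  constructor(cloneOnGet) {
    this.cloneOnGet = cloneOnGet;
    this.store = new Map();
    this.store.set(SAMPLE_CLIENT.clientId,
      { ...SAMPLE_CLIENT, scopes: [...SAMPLE_CLIENT.scopes] });
  }

  get(clientId) {
    const rec = this.store.get(clientId);
    if (!rec) return null;
    return this.cloneOnGet ? { ...rec } : rec;   // shallow clone at the boundary
  }

  // Hypothetical two-step refresh: between begin and commit the cached entry's
  // `scopes` is a Set, not an array. Anyone still holding the cached object
  // observes that intermediate shape.
  beginRefresh(clientId) {
    const rec = this.store.get(clientId);
    rec.scopes = new Set(rec.scopes);
  }
  commitRefresh(clientId, extraScopes = []) {
    const rec = this.store.get(clientId);
    rec.scopes = [...rec.scopes, ...extraScopes];
  }
}

// Builds the auth-success shape directly on the record the cache returned.
// Harmless only if that record is the caller's own copy.
function buildAuthResponse(cache, clientId) {
  const rec = cache.get(clientId);
  if (!rec) return { status: 'auth-failed', message: 'no such client' };
  rec.status = 'auth-success';
  rec.scheme = 'hawk';
  return rec;
}

// Output check modelled on the schema error quoted in the incident log.
function checkAuthSuccess(resp) {
  const errors = [];
  if (resp.status !== 'auth-success') errors.push('data.status should be auth-success');
  if (!Array.isArray(resp.scopes)) errors.push('data.scopes should be array');
  if (typeof resp.clientId !== 'string') errors.push('data.clientId should be string');
  return errors;
}

// Interleaving: the response is built, then another code path starts a refresh
// before the response is serialised. Returns the validation errors and whether
// the response builder's extra fields leaked into the cache entry.
function scenario(cloneOnGet) {
  const cache = new ClientCache(cloneOnGet);
  const resp = buildAuthResponse(cache, SAMPLE_CLIENT.clientId);
  cache.beginRefresh(SAMPLE_CLIENT.clientId);     // runs before resp is sent
  const errors = checkAuthSuccess(resp);
  cache.commitRefresh(SAMPLE_CLIENT.clientId);
  const stored = cache.store.get(SAMPLE_CLIENT.clientId);
  return { errors, cachePolluted: 'status' in stored };
}

// Caveat: a shallow clone still shares the nested `scopes` array, so an
// in-place push on the cached entry leaks into an already-built response.
function scenarioInPlaceArrayMutation() {
  const cache = new ClientCache(true);
  const resp = buildAuthResponse(cache, SAMPLE_CLIENT.clientId);
  cache.store.get(SAMPLE_CLIENT.clientId).scopes.push('queue:extra');
  return resp.scopes.length;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('aliased :', scenario(false));
  console.log('cloned  :', scenario(true));
  console.log('scopes seen after in-place push through a shallow clone:',
    scenarioInPlaceArrayMutation());
}
```

With `cloneOnGet=false` the response fails the array check and the cache entry is left carrying `status` and `scheme`; with the clone the response passes and the cache stays clean. The last scenario is the check worth keeping in mind when reviewing the shallow-clone PR: it protects against properties being reassigned on the shared object, not against `push`/`splice` on an array both copies still point at, so any path that edits `scopes` in place needs either a copy of the array as well or to never touch the cached value.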
Nice sleuthing! I'll take a closer look tomorrow, out for the day now. |
https://sentry.prod.mozaws.net/operations/taskcluster-firefox-ci/issues/9581113/activity/?referrer=alert_email
see more comments on the sentry issue.