Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use ephemeral ports for idp-fixture #40333

Merged
merged 6 commits into from
Mar 26, 2019
Merged

Conversation

jaymode
Copy link
Member

@jaymode jaymode commented Mar 21, 2019

This change removes the use of hardcoded port values for the
idp-fixture in favor of the mapped ephemeral ports. This should prevent
failures due to port conflicts in CI.

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
This change removes the use of hardcoded port values for the
idp-fixture in favor of the mapped ephemeral ports. This should prevent
failures due to port conflicts in CI.
@jaymode jaymode added >test Issues or PRs that are addressing/adding tests :Delivery/Build Build or test infrastructure v7.0.0 v8.0.0 v7.2.0 v6.7.1 labels Mar 21, 2019
@jaymode jaymode requested a review from jkakavas March 21, 2019 20:45
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra

@jkakavas
Copy link
Member

We should also change

ports:
      - "4443:4443"

to

ports:
      - "4443"

in x-pack/test/idp-fixture/docker-compose.yml so that we get a random port on localhost mapped to the 4443 of the container so that the IDP can be reached

@@ -17,11 +20,29 @@ testFixtures.useFixture ":x-pack:test:idp-fixture"

String outputDir = "${project.buildDir}/generated-resources/${project.name}"
task copyIdpCertificate(type: Copy) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rename task to copyFiles or something generic like that ?

into outputDir
}
project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpCertificate)
integTestCluster.dependsOn copyIdpCertificate

task setupPorts {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for noticing and fixing this @jaymode !
The code to look up the ports is not necessary TestFixturesPlugin already sets this up,
postProcessFixture will have extension properties with the ports, so you just need something like this: postProcessFixture.doLast { println ext."test.fixtures.shibboleth-idp.tcp.443" } Note that any testing task also gets passed a system property by the same name.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for that tip!

Copy link
Member

@jkakavas jkakavas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will unfortunately not work as is. The port is part of the SingleSignOnService binding URL and that URL is set as the Destination element value in the SAML Authentication Response. So, even if we set this to a random port outside the container, the Shibboleth IDP will still be configured with 4443 internally so from its perspective, the SingleSignOnService HTTP-Redirect binding Location will still be

https://localhost:4443/idp/profile/SAML2/Redirect/SSO

and it will fail on an authentication request with a Destination set to

https://localhost:34567/idp/profile/SAML2/Redirect/SSO

Setting the Destination in the authn request is only mandatory when the the request is signed ( otherwise optional ) but even if we were to change this default behavior , the tests would work only for a subset of use cases and then again something else might break.
Shibboleth IDP is not easy to run behind a reverse proxy :/ , I think we'd have to use something like httpd or nginx to do proper request rewriting so that both our saml realm and the Shibboleth IDP can be happy.

Alternatively, maybe @atorok knows if this is possible, we might be able to get around this if we can replace the random ephemeral port in the mounted volumes config files, so that shibboleth / tomcat use randomized ports internally also

@jaymode jaymode requested review from jkakavas and alpar-t March 22, 2019 15:18
@jaymode
Copy link
Member Author

jaymode commented Mar 22, 2019

The port is part of the SingleSignOnService binding URL and that URL is set as the Destination element value in the SAML Authentication Response.

The idp-metadata.xml gets re-written with the updated port, which is how it works. Maybe shibboleth handles this better now? Or is the test broken?

The push from yesterday was missing some of my changes since I committed in a sub directory instead (DOH!).

@jkakavas
Copy link
Member

The idp-metadata.xml gets re-written with the updated port, which is how it works

This is the idp-metadata.xml file that we copy to outputDir from the idp/shibboleth-idp/metadata/idp-metadata.xml and it is the one the saml realm uses in its configuration (after we rewrite the port).

Shibboleth internally still knows of the old idp-metadata.xml (mapped from idp/shibboleth-idp/metadata/idp-metadata.xml ) and this one still points to 4443 for the SingleSignOn port. So I would expect it to deny the authn request with a

AML message intended destination endpoint  X did not match the recipient endpoint Y

@jaymode
Copy link
Member Author

jaymode commented Mar 22, 2019

The reason that this works is due to the way that Shibboleth gets the URL for comparison. It uses HttpServletRequest#getRequestURL. The jetty implementation builds this URL and uses data provided in the HOST header provided by the client, which has the ephemeral port and not the port that shibboleth has in its configuration.

Copy link
Contributor

@alpar-t alpar-t left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Member

@jkakavas jkakavas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jaymode jaymode merged commit 834cc35 into elastic:master Mar 26, 2019
@jaymode jaymode deleted the idp_fixture_ports branch March 26, 2019 14:40
jaymode added a commit that referenced this pull request Mar 26, 2019
This change removes the use of hardcoded port values for the
idp-fixture in favor of the mapped ephemeral ports. This should prevent
failures due to port conflicts in CI.
jaymode added a commit that referenced this pull request Mar 26, 2019
This change removes the use of hardcoded port values for the
idp-fixture in favor of the mapped ephemeral ports. This should prevent
failures due to port conflicts in CI.
jaymode added a commit that referenced this pull request Mar 26, 2019
This change removes the use of hardcoded port values for the
idp-fixture in favor of the mapped ephemeral ports. This should prevent
failures due to port conflicts in CI.
@mark-vieira mark-vieira added the Team:Delivery Meta label for Delivery team label Nov 11, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
:Delivery/Build Build or test infrastructure Team:Delivery Meta label for Delivery team >test Issues or PRs that are addressing/adding tests v6.7.1 v7.0.0-rc2 v7.2.0 v8.0.0-alpha1
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

6 participants