Commit
core: avoid sending bad macaroons to gplazma

Motivation:

Macaroons are bearer tokens issued by dCache: a macaroon issued by dCache is only acceptable by the dCache instance that issued it.

UnionLoginStrategy, when used to combine multiple strategies, is currently used only to combine the MacaroonLoginStrategy with the RemoteLoginStrategy (i.e., gPlazma).

Currently, UnionLoginStrategy stops iterating through the list of configured LoginStrategy objects only if the login was successful and yielded a non-NOBODY identity.

This means that UnionLoginStrategy will send a dCache-issued macaroon that is invalid (e.g., has expired) to gPlazma. As macaroons may be unique with each request, any caching (e.g., within the door, to prevent overloading gPlazma) may be ineffective and (potentially) all invalid macaroons are sent to gPlazma.

OpenID-Connect (OIDC) access-tokens are also bearer tokens. OIDC access tokens are opaque: there's no way to determine whether a bearer token is an OIDC access token. (An OP could issue a macaroon as an OIDC access token, but currently no OP does this.)

This means that, if gPlazma has the OpenID-Connect (OIDC) plugin configured, then (potentially) all invalid macaroons are sent to all OPs.

Some OPs may implement counter-measures for such request spamming, such as rate-limiting requests if requests are received too often. This can result in login requests to gPlazma timing out.

Modification:

Update UnionLoginStrategy so that any LoginStrategy that both understands the credentials and rejects them terminates the login attempt.

Update MacaroonLoginStrategy so that unknown macaroons are treated as an unknown credential instead of failing the login.

Result:

An invalid macaroon login no longer spams gPlazma and (consequently) OPs.

Target: master
Request: 4.2
Request: 4.1
Request: 4.0
Request: 3.2
Requires-notes: yes
Requires-book: no
Patch: https://rb.dcache.org/r/11245/
Acked-by: Tigran Mkrtchyan
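
The short-circuit rule from the commit message, as an added sketch that is not dCache source code: it runs a two-strategy chain before and after the change and counts how often the remote (gPlazma) stand-in is called. The `Outcome` enum, the `Strategy` interface, the token strings and the set-lookup "validation" are all assumptions made for illustration; real macaroons are verified cryptographically.

```java
import java.util.List;
import java.util.Set;

// Added illustration, not dCache code. Every name in this file is hypothetical.
public class UnionLoginSketch {
    enum Outcome { ACCEPTED, REJECTED, UNKNOWN_CREDENTIAL }
    interface Strategy { Outcome login(String bearerToken); }

    static int remoteCalls = 0; // how often the gPlazma stand-in was asked
    // Constructed sample data: macaroons this instance issued, and the still-valid subset.
    static final Set<String> ISSUED = Set.of("mac-live", "mac-expired");
    static final Set<String> LIVE = Set.of("mac-live");

    // Stand-in for the macaroon strategy after the change: a token it did not
    // issue is "not my credential" rather than a failed login.
    static final Strategy MACAROON = t -> !ISSUED.contains(t) ? Outcome.UNKNOWN_CREDENTIAL
            : LIVE.contains(t) ? Outcome.ACCEPTED : Outcome.REJECTED;
    // Stand-in for the remote strategy; each call models a gPlazma (and OP) round trip.
    static final Strategy REMOTE = t -> {
        remoteCalls++;
        return t.equals("oidc-good") ? Outcome.ACCEPTED : Outcome.REJECTED;
    };

    // Before the change: only a successful login stops the iteration.
    static Outcome unionBefore(List<Strategy> chain, String token) {
        for (Strategy s : chain) {
            if (s.login(token) == Outcome.ACCEPTED) return Outcome.ACCEPTED;
        }
        return Outcome.REJECTED;
    }

    // After the change: a strategy that understands the credential decides the login.
    static Outcome unionAfter(List<Strategy> chain, String token) {
        for (Strategy s : chain) {
            Outcome o = s.login(token);
            if (o != Outcome.UNKNOWN_CREDENTIAL) return o;
        }
        return Outcome.REJECTED;
    }

    public static void main(String[] args) {
        List<Strategy> chain = List.of(MACAROON, REMOTE);
        for (String token : List.of("mac-live", "mac-expired", "oidc-good")) {
            remoteCalls = 0;
            Outcome before = unionBefore(chain, token);
            int callsBefore = remoteCalls;
            remoteCalls = 0;
            Outcome after = unionAfter(chain, token);
            System.out.printf("%-12s before=%s/%d after=%s/%d%n", token, before, callsBefore, after, remoteCalls);
        }
    }
}
```

Each output line shows the login outcome followed by the number of remote calls; the expired macaroon is the only token whose remote-call count differs between the two variants, while the opaque non-macaroon token still reaches the remote strategy in both.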