-
Notifications
You must be signed in to change notification settings - Fork 992
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[20.05] Assign random password in user manager if none specified #9587
[20.05] Assign random password in user manager if none specified #9587
Conversation
@nuwang My apologies for the late response. I guess you're using a provider via the CustosAuthnz; have you tried authentication flow against a PSA-based provider as well? (e.g., Google or Elixir) |
I only tried with Custos because only Custos exposed configuration through a well-known endpoint. It worked quit well. |
@VJalili Just a ping. Is this looking ok to go? |
334974f
to
79e45c8
Compare
@nuwang This looks fine, but I am curious about "but was wondering how it was not breaking authnz completely, and whether this was caused by a recent code change perhaps?" as well. Did you manage to look into this more? |
@nuwang can you please test this against a PSA-based backend and make sure it does not break them? Testing against Google should be sufficient. Unfortunately I guess with Custos we diverged a bit, so we should make sure the PSA-based backend is equally developed/maintained. |
@dannon I believe this refactoring commit caused it: 2a18857#diff-74566421da44253f075336826614cf9c @VJalili I agree that it would be nice to have PSA tested better, but that needs a separate integration test I think. I don't think this commit is related, and right now, I can't commit the time to test it unfortunately. |
@nuwang Thanks for the context; it looks like there's a bit more to do here if that's the code that broke it. Let me test it out. |
@nuwang I just figured out how we never saw this in any of the interim work -- do you have |
@dannon Yes, that seems to be the case. I hit this on the GA staging server, and presumably, that was carrying old defaults forward. Might be an issue with older cloudman versions even. How does one set about changing this? I imagine just flipping the setting won't do? However, I don't quite follow why only setting pbkdf2 triggers this. Won't hitting this line do so? https://github.com/galaxyproject/galaxy/pull/9587/files#diff-74566421da44253f075336826614cf9cL108 |
@nuwang It's all going to go through https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/model/__init__.py#L392, which only uses
|
Right, that makes sense. Although that has a very specific check to assert that it should be non null: galaxy/lib/galaxy/util/hash_util.py Line 72 in f0ebdd4
|
I was thinking that instead we should also raise an Exception in >>> from galaxy.security.passwords import check_password, hash_password
>>> hashed = hash_password(None)
>>> check_password(None, hashed)
True |
@nsoranzo Good catch; I shouldn't have said it generates a random password -- it generates a valid hash of the null password! :) That should probably throw an exception, agreed. Galaxy still needs refactoring to make user creation all go through the manager, but that probably shouldn't happen here. To handle all the cases where someone's trying to set a null password, should we just update |
Seems a good plan! To summarise:
if password is None:
raise Exception("password cannot be None")
|
32d329b
to
bfb5c97
Compare
bfb5c97
to
88d05dc
Compare
@dannon @nsoranzo I did a bit of refactoring on the password handling. See what you think. While doing this, also noticed a bit of repetition between the admin controller, toolshed and galaxy in terms of validation, so tried to factor that out too. One minor difference is that the toolshed public name regex is a bit different from the Galaxy one, and I opted to use the Galaxy public name regex. If this is a problem, I can restore the original regex for the toolshed. |
92d45d9
to
0a5cbe9
Compare
0a5cbe9
to
af7226c
Compare
I've changed the base to 20.05, since this does seem to have the potential to affect user-facing behavior. If something goes wrong it seems easier to isolate this if we roll it out with 20.05. Feel free to backport it further if this is absolutely required in 20.01. |
I ran into this error when trying to integrate an OpenID connect provider.
It turns out that the user_manager does not handle empty passwords correctly. The issue appears to be straightforward, but was wondering how it was not breaking authnz completely, and whether this was caused by a recent code change perhaps?