Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement inactivity timeout for logging user out #451

Merged
merged 1 commit into from Jul 24, 2020
Merged

Implement inactivity timeout for logging user out #451

merged 1 commit into from Jul 24, 2020

Conversation

jhadvig
Copy link
Member

@jhadvig jhadvig commented Jul 22, 2020
edited

We fetch the inactivity timeout first from the accessTokenInactivityTimeoutSeconds in the OAuthClient. If thats not set we fetch accessTokenInactivityTimeout field from OAuth config. The inactivity timeout is stored in seconds.

When the inactivity timeout is set, the console configmap will look:

apiVersion: console.openshift.io/v1
auth:
  clientID: console
  clientSecretFile: /var/oauth-config/clientSecret
  inactivityTimeoutSeconds: 600
  oauthEndpointCAFile: /var/default-ingress-cert/ca-bundle.crt
clusterInfo:
  consoleBaseAddress: https://console-openshift-console.cluster.openshift.com
  masterPublicURL: https://api.cluster.openshift.com:6443
customization:
  branding: ocp
  documentationBaseURL: https://docs.openshift.com/container-platform/4.5/
kind: ConsoleConfig
monitoringInfo:
  alertmanagerPublicURL: https://alertmanager-main-openshift-monitoring.cluster.openshift.com
  grafanaPublicURL: https://grafana-openshift-monitoring.cluster.openshift.com
  prometheusPublicURL: https://prometheus-k8s-openshift-monitoring.cluster.openshift.com
  thanosPublicURL: https://thanos-querier-openshift-monitoring.cluster.com
providers: {}
servingInfo:
  bindAddress: https://[::]:8443
  certFile: /var/serving-cert/tls.crt
  keyFile: /var/serving-cert/tls.key

story: https://issues.redhat.com/browse/CONSOLE-740

/assign @spadgett

cc'ing @stlaz

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 22, 2020
spadgett
spadgett reviewed Jul 22, 2020
View reviewed changes
pkg/console/operator/operator.go Show resolved Hide resolved
pkg/console/operator/sync_v400.go Outdated Show resolved Hide resolved
pkg/console/operator/sync_v400.go Outdated
if oauthClient.AccessTokenInactivityTimeoutSeconds != nil {
inactivityTimeoutSeconds = int(*oauthClient.AccessTokenInactivityTimeoutSeconds)
} else {
oauthConfig, oacErr := co.oauthConfigClient.Get(co.ctx, api.ConfigResourceName, metav1.GetOptions{})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should already have this right? Can we pass this into the function like we do for Infrastructure config?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, sorry forgot to remove it

pkg/console/subresource/consoleserver/types.go
ClientSecretFile string `yaml:"clientSecretFile,omitempty"`
OAuthEndpointCAFile string `yaml:"oauthEndpointCAFile,omitempty"`
LogoutRedirect string `yaml:"logoutRedirect,omitempty"`
InactivityTimeoutSeconds int `yaml:"inactivityTimeoutSeconds,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think omitempty on these fields will work since they're not pointers.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

they will, in this case if the InactivityTimeoutSeconds will be 0, it will get omitted

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

they will, in this case if the InactivityTimeoutSeconds will be 0, it will get omitted

I'm skeptical :) But we can look at it separately since all the existing properties have it also.

pkg/console/operator/sync_v400.go Outdated
if oacErr != nil {
return nil, false, "FailedGetOAuthConfigClient", oacErr
}
inactivityTimeoutSeconds = int(oauthConfig.Spec.TokenConfig.AccessTokenInactivityTimeout.Seconds())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can AccessTokenInactivityTimeout be nil?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So based on the vendor bump I did its not... but the changed it recently in upstream.
I guess we shall bump again then :(

@jhadvig
Copy link
Member Author

jhadvig commented Jul 23, 2020

@spadgett rebased && comments addressed

@jhadvig
Copy link
Member Author

jhadvig commented Jul 23, 2020

/retest

1 similar comment
@jhadvig
Copy link
Member Author

jhadvig commented Jul 23, 2020

/retest

spadgett
spadgett approved these changes Jul 23, 2020
View reviewed changes
Copy link
Member

@spadgett spadgett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

pkg/console/operator/sync_v400.go
Comment on lines +313 to +317
} else {
if oauthConfig.Spec.TokenConfig.AccessTokenInactivityTimeout != nil {
inactivityTimeoutSeconds = int(oauthConfig.Spec.TokenConfig.AccessTokenInactivityTimeout.Seconds())
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

Suggested change
} else {
if oauthConfig.Spec.TokenConfig.AccessTokenInactivityTimeout != nil {
inactivityTimeoutSeconds = int(oauthConfig.Spec.TokenConfig.AccessTokenInactivityTimeout.Seconds())
}
}
} else if oauthConfig.Spec.TokenConfig.AccessTokenInactivityTimeout != nil {
inactivityTimeoutSeconds = int(oauthConfig.Spec.TokenConfig.AccessTokenInactivityTimeout.Seconds())
}

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 23, 2020
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhadvig, spadgett

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

3 similar comments
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit 7932374 into openshift:master Jul 24, 2020
@openshift-ci-robot
Copy link
Contributor

@jhadvig: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/e2e-aws-operator dedf24a link /test e2e-aws-operator
ci/prow/e2e-gcp-upgrade dedf24a link /test e2e-gcp-upgrade
ci/prow/e2e-gcp dedf24a link /test e2e-gcp

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spadgett spadgett spadgett approved these changes

@bparees bparees Awaiting requested review from bparees

Assignees

@spadgett spadgett

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@jhadvig @openshift-ci-robot @openshift-bot @spadgett @openshift-merge-robot