I think this can be closed, right?
Oliver Freyermuth (b3c445f3) at 25 Jan 02:30
oidc-ssh: Make linter happy again.
Christoph Wissing (0fd00a94) at 24 Jan 22:36
Add timeout for curl command to get remote username.
I think groups are automatically updated by default, however that automatic update fails as well.
Using configured primary group: dfn-de-nfdi-de-punch_punch4nfdi
[2022-07-11 09:54:00,550] { ...adapter/__init__.py:840} DEBUG - Using aarc-g002 groups from 'entitlements' claim
[2022-07-11 09:54:00,550] { ...adapter/__init__.py:896} WARNING - Group name 'helmholtz.de_Helmholtz-member' changed to 'helmholtz-de_helmholtz-member' for general compatibilty
[2022-07-11 09:54:00,551] { ...adapter/__init__.py:896} WARNING - Group name 'dfn.de-nfdi.de-punch_PUNCH4NFDI_punch_intra' changed to 'dfn-de-nfdi-de-punch_punch4nfdi_punch_intra' for general compatibilty
[2022-07-11 09:54:00,551] { ...adapter/__init__.py:896} WARNING - Group name 'helmholtz.de_KIT' changed to 'helmholtz-de_kit' for general compatibilty
[2022-07-11 09:54:00,551] { ...adapter/__init__.py:896} WARNING - Group name 'dfn.de-nfdi.de-punch_PUNCH4NFDI' changed to 'dfn-de-nfdi-de-punch_punch4nfdi' for general compatibilty
[2022-07-11 09:54:00,551] { ...ckend/local_unix.py:390} ERROR - User or group name is too long: dfn-de-nfdi-de-punch_punch4nfdi_punch_intra (43)
These are the log entries when I log in via mccli. motley_cue is calling local_unix.py, but that fails. However, it seems to be silently ignored and the login proceeded.
Thanks @manuel.giffels, seems like you beat me to the punch (pun intended).
This issue still highlights two interesting things:
1. oidc-ssh (the error thrown by jq getting invalid JSON as input was not caught).
2. mc_cli still worked, since it realized that the account was already deployed. However, I think this also means that with mc_cli, groups will not be updated automatically, while with oidc-ssh this is attempted (by always triggering the state-machine to reach user deployment state).
It seems like a good idea to use this issue to track improving the error handling in oidc-ssh now that we actually see an error.
There is a bug/feature of feudal, which takes care of the local user deployment. It fails if group names are too long.
[2022-07-05 19:18:01,815] { ...adapter/__init__.py:896} WARNING - Group name 'dfn.de-nfdi.de-punch_PUNCH4NFDI' changed to 'dfn-de-nfdi-de-punch_punch4nfdi' for general compatibilty
[2022-07-05 19:18:01,815] { ...adapter/__init__.py:896} WARNING - Group name 'dfn.de-nfdi.de-punch_PUNCH4NFDI_punch_intra' changed to 'dfn-de-nfdi-de-punch_punch4nfdi_punch_intra' for general compatibilty
[2022-07-05 19:18:01,815] { ...ckend/local_unix.py:390} ERROR - User or group name is too long: dfn-de-nfdi-de-punch_punch4nfdi_punch_intra (43)
The reason is that someone put us in the dfn.de-nfdi.de-punch_PUNCH4NFDI_punch_intra group, which is simply too long to be deployed on linux and the group name shortening does not work like expected. @benoit.roland is already working on this issue (https://git.scc.kit.edu/feudal/feudalAdapterLdf/-/merge_requests/92). However, in general it might be a good idea to not mention punch 4 times in a group name. ;-)
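As an added example (not feudalAdapter's or feudal's own code) of the failure the log lines above show: the function below applies the renaming visible in the WARNING lines (dots to hyphens, lower-casing), checks the result against the name rule and 32-character default limit documented for useradd(8)/groupadd(8), and sorts the four groups from the 'entitlements' claim into deployable and rejected names. The 32-character limit and the regex are assumptions about shadow-utils defaults (distributions can build a different limit), the normalization rule is inferred from the log rather than read from the adapter, and `shorten_unix_name` is my own illustration of a collision-safe shortening, not feudal's algorithm.

```python
import hashlib
import re

# Assumption (not from the page): the name rule and default 32-character
# limit documented in useradd(8)/groupadd(8). shadow-utils can be built with
# a different limit, so it stays a parameter.
UNIX_NAME_RE = re.compile(r"[a-z_][a-z0-9_-]*")
MAX_NAME_LEN = 32


def normalize_group_name(entitlement_group: str) -> str:
    """Apply the renaming visible in the adapter's WARNING lines:
    dots become hyphens and the name is lower-cased.

    Inferred from the log lines on this page, not read from feudalAdapter's
    code, so treat it as an approximation of the real rule.
    """
    return entitlement_group.replace(".", "-").lower()


def validate_unix_name(name: str, max_len: int = MAX_NAME_LEN) -> None:
    """Raise ValueError for names useradd/groupadd would reject."""
    if len(name) > max_len:
        raise ValueError(f"User or group name is too long: {name} ({len(name)})")
    if not UNIX_NAME_RE.fullmatch(name):
        raise ValueError(f"User or group name has invalid characters: {name}")


def shorten_unix_name(name: str, max_len: int = MAX_NAME_LEN) -> str:
    """Illustrative shortening (my own, not feudal's): keep a readable prefix
    and append 8 hex chars of a hash of the full name, so two long groups that
    share a prefix cannot collapse into the same local group."""
    if len(name) <= max_len:
        return name
    digest = hashlib.sha256(name.encode()).hexdigest()[:8]
    return name[: max_len - 9] + "_" + digest


def plan_groups(claim_groups, max_len=MAX_NAME_LEN):
    """Split normalized groups into deployable names and rejected names.

    Returns (deployable, rejected); rejected maps the normalized name to the
    reason the local backend would refuse it, instead of failing silently.
    """
    deployable, rejected = [], {}
    for group in claim_groups:
        name = normalize_group_name(group)
        try:
            validate_unix_name(name, max_len)
        except ValueError as exc:
            rejected[name] = str(exc)
            continue
        deployable.append(name)
    return deployable, rejected


# Constructed input: the four groups from the 'entitlements' claim in the log above.
SAMPLE_GROUPS = [
    "helmholtz.de_Helmholtz-member",
    "dfn.de-nfdi.de-punch_PUNCH4NFDI_punch_intra",
    "helmholtz.de_KIT",
    "dfn.de-nfdi.de-punch_PUNCH4NFDI",
]

if __name__ == "__main__":
    ok, bad = plan_groups(SAMPLE_GROUPS)
    print("deployable:", ok)
    for name, reason in bad.items():
        print("rejected:", reason, "->", shorten_unix_name(name))
```

Running it reproduces the 43-character rejection from the log while the three other groups pass; the point of returning the rejected set is that a caller such as the deployment state machine can surface the error instead of dropping the group membership quietly.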
It seems motley_cue now reports an internal server error when one attempts to deploy a user who is already deployed:
$ curl -H "Authorization: Bearer `oidc-token helmholtz`" -X GET https://c4p-login.gridka.de/user/get_status
{"state":"deployed","message":"username o_freyermuth"}%
$ curl -H "Authorization: Bearer `oidc-token helmholtz`" -X GET https://c4p-login.gridka.de/user/deploy
Internal Server Error
A nice side-effect of not using the status endpoint was that the username returned by deploy could easily be parsed from the JSON response, while for the get_status endpoint, additional messy string manipulation is required.
@manuel.giffels Do you see any errors related to such an attempt in the server logs?
I tried to learn from the code what changed, but got lost somewhere between motley_cue and the feudalAdapter. It seems a state machine should be triggered and it may be regarded as a bug that Internal server error is returned when the target state is deployed and the user is already deployed, so instead of working around this in oidc-ssh, maybe we can restore the working behaviour in motley_cue ;-).
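An added example (not oidc-ssh's, motley_cue's or feudal's code) of the client-side handling the two comments above call for: it takes the body returned by the get_status endpoint, refuses a non-JSON body such as the plain-text "Internal Server Error" instead of letting it pass silently (the jq failure that was not caught), and pulls the username out of the free-text message ("username o_freyermuth") with the string manipulation the comment complains about. The sample bodies are constructed from the responses quoted above; the "not_deployed" state name is assumed, and the deploy endpoint's JSON shape is not shown on this page, so the example does not guess it.

```python
import json
import re


class MotleyCueError(Exception):
    """Raised when a motley_cue answer cannot be turned into a username."""


def parse_status(body: str) -> dict:
    """Parse the body of /user/get_status.

    A non-JSON body (the plain-text 'Internal Server Error' seen above) is
    reported explicitly; this is the case that slipped through jq in oidc-ssh.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        snippet = body.strip()[:60]
        raise MotleyCueError(f"non-JSON response from motley_cue: {snippet!r}") from exc
    if not isinstance(data, dict) or "state" not in data:
        raise MotleyCueError(f"unexpected response shape: {data!r}")
    return data


def username_from_status(body: str) -> str:
    """Return the local username for a user whose state is 'deployed'.

    get_status carries the username only inside the free-text message
    ("username o_freyermuth"), so it has to be extracted with a pattern
    rather than read from a JSON field.
    """
    status = parse_status(body)
    message = str(status.get("message", "")).strip()
    if status["state"] != "deployed":
        raise MotleyCueError(f"user not deployed (state={status['state']!r}): {message}")
    match = re.fullmatch(r"username\s+(\S+)", message)
    if not match:
        raise MotleyCueError(f"cannot find username in message {message!r}")
    return match.group(1)


# Constructed sample bodies, modelled on the responses quoted above.
DEPLOYED_BODY = '{"state":"deployed","message":"username o_freyermuth"}'
ERROR_BODY = "Internal Server Error"
# Assumed state name for an undeployed user (constructed, not from the page).
NOT_DEPLOYED_BODY = '{"state":"not_deployed","message":"no account"}'


def describe(body: str) -> str:
    """One-line verdict per response body, as an ssh wrapper would log it."""
    try:
        return "login as " + username_from_status(body)
    except MotleyCueError as exc:
        return "abort: " + str(exc)


if __name__ == "__main__":
    for body in (DEPLOYED_BODY, ERROR_BODY, NOT_DEPLOYED_BODY):
        print(describe(body))
```

When the same logic is wired into a shell wrapper, the equivalent of the explicit error paths is `set -o pipefail` plus checking jq's exit status, and the curl call should carry a timeout (as the 24 Jan commit adds) so that an unresponsive server fails the login rather than hanging it.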
Peter Wienemann (3c29b01e) at 18 Feb 18:47
oidc-ssh: Suppress error output of "ssh -o NumberOfPasswordPrompts=0"
Peter Wienemann (78d27236) at 18 Feb 18:41
oidc-ssh: Implement suggestions by shellcheck and shfmt
Peter Wienemann (a0c86a52) at 18 Feb 18:24
oidc-ssh: Add target host to known_hosts file if necessary
Peter Wienemann (bc005ff2) at 15 Feb 20:34
oidc-ssh: Address complaints by shellcheck and shfmt
Peter Wienemann (6bdded0a) at 15 Feb 20:26
oidc-ssh: Improve error handling
Oliver Freyermuth (90d8220b) at 14 Feb 15:03
oidc-ssh: Further improve readability.
Oliver Freyermuth (422649f1) at 14 Feb 15:00
oidc-ssh: Improve code safety and fix whitespace issues.
Oliver Freyermuth (d822a061) at 14 Feb 14:29
CI: Select runner with tags "docker" and "shared".
Oliver Freyermuth (c901892a) at 14 Feb 10:44
CI: Add shell formatting check workflow.
Oliver Freyermuth (12df56a1) at 14 Feb 08:51
CI: Fix .gitlab-ci.yml by defining sensible stages.
Oliver Freyermuth (937d5a30) at 14 Feb 08:46
CI: Add simple shellcheck workflow.
Oliver Freyermuth (4010d4d4) at 14 Feb 08:46
oidc-ssh: Move to src/ subdirectory, fix copyright years.
Oliver Freyermuth (d6164832) at 14 Feb 08:33
Initial commit.