Conversation

@svonworl
Contributor

@svonworl svonworl commented May 1, 2025

Description
This PR fixes a NullPointerException due to a missing null check in SamPermissionsImpl.canDoAction. The exception is thrown when an unauthenticated request is made to the Zip generation endpoint for an unpublished HOSTED workflow. We get there because WorkflowResource overrides canRead to add the permissionsImpl (SAM) checks, wherein the flaw is located.

Note that you can't reproduce this on qa, and that the problem only happens for HOSTED workflows.

How did the user trigger this? Per the logs, my best theory is that the user had copied the download link from the UI, and, days later, pasted it into their browser. We can tell that the user wasn't using the dockstore UI when the 500 occurred, because in the logged diagnostic info, the x-session-id-fingerprint is null.

I suspect that this PR also fixes https://ucsc-cgl.atlassian.net/browse/SEAB-6939

For some still-valid (IMHO) recommendations about the architecture of the auth code, see the longest paragraph in this PR description (of yore):
#4989

Review Instructions
On staging, via the API, try to download a Zip for an unpublished HOSTED workflow, as an unauthenticated user (no token), and confirm that you get a proper non-500 error response.

Issue
https://ucsc-cgl.atlassian.net/browse/SEAB-7134

Security and Privacy

If there are any concerns that require extra attention from the security team, highlight them here and check the box when complete.

  • Security and Privacy assessed

e.g. Does this change...

  • Any user data we collect, or data location?
  • Access control, authentication or authorization?
  • Encryption features?

Please make sure that you've checked the following before submitting your pull request. Thanks!

  • Check that you pass the basic style checks and unit tests by running mvn clean install
  • Ensure that the PR targets the correct branch. Check the milestone or fix version of the ticket.
  • Follow the existing JPA patterns for queries, using named parameters, to avoid SQL injection
  • If you are changing dependencies, check the Snyk status check or the dashboard to ensure you are not introducing new high/critical vulnerabilities
  • Assume that inputs to the API can be malicious, and sanitize and/or check for Denial of Service type values, e.g., massive sizes
  • Do not serve user-uploaded binary images through the Dockstore API
  • Ensure that endpoints that only allow privileged access enforce that with the @RolesAllowed annotation
  • Do not create cookies, although this may change in the future
  • If this PR is for a user-facing feature, create and link a documentation ticket for this feature (usually in the same milestone as the linked issue). Style points if you create a documentation PR directly and link that instead.
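The control flow the description walks through, as an added Java sketch that is not Dockstore's code: every class and method name here (User, Workflow, SamPermissions, canRead, checkRead, WebException) is a hypothetical stand-in. It shows the SAM check treating a missing principal as a denial, so an unauthenticated request ends in a 401/403 response instead of a NullPointerException surfacing as a 500.

```java
// Added illustration, not Dockstore's code: all names below are hypothetical
// stand-ins for the canRead -> SamPermissionsImpl.canDoAction path the PR describes.
public class AuthzNullPrincipalExample {
    record User(String id) {}
    record Workflow(String ownerId, boolean published, boolean hosted) {}

    // Raised by the resource layer; status is the HTTP code the client sees.
    static class WebException extends RuntimeException {
        final int status;
        WebException(int status, String msg) { super(msg); this.status = status; }
    }

    static class SamPermissions {
        // Before: dereferences the principal directly, so an unauthenticated
        // caller (user == null) throws NullPointerException -> HTTP 500.
        boolean canDoActionUnsafe(User user, Workflow w) {
            return user.id().equals(w.ownerId());
        }
        // After: an absent principal is "not permitted", never an exception.
        boolean canDoAction(User user, Workflow w) {
            if (user == null) {
                return false;
            }
            return user.id().equals(w.ownerId());
        }
    }

    // Published entries are readable by anyone; unpublished HOSTED entries fall
    // through to the fail-closed SAM check, mirroring the overridden canRead.
    static boolean canRead(SamPermissions sam, User user, Workflow w) {
        return w.published() || (w.hosted() && sam.canDoAction(user, w));
    }

    // Resource layer: a denial becomes 401 (no credentials) or 403 (wrong user),
    // so the failure mode is a proper error response rather than a 500.
    static void checkRead(SamPermissions sam, User user, Workflow w) {
        if (!canRead(sam, user, w)) {
            throw new WebException(user == null ? 401 : 403, "cannot read workflow");
        }
    }

    public static void main(String[] args) {
        SamPermissions sam = new SamPermissions();
        Workflow unpublishedHosted = new Workflow("alice", false, true);
        try {
            checkRead(sam, null, unpublishedHosted); // unauthenticated Zip download
        } catch (WebException e) {
            System.out.println("HTTP " + e.status + ": " + e.getMessage());
        }
    }
}
```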

@svonworl svonworl self-assigned this May 1, 2025
@svonworl svonworl changed the base branch from develop to release/1.17.0 May 1, 2025 06:47
@svonworl svonworl requested review from denis-yuen and kathy-t May 1, 2025 07:03
@codecov

codecov bot commented May 1, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.19%. Comparing base (64dfeaf) to head (95c41a3).
Report is 1 commits behind head on release/1.17.0.

Additional details and impacted files
@@                 Coverage Diff                  @@
##             release/1.17.0    #6106      +/-   ##
====================================================
- Coverage             74.23%   74.19%   -0.04%     
+ Complexity             5662     5660       -2     
====================================================
  Files                   389      389              
  Lines                 20326    20328       +2     
  Branches               2099     2100       +1     
====================================================
- Hits                  15088    15082       -6     
- Misses                 4236     4244       +8     
  Partials               1002     1002              
Flag                                    Coverage   Δ
bitbuckettests                          25.94%     <0.00%> (-0.01%) ⬇️
hoverflytests                           27.62%     <0.00%> (-0.01%) ⬇️
integrationtests                        56.09%     <0.00%> (-0.01%) ⬇️
languageparsingtests                    10.82%     <0.00%> (-0.01%) ⬇️
localstacktests                         21.34%     <0.00%> (-0.01%) ⬇️
regressionintegrationtests              ?
toolintegrationtests                    29.90%     <0.00%> (-0.01%) ⬇️
unit-tests_and_non-confidential-tests   26.30%     <100.00%> (+<0.01%) ⬆️
workflowintegrationtests                37.36%     <0.00%> (-0.01%) ⬇️


@sonarqubecloud

sonarqubecloud bot commented May 1, 2025

@denis-yuen
Member

How did the user trigger this? Per the logs, my best theory is that the user had copied the download link from the UI, and, days later, pasted it into their browser. We can tell that the user wasn't using the dockstore UI when the 500 occurred, because in the logged diagnostic info, the x-session-id-fingerprint is null.

Hmmm, the warning is from Google Search Console indicating that it was crawled. Maybe someone had the link in documentation or something? There's only the one, which is a little odd. Alternatively, maybe the crawl takes a certain amount of time and someone unpublished halfway through.


@svonworl svonworl merged commit 46de46a into release/1.17.0 May 1, 2025
23 of 24 checks passed
@svonworl svonworl deleted the feature/seab-7134/fix-auth-500 branch May 1, 2025 18:06