
Conversation

@weizhouapache
Member

Description

This PR fixes #9848

When enable.secure.session.cookie is set to true, the user cannot log in, with the error:
```
    2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) jsessionidFromCookie = node017ygldpe44nub1frmqafsj0qmc18
    2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) session.getId() = node017ygldpe44nub1frmqafsj0qmc18
    2024-10-25T09:03:33,898 ERROR [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) JSESSIONID from cookie is invalid.
```

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

When enable.secure.session.cookie is set to true, the user cannot log in, with the error:
```
    2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) jsessionidFromCookie = node017ygldpe44nub1frmqafsj0qmc18
    2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) session.getId() = node017ygldpe44nub1frmqafsj0qmc18
    2024-10-25T09:03:33,898 ERROR [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) JSESSIONID from cookie is invalid.
```
@weizhouapache
Member Author

@blueorangutan package

@blueorangutan

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@weizhouapache
Member Author

another option could be removing the check completely

```java
// The check as it stood in HttpUtils: the cookie must start with "<session id>."
final String jsessionidFromCookie = HttpUtils.findCookie(cookies, "JSESSIONID");
if (jsessionidFromCookie == null
        || !(jsessionidFromCookie.startsWith(session.getId() + '.'))) {
    s_logger.error("JSESSIONID from cookie is invalid.");
    return false;
}
```

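To make the failing comparison concrete, the following is an added example, not code from this PR or from CloudStack. It runs the check quoted above against the two values from the DEBUG lines in the description (cookie and `session.getId()` are identical, so `startsWith(id + '.')` is false and the login is rejected) and places an illustrative relaxed check beside it that accepts the bare id as well as `<id>.<suffix>` while still rejecting a missing cookie, another session's id, or an id that merely shares a prefix. The relaxed check and the `.node0` suffix are assumptions for illustration; the page records the merged change only as "option 2: check only if jsessionid is not null", and this example does not claim to reproduce it.

```java
import java.util.Arrays;
import java.util.List;

public class JsessionidCheckExample {

    // Values copied from the DEBUG lines quoted in the PR description.
    static final String COOKIE_FROM_LOG = "node017ygldpe44nub1frmqafsj0qmc18";
    static final String SESSION_ID_FROM_LOG = "node017ygldpe44nub1frmqafsj0qmc18";

    /** The check as quoted in the thread: the cookie must start with "<session id>.". */
    static boolean originalCheck(String jsessionidFromCookie, String sessionId) {
        return jsessionidFromCookie != null
                && jsessionidFromCookie.startsWith(sessionId + '.');
    }

    /**
     * Illustrative relaxed check (an assumption, not the merged fix): accept the
     * bare session id as well as "<session id>.<suffix>", but still reject a
     * missing cookie, another session's id, and an id that only shares a prefix.
     */
    static boolean relaxedCheck(String jsessionidFromCookie, String sessionId) {
        if (jsessionidFromCookie == null || sessionId == null) {
            return false;
        }
        return jsessionidFromCookie.equals(sessionId)
                || jsessionidFromCookie.startsWith(sessionId + '.');
    }

    // Fails loudly if a check does not give the outcome we expect for that input.
    private static void expect(boolean actual, boolean wanted, String label) {
        if (actual != wanted) {
            throw new IllegalStateException(label + ": got " + actual + ", wanted " + wanted);
        }
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        // The case from the log: cookie and session id are identical, no '.' suffix,
        // so startsWith(id + '.') is false and the original check rejects the login.
        expect(originalCheck(COOKIE_FROM_LOG, SESSION_ID_FROM_LOG), false, "original, bare id from log");
        expect(relaxedCheck(COOKIE_FROM_LOG, SESSION_ID_FROM_LOG), true, "relaxed, bare id from log");

        // Constructed: an id carrying a worker-name suffix, which both checks accept.
        String extended = SESSION_ID_FROM_LOG + ".node0";
        expect(originalCheck(extended, SESSION_ID_FROM_LOG), true, "original, extended id");
        expect(relaxedCheck(extended, SESSION_ID_FROM_LOG), true, "relaxed, extended id");

        // Constructed: values any version of the check must keep rejecting.
        List<String> bad = Arrays.asList(
                null,                                   // no cookie at all
                "node0abcdefabcdefabcdefabcdefabcdef",  // another session's id
                SESSION_ID_FROM_LOG + "x",              // longer id with the real one as prefix
                SESSION_ID_FROM_LOG.substring(0, 10));  // truncated id
        for (String cookie : bad) {
            expect(originalCheck(cookie, SESSION_ID_FROM_LOG), false, "original rejects " + cookie);
            expect(relaxedCheck(cookie, SESSION_ID_FROM_LOG), false, "relaxed rejects " + cookie);
        }
    }
}
```

Compile and run with `javac JsessionidCheckExample.java && java JsessionidCheckExample`; the point of the negative cases is that whatever relaxation is chosen, the cookie must still be bound to the exact server-side session id, since this check is what ties the browser's JSESSIONID to the authenticated session.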
@weizhouapache weizhouapache added this to the 4.19.2.0 milestone Oct 25, 2024
@codecov

codecov bot commented Oct 25, 2024

Codecov Report

Attention: Patch coverage is 50.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 15.08%. Comparing base (175eed2) to head (e127a71).
Report is 3 commits behind head on 4.19.

Files with missing lines Patch % Lines
utils/src/main/java/com/cloud/utils/HttpUtils.java 50.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               4.19    #9856      +/-   ##
============================================
- Coverage     15.08%   15.08%   -0.01%     
- Complexity    11203    11204       +1     
============================================
  Files          5404     5404              
  Lines        473423   473423              
  Branches      59987    61748    +1761     
============================================
- Hits          71429    71411      -18     
- Misses       394044   394067      +23     
+ Partials       7950     7945       -5     
Flag Coverage Δ
uitests 4.30% <ø> (ø)
unittests 15.80% <50.00%> (-0.01%) ⬇️


@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11444

@weizhouapache
Member Author

@blueorangutan test

@blueorangutan

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian test result (tid-11703)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 43386 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr9856-t11703-kvm-ol8.zip
Smoke tests completed. 133 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@weizhouapache
Member Author

@blueorangutan test

@blueorangutan

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@weizhouapache
Member Author

@blueorangutan package

@blueorangutan

[SF] Trillian Build Failed (tid-11704)

@weizhouapache
Member Author

@blueorangutan package

@blueorangutan

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11453

@weizhouapache
Member Author

@blueorangutan test

@blueorangutan

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian test result (tid-11706)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 45657 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr9856-t11706-kvm-ol8.zip
Smoke tests completed. 133 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@weizhouapache
Member Author

this does not fix a blocker issue, but fixes a regression issue (#9848) of the previous security release.
Maybe we should add it to the next minor releases.
cc @rohityadavcloud @DaanHoogland @borisstoyanov @GutoVeronezi

@DaanHoogland
Contributor

@weizhouapache , a regression should be a BLOCKER for a release, right? especially when it is a new one.
cc @rohityadavcloud @GutoVeronezi @JoaoJandre @borisstoyanov

@JoaoJandre
Contributor

> @weizhouapache , a regression should be a BLOCKER for a release, right? especially when it is a new one. cc @rohityadavcloud @GutoVeronezi @JoaoJandre @borisstoyanov

I agree with @DaanHoogland , we should look to getting this merged into 4.20

@borisstoyanov borisstoyanov marked this pull request as ready for review October 31, 2024 14:08
Contributor

@borisstoyanov borisstoyanov left a comment


cLGTM

@rohityadavcloud rohityadavcloud merged commit 9ae5b6a into apache:4.19 Nov 7, 2024
26 checks passed
@DaanHoogland DaanHoogland deleted the 4.19-fix-invalid-jsessionid-https branch November 7, 2024 10:26
@dataCobra

Hello,

is there a reason this PR didn't get added to the new minor release?

I think this issue is a blocker and not critical.
We are unable to update to any newer version as long as this PR is not added to a release.

Also the issue got marked as blocker but the PR is not.

dhslove pushed a commit to ablecloud-team/ablestack-cloud that referenced this pull request Nov 20, 2024
* utils: fix invalid JSESSIONID cookie in https setup

When enable.secure.session.cookie is set to true, the user cannot log in, with the error:
```
    2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) jsessionidFromCookie = node017ygldpe44nub1frmqafsj0qmc18
    2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) session.getId() = node017ygldpe44nub1frmqafsj0qmc18
    2024-10-25T09:03:33,898 ERROR [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) JSESSIONID from cookie is invalid.
```

* pr9856 option 2: check only if jsessionid is not null

Development

Successfully merging this pull request may close these issues.

4.19.1.2. -> Unable to login with non 2FA users. Error: "JSESSIONID from cookie is invalid."

8 participants