Expand Up @@ -361,13 +361,17 @@ def _is_session_valid(user, session_id):
# TODO change this method if DCV updates his behaviour.
"""
logger.info("Verifying NICE DCV session validity..")

# Query by uid rather than username to avoid truncation by ps command
uid = subprocess.check_output(["id", "-u", user]).decode("utf-8").strip()
Could you also test by passing shell=True to check_output?
see https://bandit.readthedocs.io/en/1.7.5/plugins/b603_subprocess_without_shell_equals_true.html


# Remove the first and the last because they are the heading and empty, respectively
# All commands and arguments in this subprocess call are built as literals
processes = subprocess.check_output(["/bin/ps", "aux"]).decode("utf-8").split("\n")[1:-1] # nosec B603
processes = subprocess.check_output(["/bin/ps", "aunx"]).decode("utf-8").split("\n")[1:-1] # nosec B603

# Check the filter is empty
if not next(
filter(lambda process: DCVAuthenticator.check_dcv_process(process, user, session_id), processes), None
filter(lambda process: DCVAuthenticator.check_dcv_process(process, uid, session_id), processes), None
):
raise DCVAuthenticator.IncorrectRequestError("The given session does not exists")
logger.info("The NICE DCV session is valid.")
Expand All @@ -377,21 +381,21 @@ def _verify_session_existence(user, session_id):
retry(DCVAuthenticator._is_session_valid, func_args=[user, session_id], attempts=20, wait=1)

@staticmethod
def check_dcv_process(row, user, session_id):
def check_dcv_process(row, uid, session_id):
"""Check if there is a dcvagent process running for the given user and for the given session_id."""
# row example:
# centos 63 0.0 0.0 4348844 3108 ?? Ss 23Jul19 2:32.46 /usr/libexec/dcv/dcvagent --mode full \
# 1000 63 0.0 0.0 4348844 3108 ?? Ss 23Jul19 2:32.46 /usr/libexec/dcv/dcvagent --mode full \
# --session-id mysession
# ubuntu 2949 0.3 0.4 860568 34328 ? Sl 20:10 0:18 /usr/lib/x86_64-linux-gnu/dcv/dcvagent --mode full \
# 2000 2949 0.3 0.4 860568 34328 ? Sl 20:10 0:18 /usr/lib/x86_64-linux-gnu/dcv/dcvagent --mode full \
# --session-id mysession
fields = row.split()
command_index = 10
session_name_index = 14
user_index = 0
uid_index = 0

return (
fields[command_index].endswith("/dcv/dcvagent")
and fields[user_index] == user
and fields[uid_index] == uid
and fields[session_name_index] == session_id
)
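Review bot: The new `id -u` lookup in `_is_session_valid` resolves `id` through PATH and passes `user` directly as an argument, whereas the `ps` call just below it is pinned to `/bin/ps`. The hunk does not show where `user` originates; if it is taken from the authentication request, a value beginning with `-` is parsed by `id` as an option rather than a name. An unknown name also makes `check_output` raise `CalledProcessError` instead of `DCVAuthenticator.IncorrectRequestError`, and depending on what `retry` catches that is either retried 20 times or surfaced as an unhandled error. A passwd lookup without a subprocess avoids all three: `uid = str(pwd.getpwnam(user).pw_uid)`, with `KeyError` mapped to `DCVAuthenticator.IncorrectRequestError`; this needs `import pwd`, and the file's import block is not visible here. `_is_session_valid` starts above the hunk, so any earlier validation of `user` is not visible either.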
