
Handle grpc authentication errors

Open antgamdia opened this issue 2 years ago • 1 comments

Description of the change

As reported at #5295, the axios interceptor handling the logout does not work anymore (because all the requests are handled by the grpc client). This PR is to intercept the auth-related errors to force a programmatic logout.

Benefits

If an auth error happens, we will log the user out.

Possible drawbacks

Maybe we don't want to kick the user out in some points, but we can fine-tune it later.

Applicable issues

  • fixes #5295

Additional information

Problem: I've found some grpc calls NOT returning the proper status code... this forced me to add some ugly workarounds looking for certain keywords to appear to detect a true auth error.

Demo:

[Image: errorsAuth]

WIP as there are still several test cases to fix

antgamdia avatar Sep 02 '22 19:09 antgamdia

Deploy Preview for kubeapps-dev canceled.

Built without sensitive environment variables

Name Link
Latest commit 5469f1df65116622c98097bb0f3fe596d9b95a90
Latest deploy log https://app.netlify.com/sites/kubeapps-dev/deploys/6317cc0e08c68d00080d144c

netlify[bot] avatar Sep 02 '22 19:09 netlify[bot]

To investigate: using goharbor.com chart repo + credentials kicks me out; verify which grpc code we are returning when adding repos. Edit: it happens when the Helm validation returns the response code from the repo, in this case, 401. But we should swallow this 401 and return a proper code instead. 400-alike maybe?

antgamdia avatar Sep 07 '22 16:09 antgamdia

Tested the case, and it is returning a GRPC status 9 (Failed precondition).

grpc-message: Unable to add package repository "asdasda" using the plugin "helm.packages": rpc error: code = FailedPrecondition desc = Failed repository validation: &{401 {"errors":[{"code":"UNAUTHORIZED","message":"UnAuthorized"}]}%0A}
grpc-status: 9

That wraps the HTTP 401 returned by Harbor, indeed.

Maybe we need to process the 401 error in the backend and map it correctly. If it is a 401 that Harbor sends, I would return a grpc status 7 (Permission denied) or 3 (Invalid argument). However, the PERMISSION_DENIED status could be confused with the user not having permissions to perform the operation itself in Kubeapps APIs, which is not the case. We might want to return instead the grpc status 3 (Invalid argument) and specify a more readable message text.

castelblanque avatar Sep 08 '22 10:09 castelblanque
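
The case discussed in this thread, as an added example that is not code from the Kubeapps project: it parses the trailers quoted above and shows that a message-keyword check would force a logout on the wrapped Harbor 401, while a check on the status code alone would not. The function names, the keyword pattern and the choice of UNAUTHENTICATED as the only logout trigger are assumptions made for illustration.

```typescript
// gRPC status codes named in the thread (numeric values per the gRPC spec).
const Code = { INVALID_ARGUMENT: 3, PERMISSION_DENIED: 7, FAILED_PRECONDITION: 9, UNAUTHENTICATED: 16 };

interface GrpcResult { status: number; message: string; }

// Parse "grpc-status" / "grpc-message" lines such as those quoted in the thread.
function parseTrailers(raw: string): GrpcResult {
  const out: GrpcResult = { status: NaN, message: "" };
  for (const line of raw.split("\n")) {
    const i = line.indexOf(":");
    if (i < 0) continue;
    const key = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    if (key === "grpc-status") out.status = Number(value);
    if (key === "grpc-message") {
      // grpc-message is percent-encoded on the wire; tolerate malformed escapes.
      try { out.message = decodeURIComponent(value); } catch { out.message = value; }
    }
  }
  return out;
}

// Hypothetical keyword heuristic, standing in for the workaround the PR describes.
function logoutByKeyword(r: GrpcResult): boolean {
  return /unauthori[sz]ed|unauthenticated|\b401\b/i.test(r.message);
}

// Assumption: only UNAUTHENTICATED means the Kubeapps session itself is invalid.
function logoutByCode(r: GrpcResult): boolean {
  return r.status === Code.UNAUTHENTICATED;
}

// Backend-side mapping suggested in the thread: a 401 from the remote repository
// describes the submitted repo credentials, not the caller's session.
// Other validation failures keep the FailedPrecondition code seen in the thread.
function mapRepoValidationStatus(upstreamHttp: number): number {
  return upstreamHttp === 401 ? Code.INVALID_ARGUMENT : Code.FAILED_PRECONDITION;
}

// Trailers copied from the thread (Harbor 401 wrapped in FailedPrecondition).
const harborCase = parseTrailers(`grpc-message: Unable to add package repository "asdasda" using the plugin "helm.packages": rpc error: code = FailedPrecondition desc = Failed repository validation: &{401 {"errors":[{"code":"UNAUTHORIZED","message":"UnAuthorized"}]}%0A}
grpc-status: 9`);

// Constructed sample: an expired Kubeapps session reported as UNAUTHENTICATED.
const expiredCase = parseTrailers("grpc-status: 16\ngrpc-message: token%20expired");

console.log(logoutByKeyword(harborCase), logoutByCode(harborCase), logoutByCode(expiredCase));
```
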