[develop] check dcv sessions using uid to avoid username truncation

[timfurlong]

Description of changes

• The _is_session_valid function of the DCV authenticator would not work for long usernames. This is because the ps aux command truncates lengthy usernames. For example, the processes started by the dcvextauth user display as dcvexta+ in the ps aux output
• This change fixes the above by querying by UID rather than username

Tests

• test/unit/dcv/test_dcv_authenticator.py mocked out the changed functions with mock_verify_session_existence, and I couldn't think of an easy way to replicate the behavior without actually starting a process using a long username. Suggestions for a better approach to testing this are more than welcome!
• Since automated testing seemed impractical in this case, I went with a manual approach. I started a dcv session using dcv create-session using a user with a long username (14 characters long). I then restarted the dcv authenticator process, and queried it using:

curl --retry 3 --max-time 5 -s -k -X GET -G https://localhost:8444 -d action=requestToken \
        -d authUser=$longusername -d sessionID=$sessionID

Prior to this change, this curl command would result in a timeout.

Checklist

• Make sure you are pointing to the right branch.
• If you're creating a patch for a branch other than develop add the branch name as prefix in the PR title (e.g. [release-3.6]).
• Check all commits' messages are clear, describing what and why vs how.
• Make sure to have added unit tests or integration tests to cover the new/modified code.
• Check if documentation is impacted by this change.

Please review the guidelines for contributing and Pull Request Instructions.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (c03e02b) 76.27% compared to head (7cf285d) 76.55%.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #2472      +/-   ##
===========================================
+ Coverage    76.27%   76.55%   +0.27%     
===========================================
  Files           13       13              
  Lines         1901     1902       +1     
===========================================
+ Hits          1450     1456       +6     
+ Misses         451      446       -5     

Flag	Coverage Δ
unittests	76.55% <100.00%> (+0.27%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[enrico-usai]

here you should use: /usr/bin/id as first argument, see https://bandit.readthedocs.io/en/1.7.5/plugins/b607_start_process_with_partial_path.html

[enrico-usai]

Could you also test by passing shell=True to check_output?
see https://bandit.readthedocs.io/en/1.7.5/plugins/b603_subprocess_without_shell_equals_true.html

[enrico-usai]

Hi @timfurlong thanks for creating this patch!
I think we never faced this issue because DCV is enabled only for default users that have short names (ec2-user, centos, ubuntu).

I left a comment.
Thanks!

[timfurlong]

Hi @timfurlong thanks for creating this patch! I think we never faced this issue because DCV is enabled only for default users that have short names (ec2-user, centos, ubuntu).

I left a comment. Thanks!

Hi @enrico-usai thanks for the feedback! I made a couple of small changes in response to your comment. Please let me know if you'd like to see any other changes.

[timfurlong]

@enrico-usai Just bumping this PR. Can you please approve/merge?

[enrico-usai]

An alternative to define this test and avoid code duplication (e.g. mocking part) is using @pytest.mark.parametrize(, passing sessionid, expected_error as parameters.
You can see test_get_request_token_parameter defined above as an example.