Backport cookie splitter #1662
Backport cookie splitter #1662
Conversation
Signed-off-by: Jochen Kressin <[email protected]>
…n set within the current request Signed-off-by: Jochen Kressin <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## 1.x #1662 +/- ##
=======================================
Coverage 72.48% 72.48%
=======================================
Files 88 88
Lines 1926 1926
Branches 251 246 -5
=======================================
Hits 1396 1396
Misses 474 474
Partials 56 56 ☔ View full report in Codecov by Sentry. |
|
The fix has been tested with OS version 1.3.12 and the cookie is successfully split into multiple cookies when the size of the cookie is too large. See the successful cookie splitting in the image below: The Jest integration test can be found here: 2b49375, it appears to have been moved but I would like to get feedback from the team at this point, As the issue is fixed and tests have been wrote, opinions on how to proceed would be favoured. This PR is ready to be moved from Draft into Ready to get feedback on the changes. |
@leanneeliatra is there anything in particular that you were looking for? |
Thank you @DarshitChanpura, yes just guidance really. Can this issue be backported and merged now given I have confirmed it's working and the selenium tests were updated (as linked) or do we need to add more coverage? I'm not sure if what has been done is sufficient as the test was updated. Or is there a need to get all checks passing above for merging. Thanks. |
|
@leanneeliatra What's blocking this PR is passing integ tests. I believe that 1.x hasn't gotten the same fix that 1.3 has yet. This line may need to be added to 1.x. Can you push a commit to add that line in this PR? |
Hi @cwperks thank you, that is done! |
|
Hopefully this will now be ready to be merged & complete the backport process. |
|
@leanneeliatra Looks like the 1.x branch is out of sync and needs to be version bumped. In the security repo, the 1.x branch is given version 1.4 even if it will never be released. Should this repo also point to 1.4.0.0? |
|
@leanneeliatra I opened up a PR to update the 1.x branch: #1688 |
|
Thanks a million Craig for creating the a PR to update the 1.x branch: #1688 Do you mean for this Or, do you mean I should ensure these changes run locally on 1.4.0.0? I tested this on |
|
@leanneeliatra According to the branching strategy of opensearch, the 1.x is a branch that's supposed to be ready for release at any moment for the 1.x line even if there are no planned releases. The last released 1.x minor version was 1.3 which means that 1.x should point to 1.4. The security plugin's build.gradle file in 1.x points to 1.4. Its unrelated to the changes in this PR, but it may have been missed because the version increment automation did not exist at the time that 1.3 was released. |
Okay thank you @cwperks thanks for the references. So from reading I think a solution here would be to rebase off 1.x? To ensure all changes from 1.4 are included? Does that sound correct? |
|
The integ tests are experiencing a new error. Edit: nvm, it is showing on the latest run of 1.3 too: https://github.com/opensearch-project/security-dashboards-plugin/actions/runs/7036213187/job/19148332875 |
|
From what I can see on that PR [1.3] Bump debug and browserify-sign dependencies #1674 the checks seem to be okay? So I think I should address the CI in my own PR and make the edit suggested |
Should I fix the error locally @cwperks? Thanks |
|
@leanneeliatra I don't think that is the culprit I think it is more likely: |
|
FYI The CI check failures are an issue that need to be resolved. There is a difference between 1.3 and 2.x/main that explains the CI failures. In 1.3, The Edit: Opened a PR that incorporates the changes needed from the multiauth PR: #1702 |
Signed-off-by: Jochen Kressin <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
|
Hi @cwperks, I've been trying to wrap my head around the issue here, and while testing locally I stumbled on an alternative solution that does not require multiple changes related to the init method. I realized that in the tests on the 2.x branch we don't really care about what happens in the init method. Then, just to add a little bit more context to the test, I run I figured this way, we don't have to refactor a bunch of code just to make the tests play nice. The tests for OpenId and SAML now run through locally, but I think there were some updates from your PR that may still need to be merged here, e.g. "Stabilize SAML integ test on 1.3". So any advice on that would be appreciated. |
Signed-off-by: Jochen Kressin <[email protected]>
|
The integration tests ran through before the last linting commit. I think the one integration test that failed on this run is the one that you've stabilized in your PR. Can I just merge that branch into this PR? |
Looks good to me and it minimizes the amount of changes on the 1.x line. The only argument I can think of backporting the portion of |
Signed-off-by: Craig Perkins <[email protected]>
|
Thanks for the response @cwperks, and sorry for interrupting the holidays. |
| @@ -48,7 +48,7 @@ runs: | |||
| - id: branch-switch-if-possible | |||
| continue-on-error: true # Defaults onto main if the branch switch doesn't work | |||
| if: ${{ steps.osd-version.outputs.osd-version }} | |||
| run: git checkout ${{ steps.osd-version.outputs.osd-version }} || git checkout ${{ steps.osd-version.outputs.osd-x-version }}x | |||
| run: git checkout 1.3.14 || git checkout ${{ steps.osd-version.outputs.osd-version }} || git checkout ${{ steps.osd-version.outputs.osd-x-version }}x | |||
There was a problem hiding this comment.
why hardcode: git checkout 1.3.14?
There was a problem hiding this comment.
I'm not sure, and maybe that one should go. I cherry picked that commit from Craig's PR, but maybe that was more of a PoC? Without it, the tests would not run, although I can't remember what the error was.
@cwperks Do you know if this was a temporary fix, and what the alternative should be?
There was a problem hiding this comment.
If I remember correctly, this was added temporarily because the 1.x branch was stale and #1688 was not merged yet. Since the branch was stale, it was trying to check out an older patch release of OSD core so I added this line in.
There was a problem hiding this comment.
Hi @DarshitChanpura is the comment you were awaiting addressed above please, just checking? Thank you.
There was a problem hiding this comment.
This line should be removed then I think since the branch is not longer stale.
DarshitChanpura
dismissed
their stale review
waiting for a comment to be addressed.
|
@jochen-kressin @leanneeliatra Would you need any help from the maintainers to get this through? |
I can make that change @DarshitChanpura, hopefully then we are good to go. cc fyi @jochen-kressin Thank you for the prod. |
…on callout. Signed-off-by: [email protected] <[email protected]>
|
@DarshitChanpura that change is now complete. |
|
CI will be unblocked post merge of #1698 |
|
@leanneeliatra @jochen-kressin The CI for 1.x is blocked currently pending 1.4.0 artifact builds to run. Can we rebase this to 1.3 and get it merged there directly? and then forward-port it to 1.x if needed? cc: @cwperks |
|
Backport to 1.3.x was done in #1831 |
|
Closing this PR as it will be covered via: #1752 |
Description
This Pull Request backports cookie-splitter functionality together with later regression fixes to 1.x branch of Security Plugin.
Category
Maintenance
Backport - Distributing main branch features to other living branches
Why these changes are required?
It was a response to a user's demand
What is the old behavior before changes and new behavior after changes?
If the user was granted a large number of roles (>100), their size of the cookie could pass the upper limit defined by the browsers (4093 bytes). This PR solves the issue by splitting them in multiple cookie values.
Described in details in the 1352 - The original cookie splitting PR
Issues Resolved
It's a backport.
Related Issues:
Related PRs:
Testing
Backported functionality comes with the tests
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.