From 25f6e9c256638e5cb02e076de1283fb870db7445 Mon Sep 17 00:00:00 2001
From: Jeff Ohrstrom
Date: Thu, 21 Nov 2024 10:03:32 -0500
Subject: [PATCH 1/5] correct this env variable and the ondemand.d config key (#3970)
---
 apps/dashboard/config/configuration_singleton.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/dashboard/config/configuration_singleton.rb b/apps/dashboard/config/configuration_singleton.rb
index 68ecff7324..d2788d95bb 100644
--- a/apps/dashboard/config/configuration_singleton.rb
+++ b/apps/dashboard/config/configuration_singleton.rb
@@ -391,8 +391,8 @@ def ood_bc_card_time
 # Returns the number of milliseconds to wait between calls to the system status page
 # The default is 30s and the minimum is 10s.
 def status_poll_delay
- status_poll_delay = ENV['STATUS_POLL_DELAY']
- status_poll_delay_int = status_poll_delay.nil? ? config.fetch(:status_delay, '30000').to_i : status_poll_delay.to_i
+ status_poll_delay = ENV['OOD_STATUS_POLL_DELAY']
+ status_poll_delay_int = status_poll_delay.nil? ? config.fetch(:status_poll_delay, '30000').to_i : status_poll_delay.to_i
 status_poll_delay_int < 10_000 ? 10_000 : status_poll_delay_int
 end
From 7d16de7fc36cb87a1714d4f7fcea76044ac015ea Mon Sep 17 00:00:00 2001
From: Jeff Ohrstrom
Date: Thu, 21 Nov 2024 10:03:45 -0500
Subject: [PATCH 2/5] update changleog for 3.1.7 and 3.1.9 (#3971)
---
 CHANGELOG.md | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 52d3355255..7dcc4b0c47 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
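Review bot: The two `+` lines rename both the environment variable and the config key with no fallback to `STATUS_POLL_DELAY` or `status_delay`, whereas the last commit in this series keeps `ENV['POLL_DELAY']` working for the sessions delay; if the old names ever shipped in a release, a site that set them now silently gets the 30s default. Keeping both spellings until the old one is deprecated would read `status_poll_delay = ENV['OOD_STATUS_POLL_DELAY'] || ENV['STATUS_POLL_DELAY']` and `config.fetch(:status_poll_delay) { config.fetch(:status_delay, '30000') }.to_i`. Separately, `.to_i` maps a malformed value such as `OOD_STATUS_POLL_DELAY=abc` to 0, which the last line of the method clamps to 10s with no warning; `Integer(value, exception: false)` with a fallback to the default would make the typo visible instead of quietly changing the poll rate.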
@@ -8,7 +8,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
 ### Added
-- BatchConnect form labels can now be made dynamic with data-label-* in [3498](https://github.com/OSC/ondemand/pull/3498).
+- BatchConnect form labels can now be made dynamic with data-label-* in [3598](https://github.com/OSC/ondemand/pull/3598).
 - BatchConnect form auto_modules directive can now filter by string or regex in [3574](https://github.com/OSC/ondemand/pull/3574).
 - Saved settings widget in [#3545](https://github.com/OSC/ondemand/pull/3545).
 - BatchConnect cards can now edit and relaunch the session in [3358](https://github.com/OSC/ondemand/pull/3358).
@@ -96,6 +96,36 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 [3627](https://github.com/OSC/ondemand/pull/3627). This prevents the leaking of sensitive environment variables to the job when `copy_environment` is used.
+- The shell app now has several configurations to stop or extend ssh sessions. This is
+ a security issue becuase an ssh session can remain open long after the authentication
+ system has ended that session. I.e., it can go on forever. So, the shell app now
+ disables ping pong by default and has configurations for how long sessions can
+ exist with and without activity in [3810](https://github.com/OSC/ondemand/pull/3815)
+ and [3805](https://github.com/OSC/ondemand/pull/3805).
+## [3.1.10] - 11-07-2024
+### Fixed
+- Fixed Ubuntu 24.04 packaging issue in [3936](https://github.com/OSC/ondemand/pull/3936).
+- MOTD in `md.erb` format should also respond to sanitize_html in [3876](https://github.com/OSC/ondemand/pull/3876).
+## [3.1.9] - 10-08-2024
+### Fixed
+- Support for higher versions of httpd in [3779](https://github.com/OSC/ondemand/pull/3779) and [3852](https://github.com/OSC/ondemand/pull/3852).
+- `ood_auth_map` now accounts for more than just characters in [3779](https://github.com/OSC/ondemand/pull/3779).
+- Uploads always succeed even when the chown operation afterwards fails in [3861](https://github.com/OSC/ondemand/pull/3861).
+- The ood_portal.conf now accounts for /dex (dex_uri) when enabling maintenance mode in [3779](https://github.com/OSC/ondemand/pull/3779).
+### Security
+- The shell app now has several configurations to stop or extend ssh sessions. This is
+ a security issue becuase an ssh session can remain open long after the authentication
+ system has ended that session. I.e., it can go on forever. So, the shell app now
+ disables ping pong by default and has configurations for how long sessions can
+ exist with and without activity in [3815](https://github.com/OSC/ondemand/pull/3815).
 ## [3.1.7] - 06-25-2024
@@ -1443,6 +1473,8 @@ Similar changelog as [3.0.0]. This version was not released to the general publi
 - From 1.3.7 - 1.4.2 updated app versions
 [Unreleased]: https://github.com/OSC/ondemand/compare/v3.1.0...HEAD
+[3.1.10]: https://github.com/OSC/ondemand/compare/v3.1.9...v3.1.10
+[3.1.9]: https://github.com/OSC/ondemand/compare/v3.1.7...v3.1.9
 [3.1.7]: https://github.com/OSC/ondemand/compare/v3.1.4...v3.1.7
 [3.1.4]: https://github.com/OSC/ondemand/compare/v3.1.1...v3.1.4
 [3.1.1]: https://github.com/OSC/ondemand/compare/v3.1.0...v3.1.1
From 063ef433b98ef4cfe503512b7bd0c8ee76f30e81 Mon Sep 17 00:00:00 2001
From: Jeff Ohrstrom
Date: Thu, 21 Nov 2024 10:04:16 -0500
Subject: [PATCH 3/5] ensure CurrentUser is available in ondemand.d files (#3967)
Ensure CurrentUser is available in ondemand.d files by requiring the appropriate libraries.
---
 apps/dashboard/config/configuration_singleton.rb | 1 +
 apps/dashboard/lib/current_user.rb | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/apps/dashboard/config/configuration_singleton.rb b/apps/dashboard/config/configuration_singleton.rb
index d2788d95bb..8957072a86 100644
--- a/apps/dashboard/config/configuration_singleton.rb
+++ b/apps/dashboard/config/configuration_singleton.rb
@@ -1,5 +1,6 @@
 require 'pathname'
 require 'dotenv'
+require_relative '../lib/current_user'
 # Dashboard app specific configuration singleton definition
 # following the first proposal in:
diff --git a/apps/dashboard/lib/current_user.rb b/apps/dashboard/lib/current_user.rb
index 3455e4040a..47e16a4b82 100644
--- a/apps/dashboard/lib/current_user.rb
+++ b/apps/dashboard/lib/current_user.rb
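Review bot: The added `require_relative '../lib/current_user'` line carries no comment saying why a configuration singleton loads a lib class; the reason lives only in the commit message (making `CurrentUser` usable inside the ERB-rendered files under ondemand.d). A one-line why-comment above it, `# loaded here so ondemand.d ERB templates can reference CurrentUser`, would keep a later cleanup from removing what otherwise looks like an unused require.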
@@ -1,5 +1,9 @@
 # frozen_string_literal: true
+require 'etc'
+require 'singleton'
+require 'active_support/core_ext/module/delegation'
+
 # The CurrentUser class represents the current user on the system from Etc.
 # It has a name, a home directory, gid, uid and so on.
 #
From 144f6278173b7bab16960b7d1d3f7cd32f5812d2 Mon Sep 17 00:00:00 2001
From: Jeff Ohrstrom
Date: Thu, 21 Nov 2024 10:04:28 -0500
Subject: [PATCH 4/5] only respond to root owned files (#3969)
---
 apps/dashboard/config/configuration_singleton.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/apps/dashboard/config/configuration_singleton.rb b/apps/dashboard/config/configuration_singleton.rb
index 8957072a86..1d91350275 100644
--- a/apps/dashboard/config/configuration_singleton.rb
+++ b/apps/dashboard/config/configuration_singleton.rb
@@ -436,7 +436,10 @@ def can_access_core_app?(name)
 def read_config
 files = Pathname.glob(config_directory.join("*.{yml,yaml,yml.erb,yaml.erb}"))
- files.sort.each_with_object({}) do |f, conf|
+ files.sort.select do |f|
+ # only resond to root owned files in production.
+ rails_env == 'production' ? File.stat(f).uid.zero? : true
+ end.each_with_object({}) do |f, conf|
 begin
 content = ERB.new(f.read, trim_mode: "-").result(binding)
 yml = YAML.safe_load(content, aliases: true) || {}
From 2eaee28683bba31992fb1427825e921237f9fbca Mon Sep 17 00:00:00 2001
From: Jeff Ohrstrom
Date: Thu, 21 Nov 2024 12:10:00 -0500
Subject: [PATCH 5/5] change this key slightly and an env variable (#3972)
* change this key slightly and an env variable
* give new env var precedence and fix tests
---
 apps/dashboard/config/configuration_singleton.rb | 4 ++--
 .../test/config/configuration_singleton_test.rb | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/apps/dashboard/config/configuration_singleton.rb b/apps/dashboard/config/configuration_singleton.rb
index 1d91350275..9db8aa902c 100644
--- a/apps/dashboard/config/configuration_singleton.rb
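Review bot: The owner check on the `rails_env == 'production' ? File.stat(f).uid.zero? : true` line accepts any root-owned file regardless of its mode, so a root-owned but group- or world-writable file still reaches `ERB.new(f.read, trim_mode: "-").result(binding)` on the context line below, and anyone who can write that file can run code in whatever process loads it; testing `(st.mode & 0o022).zero?` as well closes that gap. The filter is also silent, so an admin whose file ended up owned by the wrong user loses its settings with no hint, and `File.stat` follows symlinks, so a link's own owner is never examined, which is probably acceptable but worth saying in the comment. The comment has a typo (`resond`) and the `cond ? x : true` form reads more plainly as a guard clause. `read_config` continues past the end of the hunk, so the `rescue` paired with the `begin` shown here is not visible.
```ruby
files.sort.select do |f|
  # In production only trust root-owned files that group/other cannot modify:
  # the ERB below is evaluated with `binding`, so a writable file is code execution.
  # Note File.stat follows symlinks, so the link target is what gets checked.
  next true unless rails_env == 'production'
  st = File.stat(f)
  trusted = st.uid.zero? && (st.mode & 0o022).zero?
  warn "#{f}: ignoring config file that is not root-owned or is writable by others" unless trusted
  trusted
end.each_with_object({}) do |f, conf|
  # … unchanged: ERB render, YAML.safe_load, merge into conf …
```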
+++ b/apps/dashboard/config/configuration_singleton.rb
@@ -401,8 +401,8 @@ def status_poll_delay
 # to update the sessions card information.
 # The default and minimum value is 10s = 10_000
 def bc_sessions_poll_delay
- bc_poll_delay = ENV['POLL_DELAY']
- bc_poll_delay_int = bc_poll_delay.nil? ? config.fetch(:sessions_poll_delay, '10000').to_i : bc_poll_delay.to_i
+ bc_poll_delay = ENV['OOD_BC_SESSIONS_POLL_DELAY'] || ENV['POLL_DELAY']
+ bc_poll_delay_int = bc_poll_delay.nil? ? config.fetch(:bc_sessions_poll_delay, '10000').to_i : bc_poll_delay.to_i
 bc_poll_delay_int < 10_000 ? 10_000 : bc_poll_delay_int
 end
diff --git a/apps/dashboard/test/config/configuration_singleton_test.rb b/apps/dashboard/test/config/configuration_singleton_test.rb
index 4aa3ccd231..6ec5f3d4e6 100644
--- a/apps/dashboard/test/config/configuration_singleton_test.rb
+++ b/apps/dashboard/test/config/configuration_singleton_test.rb
@@ -510,7 +510,7 @@ def no_config_env
 test 'bc_sessions_poll_delay reads from config' do
 Dir.mktmpdir do |dir|
 with_modified_env({ OOD_CONFIG_D_DIRECTORY: dir.to_s }) do
- sessions_config = { 'sessions_poll_delay' => '99999' }
+ sessions_config = { 'bc_sessions_poll_delay' => '99999' }
 File.open("#{dir}/sessions_config.yml", 'w+') { |f| f.write(sessions_config.to_yaml) }
 assert_equal(99_999, ConfigurationSingleton.new.bc_sessions_poll_delay)
@@ -523,4 +523,16 @@ def no_config_env
 assert_equal(10_000, ConfigurationSingleton.new.bc_sessions_poll_delay)
 end
 end
+
+ test "bc_sessions_poll_delay respnods to new environment variable" do
+ with_modified_env('OOD_BC_SESSIONS_POLL_DELAY': '30000') do
+ assert_equal(30_000, ConfigurationSingleton.new.bc_sessions_poll_delay)
+ end
+ end
+
+ test "bc_sessions_poll_delay's new variable has precedence over the old" do
+ with_modified_env('OOD_BC_SESSIONS_POLL_DELAY': '30000', POLL_DELAY: '40000') do
+ assert_equal(30_000, ConfigurationSingleton.new.bc_sessions_poll_delay)
+ end
+ end
 end
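Review bot: The `bc_poll_delay = ENV['OOD_BC_SESSIONS_POLL_DELAY'] || ENV['POLL_DELAY']` line keeps the old environment variable working, but the line after it switches the config key from `sessions_poll_delay` to `bc_sessions_poll_delay` with no such fallback, and the test hunk below had to be edited from the old key to keep passing, which suggests existing ondemand.d files using `sessions_poll_delay` will silently drop to the 10s default. Reading both keys, `config.fetch(:bc_sessions_poll_delay) { config.fetch(:sessions_poll_delay, '10000') }.to_i`, would give the config key the same compatibility the environment variable got. As with the other poll delay, `.to_i` turns a non-numeric value into 0 and the clamp on the last line masks it as 10s, so a typo in the setting is never reported. The enclosing class continues outside the hunk.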
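Review bot: The first new test name on the `+ test "..."` lines has a typo, `respnods`, which shows up verbatim in every test report; `test "bc_sessions_poll_delay responds to new environment variable" do` is the intended spelling. Neither new test covers the precedence the method also has to get right between the environment variable and a value in a config file, which the hunk above establishes by checking `bc_poll_delay.nil?` before consulting `config`; a third case that writes `bc_sessions_poll_delay` into a temp config directory, as the `reads from config` test earlier in this file section does, while also setting `OOD_BC_SESSIONS_POLL_DELAY`, would pin that behavior. The test class closes at the final `end` of the hunk, so the rest of the file is not visible here.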