Univention Bugzilla – Bug 52443
Remove expired session from SAML cache
Last modified: 2021-01-26 12:01:23 CET
When a session has expired, pysaml2 doesn't automatically remove sessions from its cache. We should do this manually when we detect that the session has expired.
univention-management-console.yaml
548722752eab | YAML Bug #52371, Bug #52443, Bug #52442, Bug #52444, Bug #52293, Bug #52272

univention-management-console (11.0.5-24)
d41af8466a9c | Bug #52443: Remove expired sessions from saml cache
A "DBNotFoundError" kills the notifier main loop, and the communication between umc-web-server and umc-server breaks as a consequence.

I can reproduce this with the 90_ucsschool/25_room_management_module.py test (it currently throws a traceback which I wanted to debug in the first place).

Call the test.
Wait for two "session 'xxx' timed out" messages for the same session id.
The second call to "SAML.SP.local_logout(..." in "on_logout()" throws the "DBNotFoundError".

Do you have an idea why the session was timed out twice? Anyway, we should except that error.
The related stack trace was:

Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-web-server", line 414, in on_logout
    SAML.SP.local_logout(decode_name_id(self.saml.name_id))
  File "/usr/lib/python2.7/dist-packages/saml2/client.py", line 266, in local_logout
    self.users.remove_person(name_id)
  File "/usr/lib/python2.7/dist-packages/saml2/population.py", line 56, in remove_person
    self.cache.delete(name_id)
  File "/usr/lib/python2.7/dist-packages/saml2/cache.py", line 37, in delete
    del self._db[code(name_id)]
  File "/usr/lib/python2.7/shelve.py", line 136, in __delitem__
    del self.dict[key]
  File "/usr/lib/python2.7/bsddb/__init__.py", line 288, in __delitem__
    _DeadlockWrap(wrapF)  # del self.db[key]
  File "/usr/lib/python2.7/bsddb/dbutils.py", line 68, in DeadlockWrap
    return function(*_args, **_kwargs)
  File "/usr/lib/python2.7/bsddb/__init__.py", line 287, in wrapF
    del self.db[key]
DBNotFoundError: (-30988, 'BDB0073 DB_NOTFOUND: No matching key/data pair found')

Fixed 3 aspects:
1. when a timer raises an exception, the UMC-Webserver should crash instead of hang forever
2. handle errors when removing SAML sessions, log as warning
3. the cause was that a new User instance was created, which replaced the current session without removing the old timer.

univention-management-console (11.0.5-25)
674aad933cbe | Bug #52273: debian/changelog
4fd4f29413c1 | Bug #52273: handle exception when SAML session does not exists
a0dcc76c9761 | Bug #52273: fix duplicated timer execution
b58ab4d16f67 | Bug #52273: stop cherrypy correctly when exception in notifier loop happens
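A minimal model of the double timeout and of fixes 2 and 3 from the comment above, as an added example that is not UCS or pysaml2 code. The `Cache`, `Timer` and `Sessions` classes, the `simulate` helper and the sample ids are hypothetical stand-ins; `KeyError` plays the role of `DBNotFoundError`, and timers are fired by hand instead of by the notifier loop.

```python
import logging

class Cache:
    """Stand-in for the on-disk SAML cache; a missing key raises on delete."""
    def __init__(self):
        self.db = {}
    def delete(self, name_id):
        del self.db[name_id]  # KeyError plays the role of DBNotFoundError

class Timer:
    def __init__(self, callback):
        self.callback, self.active = callback, True

class Sessions:
    def __init__(self, cache, hardened):
        self.cache, self.hardened = cache, hardened
        self.timers, self.current = [], {}  # all timers; session id -> timer

    def login(self, session_id, name_id):
        old = self.current.get(session_id)
        if old is not None and self.hardened:
            old.active = False  # fix 3: a replaced session drops its old timer
        self.cache.db[name_id] = "session-info"
        timer = Timer(lambda: self.on_logout(name_id))
        self.current[session_id] = timer
        self.timers.append(timer)

    def on_logout(self, name_id):
        try:
            self.cache.delete(name_id)
        except KeyError:
            if not self.hardened:
                raise  # original behaviour: the error reaches the main loop
            # fix 2: a session that is already gone is only worth a warning
            logging.getLogger(__name__).warning("SAML session %r already removed", name_id)

    def expire_all(self):
        """Fire every active timer once, as the main loop does on timeout."""
        fired = 0
        for timer in self.timers:
            if timer.active:
                timer.active = False
                timer.callback()
                fired += 1
        return fired

def simulate(hardened):
    sessions = Sessions(Cache(), hardened)
    sessions.login("sess-1", "name-id-1")  # constructed sample values
    sessions.login("sess-1", "name-id-1")  # new instance replaces the session
    return sessions.expire_all(), sessions.cache.db
```

With `hardened=False` the second timer fires against an already deleted entry and the exception propagates; with `hardened=True` only one timer fires and the cache ends up empty.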
What I tested:
Upgrade -> OK
Login -> OK
Login SAML -> OK
users/user -> OK
portal login -> OK
portal edit -> OK
jenkins -> OK
session is removed from on disk db -> OK
A traceback in the notifier loop now stops the server and prints the tb -> OK, it's the little things that make life easier :)
Merge 5.0 -> OK
YAML -> OK

I added a test for the session timeout:
[4.4-7 580245d292] Bug #52443: add 82_saml/07_umc_session_timeout
<https://errata.software-univention.de/#/?erratum=4.4x848>