Closed Bug 1453837 Opened 7 years ago Closed 6 years ago

"TypeError: '<' not supported between instances of 'str' and 'int'" in auth backend under Python 3

Categories

(Tree Management :: Treeherder, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: emorley, Assigned: emorley)

References

Details

Attachments

(1 file)

Running this (see https://docs.python.org/2/using/cmdline.html#cmdoption-3): `python -3 -m pytest tests/webapp/api/test_auth.py` Gives: ``` treeherder/auth/backends.py:140: DeprecationWarning: comparing unequal types not supported in 3.x session_expiry_in_ms = min(accesstoken_exp_in_ms, idtoken_exp_in_ms) ``` (Note I'll soon by suppressing the DeprecationWarning in the pytest setup.cfg config, so that will need commenting out first to see it.) Investigating, this is a real bug that is affecting us even under Python 2. Currently the `min()` call will always return `accesstoken_exp_in_ms` (which is an int), and never `idtoken_exp_in_ms` (which is still a string). (Since when comparing a string and int in Python 2, it always returns the int.) When I changed: idtoken_exp_in_ms = user_info['exp'] * 1000 ...to: idtoken_exp_in_ms = int(user_info['exp']) * 1000 The test started failing with an HTTP 400, and the following log output: [2018-04-12 20:52:48,955] WARNING [treeherder.auth.backends:143] Updating session to expire in -1523565868 seconds [2018-04-12 20:52:48,960] ERROR [django.security.SuspiciousOperation:80] The request's session was deleted before the request completed. The user may have logged out in a concurrent request, for example. So it seems that: 1) We're currently never using the ID token expiry at all, even when it was lower 2) We're missing test coverage for ID token 3) The tests we have already might be using incorrect mocked data or else there is a 2nd bug in the ID token expiry handling that is causing the HTTP 400 and `-1523565868 seconds` (for example it looks like we might be confusing relative time deltas with timestamps)
Assignee: nobody → emorley

I found several more bugs whilst looking into this:

  • the tests currently use the wrong value for id token's exp (they use a value like 500 when it should be a unix timestamp)
  • the Django session length is only set when fetching an existing user, and not in the case of creating a new user
  • the presence of the id token header isn't validated
  • several permuatations of invalid id token result in HTTP 500 rather than a 403
  • already expired expiration times can result in a negative Django session length rather than a useful error
  • test coverage is low

I've almost finished a branch that addresses these. Hopefully with that complete, we should be able to start trying out Python 3 on prototype with the aim of landing it soon.

Morphing this to be about just fixing the failures under Python 3, since the scope of fixing the other auth backend issues has increased so worth splitting them out to a separate bug.

Summary: The auth backend ID token expiry handling is broken → "TypeError: '<' not supported between instances of 'str' and 'int'" in auth backend under Python 3
Blocks: 1529223
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: