Closed Bug 1856960 Opened 2 years ago Closed 2 years ago

mach try --push-to-lando validates the ID token locally instead of the access token

Categories

(Developer Infrastructure :: Try, defect)

Product:
Developer Infrastructure
Component:
Try
Type:
defect

Tracking

(firefox120 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox120 --- fixed

People

(Reporter: gerard-majax, Assigned: sheehan)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1856960: validate the Lando access token expiration manually r?glob,zeid
48 bytes, text/x-phabricator-request
Details | Review

Happened to me this morning, retried several times over ~15 min before giving up and removing $HOME/.mozbuild/lando_auth0_user_token.json which worked (after validating the code). Previous token was acquired yesterday.

estimates: Runs 18 tasks (18 selected, 0 dependencies)
estimates: Total task duration 14:06:59
estimates: In the top 44% of durations
estimates: Should take about 1:20:15 (Finished around 2023-10-04 11:27)
Auth0 token validated.
Using 01abf930014033b2a323982947a0027d248b0a4f as the hg base commit.
Submitting stack of 1 nodes and the try commit.
Patches gathered for submission.
Submitting patches to Lando.
abort: error submitting patches to Lando.
Appropriate token is expired. Please log out and back in.
Blocks: lando-try-push

(i can confirm I had the same issue)

again:

estimates: Runs 18 tasks (18 selected, 0 dependencies)
estimates: Total task duration 14:06:59
estimates: In the top 44% of durations
estimates: Should take about 1:20:15 (Finished around 2023-10-06 17:09)
Auth0 token validated.
Using 461a9c98a535b9896e9d394bdfee72ce90cf7afd as the hg base commit.
Submitting stack of 1 nodes and the try commit.
Patches gathered for submission.
Submitting patches to Lando.
abort: error submitting patches to Lando.
Appropriate token is expired. Please log out and back in.

Thanks to :gerard-majax for the report and sending me their token, I was able to spot the bug. The fix is trivial and I should have a patch up shortly.

We are validating the users ID token locally while Lando validates their access token. The ID token has a longer expiration time than the access token. We just need to switch to validating their access token.

Assignee: nobody → sheehan
Summary: mach try --push-to-lando with validated token refused → mach try --push-to-lando validates the ID token locally instead of the access token

The token verification code path checks the ID token is valid and not expired,
however the ID token and the access token have different expirations, causing
pushes to be rejected by Lando after local verification succeeds. Since
auth0-python doesn't provide an access token verification, we decode the
access token and manually verify the token is not about to expire.

Pushed by cosheehan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8a2ba5840fd6 validate the Lando access token expiration manually r=zeid

https://hg.mozilla.org/mozilla-central/rev/8a2ba5840fd6

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Component: Lando → Try
Product: Conduit → Developer Infrastructure
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: