sources/ldap: clean-up certs written from db #7617
Codecov Report
Attention:
Additional details and impacted files
@@ Coverage Diff @@
## main #7617 +/- ##
==========================================
- Coverage 92.60% 91.17% -1.44%
==========================================
Files 587 587
Lines 29071 29075 +4
==========================================
- Hits 26922 26509 -413
- Misses 2149 2566 +417
Actually I'm not sure if this works as intended, as this would clean up the certificate files while the server connection is still open; I'm not sure if there's any logic in ldap3 that will try to re-connect with the same server where this would cause issues; ideally we'd create the files upon connect and remove them upon disconnect, although that might require a custom ldap3 Server class
I'm running this in my environment - sync works and the temp dir is cleaned up after. At a cursory glance the cert chain is validated upon socket open: https://github.com/cannatag/ldap3/blob/8077d25461bb00ee28232a777f3ecb716b4bb985/ldap3/core/tls.py#L188-L189 so if the socket remains open after
* main: (125 commits)
  sources/ldap: clean-up certs written from db (#7617)
  web: bump the eslint group in /tests/wdio with 1 update (#7635)
  core: compile backend translations (#7637)
  core: bump psycopg from 3.1.12 to 3.1.13 (#7625)
  core: bump ruff from 0.1.5 to 0.1.6 (#7626)
  core: bump twilio from 8.10.1 to 8.10.2 (#7627)
  web: bump the eslint group in /web with 1 update (#7629)
  web: bump the esbuild group in /web with 2 updates (#7630)
  web: bump rollup from 4.4.1 to 4.5.0 in /web (#7631)
  web: bump core-js from 3.33.2 to 3.33.3 in /web (#7633)
  core: bump goauthentik.io/api/v3 from 3.2023103.3 to 3.2023103.4 (#7634)
  web: bump the wdio group in /tests/wdio with 4 updates (#7636)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_TW (#7628)
  root: specify node and python versions in respective config files, deduplicate in CI (#7620)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#7619)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#7618)
  tests: better per-test timeouts (#7612)
  web: bump API Client version (#7613)
  stages/identification: add option to pretend user exists (#7610)
  events: stop spam (#7611)
  ...
Details
Cert based ldap auth introduced in #5850 does not clean-up the temporary certificate files written out from the DB - when running in Kubernetes this eventually fills up /dev/shm and causes the worker to crashloop.

This PR ensures the files are cleaned up in a finally block.

Checklist
- ak test authentik/
- make lint-fix

If an API change has been made
- make gen-build

If changes to the frontend have been made
- make web
- make i18n-extract

If applicable
- make website
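The clean-up pattern the description refers to, as an added example that is not authentik's code: a DB-stored keypair is written to a private temp dir and removed in a `finally` block whether the sync succeeds or raises. The function names, the `connect` callable (standing in for opening the ldap3 TLS connection) and the PEM strings are assumptions constructed for illustration.

```python
import os
import shutil
import tempfile
from contextlib import contextmanager

# Constructed placeholder values, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"


@contextmanager
def materialized_keypair(cert_pem, key_pem, base_dir=None):
    """Write a certificate and key to a private temp dir; always remove it."""
    # mkdtemp creates the directory with mode 0700, readable by the owner only.
    temp_dir = tempfile.mkdtemp(prefix="ldap-certs-", dir=base_dir)
    try:
        paths = []
        for name, pem in (("cert.pem", cert_pem), ("key.pem", key_pem)):
            path = os.path.join(temp_dir, name)
            # O_EXCL refuses a pre-existing file; 0600 keeps the key private.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w", encoding="utf-8") as handle:
                handle.write(pem)
            paths.append(path)
        yield tuple(paths)
    finally:
        # Runs on success and on exception, so repeated syncs cannot
        # accumulate directories on a small tmpfs such as /dev/shm.
        shutil.rmtree(temp_dir, ignore_errors=True)


def run_sync(cert_pem, key_pem, connect, base_dir=None):
    """Hypothetical sync step: `connect` must load the files before returning."""
    with materialized_keypair(cert_pem, key_pem, base_dir) as (cert, key):
        # The files exist only inside this block. Anything that re-reads
        # them later (for example a reconnect) has to happen in here too.
        return connect(cert, key)


def leftover_dirs(base_dir):
    """List temp dirs that survived, to check for leaks in tests or monitoring."""
    return sorted(d for d in os.listdir(base_dir) if d.startswith("ldap-certs-"))
```
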