issue with swift authtoken cached in db when copying database to testing sites #627

Open
danmarsden opened this issue Aug 21, 2024 · 0 comments

Comments

@danmarsden
Member

In the scenario where a production site and testing site point at the same Swift object store, the testing site is typically given access using a read-only user account (using forced config settings or other processes), different from the user account configured in prod.

The access token "openstack_authtoken" is cached at the db layer though, so there's a short period of time when the restored site has access to that "token", providing full write access over the object storage container. This would allow the testing site to both store stuff in object storage and (if configured) delete stuff from object storage, which should not be possible.

We should improve the handling of this cache so that if the site-url changes, the token is no longer valid and gets cleared.

Relevant code for this is around here:
https://github.com/catalyst/moodle-tool_objectfs/blob/MOODLE_402_STABLE/classes/local/store/swift/client.php#L76

One idea: when a token is generated, store the user that generated that token in a separate config item. Then, when using the token again, check that the value stored in tool_objectfs | openstack_username matches the value stored in the new config item, and if it doesn't, clear the authtoken.

There are probably other approaches that might work too.
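
One way to implement the binding idea from the issue above, covering both the site-URL change and the username check. This is an added example, not part of the original post or the plugin's own code; `ConfigStore`, the `openstack_authtoken_binding` item and the function names are hypothetical, and the URLs, usernames and token are constructed.

```php
<?php
// Added example. ConfigStore is a hypothetical in-memory stand-in for the
// tool_objectfs plugin config, which Moodle keeps in the database.
final class ConfigStore {
    private array $rows = [];
    public function get(string $name): ?string { return $this->rows[$name] ?? null; }
    public function set(string $name, string $value): void { $this->rows[$name] = $value; }
    public function remove(string $name): void { unset($this->rows[$name]); }
}

// Fingerprint of the context a token was issued in: site URL plus Swift user.
function token_binding(ConfigStore $cfg, string $wwwroot): string {
    return hash('sha256', $wwwroot . "\n" . (string) $cfg->get('openstack_username'));
}

// Call after a successful authentication: cache the token with its binding.
// 'openstack_authtoken_binding' is a hypothetical new config item.
function cache_token(ConfigStore $cfg, string $wwwroot, string $token): void {
    $cfg->set('openstack_authtoken', $token);
    $cfg->set('openstack_authtoken_binding', token_binding($cfg, $wwwroot));
}

// Return the cached token only if it was issued for this site URL and user.
// A missing or mismatched binding clears the token so the caller must
// authenticate again with the credentials configured on this site.
function get_cached_token(ConfigStore $cfg, string $wwwroot): ?string {
    $token = $cfg->get('openstack_authtoken');
    if ($token === null) {
        return null;
    }
    $stored = $cfg->get('openstack_authtoken_binding');
    if ($stored === null || !hash_equals(token_binding($cfg, $wwwroot), $stored)) {
        $cfg->remove('openstack_authtoken');
        $cfg->remove('openstack_authtoken_binding');
        return null;
    }
    return $token;
}

// Constructed scenario: prod caches a token, then its database is restored
// onto a testing site whose forced config selects a read-only user.
$prod = new ConfigStore();
$prod->set('openstack_username', 'prod-rw');                    // constructed
cache_token($prod, 'https://prod.example.org', 'constructed-token');
var_dump(get_cached_token($prod, 'https://prod.example.org'));  // same site, same user
$test = clone $prod;                                            // the database copy
$test->set('openstack_username', 'test-ro');                    // constructed
var_dump(get_cached_token($test, 'https://test.example.org'));  // binding checked here
var_dump($test->get('openstack_authtoken'));                    // cache state afterwards
```

Treating a missing binding as a mismatch also covers a token that was cached before the binding item existed.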
