[MGNLSSO-184] Property Expansion in magnolia-sso/config.yaml fails on creation of SSOCallbackServlet
Created: 22/Sep/22  Updated: 24/May/23  Resolved: 08/Dec/22

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: 3.0.0
Fix Version/s: 3.0.1

Type: Bug
Priority: Major
Reporter: Denis Lobo
Assignee: Nguyen Phung Chi
Resolution: Fixed
Votes: 1
Labels: None
Σ Remaining Estimate: Not Specified
Remaining Estimate: Not Specified
Σ Time Spent: 3.75d
Time Spent: 3.75d
Σ Original Estimate: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
Relates
relates to MGNLSSO-265 Possibility to implement custom SsoCo... Closed
documentation
to be documented by DOCU-2728 Update SSO docs re: passing secrets a... Closed
Sub-Tasks:
Key | Summary | Type | Status | Assignee
MGNLSSO-202 | Implementation | Technical task | Completed | Nguyen Phung Chi
MGNLSSO-203 | PiQA | Technical task | Closed |
MGNLSSO-204 | Review | Technical task | Closed | Evzen Fochr
MGNLSSO-205 | QA | Technical task | Closed | Evzen Fochr
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:
Epic Link: SSO support for custom IdPs
Sprint: AdminX 24
Story Points: 2
Team: AdminX
Work Started:

 Description   

Intro:

I'm currently trying to use the recent version of magnolia-sso:3.0.

I followed the instructions in the documentation of the module; however, it seems that property expansion in yaml files (see: https://docs.magnolia-cms.com/product-docs/6.2/Administration/Architecture/Configuration-management.html#_environment_variables) is not working when the SSOCallbackServlet bean is loaded/created.

The module configuration itself seems to work. I also debugged the code and saw that on one occasion the env property is correctly resolved.

But this mechanism does not seem to work when the SSOCallbackServlet is loaded.

Steps to reproduce

  1. Use magnolia-sso:3.0
  2. Create a config.yaml definition in another maven module (filepath: /src/main/resources/magnolia-sso/config.yaml)
  3. Use env properties with !env directive (e.g.)
    1. oidc.discoveryUri: !env ${oidc.discoveryUri}
  4. Provide env prop via IDE or shell
  5. Start magnolia with -Dmagnolia.yaml.envsubst=true as VM option

Expected results

  • SSO-Module is configured correctly
  • SSOCallbackServlet can be created 

Actual results

  • SSO Module seems to be configured correctly (at least no error stacktrace during mgnl-startup)
  • SSOCallbackServlet creation fails with stacktrace (see below)

 

 

2022-09-22 13:15:13,485 INFO  info.magnolia.cms.filters.CompositeFilter         : Initializing filter [Wrapper for DamDownloadServlet servlet]
2022-09-22 13:15:13,486 INFO  info.magnolia.cms.filters.CompositeFilter         : Initializing filter [Wrapper for SSOCallbackServlet servlet]
2022-09-22 13:15:13,487 ERROR info.magnolia.cms.filters.ServletDispatchingFilter: Unable to load servlet class info.magnolia.sso.SsoCallbackServlet : Failed to create instance of [class info.magnolia.sso.SsoCallbackServlet]
info.magnolia.objectfactory.MgnlInstantiationException: Failed to create instance of [class info.magnolia.sso.SsoCallbackServlet]
    at info.magnolia.objectfactory.guice.GuiceComponentProvider.newInstanceWithParameterResolvers(GuiceComponentProvider.java:138) ~[magnolia-core-6.2.20.jar:?]
    at info.magnolia.objectfactory.guice.GuiceComponentProvider.newInstanceWithParameterResolvers(GuiceComponentProvider.java:120) ~[magnolia-core-6.2.20.jar:?]
    at 
 ... //rest omitted 

Caused by: info.magnolia.objectfactory.MgnlInstantiationException: Failed to resolve param [0] of type [class info.magnolia.sso.config.Pac4jConfigProvider]
    at info.magnolia.objectfactory.ObjectManufacturer.resolveParameters(ObjectManufacturer.java:146) ~[magnolia-core-6.2.20.jar:?]
    at info.magnolia.objectfactory.ObjectManufacturer.newInstance(ObjectManufacturer.java:91) ~[magnolia-core-6.2.20.jar:?]
... //rest omitted


Caused by: com.google.inject.ProvisionException: Unable to provision, see the following errors:1) Error injecting constructor, info.magnolia.config.source.yaml.YamlReaderException: YAML parsing error in LayeredResource{path='/magnolia-sso/config.yaml', layeredResources=[ClasspathResource{origin=classpath,path=/magnolia-sso/config.yaml,file}]} at line 22, column 21:
      oidc.discoveryUri: !env ${oidc.discoveryUri}
                         ^: Can't construct a java object for !env; exception=Invalid tag: !env
  at info.magnolia.sso.config.Pac4jConfigProvider.<init>(Pac4jConfigProvider.java:79)
  at info.magnolia.objectfactory.guice.GuiceComponentConfigurationModule.bindImplementation(GuiceComponentConfigurationModule.java:160) (via modules: com.google.inject.util.Modules$OverrideModule -> com.google.inject.util.Modules$OverrideModule -> info.magnolia.objectfactory.guice.GuiceComponentProviderBuilder$1 -> info.magnolia.objectfactory.guice.GuiceComponentConfigurationModule)
  while locating info.magnolia.sso.config.Pac4jConfigProvider

 

Development notes

To me it seems that property expansion is not applied on the latter. My understanding was that property expansion is not working on yaml-decorations, but should work on yaml definitions. AFAIK the config.yaml should be a yaml-definition, right?

Further notes:

  • We are on mgnl 6.2.20, so yaml config instead of microprofile
  • We could successfully use magnolia-sso:2.0.6, but apparently we need the basic auth feature

Feature docu link: https://docs.magnolia-cms.com/product-docs/6.2/Administration/Architecture/Configuration-management.html#_environment_variables

Comment from mgeljic 
interesting, I suppose we could support this via yamlReader#registerCustomConstruct(EnvSubst.TAG, new EnvSubst(...)); since SSO config typically contains client id/secret, env vars are legit and we don't have a more universal solution yet for injecting secrets at runtime. Worth noting that in MP config, env vars are supported ootb


Generated at Mon Feb 12 10:51:53 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.