fix(sagemaker): singleton window bug#8385
Conversation
|
⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done |
|
|
✅ I finished the code review, and didn't find any security or code quality issues. |
| const hyperPodEnv: NodeJS.ProcessEnv = { | ||
| AWS_REGION: region, | ||
| SESSION_ID: session || '', | ||
| SESSION_ID: hostname || '', |
There was a problem hiding this comment.
why can't this be session?
There was a problem hiding this comment.
hostname also uses session but session is randomly generated in the presigned url and this is what's causing a new external window to be opened when the user tries to connect to the workspace.
After discussing with @edwardps, we decided to use a deterministic unique identifier for the hostname instead
| if (domain === '' && eksClusterArn) { | ||
| const { accountId, region, clusterName } = parseEKSClusterArn(eksClusterArn) | ||
| connectionType = 'sm_hp' | ||
| session = `${workspaceName}_${namespace}_${clusterName}_${region}_${accountId}` |
There was a problem hiding this comment.
${workspaceName}_${namespace}
Please check the naming convention(limits) to confirm the characters allow by k8s can be accepted as ssh hostname.
There was a problem hiding this comment.
Added k8s naming convention validation
There was a problem hiding this comment.
Added k8s naming convention validation
This is not to validation if it's k8s compliant. The comment is about if there is any letters allowed by k8s by not allowed by ssh as a ssh hostname.
There was a problem hiding this comment.
misunderstood the ask. corrected to validate if session is compliant with ssh
aws-ajangg
force-pushed
the
fix-singleton-window-bug
branch
from
83cf892 to
9ec8341
Compare
aws-ajangg
force-pushed
the
fix-singleton-window-bug
branch
from
9ec8341 to
b025fb0
Compare
| let connectionType = 'sm_dl' | ||
| if (domain === '') { | ||
| if (!domain && eksClusterArn && workspaceName && namespace) { | ||
| const { accountId, region, clusterName } = parseEKSClusterArn(eksClusterArn) |
There was a problem hiding this comment.
nit - can you use parseArn instead ? may need to import @aws-sdk/util-arn-parser
|
Any testing or unit tests ? Can you update description if done already |
aws-ajangg
force-pushed
the
fix-singleton-window-bug
branch
from
0a9e8db to
d851720
Compare
|
@aakashmandavilli96 |
| ): string { | ||
| const sanitize = (str: string): string => | ||
| str | ||
| .replace(/[^a-zA-Z0-9.-]/g, '-') |
There was a problem hiding this comment.
if capital case will cause issue, should we keep hostname all lower case?
There was a problem hiding this comment.
ssh hostname naming convention is case-insensitive but keeping it lowercase-only is also a safe approach. reverted sanitation to use lower case characters only
| str | ||
| .replace(/[^a-zA-Z0-9.-]/g, '-') | ||
| .replace(/^-+|-+$/g, '') | ||
| .substring(0, 50) |
There was a problem hiding this comment.
which attribute could exceed 50? if it's truncated, does that break our logic?
There was a problem hiding this comment.
workspaceName, namespace, and clusterName could exceed 50. I adjusted limits for each attribute based on the max allotted characters per attribute
const components = [
sanitize(workspaceName, 63), // K8s limit
sanitize(namespace, 63), // K8s limit
sanitize(clusterName, 63), // HP cluster limit
sanitize(region, 16), // Longest AWS region limit
sanitize(accountId, 12), // Fixed
].filter((c) => c.length > 0)
// Total: 63 + 63 + 63 + 16 + 12 + 4 separators + 3 chars for hostname header = 224 < 253 (max limit)
|
|
||
| const session = components | ||
| .join('_') | ||
| .substring(0, 253) |
There was a problem hiding this comment.
Seems the account could be truncated when length is > 253. Is hostname used as unique string or used to carry over the information e.g. for reconnecting?
There was a problem hiding this comment.
hostname is used as a unique string. with the adjustment of character allotment, no attribute will be truncated
| const modifiedUrl = url.toString() | ||
| getLogger().info(`Connection Type: ${connectionType}`) | ||
| getLogger().info(`Modified Presigned URL: ${modifiedUrl}`) | ||
| return { type: connectionType || 'vscode-remote', url: modifiedUrl } |
There was a problem hiding this comment.
nit: why is the URL parsing and string conversion necessary? if so, can we add try and catch for URL parsing of presignedURL?
There was a problem hiding this comment.
URL parsing is necessary because previously the eks cluster name from the eksClusterArn was used as an attribute to create a unique identifier for each session. However, the eks cluster name exceed the max char limit which was at risk of being truncated and might affect other cases like reconnect. After discussing with team, a decision was made to use the hyperpod cluster name from the clusterArn which has a satisfied the max limit.
the url string conversion is necessary in order to parse the attributes in the presigned url. without the conversion, a url object would be returned and cause a type error
URL parsing and string conversion already exist in try/catch. Are you suggesting to add another try catch inside the existing one?
| const { accountId, region, clusterName } = parseArn(clusterArn) | ||
| connectionType = 'sm_hp' | ||
| session = `${workspaceName}_${namespace}_${clusterName}_${region}_${accountId}` | ||
| if (!isValidSshHostname(session)) { |
There was a problem hiding this comment.
nit: avoid nested if
const sessionCandidate = `${workspaceName}_${namespace}_${clusterName}_${region}_${accountId}`;
session = isValidSshHostname(sessionCandidate)
? sessionCandidate
: createValidSshSession(workspaceName, namespace, clusterName, region, accountId);
There was a problem hiding this comment.
nested if has been refactored
|
|
||
| getLogger().info(`Connection Type: ${connectionType}`) | ||
| getLogger().info(`Presigned URL: ${presignedUrl}`) | ||
| const url = new URL(presignedUrl) |
There was a problem hiding this comment.
nit:
What if presignedUrl is undefined ? I know we catch the error but I think this will be to generic.
There was a problem hiding this comment.
added safeguard to throw specific error if presignedUrl is undefined
| } | ||
| } | ||
|
|
||
| function parseArn(arn: string): { accountId: string; region: string; clusterName: string } { |
There was a problem hiding this comment.
can we add tests for these utils?
There was a problem hiding this comment.
tests are added to another pr with unit tests
There was a problem hiding this comment.
tests are added to another pr with unit tests
TODO
8 participants
Problem
Solution
Notes
feature/xbranches will not be squash-merged at release time.