Error validating group membership #238

Closed
mcfearsome opened this issue Aug 7, 2019 · 6 comments

@mcfearsome
Contributor

Describe the bug
I had group validation working in the v1.2 tag, but upon switching to latest and adjusting my configuration, everything is working except the fetching of groups it seems.

To Reproduce
Update to latest from v1.2 and adjust sso-auth config as found in the comments on #212
As a side note it seems like the configuration between auth and proxy has drifted a bit.

Relevant logs:

{"allowed_groups":["[email protected]"],"level":"info","msg":"validating groups","service":"sso-proxy","time":"2019-08-07 00:42:22.818","user":"[email protected]"}
{"level":"info","msg":"couldn't fetch user groups","remote_address":"68.81.187.115","service":"sso-proxy","time":"2019-08-07 00:42:27.819","user":"[email protected]"}
{"http_status":500,"level":"info","msg":"error page","page_message":"Error validating group membership, please try again","page_title":"Internal Error","remote_address":"68.81.187.115","service":"sso-proxy","time":"2019-08-07 00:42:27.819"}

Expected behavior
Group validation to work.

@svenmueller

Related issue #230

@mcfearsome
Contributor Author

I was able to track my issue down to

ticker := time.NewTicker(c.refreshTTL) in filecache.go

It seems I didn't have PROVIDER_*_GROUPCACHE_INTERVAL_REFRESH set and the default of 0s caused the following error:

sso-auth-54d555695f-wtgqn sso-auth 2019/08/12 18:05:53 http: panic serving 10.33.127.48:48524: non-positive interval for NewTicker
sso-auth-54d555695f-wtgqn sso-auth goroutine 71 [running]:
sso-auth-54d555695f-wtgqn sso-auth net/http.(*conn).serve.func1(0xc0000a40a0)
sso-auth-54d555695f-wtgqn sso-auth      /usr/local/go/src/net/http/server.go:1769 +0x139
sso-auth-54d555695f-wtgqn sso-auth panic(0xa4aec0, 0xc0002d0230)
sso-auth-54d555695f-wtgqn sso-auth      /usr/local/go/src/runtime/panic.go:522 +0x1b5
sso-auth-54d555695f-wtgqn sso-auth net/http.(*timeoutHandler).ServeHTTP(0xc00002ff40, 0xc05be0, 0xc000334440, 0xc0002ce300)
sso-auth-54d555695f-wtgqn sso-auth      /usr/local/go/src/net/http/server.go:3193 +0x822
sso-auth-54d555695f-wtgqn sso-auth github.com/buzzfeed/sso/internal/auth.loggingHandler.ServeHTTP(0xbfb2a0, 0xc00009c008, 0xc000290460, 0xbfb1c0, 0xc00002ff40, 0x1, 0xc06620, 0xc000356a80, 0xc0002ce300)
sso-auth-54d555695f-wtgqn sso-auth      /go/src/github.com/buzzfeed/sso/internal/auth/logging_handler.go:101 +0x147
sso-auth-54d555695f-wtgqn sso-auth net/http.serverHandler.ServeHTTP(0xc000302680, 0xc06620, 0xc000356a80, 0xc0002ce300)
sso-auth-54d555695f-wtgqn sso-auth      /usr/local/go/src/net/http/server.go:2774 +0xa8
sso-auth-54d555695f-wtgqn sso-auth net/http.(*conn).serve(0xc0000a40a0, 0xc081a0, 0xc000334080)
sso-auth-54d555695f-wtgqn sso-auth      /usr/local/go/src/net/http/server.go:1878 +0x851
sso-auth-54d555695f-wtgqn sso-auth created by net/http.(*Server).Serve
sso-auth-54d555695f-wtgqn sso-auth      /usr/local/go/src/net/http/server.go:2884 +0x2f4

@cameronattard
Contributor

@mcfearsome thanks for sharing. I think setting this might solve the issues I'm having as well.

@ralavay

ralavay commented Aug 30, 2019

We have the same issue in v2.0, and setting PROVIDER_*_GROUPCACHE_INTERVAL_REFRESH makes it work. Thanks @mcfearsome

Also make sure that you set adminEmail to a real admin email from a G Suite account, otherwise the serviceAccount will not have sufficient permission to query the API.

@antonipp

We have experienced the exact same issue. The fact that the default value can cause a panic should definitely be fixed.

@Jusshersmith
Contributor

Hi all!

Thanks for submitting this issue. We added a default for PROVIDER_*_GROUPCACHE_INTERVAL_REFRESH in #246 which should prevent this from happening in the future.

Apologies for any inconvenience this bug caused!
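
The failure discussed in this thread, as an added example that is not the sso project's code or the change made in #246: `time.NewTicker` panics on a zero or negative interval, so the refresh setting is validated once at startup instead of inside a request handler. The names `parseRefresh`, `tickerPanics` and the 10-minute `fallbackRefresh` are assumptions made for this sketch.

```go
package main

import (
	"fmt"
	"time"
)

// fallbackRefresh is an assumed default for this example, not the value the project ships.
const fallbackRefresh = 10 * time.Minute

// parseRefresh turns the raw setting into an interval that is safe to hand to
// time.NewTicker. An unset value gets the fallback; zero, negative or malformed
// values are rejected so the service fails at startup with a clear message.
func parseRefresh(raw string) (time.Duration, error) {
	if raw == "" {
		return fallbackRefresh, nil
	}
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, fmt.Errorf("refresh interval %q: %w", raw, err)
	}
	if d <= 0 {
		return 0, fmt.Errorf("refresh interval %q must be positive", raw)
	}
	return d, nil
}

// tickerPanics reports whether time.NewTicker(d) panics, recovering so the
// caller survives. It reproduces the "non-positive interval" panic in the trace.
func tickerPanics(d time.Duration) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	time.NewTicker(d).Stop()
	return false
}

func main() {
	fmt.Println("NewTicker(0) panics:", tickerPanics(0))
	// Constructed sample settings: unset, zero, negative, malformed, valid.
	for _, raw := range []string{"", "0s", "-5s", "abc", "30s"} {
		d, err := parseRefresh(raw)
		fmt.Printf("%q -> interval=%v err=%v\n", raw, d, err)
	}
}
```
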
