"TerminateProcess: Access is denied" when using Browser Provider
When using Windows and the Browser provider (provider=Browser) it is possible to receive the error "TerminateProcess: Access is denied" immediately after completing the browser step. When this occurs, saml2aws does not write out the credentials file.
The following environment applies:
- OS: Windows 10
- saml2aws version: 2.36.2
- Provider: Browser
- The issue is intermittent because it sometimes succeeds
- Multiple people are having the issue within my organisation
Debug log snippet:
Downloading browsers...
Downloaded browsers successfully
time="2023-01-17T16:09:11Z" level=info msg="opening browser" URL="https://redactedUrlHere" provider=browser
time="2023-01-17T16:09:28Z" level=info msg="clean up browser" provider=browser
TerminateProcess: Access is denied.
Error authenticating to IdP.
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
    github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
    ./main.go:188
runtime.main
    runtime/proc.go:250
runtime.goexit
    runtime/asm_amd64.s:1571
Some notes/findings:
- Purely based on the log snippet, it would appear that the issue is related to failing to kill the browser process.
- Given that it is intermittent, it seems that the issue is a race condition.
- Given that multiple people in my organisation are having this issue, it is clearly not just my machine, but it could possibly be due to other software present.
- This issue appears to never occur when running on Linux.
I looked into this a bit. Whilst I do think the TerminateProcess: Access is denied is genuinely caused by my environment, it makes me wonder if this should really cause saml2aws to not write out any obtained credentials.
Could the failure to terminate the process be changed to only being a warning, allowing the rest of saml2aws to continue? (i.e. fail to kill the process and log a warning but go on to write out the obtained credentials anyway)
Really, I think I could reword this issue as:
- When using provider=Browser, if close() in browser fails (even though the actual login succeeded) then saml2aws doesn't save the token
The reason it fails when this occurs is:
- For (at least) browser, close() is called in Authenticate(), and it is expected that Authenticate() completes without error
- This means cleanup of the provider is essentially a mandatory step of Authenticate. Perhaps instead a "cleanup" function, per provider, could be defined so that it can be called individually/not be part of Authenticate()?
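A sketch of the separation proposed above, added here as an example and not taken from saml2aws: cleanup is an optional per-provider step whose failure is downgraded to a warning, while an authentication failure still fails the login. The `Authenticator` and `Cleaner` interfaces, `Login`, and `fakeBrowser` are hypothetical names, and the assertion value is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical interfaces for this sketch, not saml2aws's actual provider API.
type Authenticator interface {
	Authenticate() (samlAssertion string, err error)
}

// Cleaner is optional: only providers holding resources (a browser) implement it.
type Cleaner interface {
	Cleanup() error
}

// Login returns the assertion whenever Authenticate succeeded. A cleanup
// failure is collected as a warning instead of discarding the result.
func Login(p Authenticator) (assertion string, warnings []string, err error) {
	if c, ok := p.(Cleaner); ok {
		defer func() { // runs on every path, including failed authentication
			if cerr := c.Cleanup(); cerr != nil {
				warnings = append(warnings, "provider cleanup failed: "+cerr.Error())
			}
		}()
	}
	assertion, err = p.Authenticate()
	if err != nil {
		return "", warnings, fmt.Errorf("error authenticating to IdP: %w", err)
	}
	return assertion, warnings, nil
}

// fakeBrowser is a constructed stand-in for a browser-driven provider.
type fakeBrowser struct {
	assertion string
	authErr   error
	closeErr  error
}

func (f fakeBrowser) Authenticate() (string, error) { return f.assertion, f.authErr }
func (f fakeBrowser) Cleanup() error                { return f.closeErr }

func main() {
	b := fakeBrowser{
		assertion: "constructed-saml-assertion",
		closeErr:  errors.New("TerminateProcess: Access is denied."),
	}
	assertion, warnings, err := Login(b)
	fmt.Println(assertion, warnings, err)
}
```

The caller can log the returned warnings and go on to write the credentials file, since `err` is nil whenever the IdP step itself succeeded.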