Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

impersonated_credentials.Credentials.sign_bytes leaks socket #1122

Closed
stewartmiles opened this issue Aug 26, 2022 · 0 comments · Fixed by #1123 or #1112
Closed

impersonated_credentials.Credentials.sign_bytes leaks socket #1122

stewartmiles opened this issue Aug 26, 2022 · 0 comments · Fixed by #1123 or #1112
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@stewartmiles
Copy link
Contributor

_#### Environment details

  • OS: Ubuntu 20.04
  • Python version: 3.8
  • pip version: 22.2.2
  • google-auth version: 2.11.0

Steps to reproduce

  1. Create a service account save the email in a environment variable SA_EMAIL.
  2. Enable service account impersonation for your user (principal YOUR_EMAIL) with the role iam.serviceAccountTokenCreator. i.e:
gcloud iam service-accounts add-iam-policy-binding \
  --role=roles/iam.serviceAccountTokenCreator \
  --member=serviceAccount:${YOUR_EMAIL} ${SA_EMAIL}
  1. Install google-auth and requests into your Python environment
    pip install google-auth requests.
  2. Paste the following code into a test Python file (e.g test.py):
import sys

import google.auth  # type: ignore
import google.auth.impersonated_credentials  # type: ignore

import unittest

class TestSignBlob(unittest.TestCase):

  def test_sign_blob(self):
    credentials, _ = google.auth.default()

    service_account_email = 'agentic-local-sa@agenticcorp.iam.gserviceaccount.com'

    signing_credentials = google.auth.impersonated_credentials.Credentials(
      source_credentials=credentials,
      target_principal=service_account_email,
      target_scopes=('https://www.googleapis.com/auth/devstorage.read_only',),
      lifetime=300)
    self.assertNotEqual(signing_credentials.sign_bytes(b'test'), b'')

if __name__ == '__main__':
  unittest.main()
  1. Run the test
python test.py
  1. Observe that a socket has been leaked on test tear down:
sign_leak.py:20: ResourceWarning: unclosed <ssl.SSLSocket fd=4, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('172.23.11.59', 53774), raddr=('172.217.164.106', 443)>
  self.assertNotEqual(signing_credentials.sign_bytes(b'test'), b'')
ResourceWarning: Enable tracemalloc to get the object allocation traceback

It looks like the bug is here

google-auth-library-python/google/auth/impersonated_credentials.py

Line 289 in bb5c979

authed_session = AuthorizedSession(self._source_credentials)

The requests session object is created but it's never closed. It should eventually be closed by the GC but really since it's no longer required it should be closed in this method.
stewartmiles added a commit to stewartmiles/google-auth-library-python that referenced this issue Aug 26, 2022
@stewartmiles
Fix socket leak in impersonated_credentials
ac64264 
impersonated_credentials.Credentials.sign_bytes() created
a session that wasn't closed leaking a socket. This fixes
the issue by always closing the requests session after
a signing request is complete.

Fixes googleapis#1122
@stewartmiles stewartmiles mentioned this issue Aug 26, 2022
Merged
stewartmiles added a commit to stewartmiles/google-auth-library-python that referenced this issue Aug 26, 2022
@stewartmiles
fix: Fix socket leak in impersonated_credentials
2dcb6d3 
impersonated_credentials.Credentials.sign_bytes() created
a session that wasn't closed leaking a socket. This fixes
the issue by always closing the requests session after
a signing request is complete.

Fixes googleapis#1122
@clundin25 clundin25 added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Aug 26, 2022
clundin25 pushed a commit that referenced this issue Aug 29, 2022
@stewartmiles
fix: fix socket leak in impersonated_credentials (#1123)
b1eb467 
* fix: Fix socket leak in impersonated_credentials

impersonated_credentials.Credentials.sign_bytes() created
a session that wasn't closed leaking a socket. This fixes
the issue by always closing the requests session after
a signing request is complete.

Fixes #1122
@release-please release-please bot mentioned this issue Aug 29, 2022
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
2 participants
@stewartmiles @clundin25