Malformed scitoken can result in schedd abort
When using the SCITOKENS authentication method, a malformed scitoken can cause a schedd daemon configured to use the SCHEDD_AUDIT_LOG to abort with signal 6 (SIGABRT).
The issue is that the JWT library used by HTCondor can throw a C++ exception if it fails to decode a token, and this exception is not always caught.
The patch always encloses attempts to decode JWT tokens in a try/catch block.
CODE REVIEW looks good to me. A search shows no other places where we seem to throw an uncaught exception. However, we have no docs or tests for scitokens as-as-auth – should we?
Also – I would hope that a malformed token would be a rare request. Should we dprintf that at D_ALWAYS in the catch block?
To reproduce the original problem, set up a minicondor to use SCITOKENS authentication, and then issue a condor_q against a schedd using an empty scitoken file. Note that SCITOKENS are passed from the client to the server with SSL, so you will need to set up a host cert to test. Behold the following setup using a centos 7 container with minihtcondor:
First make a self-signed localhost host cert and update the CA bundle via the following commands (as root):
Next, set up HTCondor as follows in /etc/condor/config.d/00-test:
Make an empty scitoken file, fire up HTCondor, then try condor_q.
The condor_q will cause the schedd to abort.
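The failure mode and the try/catch fix described above, as an added example that is not HTCondor's code or its patch: `decode_header` is a hypothetical stand-in for the JWT library's throwing decode call, and `try_decode_header` is a hypothetical hardened call site. Called without the wrapper, the exception from the empty token would propagate out of `main`, `std::terminate()` would call `abort()`, and the process would die with signal 6.

```cpp
#include <cstdio>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for a JWT library's decode call: returns the raw
// header segment and throws on input that is not header.payload.signature.
std::string decode_header(const std::string &token) {
    if (token.empty()) throw std::invalid_argument("empty token");
    std::size_t dot1 = token.find('.');
    std::size_t dot2 = (dot1 == std::string::npos) ? dot1 : token.find('.', dot1 + 1);
    if (dot2 == std::string::npos || token.find('.', dot2 + 1) != std::string::npos)
        throw std::invalid_argument("token must have exactly three segments");
    const std::string b64url =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    std::string header = token.substr(0, dot1);
    if (header.empty() || header.find_first_not_of(b64url) != std::string::npos)
        throw std::invalid_argument("header is not base64url");
    return header;
}

// Hardened call site: every decode attempt sits inside try/catch, so a bad
// token becomes an authentication failure instead of std::terminate()/SIGABRT.
// 'err' carries the reason, which is what a daemon would write to its log.
bool try_decode_header(const std::string &token, std::string &header, std::string &err) {
    try {
        header = decode_header(token);
        return true;
    } catch (const std::exception &e) {
        err = e.what();
    } catch (...) {
        err = "unknown exception from token decoder";
    }
    header.clear();
    return false;
}

int main() {
    // Constructed sample tokens: one well-formed shape, then malformed ones
    // (the empty string mirrors the empty scitoken file in the reproduction).
    const char *samples[] = {"eyJhbGciOiJFUzI1NiJ9.e30.c2ln", "", "not-a-jwt", "a.b", "a!.b.c"};
    for (const char *s : samples) {
        std::string header, err;
        bool ok = try_decode_header(s, header, err);
        std::printf("%-32s -> %s\n", s, ok ? "decoded" : err.c_str());
    }
    return 0;
}
```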