Skip to content
This repository has been archived by the owner on May 21, 2024. It is now read-only.

support new backend authentication for garage-push and garage-deploy #1767

Merged
merged 1 commit into from
Oct 23, 2020

Conversation

aodukha
Copy link
Contributor

@aodukha aodukha commented Oct 15, 2020

it is OTA-5285
Before back-end start support cognito authentication we do in code something like:

curl -X POST /token
-d "grant_type=client_credentials"
-u :

now we have to keep backward compatabitly with old credetials.zip and for new use :
curl -X POST
-d "grant_type=client_credentials"
-d "scope="
-u :

difference bewteen new and old credentials.zip are in treehub.json. New have "scope" and auth-server-url ends with /token

Signed-off-by: Anatoliy Odukha [email protected]

@aodukha aodukha requested a review from pattivacek October 15, 2020 20:01
Copy link
Collaborator

@pattivacek pattivacek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine, but this needs to be covered by unit tests. All the existing authentication methods are currently covered in authenticate_test.cc and we have to do something similar for this.

I was also wondering if there are any documentation changes necessary, but it looks like https://docs.ota.here.com/ota-client/latest/provisioning-methods-and-credentialszip.html doesn't going into details about the contents of treehub.json. I don't know if anything else does, either. Your thorough comment is probably good enough.

"ignoreFailures": true
}
]
},
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was never particularly fond of this file being part of the repo in the first place, but if it's going to be there, it really shouldn't have absolute paths that won't work for anyone else. I'd prefer if this file were removed and put it .gitignore, but I'd accept it if the paths were relative.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep. make sense remove the file. anyway configuration for aktualizr does not work

src/sota_tools/oauth2.cc Outdated Show resolved Hide resolved
@@ -17,6 +17,7 @@ boost::filesystem::path certs_dir;
* Parse authentication information from treehub.json. */
TEST(authenticate, good_zip) {
// Authenticates with the ATS portal to the SaaS instance.
// It is outdated test. kepp it for backward compatibility
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@@ -98,12 +99,22 @@ TEST(authenticate, no_json_zip) {
/* Extract credentials from a provided JSON file. */
TEST(authenticate, good_json) {
// Authenticates with the ATS portal to the SaaS instance.
// Outdated. Keep backward compatibility
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment is good, but honestly, we can probably get rid of the whole json-only authentication at this point. The last time that was officially supported was over three years ago and it's been "deprecated" ever since. You can worry about that later in another PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://saeljira.it.here.com/browse/OTA-5341 to keep it and update test data after backend release

TEST(authenticate, good_json_v2) {
// Authenticates with new backend.
// Note: update auth_test_goog_v2.json after deploy on prod. current file uses HAT
boost::filesystem::path filepath = "tests/sota_tools/auth_test_goog_v2.json";
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it intentional that the comment and path here are goog, but the json is goox and the zip is good?

I suggest not supporting json directly but only the zip file. I also suggest creating the zip file with a script at build or test time instead of hardcoding a binary file into the repo. We try to avoid binaries as much as possible, and it makes things much easier to read, debug, and maintain to do it with a script. There are some examples of this already in the repo and it was one of our goals to do this everywhere.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo fixed

@codecov-io
Copy link

codecov-io commented Oct 22, 2020

Codecov Report

Merging #1767 into master will decrease coverage by 0.06%.
The diff coverage is 87.50%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1767      +/-   ##
==========================================
- Coverage   84.58%   84.51%   -0.07%     
==========================================
  Files         174      174              
  Lines       11937    11949      +12     
==========================================
+ Hits        10097    10099       +2     
- Misses       1840     1850      +10     
Impacted Files Coverage Δ
src/sota_tools/oauth2.cc 84.61% <81.81%> (-2.06%) ⬇️
src/sota_tools/authenticate.cc 73.07% <100.00%> (ø)
src/sota_tools/oauth2.h 100.00% <100.00%> (ø)
src/sota_tools/server_credentials.cc 93.50% <100.00%> (+0.08%) ⬆️
src/sota_tools/server_credentials.h 77.77% <100.00%> (+1.30%) ⬆️
src/libaktualizr/storage/sqlstorage_base.h 60.00% <0.00%> (-40.00%) ⬇️
src/libaktualizr/storage/sqlstorage_base.cc 74.82% <0.00%> (-4.09%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4554ed9...d8bc997. Read the comment docs.

ci/gitlab/.gitlab-ci.yml Outdated Show resolved Hide resolved
zabbal
zabbal previously requested changes Oct 22, 2020
Copy link
Contributor

@zabbal zabbal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The space in the stage name is a perfectly valid construct according to gilab docs.

Copy link
Collaborator

@pattivacek pattivacek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I recommend rebasing on master and squashing a few of those tiny fixup commits.

@aodukha aodukha dismissed zabbal’s stale review October 23, 2020 07:31

CI changes are in separate PR

Copy link
Collaborator

@pattivacek pattivacek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code looks fine. However, there are still some lingering issues here:

  • Now up to nine commits including merges. Please rebase and squash some of the smaller fixup commits.
  • The zip file is currently unused. Since the json auth method is deprecated anyway, I would prefer if the zip file were used instead and the new json file excluded.
  • The zip file should be constructed dynamically at build or test time via a script. Binaries should only be added to the repo if absolutely necessary.

@aodukha aodukha force-pushed the feat/new_backend_authentication branch from 1cb841a to 4ef5ba1 Compare October 23, 2020 10:25
@aodukha
Copy link
Contributor Author

aodukha commented Oct 23, 2020

done. also "create zip at run-time" added to OTA-5341 task

Copy link
Collaborator

@pattivacek pattivacek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, that'll work. Thanks for the cleanup effort!

@aodukha aodukha merged commit ebb75ad into master Oct 23, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants