Support Basic authentication for devfile factory URL #451

Merged
merged 5 commits into from
Feb 23, 2023

vinokurig
Contributor

@vinokurig vinokurig commented Feb 22, 2023

What does this PR do?

  • Add a parsing rule to detect credentials in factory URLs if they are in the format https://<username>:<password>@hostname.
  • Extract the credentials from factory URLs and pass them to the devfile content request.

Screenshot/screencast of this PR

What issues does this PR fix or reference?

eclipse-che/che#21998

How to test this PR?

  1. Deploy che from the test image: quay.io/ivinokur/che-server:next
  2. Create a factory from a private raw devfile url with personal access token e.g. https://<PAT>@github.com/<path to devfile.yaml>

Member

@ibuziuk ibuziuk left a comment

@vinokurig could you please provide image for testing in the PR description?

@vinokurig
Contributor Author

@ibuziuk

> @vinokurig could you please provide image for testing in the PR description?

updated the description

Comment on lines +78 to +83
if (!isNullOrEmpty(username) || !isNullOrEmpty(password)) {
return Optional.of(
format(
"%s:%s",
isNullOrEmpty(username) ? "" : username, isNullOrEmpty(password) ? "" : password));
}
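
Review bot: The `||` in the condition lets a password-only URL through, so an empty `username` with a non-empty `password` produces the credentials string `:<password>` with an empty user-id. If only the `<token>@` and `<username>:<password>@` forms are intended, test `!isNullOrEmpty(username)` alone and handle the password inside the branch. It is also worth confirming that `username` and `password` are percent-decoded before they reach `format("%s:%s", ...)`, because a `:` inside the username would make the pair ambiguous once it is encoded for Basic authentication.
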
Member

I'm a bit lost, can we really handle a case from auth perspective if either username or password is null / blank? I thought we need both, no?

Member

@ibuziuk ibuziuk Feb 22, 2023

ok, this is probably for token: case

Contributor Author

Actually we don't need both parts. If we have only username, we pass the credentials as username:. From the authentication perspective this case is considered as a token. I agree that it looks a bit weird, but it comes from the curl behaviour:

```
curl https://<token>@dev.azure.com/vinokurig/test/_apis/git/repositories/test/items?path=%2Fdevfile.yaml -v
*   Trying 185.199.109.133:443...
* Connected to raw.githubusercontent.com (185.199.109.133) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.io
*  start date: Feb 21 00:00:00 2023 GMT
*  expire date: Mar 20 23:59:59 2024 GMT
*  subjectAltName: host "raw.githubusercontent.com" matched cert's "*.githubusercontent.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user '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'
* h2h3 [:method: GET]
* h2h3 [:path: /vinokurig/private/master/devfile.yaml]
* h2h3 [:scheme: https]
* h2h3 [:authority: raw.githubusercontent.com]
* h2h3 [authorization: Basic <token plus : in Base 64> ]
```

So curl https://<token>@dev.azure.com/... equals curl https://dev.azure.com/... -H 'Authorization: Basic <token + : in base64>'
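
The equivalence described in the comment above (`https://<token>@host` is sent as `Authorization: Basic` over `<token>:`), as an added Java example that is not part of this PR or of Che's code. It extracts the userinfo from a URL, builds the header, and strips the credentials from the URL before it is logged or requested; the class, the method names and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Pattern;

/** Added illustration; class and method names are hypothetical, not Che's API. */
public class UrlBasicAuth {

  /** Returns "user:password" taken from the URL's userinfo, or empty if there is none. */
  static Optional<String> credentials(String url) throws URISyntaxException {
    // getUserInfo() is percent-decoded ("p%40ss" -> "p@ss"); null when absent.
    String userInfo = new URI(url).getUserInfo();
    if (userInfo == null || userInfo.isEmpty()) {
      return Optional.empty();
    }
    // Token-only form has no ':'; curl sends "<token>:" so append the colon.
    return Optional.of(userInfo.contains(":") ? userInfo : userInfo + ":");
  }

  /** Authorization header value for a "user:password" pair. */
  static String basicHeader(String credentials) {
    byte[] raw = credentials.getBytes(StandardCharsets.UTF_8);
    return "Basic " + Base64.getEncoder().encodeToString(raw);
  }

  /** The same URL without userinfo, safe to log or to request with the header. */
  static String stripUserInfo(String url) throws URISyntaxException {
    String raw = new URI(url).getRawUserInfo();
    // Encoded userinfo sits right after "scheme://", so the first "<raw>@" is
    // the one to drop; path and query (e.g. "%2F") are left byte-for-byte.
    return raw == null ? url : url.replaceFirst(Pattern.quote(raw + "@"), "");
  }

  public static void main(String[] args) throws URISyntaxException {
    // Constructed sample URLs; host, token and password are placeholders.
    String[] samples = {
      "https://EXAMPLE_TOKEN@git.example.com/items?path=%2Fdevfile.yaml",
      "https://alice:p%40ss@git.example.com/org/repo/devfile.yaml",
      "https://git.example.com/org/repo/devfile.yaml"
    };
    for (String s : samples) {
      String header = credentials(s).map(UrlBasicAuth::basicHeader).orElse("(none)");
      System.out.println(stripUserInfo(s) + "  Authorization: " + header);
    }
  }
}
```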

Comment on lines +59 to 62
public String fetchContent(String fileURL, String credentials)
throws IOException, DevfileException {
return fetchContent(fileURL, false, credentials);
}
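
Review bot: The new `credentials` parameter on the public `fetchContent(String fileURL, String credentials)` has no documented format or null contract. Add Javadoc stating what form it takes (the `%s:%s` pair built by the caller, or an already encoded header value), and either annotate it as non-null or fail fast, because it is forwarded unchecked to `fetchContent(fileURL, false, credentials)`.
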
Member

can we use Optional here also?

Contributor Author

There is no need to use Optional or Nullable here. This is an overloaded method which is supposed to receive non null parameters.

}

protected String fetchContent(String fileURL, boolean skipAuthentication)
private String fetchContent(
String fileURL, boolean skipAuthentication, @Nullable String credentials)
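
Review bot: The three-argument `fetchContent` takes both `skipAuthentication` and a `@Nullable String credentials`, and the signature does not say which one wins when `skipAuthentication` is true and `credentials` is non-null; document the precedence or reject that combination. The two-argument form appears here as `protected` while the new overload is `private`, so check that no subclass depends on overriding the protected method for the code path that now runs through the private one.
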
Member

would be nice to use Optional here also

Contributor Author

I don't think that passing Optional as a parameter is a good idea: https://stackoverflow.com/questions/31922866/why-should-java-8s-optional-not-be-used-in-arguments
This is a private method so I don't think it will affect something.

Member

@ibuziuk ibuziuk left a comment

@vinokurig great job 👍 please consider a few suggestions (Optionals + more fancy URL tests coverage with parameters)

@ibuziuk
Member

ibuziuk commented Feb 22, 2023

@vinokurig also would be nice if you can add some docs references about this cool feature 👍

…i/factory/server/urlfactory/DefaultFactoryUrlTest.java

Co-authored-by: Ilya Buziuk <[email protected]>
@vinokurig vinokurig merged commit b9ededf into main Feb 23, 2023
@vinokurig vinokurig deleted the che-21998 branch February 23, 2023 13:05
@che-bot che-bot added this to the 7.62 milestone Feb 23, 2023
vinokurig added a commit that referenced this pull request Feb 27, 2023
Add a parsing rule to detect credentials in factory URLs if they are in the format https://<username>:<password>@hostname.
Extract the credentials from factory URLs and pass them to the devfile content request.