Git Token Based Authentication #192
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Catalin-Stratulat-Ericsson The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Catalin-Stratulat-Ericsson
requested review from
kispaljr,
liamfallon and
efiacor
and removed request for
s3wong and
tliron
|
| @@ -43,6 +44,9 @@ const ( | |||
|
|
|||
| //Secret.Data key required for the caBundle | |||
| CaBundleDataName = "ca.crt" | |||
|
|
|||
| //Secret.Data key substring required for the token | |||
There was a problem hiding this comment.
| //Secret.Data key substring required for the token | |
| // Secret.Data key substring required for the token |
| var _ repository.Credential = &TokenAuthCredentials{} | ||
|
|
||
| func (b *TokenAuthCredentials) Valid() bool { | ||
| return true |
There was a problem hiding this comment.
Just checking is this OK? Is there nothing to validate?
There was a problem hiding this comment.
see i think this might just be a misworded function name because the basic-auth(username & password resolver & ca bundle resolver both return true for this method also) only the gcw resolver returns the following.
func (b *GcloudWICredential) Valid() bool
{
timeLeft := time.Until(b.token.Expiry)
return timeLeft > 5*time.Minute
}
which to me means that check if the value is still valid based on a time interval/expiry mechanism which i dont believe apply in the other cases?
maybe a different name for the function something like expiryValidity() or something along the lines if my understanding is correct?
There was a problem hiding this comment.
I think any checks we can do on validity or expiry of the token would be good.
Does the method not have to be called Valid()? I assume this must be an implementation of an interface that is being called by someone?
There was a problem hiding this comment.
in theory yes but this commit only allows the use of git tokens such as personal access tokens which is what we are using since were interacting with git instances for services such as github, gitlab, gitea etc and i believe these type of tokens do not actually include the expiry date in the token itself (just the key which to use) but rather manage this on the server side of the git instance itself.
As such the only way to know if the token is valid(expiry or by the value of the key itself) is to actually attempt to communicate with the git instance itself which is done after this process which simply checks that the secret data given matches what were looking for and is configured in the right way to feed it as an auth to this attempt at communicating with git
There was a problem hiding this comment.
if lets say we added JWT or perhaps other types of tokens to our list and added ability to process them which could contain other data within their token string such as the expiration date etc then another Resolver would have to be created and that Resolver Valid() method could process that information and return a more accurate validity check instead of just returning true
This PR adds the ability for the porch server to utilize secrets with tokens (Personal Access Tokens) and use those in authentication with the git instance instead of just basic authentication using username & password in porch repositories.
Documentation Relating to these changes can be found in PR#221