Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Access tokens for flakes #4091

Merged
merged 8 commits into from Sep 30, 2020
Merged

Access tokens for flakes #4091

merged 8 commits into from Sep 30, 2020

Conversation

@kquick
Copy link
Contributor

@kquick kquick commented Sep 29, 2020

This patch updates the ability to specify access tokens in the nix.conf file for use in the github fetcher. This PR builds upon the previous functionality provided by @imalsogreg to allow the specification of more than two access tokens because:

  • Gitlab has two different kinds of access tokens that can be used (4 authorization methods, but just two that are relevant here).

  • Both gitlab and github are available for use by organizations and other groups, so they will exist at locations other than https://github.com and https://gitlab.com, both publicly and privately.

  • There are also non-github and non-gitlab sites hosting git that will have access controls.

This patch provides the ability to specify the access token to use for a specific remote host by matching against the "host" attribute in the corresponding flake input specification.

This adds a new entry to the nix.conf file called access-tokens, which is a space separated list of host=token specifications. It removes the gitlab-access-token provided in PR #3675 because that token is new enough that it is not likely to be broadly used. The github-access-token is still supported, but generates deprecation warnings when used.

kquick added 7 commits Sep 25, 2020
Allows Configuration values that are space-separated key=value pairs.
…ing.

Completes the change begun in commit 56f1e0d to consistently use the
"host" attribute for "github" and "gitlab" inputs instead of a "url"
attribute.
This change provides support for using access tokens with other
instances of GitHub and GitLab beyond just github.com and
gitlab.com (especially company-specific or foundation-specific
instances).

This change also provides the ability to specify the type of access
token being used, where different types may have different handling,
based on the forge type.
src/libstore/globals.hh Outdated Show resolved Hide resolved
@edolstra edolstra merged commit 002ce84 into NixOS:master Sep 30, 2020
2 checks passed
@kquick kquick deleted the access-tokens branch Sep 30, 2020
@imalsogreg
Copy link
Contributor

@imalsogreg imalsogreg commented Dec 2, 2020

@kquick Have you been using this? I'm wondering if I'm doing it wrong, or if we have a bug. Demonstrating below:

I have the access-tokens field set in my nix.conf, and nix picks it up.

[root@nixos:~]# nix show-config | grep token
warning: unknown setting 'gc-check-reachability'
access-tokens = "gitlab.com=PAT:REDACTED github.com=REDACTED"

nix flake info github.com:imalsogreg/some_private_repo fails, and it does so not with a 404, but a 401, suggesting that my token is reaching the curl command within nix. (If I run this with no token, it's a 404).

[root@nixos:~]# nix flake info github:imalsogreg/work_queue
warning: unknown setting 'gc-check-reachability'
error: --- FileTransferError --------------------------------------------------------------------------------- nix
unable to download 'https://api.github.com/repos/imalsogreg/work_queue/commits/HEAD': HTTP error 401 ('Unauthorized')

response body:

{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}

Using the same github token, I am able to hit the URL that nix is trying to hit.

curl -H "Authorization: Bearer REDACTED" "https://api.github.com/repos/imalsogreg/work_queue/commits/HEAD"
[[succeeds]]

@stephank
Copy link
Contributor

@stephank stephank commented Dec 2, 2020

The example (in the code comment) shows quotes, but it appears that's not really a syntax construct in nix.conf. It's just parsing it as a literal string including quotes.

@kquick In your case, it's reading your GitHub token as github.com=REDACTED" (notice the ending quote), which is an invalid token. It's also reading your GitLab token as "gitlab.com=PAT:REDACTED, which will never match the gitlab.com host. (I ran into the latter.)

Simply removing the quotes in nix.conf works.

@imalsogreg
Copy link
Contributor

@imalsogreg imalsogreg commented Dec 2, 2020

Thanks @stephank , that was it! Opened a small documentation fix PR here: #4301

@kquick
Copy link
Contributor Author

@kquick kquick commented Dec 2, 2020

Oops, yes, that's a bug in the docs: my local usage doesn't have the quotes. Thanks @stephank and @imalsogreg for the investigation and PR to fix!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants