Skip to content

Make it possible for Go agents to use auth tokens from HTTP header#10237

Merged
mshaposhnik merged 8 commits intomasterfrom
agents_headers
Jul 3, 2018
Merged

Make it possible for Go agents to use auth tokens from HTTP header#10237
mshaposhnik merged 8 commits intomasterfrom
agents_headers

Conversation

@mshaposhnik
Copy link
Copy Markdown
Contributor

@mshaposhnik mshaposhnik commented Jul 2, 2018
edited
Loading

What does this PR do?

For now Go agents is able to extract aithentication tokens only from request query parameters,
which is inconvenient for proxy authetication and has some other disadvantages.
This PR makes possible to pass tokens via Authorization header and refactors readiness/liveness probes to use them.

What issues does this PR fix or reference?

Release Notes

N/A

Docs PR

N/A

@mshaposhnik mshaposhnik requested a review from garagatyi as a code owner July 2, 2018 07:13
@benoitf benoitf added the status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. label Jul 2, 2018
sleshchenko
sleshchenko reviewed Jul 2, 2018
View reviewed changes
agents/go-agents/core/auth/auth.go Outdated
token := req.URL.Query().Get("token")
if token == "" {
header := req.Header.Get("Authorization")
if header != "" && strings.HasPrefix(strings.ToLower(header), "bearer") {
Copy link
Copy Markdown
Member

@sleshchenko sleshchenko Jul 2, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's impossible in our authentication implementation but still, you check bearer word and cut bearer what if there will be a token that starts with bearer that is not type but just part of token like bearer9SUcJXjsdenx. Maybe it would be better to check if token is prefixed with bearer

Copy link
Copy Markdown
Contributor Author

@mshaposhnik mshaposhnik Jul 2, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bearer word indicates type of token, there also can be Basic or Digest which is not supported. So we cut it away to have pure token. Or do i understood your question wrong ?

Copy link
Copy Markdown
Member

@sleshchenko sleshchenko Jul 2, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Markdown helps me to confuse you =)
Let me rephrase, you check bearer word without space and cut bearer with space (7 characters) Maybe it would be better to check if token is prefixed with **bearer ** with space.

Copy link
Copy Markdown
Contributor Author

@mshaposhnik mshaposhnik Jul 2, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok

...g/eclipse/che/api/workspace/server/hc/probe/server/ExecServerLivenessProbeConfigFactory.java Outdated

public ExecServerLivenessProbeConfigFactory(int successThreshold) {
@Inject
public ExecServerLivenessProbeConfigFactory(
Copy link
Copy Markdown
Member

@sleshchenko sleshchenko Jul 2, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we are able not to change current approach with public available liveness probes.
@skabashnyuk WDYT? Should we revert it here and create an issue for implementing exclude in JWT proxy?

garagatyi
garagatyi approved these changes Jul 2, 2018
View reviewed changes
Copy link
Copy Markdown

@garagatyi garagatyi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@mshaposhnik mshaposhnik merged commit 29eef88 into master Jul 3, 2018
@benoitf benoitf removed the status/code-review This issue has a pull request posted for it and is awaiting code review completion by the community. label Jul 3, 2018
@benoitf benoitf added this to the 6.8.0 milestone Jul 3, 2018
@mshaposhnik mshaposhnik mentioned this pull request Jul 6, 2018
Closed
@mshaposhnik mshaposhnik deleted the agents_headers branch July 9, 2018 06:37
hbhargav pushed a commit to hbhargav/che that referenced this pull request Dec 5, 2018
@mshaposhnik
Make it possible for Go agents to use auth tokens from HTTP header (e…
7bfcea6 
…clipse-che#10237)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@skabashnyuk skabashnyuk skabashnyuk approved these changes

@sleshchenko sleshchenko sleshchenko approved these changes

+1 more reviewer

@garagatyi garagatyi garagatyi approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

6.8.0

Development

Successfully merging this pull request may close these issues.

5 participants

@mshaposhnik @skabashnyuk @garagatyi @sleshchenko @benoitf