-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set Github token through workspace master Rest API. Added a force act… #4444
Conversation
…ivation property variable to register Github Oauth provider even without client id/secret Signed-off-by: Sun Seng David Tan <sutan@redhat.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Conceptually -1
Explained opinion here #4438
@@ -50,6 +50,8 @@ oauth.github.authuri= https://github.com/login/oauth/authorize | |||
oauth.github.tokenuri= https://github.com/login/oauth/access_token | |||
#redirected uris | |||
oauth.github.redirecturis= http://localhost:${SERVER_PORT}/che/api/oauth/callback | |||
# register github even without client id and secret | |||
oauth.github.forceactivation=false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see the place in code that uses this property. Can you point to it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
right, will remove it
@@ -142,7 +142,8 @@ che.oauth.github.clientsecret=NULL | |||
che.oauth.github.authuri= https://github.com/login/oauth/authorize | |||
che.oauth.github.tokenuri= https://github.com/login/oauth/access_token | |||
che.oauth.github.redirecturis= http://localhost:${SERVER_PORT}/wsmaster/api/oauth/callback | |||
|
|||
# register github even without client id and secret | |||
che.oauth.github.forceactivation=false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you elaborate on what will happen if token is not injected but this property is set to true and client secret/id are unset.
What will happen on clicking OAuth button in IDE?
What will happen on an operation with github?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These video shows an attempt to perform a git operation or github operation (would be similar to clicking in OAuth button):
- attempt with default che.oauth.github.forceactivation false
- attempt with che.oauth.github.forceactivation true without setToken
- attempt with che.oauth.github.forceactivation true and setting the token
- Github operation (upload ssh key - old demo, but will show what happen) https://youtu.be/y9cux67RQHY It shows a 404 in a pop in one case + notification error of Oauth failure
- Git operation (push) https://youtu.be/5D6XZlDyPKE . It shows a notification error
&& !isNullOrEmpty(clientSecret) | ||
&& !isNullOrEmpty(authUri) | ||
&& !isNullOrEmpty(tokenUri) | ||
public GitHubOAuthAuthenticator(@Nullable @Named("che.oauth.github.clientid") String clientId, // |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is uncommon for existing codebase to use trailing slashes, can you elaborate on why they are needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I use the default formatter in Che. So these were to keep the current formatting
return; | ||
} | ||
|
||
if (forceActivation != null && forceActivation) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you make forceActivation primitive then nullness check can be avoided.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can it be a default null value (so it's false by default) ?
|
||
if (forceActivation != null && forceActivation) { | ||
configure("NULL", "NULL", redirectUris, authUri, tokenUri, new MemoryDataStoreFactory()); | ||
return; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Return is not needed here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's for readability. But I can remove it ...
} | ||
|
||
if (forceActivation != null && forceActivation) { | ||
configure("NULL", "NULL", redirectUris, authUri, tokenUri, new MemoryDataStoreFactory()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If client id/secret are not configured how other params (redirectUris, etc) can be used? Should they be unset too?
@POST | ||
@Path("token") | ||
@Consumes(MediaType.APPLICATION_JSON) | ||
public void setToken(@Required @QueryParam("oauth_provider") String oauthProvider, // |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like one of map's entry can growth infinitely because of this API, and it is not restricted so any user of the product can cause OOM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It means that EnvironmentContext.getCurrent().getSubject().getUserId();
can return any userId ? or be dynamically changed ? are you sure of that ?
If you are sure of that, so getToken shouldn't be available because anyone could still others' token ...
Build success. https://ci.codenvycorp.com/job/che-pullrequests-build/2194/ |
@skabashnyuk I think that User's data and access to other system is more important than anything. In my opinion, setting the token and use another system to do the oauth stuff is actually more secured than letting Codenvy/Che doing the whole thing: the system responsible for oauth would focus on security ... where as we (Che) want to focus our effort on providing the best development tool. |
Can you comment This can be mitigated by using the authorization code flow and only accepting tokens directly from the authorization server's token enpdoint, and by using a state value that is unguessable by an attacker. Are you sure it's not related to what you are proposing? |
Yes OK. Thanks for this. The plan is: we will add validation of token. |
…rce activation property variable to register Github Oauth provider even without client id/secret Signed-off-by: Sun Seng David Tan <sutan@redhat.com>
Build success. https://ci.codenvycorp.com/job/che-pullrequests-build/2205/ |
@sunix - I think your plan sounds appropriate. What is the plan to revise and then get this merged? |
@sunix @skabashnyuk any update here, look like not actual for now? |
not needed anymore thanks |
Set Github token through workspace master Rest API. Added a force activation property variable to register Github Oauth provider even without client id/secret
Signed-off-by: Sun Seng David Tan sutan@redhat.com
What does this PR do?
che.oauth.github.forceactivation
to force registration of Github Oauth provider, even without client id/secret (actually setNULL
string for these value)What issues does this PR fix or reference?
https://issues.jboss.org/browse/CHE-151
Changelog
Set Github token through workspace master Rest API. Added a force activation property variable to register Github Oauth provider even without client id/secret
Release Notes
Set Github token through workspace master Rest API. Added a force activation property variable to register Github Oauth provider even without client id/secret
Docs PR