Issue #121: BasicAuth REST API #147
Conversation
api/restapi/restapi.go
Outdated
| func NewTLSRESTAPI(apiMAddr ma.Multiaddr, tlsCfg *tls.Config) (*RESTAPI, error) { | ||
| // NewRESTAPI creates a new REST API component. It receives | ||
| // the multiaddress on which the API listens. | ||
| func NewRESTAPIWithConfig(apiMAddr ma.Multiaddr, cfg *Config) (*RESTAPI, error) { |
There was a problem hiding this comment.
Should include the apiMaddr as part of the configuration I guess
There was a problem hiding this comment.
Sounds good -- the only difference that I see so far is that the apiMAddr is required, while everything in the cfg is optional. Not sure if that difference matters much, but for now I'm combining them into a single config (so we'll have NewRESTAPI(cfg *Config)).
api/restapi/restapi.go
Outdated
| @@ -56,6 +56,11 @@ type RESTAPI struct { | |||
| wg sync.WaitGroup | |||
| } | |||
|
|
|||
| type Config struct { | |||
There was a problem hiding this comment.
Don't forget to document public types
|
@hsanjuan @ZenGround0 Just made a push, the current state should be consistent with the Todo list in the OP. |
dgrisham
force-pushed
the
feat/api-basic-auth
branch
2 times, most recently
from
2bf672a
to
9d000a1
Compare
sharness/t0042-basic-auth.sh
Outdated
|
|
||
| test_expect_success "BasicAuth fails without credentials" ' | ||
| id=`cluster_id` | ||
| ipfs-cluster-ctl id | grep -q Unauthorized |
There was a problem hiding this comment.
I'm not convinced checking for 'Unauthorized' in the response is the best approach to this -- e.g. we could accidentally be leaking info in some case but the presence of the word 'Unauthorized' would allow this test to pass anyway.
There was a problem hiding this comment.
@dgrisham check that the command did not return 0 for exit code and then check for Unauthorized (should be ok for the moment).
|
@hsanjuan Two questions on the remaining Todos I have listed:
|
dgrisham
force-pushed
the
feat/api-basic-auth
branch
from
9d000a1
to
ca6cf9a
Compare
ipfs-cluster-ctl/main.go
Outdated
| @@ -105,11 +107,30 @@ func main() { | |||
| Name: "debug, d", | |||
| Usage: "set debug log level", | |||
| }, | |||
| cli.StringFlag{ | |||
| Name: "credentials, c", | |||
| Usage: "specify BasicAuth credentials for server that requires " + | |||
There was a problem hiding this comment.
Would need a hint that they are passed as "user:password"
ipfs-cluster-ctl/main.go
Outdated
| @@ -105,11 +107,30 @@ func main() { | |||
| Name: "debug, d", | |||
| Usage: "set debug log level", | |||
| }, | |||
| cli.StringFlag{ | |||
| Name: "credentials, c", | |||
There was a problem hiding this comment.
perhaps rename to --basic-auth (or even -u, --user USER[:PASSWORD] Server user and password like curl does) . Not sure if it deserves a short-hand alias. I'd like to keep -c for config (in line with server).
There was a problem hiding this comment.
Hm, so right now (I think) an empty password would work by passing --basic-auth <username>: (note the : at the end) but you'd get an error if you just passed --basic-auth <username> (no :). Might be nice to support the latter, I'll make that change.
|
Seems sharness is complaining too. But other than that, should be good to go |
Yes, let's leave it like that for the moment
Sharness is ok |
|
Implements #121 |
dgrisham
force-pushed
the
feat/api-basic-auth
branch
2 times, most recently
from
b38b25a
to
b36b3db
Compare
|
@dgrisham I had the same Travis problem yesterday. Rebasing on top of master should do the trick. |
ipfs-cluster-ctl/main.go
Outdated
| client := &http.Client{Transport: defaultTransport} | ||
| resp, err := client.Do(r) | ||
| if err == nil && resp.StatusCode >= 400 { |
There was a problem hiding this comment.
Now that this has been brought to my attention :)
I think the best place to detect error and set exit code in such case is the end of formatResponse. This ensures the received data/error is shown to the user in the desired format. Only then you can check resp.StatusCode and exit with 2 when it was not a successful request.
There was a problem hiding this comment.
Gotcha, yeah I was definitely planning on discussing/correcting this approach. And out of curiosity, why exit code 2 specifically? Is there a good rule of thumb for the first few exit codes that I can keep in mind?
There was a problem hiding this comment.
Nah, I said 2 because 1 is used for the rest of errors, so just to use a different one for errors which are from responses. It's completely arbitrary...
There was a problem hiding this comment.
Gotcha, good to know. We should document that somewhere for any users who might want to distinguish between to the two.
|
@ZenGround0 Ah, dope, thanks for the tip :) |
dgrisham
force-pushed
the
feat/api-basic-auth
branch
2 times, most recently
from
6f320de
to
2ac98dd
Compare
dgrisham
force-pushed
the
feat/api-basic-auth
branch
from
2ac98dd
to
25a910f
Compare
|
@hsanjuan Tests passing! Let me know if there are any other changes you think I should make. |
|
@hsanjuan Don't merge this quite yet, there are a couple of sharness tests I want to add first. |
ghost
removed
the
@hsanjuan Here's a start to the BasicAuth implementation. Todos:
-c <username>:<password>flagCLUSTER_CREDENTIALS="<username>:<password>"