oc login: Show tokenURL message if only IDP is basic and user has not provided username

[sallyom]

• If a user provides oc login -u anything, try for basic auth prompt.
• If only password IDP available, and no username was provided, show the tokenURL message instead of basic auth prompt.

[sallyom]

/assign @soltysh
/cc @stlaz

this is a guess as to what should happen

[soltysh]

I don't think this is a good approach, b/c you're basically forcing username to be passed to pick basic auth. I was rather imagining that when you get information from the server about supported auth methods, and if only basic you'd go with that always. But when more than basic is present always prefer the other one. @stlaz might help you with that and I think that's what @smarterclayton had in mind

[soltysh]

The actual response you're faking here is coming from oauth-server, from here: https://github.com/openshift/oauth-server/blob/dcbeb48c9cedcf0827629556f1e6cdb8538d4ebe/pkg/authenticator/challenger/placeholderchallenger/placeholder_challenger.go#L24

[sallyom]

The actual response you're faking here is coming from oauth-server, from here: https://github.com/openshift/oauth-server/blob/dcbeb48c9cedcf0827629556f1e6cdb8538d4ebe/pkg/authenticator/challenger/placeholderchallenger/placeholder_challenger.go#L2

I saw that, ok - i'll rework this.

[sallyom]

I don't think this is a good approach, b/c you're basically forcing username to be passed to pick basic auth. I was rather imagining that when you get information from the server about supported auth methods, and if only basic you'd go with that always. But when more than basic is present always prefer the other one. @stlaz might help you with that and I think that's what @smarterclayton had in mind

I've reworked this:
Change in openshift/oauth-server to mark the bootstrap basic auth with realm "bootstrap" (as @stlaz and I discussed via slack). Here in oc if bootstrap basic challenge and no other password IDP & no username passed, then show the tokenURL.

[sallyom]

/test e2e-cmd

[stlaz]

you're also going to have to improve

oc/pkg/helpers/tokencmd/basicauth.go

Line 115 in ea0d540

func basicRealm(headers http.Header) (bool, string) {

so that it prefers non-kubeadmin realms

[sallyom]

@stlaz pt-another-l, thanks

[stlaz]

is there any specific code that will handle the warning received from the oauth-server? I couldn't find where the message about the token URL is actually printed in the case of the placeholderchallenger on the oauth-server side

[sallyom]

@stlaz, updated this PR, I fixed all the issues and added unit tests. I have a question about the basic no realm see above. thanks again for your review.

[sallyom]

@stlaz ptal at the unit test changes, head is spinning w/ those, thank you : )

[stlaz]

_, ok := err.(*basicNoUsername)
return ok

or export the error an inline it?

[sallyom]

done, exported/inline, thanks!

[soltysh]

/approve
there are some nits from Standa left, so I'm leaving him final tag

[stlaz]

Needs further improvements and refactoring due to the changes of basic challenge handler.

The test case changes seem wrong -> you can add more but keep the behavior of the old tests. Unless I missed anything, the old tests weren't prompting for password only so just do that instead of turning them into negative tests.

[stlaz]

/hold
to prevent random lgtms :)

[soltysh]

@sallyom can this be changed to half-interactive when you pass username it should still ask you for a password, or we have one covering that case?

[sallyom]

this can be omitted, as the one above covers that, it's "interactive challenge with default user"

[soltysh]

👍

[sallyom]

@stlaz I've updated all test cases, i think you can remove the hold now, and thanks

[stlaz]

nits only \o/

The PR looks good to me now

[stlaz]

godoc please :)

[sallyom]

added!

[stlaz]

// BasicAuthNoUsernameError is an error that means that basic authentication challenge handling was attempted but the required username was not provided from the command line options

• rename to BasicAuthNoUsernameError

[sallyom]

updated, much better, thanks

[stlaz]

/hold cancel

[stlaz]

last nits, I promise

[stlaz]

// BasicAuthNoUsernameError is an error that means that basic authentication challenge handling was attempted but the required username was not provided from the command line options

• rename to BasicAuthNoUsernameError

[stlaz]

NewBasicAuthNoUsernameError()

[sallyom]

yes, much better, updated : )

Also, in request_token.go, updated BasicNoUsernameMessage to BasicAuthNoUsernameMessage

[stlaz]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sallyom, soltysh, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [soltysh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment