Support custom Authorization header

[bmbouter]

Summary

As a user I can submit a custom header auth token.

Background

There is an auth style used on console.redhat.com which involves using long-lived credentials to then fetch a hours-long credential that is a Bearer style token. That Bearer token would need to be used by pulp-cli to access a Pulp install on console.redhat.com

Examples

It would be great if somehow the CLI could be configured with a Bearer token to submit a header like: Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

We'll wrap the CLI took with a script to do the fetching of this and save it in an environment variable. It would be great if we could just pass this header name and value (or just value?) to the CLI with each call. We want to avoid having to save it into a config file because we'll have to update that file every few hours then.

[bmbouter]

Specific proposal, add a -H and --header option like curl has. Here's an example:

pulp -H "Authorization: Bearer YourAccessToken" file repository create --name file_repo1

[ggainey]

The fast-path would be to expand on the setup here https://github.com/pulp/pulp-cli/blob/main/pulp-glue/pulp_glue/common/openapi.py#L105 I think

[mdellweg]

This is meant for the cli to be used with a special authentication mechanism?
Let's implement that one as a subclass of requests.auth.AuthBase.

In what kind of a process do you expect this variable to be persisted? You are not trying to use the cli as library for scripting, are you?

[bmbouter]

This is meant for the cli to be used with a special authentication mechanism? Let's implement that one as a subclass of requests.auth.AuthBase.

Yes it's for a different auth mechanism. It's a Bearer style token that gets put into the Authorization header. Got a link to an example of a subclass like that?

In what kind of a process do you expect this variable to be persisted? You are not trying to use the cli as library for scripting, are you?

I imagined a bash variable so we'd be scripting using bash.

[mdellweg]

I imagined a bash variable so we'd be scripting using bash.

I was afraid of that. Can't you script using pulp-glue directly? I believe that would be better suited.

Got a link to an example of a subclass like that?

Tons thereof:
https://github.com/psf/requests/blob/main/src/requests/auth.py#L99

[bmbouter]

Thanks for the examples. Where would one merge that subclass to pulp-glue, pulp-cli, requests? Also how in either pulp-glue or pulp-cli would one take an argument and then pass it to this subclass? Is there an example of something like that?

I can't tell if we are saying to do things the same way or not. From a high level the usage would be like:

1. A user (not me personally) passes in data to pulp-cli via command line args.
2. That calls some Python code which maybe we can make do more or less of the work.
3. The requests pulp-cli emits have the correct Authorization header on them.

Help me understand if we're thinking similarly or not please. I can't tell.

[mdellweg]

Glue uses requests. And we can easily pass any "auth" class requests can handle to glue. (There's a PR open that will bring that interface.)

So when we want to use that auth mechanism, we need to "login" at a certain api to get the header token. Then we can use that until it's expired. So eventually, we will fail and a that point, we kind of need a way to "relogin" and retry. Or should we fail and abort any pending operation?
Now for these questions it is really important to distinguish between interactive (cli) or scripted (library) use.
In interactive operation, it might be possible to ask the user for a password again in the middle of a call, but we'd probably want to persist the token on disk for subsequent calls (separate processses).
When scripting a workflow for automation however, you may need to provide the credentials in completely different ways (e.g. a vault).

[decko]

Glue uses requests. And we can easily pass any "auth" class requests can handle to glue. (There's a PR open that will bring that interface.)

Do you have a link to the PR? (would be #882 by any means?)