This repository has been archived by the owner on Dec 7, 2022. It is now read-only.

Add JWT token auth #3109

Merged
merged 1 commit into from
Oct 11, 2017

fdobrovolny
Contributor

@pep8speaks

pep8speaks commented Jul 27, 2017

Hello @BrnoPCmaniak! Thanks for updating the PR.

Cheers ! There are no PEP8 issues in this Pull Request. 🍻

Comment last updated on September 25, 2017 at 16:40 Hours UTC

@fdobrovolny fdobrovolny force-pushed the JWT_token branch 5 times, most recently from 50110fe to e47ccc8 Compare July 27, 2017 19:53
from datetime import datetime, timedelta


def generate_token_offline(username, jwt_secret, exp_delta=timedelta(days=14)):
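Review bot: the default `exp_delta=timedelta(days=14)` in the `generate_token_offline` signature means anyone copying this documented helper issues two-week tokens unless they pass their own value; consider a shorter default, or a sentence beside the example telling users to choose the lifetime deliberately. The docs should also say how `jwt_secret` is expected to be stored and handled, since the signature shows that whoever holds it can produce a token for the given `username`.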
Member

The requirement we heard from users is that they want to generate tokens without having Pulp installed, so I think this function should go away and we need docs describing from a high level about how users can generate the JWT using non-pulp tools. Does that make any sense? I could also not be understanding this.

Member

ohhhhh this is in a Python codeblock and isn't actual code. This is perfect. Thank you!

@fdobrovolny fdobrovolny force-pushed the JWT_token branch 4 times, most recently from 2e7f8a9 to b4339ca Compare July 27, 2017 20:51
@mikeadamz

Let me know if you need help with this, I've recently spent a bunch of time implementing JWT elsewhere.

@bmbouter
Member

bmbouter commented Aug 5, 2017

@mikeadamz Some help testing would be ideal. Overall we're looking for this PR to fulfill the use cases of the authentication portion of the MVP. Getting a Pulp3 vagrant environment going is what I recommend to test out pulp. Also here are some Pulp3 dev notes we maintain on the wiki.

bmbouter pushed a commit to bmbouter/pulp that referenced this pull request Aug 15, 2017
This contains the changes to the default HTTP adapter for the requests
library proposed in GitHub pull request pulp#3109. Note that at this time,
that pull request has not been accepted and is subject to change. In
addition to the modified adapter, the Pulp streamer (and only the Pulp
streamer) has been changed to use this adapter.

Note this fix only works if urllib-1.16+ is used in conjunction with
requests.

closes pulp#1788
@fdobrovolny
Contributor Author

The doc failure will be solved when pulp/pulp-ci#428 is merged.


For using JWT tokens you have to set ``Authorization`` header as follows:
::
Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTAyMzgzMDExfQ.3ZpcclxV6hN8ui2HUbwXLJsHl2lhesiCPeDVV2GIbJg
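Review bot: the `Authorization: JWT eyJ0eXAi...` line puts a complete signed token in the documentation, and its payload segment base64-decodes to the username `admin` plus an `exp` claim; use a placeholder such as `Authorization: JWT <token>` so that nothing resembling a usable credential ships in the docs. One sentence here stating that the payload is only encoded, not encrypted, would also help readers avoid putting sensitive data in claims.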
Contributor

@daviddavis daviddavis Sep 11, 2017

Why are you using JWT here? Typically I see Bearer being used like on the jwt.io site.

Contributor Author

@fdobrovolny fdobrovolny Sep 15, 2017

@daviddavis It's the default value from the library. They decided to use JWT instead of Bearer, which they originally used, to maintain compatibility with django-oauth2-provider, which also uses it. Source: jpadilla/django-rest-framework-jwt#4

@daviddavis
Contributor

A couple observations from testing. First, I assumed I could get a jwt token by using basic auth. However, it looks like I have to POST username and password. I think it would be handy to be able to use basic auth to get a jwt (but maybe not?). Maybe we can open a plan.io issue and worry about it later.

Also, I get a 401 response when using an outdated jwt token (which I expect) but also a weird "Error decoding signature" error in the response body:

$ http -v --auth-type jwt get :8000/api/v3/repositories/                                                                                                                              
GET /api/v3/repositories/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTA2Mzc1NTE3fQ.JoS2KFN7rj22PSZJAjf7F1tIKF4RroJWhFLf7zvL7ro
Connection: keep-alive
Host: localhost:8000
User-Agent: HTTPie/0.9.9



HTTP/1.0 401 Unauthorized
Allow: GET, POST, HEAD, OPTIONS
Content-Length: 38
Content-Type: application/json
Date: Mon, 11 Sep 2017 21:56:45 GMT
Server: WSGIServer/0.2 CPython/3.5.4
Vary: Accept
WWW-Authenticate: JWT realm="api"
X-Frame-Options: SAMEORIGIN

{
    "detail": "Error decoding signature."
}

For basic auth when I use a bad username/password, I get something more expected:

{
    "detail": "Invalid username/password."
}

Other than that, everything seems to work well. 👍
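
The comment above contrasts a token whose signature does not verify with one that has simply expired, and an earlier review comment asks how users can generate tokens without Pulp installed. The example below is an added illustration covering both, not code from this PR, from Pulp or from django-rest-framework-jwt. It uses only the Python standard library; the secret, the function names and every detail string other than "Error decoding signature." are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data):
    """URL-safe base64 without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def make_token(username, secret, lifetime=3600, now=None):
    """Build an HS256 token with the claims seen on this page: username and exp."""
    now = int(time.time()) if now is None else now
    dump = lambda obj: _b64(json.dumps(obj, separators=(",", ":")).encode())
    body = dump({"typ": "JWT", "alg": "HS256"}) + "." + dump(
        {"username": username, "exp": now + lifetime})
    return body + "." + _b64(_sign(secret, body))


def check_token(token, secret, now=None):
    """Return (ok, detail). The signature is verified before any claim is read."""
    now = int(time.time()) if now is None else now
    try:
        head, payload, sig = token.split(".")
        header = json.loads(_unb64(head))
        given = _unb64(sig)
    except ValueError:
        return False, "Malformed token."
    # Pin the algorithm on the server side; never let the header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "Unsupported algorithm."
    if not hmac.compare_digest(given, _sign(secret, head + "." + payload)):
        return False, "Error decoding signature."
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:  # illustrative message, not the library's
        return False, "Signature has expired."
    return True, claims.get("username")
```

The token returned by `make_token` is sent as `Authorization: JWT <token>`, matching the header scheme documented in this PR.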

@fdobrovolny
Contributor Author

@daviddavis It was in the original MVP, but then we decided not to include it to maximize the usage of the library vs rewriting it. I wasn't present for the decision so I'm not exactly sure. You can read more on it here: https://pulp.plan.io/issues/2359#note-11

@fdobrovolny
Contributor Author

ok test

@fdobrovolny
Contributor Author

@daviddavis @bmbouter I changed the error message and even fixed a bug which I didn't know about (when a user that no longer exists tries to log in), but I have to add a few things so if you could re-review it would be great.

@daviddavis
Contributor

Retested and it works 👍

Any clue on the docs failure?

@bmbouter
Member

bmbouter commented Oct 3, 2017

The docs builder error is that the jwt library is not installed in the docs building environment. That environment is bootstrapped on each Jenkins slave here.

It looks like python3 is being used to build all docs environments. Adding jwt in as a dependency to install in that environment is probably what we need to do. The best thing to do is to have the setup.py build the environment so that we can stay DRY on these deps, but there are several issues preventing that from being done including:

  1. That job runs both pulp2 and pulp3 jobs and only pulp3 has the setup.py that names its required Python deps
  2. We would need the docs builder that builds nightly to build from source, but we would need the docs builder for PRs to build from the branch of the PR. Only that branch would have the updated setup.py change needed to have the docs builder pass.

For all of ^ reasons, I recommend:

  1. Add and merge jwt as a dependency for all docs build environments here.
  2. rebuild these docs by force pushing a meaningless change.
  3. Merge this after docs builders are happy.

@bmbouter
Member

bmbouter commented Oct 3, 2017

I posted a PR that should fix the doc builders here: pulp/pulp-ci#434

@bmbouter
Member

bmbouter commented Oct 3, 2017

ok test

@@ -0,0 +1,9 @@
pulp.app.auth
Member

I think these need to be s/pulp/pulpcore/ right? Also the indentation needs to line up too (iirc).


.. automodule:: pulpcore.app.auth

pulp.app.auth.jwt
Member

Same comments here as above.

@bmbouter
Member

bmbouter commented Oct 3, 2017

ok test

@bmbouter
Member

bmbouter commented Oct 4, 2017

I applied the changes to pulp_packaging and pushed them to Jenkins with JJB. One more test will show if it all works for realz.

@bmbouter
Member

bmbouter commented Oct 4, 2017

ok test

@bmbouter
Member

bmbouter commented Oct 4, 2017

The latest test passed so this is good to merge. @BrnoPCmaniak I think this is good to merge. It's pretty sweet so consider identifying that it's merged via a short note to pulp-dev and linking to the nightly docs whenever they get built.

@fdobrovolny fdobrovolny merged commit 6f37fb6 into pulp:3.0-dev Oct 11, 2017
@fdobrovolny fdobrovolny deleted the JWT_token branch October 11, 2017 12:53