feat(client): Use requests AuthBase classes #2595
Conversation
uda
force-pushed
the
use-requests-auth-classes
branch
3 times, most recently
from
8a5226e
to
4ffaa1c
Compare
This comment was marked as resolved.
This comment was marked as resolved.
uda
changed the title
uda
changed the title
Codecov Report
@@ Coverage Diff @@
## main #2595 +/- ##
==========================================
+ Coverage 87.99% 96.36% +8.37%
==========================================
Files 87 87
Lines 5656 5674 +18
==========================================
+ Hits 4977 5468 +491
+ Misses 679 206 -473
Flags with carried forward coverage won't be shown. Click here to find out more.
|
uda
changed the title
If it helps get things done, sure! We'll just have to make sure later we get the same behavior once we refactor if needed. |
There was a problem hiding this comment.
Thanks a lot for looking into this @uda!
I had another look and had a few ideas for the inheritance/typing issues (as well as a silly naming idea).
This does however break the behavior when credentials are set using environment variables and a user wants to set netrc to override that (username / password should be discouraged, but users have better ideas...), for example, running in the CI the CI_JOB_TOKEN is set it will prevent the netrc creds from being loaded, instead of the old API logic (as can seen in the tests changes)
Just to clarify, people cannot use netrc with passwords for the GitLab API for basic auth, as that's been disabled for years (see my other comment). They might be using .netrc with tokens as a way to have technology-agnostic auth stored locally (e.g. for API, git over https and packages). But I agree that's still plain-text on a machine. I've seen these used in CI for this purpose though, so maybe we can add a breaking change trailer for this once we're done, or document and test it.
uda
force-pushed
the
use-requests-auth-classes
branch
from
31d1f6a
to
e2cda40
Compare
|
Let me know when you want to merge and I'll rebase, so I don't chase my tail rebasing 😄 |
nejch
force-pushed
the
use-requests-auth-classes
branch
from
e2cda40
to
8131e6b
Compare
|
Sorry for keeping this open for so long @uda. I can maybe add a final push here so you don't need to go through the back and forth, but I basically want to check the new netrc behavior and maybe test it. From what I can tell from requests code, when explicitly providing auth, netrc is completely ignored, so we can document this as a breaking change. We'll get this merged though :) |
BREAKING CHANGE: python-gitlab now explicitly passes auth to requests, meaning it will only read netrc credentials if no token is provided, fixing a bug where netrc credentials took precedence over OAuth tokens. This also affects the CLI, where all environment variables now take precedence over netrc files.
nejch
force-pushed
the
use-requests-auth-classes
branch
from
8131e6b
to
c34adaf
Compare
Added some tests and docs, as the behavior has changed. |
Changes
Use Private / Job / OAuth token auth classes based on requests'
AuthBaseclass to provide an encapsulated mechanism for passing authentication credentials.Additionally this helps with #2425 since we always pass the
authargument, so unless hitting redirects requests should always prefer the passed token over netrc credentials.This does however break the behavior when credentials are set using environment variables and a user wants to set
netrcto override that (username / password should be discouraged, but users have better ideas...), for example, running in the CI theCI_JOB_TOKENis set it will prevent the netrc creds from being loaded, instead of the old API logic (as can seen in the tests changes)Documentation and testing
This changes internal implementation by leveraging standard
requestsmechanisms, if the tests cover this part, they should succeed or fail the same way they did before.Update: I misunderstood the logic re. token precedence and assumed, after rewriting the tests I got the logic