-
Notifications
You must be signed in to change notification settings - Fork 643
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(client): Use requests AuthBase classes #2595
Conversation
8a5226e
to
4ffaa1c
Compare
This comment was marked as resolved.
This comment was marked as resolved.
Codecov Report
@@ Coverage Diff @@
## main #2595 +/- ##
==========================================
+ Coverage 87.99% 96.36% +8.37%
==========================================
Files 87 87
Lines 5656 5674 +18
==========================================
+ Hits 4977 5468 +491
+ Misses 679 206 -473
Flags with carried forward coverage won't be shown. Click here to find out more.
|
If it helps get things done, sure! We'll just have to make sure later we get the same behavior once we refactor if needed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot for looking into this @uda!
I had another look and had a few ideas for the inheritance/typing issues (as well as a silly naming idea).
This does however break the behavior when credentials are set using environment variables and a user wants to set netrc to override that (username / password should be discouraged, but users have better ideas...), for example, running in the CI the CI_JOB_TOKEN is set it will prevent the netrc creds from being loaded, instead of the old API logic (as can seen in the tests changes)
Just to clarify, people cannot use netrc with passwords for the GitLab API for basic auth, as that's been disabled for years (see my other comment). They might be using .netrc
with tokens as a way to have technology-agnostic auth stored locally (e.g. for API, git over https and packages). But I agree that's still plain-text on a machine. I've seen these used in CI for this purpose though, so maybe we can add a breaking change trailer for this once we're done, or document and test it.
31d1f6a
to
e2cda40
Compare
Let me know when you want to merge and I'll rebase, so I don't chase my tail rebasing 😄 |
e2cda40
to
8131e6b
Compare
Sorry for keeping this open for so long @uda. I can maybe add a final push here so you don't need to go through the back and forth, but I basically want to check the new netrc behavior and maybe test it. From what I can tell from requests code, when explicitly providing auth, netrc is completely ignored, so we can document this as a breaking change. We'll get this merged though :) |
BREAKING CHANGE: python-gitlab now explicitly passes auth to requests, meaning it will only read netrc credentials if no token is provided, fixing a bug where netrc credentials took precedence over OAuth tokens. This also affects the CLI, where all environment variables now take precedence over netrc files.
8131e6b
to
c34adaf
Compare
Added some tests and docs, as the behavior has changed. |
Changes
Use Private / Job / OAuth token auth classes based on requests'
AuthBase
class to provide an encapsulated mechanism for passing authentication credentials.Additionally this helps with #2425 since we always pass the
auth
argument, so unless hitting redirects requests should always prefer the passed token over netrc credentials.This does however break the behavior when credentials are set using environment variables and a user wants to set
netrc
to override that (username / password should be discouraged, but users have better ideas...), for example, running in the CI theCI_JOB_TOKEN
is set it will prevent the netrc creds from being loaded, instead of the old API logic (as can seen in the tests changes)Documentation and testing
This changes internal implementation by leveraging standard
requests
mechanisms, if the tests cover this part, they should succeed or fail the same way they did before.Update: I misunderstood the logic re. token precedence and assumed, after rewriting the tests I got the logic