(feat) add ability to allow anonymous usage mode based on "auth.public" site config and "allow-anonymous-usage" license tag #52440
@@ -16,6 +16,9 @@ const ( | |||
InternalTag = "internal" | |||
// DevTag denotes licenses used in development environments | |||
DevTag = "dev" | |||
// AllowAnonymousUsageTag denotes licenses that allow anonymous usage, a.k.a public access to the instance | |||
// Warning: This should be used with care and only at special, probably trial/poc stages with customers | |||
AllowAnonymousUsageTag = "allow-anonymous-usage" |
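Review bot: the doc comment on AllowAnonymousUsageTag says the tag allows public access but does not say that it works together with the "auth.public" site config named in the PR title. Stating that pairing in the comment would keep a reader from assuming the tag alone opens the instance, and the warning line would be more useful if it said who is expected to issue such a license rather than only "used with care".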
FYI: this is a new special license tag that is required to allow auth.public site config to take effect.
Codenotify: Notifying subscribers in CODENOTIFY files for diff 35c3b8f...89fa487.
|
func (svc) Start(ctx context.Context, observationCtx *observation.Context, ready service.ReadyFunc, config env.Config) error { | ||
return frontend_shared.CLIMain(ctx, observationCtx, ready, EnterpriseSetupHook) | ||
return frontend_shared.CLIMain(ctx, observationCtx, ready, EnterpriseSetupHook, extraContextMiddleware) |
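Review bot: on the CLIMain call, extraContextMiddleware is added as a fifth positional argument with no visible documentation of its contract. It is worth documenting what happens when a caller passes nil or the middleware never runs, and making sure the access check that reads its context values treats a missing value as deny.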
FYI: I had to create an extra middleware that is passed from enterprise code, which will set certain context values. This is used because currently the code which controls access is in regular oss code, whereas licensing is located in enterprise. So enterprise talks to main access control logic via context.
Perhaps not the nicest code, but this is the only easy way if we want to guard this new feature based on license tags. Other proper ways will require way more refactoring, which I don't think is worth it.
@kopancek, I found a better approach using existing auth.RegisterMiddlewares instead of drilling down new extra middleware argument 🙌. Also, added unit tests. I would appreciate it if you could re-take a look.
The approach looks good to me, would add some tests for the changed logic, especially the AllowAnonymousRequest and the new middleware.
cmd/frontend/auth/non_public.go
Outdated
if checkAllowAnonymousRequest(req) { | ||
return true | ||
} | ||
|
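Review bot: the early `return true` on checkAllowAnonymousRequest(req) is an allow decision placed inside the authentication gate, so its fail-closed behaviour deserves a test: a request for which no license information is available should fall through to the remaining clauses rather than be allowed. A short comment above the clause naming the conditions it depends on would also help, since the function name does not show them.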
Should we combine this with the other clauses? Also it seems like checkAllowAnonymousRequest is already doing the conf.AuthPublic check... E.g. something like:
if checkAllowAnonymousRequest(req) { | |
return true | |
} | |
return checkAllowAnonymousRequest(req) || strings.HasPrefix(req.URL.Path, "/.assets/") || defaultCode |
Personally, I like to keep clauses separate for simplicity purposes, as combining them will make reading it harder. Besides all the rest of the existing clauses follow the same convention of being separate.
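The pattern discussed in this thread (enterprise middleware records the license decision in the request context, and the access check reads it alongside auth.public) can be sketched as follows. This is an added example, not code from this PR or from Sourcegraph; `withLicenseFlag`, `allowAnonymous`, `statusFor`, `anonKey` and the two package variables are hypothetical names, and the license and config values are constructed stand-ins.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// anonKey is an unexported key type, so no other package can set or spoof the flag.
type anonKey struct{}

// Constructed stand-ins for the license's tags and the "auth.public" site config.
var licenseTags = []string{"dev", "allow-anonymous-usage"}
var authPublic = true

// withLicenseFlag is the enterprise-side middleware: it stores the license decision in the context.
func withLicenseFlag(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tagged := false
		for _, t := range licenseTags {
			tagged = tagged || t == "allow-anonymous-usage"
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), anonKey{}, tagged)))
	})
}

// allowAnonymous is the access-control check. It fails closed: a missing or
// wrongly typed context value (middleware never ran) counts as "not allowed".
func allowAnonymous(r *http.Request) bool {
	tagged, ok := r.Context().Value(anonKey{}).(bool)
	return ok && tagged && authPublic
}

// statusFor sends one unauthenticated request through the gate and returns the HTTP status.
func statusFor(enterprise bool) int {
	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowAnonymous(r) {
			w.WriteHeader(http.StatusUnauthorized)
		}
	})
	if enterprise {
		h = withLicenseFlag(h)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/search", nil))
	return rec.Code
}

func main() { fmt.Println(statusFor(true), statusFor(false)) }
```

Anonymous access needs both inputs to be true; removing the tag, turning off the config flag, or skipping the middleware each yields 401.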
The backport to
To backport manually, run these commands in your terminal:
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-5.0 5.0
# Navigate to the new working tree
cd .worktrees/backport-5.0
# Create a new branch
git switch --create backport-52440-to-5.0
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d8a8e5bedb08073227ac01589c3eafa4268ec590
# Push it to GitHub
git push --set-upstream origin backport-52440-to-5.0
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-5.0
Then, create a pull request where the
… on "auth.publi… (#52506)
Closes #52439. Original PR #52440.
## Test plan
- `sg start dotcom` and generate license with `allow-anonymous-usage` tag
- Restart in enterprise mode `sg start enterprise` and set newly created license
- Set `auth.public=true` in site config
- Check that instance allows searching and browsing public repositories
## Demo
https://github.com/sourcegraph/sourcegraph/assets/6717049/344f9b1e-f54a-4148-9bc8-f0f3d3bb4cd7
…c" site config and "allow-anonymous-usage" license tag (#52440)
Closes #52439.
Test plan
sg start dotcom and generate license with allow-anonymous-usage tag
sg start enterprise and set newly created license
auth.public=true in site config
Demo
Screen.Recording.2023-05-25.at.15.18.24.mov