-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use proxy (if provided) for OIDC configuration #422
Conversation
alpine-server/src/main/java/alpine/server/auth/OidcConfigurationResolver.java
Outdated
Show resolved
Hide resolved
|
Hi @stevespringett, I don't really know how you usually handle your PRs, so allow me to notify you on this one. Happy to help if needed, don't hesitate to ask. |
@nscuro any input? |
Thanks for the PR @zgael! The same will need to be done for the We should also consider Moreover, I think we need to support the standard |
Certainly. If its common then it makes sense to move it here. |
Factorize proxy code as it is now used in two places. Take into account NO_PROXY variable (following curl behavior)
Hi @nscuro, thanks for pointing out what I missed in OidcUserInfoAuthenticator, nice catch. Took me some time, but I just pushed another version to take your remarks into account :
I tried writing unit tests to check the proxy logic was working as intended, but it seemed to me it was a bit annoying to mock the config while I was not passing it as parameter of my new class (OidcProxyHelper). |
@nscuro Any news on this topic ? |
@zgael Apologies for the long delay, I'll have a look in the next few days. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall this looks good, but I'd like to get a consistent proxy behavior with how DT does it. I don't think we should maintain such logic in both DT and Alpine.
String proxyHost = Config.getInstance().getProperty(Config.AlpineKey.HTTP_PROXY_ADDRESS); | ||
String proxyPort = Config.getInstance().getProperty(Config.AlpineKey.HTTP_PROXY_PORT); | ||
String noProxy = Config.getInstance().getProperty(Config.AlpineKey.NO_PROXY); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will only take the Alpine config into account (ALPINE_HTTP_PROXY_ADDRESS
etc.), but not the "standard" way of configuring proxies (http_proxy
etc.).
We need to support both ways, in a way that is consistent with how DT is doing it. I've gone ahead and ported the logic from DT to Alpine in #456, as I suggested in #422 (comment). Once merged, you'll be able to do this:
final var proxyCfg = ProxyUtil.getProxyConfig();
if (proxyCfg.shouldProxy(configURL)) {
return new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyCfg.getHost(), proxyCfg.getPort()));
}
return false; | ||
} | ||
for (String noProxyHost : noProxy.split(",") ) { | ||
if ("*".equals(noProxyHost)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
YodaCondition: The non-constant portion of an equals check generally comes first.
if ("*".equals(noProxyHost)) { | |
if (Objects.equals(noProxyHost, "*")) { |
ℹ️ Expand to see all @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
Command | Usage |
---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Help us improve LIFT! (Sonatype LiftBot external survey)
Was this a good recommendation for you? Answering this survey will not impact your Lift settings.
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
🛠 Lift Auto-fixSome of the Lift findings in this PR can be automatically fixed. You can download and apply these changes in your local project directory of your branch to review the suggestions before committing.1 # Download the patch
curl https://lift.sonatype.com/api/patch/github.com/stevespringett/Alpine/422.diff -o lift-autofixes.diff
# Apply the patch with git
git apply lift-autofixes.diff
# Review the changes
git diff Want it all in a single command? Open a terminal in your project's directory and copy and paste the following command: curl https://lift.sonatype.com/api/patch/github.com/stevespringett/Alpine/422.diff | git apply Once you're satisfied, commit and push your changes in your project. Footnotes |
As discussed in Dependency Track boards, proxies are not supported for OIDC configuration.
As the feature involves multiple projects :
there is not one obivous place where the fix should be done.
I chose to perform everything inside this project as it is closely related to Dependency Track (where the issue is blocking).
Change summary : Instead of calling directly oauth-sdk's resolve OIDC config method, I chose to split it in two steps (that are actually performed internally by the function) :
Feel free to discuss, ask questions, request changes if necessary.