bodhi icon indicating copy to clipboard operation
bodhi copied to clipboard

Published 20 hours ago verified publisher icon fedora-infra

Provide Kerberos client authentication via OIDC

Open TomasTomecek opened this issue 2 years ago • 11 comments

Fixes #4588

TomasTomecek avatar Jun 27 '22 13:06 TomasTomecek

Oh one last thing, please run pre-commit install so that our hooks run on commit, this should take care of one of the CI errors.

abompard avatar Jul 05 '22 08:07 abompard

@abompard thank you for a thorough review! I will first address #4603 and then resolve comments here, I hope I'll finish by the end of the week.

TomasTomecek avatar Jul 13 '22 13:07 TomasTomecek

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset. Warning: Error merging github.com/fedora-infra/bodhi for 4602,0f41ffa5f07aea75a25a84e65dccc85eb1ecb125

softwarefactory-project-zuul[bot] avatar Jul 15 '22 13:07 softwarefactory-project-zuul[bot] 

bodhi/client/oidcclient.py     165      0   100%

:)

TomasTomecek avatar Jul 15 '22 13:07 TomasTomecek

Thanks for the contribution, it looks great!

I am not entirely sure that this code should be in the oidcclient.py module, as I intended for this module to be a pure OIDC client that we could one day publish standalone for other apps to use, and Kerberos authentication isn't really part of OIDC. That said, a Kerberos-capable OIDC client would be useful to other Fedora apps too, so it may indeed be the right place. I need to think about it a bit more, but wherever the code ends up living will not change the API in BodhiClient, so we can merge this and decide later.

I'm happy to send that code to a more generic library: this is really up to you :)

Do you think it would be relevant to try to login with kerberos systematically, and fall back to regular login if it fails? I think it would be pretty cool for both apps and users, no? Maybe then add a flag to the login method to disable the regular browser-based login, so that apps don't get blocked in an interactive process if they don't expect it. What do you think?

That's an excellent idea & I was thinking about it too. It should be implemented now.

Also, please add a release notes fragment as described here

👍

Edit: CI tests now fail on requests-kerberos not being present: where should I specify this dependency?

TomasTomecek avatar Jul 15 '22 13:07 TomasTomecek

This pull request introduces 1 alert when merging 857237dbc56eda5fa8c0827085b11e4ccd8700f6 into bc74709c52fde1e16041c2c1bd087d86a11c7c2e - view on LGTM.com

new alerts:

  • 1 for Module is imported with 'import' and 'import from'

lgtm-com[bot] avatar Jul 15 '22 14:07 lgtm-com[bot]

Edit: CI tests now fail on requests-kerberos not being present: where should I specify this dependency?

In devel/ci/Dockerfile-*

abompard avatar Jul 15 '22 14:07 abompard

Edit: CI tests now fail on requests-kerberos not being present: where should I specify this dependency?

In devel/ci/Dockerfile-*

Shouldn't that be added as a dependency to bodhi-client in the pyproject file?

mattiaverga avatar Jul 15 '22 17:07 mattiaverga

Shouldn't that be added as a dependency to bodhi-client in the pyproject file?

Indeed, but it's been added already.

abompard avatar Jul 17 '22 15:07 abompard

This pull request introduces 1 alert when merging f8abd0136e1f5444d255d5096e463aabf5b01069 into bc74709c52fde1e16041c2c1bd087d86a11c7c2e - view on LGTM.com

new alerts:

  • 1 for Module is imported with 'import' and 'import from'

lgtm-com[bot] avatar Jul 18 '22 08:07 lgtm-com[bot]

This pull request introduces 1 alert when merging a484119bfaf1c57b84eb3f161b53726f363a4f81 into bc74709c52fde1e16041c2c1bd087d86a11c7c2e - view on LGTM.com

new alerts:

  • 1 for Module is imported with 'import' and 'import from'

lgtm-com[bot] avatar Jul 18 '22 08:07 lgtm-com[bot]

Shouldn't that be added as a dependency to bodhi-client in the pyproject file?

It's been added there already, no? Message ID: @.***>

abompard avatar Oct 11 '22 07:10 abompard

rebased

TomasTomecek avatar Oct 12 '22 13:10 TomasTomecek

This pull request introduces 1 alert when merging cd2511c80b3d8f61f28560b9baea1e1c18b25e29 into aed01123ad2c2b7f80a24663f048fda6ed7179a3 - view on LGTM.com

new alerts:

  • 1 for Module is imported with 'import' and 'import from'

lgtm-com[bot] avatar Oct 12 '22 13:10 lgtm-com[bot]

Thanks! As nitpicker-in-chief there are a couple things I would have done differently as to where the methods are located, I'm going to push a commit to your PR so that we can talk on something concrete.

abompard avatar Oct 12 '22 14:10 abompard

Thanks! As nitpicker-in-chief there are a couple things I would have done differently as to where the methods are located, I'm going to push a commit to your PR so that we can talk on something concrete.

it's your codebase, so please advise :)

TomasTomecek avatar Oct 13 '22 07:10 TomasTomecek

So, I've made a few changes, the most visible one is that you no longer have to instantiate BodhiClient with use_kerberos_auth=True, it will always try it (and fallback to browser-based auth if it fails).

Could you try this change with your code please?

abompard avatar Oct 13 '22 09:10 abompard

@abompard thank you! I will try and report my findings here

TomasTomecek avatar Oct 13 '22 10:10 TomasTomecek

I can confirm your changes work just fine :)

> /home/tt/g/packit/packit/packit/utils/bodhi.py(61)__init__()                                                                                                                                                                              
     60             import ipdb; ipdb.set_trace()
---> 61             self.oidc.login(use_kerberos=True)
     62             # in our openshift deployment, ~/.config is not writable, but $HOME is

ipdb> n
Login successful!

TomasTomecek avatar Oct 14 '22 12:10 TomasTomecek