-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement org membership based auth #147
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have had a quick glance and most of these changes look good! There is however a fundamental concern with this approach so I haven't done a full review as it may require some substantial changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a great start! Thanks for getting the ball rolling on this it has been a great help. While going through this PR I noticed some other changes I'd like to make with our existing auth approach so I'll be adding those changes and taking this PR to the finish line. Please don't push any changes!
I've kept the comments I was going to leave to give you some context into the changes I'm making. I recommend also looking at the other changes I make in my commits to see further ways some of the logic here can be improved.
src/commands/login.rs
Outdated
.send()?; | ||
|
||
let device_code_response = device_code_response.json::<DeviceCodeResponse>()?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
.send()?; | |
let device_code_response = device_code_response.json::<DeviceCodeResponse>()?; | |
.send()? | |
.json::<DeviceCodeResponse>()?; |
wally-registry-backend/src/auth.rs
Outdated
@@ -80,11 +96,13 @@ async fn verify_github_token(request: &Request<'_>) -> Outcome<WriteAccess, Erro | |||
}; | |||
|
|||
let client = Client::new(); | |||
|
|||
// The user is in no orgs we can see so we cannot get their userinfo from that. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This comment is confusing and could do with some extra context into why we are doing this.
// The user is in no orgs we can see so we cannot get their userinfo from that. | |
// Users already logged in may not have given us read:org permission so we | |
// need to still support a basic read:user check. | |
// See: https://github.com/UpliftGames/wally/pull/147 | |
// TODO: Eventually we can transition to only using org level oauth |
wally-registry-backend/src/auth.rs
Outdated
Ok(github_info) => { | ||
return Outcome::Success(WriteAccess::Github(GithubWriteAccessInfo { | ||
user: github_info, | ||
token: token, | ||
})); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can use an implicit return here as well field init shorthand for token. Make sure you have rust-analyzer set to give you these hints.
Ok(github_info) => { | |
return Outcome::Success(WriteAccess::Github(GithubWriteAccessInfo { | |
user: github_info, | |
token: token, | |
})); | |
} | |
Ok(github_info) => Outcome::Success(WriteAccess::Github(GithubWriteAccessInfo { | |
user: github_info, | |
token, | |
})), |
wally-registry-backend/src/auth.rs
Outdated
.await; | ||
|
||
let github_org_info = match org_response { | ||
Err(err) => { | ||
return Err(format_err!(err).status(Status::InternalServerError)); | ||
} | ||
Ok(response) => response.json::<Vec<GithubOrgInfo>>().await, | ||
}; | ||
|
||
match github_org_info { | ||
Ok(github_org_info) => match github_org_info.get(0) { | ||
Some(_) => Ok(github_org_info | ||
.iter() | ||
.map(|x| x.organization.login.to_lowercase()) | ||
.collect::<Vec<_>>()), | ||
None => Ok(vec![]), | ||
}, | ||
Err(err) => Err(format_err!("Github auth failed: {}", err).status(Status::Unauthorized)), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As we are returning a result we can use anyhows context trait and ? to simplify this error handling. I'm also not sure exactly what happened at the end here when collecting the user's orgs.
.await; | |
let github_org_info = match org_response { | |
Err(err) => { | |
return Err(format_err!(err).status(Status::InternalServerError)); | |
} | |
Ok(response) => response.json::<Vec<GithubOrgInfo>>().await, | |
}; | |
match github_org_info { | |
Ok(github_org_info) => match github_org_info.get(0) { | |
Some(_) => Ok(github_org_info | |
.iter() | |
.map(|x| x.organization.login.to_lowercase()) | |
.collect::<Vec<_>>()), | |
None => Ok(vec![]), | |
}, | |
Err(err) => Err(format_err!("Github auth failed: {}", err).status(Status::Unauthorized)), | |
.await | |
.context("Github org membership request failed")?; | |
let github_org_info = org_response | |
.json::<Vec<GithubOrgInfo>>() | |
.await | |
.context("Failed to parse github org membership")?; | |
let orgs: Vec<_> = github_org_info | |
.iter() | |
.map(|org_info| org_info.organization.login.to_lowercase()) | |
.collect(); | |
Ok(orgs) |
Note to self... inform users that they may need to login again to get the new oauth scopes. I accidentally deleted the warning :( Also we should probably ensure org scopes are claimed by the org user id so in the event an org is renamed they don't lose ownership. |
Just thought I'd check in on this PR's status, as it doesn't appear to have any active reviews, I think it's a great feature to have. |
* Nightly workflow
* Refactored TempProject into its own module and started on tests * Created test projects with a diamond-graph This will allow us to test the update tool in all expected situations - One dependency added/removed - One dependency updated - Transitive dependencies changed It's also a nice addition for testing any other commands as well. * Added to primary-registry Metadata and zipped up * Built the update subcommand. * Lockfiles need to be written! * Fixed misspelling of dependency_changes * Reverted test_registry arg back to invisible * Changed target_packages to package_specs Clarity? * Downgrading was added as a concept * Added lockfile method to view packages as packageIds * Installs the new packages now, forgor. * No longer throws if missing lockfile It will generate a new one instead based on the manifest. * Clarity on the filtering process for try_to_use * Added needed imports -- they got stashed by accident * Made the clippy happy and fixed grammar mistakes * Delete root from registry They're not packages to be consumed. * Add new tests, almost done with them all so far. * Added the rest of snapshots missing * Testing now works, yay! * Deleted testing code by mistake and forgot snap They say to run your tests before push.. This is why. * Appleasing the formatter Import in the wrong order... Extra newline at the end... * Made it look... *pretty* and cleaned messes * another blood sarciface for rust fmt * Doing final cleanups per comments upstream * The gods demand it, another formatter sacrifice Co-authored-by: magnalite <[email protected]> * The coolness must be toned down. * A little silly mistake indeed Seemingly forgot to filter out packages to update for try_to_use. instead it kept them and got rid of everything else. --------- Co-authored-by: magnalite <[email protected]>
* Initial copy of upload action * Pivot to svenstaro/upload-release-action * Finalise nightly text
No description provided.