[TB] add OAuth entry #20049

Merged
merged 1 commit into from
Jul 19, 2024

mustard-mh
Contributor

Description

Related Issue(s)

Fixes #

How to test

Once build is passed

Documentation

Preview status

gitpod:summary

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • /werft preemptible
    Saves cost. Untick this only if you're really sure you need a non-preemptible machine.
  • with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • with-monitoring

/hold

Comment on lines +150 to +151
// We scope all so that it can work in papi like a PAT
{ name: "function:*" },
Member

💭 Is it necessary to whitelist all scopes or can we limit it to some extent of internal functions, like we did for the other clients?

Contributor Author

Yes we do, because we need to use papi v1 entry. #19597 (comment)

We can update it anyway in the future

Contributor Author

For more context, the limitation is here

// gpl: Once we move PAT to FGA-backed scopes, this special case will go away, and covered by a different SubjectIdKind.
const { isAllAccessFunctionGuard } = FunctionAccessGuard.extractFunctionScopes(scopes);
if (!isAllAccessFunctionGuard) {
    return undefined;
}

Contributor Author

But I have no idea when we can do it

Member

@Siddhant-K-code left a comment

Looks good, just made an optional & non-blocking suggestion to limit the client's scope.

Member

@filiptronicek left a comment

Changes look good, left one minor comment we can tackle in a follow-up

allowedGrants: ["authorization_code"],
scopes: [
// We scope all so that it can work in papi like a PAT
{ name: "function:*" },
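Review bot: The `{ name: "function:*" }` entry in `scopes` gives this client every function scope, and the one-line comment above it is the only record of why. Because the client is granted through `authorization_code`, any token issued by that flow is meant to work "like a PAT", so the wildcard deserves a comment that names the condition under which it can be replaced by an explicit scope list (the thread points at the papi all-access guard). That would make the planned narrowing discoverable from the code rather than only from this review.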
Member

Maybe still makes sense revisiting after we decide what methods are important to scope this down? Or is that not possible with p-api?

Contributor Author

@mustard-mh Jul 19, 2024

Thank you, we have reason to set it to all scopes #20049 (comment) for now

@roboquat merged commit 910b133 into main Jul 19, 2024
32 checks passed
@roboquat deleted the tb/auth branch July 19, 2024 06:11

4 participants