-
Notifications
You must be signed in to change notification settings - Fork 23.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ansible-galaxy collection - validate and refresh KeycloakToken #79145
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to the warning, the rest looks good.
6973c5b
to
647efb3
Compare
7ed80da
to
e7820cc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving, but there's room for improvement if you're up to it :)
lib/ansible/galaxy/token.py
Outdated
data = json.loads(to_text(resp.read(), errors='surrogate_or_strict')) | ||
token_data = json.loads( | ||
base64.b64decode(data['id_token'].split('.')[1] + "==") | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This incantation looks out of place. It leaks into a low-level abstraction of decoding and parsing the internals.
I'd move at least the last instruction into a pure function so it'd look something like
bearer_token_struct = parse_bearer_token(resp.read())
It could return a data structure with both the access token and the id token, if it replaces both instructions.
I don't have visibility into what the HTTP response structure it, but often this data also includes some checksum/signature. Such a function could also verify the integrity and raise an error if it's corrupted somehow.
Maybe it could also normalize the time fields into datetime objects.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good suggestions, thanks. I implemented signature checking. I'm not sure I can assume the JSON web key sets url is relative to the auth URL, so I added a new server config option to achieve that in case the auth_url does not match AH - maybe not backportable now, but it's better I think.
I also fixed normalizing the datetime fields in parse_bearer_token.
Need to figure out how to get sanity tests passing, but I think this is close to done now.
b53e503
to
2033f3d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got a few more comments...
add expiration property to KeycloakToken warn when token expires handle expired token when waiting for imports to complete after publishing to AH changelog
Handle refreshing in KeycloakToken.get() before tokens expire Make the warning a debug msg since there is no error Use global constant for early KeycloakToken expiration Co-authored-by: Sviatoslav Sydorenko <[email protected]>
) Add an openid_configuration galaxy server option. Since we don't want to hardcode the AH URL, the bugfix is now opt-in only. On the plus side, now the auth_url can be derived from the OpenID config, so users only need to configure 1 of these options. validate bearer token before using expiration data from it normalize datetime fields before returning token data add cryptograph to unit test requirements for ansible-galaxy tweak user_agent string so getting AH OpenID config works (comment order seems to have requirements?) Co-authored-by: Sviatoslav Sydorenko <[email protected]>
8a99535
to
57517b9
Compare
SUMMARY
This should fix refreshing KeycloakTokens while waiting for import results. I'm not sure how to test it though...
Fixes #70019
ISSUE TYPE
COMPONENT NAME
ansible-galaxy collection publish