uSync.Triggers #2

Open
KevinJump opened this issue Jul 29, 2021 · 8 comments
@KevinJump
Member

Feature Proposal : An unauthenticated (but secured) method for triggering uSync actions (e.g import or export).

See : https://github.com/KevinJump/uSync8/tree/v8/dev-api-trigger/uSync.Triggers

uSync.Triggers will be a separate package you can install to add a trigger end point to your site, that you can then use from command lines, or CI/CD pipelines to trigger uSync commands.

e.g
http://myumbraco.site/umbraco/usync/trigger/import?key=[YOUR-GUID-VALUE]

  • the GUID-VALUE will be required and will have to match a value in the site's web.config
  • without this value in the web.config the trigger will not work.

    <add key="uSync.TriggerKey" value="YOUR-GUID-VALUE"/>

Alongside Import you will also be able to trigger an export.

additional options for a trigger will be:

| Option | Default Value | Note |
|---|---|---|
| Group | ImportAtStartupGroup | setting the group of handlers to run, usually this is settings/content or all |
| Set | DefaultSet | The handler set from the usync8.config file to use when running the action |
| Force | false | Import only - should the import be forced (e.g. import even when there are no changes) |
| Folder | Default uSync folder | Where to import/export |

Folder: the folder will default to the uSync folder and with no config changes you will not be able to
use a folder outside of the /usync folder for a site.
This can be turned off with another setting in the web.config

<add key="uSync.TriggerFolderLimits" value="false"/>

At the moment the process returns a string indicating the number of changes and number of items, e.g.

0 changes from 88 items
@KevinJump KevinJump self-assigned this Jul 29, 2021
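
One way to enforce the folder limit described in the proposal above, as an added Python example that is not uSync's own code. The function name `resolve_trigger_folder` and its parameters are hypothetical; `folder_limits` stands in for the `uSync.TriggerFolderLimits` setting.

```python
import os

def resolve_trigger_folder(usync_root, requested=None, folder_limits=True):
    """Return the absolute folder to import from / export to, or raise ValueError."""
    # realpath normalises ".." segments and resolves symlinks, so a link placed
    # inside the uSync folder cannot be used to point the trigger elsewhere.
    root = os.path.realpath(usync_root)
    if not requested:
        return root  # default: the uSync folder itself
    # A relative value is taken relative to the root; an absolute one replaces it.
    candidate = os.path.realpath(os.path.join(root, requested))
    if folder_limits:
        # commonpath compares whole path components, so "/site/uSync-old" is not
        # mistaken for a child of "/site/uSync" the way a startswith() test would.
        if os.path.commonpath([root, candidate]) != root:
            raise ValueError(f"folder {requested!r} is outside the uSync folder")
    return candidate
```
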
@KevinJump
Member Author

A Beta for experimentation and feedback is here :

https://www.nuget.org/packages/uSync.Triggers

@mattbrailsford

Re the Guid on the querying, whilst good to ensure the request was intentional and lines up with the config, it’s not very hidden and would be potentially discoverable.

At minimum I wonder if this should be a POST request so the key isn’t present in the querystring and maybe you could also require https.

Better might be some kind of authentication to prevent someone else attempting to run a command

@KevinJump
Member Author

> Better might be some kind of authentication to prevent someone else attempting to run a command

yep - this is where I need some feedback, I can build timestamped / hashed auth.

It's a question of how easy that would be to put into people's CI/CD pipeline, I suppose I could have a console app that hashes, keys and does the posts (so it's not running curl, etc.), then the auth could be more complex while not overcomplicating command line stuff.

@KevinJump
Member Author

KevinJump commented Jul 29, 2021

Added authentication following the models builder code (but using Authorization vs Action)

so example would be :

curl -u [email protected]:password https://localhost:port/umbraco/usync/trigger/import?key=[key]

will only work if the user has access to the settings section.

however I need to test:

  • I don't think the models builder method increments failed attempts,
  • not sure it would then lock out a user for multiple failed logins.
  • not sure how it works when you are using OAuth or something for your backoffice users.

@KevinJump
Member Author

OK - it does lockout after invalid password attempts ✔️

@KevinJump
Member Author

Fast and furious - beta002 (should have called this an alpha!)

  • now accepts the username/password in the header. (see curl below)
  • import/export as post (or get still)
  • no longer doing the key, simple uSync.Triggers = true in the web.config to turn it on.
    • as it's now secured by user - although the key would add an extra level, if you do need to know it and not just be a user with the right permissions ?????
   <add key="uSync.Triggers" value="True"/>

curl examples

import:

    curl -u user:password http://my.site/umbraco/usync/triggers/import

import with options

e.g Import only settings:

    curl -X POST -d 'group=settings' -u user:password http://my.site/umbraco/usync/triggers/import

@KevinJump KevinJump pinned this issue Jul 30, 2021
@simonech

Personally I'm not a big fan of tying CI/CD operations to users in the Umbraco backend. If an admin forgets the password and resets it, the automation will stop working.
Also this won't work during automated installation where I might want to import all my doctypes but I don't have any admin user yet.
But maybe I understood wrong what you wrote in previous comments.

@KevinJump KevinJump transferred this issue from KevinJump/uSync Jul 31, 2021
@KevinJump KevinJump added the question Further information is requested label Jul 31, 2021
@KevinJump
Member Author

KevinJump commented Aug 2, 2021

beta004 (https://www.nuget.org/packages/uSync.Triggers/8.9.7-beta004)

now lets you choose between basic (username/password) and HMAC signature authentication.

in the site web.config

    <!-- enable triggers -->
    <add key="uSync.Triggers" value="True"/>
    <add key="uSync.TriggerScheme" value="Hmac"/>
    <add key="uSync.TriggerHmacKey" value="[HMACKEY]"/>

If you use HMAC you then need something to generate the HMAC key - so you can't just use CURL.

so the uSyncTriggersCLI package ( https://www.nuget.org/packages/uSyncTriggerCLI ) can be used for that.

usynctrigger import https://mysite/umbraco -h [HMACKEY]

it can also be used for basic auth

usynctrigger import https://mysite/umbraco -u [USER] -p [PASS]
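
What a timestamped HMAC scheme of the kind discussed in this thread involves on both sides, as an added Python example; it is not uSync.Triggers' code or its wire format. The header layout, the signed fields, the five-minute window and the nonce set are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed acceptance window for the timestamp

def _signature(key, method, path, body, timestamp, nonce):
    # Bind the signature to everything that gives the request its meaning.
    body_hash = hashlib.sha256(body).hexdigest()
    message = "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])
    digest = hmac.new(key, message.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def build_header(key, method, path, body, nonce, timestamp=None):
    """Client side (the CI/CD job): value for a hypothetical Authorization header."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    sig = _signature(key, method, path, body, timestamp, nonce)
    return f"hmac {timestamp}:{nonce}:{sig}"

def verify_header(key, method, path, body, header, seen_nonces, now=None):
    """Server side: True only for a fresh, untampered, first-time request."""
    now = int(time.time()) if now is None else now
    try:
        scheme, value = header.split(" ", 1)
        ts_text, nonce, sig = value.split(":", 2)
        timestamp = int(ts_text)
    except ValueError:
        return False  # malformed header
    if scheme != "hmac" or abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # wrong scheme, or outside the replay window
    expected = _signature(key, method, path, body, timestamp, nonce)
    # Constant-time comparison, so response timing does not leak the signature.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    if nonce in seen_nonces:
        return False  # a captured request being replayed inside the window
    seen_nonces.add(nonce)  # recorded only after the signature checked out
    return True
```

The shared key never travels with the request, so a proxy log or captured URL reveals only a signature that stops verifying once the window closes. A real server would also prune `seen_nonces` entries older than the window.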
