-
Notifications
You must be signed in to change notification settings - Fork 83
Conversation
Codecov Report
@@ Coverage Diff @@
## master #49 +/- ##
==========================================
+ Coverage 50.69% 51.02% +0.32%
==========================================
Files 40 42 +2
Lines 1150 1170 +20
==========================================
+ Hits 583 597 +14
- Misses 500 502 +2
- Partials 67 71 +4
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
dc283a1
to
6644f0f
Compare
pkg/auth/auth_flow_orchestrator.go
Outdated
@@ -0,0 +1,145 @@ | |||
package auth | |||
|
|||
import ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More Unit tests remaining for this package and will be added soon.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome! I have some questions about the token exchange stuff and potentially simplifying the code (that surrounds each api call)... otherwise looks ready (minus those unit tests you are already adding)... thank you!
cmd/create/execution.go
Outdated
exec, err = cmdCtx.AdminClient().CreateExecution(_ctx, executionRequest, _callOptions...) | ||
return err | ||
} | ||
err = auth.Do(ctx, cmdCtx.AuthClient(), grpcAPICall, callOptions) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a way to simplify this?
Like here
You can build the authmetadataclient without initializing that singleton connection, then call FlyteClient() and if that returns then you can setup a PerCallRPCCredentials and set it as a dial option (instead of a call option) ... and therefore, you do not need to surround every single call to admin with this...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. Created new MR for this flyteorg/flyteidl#156
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will be updating this MR with just changes to flyteidl and couple of modules to be used. Rest there are no changes in flytectl side with this new movement
pkg/auth/admin_grpc_call_util.go
Outdated
func Do(ctx context.Context, authMetadataClient service.AuthMetadataServiceClient, grpcAPICallContext AdminGrpcAPICallContext, callOptions []grpc.CallOption) error { | ||
// Fetch from the cache only when usAuth is enabled. | ||
useAuth := admin.GetConfig(ctx).UseAuth | ||
if useAuth { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm getting rid of this... if we can attempt to setup auth before we Dial(), I think that will simplify the experience a ton....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
pkg/auth/auth_flow_orchestrator.go
Outdated
type TokenOrchestrator struct { | ||
} | ||
|
||
// This is a copy of oauth2.internal.tokenJSON as its not accesible outside. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit:
// This is a copy of oauth2.internal.tokenJSON as its not accesible outside. | |
// This is a copy of oauth2.internal.tokenJSON as it's not accesible outside. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
pkg/auth/auth_flow_orchestrator.go
Outdated
|
||
func (f TokenOrchestrator) RefreshTheToken(ctx context.Context, clientConf *oauth2.Config, token *oauth2.Token) *oauth2.Token { | ||
// ClientSecret is empty here. Basic auth is only needed to refresh the token. | ||
client := newBasicClient(clientConf.ClientID, clientConf.ClientSecret) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is concerning.... public clients should not need or attempt to keep secrets.... if that means we can't refresh tokens, then so be it... we can make the default access token expire in 2 hours (or so) to give people a slightly improved experience...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or is the idea that this flow will be used in CI/CD system instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually internally oauth libraries do the same when they refresh the token by sending an empty client secret. I have removed this logic and instead using
/ Token returns the current token if it's still valid, else will
// refresh the current token (using r.Context for HTTP client
// information) and return the new one.
func (s *reuseTokenSource) Token() (*Token, error) {
This automatically refreshes the token if the access token is expired.
pkg/auth/auth_flow_orchestrator.go
Outdated
"refresh_token": {token.RefreshToken}, | ||
"scope": {"all", "offline"}, | ||
} | ||
_, body, err := client.Post(clientConf.Endpoint.TokenURL, payload) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can't we use oauth2.Config to Exchange and refresh tokens?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed this logic now and uses
pkg/auth/handler_app_call_back.go
Outdated
_, _ = rw.Write([]byte(fmt.Sprintf(`<p>Couldn't get access token due to error: %s</p>`, err.Error()))) | ||
return | ||
} | ||
_, _ = rw.Write([]byte(`<p>Cool! Your authentication was successful and you can close the window.<p>`)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we want to go fancy, I would say we should do something like this: https://blakewilliams.me/posts/handling-macos-url-schemes-with-go
(which seems to be supported in OSX and windows... not sure about general Linux support) to silently go back to the app once the user is authenticated/authorized...
but maybe that's too fancy?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks cool . Let me add try this in a followup
Signed-off-by: Prafulla Mahindrakar <[email protected]>
a707cab
to
48cbd2a
Compare
Signed-off-by: Prafulla Mahindrakar <[email protected]>
Signed-off-by: Prafulla Mahindrakar <[email protected]>
Signed-off-by: Prafulla Mahindrakar <[email protected]>
Signed-off-by: Prafulla Mahindrakar <[email protected]>
3bbbd29
to
0f5043c
Compare
Signed-off-by: Haytham Abuelfutuh <[email protected]> Signed-off-by: Prafulla Mahindrakar <[email protected]>
Signed-off-by: Haytham Abuelfutuh <[email protected]> Signed-off-by: Prafulla Mahindrakar <[email protected]>
0f5043c
to
ae896c1
Compare
Signed-off-by: Prafulla Mahindrakar [email protected]
TL;DR
Config for querying admin
Type
Are all requirements met?
Complete description
How did you fix the bug, make the feature etc. Link to any design docs etc
Tracking Issue
flyteorg/flyte#945
Follow-up issue
NA