Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http91 bearer token support #117

Merged
merged 5 commits into from
Oct 10, 2024
Merged

http91 bearer token support #117

merged 5 commits into from
Oct 10, 2024

Conversation

davidradl
Copy link
Contributor

Description

Add support for bearer tokens.

Resolves HTTP91

PR Checklist

@davidradl davidradl force-pushed the http91 branch 2 times, most recently from f5bef34 to bea7c28 Compare August 15, 2024 14:22
Copy link
Collaborator

@kristoffSC kristoffSC left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Happy to see this change.
Left some comments/questions.

Apart from them, there is a code formater check failing on build.

@davidradl
Copy link
Contributor Author

davidradl commented Aug 15, 2024

@kristoffSC The fix isn't quite ready so I let the pr in draft. I was going to get the code clean before making the pr ready for review. But it is bonus that you have given me feedback anyway - that is really helpful - thanks :-)

  • I was looking at this and thought that it would be better to move this to a new OIDCAuthHeaderValuePreprocessor that implements HeaderValuePreprocessor, we can then look at the config and drive this HeaderValuePreprocessor instead of the basic one. With:
 @Override
    public String preprocessHeaderValue(String rawValue) {
        OidcAccessTokenManager auth = new OidcAccessTokenManager(
                HttpClient.newBuilder().build(),
                oidcTokenRequest.get(),
                oidcAuthURL.get(),
                oidcExpiryReduction.get()
        );
        // apply the OIDC authentication by adding the dynamically calculated header value.
        return "BEARER " + auth.authenticate();
    } 

In this way we preprocess the basic and OIDC authorization header content prior to calling the request. Also the change is minimal for the main code base, as it just tweaks the authorization header leaving the request processing unchanged.

Before this change, the basic auth content could have been processed then we override it with an OIDC header.

I am reworking the fix in this design. WDYT?

@davidradl
Copy link
Contributor Author

@kristoffSC pushed up the new code addressing most of the code review comments - testing now.

@davidradl davidradl force-pushed the http91 branch 4 times, most recently from db8a2e0 to 74f0c72 Compare August 16, 2024 10:52
@davidradl
Copy link
Contributor Author

davidradl commented Aug 19, 2024

@kristoffSC Hi I have been testing against the watsonx APIs, the latest fix is not working (I will sort that out).

During this testing I found that the SSL handshake was failing. I had assumed that it would pickup the default JAVA certificates, but it does not.
1)
https://github.com/getindata/flink-http-connector/blob/05d3b474f403ff68ab6e7abe396[…]ta/connectors/http/internal/utils/JavaNetHttpClientFactory.java .

We can see that the SSLContext is created.

  1. From https://github.com/getindata/flink-http-connector/blob/05d3b474f403ff68ab6e7abe396[…]etindata/connectors/http/internal/security/SecurityContext.java it does something when there is no certifcate supplied. The SSL handshake fails.
  2. If I remove the SSLContext then is uses the certificates in java and the SSL handshake works.

In

it seems to create a Keystote when one has not been supplied. Do we need to do this?

If not we could just not put the SSLContext on the httpRequest when there is no supplied keystore.
if we need this logic, then maybe we should have new option to say use Default java certificates.
Raised #119 for this.
WDYT?

My actions at this stage are to:

  • test specifying the public cert information in flink and config.
  • debug why the bearer token logic is not working

@davidradl
Copy link
Contributor Author

davidradl commented Aug 21, 2024

@kristoffSC the new design is not working because the preprocessing only works if there is a header to preprocess. In my case it was not working as I had not defined a Authentication header in the config - if I do it works. I see the following options:
1- document that an Authentication header needs to be specified in the Config
2- amend the code to add a dummy Authentication header if we are dealing with OIDC. The value will then be supplied by the OIDC header pre processor
3- Go with the original design.

I am looking at option 2 as 1 seems unnecessary extra considerations for the user, 3 seems a bit of a hack. WDYT?

@davidradl davidradl force-pushed the http91 branch 4 times, most recently from e345642 to ed4ec0d Compare August 21, 2024 13:12
@davidradl davidradl requested a review from kristoffSC August 21, 2024 13:13
@davidradl davidradl force-pushed the http91 branch 3 times, most recently from 0c91b48 to 1aae69e Compare August 21, 2024 14:28
@davidradl
Copy link
Contributor Author

davidradl commented Aug 21, 2024

I have included the public certs and it works. By this I mean while testing I put the public server cert in an ssl folder and referred to it in the config. Ideally we should not have to do this as public certs should just work as they are in the JVM- as per previous updates

@davidradl davidradl marked this pull request as ready for review August 21, 2024 17:28
@kristoffSC
Copy link
Collaborator

Hi @davidradl
Regarding public certs -> I've replayed in #119 (comment)

Regarding this Pr here,
I also think option 3 is good, but could you describe what "the dummy header" would be?

@davidradl
Copy link
Contributor Author

davidradl commented Sep 2, 2024

Hi @kristoffSC, In response to your comment

Regarding public certs -> I've replayed in #119 (comment)
Regarding this Pr here, I also think option 3 is good, but could you describe what "the dummy header" would be?

I have coded up option 2, by dummy header - if you search for dummy in the pr code you will see what I mean.
This allows me to add an oidc header pre processor. I think adding another header pre processor like the basic auth one, seems a good place to put this. Do you have a strong view as to why this is not a good idea? Option 2 changes the main code path as you previously noted.

Copy link
Member

@grzegorz8 grzegorz8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have coded up option 2, by dummy header - if you search for dummy in the pr code you will see what I mean.
This allows me to add an oidc header pre processor. I think adding another header pre processor like the basic auth one, seems a good place to put this. Do you have a strong view as to why this is not a good idea? Option 2 changes the main code path as you previously noted.

For me the dummy header looks fine. We can always refactor if we come up with better solution in the future.

I left only a few minor comments.

@davidradl davidradl force-pushed the http91 branch 2 times, most recently from 8e515fc to d54a4c8 Compare October 9, 2024 12:39
@davidradl
Copy link
Contributor Author

@grzegorz8 Hi there I have fixed up the requested changes- please could you review and ee if there is anything else you can spot and GTM if you are good with the changes.

@grzegorz8
Copy link
Member

@grzegorz8 Hi there I have fixed up the requested changes- please could you review and ee if there is anything else you can spot and GTM if you are good with the changes.

Thanks. I'll review it soon.
I have one request, please do not amend commits and force push, because now it is hard to see what was actually changed :)

@davidradl
Copy link
Contributor Author

@grzegorz8 Hi there I have fixed up the requested changes- please could you review and ee if there is anything else you can spot and GTM if you are good with the changes.

Thanks. I'll review it soon. I have one request, please do not amend commits and force push, because now it is hard to see what was actually changed :)

@grzegorz8 sorry - good point- I forgot.

@davidradl
Copy link
Contributor Author

@grzegorz8 On the review comment , saying it was not addressed; I do not see any format changes now introduced by the fix. I see :
Screenshot 2024-10-10 at 11 27 47

@grzegorz8
Copy link
Member

@grzegorz8 On the review comment , saying it was not addressed; I do not see any format changes now introduced by the fix. I see : Screenshot 2024-10-10 at 11 27 47

This is what I see:
Zrzut ekranu 2024-10-10 o 12 47 51
Probably you have "Hide whitespaces" enabled.
Zrzut ekranu 2024-10-10 o 12 48 00

@davidradl
Copy link
Contributor Author

@grzegorz8 On the review comment , saying it was not addressed; I do not see any format changes now introduced by the fix. I see : Screenshot 2024-10-10 at 11 27 47

This is what I see: Zrzut ekranu 2024-10-10 o 12 47 51 Probably you have "Hide whitespaces" enabled. Zrzut ekranu 2024-10-10 o 12 48 00

@grzegorz8 I see - I thought you were referring to line 82. I will make this change.

@davidradl
Copy link
Contributor Author

@grzegorz8 I fixed the format of the one you pointed out and also some in the test files. Let me know if you need anything else changing.

@grzegorz8 grzegorz8 dismissed kristoffSC’s stale review October 10, 2024 11:20

All suggestions have been applied.

@grzegorz8 grzegorz8 merged commit 99ffa43 into getindata:main Oct 10, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants