-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(core): provider do_request to maintain verify in all request, basic headers #145
fix(core): provider do_request to maintain verify in all request, basic headers #145
Conversation
Signed-off-by: tarilabs <[email protected]>
Signed-off-by: tarilabs <[email protected]>
d98aeb8
to
5fab6dd
Compare
These changes look good! Is there any reason not to add a test for it here as well (as opposed to just locally)? |
The test in the original comment requires a OCI registry with self signed certs (and basic auth), and it's not clear to me how to replicate the local setup (I happened to use Zot) I've described in my original comment. Let me know your feedback, thanks! |
We have tests with auth: https://github.com/oras-project/oras-py/blob/main/.github/workflows/auth-tests.yaml What would be the difference between the setup there and the test you have with the self signed certs? Or why would it fail with the latter but not the current tests (and others using auth)? |
To replicate the original failure, now fixed with this PR, the second call (the one augmented with the auth header) would have failed the cert validation with the "SSLError(SSLCertVerificationError" error since it didn't maintain the I can include the test from my original comment, it would not replicate 100% the original scenario. Wdyt? |
Yes, that would be great! And then the final tweak is to bump the version in oras/version.py and add a corresponding note to CHANGELOG.md. Thank you! |
@vsoch pardon me quick q: I can understand changelog, but its not clear to me about version bump: I can see a 2.0 was marked, but I can't find Tag, Release or Pypi of it ? 🤔 |
55bae52
to
739a113
Compare
Signed-off-by: tarilabs <[email protected]>
739a113
to
fc3207d
Compare
Signed-off-by: tarilabs <[email protected]>
Signed-off-by: tarilabs <[email protected]>
@tarilabs it's not clear to me why a self signed certificate would lead to the wrong version number (or rather, not having one). Did you try updating urllib3 first? |
the failure in Details is GHA for fc3207d my understanding is that in the case of this repo GHA job, there is no self-signed-cert/SSL, so I need to say in "my" case of server with:
|
So the with auth workflow is adding an http password but not SSL. Why not add the same self signed cert to the setup? If you think "with auth" is a different use case entirely we arguably should have a third workflow. |
cool, thanks for the feedback; so the next step would be:
have I summarized it correctly? |
0a3e439
to
722e033
Compare
Signed-off-by: tarilabs <[email protected]>
722e033
to
8950923
Compare
Signed-off-by: tarilabs <[email protected]>
res = client.login( | ||
hostname=registry, | ||
tls_verify=False, | ||
username=credentials.user, | ||
password=credentials.password, | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@vsoch I've also aligned the previously existing auth test to make use of the self-signed certs server workflow 🤗
let me know if overall this PR now matches your expectations :)
Signed-off-by: tarilabs <[email protected]>
CHANGELOG.md
Outdated
@@ -14,6 +14,7 @@ and **Merged pull requests**. Critical items to know are: | |||
The versions coincide with releases on pip. Only major versions will be released as tags on Github. | |||
|
|||
## [0.0.x](https://github.com/oras-project/oras-py/tree/main) (0.0.x) | |||
- bugfix maintain requests's verify valorization for all invocations, augment basic auth header to existing headers (0.2.0) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like this is also 0.2.0 (your addition is correct!) but let's indent the line below it to be a sub-bullet, and remove the second mention of 0.2.0.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will do! 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done with f848752 🚀
@@ -136,3 +137,34 @@ def test_directory_push_pull(tmp_path, registry, credentials, target_dir): | |||
assert str(tmp_path) in files[0] | |||
assert os.path.exists(files[0]) | |||
assert "artifact.txt" in os.listdir(files[0]) | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is great! We now have a proper test for ssl.
Signed-off-by: tarilabs <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for this work - it's a great contribution on many levels!
Hi 👋
This proposed PR fixes what I believe are
2edit: *3 problems:do_request
do not maintainverify=self._tls_verify
for all therequests
's calls (it does maintain it only on the first one)I'm looking forward to your feedback and if I missed anything?
How was this tested?
locally, I have a pytest as:
I'm using a Zot configured with:
configuration of Zot server:
BEFORE
on main, gives error (
SSLError(SSLCertVerificationError ...
):AFTER
with this PR:
% env | grep ORAS_ ORAS_HOST=localhost ORAS_PORT=8443 ORAS_USER=dinosaur ORAS_PASS=oras_pass ORAS_AUTH=true
I didn't find a way to provide integration testing based on the specific use case here:
but kindly let me know if I missed anything