Refactor URL access mode management

[PastelMobileSuit]

Currently, all requests go through lfsapi.DoWithAuth() to make requests. This code is associated with a remote, and sets/checks an Access Mode based on the LFS API URL for the associated remote. If the access mode is None, an unauthenticated request is made, and otherwise credentials are added to the request. If a None request fails, the access mode is set to Basic, and a new request is made.

However, there are two types of requests made with Git LFS: API requests, and transfer adapter requests. While all requests against the API will use the remote URL, the transfer adapter can route requests to a totally different URL. However, since the same auth/request code is being used, these requests will use the access mode for the remote URL, even though the request can be against something totally different. If we've already discovered the remote URL requires credentials, this will cause credentials to be sent across to the separate transfer adapter URL, even if it doesn't require authentication.

We should instead refactor the auth code to remove the access mode management. Instead, the lfsapi package and the tq (transfer adapter) package should handle access mode themselves for their respective URLs, and only use shared code to get credentials and actually make the requests. This should ensure we're sending credentials at the right times for the right URLs.

[ttaylorr]

Currently, all requests go through `lfsapi.DoWithAuth()` to make requests.

Thanks for this overview. Since I don't spend a lot of time in package 'lfsapi', I often have to remind myself of these details, so it's very helpful to have them written down here.

However, since the same auth/request code is being used, these requests will use the access mode for the remote URL, even though the request can be against something totally different.

It sounds like that this is the crux of the issue: that we assume all HTTP requests being sent to package 'lfsapi' are associated with a Git LFS API-compliant remote, but some aren't (particularly in the integration test that you sent to me off-list).

We should instead refactor the auth code to remove the access mode management.

I agree with this, and it sounds like a great path forward. What do you think about the following: * `lfshttp`: this new package would contain most of the low-level HTTP implementation from the existing package `lfsapi`, but without the remote management, and higher-level details, like that. For example, this package might contain the extra headers code (configurable via `git config http.<url>.extraHeaders`), but would avoid such details as the remote access level management. In particular, this package could be treated like net/http is treated from the standard library, but would act as a thin wrapper around that package, with LFS-specific details (as mentioned above). * `lfsapi`: this package would contain the set of features that are currently implemented in package `lfsapi`, excluding the features that are mentioned in package `lfshttp` above. For instance, I imagine that most function calls would terminate or return with a delegating call into `lfshttp`, but could add extra details, such as the remote access-level management. One thing that would be worth considering is how these two new packages might fit into a larger push to support multiple protocol schemes in the API. I know that @bk2204 has planned on looking into this, so perhaps it would be good to get both of your perspectives on whether or not the above proposal would suitable for supporting multiple protocols?

[PastelMobileSuit]

@ttaylorr That sounds like a good approach to me, it seems cleaner and more correct to have the basic http client code separated out into its own package, and have higher-level packages interacting with that.

With regards to the lfsapi package: I'm fine with this as described, as long as we make access-mode management externally controllable somehow (it's currently all done inside the doWithAuth() and getCreds() functions). The crux of the issue is the fact that those two functions assume and perform access management based on the idea that all requests are going to be made against the remote, but the transfer adapter in the tq package instead routes requests to a separate URL. Maybe a way to call into DoWithAuth() while explicitly specifying the URL endpoint requests are being made against could solve the problem?

[ttaylorr]

I'm fine with this as described, as long as we make access-mode management externally controllable somehow (it's currently all done inside the `doWithAuth()` and `getCreds()` functions).

I definitely agree. My thought when composing my original message was that it might be interesting to explore whether we could teach doWithAuth() to not even invoke getCreds(), and instead make sure that a package like lfsapi (as opposed to lfshttp) would do the necessary bits instead.

Maybe a way to call into `DoWithAuth()` while explicitly specifying the URL endpoint requests are being made against could solve the problem?

I think that that's another good approach, too. I think my preference would be that an lfshttp package (exposing a Do() or DoWithAuth() function) didn't even have an implementation for getCreds(), instead of changing whether or not a hypothetical implementation was invoked based on a calling parameter of the function. That said, it might end up being much harder in practice to totally divorce the two, so the above stanza might be a good half-way point between the two.

[PastelMobileSuit]

@ttaylorr Ah okay, I think I see what you're saying. Are you proposing that the package that calls into Do() or DoWithAuth() would handle getting the credentials and adding them to the request before calling those functions? I think that's a good idea and am 👍 on that approach.

I think the tq and lfsapi package will both need to use the same credential logic. I think we could easily extract the getCreds() function into a shared package, and move the calls to it out of DoWithAuth() and into the tq and lfsapi packages before DoWithAuth() is called. Then, tq and lfsapi can do their own endpoint/access mode management.

[ttaylorr]

Are you proposing that the package that calls into Do() or DoWithAuth() would handle getting the credentials and adding them to the request before calling those functions? I think that's a good idea and am 👍 on that approach.

Thanks for clarifying: I think that we're on the same page and I'd be comfortable going forward with that approach.

I think the tq and lfsapi package will both need to use the same credential logic.

What do you think about lfsapi being the only package to have getCreds() (or similar)? I think that in this case, tq would call lfsapi (which would add credentials) which would in turn call lfshttp to perform the actual request?

I think that you also highlight an important problem of flexibility, so it may be worth trying which one you think will be most workable and seeing how it feels to implement it. If you're feeling like we picked a path that we'd like to get off of, we can always try out the other, too.

[PastelMobileSuit]

@ttaylorr That sounds like a good plan to me!

[PastelMobileSuit]

I've spent some time today looking at the URL access management stuff and I don't feel it makes sense to extract the access mode management stuff out and allow the tq package to manage it itself.

As it stands right now, URL access mode is only set from within the doWithAuth() code. If doWithAuth() makes a request that fails because of an authorization error, it uses the server response to figure out what type of authentication should be used, updates the access mode accordingly, then uses that information to authenticate a new request. That flow seems correct to me, and it feels like that should be the domain of the auth code and only the auth code.

I also don't think we'll be able to remove the reliance on using lfsapi.Client in tq. Most requests there will need to go through the normal authorization flow, and since lfsapi.Client wraps lfshttp.Client to do the work it needs, and since we can skip the lfsapi.Client-specific code by just calling Do instead of DoWithAuth, I think it makes sense to use the lfsapi.Client for all tq requests.

I think a better approach would be to just eliminate the assumption that all requests are going to be made against the LFS API URL. That's currently baked into the auth code, and I think we could solve that by passing in an apiEndpoint argument to DoWithAuth(), which we will use for the URL access mode. In most cases this will be the LFS API URL, but when tq is performing a transfer, it can generate the 'API URL' for that request and provide that to DoWithAuth(). That way, the auth code will still be responsible for determining what kind of authentication needs to be used and reauthenticating failed requests, but the caller will be responsible for telling the auth code the base URL that actually needs authenticating.

[PastelMobileSuit]

/cc @ttaylorr and @bk2204 for increased visibility around this new approach

[ttaylorr]

As it stands right now, URL access mode is _only_ set from within the `doWithAuth()` code. [ ... ]

Thanks for the overview of how the current/new `doWithAuth()` function is implemented. I agree that that flow seems correct to me, but I want to double check that we're on the same page in terms of understanding before we make a decision. My understanding is that: (1) a caller issues an HTTP request and then eventually we wind up in `doWithAuth()`. (2) Then, the `doWithAuth()` function assumes that we're authenticating against an implementation of the Git LFS API, and (3) falls back to create a new request if that assumption is incorrect.

I think a better approach would be to just eliminate the assumption that all requests are going to be made against the LFS API URL.

That seems like it would be a solution to the problem, though I'm hesitant to rubber-stamp it without understanding further the impact that it would make throughout the codebase. Could you expand a little on how you think that this would look?

[ ... ], and I think we could solve that by passing in an `apiEndpoint` argument to `DoWithAuth()`, which we will use for the URL access mode.

I don't think that I'm a huge fan of this, since it creates a class of function calls that are always given `nil` (e.g., when we are calling `DoWithAuth()` _knowing_ that we're not talking to a Git LFS server). Do you think that we could split the function in two, such that there is a function that we call when we are talking to a Git LFS server (that takes an `apiEndpoint`) and a function that we call when we aren't?

[PastelMobileSuit]

@ttaylorr Thanks for the response! To address your points/questions/feedback:

My understanding is that: (1) a caller issues an HTTP request and then
eventually we wind up in doWithAuth(). (2) Then, the doWithAuth()
function assumes that we're authenticating against an implementation of
the Git LFS API, and (3) falls back to create a new request if that
assumption is incorrect.

It actually works a bit differently. Callers directly call DoWithAuth() if they want to make an HTTP request that might require authentication, and Do() otherwise. Do() will never authenticate a request, and never gets down into doWithAuth() whereas DoWithAuth() calls doWithAuth() directly. Additionally, the doWithAuth() function will authenticate against the request URL, not the Git LFS API endpoint - that API endpoint is only used to determine what the access mode for the URL is, which in turn is used to determine what method doWithAuth() should use to authenticate. So a more accurate flow (including some credential helper stuff as I believe it's important to the flow) would be:

1. A caller wants to issue a request and authenticate if required, and calls DoWithAuth(), which then calls into doWithAuth().
2. doWithAuth() is provided a request and a remote. It checks the URL access mode for the LFS API endpoint for the provided remote, and passes that down to getCreds()
3. getCreds() looks at the provided URL access mode to determine how to authenticate (no authentication, Basic, NTLM, etc.). It uses the request URL to do this, not the LFS API endpoint, and I believe it injects the credentials directly into the request.
4. doWithAuth() does the HTTP request. If the request is a success, doWithAuth() is finished.
5. If the request fails with an authorization error, doWithAuth() examines the HTTP response to determine what kind of authentication is being asked for, and updates the URL access mode for the LFS API endpoint accordingly.
6. If the failed request was unauthenticated, we recur through DoWithAuth() and go back to step 1 of the flow. Since the URL access mode has been changed, this second request will be authenticated.
7. Otherwise, if the failed request was authenticated through a credential helper, the credentials are rejected, and we recur through DoWithAuth() and go back to step 1. The same authentication method will be used for this request, but the current set of credentials was rejected, meaning a different credential helper will be used to authenticate.

So basically there's a lot of important logic going on internally at the end of doWithAuth() to figure out if we need to authenticate differently.

That seems like it would be a solution to the problem, though I'm
hesitant to rubber-stamp it without understanding further the impact
that it would make throughout the codebase.

Could you expand a little on how you think that this would look?

Certainly! Basically, everything is correct with the flow as-is, the only problem is that we're tied to the LFS API Endpoint to determine the URL access mode, which is incorrect. The actual authentication is happening properly against the request URL, the code is just looking in the wrong place to determine how to authenticate.

Basically, with my proposal, we'd add a separate argument to DoWithAuth()/doWithAuth() called apiEndpoint. This would be a string, and is the URL that we're planning to check the Access mode against. If we're making an actual LFS API request, this would just be the LFS API URL for the provided remote. If we're not, this argument would still be provided, but would be a shortened, base form of the request URL.

As an example, the transfer adapter in our tests reroutes requests to http://127.0.0.1/storage/<oid>. The apiEndpoint argument in this case would be http://127.0.0.1/storage. The caller would have to handle determining this, as I don't think we have enough information about the URL format to generate it ourselves in doWithAuth().

I don't think that I'm a huge fan of this, since it creates a class of
function calls that are always given nil (e.g., when we are calling
DoWithAuth() knowing that we're not talking to a Git LFS server).

Do you think that we could split the function in two, such that there is
a function that we call when we are talking to a Git LFS server (that
takes an apiEndpoint) and a function that we call when we aren't?

Yep! So for clarification, the apiEndpoint argument won't always be the LFS API endpoint and will always need to be provided (I know the name is a bit confusing so I'll make sure that's changed if this is implemented).

I have this mostly implemented already in a local branch. I'm actually planning to expose two public functions from the auth code: DoWithAuth() and DoAPIRequestWithAuth(). DoWithAuth() takes an apiEndpoint argument and would be called from the transfer adapter code. DoAPIRequestWithAuth() won't take that argument, instead finding the LFS API endpoint for the provided remote and passing that down into doWithAuth(), causing everything to work as it does now. That would be called whenever we make an actual API request.

[ttaylorr]

Hi, @PastelMobileSuit -- thanks for your detailed response and for helping me grok this code.

Basically, with my proposal, we'd add a separate argument to `DoWithAuth()`/`doWithAuth()` called `apiEndpoint`. This would be a string, and is the URL that we're planning to check the Access mode against.

OK, this makes much more sense to me, especially with your explanation. I think that adding an extra parameter to refer to the URL that we're trying to glean an access mechanism from makes sense, but what if we instead: 1. passed in the _access_ ourselves, and 2. exported functionality in package 'lfsapi' to determine the access level from a given URL I think that this would be good step towards breaking up that code further, and hopefully making it easier to test and build confidence in. It also seems clearer to me that we would pass one URL to the DoWithAuth() call, and that another argument would be _how_ we want to execute that request. What do you think about that as an alternative?

[PastelMobileSuit]

Just spoke to @ttaylorr and we've decided the best way to do this is to change the URL Access Mode to a struct with an Upgrade() function to allow it to be changed. Callers can then pass the URL Access Mode into DoWithAuth() and DoWithAuth() will change it as necessary, then callers can set the access mode again on the URL after DoWithAuth() has returned. This will allow us to completely separate out the API Endpoint stuff from the Auth code and make it the caller's responsibility without making it responsible for the actual management of the access mode.