Allow users to add Gerrit HTTP Credentials#46763
Conversation
Bundle size report 📦
Look at the Statoscope report for a full comparison between the commits ea486c8 and 5bea6c7 or learn more. Open explanation
|
|
Codenotify: Notifying subscribers in CODENOTIFY files for diff 5bea6c7...ea486c8.
|
| permssync.SchedulePermsSync(ctx, r.logger, r.db, protocol.PermsSyncRequest{ | ||
| UserIDs: []int32{account.UserID}, | ||
| }) |
There was a problem hiding this comment.
We didn't have this before? 🤨
| if (provider.serviceType === 'sourcegraph-operator') { | ||
| return new URLSearchParams(location.search).has('sourcegraph-operator') | ||
| } | ||
| if (provider.serviceType === 'gerrit') { | ||
| return false | ||
| } |
There was a problem hiding this comment.
Instead of building up a list of hardcoded auth provider names - can we add a property to the authProviders like supportsSignIn?
There was a problem hiding this comment.
Plus 1 on this. I was wondering how the PR managed to get rid of gerrit on the sign in list.
We can theoretically use this to hide the builtin auth provider on customer instances after they finish setting up other auth provider. As there were multiple complaints about it being confusing for the engineers on customer side. Or to hide the sourcegraph-operator as well :)
kopancek
left a comment
There was a problem hiding this comment.
Great work! Sorry for many comments, but I really dived deep into this one as it's important to get it right 🙇
| if (provider.serviceType === 'sourcegraph-operator') { | ||
| return new URLSearchParams(location.search).has('sourcegraph-operator') | ||
| } | ||
| if (provider.serviceType === 'gerrit') { | ||
| return false | ||
| } |
There was a problem hiding this comment.
Plus 1 on this. I was wondering how the PR managed to get rid of gerrit on the sign in list.
We can theoretically use this to hide the builtin auth provider on customer instances after they finish setting up other auth provider. As there were multiple complaints about it being confusing for the engineers on customer side. Or to hide the sourcegraph-operator as well :)
| username: { value: string } | ||
| password: { value: string } | ||
| } | ||
| event.preventDefault() |
There was a problem hiding this comment.
Do we need the preventDefault here? What will happen if it's removed? (I would expect nothing, since the action is defined as onSubmit on the Form element itself, but I may be wrong...
There was a problem hiding this comment.
Based on the React docs: https://reactjs.org/docs/forms.html it seems like you still need to do preventDefault(), otherwise it will do a form submission and do a post request.
| setIsLoading(true) | ||
|
|
||
| addExternalAccount({ | ||
| variables: { | ||
| serviceType: 'gerrit', | ||
| serviceID, | ||
| accountDetails: JSON.stringify({ | ||
| username: target.username.value, | ||
| password: target.password.value, | ||
| }), | ||
| }, | ||
| }) | ||
| .then(() => { | ||
| setIsLoading(false) | ||
| onDidAdd() | ||
| }) | ||
| .catch(() => { | ||
| setIsLoading(false) | ||
| }) | ||
| }, | ||
| [addExternalAccount, onDidAdd, serviceID] |
There was a problem hiding this comment.
Why is this so complicated? Can we use {loading, data, error} from the useMutation hook instead of calling setIsLoading and handling the promise? For calling onDidAdd you could leverage the onCompleted option on the useMutation hook. Or does it not want to work well with useCallback above?
There was a problem hiding this comment.
I just completely blanked on the loading state and the onCompleted option 🤦
Updated, looks a gazillion times better now, thanks!
| if (authProvider.serviceType === 'gerrit') { | ||
| setIsGerritAccountModalOpen(true) | ||
| return | ||
| } |
There was a problem hiding this comment.
We could theoretically get around special casing here by creating another route, say /login/gerrit/openmodal and routing to that from the auth provider button.
But it might be too much hassle for not such a big gain, so feel free to disregard.
| ServiceType string | ||
| } | ||
|
|
||
| func parseConfig(cfg conftypes.SiteConfigQuerier) (ps []Provider, problems conf.Problems) { |
There was a problem hiding this comment.
Consider adding a boolean to return parameters and return true if a gerrit provider config changed (which would mean that the list of providers changed).
| func (p *Provider) ConfigID() providers.ConfigID { | ||
| return providers.ConfigID{ | ||
| Type: extsvc.TypeGerrit, | ||
| ID: p.ServiceID, |
There was a problem hiding this comment.
Other auth providers add an identifier to the providers.ConfigID.ID, should we do a similar thing here?
There was a problem hiding this comment.
So that makes sense in the case of OAuth because you can have multiple OAuth clients for the same host. But here we're using basic HTTP auth, so there's only client for the entire host.
| githuboauth.Init(logger, db) | ||
| gitlaboauth.Init(logger, db) | ||
| bitbucketcloudoauth.Init(logger, db) | ||
| gerrit.Init() |
There was a problem hiding this comment.
Don't we need logger in the gerrit instance? Or db?
There was a problem hiding this comment.
The Gerrit auth provider does nothing fancy because it's basic HTTP auth. The other ones have a logger and db because they do complex stuff with all the back and forth while doing OAuth, and all those actions get initialised from there.
But for Gerrit it's only "oh here's the URL on you go then".
| Login: &blank, | ||
| URL: &blank, |
There was a problem hiding this comment.
Instead of returning empty string, why not omit the lines? These are pointers to a string in the end...
| Login: &blank, | |
| URL: &blank, |
| if err != nil { | ||
| return err | ||
| } | ||
| serializedCreds, err := json.Marshal(creds) |
There was a problem hiding this comment.
Since we store the credentials in the DB as is, what should we do about our dev instances, where DB encryption is off by default if I remember correctly? This might theoretically leak Gerrit credentials...
There was a problem hiding this comment.
I mean in those cases we're also storing private keys and oauth tokens unencrypted as well. I'm not sure if this is any more scary than that.
7616b27 to
aa3a8b4
Compare
f65e34e to
48b27d0
Compare
Closes #46622
Adds a Gerrit auth provider. It does not provide a sign in option. It appears in the Account Security page where users can add Gerrit HTTP credentials to sync Gerrit permissions.
See loom: https://www.loom.com/share/1fa6d6e5f157481a8a62f7a3703e33ca
Test plan
Lots of unit tests added and updated and I did a lot of manual testing as well.