This repository was archived by the owner on Sep 30, 2024. It is now read-only.
feat/dotcom: add Enterprise Portal auth proxy #63652
Merged
Comment on lines 121 to 155
Check notice: Code scanning / Semgrep OSS. Semgrep Finding: security-semgrep-rules.semgrep-rules.generic.comment-tagging-rule
jac approved these changes Jul 8, 2024
Co-authored-by: Andre Eleuterio <andreeleuterio@users.noreply.github.com>
evict approved these changes Jul 9, 2024
bobheadxi referenced this pull request Jul 10, 2024
Closes https://linear.app/sourcegraph/issue/CORE-211

See https://linear.app/sourcegraph/issue/CORE-100 for a higher-level view - this is the first proof-of-concept for achieving our migration strategy to extract Enterprise subscription data out of dotcom while retaining the existing UI until a future project ships a dedicated Enterprise Portal UI (https://linear.app/sourcegraph/project/kr-p-enterprise-portal-user-interface-dadd5ff28bd8).

The integration uses generated ConnectRPC client code + `react-query`, the latter of which has already been used elsewhere for SSC integrations. This is partly supported by https://github.com/connectrpc/connect-query-es which offers mostly-first-class integration with `react-query`, but I had to do some finagling to provide the query clients directly as I can't get the React provider thing to work.

The ConnectRPC clients point to the proxies introduced in https://github.com/sourcegraph/sourcegraph/pull/63652 which authenticates the requests for Enterprise Portal, until we ship https://linear.app/sourcegraph/project/kr-p1-streamlined-role-assignment-via-sams-and-entitle-2f118b3f9d4c/overview

## Test plan

### Local

First, `sg start dotcom`

Choose a subscription you have locally. Use `psql -d sourcegraph` to connect to local database, then:

```
sourcegraph=# delete from product_licenses where product_subscription_id = '<local subscription ID>';
DELETE 1
sourcegraph=# update product_subscriptions set id = '58b95c21-c2d0-4b4b-8b15-bf1b926d3557' where id = '<local subscription ID>';
UPDATE 1
```

Now annoyingly the UI will break because there is no license, we need:

```gql
query getGraphQLID {
  dotcom {
    productSubscription(uuid:"58b95c21-c2d0-4b4b-8b15-bf1b926d3557") {
      id # graphQL ID
    }
  }
}

mutation createLicense {
  dotcom {
    generateProductLicenseForSubscription(productSubscriptionID:"<graphQLID>", license:{
      tags:["dev"]
      userCount:100
      expiresAt:1814815397
    }) {
      id
    }
  }
}
```

This effectively lets us have a "pretend S2" subscription locally.

Visiting the subscription page now at https://sourcegraph.test:3443/site-admin/dotcom/product/subscriptions/58b95c21-c2d0-4b4b-8b15-bf1b926d3557

The data matches the "real" data currently at https://sourcegraph.com/site-admin/dotcom/product/subscriptions/58b95c21-c2d0-4b4b-8b15-bf1b926d3557

### Against dotcom

```
sg start web-standalone
```

follow https://www.loom.com/share/6cb3b3ca475b4b9392aa4b11938e76e6?sid=6cd1a689-d75d-4133-bcff-b0c7d25b23f1 and then check out some product subscriptions

Part of https://linear.app/sourcegraph/issue/CORE-211
This introduces authenticated proxies that allow dotcom site admins access to dev and production Enterprise Portal instances, authenticated with client credentials issued to the dotcom instance. The medium-term goal is to use this proxy so that we can use the existing subscriptions UI, backed by the new Enterprise Portal deployments (e.g. https://github.com/sourcegraph/sourcegraph/pull/63653, tracking issue: https://linear.app/sourcegraph/issue/CORE-100/enterprise-portal-migrate-away-from-dotcom-db-as-source-of-truth), until we have a dedicated UI for Enterprise Portal (https://linear.app/sourcegraph/project/kr-p-enterprise-portal-user-interface-dadd5ff28bd8)
This is required until we ship https://linear.app/sourcegraph/project/kr-p1-streamlined-role-assignment-via-sams-and-entitle-2f118b3f9d4c/overview, which will allow SAMS to be the source-of-truth for who is a site admin in Sourcegraph.com. Once we have that information, we can use the user's SAMS session directly in Enterprise Portal to authorize access to Enterprise Portal data.
Test plan
Set up `dev-private` with dev credentials: https://github.com/sourcegraph/dev-private/pull/101

`sg start dotcom`, create a personal access token, and try to make ConnectRPC requests matching the spec to the new endpoints:

Note that the URL path after `/.api/enterpriseportal/dev/`, i.e. `/enterpriseportal.subscriptions.v1.SubscriptionsService/ListEnterpriseSubscriptions`, and the shape of the parameters, are all the same as if you curl'd the Enterprise Portal API directly, per the Connect protocol: https://connectrpc.com/docs/protocol/

Both local and dev reach out to the existing SAMS dev deployment for credentials, so the `dev-private` credentials work OOTB for both.
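
The proxy pattern this description outlines, as an added Go example that is not the code from this PR: the handler admits only site admins, then replaces the caller's credentials with the proxy's own service token before forwarding. `NewPortalProxy`, `isSiteAdmin`, `serviceToken` and the upstream URL are hypothetical stand-ins for the real session check and the client-credentials token source.

```go
package main

import (
	"context"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Path prefix from the PR description; everything after it is the Connect RPC path.
const proxyPrefix = "/.api/enterpriseportal/dev"

type tokenKey struct{}

// NewPortalProxy (hypothetical name) forwards site-admin requests to upstream,
// authenticated with the proxy's own service token, never the caller's credentials.
func NewPortalProxy(upstream *url.URL, isSiteAdmin func(*http.Request) bool,
	serviceToken func() (string, error)) http.Handler {
	rp := &httputil.ReverseProxy{Rewrite: func(pr *httputil.ProxyRequest) {
		pr.SetURL(upstream)
		// Rewrite runs after hop-by-hop headers are stripped, so a client-sent
		// "Connection: Authorization" cannot remove the header set here.
		pr.Out.Header.Del("Cookie")
		tok, _ := pr.In.Context().Value(tokenKey{}).(string)
		pr.Out.Header.Set("Authorization", "Bearer "+tok)
	}}
	return http.StripPrefix(proxyPrefix, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isSiteAdmin(r) { // authorize before fetching any upstream credential
			http.Error(w, "site admin required", http.StatusForbidden)
			return
		}
		tok, err := serviceToken()
		if err != nil || tok == "" {
			http.Error(w, "upstream credentials unavailable", http.StatusBadGateway)
			return
		}
		rp.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), tokenKey{}, tok)))
	}))
}

func main() {
	up, _ := url.Parse("https://enterprise-portal.example.invalid") // placeholder upstream
	admin := func(r *http.Request) bool { return false }            // deny-all stand-in
	token := func() (string, error) { return "constructed-token", nil }
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewPortalProxy(up, admin, token)))
}
```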