
Auth Token feature #1952

Merged
merged 2 commits into from
Oct 1, 2024

Conversation

barreiro (Collaborator)

as discussed in #1922

@barreiro force-pushed the auth-tokens branch 6 times, most recently from dd6925e to 636d6ac (August 30, 2024 04:54)
@barreiro marked this pull request as ready for review (September 10, 2024 03:19)
@barreiro (Collaborator, Author)

This feature is now ready for review

@lampajr (Member) commented Sep 19, 2024

Hey Luis, sorry for delay! I am planning to review this one by today/tomorrow.. I'll come back to you asap 🚀

@lampajr (Member) left a comment

Hey again,

Here is a first round of review; overall it looks good and looks to be working. I tried the use case where I upload a new run, and it works using the generated API key.

curl -s --url-query "test=optaplanner-jmh-benchmarks-8x" -X POST -H "content-type: application/json" -H 'X-Horreum-API-Key: <MY_KEY>' 'http://localhost:8080/api/run/data' -d @/tmp/op-run.json

There are still a couple of comments:

  1. @barreiro could you please rebase this on top of master? Those changes shouldn't affect this feature, but just to be sure.
  2. Return an error msg when the API key validation fails. I tried to run the same upload command with either a fake key or a revoked one, and in both cases no error is returned to the user even though the request failed.

Here an example:
If I don't send any auth token, the REST endpoint returns a generic error msg:

$ curl -s --url-query "test=optaplanner-jmh-benchmarks-8x" --url-query "owner=optaplanner-team" --url-query "start=2024-07-09T09:45:38" --url-query "stop=2024-07-09T09:45:38" -X POST -H "content-type: application/json"  'http://localhost:8080/api/run/data' -d @/tmp/op-run.json

Cannot upload to test optaplanner-jmh-benchmarks-8x% 

and in the logs I see (in DEBUG)

DEBUG [io.hyp.too.hor.svc.TestServiceImpl] (executor-thread-1) Failed to retrieve test optaplanner-jmh-benchmarks-8x as this user ( = []) is not uploader for optaplanner-team and token null does not match

If I send, instead, a revoked token:

$ curl -s --url-query "test=optaplanner-jmh-benchmarks-8x" --url-query "owner=optaplanner-team" --url-query "start=2024-07-09T09:45:38" --url-query "stop=2024-07-09T09:45:38" -X POST -H "content-type: application/json" -H 'X-Horreum-API-Key: HUSR_0A1CE383_38D9_4AFB_B094_99B0D6D6BE73' 'http://localhost:8080/api/run/data' -d @/tmp/op-run.json

there is no response at all and no logs either. I think it would be very useful to return at least an error msg, even a generic "cannot upload to test ...".

  3. In the UI, when there are no API keys set, the webview still shows the table columns:
     [screenshot from 2024-09-20 11-33-54]

I would suggest showing just the button when there are no API keys set, similarly to what we do in other places, or showing a message like "No API keys set" with the button below it (that's actually just a minor point).

@johnaohara (Member) left a comment

@barreiro this looks great!

For this PR, we need user docs added.

For future PRs I think we need to open issues to:

  • add global management of keys at admin level
  • remove "tokens" and "machine accounts" features

@barreiro (Collaborator, Author)

@lampajr

  1. rebase this on top of master

👍

  2. Return error msg when the API Key validation failed,

This is not possible, unfortunately. The error msg in your example comes from the exception that is thrown in the service logic. For an authentication failure you get a plain 401 Unauthorized response that comes from Quarkus. The IdentityProvider, where validation of the API key happens, can authenticate the request but it can't rule out authentication through other mechanisms.

For reference, a better way to deal with this would be to use curl -i or curl -w "%{http_code}" to see the response.

  3. The UI

👍
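The point made above (a rejected API key produces a bare 401 from the framework with no body, while a service-level refusal comes back with a message) means a client has to look at the status code, not the body, to tell the two apart. The script below is an added example and is not code from the Horreum project or this PR: it wraps the upload command used in the review with curl -w '%{http_code}' and classifies the result. It assumes the key is supplied in an environment variable named HORREUM_API_KEY (so it does not land in shell history or `ps` output) and uses the /api/run/data endpoint and X-Horreum-API-Key header exactly as they appear in the thread; the HORREUM_URL and HORREUM_UPLOAD variables are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the Horreum project or this PR.
# Uploads a run with an API key and reports the HTTP status, because a
# failed API-key check ends in a 401 from Quarkus with no body to read.
# Assumed: the key is in $HORREUM_API_KEY; endpoint and header names are
# the ones used in the review thread.

# classify_status CODE BODY
# Prints a one-line diagnosis; returns 0 only for a 2xx response.
classify_status() {
  code=$1
  body=$2
  case "$code" in
    2*)      echo "upload accepted (HTTP $code)${body:+: $body}"; return 0 ;;
    401)     echo "authentication failed (HTTP 401): API key missing, invalid or revoked"; return 1 ;;
    403)     echo "authenticated but not allowed (HTTP 403)${body:+: $body}"; return 1 ;;
    4*)      echo "request rejected by service logic (HTTP $code)${body:+: $body}"; return 1 ;;
    5*)      echo "server error (HTTP $code)${body:+: $body}"; return 1 ;;
    000|"")  echo "no HTTP response (connection failed?)"; return 1 ;;
    *)       echo "unexpected status $code${body:+: $body}"; return 1 ;;
  esac
}

# horreum_upload BASE_URL TEST_NAME RUN_JSON_FILE [extra curl args...]
# Runs the POST from the review thread. curl prints the response body and
# then the status code on its own line; the two are split and classified.
horreum_upload() {
  base=$1; test_name=$2; run_file=$3; shift 3
  [ -n "$HORREUM_API_KEY" ] || { echo "HORREUM_API_KEY is not set" >&2; return 2; }
  out=$(curl -s --url-query "test=$test_name" -X POST \
          -H 'content-type: application/json' \
          -H "X-Horreum-API-Key: $HORREUM_API_KEY" \
          -w '\n%{http_code}' "$@" \
          "$base/api/run/data" -d @"$run_file")
  code=$(printf '%s\n' "$out" | tail -n 1)
  body=$(printf '%s\n' "$out" | sed '$d')
  classify_status "$code" "$body"
}

# The network call only runs when HORREUM_UPLOAD=1, so the functions can be
# sourced or checked without a server:
#   HORREUM_API_KEY=... HORREUM_UPLOAD=1 sh upload.sh
if [ "${HORREUM_UPLOAD:-0}" = 1 ]; then
  horreum_upload "${HORREUM_URL:-http://localhost:8080}" \
    optaplanner-jmh-benchmarks-8x /tmp/op-run.json \
    --url-query owner=optaplanner-team
fi
```

A missing or revoked key and a fake key all surface as the same "authentication failed (HTTP 401)" line, which matches the observation in the thread that the identity provider cannot say more than "not authenticated"; a refusal from the service logic keeps its message and its own 4xx status.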

@barreiro force-pushed the auth-tokens branch 3 times, most recently from 66ec5da to bb8d174 (September 27, 2024 20:11)

@johnaohara (Member)

@barreiro we need docs, is there a separate PR for docs?

@johnaohara johnaohara merged commit 5608049 into Hyperfoil:master Oct 1, 2024
2 checks passed