feat: tokenless auth (part II) #308
Conversation
giovanni-guidini
requested review from
adrian-codecov,
scott-codecov,
matt-codecov and
JerrySentry
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #308 +/- ##
==========================================
+ Coverage 95.97% 96.00% +0.02%
==========================================
Files 613 613
Lines 15861 15877 +16
==========================================
+ Hits 15222 15242 +20
+ Misses 639 635 -4
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Codecov Report
@@ Coverage Diff @@
## main #308 +/- ##
==========================================
+ Coverage 95.97% 96.00% +0.02%
==========================================
Files 613 613
Lines 15861 15877 +16
==========================================
+ Hits 15222 15242 +20
+ Misses 639 635 -4
Flags with carried forward coverage won't be shown. Click here to find out more.
|
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #308 +/- ##
=======================================
- Coverage 95.59 95.57 -0.02
=======================================
Files 728 727 -1
Lines 16370 16258 -112
=======================================
- Hits 15648 15538 -110
+ Misses 722 720 -2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
giovanni-guidini
force-pushed
the
gio/tokenless/complete-auth
branch
from
c7c8773 to
5e4f182
Compare
giovanni-guidini
force-pushed
the
gio/tokenless/token-auth-conditions
branch
from
57e3903 to
69829a2
Compare
| raise ValidationError("missing branch") | ||
| # The CLI might have pre-prended the branch with something already | ||
| if ":" in branch_info: | ||
| _, branch_info = branch_info.split(":") |
There was a problem hiding this comment.
Would branch_info always have 2 items if it had a ":"?
There was a problem hiding this comment.
I think so. we do fork_slug:branch. And as mentioned by Dana here branches can't have : in them. I don't think repos can either.
| fake_provider_service.get_pull_request.assert_called_with("4") | ||
|
|
||
|
|
||
| def test_commit_tokenless_missing_branch(db, client, mocker): |
There was a problem hiding this comment.
Is tokenless reliant on there being a branch?
There was a problem hiding this comment.
only in this implementation, but it would be weird to not have a branch
There was a problem hiding this comment.
yaaa makes sense, more so me learning how this works heh
| authentication.authenticate(request) | ||
| assert str(exp.value) == "Not valid tokenless upload" | ||
|
|
||
| def test_tokenless_not_supported_services(self): |
There was a problem hiding this comment.
Does tokenless support gh and github and all there uppercase/lowercase variants?
There was a problem hiding this comment.
depends if the upload URL supports that or not. I don't think it does.
If you look in the GetterMixin (here) you'll see that the Service has a limited number of options.
There was a problem hiding this comment.
Good to know in case we ever want to support/change for multiple services
context: codecov/engineering-team#736 We want to accept tokenless uploads for forks of public repos. This is a feature that is currently missing from the CLI and upload. These changes are part I of that. What it adds: * `TokenlessAuthentication` - a new auth class that controls when a tokenless upload is accepted * scaffolding `TokenlessAuth` * `TOKENLESS_AUTH_BY_OWNER_SLUG` feature for internal testing * The logic that will let us accept a tokenless upload What is missing: * Implementation of the methods in `TokenlessAuth`, so that it can actually be used * Hooking up the auth to existing endpoints. Conditions to accept tokenless upload: 1. Request has `X-Tokenless` header, value is the fork repo slug AND `X-Tokenless-PR` header, value is the PR number 2. Request is to one of the new upload endpoints 3. The encoded repo (in the request path) exists AND is public repo 4. (temp) the repo is from an owner that can accept tokenless 5. The git service provider reports that the PR in `X-Tokenless-PR` indeed exists and is from `X-Tokenless` repo to the encoded repo.
Implement `TokenlessAuth` details, so it actually does things. Hook it tokenless auth to the upload endpoints that are supposed to support it.
Or "don't trust the CLI to do it". Introduces a check that changes request data prior to serializing commits to make sure we don't overwrite coverage for existing branch in the upstream repo if the upload comes from a fork (tokenless)
giovanni-guidini
force-pushed
the
gio/tokenless/complete-auth
branch
from
5e4f182 to
332318c
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅ 📢 Thoughts on this report? Let us know! |
Implement
TokenlessAuthdetails, so it actuallydoes things.
Hook it tokenless auth to the upload endpoints that are supposed to support it.