Set up GitHub oauth for rerun button #13008
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
high-level design question (maybe for @cjwagner or @Katharine): how would this fit into things like gerrit? |
|
Why do we want this? The modal popup doesn't do anything other than show you a command you already can't run if you don't have rights. |
We eventually want to make the button trigger the test directly, and we'll need the GitHub oauth to make sure the user has the rights. This is the first step toward that. |
|
I don't want this change, though. Today, when people ask me to rerun a job for them they paste me the command and I just run it. This change would make it not possible for them to do that. |
|
You'll still be able to rerun jobs for people, since the /rerun endpoint will stay the same, and they can send you the job number, which is viewable from the new YAML button. I could also still show the popup (without oauth required) in addition to giving the option to rerun directly (which would require oauth). |
|
I would rather not change the current UX. What is our final state we're designing towards, here? Are we changing the behavior of
The page could also be used to trigger a job (not necessarily by getting there from an exiting job's view) to allow users to trigger runs of jobs that did not have any current ProwJob records. IMO we should present the new feature as a standalone item, let it mature, then migrate to it and remove the old button as necessary. This is similar to the approach @Katharine took in implementing |
|
Throw those out to the SIG on Slack and the mailing list when you've got them, it's great to read :) |
|
I agree with Steve that I don't think it makes sense to launch parts of this piecemeal into production - the end state is strictly better, but the intermediate states include confusing regressions from current functionality, and shouldn't be what we serve users while we keep working on it. |
|
I'll modify this PR so the current popup can still be viewed without oauth, and I'll add a button on the current popup that requires oauth but does nothing (this will turn into the "trigger job directly" button later). Thanks everyone for your input :) |
|
It now doesn't require oauth until you click the "Run" button: |
What about featuregating this? That way, @mirandachrist can get something merged without needing the full thing to be done. Additionally, users like us that have a deck instance that is not publicly accessible might want to never activate this feature, because everyone who gets to the point of seeing the button is permitted to use it |
There was a problem hiding this comment.
This looks good from the perspective of doing the authentication.
I'm not sure I love adding a button that explicitly doesn't work - it would be nice to gate that so everyone doesn't see it when they update. I'm also not totally convinced that it should be a link in the already-logged-in case, but I don't think that's the intended final form?
A side note: you've marked a bunch of comments as "resolved", but they haven't been changed. I assume you use this to mean you have made the changes in your working copy. For the sanity of your reviewers, I would request that you not mark something as resolved until you have pushed up the relevant changes.
prow/cmd/deck/static/pr/pr.ts
Outdated
| @@ -387,8 +387,10 @@ function getFullPRContext(builds: Job[], contexts: Context[]): UnifiedContext[] | |||
| */ | |||
| function loadPrStatus(prData: UserData): void { | |||
| const tideQueries: TideQuery[] = []; | |||
| for (const query of tideData.TideQueries) { | |||
| tideQueries.push(new TideQuery(query)); | |||
| if (tideData.TideQueries != null) { | |||
There was a problem hiding this comment.
Can this happen? According to the definition of TideData, it can't, in which case this check makes no sense.
If you think it can happen, then a) please explain when it happens, and then b) fix the typescript definition of TideData to match. You'll probably subsequently have to make a lot of other changes too.
There was a problem hiding this comment.
This fixed a null pointer error that was coming up in my test instance when there were no TideQueries. Honestly, I'm not really sure what was going on. Should I just change it back?
There was a problem hiding this comment.
This is probably a real bug that should probably be fixed. I haven't traced the code in depth, but my educated guess is as follows:
Go considers nil to be a valid, empty slice. Consequently, it is idiomatic to initialise a slice with nil (by doing e.g. var someSlice []string or whatever). This nil then eventually gets JSON serialised as null (because it's not really an empty slice, it's just null). While the Go structs do not specify omitempty, and so the empty value is included, the empty value is null rather than an empty array ([]). Unfortunately, Go is unusual in thinking that null is a valid array, and so when we later parse that in TypeScript, it is null with no type and any attempt to operate on it fails.
To fix this, we should either change the TypeScript type so it accepts nulls (and then add null checks probably all over the place), or change the Go code so it can never be nil (e.g. by actually initialising to an empty slice somewhere).
In either case, though, the fix probably belongs in another PR - I'd file an issue, remove this change, and follow up later.
There was a problem hiding this comment.
Go is unusual in thinking that null is a valid array
If we're being very pedantic, nil is a valid (zero) value for a slice, but not an array ;)
There was a problem hiding this comment.
Added an issue
prow/githuboauth/githuboauth.go
Outdated
| @@ -92,6 +109,8 @@ func NewAgent(config *config.GitHubOAuthConfig, logger *logrus.Entry) *Agent { | |||
| // redirect user to GitHub OAuth end-point for authentication. | |||
| func (ga *Agent) HandleLogin(client OAuthClient) http.HandlerFunc { | |||
| return func(w http.ResponseWriter, r *http.Request) { | |||
| destPage := r.URL.Query().Get("dest") | |||
| rerunStatus := r.URL.Query().Get("rerun_status") | |||
There was a problem hiding this comment.
This feels very specific to the particular reason we are logging in. Would it make sense to be more generic?
There was a problem hiding this comment.
In the future, this will contain the name of the prow job, so when the page reloads after logging in, the same popup for the same job appears. I renamed it to make it make a little more sense.
prow/githuboauth/githuboauth.go
Outdated
| // Exchanges code from GitHub OAuth redirect for user access token. | ||
| Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) | ||
| // Returns a URL to GitHub's OAuth 2.0 consent page. The state is a token to protect the user | ||
| // from an XSRF attack. | ||
| AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string | ||
| } | ||
|
|
||
| type RealOAuthClient struct { |
There was a problem hiding this comment.
Got rid of this. It was "real" in contrast to the mock OAuthClient in the tests.
prow/cmd/deck/static/prow/prow.ts
Outdated
| if (login === "") { | ||
| i.href = `https://${window.location.hostname}/github-login?rerun_status=work_in_progress`; | ||
| } else { | ||
| runButton.href = `https://${window.location.hostname}/?rerun_status=work_in_progress`; |
There was a problem hiding this comment.
On further thought, I'm also not a huge fan of this being a link at all, but perhaps that's going to change?
There was a problem hiding this comment.
In the future, it will link to the /rerun endpoint and rerun the job, as in Alvaro's PR
There was a problem hiding this comment.
Did we decide against a dialog in the page? I haven't checked the design doc recently.
There was a problem hiding this comment.
We will have a dialog:
runButton will become the button in the bottom right. After the test is triggered, we'll have another dialog saying it was successful.
|
/lint |
There was a problem hiding this comment.
@Katharine: 5 warnings.
In response to this:
/lint
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
mirandachrist
force-pushed
the
oauth
branch
2 times, most recently
from
64fb313
to
93d5f4a
Compare
|
I think these two comments are still outstanding: |
k8s-ci-robot
removed
the
lgtm
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
added
size/XXL
|
I don't think you wanted to include |
k8s-ci-robot
added
needs-rebase
|
@mirandachrist: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
removed
the
needs-rebase
|
Removed @Katharine |
|
You likely want to squash your commits :) |
|
Done |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 7f73954eb39aa90c502ab0826a5cd7d802ae213f
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Katharine, mirandachrist, stevekuznetsov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
More specifically, this change will make it check if the user is logged in when they click the rerun button. If they are, the rerun button will do what it already does and show a popup with a command to run to rerun the test.
If the user is not logged in, it will redirect to GitHub oauth, then redirect back to prow.k8s.io
/assign @cjwagner
/cc @fejta
/cc @Katharine