Make cache service work with authenticated asset downloads #6120
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #6120 +/- ##
=======================================
Coverage 98.98% 98.98%
=======================================
Files 396 396
Lines 39557 39558 +1
=======================================
+ Hits 39157 39158 +1
Misses 400 400 ☔ View full report in Codecov by Sentry. |
okurz
approved these changes
Jan 15, 2025
* Use API credentials in cache service downloads * See https://progress.opensuse.org/issues/170380
* Use signatures * Use more compact coding style
The openQA user agent code so far preserves manually set headers including the `X-API-…` headers used for authentication. This is probably not required and has the problematic side-effect that those headers are not updated when following redirections. That means authentication fails when a redirection is in place. This is the case when querying assets of a job as done by the cache service. In order to make the cache service work when authentication for assets is enabled via 4c8ed39 this change updates the `X-API-…` headers regardless of whether they are already present. Any custom values will be overridden but preserving custom values is not required anyways. (The accepted header will still be preserved.) Related ticket: https://progress.opensuse.org/issues/174154
okurz
approved these changes
Jan 16, 2025
When the `/api/v1/auth` route is used via the NGINX configuration `auth_request` the request URL is not the URL relevant for authentication because the request URL/path will always be `/api/v1/auth`. Instead the `X-Original-URI` is used to specify the actual path as done in the NGINX config template. Related ticket: https://progress.opensuse.org/issues/170380
|
I pushed one more commit because I forgot to include these changes into the commit yesterday. |
okurz
approved these changes
Jan 16, 2025
Wabri
approved these changes
Jan 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR incorporates #6114 which should probably be merged first.
It will tweak the cache service and the openQA user agent in general so both work when authenticated asset downloads are enabled. See https://progress.opensuse.org/issues/170380 and individual commit messages for details.
If wanted I can also extend tests. (Maybe I'll have to adapt tests anyway.) I tested this locally. Before this change it didn't work and with it it works when connecting directly and when using NGINX.