Move AuthorisationRequestManager interface towsmaster/che-core-api-factory module in order to avoid circular dependency.
Rework the get oauth token method to return an oauth token from kubernetes secrets if token is not found in the system memory of the che-server pod. If provider name value is not configured in the kubernetes secret oauth token, get the token by mapping it by provider url from the secret and oauth provider name from the aouth config secret.
Pass status code to Exception on Unauthorised to GitHub Error in order to be able to recognise GitHub Server url if oAuth is not configured and no PAT is present.
Add necessary checks to the GithubURLParser and AbstractGithubURLParser classes in order to support PAT for GitHub Enterprise server without configuring oAuth.
Change the getHostName() function to getProviderUrl() in order to fix an error while updating an oauth token on workspace start.
Throw ScmUnauthorizedException if an oAuth token is not valid, for the dashboard to open the authorisation page and update the token.
If user rejects an scm provider authorisation request while creating or starting existed workspace store the name of the scm provider in the workspace-preferences config-map. The workspace create/start step must proceed without token fetch step. If user creates another workspace or starts existed workspace from an scm provider which name is stored in the config-map, do not ask the authorisation as it was already rejected once.
Return the SSH factory resolver in order to handle SSH urls from unsupported SCM providers.
Add a priority value for all factory resolvers to be able to control resolver's priority.
---------
Co-authored-by: Aleksandr Shmaraiev <oshmarai@redhat.com>
Add a null check to prevent NullPointer exception while reading body from the GitHub API response. response.body() should not return null according to the java documentation, but the NullPointer exception was found in the customer debug logs
Duplicate the git-credentials secret creation step on create personal access token secret. Currently this step is performed on workspace provision step but in this case the PAT secret might be initialised when the provision is finished. In order to synchronise the personal access token secret and git credentials secret creation step duplicate the git credentials secret creation step after the PAT secret creation step.
Refactor the get(scmServerUrl) function in the KubernetesPersonalAccessTokenManager class
Change user.getName() to user.getLogin() in the GitHub getTokenScopes() API request, in order to fix a bug where NullPointer exception is appeared when a GitHub user request returns a user with null in the name field.
Ignore the che.eclipse.org/scm-username annotation when fetching token from a PAT secret. Instead fetch the username from the isValid(<token>) request.
Pass string to ObjectMapper instead of InputStream in order to avoid No content to map due to end-of-input error caused by jdk.internal.net.http.ResponseSubscribers$HttpResponseInputStream.
An error was discovered in our customers environment
On workspace start iterate user PAT secrets. If a PAT secret is not included to the devworkspace-merged-git-credentials secret, create a git credentials secret based on the PAT secret.
Remove the redundant logic of creation an empty workspace-credentials-secret secret.
Add a parsing rule to detect credentials in factory URLs if it is in a format https://<username>:<pasword>@hostname.
Extract the credentials from factory URLs and pass them to the devfile content request.
In order to be able to use the generated github token from the workspace pod in the github CLI tool, add the necessary token scope to the list of default scopes.
To update next year:
find . -name "*" -exec sed -i -r -e "s@-2023 Red Hat@-2024 Red Hat@g" {} \;
Change-Id: I2167da69ac584e743e61f4bbe699f06296911857
Signed-off-by: Nick Boldt <nboldt@redhat.com>
Signed-off-by: Nick Boldt <nboldt@redhat.com>
Currently when user rejects the oauth page for GitHub factory, Che tries to continue the factory flow without authentication (possible only for public repo). Apply the logic for the other git authentication providers.
Inject the che.integration.github.disable_subdomain_isolation env variable property to handle the subdomain isolation GitHub option while returning the GitHub raw file location.
Fix the /token/refresh/ factory API method by picking out the hostname from the url parameter and passing it to personalAccessTokenManager.getAndStore(hostname) instead of the entire factory url
Refactor the factory flow and isolate the place where the OAuth token is fetched and stored to the git secret.
Create a new API method with the isolated flow.
The API method is going to be used for the token verification step when a factory is restarted from dashboard.
Currently the GitHub OAuth provider is hardcoded to https://github.com endpoint. In order to support Github Enterprise Server, the endpoint of the GitHub OAuth provider is configurable by the oauth secret.
Do not throw an exception when validating an expired oauth token, return false instead.
When a factory starts and oauth token is found, che-server checks the token:
current behaiviour: if the oauth token is not valid, the validation check throws an exception and the factory creation is interrupted.
PR behaviour: if the oauth token is not valid, the validation check returns false instead of an error, so token regeneration mechanism starts and the factory is created successfully.
GitHub allows to use only 60 unauthorized reqests per host. In order to avid API rate limit exceeded GitHub eroor,
substitute the unauthorized GitHub API request to an HTTP repository request.
Before, it was done only in case of private repositories
Now it will try on all public and private repositories
If there is no oAuth configured for the current SCM URL, try to fetch
with unauthenticated access
Igor Vinokur