Closed Bug 1179789 Opened 9 years ago Closed 9 years ago

taskcluster-client-go: add missing auth methods (generate temp creds, authorized scopes, bewit/signed urls)

Categories

(Taskcluster :: Services, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pmoore, Assigned: pmoore)

References

Details

Attachments

(3 files)

See http://docs.taskcluster.net/auth/temporary-credentials/#signature-generation This utility method already exists in node taskcluster client: https://github.com/taskcluster/taskcluster-client/blob/b9d45bc23b8755bec792138b9b2458a08bd49cd5/lib/client.js#L564-L579 We should also add it to go client. I believe we do this on the client to avoid transmitting private credentials, therefore a utility method in the client makes sense.
Are there any other utility methods that should be added? Would make sense for me to add them at the same time.
Flags: needinfo?(jopsen)
> I believe we do this on the client to avoid transmitting private credentials, > therefore a utility method in the client makes sense. We do it in the client because we can... We very much designed it to work like that. - I hope it's secure, hash functions are not really as random as we sometime hope they are :) > Are there any other utility methods that should be added? Would make sense for me to add them > at the same time. taskcluster.fromNow("2 years 2 min 21s") and taskcluster.fromNowJSON("1 day 2 hours") are pretty nice to have in node when writing tasks, see: https://github.com/taskcluster/taskcluster-client/blob/master/lib/utils.js#L5-L14 https://github.com/taskcluster/taskcluster-client#relative-date-time-utilities But maybe go has better ways of easily making dates, in a more robust manner. Anyways, these are definitely not critical to add. ----------- If you want completeness I would look at support restricted scopes: http://docs.taskcluster.net/auth/authorized-scopes/ It's basically adding a key "authorizedScopes" to the JSON object we base64 encoded and added as ext. Just like how we added certificate. The trick is that you'll need to support both certificate and authorizedScopes in some cases. Also if you haven't, you can look at implementing support for signing URLS: http://docs.taskcluster.net/auth/signed-urls/ This is really just a matter of using bewit... Oh, and yes it works with ext too, so you can use both authorizedScopes and temporary credentials :) ----------- IMO, none of these are critical features... Not even generation of temporary credentials. They are nice to have, and they are features we likely to have to review in the future. Due to size limitations of headers (typically 8kb).
Flags: needinfo?(jopsen)
Component: TaskCluster → General
Product: Testing → Taskcluster
Component: General → Client Libraries
See Also: → 1097780
Blocks: 1235399
Will model this after the temporary credentials canonical implementation (node.js): * https://github.com/taskcluster/taskcluster-client/blob/0b4ee6d64f3ad0262bfda4d1b0a6b1933e121a63/lib/client.js#L562-L650 At the same time, I'll double check consistency of implementation against: * http://docs.taskcluster.net/auth/temporary-credentials/
Summary: taskcluster-client-go: add a utility method for generating temporary credentials → taskcluster-client-go: add missing auth methods (generate temp creds, authorized scopes, bewit)
Added support for Authorized Scopes to taskcluster-client-go... See http://docs.taskcluster.net/auth/authorized-scopes
Assignee: nobody → pmoore
Status: NEW → ASSIGNED
Attachment #8705781 - Flags: review?(garndt)
(In reply to Pete Moore [:pmoore][:pete] from comment #6) > Still to do: signed urls, i.e. > > * http://docs.taskcluster.net/auth/signed-urls > * > https://github.com/taskcluster/taskcluster-client/blob/ > 0b4ee6d64f3ad0262bfda4d1b0a6b1933e121a63/lib/client.js#L473-L542 This is the PR for signed URLs. Note that it depends on commits made in the first PR of this bug (PR #5 for authorized scopes) so it probably makes sense to only review this after completing the previous review. Then all the commits from the previous review should disappear from this new one.
Attachment #8706850 - Flags: review?(garndt)
Attachment #8705781 - Attachment description: Github Pull Request for taskcluster-client-go → Github Pull Request for taskcluster-client-go - authorized scopes
For completeness, adding the patch which adds the "create temporary credentials from permanent credentials" feature. This was added back in comment 4 - at the time I was not requesting reviews for all my changes, hence why there is no review.
Summary: taskcluster-client-go: add missing auth methods (generate temp creds, authorized scopes, bewit) → taskcluster-client-go: add missing auth methods (generate temp creds, authorized scopes, bewit/signed urls)
(In reply to Jonas Finnemann Jensen (:jonasfj) from comment #2) > > Are there any other utility methods that should be added? Would make sense for me to add them > > at the same time. > taskcluster.fromNow("2 years 2 min 21s") and taskcluster.fromNowJSON("1 day > 2 hours") > are pretty nice to have in node when writing tasks, see: > https://github.com/taskcluster/taskcluster-client/blob/master/lib/utils. > js#L5-L14 > https://github.com/taskcluster/taskcluster-client#relative-date-time- > utilities > > But maybe go has better ways of easily making dates, in a more robust manner. Yes, I think go already has this covered with https://golang.org/pkg/time/#Duration and associated functions and methods. Note: for the go implementation[1] of creating temporary credentials from permanent credentials, instead of taking a start time and end time, it simply requires a time.Duration for the credentials to remain valid, with them becoming valid immediately (technically 5 mins in the past, to cover clock-drift issues). 1) https://godoc.org/github.com/taskcluster/taskcluster-client-go/tcclient#Credentials.CreateTemporaryCredentials
Comment on attachment 8705781 [details] [review] Github Pull Request for taskcluster-client-go - authorized scopes Merged in https://github.com/taskcluster/taskcluster-client-go/commit/67c06bf65ae8fd09f5171ba70881de2c714b007e
Attachment #8705781 - Flags: review?(garndt) → review+
Attachment #8706850 - Flags: review?(garndt) → review+
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Component: Client Libraries → Services
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: