Closed
Bug 1179789
Opened 9 years ago
Closed 9 years ago
taskcluster-client-go: add missing auth methods (generate temp creds, authorized scopes, bewit/signed urls)
Categories
(Taskcluster :: Services, defect)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: pmoore, Assigned: pmoore)
References
Details
Attachments
(3 files)
See http://docs.taskcluster.net/auth/temporary-credentials/#signature-generation
This utility method already exists in node taskcluster client:
https://github.com/taskcluster/taskcluster-client/blob/b9d45bc23b8755bec792138b9b2458a08bd49cd5/lib/client.js#L564-L579
We should also add it to go client.
I believe we do this on the client to avoid transmitting private credentials, therefore a utility method in the client makes sense.
Assignee | ||
Comment 1•9 years ago
|
||
Are there any other utility methods that should be added? Would make sense for me to add them at the same time.
Flags: needinfo?(jopsen)
Comment 2•9 years ago
|
||
> I believe we do this on the client to avoid transmitting private credentials,
> therefore a utility method in the client makes sense.
We do it in the client because we can... We very much designed it to work like that.
- I hope it's secure, hash functions are not really as random as we sometime hope they are :)
> Are there any other utility methods that should be added? Would make sense for me to add them
> at the same time.
taskcluster.fromNow("2 years 2 min 21s") and taskcluster.fromNowJSON("1 day 2 hours")
are pretty nice to have in node when writing tasks, see:
https://github.com/taskcluster/taskcluster-client/blob/master/lib/utils.js#L5-L14
https://github.com/taskcluster/taskcluster-client#relative-date-time-utilities
But maybe go has better ways of easily making dates, in a more robust manner.
Anyways, these are definitely not critical to add.
-----------
If you want completeness I would look at support restricted scopes:
http://docs.taskcluster.net/auth/authorized-scopes/
It's basically adding a key "authorizedScopes" to the JSON object we base64 encoded and added as ext.
Just like how we added certificate. The trick is that you'll need to support both certificate and
authorizedScopes in some cases.
Also if you haven't, you can look at implementing support for signing URLS:
http://docs.taskcluster.net/auth/signed-urls/
This is really just a matter of using bewit... Oh, and yes it works with ext too, so you can use both
authorizedScopes and temporary credentials :)
-----------
IMO, none of these are critical features... Not even generation of temporary credentials.
They are nice to have, and they are features we likely to have to review in the future.
Due to size limitations of headers (typically 8kb).
Flags: needinfo?(jopsen)
Assignee | ||
Updated•9 years ago
|
Component: TaskCluster → General
Product: Testing → Taskcluster
Assignee | ||
Updated•9 years ago
|
Component: General → Client Libraries
Assignee | ||
Comment 3•9 years ago
|
||
Will model this after the temporary credentials canonical implementation (node.js):
* https://github.com/taskcluster/taskcluster-client/blob/0b4ee6d64f3ad0262bfda4d1b0a6b1933e121a63/lib/client.js#L562-L650
At the same time, I'll double check consistency of implementation against:
* http://docs.taskcluster.net/auth/temporary-credentials/
Assignee | ||
Comment 4•9 years ago
|
||
Added method for generating temporary credentials:
* https://godoc.org/github.com/taskcluster/taskcluster-client-go/tcclient#Credentials.CreateTemporaryCredentials
Updated existing integration test to cancel a task using temp creds:
* https://github.com/taskcluster/taskcluster-client-go/blob/325909b8598b805b0ec5ac1d7601470efe556699/codegenerator/generatemodel/integration_test.go#L198-L208
Assignee | ||
Updated•9 years ago
|
Summary: taskcluster-client-go: add a utility method for generating temporary credentials → taskcluster-client-go: add missing auth methods (generate temp creds, authorized scopes, bewit)
Assignee | ||
Comment 5•9 years ago
|
||
Added support for Authorized Scopes to taskcluster-client-go...
See http://docs.taskcluster.net/auth/authorized-scopes
Assignee | ||
Comment 6•9 years ago
|
||
Assignee | ||
Comment 7•9 years ago
|
||
(In reply to Pete Moore [:pmoore][:pete] from comment #6)
> Still to do: signed urls, i.e.
>
> * http://docs.taskcluster.net/auth/signed-urls
> *
> https://github.com/taskcluster/taskcluster-client/blob/
> 0b4ee6d64f3ad0262bfda4d1b0a6b1933e121a63/lib/client.js#L473-L542
This is the PR for signed URLs. Note that it depends on commits made in the first PR of this bug (PR #5 for authorized scopes) so it probably makes sense to only review this after completing the previous review. Then all the commits from the previous review should disappear from this new one.
Attachment #8706850 -
Flags: review?(garndt)
Assignee | ||
Updated•9 years ago
|
Attachment #8705781 -
Attachment description: Github Pull Request for taskcluster-client-go → Github Pull Request for taskcluster-client-go - authorized scopes
Assignee | ||
Comment 8•9 years ago
|
||
For completeness, adding the patch which adds the "create temporary credentials from permanent credentials" feature. This was added back in comment 4 - at the time I was not requesting reviews for all my changes, hence why there is no review.
Assignee | ||
Updated•9 years ago
|
Summary: taskcluster-client-go: add missing auth methods (generate temp creds, authorized scopes, bewit) → taskcluster-client-go: add missing auth methods (generate temp creds, authorized scopes, bewit/signed urls)
Assignee | ||
Comment 9•9 years ago
|
||
(In reply to Jonas Finnemann Jensen (:jonasfj) from comment #2)
> > Are there any other utility methods that should be added? Would make sense for me to add them
> > at the same time.
> taskcluster.fromNow("2 years 2 min 21s") and taskcluster.fromNowJSON("1 day
> 2 hours")
> are pretty nice to have in node when writing tasks, see:
> https://github.com/taskcluster/taskcluster-client/blob/master/lib/utils.
> js#L5-L14
> https://github.com/taskcluster/taskcluster-client#relative-date-time-
> utilities
>
> But maybe go has better ways of easily making dates, in a more robust manner.
Yes, I think go already has this covered with https://golang.org/pkg/time/#Duration and associated functions and methods.
Note: for the go implementation[1] of creating temporary credentials from permanent credentials, instead of taking a start time and end time, it simply requires a time.Duration for the credentials to remain valid, with them becoming valid immediately (technically 5 mins in the past, to cover clock-drift issues).
1) https://godoc.org/github.com/taskcluster/taskcluster-client-go/tcclient#Credentials.CreateTemporaryCredentials
Comment 10•9 years ago
|
||
Comment on attachment 8705781 [details] [review]
Github Pull Request for taskcluster-client-go - authorized scopes
Merged in https://github.com/taskcluster/taskcluster-client-go/commit/67c06bf65ae8fd09f5171ba70881de2c714b007e
Attachment #8705781 -
Flags: review?(garndt) → review+
Comment 11•9 years ago
|
||
Comment on attachment 8706850 [details] [review]
Github Pull Request for taskcluster-client-go - signed urls
merged in https://github.com/taskcluster/taskcluster-client-go/commit/e2898f6e533b3797099c96cfdb2f3d974dabe43d
Attachment #8706850 -
Flags: review?(garndt) → review+
Assignee | ||
Updated•9 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•6 years ago
|
Component: Client Libraries → Services
You need to log in
before you can comment on or make changes to this bug.
Description
•