Add session gateway #84
merenbach merged 4 commits into argoproj:master from merenbach:add-session-gateway
Conversation
Could you rebase the changes onto master so we can see just the delta between this and the

@jessesuen rebased onto master.
server/server.go
Outdated
	return ctx, fmt.Errorf("user is not allowed access")
}

	return ctx, fmt.Errorf("empty metadata")
This interceptor should return grpc errors instead of generic go errors. Specifically it should be:
grpc.Errorf(codes.Unauthenticated, message)
}

// AuthFuncOverride overrides the authentication function and let us not require auth to receive auth.
func (s *Server) AuthFuncOverride(ctx context.Context, fullMethodName string) (context.Context, error) {
I don't see where this method is used?
cmd/argocd/commands/app.go
Outdated
conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
defer util.Close(conn)
_, err := appIf.Create(context.Background(), &app)
_, err := appIf.Create(DefaultClientContext(clientOpts), &app)
Wrapping the context in every place where we make a gRPC call isn't the right approach. There is a common function in apiclient.go, NewConn(), where you can adjust the DialOptions when establishing the connection. That is where we would want to add another dial option from grpc.WithPerRPCCredentials() with the token.
See this example:
grpc/grpc-go#106 (comment)
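The two review threads above describe both halves of the session mechanism: the client attaching the token once via per-RPC credentials rather than per call, and the server interceptor rejecting requests with a gRPC status code rather than a plain Go error, with the login RPC exempt. The following is an added, stand-alone example written for this page; it is not code from the PR or from Argo CD. To run offline it mirrors the relevant gRPC shapes instead of importing grpc: Metadata has the layout of metadata.MD, jwtCredentials has exactly the credentials.PerRPCCredentials method set, and StatusError stands in for status.Error(codes.Unauthenticated, msg). The signing key, the HS256 token format, the loginMethod name and the method names used in the test are all constructed assumptions.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Metadata has the shape of grpc's metadata.MD. gRPC lower-cases keys and grpc-gateway strips the
// "Grpc-Metadata-" header prefix, so the CLI's "tokens" and the browser's "Grpc-Metadata-Tokens" match.
type Metadata map[string][]string

// jwtCredentials (client side) has exactly the credentials.PerRPCCredentials method set, so NewConn
// could pass it to grpc.WithPerRPCCredentials instead of wrapping every call's context.
type jwtCredentials struct{ token string }

func (c jwtCredentials) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
	if c.token == "" {
		return map[string]string{}, nil // no token configured: let the server answer Unauthenticated
	}
	return map[string]string{"tokens": c.token}, nil
}

// Returning true makes grpc refuse to attach the bearer token on a plaintext connection.
func (c jwtCredentials) RequireTransportSecurity() bool { return true }

// StatusError stands in for status.Error(codes.Unauthenticated, msg): the caller gets a code,
// not the opaque string a plain fmt.Errorf would produce.
const Unauthenticated = 16 // value of codes.Unauthenticated

type StatusError struct {
	Code int
	Msg  string
}

func (e *StatusError) Error() string { return fmt.Sprintf("rpc error: code = %d desc = %s", e.Code, e.Msg) }

const loginMethod = "/example.SessionService/Login" // constructed placeholder; the PR does not name its login RPC

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// signHS256 is what the login endpoint does once the password has been checked.
func signHS256(c claims, key []byte) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	msg := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return msg + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyHS256 accepts only alg HS256 (no "none", no algorithm switching), compares the MAC in
// constant time, and rejects tokens without or past their exp claim.
func verifyHS256(token string, key []byte, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if b, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(b, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var c claims
	if b, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(b, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// AuthFunc is the check a unary interceptor runs before dispatching fullMethod. The login RPC is
// exempt (the job AuthFuncOverride does in the PR); authRequired is the PR's environment feature flag.
func AuthFunc(md Metadata, fullMethod string, key []byte, now time.Time, authRequired bool) (string, error) {
	if fullMethod == loginMethod || !authRequired {
		return "", nil
	}
	if len(md) == 0 {
		return "", &StatusError{Code: Unauthenticated, Msg: "empty metadata"}
	}
	toks := append(md["tokens"], "") // a missing key verifies as "" and fails like any bad token
	c, err := verifyHS256(toks[0], key, now)
	if err != nil { // missing, forged, malformed or expired: one generic answer for the client
		return "", &StatusError{Code: Unauthenticated, Msg: "user is not allowed access"}
	}
	return c.Sub, nil
}

func main() {
	key := []byte("constructed-demo-key")
	tok := signHS256(claims{Sub: "admin", Exp: time.Now().Add(time.Hour).Unix()}, key)
	md, _ := jwtCredentials{token: tok}.GetRequestMetadata(context.Background())
	_, err := AuthFunc(Metadata{"tokens": {md["tokens"]}}, "/example.ApplicationService/Create", key, time.Now(), true)
	fmt.Println("with token:", err)
	_, err = AuthFunc(Metadata{}, "/example.ApplicationService/Create", key, time.Now(), true)
	fmt.Println("without token:", err)
}
```

Two design points follow from the comments above: the client never decides access (a missing token is sent as empty metadata and the server answers with a coded Unauthenticated status, which is what the CLI's "access denied" path relies on), and the verifier fixes the algorithm rather than trusting the token header, so an alg:none or re-signed token is refused before its claims are read.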
LGTM

@jessesuen @alexmt I've added a feature flag in the environment to disable authentication checks by default (so as not to break existing workflows). To run with this flag enabled and auth required, modify the Setting
Hey sorry I haven't had time to review latest changes, but will do so now. The feature flag is a good idea, especially since UI needs to catch up. |
func endpointCredentials(endpoint string) jwtCredentials {
	credentials := jwtCredentials{}

	localConfig, err := config_util.ReadLocalConfig()
I won't gate this checkin, but I think we need to move the reading/parsing of the local config, to be done when creating the API client. A use case is that I should be able to create an argocd client without having an .argocd directory. In this case I would supply an API token when instantiating the client.
jessesuen left a comment
My only comment is to have other ways of creating a client without requiring that a .argocd directory exists (so long as a token is supplied). This can be addressed in a subsequent checkin.
Addressed the security vulnerabilities reported by the Twistlock security scan. Contributes to: automation-saas/native-AWS#2815 Signed-off-by: Sujeily Fonseca <sujeily.fonseca@ibm.com>
Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com>
Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com>
Background
To follow on #82, and in an effort to address #72 and #29, this PR implements the passing of credentials to the backend to support access control.
Implementation
- When a token is not provided, gate off all backend access. This requires either `tokens` (plural) in metadata from the CLI client (it gets converted to a list, so just made it plural); or `Grpc-Metadata-Tokens: INSERT_JWT_HERE` in all HTTP headers (except for login!).
- Replace `context.Background()` calls with our own new `DefaultClientContext(clientOpts)`, which injects the token (if it exists) into the metadata passed to gRPC on the backend. If it doesn't exist, an access denied error will appear in the command line.
- Nothing involving server-side cookie setting has been implemented at this time. Full support for Web access can be implemented with just JS right now by setting request headers (i.e., `Grpc-Metadata-Tokens`) and storing in cookie client-side. cc @alexmt interested in your thoughts.

Important
This will break the Web client unless a token is retrieved and passed along with requests.