[specific ci=Group23-VIC-Machine-Service] Accept session clone ticket via request header #6587
Conversation
jzt
force-pushed
the
vic-machine/6033
branch
2 times, most recently
from
8c2529d
to
6b09f07
Compare
jzt
changed the title
There was a problem hiding this comment.
https://github.com/vmware/vic/pull/6587/files#diff-82bf77133ff3990110da03c8671f97b0L177
AllowedHeaders: []string{"Authorization", "Content-Type", "User-Agent"},
You'll want to add the new header here so that browsers allow it to be sent as a part of cross-origin requests.
| b.user = c.user | ||
| b.password = c.pass | ||
| } else { | ||
| b.ticket = p.(Session).ticket |
There was a problem hiding this comment.
Can we be defensive here and make this } else if s, ok := p.(Session); ok {?
That way we can have an else block so we don't panic if p isn't either.
There was a problem hiding this comment.
I think that's a case where you want to panic, as such a case would be a programmer error rather than error due to user input.
There was a problem hiding this comment.
Also, we shouldn't really get this far without one or the other as swagger will throw an auth error (though we probably shouldn't rely on that behavior).
| op := trace.NewOperation(params.HTTPRequest.Context(), "VCHCertGet: %s", params.VchID) | ||
|
|
||
| b := BuildDataParams{ | ||
| url: url.URL{Host: params.Target}, |
There was a problem hiding this comment.
Since you're adjusting this pattern anyway, maybe BuildDataParams should take a raw target so we can have the url.URL{Host: params.Target} happen in a single place (i.e., buildData).
| @@ -33,26 +33,37 @@ import ( | |||
| "github.com/vmware/vic/pkg/vsphere/vm" | |||
| ) | |||
|
|
|||
| func buildData(ctx context.Context, url url.URL, user string, pass string, thumbprint *string, datacenter *string, computeResource *string) (*data.Data, error) { | |||
| type BuildDataParams struct { | |||
There was a problem hiding this comment.
I'd only expect this to be used within handlers. Does it need to be exported?
| params.Thumbprint, | ||
| nil, | ||
| nil) | ||
| op := trace.NewOperation(params.HTTPRequest.Context(), "VCHCertGet: %s", params.VchID) |
There was a problem hiding this comment.
Can you ensure that anywhere that you're introducing an operation, it replaces all occurrences of params.HTTPRequest.Context() (not just the first)?
lib/apiservers/service/swagger.json
Outdated
| @@ -830,6 +830,12 @@ | |||
| } | |||
| }, | |||
| "parameters": { | |||
| "session-ticket": { | |||
There was a problem hiding this comment.
Hmm yeah, it looks like the ticket need only be used in the session security definition. I'll remove and re-test.
jzt
force-pushed
the
vic-machine/6033
branch
4 times, most recently
from
57e2ffb
to
abd7458
Compare
| d.Target.CloneTicket = principal.(Session).ticket | ||
| } | ||
|
|
||
| if params.thumbprint != nil { |
There was a problem hiding this comment.
what do we do if there is no thumbprint?
There was a problem hiding this comment.
Being able to call the API without passing a thumbprint just requires that the vSphere target has a well-signed, or otherwise trusted, certificate (like calling the CLI without a thumbprint).
zjs
force-pushed
the
feature/vic-machine-service
branch
from
f7667f3
to
4cc1a61
Compare
jzt
force-pushed
the
vic-machine/6033
branch
5 times, most recently
from
70c771a
to
a40b159
Compare
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the
X-VMWARE-TICKETheader of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.The govmomi changes in this PR will be moved to a PR in the govmomi repo once I've verified that this is the proper approach.
Fixes #6033