-
Notifications
You must be signed in to change notification settings - Fork 173
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[specific ci=Group23-VIC-Machine-Service] Accept session clone ticket via request header #6587
Conversation
8c2529d
to
6b09f07
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://github.com/vmware/vic/pull/6587/files#diff-82bf77133ff3990110da03c8671f97b0L177
AllowedHeaders: []string{"Authorization", "Content-Type", "User-Agent"},
You'll want to add the new header here so that browsers allow it to be sent as a part of cross-origin requests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work!
b.user = c.user | ||
b.password = c.pass | ||
} else { | ||
b.ticket = p.(Session).ticket |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we be defensive here and make this } else if s, ok := p.(Session); ok {
?
That way we can have an else
block so we don't panic if p
isn't either.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that's a case where you want to panic, as such a case would be a programmer error rather than error due to user input.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, we shouldn't really get this far without one or the other as swagger will throw an auth error (though we probably shouldn't rely on that behavior).
op := trace.NewOperation(params.HTTPRequest.Context(), "VCHCertGet: %s", params.VchID) | ||
|
||
b := BuildDataParams{ | ||
url: url.URL{Host: params.Target}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since you're adjusting this pattern anyway, maybe BuildDataParams
should take a raw target so we can have the url.URL{Host: params.Target}
happen in a single place (i.e., buildData
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea, fixed!
@@ -33,26 +33,37 @@ import ( | |||
"github.com/vmware/vic/pkg/vsphere/vm" | |||
) | |||
|
|||
func buildData(ctx context.Context, url url.URL, user string, pass string, thumbprint *string, datacenter *string, computeResource *string) (*data.Data, error) { | |||
type BuildDataParams struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd only expect this to be used within handlers
. Does it need to be exported?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, fixed
params.Thumbprint, | ||
nil, | ||
nil) | ||
op := trace.NewOperation(params.HTTPRequest.Context(), "VCHCertGet: %s", params.VchID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you ensure that anywhere that you're introducing an operation, it replaces all occurrences of params.HTTPRequest.Context()
(not just the first)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed, thanks
lib/apiservers/service/swagger.json
Outdated
@@ -830,6 +830,12 @@ | |||
} | |||
}, | |||
"parameters": { | |||
"session-ticket": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't seem to be used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm yeah, it looks like the ticket need only be used in the session security definition. I'll remove and re-test.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cool, glad CloneSession worked out. quick pass lgtm
57e2ffb
to
abd7458
Compare
d.Target.CloneTicket = principal.(Session).ticket | ||
} | ||
|
||
if params.thumbprint != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what do we do if there is no thumbprint?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Being able to call the API without passing a thumbprint just requires that the vSphere target has a well-signed, or otherwise trusted, certificate (like calling the CLI without a thumbprint).
f7667f3
to
4cc1a61
Compare
70c771a
to
a40b159
Compare
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the X-VMWARE-TICKET header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.
This change allows the vic-machine-server to accept a vSphere session clone ticket in the
X-VMWARE-TICKET
header of incoming requests. This ticket is used by govmomi to clone the user's session to allow the vic-machine-server govmomi client to make vSphere requests on the user's behalf.The govmomi changes in this PR will be moved to a PR in the govmomi repo once I've verified that this is the proper approach.
Fixes #6033