Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Access tokens for flakes #4091

Merged
merged 8 commits into from Sep 30, 2020
Merged

Access tokens for flakes #4091

merged 8 commits into from Sep 30, 2020

Conversation

kquick
Copy link
Contributor

@kquick kquick commented Sep 29, 2020

This patch updates the ability to specify access tokens in the nix.conf file for use in the github fetcher. This PR builds upon the previous functionality provided by @imalsogreg to allow the specification of more than two access tokens because:

  • Gitlab has two different kinds of access tokens that can be used (4 authorization methods, but just two that are relevant here).

  • Both gitlab and github are available for use by organizations and other groups, so they will exist at locations other than https://github.com and https://gitlab.com, both publicly and privately.

  • There are also non-github and non-gitlab sites hosting git that will have access controls.

This patch provides the ability to specify the access token to use for a specific remote host by matching against the "host" attribute in the corresponding flake input specification.

This adds a new entry to the nix.conf file called access-tokens, which is a space separated list of host=token specifications. It removes the gitlab-access-token provided in PR #3675 because that token is new enough that it is not likely to be broadly used. The github-access-token is still supported, but generates deprecation warnings when used.

@kquick
Update document generation for empty json object values.
83fec38
@kquick
Support StringMap configuration settings.
a439e94 
Allows Configuration values that are space-separated key=value pairs.
@kquick
Complete conversion of "url" to "host" with associated variable renam…
c2f48cf 
…ing.

Completes the change begun in commit 56f1e0d to consistently use the
"host" attribute for "github" and "gitlab" inputs instead of a "url"
attribute.
@kquick
Update to use access-tokens configuration for github/gitlab access.
8fba2a8 
This change provides support for using access tokens with other
instances of GitHub and GitLab beyond just github.com and
gitlab.com (especially company-specific or foundation-specific
instances).

This change also provides the ability to specify the type of access
token being used, where different types may have different handling,
based on the forge type.
@kquick
Fix reference to older name for access-tokens config value.
ef2a14b
@kquick
Re-add support for github-access-token, but mark as deprecated.
5a35cc2
@kquick
Merge branch 'master' into access-tokens
66c3959
edolstra
edolstra reviewed Sep 29, 2020
View reviewed changes
src/libstore/globals.hh Outdated Show resolved Hide resolved
@edolstra edolstra merged commit 002ce84 into NixOS:master Sep 30, 2020
@kquick kquick deleted the access-tokens branch September 30, 2020 15:45
@imalsogreg
Copy link
Contributor

@kquick Have you been using this? I'm wondering if I'm doing it wrong, or if we have a bug. Demonstrating below:

I have the access-tokens field set in my nix.conf, and nix picks it up.

[root@nixos:~]# nix show-config | grep token
warning: unknown setting 'gc-check-reachability'
access-tokens = "gitlab.com=PAT:REDACTED github.com=REDACTED"

nix flake info github.com:imalsogreg/some_private_repo fails, and it does so not with a 404, but a 401, suggesting that my token is reaching the curl command within nix. (If I run this with no token, it's a 404).

[root@nixos:~]# nix flake info github:imalsogreg/work_queue
warning: unknown setting 'gc-check-reachability'
error: --- FileTransferError --------------------------------------------------------------------------------- nix
unable to download 'https://api.github.com/repos/imalsogreg/work_queue/commits/HEAD': HTTP error 401 ('Unauthorized')

response body:

{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest"
}

Using the same github token, I am able to hit the URL that nix is trying to hit.

curl -H "Authorization: Bearer REDACTED" "https://api.github.com/repos/imalsogreg/work_queue/commits/HEAD"
[[succeeds]]

@stephank
Copy link
Contributor

stephank commented Dec 2, 2020

The example (in the code comment) shows quotes, but it appears that's not really a syntax construct in nix.conf. It's just parsing it as a literal string including quotes.

@kquick In your case, it's reading your GitHub token as github.com=REDACTED" (notice the ending quote), which is an invalid token. It's also reading your GitLab token as "gitlab.com=PAT:REDACTED, which will never match the gitlab.com host. (I ran into the latter.)

Simply removing the quotes in nix.conf works.

@imalsogreg
Copy link
Contributor

Thanks @stephank , that was it! Opened a small documentation fix PR here: #4301

@kquick
Copy link
Contributor Author

kquick commented Dec 2, 2020

Oops, yes, that's a bug in the docs: my local usage doesn't have the quotes. Thanks @stephank and @imalsogreg for the investigation and PR to fix!

@nrdxp
Copy link
Contributor

nrdxp commented Dec 3, 2021

Would it be possible to use this as is, or possibly extend it a bit to provide aws credentials (primarily for uploading to s3 cache). As it is, because a post-build-hook seems to clear the callers environment, it is impossible to set s3 credentials without root access for Nix daemon users. If not, I may need to open a proper issue for that.

@kquick
Copy link
Contributor Author

kquick commented Dec 3, 2021

The credentials from the access-tokens are only used in the nix libfetcher code for git urls. The nix libstore s3 code uses the aws-sdk-cpp library, so I suspect that will need some explicit support (viz. https://sdk.amazonaws.com/cpp/api/LATEST/md__docs__credentials__providers.html) to either use those credentials or some other mechanism (unless something is already providing this: I haven't used the S3 store myself).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edolstra edolstra edolstra left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@kquick @imalsogreg @stephank @nrdxp @edolstra