action #174301
Status: closed
Enable usual authentication methods for assets served by NGINX size:M
Description
Motivation
This ticket is a concrete approach to cover the most crucial aspect of #174154. Check out that ticket for details.
Acceptance criteria
- AC1: It is possible to enable authentication for openQA test assets served by NGINX.
- AC2: NGINX accepts the usual authentication methods openQA provides.
- AC2.1: basic auth via personal access token
- AC2.2: API key/secret
- AC2.3: web session
Acceptance tests
- AT2.1: Invoke a command like
  curl -u Demo:…:… http://localhost/assets/other/openSUSE-Tumbleweed-DVD-x86_64-Snapshot20230109-Media.iso.sha256
  (or curl -i -u Demo:…:… 'http://localhost:9526/tests/4416/asset/other/openSUSE-Tumbleweed-DVD-x86_64-Snapshot20250112-Media.iso.sha256')
  and see whether you get a correct 200 (or 302) response or a 403 response depending on whether the credentials are correct or wrong.
- AT2.2: Invoke a command like
  MOJO_CLIENT_DEBUG=1 openqa-cli api http://localhost/assets/other/openSUSE-Tumbleweed-DVD-x86_64-Snapshot20230109-Media.iso.sha256
  and see whether you get a correct 200 response or a 403 response depending on whether the credentials are correct or wrong.
- AT2.3: Open a test details page, select "Logs and assets" and try to download an asset. When logged in, the download prompt should appear; otherwise a login is supposed to be triggered (or one gets an auth-related error message).
Suggestions
- Configure NGINX locally as it is described on https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication
- Check out commit https://github.com/Martchus/openQA/commit/b5950273aa4168b20a4c31f03ecc451465d466c9 for a simple example which already covers AC2.1.
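As an illustration of the subrequest-authentication setup the suggestions point to, here is an added example NGINX server block. It is not the ticket's, the linked commit's or openQA's own configuration: the internal auth route /auth-check-for-assets, the backend port 9526 and the asset directory under /var/lib/openqa/share/factory are assumptions, and the auth endpoint is assumed to evaluate the credentials from the forwarded request headers and answer 200 (allowed) or 403 (denied).

```nginx
# Added example, not the ticket's or openQA's own config.
# NGINX serves the asset files itself, but gates every /assets/ request on an
# auth subrequest (auth_request) to the openQA web UI. The client headers
# carrying the three credential kinds are forwarded to the backend by default:
#   Authorization               -> basic auth with a personal access token (AC2.1)
#   X-API-Key/-Hash/-Microtime  -> API key/secret as sent by openqa-cli (AC2.2)
#   Cookie                      -> web session (AC2.3)
server {
    listen 80;
    server_name localhost;

    # Everything else goes to the openQA Mojolicious app (assumed port 9526).
    location / {
        proxy_pass http://127.0.0.1:9526;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Assets: auth_request runs the subrequest first. A 401/403 from the
    # subrequest is returned to the client unchanged; any other non-2xx status
    # turns into a 500, so the auth endpoint should never answer e.g. 302.
    location /assets/ {
        auth_request /auth-check-for-assets;
        alias /var/lib/openqa/share/factory/;   # assumed asset location
    }

    # Internal-only: cannot be requested directly by clients.
    location = /auth-check-for-assets {
        internal;
        proxy_pass http://127.0.0.1:9526/auth-check-for-assets;   # assumed route
        # The subrequest must not carry the (potentially large) request body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # The API key/secret hash is computed over the original URL, so the
        # auth endpoint needs to know what was actually requested.
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Original-Method $request_method;
    }
}
```

With this in place, AT2.1 and AT2.2 exercise the same path: the credential headers reach the auth endpoint through the subrequest, a correct credential yields the file with 200, and a wrong one is answered by NGINX with the 403 the auth endpoint returned. For AT2.3 the browser's session cookie is what the subrequest forwards, so an unauthenticated browser gets the 403 (or whatever the application turns it into) instead of the download.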
Updated by mkittler about 2 months ago
- Related to action #174154: Prevent unauthorized openQA asset download added
Updated by jbaier_cz about 2 months ago
- Subject changed from Enable usual authentication methods for assets served by NGINX to Enable usual authentication methods for assets served by NGINX size:M
- Description updated (diff)
- Status changed from New to Workable
- Target version changed from Tools - Next to Ready
Updated by ybonatakis 18 days ago
- Assignee deleted (ybonatakis)
I already got confused. As the description says, AC2.1 is already implemented. But I don't know the details of the implementation. Reading https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication I thought that those changes would have to be reverted, but I don't know what the initial approach was. The instructions seem not to work and I would expect changes in WebAPI.pm.
Updated by mkittler 18 days ago
Just for clarification: The description links an example for AC2.1 https://github.com/Martchus/openQA/commit/b5950273aa4168b20a4c31f03ecc451465d466c9. It does not state that this commit is a final implementation and that it has been merged yet (it probably hasn't).
Updated by ybonatakis 17 days ago
mkittler wrote in #note-7:
Just for clarification: The description links an example for AC2.1 https://github.com/Martchus/openQA/commit/b5950273aa4168b20a4c31f03ecc451465d466c9. It does not state that this commit is a final implementation and that it has been merged yet (it probably hasn't).
No, but there were other changes than those. But it is also possible I confused it with something else in between. Never mind, I am looking at your PR and it looks good at a quick look.
Updated by openqa_review 16 days ago
- Due date set to 2025-01-29
Setting due date based on mean cycle time of SUSE QE Tools
Updated by mkittler 16 days ago
- Status changed from In Progress to Feedback
PR for the cache service and the user agent in general: https://github.com/os-autoinst/openQA/pull/6120
Updated by mkittler 14 days ago
- Status changed from Feedback to Resolved
With https://github.com/os-autoinst/openQA/pull/6120 merged all ACs are fulfilled. It worked at least when I tested it locally. So I'm resolving the ticket now because before we can enable it in production the remaining points of #174154 need to be covered first (at least the point about openqa-clone-job for which I created https://github.com/os-autoinst/openQA/pull/6125).