fix: handle missing gitlab credentials (#692)

SwissDataScienceCenter · Dec 15, 2023 · fb83840 · fb83840
1 parent 1dd8198
commit fb83840
Show file tree

Hide file tree

Showing 9 changed files with 929 additions and 1,205 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -25,7 +25,7 @@ jobs:
           poetry install
       - name: Test with pytest
         run: |
-          poetry run pytest
+          make auth_tests  
   
   test-revproxy:
     runs-on: ubuntu-latest
@@ -36,7 +36,7 @@ jobs:
           go-version: 1.19
       - name: Test
         run: |
-          go test -timeout 300s -p 1 -v github.com/SwissDataScienceCenter/renku-gateway/cmd/revproxy github.com/SwissDataScienceCenter/renku-gateway/internal/stickysessions
+          make revproxy_tests 
 
   publish-images:
     runs-on: ubuntu-latest

diff --git a/Dockerfile b/Dockerfile
@@ -1,20 +1,22 @@
-FROM python:3.7-slim
-
-RUN pip install --upgrade pip==22.1.2 && \
+FROM python:3.11-slim-bookworm as builder
+WORKDIR /code
+RUN pip install --upgrade pip && \
     pip install poetry && \
-    addgroup renku --gid 1000 && \
-    adduser renku --uid 1000 --gid 1000
+    virtualenv .venv
+COPY pyproject.toml poetry.lock ./
+RUN poetry install --without dev --no-root
+COPY app ./app
+RUN poetry install --without dev
 
-COPY pyproject.toml poetry.lock /code/
+FROM python:3.11-slim-bookworm
 WORKDIR /code
-
-RUN poetry config virtualenvs.create false && \
-    poetry install
-
-COPY ./ /code
-
+ENV TINI_VERSION v0.19.0
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
+RUN chmod a+x /tini && \
+    addgroup renku --gid 1000 && \
+    adduser renku --uid 1000 --gid 1000
+COPY --chown=1000:1000 --from=builder /code/.venv .venv
+COPY --chown=1000:1000 --from=builder /code/app app
 USER 1000:1000
-
-CMD ["gunicorn", "-b", "0.0.0.0:5000", "app:app",  "-k", "gevent"]
-
+ENTRYPOINT [ "/tini", "-g", "--", "./.venv/bin/gunicorn", "-b", "0.0.0.0:5000", "app:app" ]
 EXPOSE 5000
diff --git a/Makefile b/Makefile
@@ -16,40 +16,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-DOCKER_REPOSITORY?=renku/
-IMAGE?=renku-gateway
+auth_tests:
+	poetry run flake8 -v
+	poetry run pytest
 
-DOCKER_LABEL?=$(shell git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/^* //')
-ifeq ($(DOCKER_LABEL), master)
-	DOCKER_LABEL=latest
-endif
-
-GIT_MASTER_HEAD_SHA:=$(shell git rev-parse --short=7 --verify HEAD)
-
-# Note that this is the default target executed when typing 'make'
-build:
-	@echo "Building image: docker build -t ${DOCKER_REPOSITORY}${IMAGE}:${GIT_MASTER_HEAD_SHA} ."
-	@docker build -t ${DOCKER_REPOSITORY}${IMAGE}:${GIT_MASTER_HEAD_SHA} .
-
-tag: build
-	@echo "Tagging image: docker tag ${DOCKER_REPOSITORY}${IMAGE}:${GIT_MASTER_HEAD_SHA} ${DOCKER_REPOSITORY}${IMAGE}:${DOCKER_LABEL}"
-	@docker tag ${DOCKER_REPOSITORY}${IMAGE}:${GIT_MASTER_HEAD_SHA} ${DOCKER_REPOSITORY}${IMAGE}:${DOCKER_LABEL}
-
-push: tag
-	@echo "Pushing image image: docker push ${DOCKER_REPOSITORY}${IMAGE}:${DOCKER_LABEL}"
-	@docker push ${DOCKER_REPOSITORY}${IMAGE}:${DOCKER_LABEL}
-
-start:
-	@echo "Start"
-	@docker pull ${DOCKER_REPOSITORY}${IMAGE}
-    @docker run -p 5000:5000 ${DOCKER_REPOSITORY}${IMAGE}
-
-dev-docker:
-	@echo "Running development server to develop against renku running inside docker"
-	FLASK_APP=app:app FLASK_DEBUG=1 HOST_NAME=http://localhost:5000 flask run
-
-dev:
-	./run-telepresence.sh
-
-login:
-	@echo "${DOCKER_PASSWORD}" | docker login -u="${DOCKER_USERNAME}" --password-stdin ${DOCKER_REGISTRY}
+revproxy_tests:
+	go test -timeout 300s -p 1 -v github.com/SwissDataScienceCenter/renku-gateway/cmd/revproxy github.com/SwissDataScienceCenter/renku-gateway/internal/stickysessions
diff --git a/app/auth/notebook_auth.py b/app/auth/notebook_auth.py
@@ -71,9 +71,10 @@ def process(self, request, headers):
             headers["Renku-Auth-Access-Token"] = access_token
             headers["Renku-Auth-Refresh-Token"] = keycloak_oidc_client.refresh_token
             headers["Renku-Auth-Id-Token"] = keycloak_oidc_client.token["id_token"]
-            headers["Renku-Auth-Git-Credentials"] = get_git_credentials_header(
-                [gitlab_oauth_client]
-            )
+            if gitlab_oauth_client:
+                headers["Renku-Auth-Git-Credentials"] = get_git_credentials_header(
+                    [gitlab_oauth_client]
+                )
         else:
             headers["Renku-Auth-Anon-Id"] = request.cookies.get("anon-id", "")
 

diff --git a/app/auth/oauth_client.py b/app/auth/oauth_client.py
@@ -126,4 +126,4 @@ def _fix_expiration_time(self):
 
     def expires_soon(self):
         """Check if the client instance expires soon."""
-        return self._expires_at and self._expires_at < time.time() + 5
+        return self._expires_at and self._expires_at < time.time() + 180
diff --git a/app/auth/oauth_redis.py b/app/auth/oauth_redis.py
@@ -72,15 +72,17 @@ def set_oauth_client(self, name, oauth_client):
         """Put a client object into the store."""
         return self.set_enc(name, oauth_client.to_json().encode())
 
-    def get_oauth_client(self, name, no_refresh=False):
+    def get_oauth_client(
+        self, name, no_refresh=False
+    ) -> Optional[RenkuWebApplicationClient]:
         """Get a client object from the store, refresh if necessary."""
         value = self.get_enc(name)
         if value is None:
-            return
+            return None
 
         oauth_client = RenkuWebApplicationClient.from_json(value.decode())
 
-        # We refresh 5 seconds before the token/client actually expires
+        # We refresh 3 minutes before the token/client actually expires
         # to avoid unlucky edge cases.
         if not no_refresh and oauth_client.expires_soon():
             try: