New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support plugins from private Pulumi repos #9185
Changes from all commits
7ccbd77
ebe552a
56f99b9
f0c9887
84093eb
9918b8e
e5282da
2bb0b82
283965f
b79a16f
7ffe4bb
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -183,7 +183,7 @@ func (source *getPulumiSource) Download( | |
serverURL, | ||
url.QueryEscape(fmt.Sprintf("pulumi-%s-%s-v%s-%s-%s.tar.gz", source.kind, source.name, version.String(), opSy, arch))) | ||
|
||
req, err := buildHTTPRequest(endpoint, "", "", "", "") | ||
req, err := buildHTTPRequest(endpoint, "") | ||
if err != nil { | ||
return nil, -1, err | ||
} | ||
|
@@ -196,47 +196,31 @@ type githubSource struct { | |
name string | ||
kind PluginKind | ||
|
||
tokenType string | ||
token string | ||
username string | ||
secret string | ||
token string | ||
} | ||
|
||
// Creates a new github source adding authentication data in the environment, if it exists | ||
func newGithubSource(organization, name string, kind PluginKind) *githubSource { | ||
return &githubSource{ | ||
organization: organization, | ||
name: name, | ||
kind: kind, | ||
} | ||
} | ||
|
||
// Creates a new github source from authentication data in the environment, if it exists | ||
func newAuthenticatedGithubSource(organization, name string, kind PluginKind) (*githubSource, error) { | ||
ghToken := os.Getenv("GITHUB_TOKEN") | ||
paToken := "" | ||
actor := "" | ||
tokenType := "token" | ||
if ghToken == "" { | ||
tokenType = "" | ||
paToken = os.Getenv("GITHUB_PERSONAL_ACCESS_TOKEN") | ||
actor = os.Getenv("GITHUB_ACTOR") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Maybe consider warning if these env vars are detected as set? To help users transition that might rely on this. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. GITHUB_PERSONAL_ACCESS_TOKEN is an envvar we made up so I can warn on that pretty safely. |
||
} | ||
if ghToken == "" && (paToken == "" || actor == "") { | ||
return nil, errors.New("no GitHub authentication information provided") | ||
// 14-03-2022 we stopped looking at GITHUB_PERSONAL_ACCESS_TOKEN and sending basic auth for github and | ||
// instead just look at GITHUB_TOKEN and send in a header. Given GITHUB_PERSONAL_ACCESS_TOKEN was an | ||
// envvar we made up we check to see if it's set here and log a warning. This can be removed after a few | ||
// releases. | ||
if os.Getenv("GITHUB_PERSONAL_ACCESS_TOKEN") != "" { | ||
logging.Warningf("GITHUB_PERSONAL_ACCESS_TOKEN is no longer used for Github authentication, set GITHUB_TOKEN instead") | ||
} | ||
|
||
source := &githubSource{ | ||
return &githubSource{ | ||
organization: organization, | ||
name: name, | ||
kind: kind, | ||
|
||
tokenType: tokenType, | ||
token: ghToken, | ||
username: actor, | ||
secret: paToken, | ||
token: os.Getenv("GITHUB_TOKEN"), | ||
} | ||
} | ||
|
||
return source, nil | ||
func (source *githubSource) HasAuthentication() bool { | ||
return source.token != "" | ||
} | ||
|
||
func (source *githubSource) GetLatestVersion( | ||
|
@@ -245,7 +229,7 @@ func (source *githubSource) GetLatestVersion( | |
"https://api.github.com/repos/%s/pulumi-%s/releases/latest", | ||
source.organization, source.name) | ||
logging.V(9).Infof("plugin GitHub releases url: %s", releaseURL) | ||
req, err := buildHTTPRequest(releaseURL, source.tokenType, source.token, source.username, source.secret) | ||
req, err := buildHTTPRequest(releaseURL, source.token) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
@@ -275,7 +259,7 @@ func (source *githubSource) GetLatestVersion( | |
func (source *githubSource) Download( | ||
version semver.Version, opSy string, arch string, | ||
getHTTPResponse func(*http.Request) (io.ReadCloser, int64, error)) (io.ReadCloser, int64, error) { | ||
if source.tokenType == "" && source.token == "" && source.username == "" && source.secret == "" { | ||
if !source.HasAuthentication() { | ||
// If we're not using authentication we can just download from the release/download URL | ||
|
||
logging.V(1).Infof( | ||
|
@@ -286,7 +270,7 @@ func (source *githubSource) Download( | |
source.organization, source.name, version.String(), url.QueryEscape(fmt.Sprintf("pulumi-%s-%s-v%s-%s-%s.tar.gz", | ||
source.kind, source.name, version.String(), opSy, arch))) | ||
|
||
req, err := buildHTTPRequest(pluginURL, "", "", "", "") | ||
req, err := buildHTTPRequest(pluginURL, "") | ||
if err != nil { | ||
return nil, -1, err | ||
} | ||
|
@@ -301,7 +285,7 @@ func (source *githubSource) Download( | |
source.organization, source.name, version.String()) | ||
logging.V(9).Infof("plugin GitHub releases url: %s", releaseURL) | ||
|
||
req, err := buildHTTPRequest(releaseURL, source.tokenType, source.token, source.username, source.secret) | ||
req, err := buildHTTPRequest(releaseURL, source.token) | ||
if err != nil { | ||
return nil, -1, err | ||
} | ||
|
@@ -341,7 +325,7 @@ func (source *githubSource) Download( | |
|
||
logging.V(1).Infof("%s downloading from %s", source.name, assetURL) | ||
|
||
req, err = buildHTTPRequest(assetURL, source.tokenType, source.token, source.username, source.secret) | ||
req, err = buildHTTPRequest(assetURL, source.token) | ||
if err != nil { | ||
return nil, -1, err | ||
} | ||
|
@@ -383,7 +367,7 @@ func (source *pluginURLSource) Download( | |
serverURL, | ||
url.QueryEscape(fmt.Sprintf("pulumi-%s-%s-v%s-%s-%s.tar.gz", source.kind, source.name, version.String(), opSy, arch))) | ||
|
||
req, err := buildHTTPRequest(endpoint, "", "", "", "") | ||
req, err := buildHTTPRequest(endpoint, "") | ||
if err != nil { | ||
return nil, -1, err | ||
} | ||
|
@@ -413,17 +397,18 @@ func (source *fallbackSource) GetLatestVersion( | |
return version, nil | ||
} | ||
|
||
// Are we in experimental mode? Try a private github release | ||
// Are we in experimental mode? Try a users private github release | ||
if _, ok := os.LookupEnv("PULUMI_EXPERIMENTAL"); ok { | ||
// Check if we have a repo owner set | ||
repoOwner := os.Getenv("GITHUB_REPOSITORY_OWNER") | ||
var privateErr error | ||
if repoOwner == "" { | ||
privateErr = errors.New("ENV[GITHUB_REPOSITORY_OWNER] not set") | ||
} else { | ||
var private PluginSource | ||
private, privateErr = newAuthenticatedGithubSource(repoOwner, source.name, source.kind) | ||
if privateErr == nil { | ||
private := newGithubSource(repoOwner, source.name, source.kind) | ||
if !private.HasAuthentication() { | ||
privateErr = errors.New("no GitHub authentication information provided") | ||
} else { | ||
version, privateErr = private.GetLatestVersion(getHTTPResponse) | ||
if privateErr == nil { | ||
return version, nil | ||
|
@@ -458,8 +443,10 @@ func (source *fallbackSource) Download( | |
if repoOwner == "" { | ||
err = errors.New("ENV[GITHUB_REPOSITORY_OWNER] not set") | ||
} else { | ||
private, err := newAuthenticatedGithubSource(repoOwner, source.name, source.kind) | ||
if err == nil { | ||
private := newGithubSource(repoOwner, source.name, source.kind) | ||
if !private.HasAuthentication() { | ||
err = errors.New("no GitHub authentication information provided") | ||
} else { | ||
resp, length, err := private.Download(version, opSy, arch, getHTTPResponse) | ||
if err == nil { | ||
return resp, length, nil | ||
|
@@ -660,7 +647,7 @@ func (info PluginInfo) Download() (io.ReadCloser, int64, error) { | |
return source.Download(*info.Version, opSy, arch, getHTTPResponse) | ||
} | ||
|
||
func buildHTTPRequest(pluginEndpoint, tokenType, token, username, secret string) (*http.Request, error) { | ||
func buildHTTPRequest(pluginEndpoint string, token string) (*http.Request, error) { | ||
req, err := http.NewRequest("GET", pluginEndpoint, nil) | ||
if err != nil { | ||
return nil, err | ||
|
@@ -670,12 +657,7 @@ func buildHTTPRequest(pluginEndpoint, tokenType, token, username, secret string) | |
req.Header.Set("User-Agent", userAgent) | ||
|
||
if token != "" { | ||
if tokenType == "" { | ||
tokenType = "Bearer" | ||
} | ||
req.Header.Set("Authentication", fmt.Sprintf("%s %s", tokenType, token)) | ||
} else if secret != "" && username != "" { | ||
req.SetBasicAuth(username, secret) | ||
req.Header.Set("Authorization", fmt.Sprintf("token %s", token)) | ||
} | ||
|
||
return req, nil | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tokenType
was always "token" so I've just trimmed it out