Add jit access endpoint support in the cli #554
Conversation
VXianOng
changed the title
| input.Credentials = append(input.Credentials, model.Credential{ | ||
| "type": "jit_access", | ||
| "credential-type": "git_source", | ||
| "username": "x-access-token", | ||
| "endpoint": "$GITHUB_JITACCESS_TOKEN_ENDPOINT", | ||
| }) |
There was a problem hiding this comment.
You will need to pass a host property to tell the proxy which hosts can use JIT. The property username is not used for JIT access, the request is authenticated using the job token, so this property can be removed.
Also I wanted to mention this is already possible to do without environment variables by specifying a jit_access credential in the job definition passed to Dependabot CLI using the -f flag:
$ dependabot update -f job.jsonor
$ dependabot update -f job.ymlThe definition would be something like:
job:
# job definition goes here, this goes to dependabot-core
credentials:
- type: jit_access
credential-type: git_source
host: github.com
endpoint: example.comThere was a problem hiding this comment.
Thanks for catching the missing host! Fixing that and removing username.
Yes! I used that -f flag to test this locally for proof of concept but on ADO Dependabot, it looks like we are passing credentials through env variables and we construct the credentials input in the CLI (in this file) so Im thinking to just use the same approach here. The jit_access endpoint value here will be unique to each jobs we run. Are you suggesting to prepopulate the jit_access credential type in the input before we call the CLI? That might work too, I'll have to take another look on our service.
During my test, I have two credential type in my job file -- one with github token and one for jit_access. This is how it looks like and what I'm attempting to add here!
credentials:
- type: git_source
password: SAMPLE_TOKEN
username: x-access-token
host: github.com
- type: jit_access
host: github.com
credential-type: git_source
endpoint: $GITHUB_JITACCESS_TOKEN_ENDPOINT
There was a problem hiding this comment.
Update: I think I found the place where I can insert credentials in our job definition before calling the CLI! I'll work on that first, if it works out then I wont need to pass a new env var anymore
There was a problem hiding this comment.
Yeah it's best to put it all in the job definition. We started using environment variables as a convenience running on our local machines because we had $LOCAL_GITHUB_ACCESS_TOKEN set already, makes it easier to run jobs with the short-hand dependabot update go_modules dependabot/cli, but for production it's best to provide the full job and credentials in a file.
Add a new env var
$GITHUB_JITACCESS_TOKEN_ENDPOINTfor jit_access endpoint support. The goal here is to allow the proxy to query this endpoint for a new token when our original credentials expire (requests started getting Unauthorize response).