Re: Bodhi 6.0: What's new

2022-04-15 Thread Fabio Valentini
On Fri, Apr 15, 2022 at 12:54 PM Aurelien Bompard wrote:
>
> Hey Fabio!
>
> >  However, testing the fallback to OpenID, it does
> > not work for me with bodhi.stg.fedoraproject.org
> > Trying to access this login URL, I'm getting HTTP 500 / Internal
> > Server Error responses from
> > https://bodhi.stg.fedoraproject.org/dologin.html?openid=https%3A%2F%2Fid
> > which is the URL that I'm redirected to when accessing
> > https://bodhi.stg.fedoraproject.org/login?method=openid
>
> Thanks for the report! It was harder than expected to update the server part 
> in OpenShift, but it's done now, and the error is gone.
> Could you please test again?
> Thanks again!

Thanks for your response! Now I'm not getting "HTTP 500 Internal
server error" responses, so that's a start ...
But now I'm getting HTTP 400 "Bad Request: User not authenticated at
[sic] continue".

This also happens when I try to log into bodhi.stg.fedoraproject.org
in a web browser, so at least my code doesn't seem to be the problem
anymore ...
But if I go to https://bodhi.stg.fedoraproject.org/login?method=openid
manually and try to log in there, it just throws me back to the bodhi
homepage without actually logging me in.

So either way, I don't seem to be able to log in with
id.stg.fedoraproject.org right now *at all*, so it's kinda difficult
to know if my code is working or not. :)

Fabio
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


Re: Bodhi 6.0: What's new

2022-04-15 Thread Aurelien Bompard
Hey Fabio!

>  However, testing the fallback to OpenID, it does
> not work for me with bodhi.stg.fedoraproject.org
> Trying to access this login URL, I'm getting HTTP 500 / Internal
> Server Error responses from
> https://bodhi.stg.fedoraproject.org/dologin.html?openid=https%3A%2F%2Fid
> which is the URL that I'm redirected to when accessing
> https://bodhi.stg.fedoraproject.org/login?method=openid

Thanks for the report! It was harder than expected to update the server part in 
OpenShift, but it's done now, and the error is gone.
Could you please test again?
Thanks again!

Aurélien


Re: Bodhi 6.0: What's new

2022-04-09 Thread Fabio Valentini
On Wed, Apr 6, 2022 at 12:38 PM Aurelien Bompard wrote:
>
> Hey everyone!
>
> Bodhi 6.0 will be published in a few days, and deployed to production a 
> couple weeks after the Fedora release. It has backwards-incompatible changes, 
> here's what you need to know.
>
> == Authentication ==
> Bodhi gained support for OpenID Connect (OIDC) authentication, like most of 
> Fedora's webapps. OpenID still works but is not the default, you can access 
> it by using `/login?method=openid` as the login URL.

Hi,

I tried to migrate fedora-update-feedback to using this method
(replacing "/login" with "/login?method=openid"), because migrating to
OpenID Connect would be a lot more work and I don't have the time to
do that right now. However, testing the fallback to OpenID, it does
not work for me with bodhi.stg.fedoraproject.org

Trying to access this login URL, I'm getting HTTP 500 / Internal
Server Error responses from
https://bodhi.stg.fedoraproject.org/dologin.html?openid=https%3A%2F%2Fid.stg.fedoraproject.org%2F
which is the URL that I'm redirected to when accessing
https://bodhi.stg.fedoraproject.org/login?method=openid

Using the exact same code paths for the current URL
https://bodhi.fedoraproject.org/login, everything works as expected
(and there are no HTTP 500 / Internal Server Error responses).

Fabio


Re: Bodhi 6.0: What's new

2022-04-06 Thread Miroslav Suchý

On 06. 04. 22 at 14:31, Aurelien Bompard wrote:

> > * For other Fedora systems, we use Kerberos authentication, are there some
> > plans to add it?
>
> Nope, there's no plan for that at the moment.


FYI We recently added the Kerberos support to Copr cli. You can steal the code 
here:

https://pagure.io/copr/copr/pull-request/1820#

https://pagure.io/copr/copr/pull-request/2151#

Miroslav


Re: Bodhi 6.0: What's new

2022-04-06 Thread Aurelien Bompard
> * What is the expiration period? Or, can we set the expiration date ourselves?

What expiration do you mean? The buildroot override setting that 
save_override() gives access to is really unrelated to authentication and you 
probably don't need it if you didn't need it before.
If you mean when OpenID auth will be removed from the server, I'm not sure. I 
guess we can give something like 6 months for people to upgrade to OIDC, but if 
there are blockers with this upgrade I'd be happy to help make the transition.

> * Can we use multiple tokens in parallel to ease the transition before the 
> expiration? Or, in other words, is the token revoked once we generate a new 
> one? If not, can we revoke it?

Yes, you can have multiple tokens. To remove a token, I don't have a clear 
procedure, I'd need to have a look at Ipsilon's docs/code to see how it should 
be done.
Basically when you login you get two tokens, one "access token" and one 
"refresh token". The access token is short lived (like an hour I think) and is 
what the bodhi client will transmit to the bodhi server. When it expires, the 
bodhi client will send the "refresh token" to ipsilon to get a new access 
token. The refresh token is long-lived (months I think), but will only be 
communicated to ipsilon, not to Bodhi or any other apps.
When the refresh token expires, the bodhi client will ask the user to 
re-authenticate. There is currently no process to automate that as far as I can 
tell, so you may need to update the JSON file a couple times a year (I'm not 
sure how long those tokens live in prod, I need to check). It's somewhat like 
renewing a certificate.

Cheers!

Aurélien
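
The token lifecycle described in the message above, as an added example that is not Bodhi's client code or anything posted in this thread: it checks a copied token file's permissions and shows the access token being refreshed through the identity provider only. The field names `access_token`, `refresh_token`, `expires_at` and the `idp_refresh` callable are hypothetical; the real layout of `client.json` is not given in the thread.

```python
import json
import os
import stat
import tempfile
import time


class ReauthRequired(Exception):
    """The IdP rejected the refresh token: a person must redo the browser login."""


def check_token_file(path):
    """Findings for a token file copied to a worker (it holds a long-lived credential)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: group/other can reach the refresh token")
    with open(path) as fh:
        data = json.load(fh)
    for key in ("access_token", "refresh_token", "expires_at"):  # assumed layout
        if key not in data:
            findings.append(f"missing field: {key}")
    return findings


def get_access_token(path, idp_refresh, now=None, skew=60):
    """Return a usable access token, refreshing it when it is (nearly) expired.

    idp_refresh(refresh_token) stands in for the call to the identity provider;
    it returns a dict of new token fields, or None when the refresh is rejected.
    The refresh token is passed to idp_refresh only, never returned to the caller.
    """
    now = time.time() if now is None else now
    with open(path) as fh:
        data = json.load(fh)
    if data["expires_at"] - skew > now:
        return data["access_token"]
    fresh = idp_refresh(data["refresh_token"])
    if fresh is None:
        raise ReauthRequired("refresh token expired or revoked")
    data.update(fresh)
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:  # new file is owner-only before any secret lands
        json.dump(data, fh)
    os.replace(tmp, path)  # atomic swap, so a crash never leaves a half-written file
    return data["access_token"]


def demo():
    """Run the flow on a constructed token file (values are placeholders)."""
    path = os.path.join(tempfile.mkdtemp(), "client.json")
    with open(path, "w") as fh:
        json.dump({"access_token": "AT-1", "refresh_token": "RT-1", "expires_at": 1000}, fh)
    os.chmod(path, 0o644)
    before = check_token_file(path)
    os.chmod(path, 0o600)
    idp = lambda rt: {"access_token": "AT-2", "expires_at": 5000} if rt == "RT-1" else None
    return before, check_token_file(path), get_access_token(path, idp, now=2000)


if __name__ == "__main__":
    print(demo())
```

A service worker would catch `ReauthRequired` and alert an operator, since that is the point where the browser login has to be repeated by hand.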


Re: Bodhi 6.0: What's new

2022-04-06 Thread Aurelien Bompard
> I wonder if Kerberos is going to be supported or not?

Not at this time.


Aurélien


Re: Bodhi 6.0: What's new

2022-04-06 Thread Frantisek Lachman
Thank you for your quick answer Aurélien!

I hope this workflow can work for us.

Maybe a few related questions (sorry if it is documented somewhere, any
link is welcome):
* What is the expiration period? Or, can we set the expiration date
ourselves?
* Can we use multiple tokens in parallel to ease the transition before the
expiration? Or, in other words, is the token revoked once we generate a new
one? If not, can we revoke it?

Thanks!
František

On Wed, Apr 6, 2022 at 2:29 PM Aurelien Bompard  wrote:

> Hey Frantisek!
>
> Excellent questions!
>
> > * Our users can use Packit via CLI and use their identity for Bodhi
> > connections. With this, it's not nice, but doable to open a web-browser.
> > (Not sure how this works in the containerised use-cases.)
>
> The Bodhi CLI will display a URL that you'll have to open in your web
> browser, and wait for input. After logging in, Ipsilon will give you a
> token that you need to copy/paste in the Bodhi CLI.
>
> > * Is there some way to get/generate some token that can be used instead
> > of doing this browser workflow?
>
> Yes, you can do the browser workflow on any host and then copy over
> the ~/.config/bodhi/client.json file on the service's worker(s).
>
> > * Do I get it right from what you wrote about `save_override` that we
> > can generate the session token elsewhere and reuse it in the service? Do
> > you have some details on how this works so we can start working on the move?
>
> That's not what save_override() does, it's just an API endpoint to
> edit buildroot overrides in Bodhi.
>
> > * For other Fedora systems, we use Kerberos authentication, are there
> > some plans to add it?
>
> Nope, there's no plan for that at the moment.
>
> Does this answer your questions?
>
> Aurélien
>
>


Re: Bodhi 6.0: What's new

2022-04-06 Thread Vít Ondruch

I wonder if Kerberos is going to be supported or not?


Vít



On 06. 04. 22 at 12:37, Aurelien Bompard wrote:

Hey everyone!

Bodhi 6.0 will be published in a few days, and deployed to production 
a couple weeks after the Fedora release. It has backwards-incompatible 
changes, here's what you need to know.


== Authentication ==
Bodhi gained support for OpenID Connect (OIDC) authentication, like 
most of Fedora's webapps. OpenID still works but is not the default, 
you can access it by using `/login?method=openid` as the login URL.


Version 6.0 of the Bodhi client uses only OIDC, plain OpenID support 
has been dropped. Version 5.7.5 of the Bodhi client, however, uses the 
new OpenID login URL and has been available for about a month now, 
you'll need at least version 5.7.5 to use the Bodhi client with the 
updated server.


The client's API has changed, so if you have a piece of code that 
imports from `bodhi.client`, you'll have to update it to use the new 
API, and in the meantime use version 5.7.5.


As a user of the `bodhi` CLI, you'll notice that the `--username` and 
`--password` options have disappeared. Instead the Bodhi client will 
ask you to open your browser to a URL to authenticate. The 
authentication tokens will be saved and you'll be able to use the 
`bodhi` CLI without authenticating afterwards (or non-interactively).


== Code reorganization ==
The Bodhi source code has been reorganized to drop the hacks used in 
`setup.py` to support sub-projects. Instead, `bodhi-server`, 
`bodhi-client` and `bodhi-messages` are now actual Python package 
directories in the repo. The import path has not changed.


Bodhi's Python project metadata and dependencies are now managed with 
Poetry .


== Other changes ==
- Serialized `Release` objects sent in the messages don't contain the 
`composes` property anymore
- The `koji-build-group.build.complete` messages now contain an 
`update` property
- In the Bodhi client API, the `save_override()` method has been 
extended to allow setting the expiration date directly

- Misc bug fixes


If you have any questions, feel free to ask the Bodhi team in our 
matrix room: .
If you are importing the bodhi client code in your app/script, or 
using the bodhi client in an "unusual" manner, we'll help you migrate.


Thanks!

Aurélien Bompard



Re: Bodhi 6.0: What's new

2022-04-06 Thread Aurelien Bompard
Hey Frantisek!

Excellent questions!

> * Our users can use Packit via CLI and use their identity for Bodhi 
> connections. With this, it's not nice, but doable to open a web-browser. (Not 
> sure how this works in the containerised use-cases.)

The Bodhi CLI will display a URL that you'll have to open in your web browser, 
and wait for input. After logging in, Ipsilon will give you a token that you 
need to copy/paste in the Bodhi CLI.

> * Is there some way to get/generate some token that can be used instead of 
> doing this browser workflow?

Yes, you can do the browser workflow on any host and then copy over the 
~/.config/bodhi/client.json file on the service's worker(s).

> * Do I get it right from what you wrote about `save_override` that we can 
> generate the session token elsewhere and reuse it in the service? Do you have 
> some details on how this works so we can start working on the move?

That's not what save_override() does, it's just an API endpoint to edit 
buildroot overrides in Bodhi.

> * For other Fedora systems, we use Kerberos authentication, are there some 
> plans to add it?

Nope, there's no plan for that at the moment.

Does this answer your questions?

Aurélien


Re: Bodhi 6.0: What's new

2022-04-06 Thread Frantisek Lachman
Hi Aurélien!

thanks for the hard work on the new Bodhi release!

I have a question on the non-interactive way of Bodhi authentication. I
understand that supporting OpenID is hard, but are there some other options
to support this workflow in the future?

A little bit of context:
* We, as a Packit team, work on the automation of various maintenance
tasks. One of them is creating the Bodhi updates. (See packit.dev for more
details.)
* Our users can use Packit via CLI and use their identity for Bodhi
connections. With this, it's not nice, but doable to open a web-browser.
(Not sure how this works in the containerised use-cases.)
* But newly, we support this job in our service that uses `packit` FAS user
to create the updates. Here, it's not possible to open any browser.

So:
* Is there some way to get/generate some token that can be used instead of
doing this browser workflow?
* Do I get it right from what you wrote about `save_override` that we can
generate the session token elsewhere and reuse it in the service? Do you
have some details on how this works so we can start working on the move?
* For other Fedora systems, we use Kerberos authentication, are there some
plans to add it?
* Ideally, I would like to see it solved also for our CLI users, but at
least for Packit's service as a special case.

Thank you in advance for any tips or suggestions!
František Lachman

(CCing the Packit's mailing list.)





On Wed, Apr 6, 2022 at 12:38 PM Aurelien Bompard wrote:

> Hey everyone!
>
> Bodhi 6.0 will be published in a few days, and deployed to production a
> couple weeks after the Fedora release. It has backwards-incompatible
> changes, here's what you need to know.
>
> == Authentication ==
> Bodhi gained support for OpenID Connect (OIDC) authentication, like most
> of Fedora's webapps. OpenID still works but is not the default, you can
> access it by using `/login?method=openid` as the login URL.
>
> Version 6.0 of the Bodhi client uses only OIDC, plain OpenID support has
> been dropped. Version 5.7.5 of the Bodhi client, however, uses the new
> OpenID login URL and has been available for about a month now, you'll need
> at least version 5.7.5 to use the Bodhi client with the updated server.
>
> The client's API has changed, so if you have a piece of code that imports
> from `bodhi.client`, you'll have to update it to use the new API, and in
> the meantime use version 5.7.5.
>
> As a user of the `bodhi` CLI, you'll notice that the `--username` and
> `--password` options have disappeared. Instead the Bodhi client will ask
> you to open your browser to a URL to authenticate. The authentication
> tokens will be saved and you'll be able to use the `bodhi` CLI without
> authenticating afterwards (or non-interactively).
>
> == Code reorganization ==
> The Bodhi source code has been reorganized to drop the hacks used in
> `setup.py` to support sub-projects. Instead, `bodhi-server`, `bodhi-client`
> and `bodhi-messages` are now actual Python package directories in the repo.
> The import path has not changed.
>
> Bodhi's Python project metadata and dependencies are now managed with
> Poetry .
>
> == Other changes ==
> - Serialized `Release` objects sent in the messages don't contain the
> `composes` property anymore
> - The `koji-build-group.build.complete` messages now contain an `update`
> property
> - In the Bodhi client API, the `save_override()` method has been extended
> to allow setting the expiration date directly
> - Misc bug fixes
>
>
> If you have any questions, feel free to ask the Bodhi team in our matrix
> room: .
> If you are importing the bodhi client code in your app/script, or using
> the bodhi client in an "unusual" manner, we'll help you migrate.
>
> Thanks!
>
> Aurélien Bompard