#6692 Exports should be scriptable; Simple oauth API via bearer tokens
closed
General
2015-08-20
2013-09-20
No
Currently difficulties in project exports are:
- requires a manual form submission
- email is used to notify when ready
- resulting filename is non-deterministic
It should be possible to automate a project export with a script, with minimal difficulty.
Use API to trigger export, use API to poll for status & get filename (full connection path?).
Goal: have a script (or use a utility like curl-oauth to avoid the oauth complexities and be able to do it all in a shell script) to hit the new API to start an export. Then check the new export status API until the export is no longer busy, then the script can download the file.
Last edit: Libri Nozze 2016-08-05
allura:cj/6692forge-classic:cj/6692sfx:cj/6692The
forge-classicandsfxchanges are for adding the OAuth account menu item, because the third-party apps section was removed from Subscriptions and integrated into the improved OAuth page.I like it. I have a lot of feedback though:
bearer tokens
authorized_applicationswas removed in one place, it's also unnecessary in PreferencesController.indexOauth page:
Being picky since security is important
name=request_token.name,is added. Why?test_bearer_tokenwould be better as 4 separate tests so we don't have to worry about changes to the mock & the request carrying over from one test case to the next.allura/tests/functional/test_auth.pythat only cover the /auth/oauth/ page (and 2 of those fail & need to be updated). We should write the tests since we're touching the functionality a little bit here.backup APIs
exportmethods of ProjectAdminController andProjectAdminRestControllershare a lot in common. What would you think of ProjectAdminController.export calling ProjectAdminRestController.export and converting any HTTP exception into a flash message? The API should have thebulk_export_enabledcheck too.test_exportso each case has a name would help me at least (test_export_no_exportable_tools, test_export_i_don't_know_why_the_2nd_one_fails)overall
Can we provide a sample shell script that uses the API? We also need to document the API. Particularly note the http codes, e.g. so people know 503 means task busy not server having problems.
ProjectAdminRestController._check_securitychecks forreadso that the export status check doesn't have to be authenticated. But, I guess if the script that queued the export is already authenticated, re-using the auth for the status check isn't a big deal.I noticed the body of the 403 page but I have no idea how that's happening, as I'm just raising a standard
HTTPForbiddenexception. Maybe I should return None like the other parts of that method do, but that just allows anon access with no error indicating that the auth failed (unless anon is disallowed later on).The
name=request_token.namewas a part of a rolled-back change, and should have been removed.Yeah, I think it's safer to require 'admin' for that whole controller
403: Right, certainly unrelated code causing that. I guess see if its a quick fix? If not, ticket up with what you did find out.
Changes pushed to
allura:cj/6692[d6d1e6] removed the
revoke_oauthmethod and its functional test. But it's still referenced byOAuthRevocationFormWhat about these items from my previous comments?
I forgot to mention: with the change to
_check_security, the 302/403 issue resolved itself.allura:cj/6692(rebased and force-pushed)Oh, I was wrong, but I was able to fix it.
Not exactly sure what you mean by "even more tests."
Allura/allura/tests/functional/test_auth.py:TestOAuthalready has functional tests of all the functionality on the/auth/oauthpage, and I converted the valid case of the bearer token tests to a functional (non-mocked) test. Are you suggested we add tests to cover the interactive oauth process?