#7832 APIs to manage webhooks

v1.3.0
closed
General
2015-08-20
2015-02-09
No

We should support APIs to manage webhooks so that 3rd-party sites can use oauth to configure a webhook on behalf of a user. This is a common practice to make it easier for the user.

Related

Tickets: #7840

Discussion

  • Dave Brondsema - 2015-02-09
    • labels: api --> api, sf-current, sf-4
     
  • Igor Bondarenko - 2015-02-19
    • Owner: Anonymous --> Igor Bondarenko
    • Labels: api, sf-current, sf-4 --> sf-4, api, 42cc, sf-current
    • Status: open --> in-progress
     
  • Igor Bondarenko - 2015-02-23
    • status: in-progress --> review
     
  • Igor Bondarenko - 2015-02-23

    Closed #731. ib/7832

    Endpoints description (need to add this to API docs wiki page):

    • list webhooks:
      • GET /rest/p/<project>/admin/<app>/webhooks
      • e.g. /rest/p/test/admin/git/webhooks
    • view webhook:
      • GET /rest/p/<project>/admin/<app>/webhooks/<type>/<id>
      • e.g. /rest/p/test/admin/git/webhooks/repo-push/54db231c04687d300e65db82
    • create a webhook:
      • POST /rest/p/<project>/admin/<app>/webhooks/<type>/
      • e.g. /rest/p/test/admin/git/webhooks/repo-push
      • params: url
    • edit a webhook:
      • POST /rest/p/<project>/admin/<app>/webhooks/<type>/<id>
      • e.g. /rest/p/test/admin/git/webhooks/repo-push/54db231c04687d300e65db82
      • params: url, secret (each can be omitted if you don't want to update it)
    • delete a webhook:
      • DELETE /rest/p/<project>/admin/<app>/webhooks/<type>/<id>
      • e.g. /rest/p/test/admin/git/webhooks/repo-push/54db231c04687d300e65db82


    Authentication:

    See API auth docs. Works with both bearer tokens and application flow. However, for HTTP methods such as DELETE you'll need to authorize with headers, rather than through request body parameters. I've added support for this to Allura (see [55c074]). We should add this to API auth docs when it lands.

    • if you're using application flow you're good to go (python oauth lib uses headers already)
    • if you're using bearer tokens, pass it as header: headers={'Authorization': 'OAuth BearerToken access_token=<your_token>'}


    Also, for the SourceForge deployment Apache is not configured to pass auth headers to the WSGI app (at least on sandboxes), so you'll need to add WSGIPassAuthorization On to allura-venv.conf. Probably we need to update some docs for installing Allura somewhere?

    QA

    Apply this change to python-oauth2 to avoid certificate errors on sandbox.

     

    Last edit: Igor Bondarenko 2015-02-23
  • Dave Brondsema - 2015-02-24

    An API response of "status": "ok" and nested "webhook" dict seems weird, particularly when doing a GET. How about un-nesting the webhook details? The 200 or 201 status code is sufficient to represent the status I think.

    OAuth parameters can be passed as a URL param so for DELETE you can do ?access_token=foo and don't have to use an Authorization: header.

    That said, adding support for header-based oauth bearer tokens is nice. A few things on that:

    • There actually is a spec for it. So the Authorization: header value should start with just "Bearer " per https://tools.ietf.org/html/rfc6750#section-2.1 I.e. the bearer_token_prefix variable.
    • You have some log.error lines left in RestController._authenticate_request and OAuthNegotiator._authenticate
    • This should be a separate ticket or at least update the title of this ticket so we remember to point it out when we make a changelog in the next release.
     
    • Igor Bondarenko - 2015-02-25

      Good points. Created [#7840] for header auth stuff.

       

      Related

      Tickets: #7840
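
The five endpoints listed in this ticket, called with the bearer token in an Authorization header of the RFC 6750 section 2.1 form, as an added example that is not Allura code or part of the discussion. The host, the function name webhook_request and the sample token are assumptions; requests are built but not sent.

```python
import re
from urllib.parse import quote, urlencode
from urllib.request import Request

BASE = "https://allura.example.invalid"  # placeholder host (assumption)
# b64token charset from RFC 6750 section 2.1; fullmatch also rejects CR/LF
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# action -> (HTTP method, path needs <type>, path needs <id>, allowed params)
ACTIONS = {
    "list":   ("GET",    False, False, set()),
    "view":   ("GET",    True,  True,  set()),
    "create": ("POST",   True,  False, {"url"}),
    "edit":   ("POST",   True,  True,  {"url", "secret"}),
    "delete": ("DELETE", True,  True,  set()),
}

def webhook_request(action, token, project, app, hook_type=None, hook_id=None, **params):
    """Build (without sending) a request for one endpoint listed in the ticket."""
    if not B64TOKEN.fullmatch(token):
        raise ValueError("token is not an RFC 6750 b64token")
    method, needs_type, needs_id, allowed = ACTIONS[action]
    if needs_type != bool(hook_type) or needs_id != bool(hook_id):
        raise ValueError(f"{action}: wrong <type>/<id> arguments")
    if set(params) - allowed:
        raise ValueError(f"{action}: unsupported params {sorted(set(params) - allowed)}")
    segments = ["rest", "p", project, "admin", app, "webhooks"]
    segments += [s for s in (hook_type, hook_id) if s]
    # Encode each segment so a value containing "/" cannot change the route
    path = "/" + "/".join(quote(s, safe="") for s in segments)
    body = urlencode(params).encode() if params else None
    # The token goes in the header only, never in the URL or the body
    return Request(BASE + path, data=body, method=method,
                   headers={"Authorization": "Bearer " + token})

if __name__ == "__main__":
    # Constructed sample call using the example path from the ticket
    req = webhook_request("delete", "constructed-token", "test", "git",
                          "repo-push", "54db231c04687d300e65db82")
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
```
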

  • Dave Brondsema - 2015-02-24
    • status: review --> in-progress
    • Reviewer: Dave Brondsema
     
  • Igor Bondarenko - 2015-02-25
    • status: in-progress --> review
     
  • Igor Bondarenko - 2015-02-25

    Closed #740. Force-pushed ib/7832

    Also fixes [#7840]

     

    Related

    Tickets: #7840

  • Dave Brondsema - 2015-02-27
    • status: review --> closed
     
  • Dave Brondsema - 2015-03-09
    • labels: sf-4, api, 42cc, sf-current --> sf-4, api, 42cc
     
  • Igor Bondarenko - 2015-06-18
    • Milestone: unreleased --> asf_release_1.3.0
     
