#7832 APIs to manage webhooks

v1.3.0
closed
General
2015-08-20
2015-02-09
No

We should support APIs to manage webhooks so that 3rd-party sites can use oauth to configure a webhook on behalf of a user. This is a common practice to make it easier for the user.

Related

Tickets: #7840

Discussion

  • Dave Brondsema

    Dave Brondsema - 2015-02-09
    • labels: api --> api, sf-current, sf-4
     
  • Igor Bondarenko

    Igor Bondarenko - 2015-02-19
    • Owner: Anonymous --> Igor Bondarenko
    • Labels: api, sf-current, sf-4 --> sf-4, api, 42cc, sf-current
    • Status: open --> in-progress
     
  • Igor Bondarenko

    Igor Bondarenko - 2015-02-23
    • status: in-progress --> review
     
  • Igor Bondarenko

    Igor Bondarenko - 2015-02-23

    Closed #731. ib/7832

    Endpoints description (need to add this to API docs wiki page):

    • list webhooks:
      • GET /rest/p/<project>/admin/<app>/webhooks
      • e.g. /rest/p/test/admin/git/webhooks
    • view webhook:
      • GET /rest/p/<project>/admin/<app>/webhooks/<type>/<id>
      • e.g. /rest/p/test/admin/git/webhooks/repo-push/54db231c04687d300e65db82
    • create a webhook:
      • POST /rest/p/<project>/admin/<app>/webhooks/<type>/
      • e.g. /rest/p/test/admin/git/webhooks/repo-push
      • params: url
    • edit a webhok:
      • POST /rest/p/<project>/admin/<app>/webhooks/<type>/<id>
      • e.g. /rest/p/test/admin/git/webhooks/repo-push/54db231c04687d300e65db82
      • params: url, secret (each can be omitted if don't want to update)
    • delete a webhook:
      • DELETE /rest/p/<project>/admin/<app>/webhooks/<type>/<id>
      • e.g. /rest/p/test/admin/git/webhooks/repo-push/54db231c04687d300e65db82

    .

    Authentication:

    See API auth docs. Works with both bearer tokens and application flow. However, for HTTP methods such as DELETE you'll need to authorize with headers, rather than through request body parameters. I've added support of this to Allura (see [55c074]). We should add this to API auth docs when it lands.

    • if you're using application flow you good to go (python oauth lib uses headers already)
    • if you're using bearer tokens, pass it as header: headers={'Authorization': 'OAuth BearerToken access_token=<your_token>'}

    .

    Also, for sourceforge deployment apache is not configured to pass auth headers to wsgi app (at least on sandboxes), so you'll need to add WSGIPassAuthorization On to allura-venv.conf. Probably we need to update some docs for installing Allura somewhere?

    QA

    Apply this change to python-oauth2 to avoid certificate errors on sandbox.

     

    Last edit: Igor Bondarenko 2015-02-23
  • Dave Brondsema

    Dave Brondsema - 2015-02-24

    An API response of "status": "ok" and nested "webhook" dict seems weird, particularly when doing a GET. How about un-nesting the webhook details? The 200 or 201 status code is sufficient to represent the status I think.

    Oauth parameters can be passed as a URL param so for DELETE You can do ?access_token=foo and don't have to use an Authorization: header.

    That said, adding support for header-based oauth bearer tokens is nice. A few things on that:

    • There actually is a spec for it. So the Authorization: header value should start with just "Bearer " per https://tools.ietf.org/html/rfc6750#section-2.1 I.e. the bearer_token_prefix variable.
    • You have some log.error lines left in RestController._authenticate_request and OAuthNegotiator._authenticate
    • This should be a separate ticket or at least update the title of this ticket so we remember to point it out when we make a changelog in the next release.
     
    • Igor Bondarenko

      Igor Bondarenko - 2015-02-25

      Good points. Created [#7840] for header auth stuff.

       

      Related

      Tickets: #7840

  • Dave Brondsema

    Dave Brondsema - 2015-02-24
    • status: review --> in-progress
    • Reviewer: Dave Brondsema
     
  • Igor Bondarenko

    Igor Bondarenko - 2015-02-25
    • status: in-progress --> review
     
  • Igor Bondarenko

    Igor Bondarenko - 2015-02-25

    Closed #740. Force-pushed ib/7832

    Also fixes [#7840]

     

    Related

    Tickets: #7840

  • Dave Brondsema

    Dave Brondsema - 2015-02-27
    • status: review --> closed
     
  • Dave Brondsema

    Dave Brondsema - 2015-03-09
    • labels: sf-4, api, 42cc, sf-current --> sf-4, api, 42cc
     
  • Igor Bondarenko

    Igor Bondarenko - 2015-06-18
    • Milestone: unreleased --> asf_release_1.3.0
     

Log in to post a comment.