Pulp-cli 0.25.1 token authentication by --header option

xm1234567 · May 23, 2024, 8:27am

Hello,
Has anyone tried pulp-cli 0.25.1 with token authentication in header? The version has an option --header :

  --header TEXT        Custom header to add to each api call. Name
                       and value are colon separated. Can be
                       specified multiple times.

I tried with pulp -v --header 'Authorization: Token xxxxxxxxxxxxxxxx' rpm repository list , it still asks username and password. Not sure if I am doing the right way?
Or maybe this feature is not officially ready yet? seen an issue here Add support for using Token as an authentication method · Issue #925 · pulp/pulp-cli · GitHub

Thanks!

decko · May 23, 2024, 4:29pm

Hi @xm1234567

I think you’re doing it right. Also, you can confirm it by using the -vvv option which should print all calls with headers and bodies to the API.

This is happening because the CLI uses the information it retrieves from the openapi files generated by the API. And we didn’t add the proper support to the CLI to ignore it when you’re sending the Authorization header by hand.

Any contribution to the issue is welcome.

xm1234567 · June 21, 2024, 3:00pm

I tried with pulp-cli 0.25.7 and -vvv, yes, it is Authorization: Basic DWREZWU: , as shown under:

pulp -vvv --header 'Authorization:Token xxxxx --base-url https://x.x.x.x user list
users_list : get https://x.x.x.x/pulp/api/v3/users/?offset=0&limit=25
  User-Agent: Pulp-CLI/0.25.7
  Accept-Encoding: gzip, deflate
  Accept: application/json
  Connection: keep-alive
  Authorization: Basic DWREZWU=
Response: 401
  Server: nginx/1.16.1
  Date: Fri, 21 Jun 2024 14:50:17 GMT
  Content-Type: application/json
  Content-Length: 39
  Connection: keep-alive
  WWW-Authenticate: Token
  Vary: Accept
  Allow: GET, POST, HEAD, OPTIONS
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: same-origin
  Cross-Origin-Opener-Policy: same-origin
  Correlation-ID: 059a84dfa82296c8ee719b409
  Access-Control-Expose-Headers: Correlation-ID
{"detail":"Invalid username/password."}

Sorry, I am not a develop, don’t know Django Wish someone else can contribute this quicky ?

decko · June 21, 2024, 3:34pm

Hey, no problem. We can figure this out together.

Right now, it’s just saying that the access was denied, given an invalid username and/or password.

Have you configured your pulp instance to accept a header as an authentication method?
Can you check the AUTHENTICATION_BACKENDS and the DEFAULT_AUTHENTICATION_CLASSES under REST_FRAMEWORK variables in your settings?

It’s probably something related to the configuration of your instance.

xm1234567 · June 22, 2024, 2:47pm

Hello @decko , I input fake username and password in my test when it asked. The token is the correct, but since it didn’t take in account the token, so then it asked username and password, then I input fake username and password. which lead to Invalid username/password .

In my pulp instance:

AUTHENTICATION_BACKENDS = [
    'social_core.backends.keycloak.KeycloakOAuth2',# Accept Keycloak auth
    'dynaconf_merge',
]

and I use this :

REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = ['rest_framework.authentication.TokenAuthentication','dynaconf_merge']

Here is the whole settings.py file:

Summary

SECRET_KEY = “xxx”
CONTENT_ORIGIN = “http://pulp_content:24816”
DATABASES = {“default”: {“HOST”: “postgres”, “ENGINE”: “django.db.backends.postgresql”, “NAME”: “pulp”, “USER”: “pulp”, “PASSWORD”: “xxx”, “PORT”: “5432”, “CONN_MAX_AGE”: 0, “OPTIONS”: {“sslmode”: “prefer”}}}
CACHE_ENABLED = True
REDIS_HOST = “redis”
REDIS_PORT = 6379
REDIS_PASSWORD = “”
ANSIBLE_API_HOSTNAME = “http://pulp_api:24817”
ANSIBLE_CONTENT_HOSTNAME = “http://pulp_content:24816/pulp/content”
ALLOWED_IMPORT_PATHS = ["/tmp"]
ALLOWED_EXPORT_PATHS = ["/tmp"]
TOKEN_SERVER = “http://pulp_api:24817/token/”
TOKEN_AUTH_DISABLED = False
TOKEN_SIGNATURE_ALGORITHM = “ES256”
PUBLIC_KEY_PATH = “/etc/pulp/keys/container_auth_public_key.pem”
PRIVATE_KEY_PATH = “/etc/pulp/keys/container_auth_private_key.pem”
ANALYTICS = False
STATIC_ROOT = “/var/lib/operator/static/”

CSRF_TRUSTED_ORIGINS = [‘https://x.x.x’,]
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

#Add sha1
ALLOWED_CONTENT_CHECKSUMS = [“sha224”, “sha256”, “sha384”, “sha512”, “sha1”]

#For token creation
REST_FRAMEWORK__DEFAULT_AUTHENTICATION_CLASSES = [‘rest_framework.authentication.TokenAuthentication’,‘dynaconf_merge’]

#For keycloak and token creation
INSTALLED_APPS = [
‘social_django’, # ← for keyloak
‘rest_framework.authtoken’,# ← here is for token creation
‘dynaconf_merge’, # for dynaconf merge token
]

#For keycloak
AUTHENTICATION_BACKENDS = [
‘social_core.backends.keycloak.KeycloakOAuth2’,# Accept Keycloak auth
‘dynaconf_merge’,
]
#For keycloak
TEMPLATES = [{‘APP_DIRS’: True,
‘BACKEND’: ‘django.template.backends.django.DjangoTemplates’,
‘DIRS’: [’/usr/local/lib/python3.8/site-packages/pulpcore/app/templates’],
‘OPTIONS’: {‘context_processors’: [‘django.template.context_processors.debug’,
‘django.template.context_processors.request’,
‘django.contrib.auth.context_processors.auth’,
‘social_django.context_processors.backends’,
‘social_django.context_processors.login_redirect’,
‘django.contrib.messages.context_processors.messages’]}}]

xm1234567 · June 22, 2024, 6:24pm

Is there version requirement for the --header option? On my pulp instance, the pulp core and pump_rpm version are:

{
    "versions": [
        {
            "component": "core",
            "version": "3.45.1",
            "package": "pulpcore",
            "module": "pulpcore.app",
            "domain_compatible": true
        },
...
        {
            "component": "rpm",
            "version": "3.25.0",
            "package": "pulp-rpm",
            "module": "pulp_rpm.app",
            "domain_compatible": true
        },
....

The detailed pulp instance status info:

Summary

{
“versions”: [
{
“component”: “core”,
“version”: “3.45.1”,
“package”: “pulpcore”,
“module”: “pulpcore.app”,
“domain_compatible”: true
},
{
“component”: “ansible”,
“version”: “0.21.1”,
“package”: “pulp-ansible”,
“module”: “pulp_ansible.app”,
“domain_compatible”: false
},
{
“component”: “container”,
“version”: “2.18.0”,
“package”: “pulp-container”,
“module”: “pulp_container.app”,
“domain_compatible”: false
},
{
“component”: “deb”,
“version”: “3.1.1”,
“package”: “pulp_deb”,
“module”: “pulp_deb.app”,
“domain_compatible”: false
},
{
“component”: “maven”,
“version”: “0.8.0”,
“package”: “pulp-maven”,
“module”: “pulp_maven.app”,
“domain_compatible”: false
},
{
“component”: “ostree”,
“version”: “2.2.1”,
“package”: “pulp-ostree”,
“module”: “pulp_ostree.app”,
“domain_compatible”: false
},
{
“component”: “python”,
“version”: “3.11.0”,
“package”: “pulp-python”,
“module”: “pulp_python.app”,
“domain_compatible”: false
},
{
“component”: “rpm”,
“version”: “3.25.0”,
“package”: “pulp-rpm”,
“module”: “pulp_rpm.app”,
“domain_compatible”: true
},
{
“component”: “certguard”,
“version”: “3.45.1”,he

decko · June 23, 2024, 11:32am

Ok. I believe there are a bunch of fixes and changes on the main branch of pulp-cli, even one that corrects the behavior of asking for username/password when using --header.

Can you try it and return here the outcome?

x9c4 · June 26, 2024, 10:25am

I don’t see any.
But hey you asked: Prevent Authorization header to be overwritten by mdellweg · Pull Request #1002 · pulp/pulp-cli · GitHub

I must tell you however this is a bad workaround and it will give the worst user experience for use with short lived bearer tokens. It might be ok for never expiring (only actively being revoked) deployment api tokens.

x9c4 · June 26, 2024, 1:48pm

@xm1234567 Can you confirm that this fixes the issue?

xm1234567 · June 26, 2024, 8:06pm

Hello, sorry for the late reply. I still have the same problem, it still asked username and password when I use --header option. My test environment is:

(venv) # pip list | grep pulp
pulp-cli           0.25.7
pulp-glue          0.25.7

            "component": "core",
            "version": "3.52.0",
            "package": "pulpcore",
            "module": "pulpcore.app",
            "domain_compatible": true

            "component": "rpm",
            "version": "3.25.3",
            "package": "pulp-rpm",
            "module": "pulp_rpm.app",
            "domain_compatible": true

@decko I don’t know if 0.25.7 is what you mean the the main branch ?

Here is the output of the test:

(venv) [root@xxxx ~]# pulp -vvv --header 'Authorization:Token xxxxx' user list
Username: tt
Password: 
users_list : get https://xx.xx.xx/pulp/api/v3/users/?offset=0&limit=25
  User-Agent: Pulp-CLI/0.25.7
  Accept-Encoding: gzip, deflate
  Accept: application/json
  Connection: keep-alive
  Authorization: Basic dHQ6dHQ=
Response: 401
  Server: nginx/1.16.1
  Date: Wed, 26 Jun 2024 19:51:30 GMT
  Content-Type: application/json
  Content-Length: 39
  Connection: keep-alive
  WWW-Authenticate: Token
  Vary: Accept
  Allow: GET, POST, HEAD, OPTIONS
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: same-origin
  Cross-Origin-Opener-Policy: same-origin
  Correlation-ID: 2854b41c45914256bc1f2632d164ffbf
  Access-Control-Expose-Headers: Correlation-ID
{"detail":"Invalid username/password."}
Error: {"detail":"Invalid username/password."}


(venv) [root@xxx ~]# pulp -vvv --header 'Authorization: Token xxxxxx' user list
Username: tt
Password: 
Traceback (most recent call last):
  File "/root/venv/bin/pulp", line 8, in <module>
    sys.exit(main())
  File "/root/venv/lib64/python3.9/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
  File "/root/venv/lib64/python3.9/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
  File "/root/venv/lib64/python3.9/site-packages/pulpcore/cli/common/generic.py", line 290, in invoke
    return super().invoke(ctx)
  File "/root/venv/lib64/python3.9/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/root/venv/lib64/python3.9/site-packages/pulpcore/cli/common/generic.py", line 290, in invoke
    return super().invoke(ctx)
  File "/root/venv/lib64/python3.9/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/root/venv/lib64/python3.9/site-packages/pulpcore/cli/common/generic.py", line 290, in invoke
    return super().invoke(ctx)
  File "/root/venv/lib64/python3.9/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/root/venv/lib64/python3.9/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
  File "/root/venv/lib64/python3.9/site-packages/click/decorators.py", line 92, in new_func
    return ctx.invoke(f, obj, *args, **kwargs)
  File "/root/venv/lib64/python3.9/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
  File "/root/venv/lib64/python3.9/site-packages/click/decorators.py", line 92, in new_func
    return ctx.invoke(f, obj, *args, **kwargs)
  File "/root/venv/lib64/python3.9/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
  File "/root/venv/lib64/python3.9/site-packages/pulpcore/cli/common/generic.py", line 1252, in callback
    result = entity_ctx.list(limit=limit, offset=offset, parameters=kwargs)
  File "/root/venv/lib64/python3.9/site-packages/pulp_glue/common/context.py", line 767, in list
    result: t.Mapping[str, t.Any] = self.call("list", parameters=payload)
  File "/root/venv/lib64/python3.9/site-packages/pulp_glue/common/context.py", line 704, in call
    return self.pulp_ctx.call(
  File "/root/venv/lib64/python3.9/site-packages/pulp_glue/common/context.py", line 357, in call
    result = self.api.call(
  File "/root/venv/lib64/python3.9/site-packages/pulp_glue/common/openapi.py", line 701, in call
    request: requests.PreparedRequest = self.render_request(
  File "/root/venv/lib64/python3.9/site-packages/pulp_glue/common/openapi.py", line 612, in render_request
    request = self._session.prepare_request(
  File "/root/venv/lib64/python3.9/site-packages/requests/sessions.py", line 486, in prepare_request
    p.prepare(
  File "/root/venv/lib64/python3.9/site-packages/requests/models.py", line 369, in prepare
    self.prepare_headers(headers)
  File "/root/venv/lib64/python3.9/site-packages/requests/models.py", line 491, in prepare_headers
    check_header_validity(header)
  File "/root/venv/lib64/python3.9/site-packages/requests/utils.py", line 1040, in check_header_validity
    _validate_header_part(header, value, 1)
  File "/root/venv/lib64/python3.9/site-packages/requests/utils.py", line 1056, in _validate_header_part
    raise InvalidHeader(
requests.exceptions.InvalidHeader: Invalid leading whitespace, reserved character(s), or returncharacter(s) in header value: ' Token xxxxxxxxxxxxxxx'

Strange, same command , I did it several times, and once it says {"detail":"Invalid username/password."}, Another time, it says requests.exceptions.InvalidHeader: Invalid leading whitespace, reserved character(s), or returncharacter(s) in header value: ' Token xxxxxxx'

xm1234567 · June 27, 2024, 2:41pm

I tested with pulp-cli 0.25.7 which is installed by pip and probably is not the same as main branch on github.
I don’t know how to test with the branch. @decko if you can explain to me how?
Also can you check my settings.py is configured correctly to accept a header as an authentication method?

decko · July 2, 2024, 6:15pm

Hi @xm1234567

Sorry for the late response.
I just checked on PiPY and seems that we got the latest 0.26 version there. Could you try to update the CLI and try again?

Also, from where you took the instructions to use Pulp with Keycloak?
I’ve never tested this combination, but looking to your config I’m seeing no major issues.

Could you just try to remove the dynaconf_merge instruction from AUTHENTICATION_BACKENDS and DEFAULT_AUTHENTICATION_CLASSES and see what happens?