
Conversation

woodruffw (Member)

@woodruffw woodruffw commented Jun 21, 2022

WIP.

This adds more debug logs and adds the SIGSTORE_OAUTH_BROWSER environment variable, which can be used to override the webbrowser's default browser selection (e.g. SIGSTORE_OAUTH_BROWSER=firefox).

Removed the SIGSTORE_OAUTH_BROWSER variable, since it's essentially a duplicate of what webbrowser already does via the BROWSER variable. Instead, this PR adds SIGSTORE_OAUTH_FORCE_OOB, which forcefully disables the in-band OAuth flow if set.

See #96.

Signed-off-by: William Woodruff <william@trailofbits.com>
@kushaldas

I am seeing:

I replaced the real values for {AUTH_CODE_VALUE}&state={MYSTATE_VALUE}

DEBUG:sigstore._internal.oidc.oauth:GET: /auth/callback?code={AUTH_CODE_VALUE}&state={MYSTATE_VALUE}
DEBUG:sigstore._internal.oidc.oauth:GET: /favicon.ico
DEBUG:sigstore._internal.oidc.oauth:GET: /favicon.ico
DEBUG:sigstore._internal.oidc.oauth:GET: /favicon.ico
DEBUG:sigstore._internal.oidc.oauth:GET: /favicon.ico
DEBUG:sigstore._internal.oidc.oauth:GET: /favicon.ico
DEBUG:sigstore._internal.oidc.oauth:GET: /favicon.ico
DEBUG:sigstore._internal.oidc.oauth:GET: /favicon.ico
DEBUG:sigstore._internal.oidc.oauth:GET: /favicon.ico
DEBUG:sigstore._internal.oidc.oauth:GET: /favicon.ico
DEBUG:sigstore._internal.oidc.oauth:GET: /favicon.ico
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): oauth2.sigstore.dev:443
DEBUG:urllib3.connectionpool:https://oauth2.sigstore.dev:443 "POST /auth/token HTTP/1.1" 400 70
Traceback (most recent call last):
  File "/home/kdas/code/sigstore-python/sigstore/_internal/oidc/oauth.py", line 211, in get_identity_token
    resp.raise_for_status()
  File "/home/kdas/code/sigstore-python/.venv/lib64/python3.10/site-packages/requests/models.py", line 1022, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://oauth2.sigstore.dev/auth/token

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib64/python3.10/runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib64/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/home/kdas/code/sigstore-python/sigstore/__main__.py", line 22, in <module>
    main()
  File "/home/kdas/code/sigstore-python/sigstore/_cli.py", line 254, in main
    _sign(args)
  File "/home/kdas/code/sigstore-python/sigstore/_cli.py", line 333, in _sign
    args.identity_token = get_identity_token(
  File "/home/kdas/code/sigstore-python/sigstore/_internal/oidc/oauth.py", line 213, in get_identity_token
    raise IdentityError from http_error
sigstore._internal.oidc.IdentityError

@woodruffw (Member Author)

woodruffw commented Jun 21, 2022 via email

@woodruffw (Member Author)

@kushaldas could you try once more with the changes in 91b22a0? That should prevent any races if the browser attempts to spam us with favicon requests.

@kushaldas

> @kushaldas could you try once more with the changes in 91b22a0? That should prevent any races if the browser attempts to spam us with favicon requests.

DEBUG:sigstore._internal.oidc.oauth:GET: /auth/callback?code={AUTH_CODE_VALUE}&state={MYSTATE_VALUE}
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): oauth2.sigstore.dev:443
DEBUG:urllib3.connectionpool:https://oauth2.sigstore.dev:443 "POST /auth/token HTTP/1.1" 400 70
Traceback (most recent call last):
  File "/home/kdas/code/sigstore-python/sigstore/_internal/oidc/oauth.py", line 219, in get_identity_token
    resp.raise_for_status()
  File "/home/kdas/code/sigstore-python/.venv/lib64/python3.10/site-packages/requests/models.py", line 1022, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://oauth2.sigstore.dev/auth/token

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib64/python3.10/runpy.py", line 196, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib64/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/home/kdas/code/sigstore-python/sigstore/__main__.py", line 22, in <module>
    main()
  File "/home/kdas/code/sigstore-python/sigstore/_cli.py", line 254, in main
    _sign(args)
  File "/home/kdas/code/sigstore-python/sigstore/_cli.py", line 333, in _sign
    args.identity_token = get_identity_token(
  File "/home/kdas/code/sigstore-python/sigstore/_internal/oidc/oauth.py", line 221, in get_identity_token
    raise IdentityError from http_error
sigstore._internal.oidc.IdentityError

Btw, I am on Slack in the #python channel, just in case you want to have a chat :)

@woodruffw woodruffw requested review from tetsuo-cpp and di June 21, 2022 18:51
@woodruffw (Member Author)

This should be good to go. It "fixes" the idempotency issue by doing one less call to server.auth_request(). That's not ideal in the long term, however, since the API is still pretty easy to misuse. We should think about making it more misuse-resistant.
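The two failure modes discussed in this thread, a browser hammering the loopback listener with /favicon.ico while the real /auth/callback is in flight, and a callback API that is easy to call one time too many, are illustrated below. This is an added example written for this page, not sigstore-python's own implementation: every name in it (CallbackState, handle_request, take_code, start_callback_server, wait_for_code) is an assumption, and the only detail borrowed from the thread is the /auth/callback path seen in the debug logs. The handler answers every non-callback path with a 404 without touching any captured state, rejects a callback whose state does not match, refuses to overwrite a code it already holds, and hands the code out exactly once so a second consumer fails loudly instead of racing.

```python
"""Added example, not sigstore-python's code: a loopback OAuth redirect
callback that ignores stray browser requests (e.g. /favicon.ico) and
yields its authorization code exactly once.  All names are assumptions."""
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed redirect path; it matches the path visible in the thread's logs.
CALLBACK_PATH = "/auth/callback"


class CallbackState:
    """Expected OAuth `state` plus the single code the redirect delivers."""

    def __init__(self, expected_state: Optional[str] = None) -> None:
        self.expected_state = expected_state or secrets.token_urlsafe(32)
        self._code: Optional[str] = None
        self._consumed = False
        self._lock = threading.Lock()
        self.done = threading.Event()  # set once the flow has an outcome

    def handle_request(self, path: str) -> Tuple[int, str]:
        """Map one GET to (status, body). Only CALLBACK_PATH mutates state."""
        parts = urlsplit(path)
        if parts.path != CALLBACK_PATH:
            # /favicon.ico and anything else: 404 and leave everything alone.
            return 404, "not found"
        query = parse_qs(parts.query)
        if "error" in query:
            # Provider reported failure; unblock the waiter with no code.
            self.done.set()
            return 400, f"authorization failed: {query['error'][0]}"
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        if state is None or not secrets.compare_digest(
            state.encode(), self.expected_state.encode()
        ):
            # Unknown state: a stale tab or an injected request, not ours.
            return 400, "state mismatch"
        if code is None:
            return 400, "missing code"
        with self._lock:
            if self._code is not None:
                # A second valid-looking callback must not clobber the first.
                return 409, "authorization code already received"
            self._code = code
        self.done.set()
        return 200, "you may close this tab"

    def take_code(self) -> str:
        """Return the code once; a second call is a programming error."""
        with self._lock:
            if self._consumed:
                raise RuntimeError("authorization code already consumed")
            if self._code is None:
                raise RuntimeError("no authorization code received")
            self._consumed = True
            return self._code


class _CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        status, body = self.server.state.handle_request(self.path)  # type: ignore[attr-defined]
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, fmt, *args) -> None:  # keep the example quiet
        pass


def start_callback_server(state: CallbackState) -> HTTPServer:
    """Bind an ephemeral loopback port; the caller builds redirect_uri from it."""
    server = HTTPServer(("127.0.0.1", 0), _CallbackHandler)
    server.state = state  # type: ignore[attr-defined]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server  # redirect_uri = f"http://127.0.0.1:{server.server_port}{CALLBACK_PATH}"


def wait_for_code(state: CallbackState, server: HTTPServer, timeout: float = 300.0) -> str:
    """Block until one outcome arrives, shut the listener down, yield the code once."""
    try:
        if not state.done.wait(timeout):
            raise TimeoutError("no OAuth callback received")
        return state.take_code()
    finally:
        server.shutdown()
```

The separation matters: handle_request is a pure path-to-response mapping that can be exercised without sockets, while the HTTP handler and the server wiring stay thin. Calling take_code twice raises rather than returning a stale code, which is the misuse the comment above says the real API should eventually resist.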

@woodruffw woodruffw merged commit 96d7de2 into main Jun 21, 2022
@woodruffw woodruffw deleted the ww/oauth-debug branch June 21, 2022 19:42