Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Modify graphql token logic to include refresh #2475

Closed
wants to merge 2 commits into from

Conversation

rayterrill
Copy link
Contributor

@rayterrill rayterrill requested a review from a team as a code owner August 26, 2022 21:29
@jamengual jamengual added waiting-on-review Waiting for a review from a maintainer waiting-on-response Waiting for a response from the user bug Something isn't working labels Aug 26, 2022
@jamengual
Copy link
Contributor

@rayterrill take a look at this: #2128
there was a change of library at some point and I remember Raymond saying that there was another library that was better but did not supported the graphql API but I wonder if that is not the case anymore.

Another thing to note is if in the docs the scopes are correct, AFAIk read:org, read:discussion where required.

Thanks for the contribution again.

@rayterrill
Copy link
Contributor Author

Doing a little more testing around this this morning to see if we can handle this a little slicker.

@rayterrill
Copy link
Contributor Author

@jamengual I think this is the right library to use. I'm not sure what to check on the scopes side - this is working for me with the "normal" Atlantis scopes, and the addition of the "administration: read only" which I'm not sure where we'd need to document this.

Potentially this graphql token piece could be refactored, but this is working for me, and it's a pretty simple change. Hesitant to break this apart too much.

@stasostrovskyi i know you were running into this pretty frequently - any chance you can test with this code and see if the graphql issues you were hitting go away?

@ysoldak
Copy link
Contributor

ysoldak commented Aug 30, 2022

So we basically create a new client on each query to workaround the refresh token problem?

I can try and verify this fix, same company with @stasostrovskyi

@rayterrill
Copy link
Contributor Author

For now @ysoldak. I'm working on another update that will actually refresh the token as-needed vs generating a new one each query - might need some deeper changes to the underlying abstractions.

@ysoldak
Copy link
Contributor

ysoldak commented Aug 30, 2022

I'm testing this fix locally now instead. Seem to be working actually. I.e. token is refreshed as it should.
No extra code needed.

https://github.com/runatlantis/atlantis/compare/master...ysoldak:atlantis:ghv4-plus-ghapp?expand=1

@ysoldak
Copy link
Contributor

ysoldak commented Aug 30, 2022

We shall run this (see prev comment) for some days on our prod and if no prob, I can file a PR then.

@rayterrill
Copy link
Contributor Author

That's pretty much identical to what I have running locally as well - getting that transport in there allows the underlying library to refresh the token as needed.

@ysoldak
Copy link
Contributor

ysoldak commented Aug 30, 2022

Yes, the problem as I see it is in oauth2.StaticTokenSource that is explicitly never refreshes.
But the transport we use for everything else and it works and handles token refresh transparently.

//iterate over the runs inside the suite
suite, _, err := g.client.Checks.ListCheckRunsCheckSuite(context.Background(), repo.Owner, repo.Name, *c.ID, nil)
if err != nil {
return false, errors.Wrap(err, "getting check runs for check suite")
}

for _, r := range suite.CheckRuns {
fmt.Printf("Looking at check run %s\n", *r.Name)
//check to see if the check is required
if isRequiredCheck(*r.Name, required.RequiredStatusChecks.Contexts) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code will crash if no required checks are configured for the repo. While feature flag kind of implies that at least one required check should be set - atlantis/apply - it's completely plausible to have 1 or 2 repos in organization misconfigured or deliberately configured in a different way. If there are no required checks it means that we don't even need to go through CheckRuns.

I understand it's out of scope of this PR, but feels like the best place to point it out :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure what you mean @stasostrovskyi - I just tested this again with no required checks configured and it works fine? It should just pass right through that section if none of the checks are required?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is what we got when running without required checks

Error: goroutine panic. This is a bug.

runtime error: invalid memory address or nil pointer dereference
runtime/panic.go:260 (0x44c9d5)
runtime/signal_unix.go:835 (0x44c9a5)
github.com/runatlantis/atlantis/server/events/vcs/github_client.go:357 (0xa89acc)
github.com/runatlantis/atlantis/server/events/vcs/github_client.go:430 (0xa8a197)
github.com/runatlantis/atlantis/server/events/vcs/instrumented_client.go:179 (0xa90beb)
github.com/runatlantis/atlantis/server/events/vcs/proxy.go:72 (0xa925e4)
github.com/runatlantis/atlantis/server/events/vcs/pull_status_fetcher.go:28 (0xa92e65)
github.com/runatlantis/atlantis/server/events/apply_command_runner.go:109 (0xc72835)
github.com/runatlantis/atlantis/server/events/command_runner.go:296 (0xc77443)
runtime/asm_amd64.s:1594 (0x467ce0)

I haven't debugged it but it's either required or RequiredStatusChecks are nil in the case when there are no required checks.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GitHub probably returns nil ("null" in JSON) instead of an empty list as the code expects.

@jamengual
Copy link
Contributor

jamengual commented Aug 30, 2022 via email

@rayterrill
Copy link
Contributor Author

I pulled the change to use the transport into my local copy and it's working correctly for me - passed the 1 hour token expiry mark and I'm able to make graphql calls succesfully.

@ysoldak
Copy link
Contributor

ysoldak commented Aug 30, 2022

Great, shall I make a PR?

@rayterrill
Copy link
Contributor Author

A new PR is fine with me @ysoldak - I can close this one out. Can you include the removal of the extra print statements I have in this PR?

@ysoldak
Copy link
Contributor

ysoldak commented Aug 30, 2022

A new PR is fine with me @ysoldak - I can close this one out. Can you include the removal of the extra print statements I have in this PR?

yes, no prob, will cherry-pick.

@rayterrill rayterrill closed this Aug 30, 2022
@rayterrill rayterrill deleted the graphql_token_fix branch August 30, 2022 17:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working waiting-on-response Waiting for a response from the user waiting-on-review Waiting for a review from a maintainer
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants