feat: Extend authentication to support Bearer token for many resources #7277
Conversation
boring-cyborg
bot
added
ant
|
Awaiting merge of #7255 before looking into the reported merge conflicts |
|
@jeremylong let me know if you'd rather have this merged into the branch of #7255 to then merge both in one go into main |
|
I've approved #7255 - feel free to merge it. See #7255 (comment) |
…URLs - Add configurability for hostedSuppressionsFile user and password - Add configurability for knownExploitedVulnerabilities user and password Also sanitized the ant tasks: - hostedSuppressionUrl is irrelevant for Purge, so pushed down to Update - retireJs URL/User/Password/ForceUpdate/Enabled and KnownExploited URL/Enabled are also relevant for Update, so pulled up from Check - retireJsForceUpdate brought in line with documentation (original code wrongly used retireJsAnalyzerForceUpdate deviating from the documentation) - Over time methods in Check slipped in-between a "copied from PathConvert comment region", moved those out and transformed the comments into an IntelliJ-and-VS-Code compatible folding region - Removed the obsolete getters for the Task configuration parameters - nvdApiDelay changed into an Integer so that we only set a non-default value when specified in the task - Moved value sanity checks from populateSettings to the setter of the given property - Added configurability of Known Exploited valid for hours
* add NVD_API_DATAFEED_BEARER_TOKEN * add KEV_BEARER_TOKEN * add SUPPRESSION_FILE_BEARER_TOKEN * add HOSTED_SUPPRESSIONS_BEARER_TOKEN * add ANALYZER_RETIREJS_REPO_JS_BEARER_TOKEN * add CENTRAL_CONTENT_BEARER_TOKEN * add ANALYZER_CENTRAL_BEARER_TOKEN * update Javadoc to document the either bearer- or basic-auth aspect of the authentication property keys
…cached/mirrored resources * Add the missing suppressionFile User/Password basic auth * Add suppressionFile Bearer token auth * Add retireJS Bearer token auth * Add KEV Bearer token auth * Add NVD Datafeed Bearer token auth * Add HostedSuppressions Bearer token auth * Synchronize documentation with implementation
…cached/mirrored resources * add suppressionFile auth, both basic and bearer * add RetireJS bearer auth and fixup documentation of the basic auth flags * add KEV auth, both basic and bearer * add NVD datafeed bearer auth * add hostedSuppressions auth, both basic and bearer * add central search auth, both basic (was missing in CliParser) and bearer
…r cached/mirrored resources * add NVD datafeed bearer auth + extend serverId usage to bearer when only password * add KEV auth, both basic and bearer * add suppressionFile bearer auth + extend serverId usage to bearer when only password * add hosted suppressions auth, both basic and bearer * add retireJsUrl bearer auth + extend serverId usage to bearer when only password
* don't handover member fields as instance method parameters * re-order parameters in preparation of adding bearer authentication key
aikebah
force-pushed
the
feat/hc5-extending-auth
branch
from
cc04f55 to
9c5dac9
Compare
|
Looks like an NPE in the test? |
|
Not sure how that suddenly surfaced, was convinced I've run a full build even with the latest fixes, but apparently not. The fixup of the last commit is what currently makes it break. Looking into its root cause (testcase fails to I think the Downloader singleton initialisation within the various bootstraps would best be changed to a Downloader cached by the Engine and initialized during Engine construction. In practice it would be the same as a singleton (as there would typically only a single engine instance), but it would allow for correct behaviour in case of multiple engine instances with different settings running in the JVM and would require no special care in the testcases. |
Would solve the symptom, but I think it's better to solve it by going from singleton to managed-by-engine downloader instance. @jeremylong WDYT? |
|
I experimented a bit to take the root-cause way and make the downloader managed by the engine, but encountered so many places where the downloader (or the engine) would need to passed downwards on calls (and/or cached in local fields) that I think fixing up the testcase to initialize the singleton is the better approach. |
|
@jeremylong Have you already started integrating this (new configuration parameters) into the gradle plugin? Or shall I make a start with updating that? |
|
I havent started, but the changes should be simple. If you don’t get to it,
I'll update it closer to the release
…On Wed, Jan 1, 2025, 10:07 AM Hans Aikema ***@***.***> wrote:
@jeremylong <https://github.com/jeremylong> Have you already started
integrating this (new configuration parameters) into the gradle plugin? Or
shall I make a start with updating that?
—
Reply to this email directly, view it on GitHub
<#7277 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGSVQVCU3V6QTPIKEIQE7L2IQAEFAVCNFSM6AAAAABUMXVGY6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNRXGA2DGNZYHA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Description of Change
Builds on top of the changes of #7255 that added pre-emptive basic authentication, so should be merged after that.
Adds HTTP Bearer authentication configuration possibility for
Adds HTTP Basic authentication configuration possibility for:
Related issues
Have test cases been added to cover the new functionality?
no - as testcases would require live endpoints that host the various files behind a HTTP Basic- or HTTP Bearer authentication.