Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: support generic secret in docker auth #494
base: main
Are you sure you want to change the base?
feat: support generic secret in docker auth #494
Changes from 1 commit
68004ba
4ce88b6
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This approach is rather forgiving, as it treats all cases where the authentication is not via username and password, as
_json_key
right away, without verification. This is quite error-prone.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I probably should have avoided using the specific
_json_key
as the example. The implementation should actually cover any case. Let me see if i can explain better given the following example:(showing the auth value base64 decoded for clarity)
previously, the webhook would make no attempt to unwrap this
auth
value, because it doesn't match theuser:pass
format it expects, i.e.,vault:secret/data/creds#USER:vault:secret/data/creds#PW
. instead, it would fail with thesplitting auth credentials failed
error. there are certainly issues with the previous implementation. one being that it is restrictive, and another being that it doesn't support transit values, i.e.,vault:v1:aGkK:vault:v1:YnllCg==
could be a validusername:password
but will fail with the samesplitting auth credentials failed
error.my goal with this change is to leave the previous functionality (including assumptions) in tact, but opening up the possibility for the user to put whatever they need to inside of the auth value. instead of failing with the
splitting auth credentials failed
error, it will now make an attempt to unwrap the value (we've already verified it starts with the vault prefix at this point) and, if successful, swap it in. this gives the user full control of the auth value. it could be a_json_key
or it could beuser:pass
or anything else.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Your observation is astute. Indeed, the main issue here is that using len(split) for control flow can be quite misleading for someone reading the code. It's not immediately clear how the length of the split array relates to the logic being implemented, which can make the code harder to understand and maintain. A more explicit and self-explanatory approach to control flow would likely improve code readability and reduce potential confusion for other developers working with this code.
The thing I wrote about verification, is for the same reason. If someone sees a verification function being called e.g.:
Immediately knows what is happening, and what values can be used.