Username and password not working for private template source

[tetchel]

[INFO: 14:40:53.651 CLIWrapper.ts:169]: Running CLI command: cwctl --json --insecure templates repos add --conid local --url https://raw.githubusercontent.com/tetchel/codewind-templates-private/master/devfiles/index.json --name tim stacks --username tetchel --password ********
[DBUG: 14:40:54.132 CLIWrapper.ts:249]: Successfully ran CLI command cwctl --json --insecure templates repos add --conid local --url https://raw.githubusercontent.com/tetchel/codewind-templates-private/master/devfiles/index.json --name tim stacks --username tetchel --password ********, Output was:
{"error":"ADD_REPO_ERROR","error_description":"Error: Bad Request - Get template summaries failed.\nUnexpected HTTP status for https://raw.githubusercontent.com/tetchel/codewind-templates-private/master/devfiles/index.json: 404"}
[ERRO: 14:40:54.134 SourcesPageWrapper.ts:140]: Error adding new template repo https://raw.githubusercontent.com/tetchel/codewind-templates-private/master/devfiles/index.json Error: Bad Request - Get template summaries failed.
Unexpected HTTP status for https://raw.githubusercontent.com/tetchel/codewind-templates-private/master/devfiles/index.json: 404

I can't get my username/password to work with a public github private repository. @eharris369 tried too on GHE and had the same result. PATs work, though.

Also, cwctl should exit with a failure code in this case.

[rwalle61]

Thanks for raising this, it looks like cwctl templates repos add does not support private GH repos

I didn't add it originally because the implementation is slightly different to GHE, and at the time the spec was only GHE. (Although I did make cwctl project create work with private GH repos).

We are seeing 404 because PFE does not validate credentials before GETing the devfile. I guess GitHub returns 404 rather than 401 to GET requests for files when given incorrect credentials. (By contrast, GitHub returns 401 to requests to clone a repo when given incorrect credentials - which is why cwctl project create --url <secureTemplateURL> returns 401)

If we need to support private GH template repos I can add it - @tobespc do we need to?

[rwalle61]

As for GHE, that should be working.

Does cwctl templates add --url <GHERepo> --username .. --password .. work outside the IDE? It works for me and a couple other people, and the only way I can reproduce the 404 for GHE is by putting in incorrect credentials or a devile that does not exist.

I'm happy to debug with you if that helps

[rwalle61]

Re supporting private GH repos, I have confirmed with @tobespc that it is still not part of the spec for now

[rwalle61]

@tobespc @tetchel @eharris369 are we iceboxing this or resolving it?

[tobespc]

still waiting to hear back from icp4a

[tetchel]

It does not seem to work for me on GHE either.

I tried GETing that URL while logged in using the HTTP client I use in the VS Code plugin too and also got a 404. So it may be a quirk of the IBM SSO wrapping the GHE authentication (eg, if I try and log into a private window with that username/password I get a 2FA prompt); basic auth may not be sufficient.

[tobespc]

supporting private template sources is out of scope for codewind with the current requirements. Moving to icebox

[tetchel]

supporting private template sources is out of scope

do you mean private github repos? they still work with access tokens

[jopit]

It probably is due to SSO: https://developer.github.com/v3/auth/

Also, according to that document, github is removing api auth using username/password later this year. I think we should leave the ability to use username/password in codewind, since template sources could be hosted at sites other than github and those sites could use username/password authentication.

[rwalle61]

@tetchel hmm I don't know why it's not working for you on GHE. At least 2 members of Portal besides me have managed to access that GHE template repo using their GHE creds, which for them is their IBM intranet password

[tetchel]

Do any of those people have 2fa enabled on ghe? Basically, we need to come up with a support statement. We support github public in these cases, and github private in these cases.

I suppose basic auth (username/pw) should still work in theory for an arbitrary webserver that accepted it and gave the expected status codes, too.

[jagraj]

@jopit @tetchel
As per your request, I tried to configure template source repository with my public GitHub account which is not associated with any GHE account. I configured index.json in one of private repo and the actual template source also in private repo. With this setup we can only access template source using access token or Userid and access token as password. If both index.json and template source in public repos then Userid/pwd combination works fine and also access token too. Looks like Userid/pwd access works for public repos and not for private repos.

[tetchel]

To summarize what I have seen:

	GH	GHE
Access Token	✅	✅
Credentials	❓	❓

I'm still not certain if 2fa is the breaker here; I just know Erin and I have it on and it does not work for us, but has been reported to work for some others (#3153 (comment)) so that is my best guess.

Jag, in your comment above, did you have 2fa enabled on those accounts?

edit: jag did not have 2fa enabled, so I'm not sure why credentials worked for some. Removed 2fa from the table.

[tetchel]

Looks like Userid/pwd access works for public repos and not for private repos.

The username and password are never checked for public repos. So you can enter any bogus username and password, or none, and public repos will still work.