lando / platformsh

The Official Platform.sh Lando Plugin
https://docs.lando.dev/platformsh
GNU General Public License v3.0

Improve `platform` CLI reauthentication #71

Open pirog opened 4 years ago

pirog commented 4 years ago

Right now we make use of the PLATFORMSH_CLI_TOKEN envvar to automatically authenticate the platform cli tool. This is set from the value in ~/.lando/cache/APPNAME.meta.cache which is set during lando init based on the platform token/account you use. It can also be set if lando pull or lando push are run and ~/.lando/cache/APPNAME.meta.cache has not been set yet.

You can test the above out with:

  1. lando init --source platformsh --platformsh-site lando-d8
  2. lando start && lando pull -r database -m web/sites/default/files (does not require auth)
  3. lando destroy && lando start
  4. lando pull -r database -m web/sites/default/files (will prompt for auth)

This works pretty well, but the handling is awkward in a few places:

  1. If your token is revoked or you want to switch to another token you currently need to either lando init or lando pull --auth to update ~/.lando/cache/APPNAME.meta.cache with the correct token. More problematically PLATFORM_CLI_TOKEN is set only on a container create which means that a lando rebuild is currently required to update that value in-container.
  2. It's not obvious that you need to re lando init or lando pull --auth to reset the token. It's more likely the user will attempt to lando platform auth:api-token-login which is probably not going to work as expected.

Proposed improvement:

  1. Set envvar only when needed for tooling.

Lando now lets you set specific environment variables in specific tooling commands. We are currently using this for lando pull and lando push for the relationship dump and connection strings. We should not set PLATFORMSH_CLI_TOKEN globally in the application and instead set it on a per-tooling basis for any commands where lando is managing and relies on the auth to be set a certain way. This should sandbox Lando's need for auth so that other auth concerns can be managed by the user in the way they want. We may want to also set another envvar globally that contains the token so users can leverage that if they want.

  2. Have lando pull and push ask for auth if needed

Right now lando pull and lando push will only ask for authentication if they see that there is no token set in ~/.lando/cache/APPNAME.meta.cache. This is good but it doesn't handle the use case of the token being revoked well. Perhaps instead we should only ask the user for auth if they do not have a valid token, e.g. we should use the platform api to validate the token before we determine whether we need to ask for auth or not.
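A sketch of the two proposals in the issue description above, added here as an illustration; it is not part of the original issue and not the plugin's code. The function names, the `MANAGED` command list, the injected `validate`/`prompt`/`save` callbacks and the token values are all assumptions constructed for the example.

```javascript
// Added illustration; every name here is hypothetical, not the plugin's API.
const TOKEN_VAR = 'PLATFORMSH_CLI_TOKEN';

// Assumption: the commands where Lando itself relies on the token.
const MANAGED = new Set(['pull', 'push']);

// Proposal 1: inject the token per tooling command instead of globally.
function envForCommand(command, baseEnv, token) {
  const env = {...baseEnv};
  // Drop any container-wide token so user-managed auth is not overridden.
  delete env[TOKEN_VAR];
  if (MANAGED.has(command) && token) env[TOKEN_VAR] = token;
  return env;
}

// Proposal 2: validate the cached token first; prompt only when it is
// missing or rejected (e.g. revoked), then cache the replacement.
async function resolveToken({cached, validate, prompt, save}) {
  if (cached && await validate(cached)) {
    return {token: cached, prompted: false};
  }
  const fresh = await prompt();
  if (!fresh || !(await validate(fresh))) {
    throw new Error('Platform.sh rejected the supplied token');
  }
  await save(fresh);
  return {token: fresh, prompted: true};
}

// Constructed demo: the cached token has been revoked upstream.
async function demo() {
  const accepted = new Set(['tok-new']); // stand-in for the Platform.sh API
  const cache = {token: 'tok-revoked'};
  const result = await resolveToken({
    cached: cache.token,
    validate: async (t) => accepted.has(t),
    prompt: async () => 'tok-new',
    save: async (t) => { cache.token = t; },
  });
  const stale = {HOME: '/app', [TOKEN_VAR]: 'stale'};
  return {
    result,
    cache,
    pullEnv: envForCommand('pull', {HOME: '/app'}, result.token),
    platformEnv: envForCommand('platform', stale, result.token),
  };
}

demo().then((out) => console.log(out.pullEnv, out.platformEnv));
```

With this split, a revoked cached token triggers one prompt and a cache update, while a passthrough command such as `platform` runs without the managed token in its environment.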

thasmo commented 3 years ago

This does not work for me. I've set a valid token in PLATFORMSH_CLI_TOKEN locally but running the following ...

lando destroy --force
lando init --source platformsh --platformsh-site projectname
lando start
lando pull (interactive)

... will always result in ...

Verifying you are authenticated against platform.sh...
The API token is invalid.                                                   
  [RequestException]
  Authentication is required.
  Please log in by running:                                         
      platform login                                                
  To log in using an API token, run: platform auth:api-token-login  
  [LoginRequiredException]                                          
  Authentication is required.                                       
  Please log in by running:                                         
      platform login                                                
  To log in using an API token, run: platform auth:api-token-login  

After manually deleting ~/.lando/cache/platformsh.tokens it seems that lando init does ask for a token, but it seems it still does not respect/read PLATFORMSH_CLI_TOKEN from the environment. Not providing a token seems to hang the process after Killing ....

➜ lando init --source platformsh --platformsh-site projectname
? Enter a Platform.sh access token [hidden]
Starting landoinittypo310_init_1 ... done
Killing landoinittypo310_init_1 ... done

Providing a token manually will result in a crash.

➜ lando init --source platformsh --platformsh-site projectname
? Enter a Platform.sh access token [hidden]
Starting landoinittypo310_init_1 ... done
Killing landoinittypo310_init_1 ... done

 ██████╗██████╗  █████╗ ███████╗██╗  ██╗██╗██╗██╗
██╔════╝██╔══██╗██╔══██╗██╔════╝██║  ██║██║██║██║
██║     ██████╔╝███████║███████╗███████║██║██║██║
██║     ██╔══██╗██╔══██║╚════██║██╔══██║╚═╝╚═╝╚═╝
╚██████╗██║  ██║██║  ██║███████║██║  ██║██╗██╗██╗
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝╚═╝╚═╝╚═╝

Running lando init interactively results in an error, because the project has a Git repo locally already.

Whoooops! Looks like you've already got a git repo here!
Either delete this repo or try to lando init in a folder without .git in it
Killing landoinitpixotypo310lts_init_1 ... done
Removing landoinitpixotypo310lts_init_1 ... done
Removing network landoinitpixotypo310lts_default
Removing volume landoinitpixotypo310lts_data_init
Removing volume landoinitpixotypo310lts_home_init
ERROR ==>  

This is a pretty old issue; is there more up-to-date documentation regarding this issue? At the moment it seems lando platform commands are not usable.

pirog commented 3 years ago

It’s not supposed to work the way you are using it.

thasmo commented 3 years ago

I'm trying to figure out how it is supposed to work for a local platform.sh project with an existing .lando.yml configuration. As far as I understand I need to run lando init for every local project, to set the platform.sh CLI token for Lando. If so, I'm looking for a way to run lando init in a non-interactive way which also does not rewrite or change the existing .lando.yml configuration.

Best I came up with now is running this command.

lando init --recipe platformsh --source cwd --platformsh-site "Project Title XY" --platformsh-auth "$PLATFORMSH_CLI_TOKEN"

Unfortunately it does rewrite the .lando.yml configuration, changes the name value, changes indentation, etc.

Is there currently a way to configure platform.sh authentication for an existing local platform.sh project without using lando init? lando init seems to be a good choice when creating new projects but seems to have some quirks when using it for already set up projects containing a .lando.yml configuration.

pirog commented 3 years ago

You do not need to run lando init every time. If it already has a Landofile you can git clone && lando start. When you go to lando pull it will ask you to authenticate if it needs to authenticate. If you want to authenticate manually you can do so with the usual lando platform commands.

That said, you will probably want to accept what lando init does to your existing Landofile re: setting the name and recipe to ensure that things work as expected. If you manually change these values you are in unsupported territory.

thasmo commented 3 years ago

@pirog Thank you! Got it now. The first time when using lando pull, it asks for a platform.sh CLI token. Would it be possible to use the contents of PLATFORMSH_CLI_TOKEN as the default/fallback value, if no token is provided manually? The issue description states "Right now we make use of the PLATFORMSH_CLI_TOKEN envvar to automatically authenticate the platform cli tool." but this does not apply to lando pull if I understand correctly. Is PLATFORMSH_CLI_TOKEN used somewhere automatically?