feat!: use kerberos authentication in pyxis_gql

Substituted HTTP certificate by kerberos authentication in the PyxisGQL class, by including a kerberos authorizer object from the requests-kerberos library. RequestsHTTPTransportWithCert was a workaround that will not be needed anymore with kerberos authentication. We switched back to using RequestsHTTPTransport. Also, we removed the 'cert' param from PyxisGQL class. The removal of 'cert' parameter repercuted to the container module, and to the tests of the container and pyxis_gql. The class ContainerAPI will no more use the parameter 'pyxis_cert'. JIRA: CWFHEALTH-1762 BREAKING CHANGE: the PyxisGQL class will not accept the 'cert' parameter anymore when instantiated. Also, the class ContainerAPI will not accept the 'pyxis_cert' parameter.
redhat-exd-rebuilds · Feb 28, 2023 · f5ad1c2 · f5ad1c2
1 parent 4aa1325
commit f5ad1c2
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 43 deletions.
diff --git a/freshmaker/container.py b/freshmaker/container.py
@@ -23,7 +23,7 @@
 import re
 
 from dataclasses import dataclass, field, fields
-from typing import Any, Dict, List, Optional, Union, Tuple
+from typing import Any, Dict, List, Optional
 
 from freshmaker import conf, log
 from freshmaker.kojiservice import KojiService, KojiLookupError
@@ -322,8 +322,8 @@ def resolve_published(self, pyxis_instance: PyxisGQL):
 
 
 class ContainerAPI:
-    def __init__(self, pyxis_graphql_url: str, pyxis_cert: Union[str, Tuple[str]]):
-        self.pyxis = PyxisGQL(url=pyxis_graphql_url, cert=pyxis_cert)
+    def __init__(self, pyxis_graphql_url: str):
+        self.pyxis = PyxisGQL(url=pyxis_graphql_url)
 
     def find_auto_rebuild_containers_with_older_rpms(
         self,

diff --git a/freshmaker/pyxis_gql.py b/freshmaker/pyxis_gql.py
@@ -21,37 +21,22 @@
 
 from functools import cached_property
 
-from gql import gql, Client
+from gql import Client, gql
 from gql.dsl import DSLQuery, DSLSchema, dsl_gql
 from gql.transport.requests import RequestsHTTPTransport
+from requests_kerberos import OPTIONAL, HTTPKerberosAuth
 
 
 class PyxisGQLRequestError(RuntimeError):
     pass
 
 
-class RequestsHTTPTransportWithCert(RequestsHTTPTransport):
-    """A modified requests transport to support certificate authentication"""
-
-    def __init__(self, *args, **kwargs):
-        self.cert = kwargs.pop("cert", None)
-        if self.cert is None:
-            raise RuntimeError("Missing required keyword argument: cert")
-        super().__init__(*args, **kwargs)
-
-    def connect(self):
-        super().connect()
-        self.session.cert = self.cert
-
-
 class PyxisGQL:
-    def __init__(self, url, cert):
+    def __init__(self, url):
         """Create authenticated Pyxis GraphQL session"""
-        transport = RequestsHTTPTransportWithCert(
-            url=url,
-            retries=3,
-            cert=cert,
-        )
+        pyxis_krb_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL, force_preemptive=True)
+        transport = RequestsHTTPTransport(url=url, retries=3, auth=pyxis_krb_auth)
+
         # Fetch the schema from the transport using an introspection query
         self._client = Client(transport=transport, fetch_schema_from_transport=True)
 

diff --git a/tests/test_container.py b/tests/test_container.py
@@ -195,9 +195,7 @@ def test_find_auto_rebuild_containers_with_older_rpms():
     rpm_nvrs = ["foo-10-123.el8"]
     content_sets = ["rhel-8-for-x86_64-baseos-rpms", "rhel-8-for-aarch64-baseos-rpms"]
 
-    container_api = ContainerAPI(
-        pyxis_graphql_url="graphql.pyxis.local", pyxis_cert=("/path/to/crt", "/path/to/key")
-    )
+    container_api = ContainerAPI(pyxis_graphql_url="graphql.pyxis.local")
     containers = container_api.find_auto_rebuild_containers_with_older_rpms(
         rpm_nvrs=rpm_nvrs, content_sets=content_sets, published=True
     )
@@ -351,7 +349,7 @@ def test_resolve_image_build_metadata():
     ]
     flexmock(KojiService).should_receive("get_task_request").and_return(task_params)
 
-    pyxis_gql = PyxisGQL(url="graphql.pyxis.local", cert=("/path/to/crt", "/path/to/key"))
+    pyxis_gql = PyxisGQL(url="graphql.pyxis.local")
 
     images = pyxis_gql.find_images_by_nvr("foobar-container-v0.13.0-12.1582340001")
     container = Container.load(images[0])
@@ -533,7 +531,7 @@ def test_resolve_image_compose_sources():
     ]
     flexmock(RetryingODCS).should_receive("get_compose").and_return(odcs_composes).one_by_one()
 
-    pyxis_gql = PyxisGQL(url="graphql.pyxis.local", cert=("/path/to/crt", "/path/to/key"))
+    pyxis_gql = PyxisGQL(url="graphql.pyxis.local")
 
     images = pyxis_gql.find_images_by_nvr("foobar-container-v0.13.0-12.1582340001")
     container = Container.load(images[0])
@@ -715,9 +713,7 @@ def test_resolve_content_sets():
         odcs_composes
     ).one_by_one()
 
-    pyxis_gql = PyxisGQL(
-        url="graphql.pyxis.local", cert=("/path/to/crt", "/path/to/key")
-    )
+    pyxis_gql = PyxisGQL(url="graphql.pyxis.local")
 
     images = pyxis_gql.find_images_by_nvr("foobar-container-v0.13.0-12.1582340001")
     container = Container.load(images[0])
@@ -900,9 +896,7 @@ def test_resolve_published():
         odcs_composes
     ).one_by_one()
 
-    pyxis_gql = PyxisGQL(
-        url="graphql.pyxis.local", cert=("/path/to/crt", "/path/to/key")
-    )
+    pyxis_gql = PyxisGQL(url="graphql.pyxis.local")
 
     images = pyxis_gql.find_images_by_nvr("foobar-container-v0.13.0-12.1582340001")
     container = Container.load(images[0])

diff --git a/tests/test_pyxis_gql.py b/tests/test_pyxis_gql.py
@@ -66,7 +66,7 @@ def test_pyxis_graphql_find_repositories():
         }
     }
 
-    pyxis_gql = PyxisGQL(url="graphql.pyxis.local", cert=("/path/to/crt", "/path/to/key"))
+    pyxis_gql = PyxisGQL(url="graphql.pyxis.local")
     flexmock(Client).should_receive("execute").and_return(copy.deepcopy(result))
 
     repositories = pyxis_gql.find_repositories()
@@ -99,7 +99,7 @@ def test_pyxis_graphql_get_repository_by_registry_path():
         }
     }
 
-    pyxis_gql = PyxisGQL(url="graphql.pyxis.local", cert=("/path/to/crt", "/path/to/key"))
+    pyxis_gql = PyxisGQL(url="graphql.pyxis.local")
     flexmock(Client).should_receive("execute").and_return(copy.deepcopy(result))
 
     repository = pyxis_gql.get_repository_by_registry_path(
@@ -202,7 +202,7 @@ def test_pyxis_graphql_find_images_by_installed_rpms():
         }
     }
 
-    pyxis_gql = PyxisGQL(url="graphql.pyxis.local", cert=("/path/to/crt", "/path/to/key"))
+    pyxis_gql = PyxisGQL(url="graphql.pyxis.local")
     flexmock(Client).should_receive("execute").and_return(copy.deepcopy(result))
 
     rpm_names = ["foo"]
@@ -314,7 +314,7 @@ def test_pyxis_graphql_find_images_by_nvr():
         }
     }
 
-    pyxis_gql = PyxisGQL(url="graphql.pyxis.local", cert=("/path/to/crt", "/path/to/key"))
+    pyxis_gql = PyxisGQL(url="graphql.pyxis.local")
     flexmock(Client).should_receive("execute").and_return(copy.deepcopy(result))
 
     images = pyxis_gql.find_images_by_nvr("foobar-container-v0.13.0-12.1582340001")
@@ -402,7 +402,7 @@ def test_pyxis_graphql_find_images_by_nvrs():
         }
     }
 
-    pyxis_gql = PyxisGQL(url="graphql.pyxis.local", cert=("/path/to/crt", "/path/to/key"))
+    pyxis_gql = PyxisGQL(url="graphql.pyxis.local")
     flexmock(Client).should_receive("execute").and_return(copy.deepcopy(result))
 
     nvrs = ["foobar-container-v0.13.0-12.1582340001"]
@@ -465,9 +465,7 @@ def test_pyxis_graphql_find_images_by_names():
         }
     }
 
-    pyxis_gql = PyxisGQL(
-        url="graphql.pyxis.local", cert=("/path/to/crt", "/path/to/key")
-    )
+    pyxis_gql = PyxisGQL(url="graphql.pyxis.local")
     flexmock(Client).should_receive("execute").and_return(copy.deepcopy(result))
 
     images = pyxis_gql.find_images_by_names(["foobar-container"])