Support http.cookiefile for Diffusion mirrors
Closed, Invalid
Public

Assigned To
None
Authored By
hach-que
Aug 25 2016, 9:29 AM
Referenced Files
F1787629: pasted_file
Aug 26 2016, 12:22 AM
F1787624: pasted_file
Aug 26 2016, 12:22 AM
F1787626: pasted_file
Aug 26 2016, 12:22 AM

Description

Google Cloud allows you to upload the source code for applications and tie it back into their debugging and error analysis tools. This is really useful because it means when you have an error in production, you can click on the error and have it take you straight to the line of code that caused the issue (and for services with Debug/Trace enabled, it allows you to debug production and trace RPC requests).

I'd like to be able to mirror a Phabricator repository to Google Cloud, but the way they authenticate is really silly.

Instead of using SSH or standard HTTP credentials, they use HTTP cookies, which apparently is a thing in Git you can configure with http.cookiefile. Their recommended setup instructions are (I've masked my actual credentials):

touch ~/.gitcookies
chmod 0600 ~/.gitcookies

git config --global http.cookiefile ~/.gitcookies

tr , \\t <<\__END__ >>~/.gitcookies
source.developers.google.com,TRUE,/,TRUE,2147483647,o,.....=......
__END__

There's no way for me to set .gitcookies from the Phabricator UI, so I'm unable to set up mirroring properly. For Diffusion, the implementation for this would probably use a libphutil temporary file and pass in -o http.cookiefile /tmpfilepath whenever performing operations on the repository (mirroring, cloning, etc.)

Event Timeline

Is there a valid technical reason for Google to work like this?

Have you asked them to provide more standard authentication?

I have no idea what the technical reasons are for Google's implementation to be like this. I don't have a support contract with them (they start at US$200 a month), so I have no way of asking for them to do something different. The options for setting up a repository in their system look like this:

pasted_file (866×589 px, 93 KB)

Normally what they ask you to do is to install the Cloud SDK, which installs a credential helper in Git that presumably manages all of this for you. They also support mirroring from GitHub or BitBucket, but they do this with OAuth so it's specifically cloning from only these services.

That said, I'm pretty sure they're doing this so they don't have to implement SSH credential or HTTP basic authentication management for Git in their application, neither of which exist right now. And given that almost anyone interacting with their services has the Cloud SDK already installed, the way they're doing it probably works for 99% of their customers already.

The way that I tried was by changing the dropdown under "Push code from a local Git repository to your Cloud repository" to "Manually generated credentials", then I clicked on "Generate and store your Git credentials":

pasted_file (252×593 px, 30 KB)

I hoped this would provide me with an SSH key, but instead after going through Google OAuth, I got this page:

pasted_file (637×1 px, 69 KB)

which is where I got stuck since I can't configure an HTTP cookie file for Phabricator's mirroring.

I want to avoid implementing things in Phabricator just because there's a low barrier to entry to ask us and we're responsive -- over time, this tends to punish us for being responsive by cluttering our codebase with cruft to work around weird decisions that other companies are making in their products.

Generally, I think if a user is making a decision to use a particular product or technology like Google Cloud, it's on them to bear the costs of that technology selection. In this case, the cost of Google support was foreseeable when you selected that technology. I really don't want to position Phabricator as "Google Support (Free Version)".

There isn't really an alternative technology choice here however - not only does AWS not have an equivalent service integration of this functionality, but using AWS for this would require using EC2 for compute, which would drastically increase (e.g. double costs) elsewhere. Azure is a pile of junk in my experience, which is why I'm avoiding that service as well.

My only option here would be to mirror the repository to GitHub and then configure Google Cloud to mirror from that. But that involves pushing repositories that have sensitive credentials in them to a completely unnecessary third-party, and I really don't want to do that for obvious reasons.

hach-que closed this task as Invalid. Edited Aug 26 2016, 1:02 AM

Oh, so for the hell of it I tried using the cookie data (it's in a username=token format) as the basic HTTP authentication credentials, and it appears to work! I have no idea why Google tries to get you to set up cookies when basic HTTP authentication works just fine.... :/
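
The observation in the last comment, as an added example that is not part of the original thread and is not Phabricator or Google code: it reads a `.gitcookies` file in the format shown in the description, refuses a file that other users can read, and splits the cookie value into a username and token. The split on the first `=`, the sample values and the function names are assumptions; the output is the key=value form that `git credential approve` reads on stdin.

```python
import os
import stat
import tempfile

# Constructed sample record: 7 tab-separated fields, as in the description above.
SAMPLE = "\t".join(["source.developers.google.com", "TRUE", "/", "TRUE",
                    "2147483647", "o", "git-user.example.com=1/CONSTRUCTED-TOKEN=="]) + "\n"

def parse_gitcookies(path):
    """Return (host, cookie_name, cookie_value) tuples from a Netscape cookie file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # readable or writable by group/other: the token is exposed
        raise PermissionError(f"{path} has mode {mode:04o}, expected 0600")
    entries = []
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.rstrip("\r\n")
            if line.startswith("#HttpOnly_"):  # curl marks HttpOnly cookies this way
                line = line[len("#HttpOnly_"):]
            if not line or line.startswith("#"):
                continue
            fields = line.split("\t")
            if len(fields) != 7:
                continue  # not a cookie record
            host, _sub, _path, _secure, _expiry, name, value = fields
            entries.append((host, name, value))
    return entries

def to_git_credential(host, cookie_value):
    """Build `git credential approve` input from a username=token cookie value."""
    # Assumption: the username ends at the first "="; the token may contain "=".
    username, sep, token = cookie_value.partition("=")
    if not (sep and username and token):
        raise ValueError("cookie value is not in username=token form")
    return f"protocol=https\nhost={host}\nusername={username}\npassword={token}\n\n"

def demo():
    """Write the constructed sample with mode 0600 and convert its first record."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gitcookies")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        host, _name, value = parse_gitcookies(path)[0]
        return to_git_credential(host, value)

if __name__ == "__main__":
    print(demo().replace("CONSTRUCTED-TOKEN==", "<redacted>"), end="")
```

Feeding the result to a credential helper keeps the token out of the remote URL and out of process arguments.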