Page MenuHomePhabricator
Create Task
Maniphest T9692

Warn but continue when installing bot certificates with `arc install-certificate`
Closed, ResolvedPublic
Actions

Description

I wish we can generate cli token for bot user too, so i can perform arc conduit or other stuff from bot.

When navigating to bot settings, the UI say you can install with arc certificate but that seems a wrong advice.
Now we need a cli-[\w]{32} ish token to do this.

There is a windows Conduit Api Token that generate api-[\w]{32}ish token that actually works but wich can't be installed via arc install-certificates.
But we can ~/.arcrc and paste an api token instead of a cli one ! It works but isn't documented, nor easy to do for users.

Revisions and Commits

rARC Arcanist
D16448rARC9e82ef979e81 Added a warning prompt if the user tries to use an API cert instead of a CLI…

Related Objects

Event Timeline

tycho.tatitscheff created this task.Nov 2 2015, 9:44 PM
tycho.tatitscheff updated the task description. (Show Details)
tycho.tatitscheff added projects: Arcanist, User Preferences.
tycho.tatitscheff added a subscriber: tycho.tatitscheff.
tycho.tatitscheff updated the task description. (Show Details)Nov 2 2015, 9:53 PM
joshuaspence added a subscriber: joshuaspence.Nov 3 2015, 8:26 AM
jithinvmohan added a subscriber: jithinvmohan.Nov 5 2015, 9:15 AM
tycho.tatitscheff mentioned this in Q254: Use arc with a bot account (Answer 287).Dec 19 2015, 4:47 PM
epriestley moved this task from Backlog to vNext on the Arcanist board.Jul 21 2016, 2:06 PM
epriestley added a project: Contributor Onboarding.Aug 22 2016, 6:26 PM
epriestley renamed this task from Install certificate for bot to Warn but continue when installing bot certificates with `arc install-certificate`.Aug 22 2016, 8:12 PM
epriestley assigned this task to jcox.Aug 22 2016, 8:25 PM
epriestley added a subscriber: epriestley.

This will sort of introduce you to modifying arc.

When setting up arc as a human user, you normally run arc install-certificate. This walks you through a handshake on the web UI and saves an API token in ~/.arcrc.

When you do the handshake, you get a cli-******* ("Command Line Interface") token.

You can also generate a token explicitly in SettingsConduit API Tokens. If you do this, you get an api-******** token.

Today, arc install-certificate rejects api-* tokens. This was intended to simplify and error-proof things, as we had a series of errors prior to the last rewrite where users just didn't read one line of simple instructions and instead made something far more complicated up which had nothing to do with what they were supposed to be doing.

A secondary consideration is that "bot" users can normally only generate api-* tokens, and these are probably better passed with --conduit-token than stored in ~/.arcrc, so anything you're doing with bot stuff is more automatable/repeatable. However, a lot of users really seem to want to put bot tokens in ~/.arcrc, so I think we should mostly give up and let them. These tokens work fine and the cli-* and api-* tokens are generally interchangeable.

To hit this issue:

  • Run arc install-certificate.
  • Pretend you can't read, and manually go to SettingsConduit API Tokens in the web UI instead of just following the actual link you're given.
  • Generate an API token explicitly, which should have the form api-******.
  • Paste that into the prompt on the CLI.

Currently, your token will be rejected for not beginning cli-. Instead, let's accept api- tokens but prompt the user:

You are installing a standard API token, but a CLI API token was expected. If you're writing
a script, consider passing the token at runtime with --conduit-token instead of installing it.
Install this token anyway? [y/N]

The relevant check is in ArcanistInstallCertificateWorkflow, near line 121:

if (strncmp($token, 'cli-', 4) !== 0) {
  ...

If you answer "y" to this prompt, the token should install normally and authenticated commands like arc list should work.

You can use phutil_console_confirm(...) to prompt the user with a y/n decision.

epriestley moved this task from Backlog to Basic on the Contributor Onboarding board.Aug 22 2016, 8:25 PM
jcox added a revision: D16448: Added a warning prompt if the user tries to use an API cert instead of a CLI cert.Aug 25 2016, 3:02 PM
tycho.tatitscheff awarded a token.Aug 25 2016, 3:17 PM
jcox closed this task as Resolved by committing rARC9e82ef979e81: Added a warning prompt if the user tries to use an API cert instead of a CLI….Aug 25 2016, 3:34 PM
jcox added a commit: rARC9e82ef979e81: Added a warning prompt if the user tries to use an API cert instead of a CLI….
Phabricator · Built by Phacility