
Warn but continue when installing bot certificates with `arc install-certificate`
Closed, Resolved, Public

Description

I wish we could generate a CLI token for a bot user too, so I can perform arc conduit or other stuff from a bot.

When navigating to the bot settings, the UI says you can install with arc certificate, but that seems to be wrong advice.
Now we need a cli-[\w]{32}-ish token to do this.

There is a window, Conduit API Tokens, that generates an api-[\w]{32}-ish token that actually works but which can't be installed via arc install-certificates.
But we can edit ~/.arcrc and paste an API token instead of a CLI one! It works but isn't documented, nor easy to do for users.

Event Timeline

epriestley renamed this task from Install certificate for bot to Warn but continue when installing bot certificates with `arc install-certificate`. Aug 22 2016, 8:12 PM
epriestley added a subscriber: epriestley.

This will sort of introduce you to modifying arc.

When setting up arc as a human user, you normally run arc install-certificate. This walks you through a handshake on the web UI and saves an API token in ~/.arcrc.

When you do the handshake, you get a cli-******* ("Command Line Interface") token.

You can also generate a token explicitly in Settings → Conduit API Tokens. If you do this, you get an api-******** token.

Today, arc install-certificate rejects api-* tokens. This was intended to simplify and error-proof things, as we had a series of errors prior to the last rewrite where users just didn't read one line of simple instructions and instead made something far more complicated up which had nothing to do with what they were supposed to be doing.

A secondary consideration is that "bot" users can normally only generate api-* tokens, and these are probably better passed with --conduit-token than stored in ~/.arcrc, so anything you're doing with bot stuff is more automatable/repeatable. However, a lot of users really seem to want to put bot tokens in ~/.arcrc, so I think we should mostly give up and let them. These tokens work fine and the cli-* and api-* tokens are generally interchangeable.

To hit this issue:

  • Run arc install-certificate.
  • Pretend you can't read, and manually go to Settings → Conduit API Tokens in the web UI instead of just following the actual link you're given.
  • Generate an API token explicitly, which should have the form api-******.
  • Paste that into the prompt on the CLI.

Currently, your token will be rejected for not beginning with cli-. Instead, let's accept api- tokens but prompt the user:

You are installing a standard API token, but a CLI API token was expected. If you're writing
a script, consider passing the token at runtime with --conduit-token instead of installing it.
Install this token anyway? [y/N]

The relevant check is in ArcanistInstallCertificateWorkflow, near line 121:

if (strncmp($token, 'cli-', 4) !== 0) {
  ...

If you answer "y" to this prompt, the token should install normally and authenticated commands like arc list should work.

You can use phutil_console_confirm(...) to prompt the user with a y/n decision.
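
The behavior proposed in the comment above, sketched as an added example (not code from arcanist or from this task): cli- tokens install silently, api- tokens install only after an explicit confirmation, and anything else is rejected. The function names classify_conduit_token and should_install_token are hypothetical, the confirmation step is injected as a callable so the block runs without libphutil, and the sample tokens are constructed.

```php
<?php
// Added example; function names are hypothetical, not arcanist's own code.

function classify_conduit_token(string $token): string {
  if (strncmp($token, 'cli-', 4) === 0) {
    return 'cli';
  }
  if (strncmp($token, 'api-', 4) === 0) {
    return 'api';
  }
  return 'unknown';
}

// $confirm is any callable(string $prompt): bool. Assumption: inside arc,
// phutil_console_confirm would be passed here.
function should_install_token(string $token, callable $confirm): bool {
  switch (classify_conduit_token(trim($token))) {
    case 'cli':
      return true;
    case 'api':
      echo "You are installing a standard API token, but a CLI API token ".
        "was expected. If you're writing a script, consider passing the ".
        "token at runtime with --conduit-token instead of installing it.\n";
      return (bool)call_user_func($confirm, 'Install this token anyway?');
    default:
      throw new InvalidArgumentException(
        "Token must begin with 'cli-' or 'api-'.");
  }
}

// Constructed sample tokens (not real credentials), each paired with the
// answer the simulated user gives at the prompt.
$samples = array(
  array('cli-xxxxxxxxxxxxxxxx', false),
  array('api-xxxxxxxxxxxxxxxx', true),
  array('api-xxxxxxxxxxxxxxxx', false),
  array('not-a-token', false),
);
foreach ($samples as list($token, $answer)) {
  $label = substr($token, 0, 4).'...';  // never echo a full token
  try {
    $ok = should_install_token($token, function ($prompt) use ($answer) {
      return $answer;
    });
    echo $label.' => '.($ok ? "install\n" : "not installed\n");
  } catch (InvalidArgumentException $ex) {
    echo $label.' => rejected: '.$ex->getMessage()."\n";
  }
}
```

Declining the prompt leaves ~/.arcrc untouched, which keeps a bot's api- token out of a file on disk unless the operator explicitly chooses to store it there.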