test-infra: Deck OAuth Authentication not working with Apps Auth enabled

What happened:

I followed the getting started guide (setup prow using Apps Auth, ref https://github.com/kubernetes/test-infra/issues/10423). After that, I followed the OAuth setup guide for enabling the PR status page (created a GitHub OAuth App for that).

When navigating to the PR status page, after successfully authorizing on the GitHub page, deck panics on /github-login/redirect with:

{"client":"github","component":"deck","file":"prow/github/client.go:889","func":"k8s.io/test-infra/prow/github.(*client).log","level":"info","msg":"App()","severity":"info","subcomponent":"oauth","time":"2021-10-01T21:47:26Z"}
2021/10/01 21:47:26 http: panic serving 100.96.0.14:59986: runtime error: invalid memory address or nil pointer dereference
goroutine 367736 [running]:
net/http.(*conn).serve.func1(0xc000e0c6e0)
	GOROOT/src/net/http/server.go:1824 +0x153
panic(0x1ef7e60, 0x332f350)
	GOROOT/src/runtime/panic.go:971 +0x499
k8s.io/test-infra/prow/github.(*appsRoundTripper).addAppAuth(0xc0006aac60, 0xc000918900, 0x4)
	prow/github/app_auth_roundtripper.go:86 +0x39f
k8s.io/test-infra/prow/github.(*appsRoundTripper).RoundTrip(0xc0006aac60, 0xc000918900, 0xc0006aac60, 0xc04dfe79addf8d5c, 0xf38be16f946e)
	prow/github/app_auth_roundtripper.go:70 +0x5b
net/http.send(0xc000918800, 0x25327c0, 0xc0006aac60, 0xc04dfe79addf8d5c, 0xf38be16f946e, 0x3359700, 0xc0001bcc98, 0xc04dfe79addf8d5c, 0x1, 0x0)
	GOROOT/src/net/http/client.go:251 +0x454
net/http.(*Client).send(0xc00075bb90, 0xc000918800, 0xc04dfe79addf8d5c, 0xf38be16f946e, 0x3359700, 0xc0001bcc98, 0x0, 0x1, 0xc0003e72d0)
	GOROOT/src/net/http/client.go:175 +0xff
net/http.(*Client).do(0xc00075bb90, 0xc000918800, 0x0, 0x0, 0x0)
	GOROOT/src/net/http/client.go:717 +0x45f
net/http.(*Client).Do(0xc00075bb90, 0xc000918800, 0xc001c2c218, 0x1, 0x1)
	GOROOT/src/net/http/client.go:585 +0x35
k8s.io/test-infra/prow/github.(*client).doRequest(0xc00075bec0, 0x25707a0, 0xc000058340, 0x21ed02e, 0x3, 0xc0008f2588, 0x12, 0x0, 0x0, 0x0, ...)
	prow/github/client.go:1172 +0x5f9
k8s.io/test-infra/prow/github.(*client).requestRetryWithContext(0xc00075bec0, 0x25707a0, 0xc000058340, 0x21ed02e, 0x3, 0x21ed65a, 0x4, 0x0, 0x0, 0x0, ...)
	prow/github/client.go:1033 +0x1c6
k8s.io/test-infra/prow/github.(*client).requestRawWithContext(0xc00075bec0, 0x25707a0, 0xc000058340, 0xc001c2d2c8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
	prow/github/client.go:990 +0x185
k8s.io/test-infra/prow/github.(*client).requestWithContext(0xc00075bec0, 0x25707a0, 0xc000058340, 0xc001c2d2c8, 0x1d7fec0, 0xc001386ea0, 0xc000a6e550, 0xc0012f6840, 0xc001c2d2d0)
	prow/github/client.go:968 +0x50
k8s.io/test-infra/prow/github.(*client).GetAppWithContext(0xc00075bec0, 0x25707a0, 0xc000058340, 0x0, 0x0, 0x0)
	prow/github/client.go:4622 +0x1a5
k8s.io/test-infra/prow/github.(*client).getUserData(0xc00075bec0, 0x25707a0, 0xc000058340, 0xc001c2d4f0, 0x15b7e54)
	prow/github/client.go:1243 +0x6b
k8s.io/test-infra/prow/github.(*client).BotUser(0xc00075bec0, 0x0, 0x0, 0x0)
	prow/github/client.go:1286 +0xf0
k8s.io/test-infra/prow/githuboauth.(*authenticatedUserIdentifier).LoginForRequester(0xc0004a0460, 0x21eed40, 0x5, 0xc0014f028d, 0x28, 0x0, 0x0, 0x0, 0xc0019aa8a0)
	prow/githuboauth/githuboauth.go:83 +0x82
k8s.io/test-infra/prow/githuboauth.(*Agent).HandleRedirect.func1(0x256aab0, 0xc000198000, 0xc000918200)
	prow/githuboauth/githuboauth.go:294 +0xc22
net/http.HandlerFunc.ServeHTTP(0xc001107100, 0x256aab0, 0xc000198000, 0xc000918200)
	GOROOT/src/net/http/server.go:2069 +0x44
net/http.(*ServeMux).ServeHTTP(0xc0004d0f80, 0x256aab0, 0xc000198000, 0xc000918200)
	GOROOT/src/net/http/server.go:2448 +0x1ad
k8s.io/test-infra/prow/metrics.traceHandlerWithCustomTimer.func1.1(0x256ad50, 0xc00053e2a0, 0xc000918200)
	prow/metrics/http.go:143 +0x123
net/http.HandlerFunc.ServeHTTP(0xc001107180, 0x256ad50, 0xc00053e2a0, 0xc000918200)
	GOROOT/src/net/http/server.go:2069 +0x44
github.com/gorilla/csrf.(*csrf).ServeHTTP(0xc0004dc180, 0x256ad50, 0xc00053e2a0, 0xc000918100)
	external/com_github_gorilla_csrf/csrf.go:297 +0x542
net/http.serverHandler.ServeHTTP(0xc00079e000, 0x256ad50, 0xc00053e2a0, 0xc000276e00)
	GOROOT/src/net/http/server.go:2887 +0xa3
net/http.(*conn).serve(0xc000e0c6e0, 0x2570810, 0xc002156280)
	GOROOT/src/net/http/server.go:1952 +0x8cd
created by net/http.(*Server).Serve
	GOROOT/src/net/http/server.go:3013 +0x39b
{"client":"githuboauth","component":"deck","error":"oauth2: server response missing access_token","file":"prow/githuboauth/githuboauth.go:318","func":"k8s.io/test-infra/prow/githuboauth.(*Agent).serverErrorAndPrint","level":"error","msg":"Error Exchange code for token.","severity":"error","time":"2021-10-01T21:47:27Z"}

What you expected to happen:

deck to be able to identify the authenticated user (via OAuth App) also if Apps Auth is enabled.

How to reproduce it (as minimally and precisely as possible):

Follow the getting started guide (setup prow using Apps Auth) and then the OAuth setup guide.

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 17 (16 by maintainers)

Most upvoted comments

yeah it ended up being a lot more involved and nuanced than it initially appeared, although the resulting code change was rather simplistic.

+1
smg247 on Apr 21, 2022

/cc @smg247

I think this is the issue you were hitting when setting up the PoC deck instance with GH apps

+1
petr-muller on Jan 11, 2022
Read more comments on GitHub
← test-infra: crier failed to report job after pod pending timeout, no commit found
test-infra: Delete ancient jobs which have never passed →