try_api: implement /patches endpoint (bug 1979247, bug 1983216)

[shtrom]

Reimplement the /try/patches endpoint from old lando, so mach try can submit Try job to this version of Lando using the same API.

---

• repo: add is_try field (bug 1979247)
• settings: add try_api to APPLICATIONS (bug 1979247)
• create_environment_repos: add try repo in suite (bug 1986575)
• try_api: patches endpoint (bug 1979247)
• try_api: use django.test.clients (bug 2008895)
• try_api: add error handling with RFC 7807 responses
• try_api/tests: add client_post fixture
• try_api: check user permission against target_repo
• try_api: remove extra argument to logger
• utils.ninja_auth: move AccessTokenLandoOIDCAuthenticationBackend to main.auth, and rename
• CommitMap: add TRY_REPO_MAPPING to support determining where to lookup CommitMaps from
• Repo: add user_can_push method to check direct required_permission on User
• update for Repo.user_allowed
• tests: update fixtures for Try repo parameters
• create_environment_repos: disable commit message hook for try
• auth: don't create Django users on API requests
• try_api: use SCM rather than VCS in user messaging
• try_api/tests: don't embed b64 literals
• try_api: move some PatchHelper calls out of try/except

addressed + discussion

[shtrom]

Now based on #476 as it relies on the permission checking logic.

[zzzeid]

Few more changes requested. Overall looking good, main comments are around permission checking.

[shtrom]

@zzzeid all comments addressed. The permission check changes are in #476, which can be reviewed/landed independently.

I'm not sure why this PR here shows conflicts at the moment, as I think it's up-to-date with main. In any case, it'll likely need a rebasing before landing, as I suspect we'll get conflicts when applying the patches in sequence.

[zzzeid]

Looking great! Final stretch I think.

[zzzeid]

Looks good - just a bit of cleanup in src/lando/main/auth.py and I think this will be ready to land.

I think we should clean up some of this auth backend business in a separate follow up, I'll file a QoL bug for this. Ideally we'd be able to reuse this functionality as a standard auth backend.

[shtrom]

Looks good - just a bit of cleanup in src/lando/main/auth.py and I think this will be ready to land.

Ok, done 😅

I think we should clean up some of this auth backend business in a separate follow up, I'll file a QoL bug for this. Ideally we'd be able to reuse this functionality as a standard auth backend.

Yeah, Ninja diverges ever so slightly from Django auth. That said, I think the way the Token backend currently is, it should be already usable by Django. The Ninja-specific adaptation is done in ninja_auth.AccessTokenAuth.

[shtrom]

Ideally we'd be able to reuse this functionality as a standard auth backend.

Yeah, Ninja diverges ever so slightly from Django auth. That said, I think the way the Token backend currently is, it should be already usable by Django. The Ninja-specific adaptation is done in ninja_auth.AccessTokenAuth.

More on this: I think this is already the case.

• The auth.AccessTokenLandoOIDCAuthenticationBackend is a plain Django authentication backend at the moment. The fallback mechanism was not the Django auth mechanism, but just something by virtue of this code shimming the mechanism from auth: Skip OIDC flow if Bearer access_token is present (bug 1979246) mozilla/mozilla-django-oidc#551; when that PR is merged, the need for this class vanishes, and we can just use a plain auth.LandoOIDCAuthenticationBackend.
• The Ninja-specific logic is in ninja_auth.AccessTokenAuth. It does use the AccessTokenLandoOIDCAuthenticationBackend authenticator under the hood, but because ninja_auth.AccessTokenAuth requires an Authorization: bearer ... https://github.com/vitalik/django-ninja/blob/b17dcec55efa094092a965c72511cbe2d5631884/ninja/security/http.py#L26-L38, there is no chance we'd hit the fallback because we're already guaranteed to have a bearer token by the time we are in the shim, and that token is either valid, or not, in which case we'd re-throw the HTTPError.

I've removed the fallback for now, but I think this is what would make the auth backend less standard, as it would now only allow Token-based auth... Though I think that I now see where you're going: do you mean to aim for dedicated auth backends for token vs. OIDC flow, rather than one implementing both, so we can mix and match depending on need?

In a way, that's something that would sit better in the mozilla-django-oidc lib, but in a different way than how I implemented it (or maybe very much in the current state of the auth.AccessTokenLandoOIDCAuthenticationBackend) We do retain the fact that the LandoOIDCAuthenticationBackend has the post-user creation hooks, that would need to be shared between the two classes.

Anyway, I'm just rambling at this point, and trying to capture my understanding somewhere. Let's chat about it next time we catch up!

[zzzeid]

lgtm! (with a couple of nits)

[shtrom]

@zzzeid I updated AccessTokenLandoOIDCAuthenticationBackend as per your suggestion, and I'm testing in develop. I'll merge this tomorrow.

[shtrom]

As part of rebasing this to avoid conflicts, I've managed to cleanly separate

• scm: add SCMType enum to helpers

into its own PR: #945

[shtrom]

Pfiou. Rebased on main, with the SCMType logic split out (and landed) to #945, and the line-ending fix for generate_requirements.py split out to #947.

diff from the force-push: https://github.com/mozilla-conduit/lando/compare/03c4ef2be7bfa79219f5d102329b77c3c3b97e63..e51e03fe56fb1ef056b7f47fb67e9421035c2d5c

[shtrom]

Pushing one big squashed commit.

[shtrom]

rebased on main

[lando-prod-mozilla]

Pull request closed by commit a9f2b20