Support GitLab secure files as source of authentication
Needed for https://gitlab.teklia.com/workers/image-captioning/-/merge_requests/4/diffs#note_209317
Refs https://redmine.teklia.com/issues/4643
The goal is to use GitLab secure files as a source for Arkindex authentication, instead of using a local file in ~/.config/arkindex/cli.yaml.
The behaviour will be triggered by a new optional CLI flag --gitlab-secure-file=<NAME>, where <NAME> is the secure file's name we need to retrieve and parse.
To do so, the CLI will need to make a sequence of 2 REST API calls towards the GitLab instance:
- first you'll need to check that these env variables are set:
  - CI (should be true, but it just needs to be set to something)
  - CI_API_V4_URL (should be https://gitlab.teklia.com/api/v4 for our own instance)
- List current project secure files
  - the project ID is known as the CI_PROJECT_ID env variable
  - you'll need to iterate over results until you find the secure file with name matching <NAME> from CLI
- Once you have a match, use the secure file ID to download it
  - project id is the same
  - secure id is provided by previous call's match
Regarding authentication:
- the CI_JOB_TOKEN environment variable is supposed to NOT work, but this would warrant some test (just trying to list the secure files in CI with
  curl -H "Private-Token: $CI_JOB_TOKEN" https://gitlab.teklia.com/api/v4/projects/<ID>/secure_files
  could work ❓)
- otherwise you simply need to add another CLI option --gitlab-api-token=<TOKEN>, which we will be able to use in CI with some specific tokens from a real user (this would also allow you to easily test the calls while developing).
To test/develop, you should do something like:
export CI=true
export CI_API_V4_URL=https://gitlab.teklia.com/api/v4
elements -p prod --gitlab-secure-file=arkindex-cli.yaml list --corpus <private_corpus_id> --type page
A good place to inject the profiles is directly in the Profiles class initialization: instead of loading from file or env, load from GitLab in that config.
If the option is specified, but no secure file is available or it is incompatible (not in YAML, not the correct structure), simply crash with an error message.
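A sketch of the retrieval sequence described above, added here as an example and not taken from the arkindex-cli code base. The names fetch_secure_file, http_get and SecureFileError and the HTTPS check are assumptions; the two endpoints are GitLab's project secure files API, and YAML parsing and profile loading are left to the caller.

```python
import json
import os
import urllib.request


class SecureFileError(Exception):
    """Raised when the secure file cannot be retrieved; the CLI should exit on it."""


def http_get(url, token):
    # PRIVATE-TOKEN is the header GitLab expects for a user's access token.
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def fetch_secure_file(name, token, env=os.environ, get=http_get):
    """Return the raw bytes of the project secure file called `name`."""
    # Step 1: only run inside GitLab CI, where these variables are set.
    missing = [v for v in ("CI", "CI_API_V4_URL", "CI_PROJECT_ID") if not env.get(v)]
    if missing:
        raise SecureFileError(f"Missing environment variables: {', '.join(missing)}")
    # Assumption (hardening not stated in the issue): never send the token in clear text.
    if not env["CI_API_V4_URL"].startswith("https://"):
        raise SecureFileError("Refusing to send the API token over a non-HTTPS URL")
    base = f"{env['CI_API_V4_URL'].rstrip('/')}/projects/{env['CI_PROJECT_ID']}/secure_files"

    # Step 2: the listing is paginated, so walk pages until the name matches.
    page, match = 1, None
    while match is None:
        try:
            files = json.loads(get(f"{base}?per_page=100&page={page}", token))
        except (OSError, ValueError) as exc:  # HTTP/network error or invalid JSON
            raise SecureFileError(f"Cannot list secure files: {exc}") from None
        if not isinstance(files, list) or not files:
            raise SecureFileError(f"No secure file named {name!r} in this project")
        match = next((f for f in files if isinstance(f, dict) and f.get("name") == name), None)
        page += 1

    # Step 3: download by ID; int() keeps anything unexpected out of the URL path.
    try:
        return get(f"{base}/{int(match['id'])}/download", token)
    except (OSError, KeyError, TypeError, ValueError) as exc:
        raise SecureFileError(f"Cannot download secure file {name!r}: {exc}") from None
```

Error messages carry the file name and the HTTP error only, never the token, so they are safe to print in CI job logs.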