Read a Bitbucket resource using curl with Access Keys - rest

I configured my Bitbucket repo to be read-only accessible via REST API publicly. There are some JSON configuration files that I need to read the content using GET HTTP method.
https://<bitbucket-repo-url>/config.json?raw
I want to switch to a secure method using Access Keys.
I want to try to test this using curl, but I don't know the arguments on including the access keys. Can anyone help?

Access keys are for SSH only. They will not work with any HTTP-based utilities (like curl) or endpoints (like the one you list in your example).
Is this Bitbucket Server (the on-premise version)? If so, https://confluence.atlassian.com/bitbucketserver/permanently-authenticating-with-git-repositories-776639846.html?_ga=2.188793826.854670382.1505151098-758028192.1431549295 may be helpful for you.

Related

Access to read module twin data via Azure IoT Hub's APIs?

I'd like to be able to pull an IoT Edge device's module twin via an HTTPS GET request just like the Azure Portal does. In the portal, I see this firing...
https://my-hub.azure-devices.net/twins/my-device/modules/my-module?api-version=2020-09-30&_=164130947416
...and returning JSON. I'd like to do the same outside of the portal (like in Postman or something).
Obviously, by being logged in to the portal, I have credentials that permit that.
I've tried creating a Shared Access Signature and using it as a header like so...
"Authorization": "SharedAccessSignature sr=my-hub.azure-devices.net&sig=...
...but I get back ErrorCode:IotHubUnauthorizedAccess;Unauthorized
Am I missing something? Maybe a step where I use that SAS to get some additional credential or something?
Or maybe I can't create a SAS that works with any device-id?
In the end, I'd just like to be able to GET the reported properties for a module twin from any of my IoT Hub devices. No setting, no subscribing.
The API you're referring to is documented here. You're doing the right thing, but perhaps your method of creating a Shared Access Signature isn't working. One easy way to create a valid SAS token is by using the az cli command: az iot hub generate-sas-token -n <iot-hub-name>. By default it will create a token for the iothubowner policy, which should give you access to the module twin.
I used Postman, with the Authorization header as you mentioned to check the twin of my device $edgeHub module:
https://<my-iot-hub>.azure-devices.net/twins/<device-id>/modules/$edgeHub?api-version=2020-05-31-preview

How can i validate links within a private github repository

Background
We are writing some documentation for our support team.
We want to include links to files that are stored in private GitHub repositories.
We do not want the documentation to become stale if somebody refactors the code in the private GitHub repositories, so instead I am setting up a CI job that parses the documentation (with jsoup if you are interested) and finds all the links.
Once we have all the links we start checking them.
NOTE: we have written a custom link checker, because one of the critical set of links we have is for our monitoring solution, and sadly (also understandably) the SaaS we are using returns 404's for any unauthenticated requests on the URLs of the alerts.
The SaaS itself uses a 2FA to access the Web UI, so what we have ended up doing is parsing the URLs and then constructing an equivalent call to the SaaS API to validate the link.
For the monitoring system we use, this is easy: all the URLs are the same format.
Question
Can we validate a random GitHub URL as valid (ideally using only curl - I can translate to my chosen HTTP client from there, and curl gives a more generic answer) using a Personal Access Token? And if so, how?
The URLs could be:
simple direct to repo URLs: https://github.com/<org>/<repo>
direct to branch URLs: https://github.com/<org>/<repo>/tree/<branch>
file URLs: https://github.com/<org>/<repo>/blob/<path/to/file>
diff URLs: https://github.com/<org>/<repo>/compare/[<branch>...]<branch>
other URLs that are based on the presence of the repo and do not vary in child path, e.g. https://github.com/<org>/<repo>/pulls, https://github.com/<org>/<repo>/settings/collaboration, etc
plus who knows what other URLs people will add within the docs...
Things I have tried that didn't work
HTTP Basic authentication with the Personal Access Token as the password, e.g.
curl -I -u stephenc:2....token.redacted....b https://github.com/stephenc/<repo-name>
HTTP/1.1 404 Not Found
HTTP Bearer authentication, e.g.
curl -I -H "Authorization: bearer 2....token.redacted....b" https://github.com/stephenc/<repo-name>
HTTP/1.1 404 Not Found
It looks like it works for some URLs (no idea which ones).
I can access curl -u agentgonzo:$TOKEN https://raw.githubusercontent.com/agentgonzo/repo/path/to/file using the API Token as my username, but the same doesn't work on https://github.com URLs. Not sure if this will help you or not.
I got an answer from GitHub Support: No
Since a personal access token won't work for GitHub web UI URLs, no, there isn't a way to verify all possible GitHub private repo URLs without making API calls in some cases.

Access raw file on GitHub Enterprise without user having to create token

I have a repo with shell script and want to put single command to run it in readme file, like:
bash <(curl -L <path_to_raw_script_file>)
Raw file urls for GitHub Enterprise look like this: https://raw.github.ibm.com/<user>/<repo>/<branch>/<path_to_file>?token=<token>, where <token> is unique to the file and generated when accesing it via Raw button in repository or with ?raw=true suffix in url.
The problem is, tokens get invalidated after few days/when file is updated and I wouldn't like to update mentioned command each time token becomes invalid. Is there a way to deal with it?
I know there is a way for user to create personal token and use it to login to github from machine he's runnning script from, but I wanted to keep it as simple as possible.
I was thinking of something like auto-generating that raw file url (since user reading the readme file on github surely does have access to the script located in the same repo), but I am not sure if that's possible.
No input, one-liner.
You can get this link by clicking the raw button in the GHE UI, just remove the token query param at the end.
curl -sfSO https://${USER}:${TOKEN}#${GHE_DOMAIN}/raw/${REPO_OWNER}/${REPO_NAME}/${REF}/${FILE}
I believe you'll always need the tokens - however if you'd like to automate the process you can dynamically request tokens associated with a github Oauth app and not associated with any user profile.
https://developer.github.com/enterprise/2.13/apps/building-oauth-apps/authorizing-oauth-apps/
I know there is a way for user to create personal token and use it to login to GitHub from machine he's runnning script from, but I wanted to keep it as simple as possible.
Actually, using GCM (Git Credential Manager); the PAT will be provided when accessing the raw.xxx URL.
But only with GCM v2.0.692 which supports those URLs. See PR 599.
Fix GitHub Enterprise API URL for raw source code links
This is a simple fix of #598 for GitHub Enterprise instances that use a raw. hostname prefix for raw source code links.
I've verified this fix locally by swapping out the GitHub.dll that is used by Visual Studio.
So it now checks for 'raw.' in the hostname and remove it to get the correct GHE API URL.

Reading/writing to Google Storage from Google Compute Windows 2008 VM

I have a Google Compute VM (LAMP) webserver set up to copy files to a Google Storage Bucket, which then need to be accessed (read and write) by a program on a Google Compute VM (Windows 2008). I can't seem to find any documentation about how a Google Compute Engine Windows VM can access storage buckets.
Is there a way this is possible? Thanks.
I'm doing the same thing, but not with a windows VM, but I think the principle is the same.
First you need to allow Project Access for your VM from the Google Cloud Console https://console.developers.google.com/project, see the screenshot below:
Once you've done this you need to call the metadata server to get an access token from your program. You need to make a HTTP call to the metadata server, here is an example from the docs (https://cloud.google.com/compute/docs/authentication) using curl, bear in mind when programming this you need to also provide the header "Metadata-Flavor: Google":
$ curl "http://metadata/computeMetadata/v1/instance/service-accounts/default/token" \
-H "Metadata-Flavor: Google"
{
"access_token":"ya29.AHES6ZRN3-HlhAPya30GnW_bHSb_QtAS08i85nHq39HE3C2LTrCARA",
"expires_in":3599,
"token_type":"Bearer"
}
You obviously need to code this HTTP call and the parsing of the JSON data in whichever programming language you are using for your program and extract the "access_token", based on the "expires_in" field you might also need to implement a mechanism to fetch a new token once it expires. You can then use the Google supplied cloud storage client library (https://cloud.google.com/storage/docs/json_api/v1/libraries) for your programming language and use the access token above for authenticating calls to cloud storage. I use Java and the Cloud storage class in the API library has this method that can be used:
.setOauthToken("blah")
You can mount the drive with CloudBerry. I would like to find a better way to do it though using only Google Cloud. Please let me know if you find anything better.

Get pull requests for private github repository via API

I want to programmatically get a list of open pull requests for a specific private github repository - ours, as it turns out. I assume I can only do this via the github api (http://developer.github.com/) - feel free to tell me there's another way - but I can't figure out whether the API allows this, either. The given API calls seem to assume the target repository is public, which ours is not. I would have thought there would be a way to authenticate as a user of the given repository via ssh key (the same way committing works), but I don't see anything to that effect. All in all I'm puzzled and not at all sure I can actually do this. Am I missing a crucial part of the documentation, or is there possibly some alternative I can leverage?
Yes, the GitHub Pull Requests API supports private repos also. You just need to authenticate or you will get an error saying that the repository does not exist.
Example using curl and basic authentication:
curl -u "username" https://api.github.com/repos/:user/:repo/pulls
This will then prompt you for your password and return a list of pull requests as described in the API docs.
Also check out the docs on authentication: http://developer.github.com/v3/#authentication