Hey @jflory7 could you assign the task to me?

@alishapapun this task is still on requirement gathering phase as @jflory7 has already mentioned

Additionally, I'm not sure if this should altogether replace specifying a name/email manually or if both options should be available. This needs to be discussed during final requirements gathering before the summer work begins.

So for now there is need to analyze the requirements, and discuss the actual scope of this implementation. Only then, this might be up for development.

@alishapapun this task is still on requirement gathering phase as @jflory7 has already mentioned

Additionally, I'm not sure if this should altogether replace specifying a name/email manually or if both options should be available. This needs to be discussed during final requirements gathering before the summer work begins.

So for now there is need to analyze the requirements, and discuss the actual scope of this implementation. Only then, this might be up for development.

Sure ! Thats sounds good.

Correct. This change needs more research first before writing code. Specifically, a useful next step that anyone could do is to look for resources on how to query the Fedora FAS API. I know there is something out there for this, but I'm not sure where it is. I suggest trying to search online for something, or if you don't have luck with that, asking on the Fedora Infrastructure mailing list. You can share your findings as a comment in this ticket.

The API that deals with the integration FAS into an application is python-fedora. The docs are quiet self explanatory and helpful for the setup. (Since the setup requires few dependencies, creation of virtual environment will be highly recommended).Before using the data regarding the API, we need to authenticate by passing our username and password in the script. Regarding the methods to get the email from username, the process is not nicely documented. With some good research, I was able to find exactly what we need regarding this. In a python file (let it be checking.py present in root directory of cloned repo) write this:-

from fedora.client.fas2 import AccountSystem
from fedora.client import AuthError

fas = AccountSystem(username='Your-FAS-username', password='Your-FAS-Password')
uname = input("Enter username: ")

t = fas.person_by_username(uname)
print(t['email'])

I hope @jflory7 this much information would suffice to claim the task? Or Do I need some more information?
(Let me know if anyone faces any issue regarding this, would be happy to help)

The API that deals with the integration FAS into an application is python-fedora. The docs are quiet self explanatory and helpful for the setup.

Great! I knew we had something for this. :thumbsup:

(Since the setup requires few dependencies, creation of virtual environment will be highly recommended)

I think we can update the dependencies in the requirements/ files and make sure the Docker container is built with the required dependencies too.

Before using the data regarding the API, we need to authenticate by passing our username and password in the script.

Thanks for researching this. It makes sense. I wonder though, can we use the existing authentication method for this? We already ask someone to log into FAS to send a message. If we could use an existing token to authenticate when searching the database, that would be preferred.

I haven't looked into this too much yet though. Does my question make sense here?

I hope @jflory7 this much information would suffice to claim the task? Or Do I need some more information?

Sure! This is an excellent start. I'll go ahead and assign the issue to you. :white_check_mark:

The API that deals with the integration FAS into an application is python-fedora. The docs are quiet self explanatory and helpful for the setup.

Great! I knew we had something for this. 👍

(Since the setup requires few dependencies, creation of virtual environment will be highly recommended)

I think we can update the dependencies in the requirements/ files and make sure the Docker container is built with the required dependencies too.

Before using the data regarding the API, we need to authenticate by passing our username and password in the script.

Thanks for researching this. It makes sense. I wonder though, can we use the existing authentication method for this? We already ask someone to log into FAS to send a message. If we could use an existing token to authenticate when searching the database, that would be preferred.
I haven't looked into this too much yet though. Does my question make sense here?

I hope @jflory7 this much information would suffice to claim the task? Or Do I need some more information?

Sure! This is an excellent start. I'll go ahead and assign the issue to you. ✅

While accessing the database to give details like name and email from username, we need credentials like fas-username and fas-password. Now diving deeper into the python-fedora package I found something, but I am unsure if that could help us . Can you help me to have a deeper insight @jflory7 ?

While accessing the database to give details like name and email from username, we need credentials like fas-username and fas-password. Now diving deeper into the python-fedora package I found something, but I am unsure if that could help us . Can you help me to have a deeper insight @jflory7 ?

Interesting, I'm not sure what client_id and client_secret represent. I imagine there is a clean way to authenticate with OpenID / SAML2 via Ipsilon and use that login to do something like search FAS. I would guess Pagure has implemented this somewhere for assigning tickets / PRs.

I will try to dig deeper and/or find some other Fedora ID management experts to offer pointers.

While accessing the database to give details like name and email from username, we need credentials like fas-username and fas-password. Now diving deeper into the python-fedora package I found something, but I am unsure if that could help us . Can you help me to have a deeper insight @jflory7 ?

Interesting, I'm not sure what client_id and client_secret represent. I imagine there is a clean way to authenticate with OpenID / SAML2 via Ipsilon and use that login to do something like search FAS. I would guess Pagure has implemented this somewhere for assigning tickets / PRs.
I will try to dig deeper and/or find some other Fedora ID management experts to offer pointers.

I was also unsure of what client_id and client_secret represent @jflory7 . Hoping to get a positive response soon :)

I was also unsure of what client_id and client_secret represent @jflory7 . Hoping to get a positive response soon :)

Perhaps @abompard @cverna or @amitosh could clarify what best practice is on how python-fedora can be used with Ipsilon / FAS authentication, since they were recent committers.

You should be able to get some inspiration from:
https://github.com/fedora-infra/supybot-fedora/blob/develop/plugin.py#L172
https://github.com/fedora-infra/supybot-fedora/blob/develop/plugin.py#L491

Edit

This will not work since you want to use OpenID Connect, the client_id, client_secret are used to register an application to the OpenID provider Ipsilon in our case.
I don't think the fas client we have in python-fedora supports OpenID Connect authentication :( so you might need a FAS bot account for happiness package to authenticate with the FAS client.
In
I would open an infra ticket to get some advice on how to proceed.

• I have thought of another way to implement this. As we know for using python-fedora module its only necessary to authenticate that the person is a genuine account holder of fedora having fas-id(username) and password. Its not necessary that the person who logs into to send some happiness should be using his/her username and id to make it happening.
• So for local setup we can make a file where the contributor of the repository will fill in the credentials for username and password( in a file thus making it a flat file configuration) , and code will be changed such that it can read the file and fill in username and password.
• Then its ensured that the file is file is not pushed at every commit and making changes in the .gitignore file.
• In case of development, the authorised administrator can fill their verified username and password,(during automation with ansible) which might solve the problem without much issue.
  Ant feedback from @jonatoni, @cverna, @abompard and @amitosh would be highly helpful .

To implement "Add option to send Happiness Packet to specific FAS account" I have made a json file (fas-admin-details.json) where the username and password is entered and the search functionality works. (Admin-username and Admin-password is the username and password of any authenticated fas-user and their fas-id). I made a PR #196 regarding this. Could you have a look into this @jflory7 ?

I think you could just add to the settings the fas username and fas password to be used. We have a dummy fas account that is used in the infrastructure.

See for example : https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/badges/backend/templates/badges-awarder.py#n40

I think you could just add to the settings the fas username and fas password to be used. We have a dummy fas account that is used in the infrastructure.
See for example : https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/badges/backend/templates/badges-awarder.py#n40

Thanks @cverna for the suggestion. Could you help me how I could incorporate that in my code?

You should probably add something in the settings (https://pagure.io/fedora-commops/fedora-happiness-packets/blob/master/f/happinesspackets/settings) for example for the dev environment in dev.py something like

FAS_USERNAME=os.getenv("FAS_USERNAME")
FAS_PASSWORD=os.getenv("FAS_PASSWORD")

in production these would look like the ansible link I shared.

Then in the code you can use django settings, something like

from django.conf import settings

settings.FAS_USERNAME
settings.FAS_PASSWORD

Hope that helps

You should probably add something in the settings (https://pagure.io/fedora-commops/fedora-happiness-packets/blob/master/f/happinesspackets/settings) for example for the dev environment in dev.py something like
FAS_USERNAME=os.getenv("FAS_USERNAME")
FAS_PASSWORD=os.getenv("FAS_PASSWORD")

in production these would look like the ansible link I shared.
Then in the code you can use django settings, something like
from django.conf import settings

settings.FAS_USERNAME
settings.FAS_PASSWORD

Hope that helps

@cverna I have added the changes in base.py what you asked. For making it functional for local development I have made a flat file configuration which reads the username and password from fas-admin-details.json and reads them in dev.py. Do I need to change anything else?

@cverna the fedoraDummyUser and fedoraDummyUserPassword that you asked to used are actually variables and their values are stored some where( for which I might be needing to import some module or explicitly use the values which are still unknown and its hard to debug in files in ansible. Could you help me get a better insight of how to get the values ?

The fedoraDummyUser and fedoraDummyUserPassword are secrets managed in the fedora infrastructure ansible secret repository. When deploying a application with ansible, these variables would be replaced by the actual secrets.

I just noticed that fedora-happiness-packets is not managed in ansible, which means that before being able to use these ansible variables you need to have a playbook that will install and deploy happiness packet using ansible.

For now you can focus on using the dev.py settings and use your own FAS credentials for testing. Then maybe you could look at getting an ansible playbook to deploy this application in our infrastructure.

@jflory7 do not that the infra team will retire the infracloud this year we are currently working at providing a replacement but the fact that happiness-packets deployment is not managed in ansible means that when the infracloud is retired and the VMs are killed you will not have an easy way to redeploy this application.

@cverna the fedoraDummyUser and fedoraDummyUserPassword that you asked to used are actually variables and their values are stored some where( for which I might be needing to import some module or explicitly use the values which are still unknown and its hard to debug in files in ansible. Could you help me get a better insight of how to get the values ?

The fedoraDummyUser and fedoraDummyUserPassword are secrets managed in the fedora infrastructure ansible secret repository. When deploying a application with ansible, these variables would be replaced by the actual secrets.
I just noticed that fedora-happiness-packets is not managed in ansible, which means that before being able to use these ansible variables you need to have a playbook that will install and deploy happiness packet using ansible.
For now you can focus on using the dev.py settings and use your own FAS credentials for testing. Then maybe you could look at getting an ansible playbook to deploy this application in our infrastructure.
@jflory7 do not that the infra team will retire the infracloud this year we are currently working at providing a replacement but the fact that happiness-packets deployment is not managed in ansible means that when the infracloud is retired and the VMs are killed you will not have an easy way to redeploy this application.

Thanks for the information @cverna . It really helped me get an insight of what I was looking for!

@jflory7 do not that the infra team will retire the infracloud this year we are currently working at providing a replacement but the fact that happiness-packets deployment is not managed in ansible means that when the infracloud is retired and the VMs are killed you will not have an easy way to redeploy this application.

@cverna Thanks for pointing this out. :thumbsup: I read that email but didn't realize this referred to *.fedorainfracloud.org hosts.

Fortunately, Ansible is already on the roadmap in #111. We are also aiming to migrate this to the Fedora Infra OpenShift appliance over the summer, if possible. If you have pointers on how to get an application hosted in OpenShift, that would be helpful.

To follow up here, @alishapapun introduced FAS search functionality in PR #196. :tada: Thanks for your hard work and dedication on this task @alishapapun! :smile:

Closing as complete.