chore: Merge branch 'main' of https://github.com/openmcp-project/ui-backend

Author: n3rdc4ptn

.github/workflows/clean-main-images.yml

@@ -4,68 +4,31 @@ on:
   schedule:
     - cron: "5 1 * * *"
   workflow_dispatch:
+    inputs:
+      dry-run:
+        description: "Dry run"
+        required: false
+        default: true
+        type: "boolean"
 
 env:
-  REGISTRY: ghcr.io
-  ORG: openmcp-project
   IMAGE_NAME: mcp-ui-backend
   KEEP_X_IMAGES: 5
   TAG_PREFIX: "main-*"
 
 jobs:
   clean:
-    name: "Clean main images"
+    name: Clean main images
     runs-on: ubuntu-latest
     permissions:
       packages: write
-    env:
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - name: List all ${{ env.TAG_PREFIX }} tags and their version IDs (debug)
-        run: |
-          gh api -H "Accept: application/vnd.github+json" \
-            /orgs/${{ env.ORG }}/packages/container/${{ env.IMAGE_NAME }}/versions \
-            --paginate | jq -r '.[] | select(.metadata.container.tags[] | startswith("${{ env.TAG_PREFIX }}")) | "\(.id) \(.metadata.container.tags[])"' | grep '^.* ${{ env.TAG_PREFIX }}' | sort -k2 -r
-
-      - name: Delete old ${{ env.TAG_PREFIX }}* tags using GitHub API, keep ${{ env.KEEP_X_IMAGES }}
-        run: |
-          set -e
-          set -o pipefail
-
-          # Get all ${{ env.TAG_PREFIX }}* tags and their version IDs, sorted by tag (descending)
-          VERSIONS=$(gh api -H "Accept: application/vnd.github+json" \
-            /orgs/${{ env.ORG }}/packages/container/${{ env.IMAGE_NAME }}/versions \
-            --paginate | jq -r '.[] | select(.metadata.container.tags[] | startswith("${{ env.TAG_PREFIX }}")) | "\(.id) \(.metadata.container.tags[])"' | grep '^.* ${{ env.TAG_PREFIX }}' | sort -k2 -r)
-
-          # Get the lines to delete (skip the first ${{ env.KEEP_X_IMAGES }} versions)
-          TO_DELETE=$(echo "$VERSIONS" | sed "1,${{ env.KEEP_X_IMAGES }}d")
-
-          echo "Deleting the following tags:"
-          echo "$TO_DELETE" | awk '{print $2}'
-
-          if [ -z "$TO_DELETE" ]; then
-            echo "No tags to delete."
-            exit 0
-          fi
-
-          FAILED_DELETIONS=""
-          while read -r line; do
-            id=$(echo "$line" | awk '{print $1}')
-            tag=$(echo "$line" | awk '{print $2}')
-            echo "Deleting tag $tag (version ID $id)"
-            if ! gh api -X DELETE -H "Accept: application/vnd.github+json" \
-              /orgs/${{ env.ORG }}/packages/container/${{ env.IMAGE_NAME }}/versions/$id; then
-              echo "Failed to delete version $id ($tag)"
-              FAILED_DELETIONS="${FAILED_DELETIONS}\n$id ($tag)"
-            fi
-          done <<< "$TO_DELETE"
-
-          if [ -n "$FAILED_DELETIONS" ]; then
-            echo -e "The following deletions failed:\n$FAILED_DELETIONS"
-            exit 1
-          fi
-      - name: List remaining ${{ env.TAG_PREFIX }}* tags and their version IDs (debug)
-        run: |
-          gh api -H "Accept: application/vnd.github+json" \
-            /orgs/${{ env.ORG }}/packages/container/${{ env.IMAGE_NAME }}/versions \
-            --paginate | jq -r '.[] | select(.metadata.container.tags[] | startswith("${{ env.TAG_PREFIX }}")) | "\(.id) \(.metadata.container.tags[])"' | grep '^.* ${{ env.TAG_PREFIX }}' | sort -k2 -r
+      - uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 #v1
+        with:
+          dry-run: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true' }}
+          packages: ${{ env.IMAGE_NAME }}
+          delete-tags: ${{ env.TAG_PREFIX }}
+          delete-untagged: true
+          keep-n-tagged: ${{ env.KEEP_X_IMAGES }}
+          delete-ghost-images: true
+          delete-partial-images: true

.gitignore

@@ -8,3 +8,4 @@ tmp
 
 coverage.html
 coverage.out
+.vscode

internal/server/handlerCategory.go

@@ -46,14 +46,16 @@ func _categoryHandler(s *shared, req *http.Request, res *response) (*response, *
 
 	var config k8s.KubeConfig
 	if data.ProjectName != "" && data.WorkspaceName != "" && data.McpName != "" {
-		config, err = openmcp.GetControlPlaneKubeconfig(s.crateKube, data.ProjectName, data.WorkspaceName, data.McpName, data.Authorization, crateKubeconfig)
+		config, err = openmcp.GetControlPlaneKubeconfig(s.crateKube, data.ProjectName, data.WorkspaceName, data.McpName, data.CrateAuthorizationToken, crateKubeconfig)
 		if err != nil {
 			slog.Error("failed to get control plane api config", "err", err)
 			return nil, NewInternalServerError("failed to get control plane api config")
 		}
-		if data.Authorization != "" {
-			config.SetUserToken(data.Authorization)
+		if data.McpAuthorizationToken == "" {
+			slog.Error("MCP authorization token not provided")
+			return nil, NewBadRequestError("MCP authorization token not provided")
 		}
+		config.SetUserToken(data.McpAuthorizationToken)
 	} else {
 		slog.Error("either use %s: true or provide %s, %s and %s headers", useCrateClusterHeader, projectNameHeader, workspaceNameHeader, mcpName)
 		return nil, NewBadRequestError(

internal/server/handlerMain.go

@@ -54,7 +54,8 @@ type ExtractedRequestData struct {
 	McpName                         string
 	ContextName                     string
 	UseCrateCluster                 bool
-	Authorization                   string
+	CrateAuthorizationToken         string
+	McpAuthorizationToken           string
 	Headers                         map[string][]string
 	JQ                              string
 	Category                        string
@@ -87,16 +88,18 @@ func mainHandler(s *shared, req *http.Request, res *response) (*response, *HttpE
 	var config k8s.KubeConfig
 	if data.UseCrateCluster {
 		config = crateKubeconfig
-		config.SetUserToken(data.Authorization)
+		config.SetUserToken(data.CrateAuthorizationToken)
 	} else if data.ProjectName != "" && data.WorkspaceName != "" && data.McpName != "" {
-		config, err = openmcp.GetControlPlaneKubeconfig(s.crateKube, data.ProjectName, data.WorkspaceName, data.McpName, data.Authorization, crateKubeconfig)
+		config, err = openmcp.GetControlPlaneKubeconfig(s.crateKube, data.ProjectName, data.WorkspaceName, data.McpName, data.CrateAuthorizationToken, crateKubeconfig)
 		if err != nil {
 			slog.Error("failed to get control plane api config", "err", err)
 			return nil, NewInternalServerError("failed to get control plane api config")
 		}
-		if data.Authorization != "" {
-			config.SetUserToken(data.Authorization)
+		if data.McpAuthorizationToken == "" {
+			slog.Error("MCP authorization token not provided")
+			return nil, NewBadRequestError("MCP authorization token not provided")
 		}
+		config.SetUserToken(data.McpAuthorizationToken)
 	} else {
 		slog.Error("either use %s: true or provide %s, %s and %s headers", useCrateClusterHeader, projectNameHeader, workspaceNameHeader, mcpName)
 		return nil, NewBadRequestError(
@@ -138,6 +141,15 @@ func mainHandler(s *shared, req *http.Request, res *response) (*response, *HttpE
 }
 
 func extractRequestData(r *http.Request) (ExtractedRequestData, error) {
+	if r.Header.Get(authorizationHeader) == "" {
+		return ExtractedRequestData{}, fmt.Errorf("%s header is required", authorizationHeader)
+	}
+
+	crateToken, mcpToken, err := parseAuthorizationHeaderWithDoubleTokens(r.Header.Get(authorizationHeader))
+	if err != nil {
+		return ExtractedRequestData{}, fmt.Errorf("invalid %s header: %w", authorizationHeader, err)
+	}
+
 	rd := ExtractedRequestData{
 		Path:                            r.URL.Path,
 		Query:                           r.URL.Query(),
@@ -150,7 +162,8 @@ func extractRequestData(r *http.Request) (ExtractedRequestData, error) {
 		WorkspaceName:                   r.Header.Get(workspaceNameHeader),
 		ContextName:                     r.Header.Get(contextHeader),
 		McpName:                         r.Header.Get(mcpName),
-		Authorization:                   r.Header.Get(authorizationHeader),
+		CrateAuthorizationToken:         crateToken,
+		McpAuthorizationToken:           mcpToken,
 		JQ:                              r.Header.Get(jqHeader),
 		Category:                        r.Header.Get(categoryHeader),
 	}
@@ -166,10 +179,6 @@ func extractRequestData(r *http.Request) (ExtractedRequestData, error) {
 		rd.UseCrateCluster = useCrateCluster
 	}
 
-	if rd.Authorization == "" {
-		return ExtractedRequestData{}, fmt.Errorf("%s header is required", authorizationHeader)
-	}
-
 	return rd, nil
 }
 

internal/server/utils.go

@@ -3,6 +3,7 @@ package server
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"io"
 	"net/http"
 	"strings"
@@ -103,3 +104,21 @@ func ParseJQ(inputJson []byte, inputJQ string) (string, error) {
 
 	return strings.Join(result[:], "\n"), nil
 }
+
+// parseAuthorizationHeaderWithDoubleTokens parses an authorization header that may contain two tokens separated by a comma.
+// It returns the first token and the second token (if present). If the second token is absent, it returns an empty string for it.
+// If the header is empty or contains more than two tokens, it returns an error.
+func parseAuthorizationHeaderWithDoubleTokens(authHeader string) (string, string, error) {
+	if authHeader == "" {
+		return "", "", fmt.Errorf("authorization header is empty")
+	}
+
+	tokens := strings.Split(authHeader, ",")
+	if len(tokens) > 2 {
+		return "", "", fmt.Errorf("authorization header must contain two or less tokens separated by a space")
+	}
+	if len(tokens) == 1 {
+		return tokens[0], "", nil
+	}
+	return tokens[0], tokens[1], nil
+}

internal/server/utils_test.go

@@ -0,0 +1,41 @@
+package server
+
+import (
+	"testing"
+)
+
+func TestParseAuthorizationHeaderWithDoubleTokens(t *testing.T) {
+	tests := []struct {
+		authHeader string
+		token1     string
+		token2     string
+		expectErr  bool
+	}{
+		{"token1,token2", "token1", "token2", false},
+		{"token1", "token1", "", false},
+		{"", "", "", true},
+		{"token1,token2,token3", "", "", true},
+	}
+
+	for _, test := range tests {
+		t.Run(test.authHeader, func(t *testing.T) {
+			token1, token2, err := parseAuthorizationHeaderWithDoubleTokens(test.authHeader)
+
+			if test.expectErr {
+				if err == nil {
+					t.Errorf("expected an error but got none")
+				}
+			} else {
+				if err != nil {
+					t.Errorf("expected no error but got: %v", err)
+				}
+				if token1 != test.token1 {
+					t.Errorf("expected token1 to be %q but got %q", test.token1, token1)
+				}
+				if token2 != test.token2 {
+					t.Errorf("expected token2 to be %q but got %q", test.token2, token2)
+				}
+			}
+		})
+	}
+}