Add Azure DevOps Server support #754

Merged: vinokurig merged 3 commits into main from che-23306 on Mar 13, 2025
@vinokurig
Contributor

@vinokurig vinokurig commented Jan 20, 2025

What does this PR do?

Depends on eclipse-che/che-dashboard#1313

Screenshot/screencast of this PR

What issues does this PR fix or reference?

fixes eclipse-che/che#23306

How to test this PR?

  1. Deploy che with the pull request image: quay.io/eclipse/che-server:pr-754.
  2. In the Dev azure Server instance create a personal access token with full access.
  3. Create a personal access token, use the Organization input to enter the Collection name.
  4. Start a workspace from an azure devops server repository with a devfile.

See: workspace starts with the devfile resolve.

PR Checklist

As the author of this Pull Request I made sure that:

Release Notes

Reviewers

Reviewers, please comment how you tested the PR when approving it.

@vinokurig vinokurig marked this pull request as draft January 20, 2025 14:40
@vinokurig vinokurig force-pushed the che-23306 branch 2 times, most recently from 259113e to 4c865ce Compare January 21, 2025 12:58
@vinokurig vinokurig marked this pull request as ready for review January 21, 2025 13:35
@vinokurig
Contributor Author

/retest

}

public AzureDevOpsUrl withServerUrl(String serverUrl) {
this.serverUrl = serverUrl;
Contributor

When use set serverUrl, then hostname is null, which is used later in getRepositoryLocation

Contributor Author

The hostName does not rely on serverUrl, we set it independently:

return new AzureDevOpsUrl()
.withHostName(
url.startsWith("git@ssh.") ? azureDevOpsScmApiEndpointHost : URI.create(url).getHost())

if (!isValidScmServerUrl(params.getScmProviderUrl())) {
LOG.debug("not a valid url {} for current fetcher ", params.getScmProviderUrl());
return Optional.empty();
if (OAUTH_PROVIDER_NAME.equals(params.getScmProviderName())) {
Contributor

Can we refactor this function?
For instance, move if (OAUTH_PROVIDER_NAME.equals(params.getScmProviderName())) { before if (!isValidScmServerUrl(params.getScmProviderUrl())) {

Contributor Author

We need to check if the token belongs to Azure DevOps SAAS or Server first. The isValidScmServerUrl function name is a bit misleading, so I renamed it.

azureDevOpsApiClient.getUserWithPAT(
personalAccessToken.getToken(), personalAccessToken.getScmOrganization());
return new GitUserData(user.getDisplayName(), user.getEmailAddress());
if (personalAccessToken.getScmProviderUrl().equals("https://dev.azure.com")) {
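
Review bot: The SaaS-versus-Server branch on the last line relies on exact string equality with "https://dev.azure.com", so a stored provider URL with a trailing slash or different letter case would fall through to the Server path, and a null getScmProviderUrl() would throw here. Compare a normalized URL (or its parsed host) against the shared constant, with the constant on the left of equals.
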
Contributor

We have AzureDevOps class for constants

Contributor Author

done

} catch (ScmUnauthorizedException e) {
return true;
// the error message is a JSON if it is a response from Gitlab.
return e.getMessage().startsWith("{");
Contributor

Do we really need these changes in the context of Azure?

Contributor Author

Yes, we need to specify the unauthorized exception as Azure also returns an unauthorized exception in this case.

Member

what is the response from Azure in this case?

Contributor Author

I moved the json validation check to a separate private function, enhanced the check with JSON parser and updated the Javadoc.


private Optional<Matcher> getPatternMatcherByUrl(String url) {
String host = URI.create(url).getHost();
Matcher matcher = compile(format(azureDevOpsPatternTemplate, host)).matcher(url);

Check failure: Code scanning / CodeQL
Regular expression injection (High): This regular expression is constructed from a user-provided value.

if (matcher.matches()) {
return Optional.of(matcher);
} else {
matcher = compile(format(azureSSHDevOpsPatternTemplate, host)).matcher(url);

Check failure: Code scanning / CodeQL
Regular expression injection (High): This regular expression is constructed from a user-provided value.

if (matcher.matches()) {
return Optional.of(matcher);
} else {
matcher = compile(format(azureSSHDevOpsServerPatternTemplate, host)).matcher(url);

Check failure: Code scanning / CodeQL
Regular expression injection (High): This regular expression is constructed from a user-provided value.

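
Review bot: In getPatternMatcherByUrl, host is taken from URI.create(url).getHost() on the caller-supplied URL and passed unescaped into all three compile(format(..., host)) calls, which is the regular expression injection CodeQL reports. Pass Pattern.quote(host) to format so that any regex metacharacters in the host are matched literally. getHost() also returns null when the URL has no authority component, and URI.create throws IllegalArgumentException on malformed input, so reject both cases before building the pattern instead of formatting "null" into it.
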
@vinokurig vinokurig closed this Feb 5, 2025
@vinokurig vinokurig deleted the che-23306 branch February 5, 2025 14:01
@vinokurig vinokurig restored the che-23306 branch February 5, 2025 14:01
@vinokurig vinokurig reopened this Feb 5, 2025
@vinokurig vinokurig force-pushed the che-23306 branch 2 times, most recently from 80c8b96 to 12721bc Compare February 6, 2025 12:00
@vinokurig vinokurig marked this pull request as draft February 7, 2025 08:43
@vinokurig vinokurig force-pushed the che-23306 branch 4 times, most recently from cfaf300 to 95d556a Compare February 10, 2025 08:40
@vinokurig vinokurig force-pushed the che-23306 branch 2 times, most recently from 2e1f709 to 3531467 Compare February 10, 2025 10:53
Comment on lines -115 to +120
return true;
// Some Git providers e.g. Azure Devops Server, may return unauthorized exception on invalid
// API request, but Gitlab API returns unauthorized error message in JSON format, so to be
// sure that the URL belongs to Gitlab, we need to check if the error message is a valid
// JSON.
return isJsonValid(e.getMessage());
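
Review bot: isJsonValid(e.getMessage()) on the last line only establishes that the unauthorized response body parses as JSON, not that GitLab produced it, so any other server that answers an unauthorized request with a JSON body would still be claimed by the GitLab parser. Consider checking for a field that GitLab returns in this error rather than JSON validity alone, make sure isJsonValid returns false for a null or empty message, and say in the comment that the check is a heuristic.
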
Member

@vinokurig I'm a bit lost with Gitlab change in general.
Could you clarify why we are changing AbstractGitlabUrlParser.java in the context of the Azure TFS onboarding? How come GitLab flow is affected by the Azure Devops Server?

Contributor Author

When we resolve a factory url we iterate over provider implementations and check if the url corresponds to any known implemented provider.
In the Gitlab implementation, when we resolve a public Gitlab Server repo url but neither oauth is configured nor a PAT is added, we use the isApiRequestRelevant() function:
The function extracts the server url from the repository url and with this server url we make a test Gitlab Server API call. The idea is: if the test api call returns unauthorised error, it means that the extracted server url is a Gitlab Server url and we treat the repository url as a Gitlab Server url.

The problem is that Azure Devops Server Api returns unauthorized response on any invalid API request, so when we iterate the Azure repo url through the Gitlab implementation, the url is tested by the isApiRequestRelevant() function and according to the response status it becomes a Gitlab url.

To be able to distinguish the unauthorized response of Azure Devops Server url and Gitlab Server url, we check the error message format, if it is in JSON format, we can assume that the url is a Gitlab repo, but if the error message is a plain text, we continue the iteration because the url is an Azure Devops Server repo.

Member

@ibuziuk ibuziuk left a comment

@artaleks9 @dmytro-ndp folks, please provide your approval before merging as well. Looks like Gitlab test is failing right now (please make sure that all PR checks are merged before we merge)

@openshift-ci openshift-ci bot added lgtm and removed lgtm labels Feb 28, 2025
@openshift-ci

openshift-ci bot commented Mar 3, 2025

@vinokurig: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/v14-gitlab-with-oauth-setup-flow | 7681e71 | link | true | /test v14-gitlab-with-oauth-setup-flow |

@dmytro-ndp
Contributor

dmytro-ndp commented Mar 4, 2025

@vinokurig: after the review of this feature demo, I can admit that adding extraheader under the [http] section manually, with the need to encode the personal access token and enter it in the 'Import Git Config' text area of User Preferences, could be a challenge for a regular user.
Do you think it's possible to get rid of this step by reusing the existing Personal Access Token entered on the 'User Preferences > Personal Access Token' page?

@vinokurig
Contributor Author

vinokurig commented Mar 4, 2025

@dmytro-ndp
That's a good point, we have discussed it with @ibuziuk and decided to keep the manual flow to be sure that this logic will not break the factory flow with other providers. Since we are adding an authorization header to all git requests, we want the user to be aware of that, and if something goes wrong, the user will be able to revert the header.
When we are sure that this is safe, we will add a mechanism that will automatically add the configuration to the workspace gitconfig.

@SkorikSergey
Contributor

@vinokurig : hello
FYI:

verification of eclipse-che/che#23306 issue fix up has been passed.

See test details below:

Test scenario to check eclipse-che/che#23306 issue:

  1. Deploy che with the pull request image: quay.io/eclipse/che-server:pr-754.
  2. In the Dev azure Server instance create a personal access token with full access.
  3. Create a personal access token, use the Organization input to enter the Collection name.
  4. Change gitconfig according to documentation
  5. Start a workspace from an azure devops server repository with a devfile.
  6. Create new file and commit changes to new branch.
  7. Push changes and check them on Azure Server test repo page.

@openshift-ci

openshift-ci bot commented Mar 12, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ibuziuk, SkorikSergey, vinokurig

@SkorikSergey
Contributor

SkorikSergey commented Mar 12, 2025

@vinokurig After adding the token according to this documentation, I have also started a workspace from a private repo on GitHub Enterprise Server (OAuth accepted). The workspace started successfully but the project was not cloned. After removing the token from gitconfig, it works as expected.

@ibuziuk
Member

ibuziuk commented Mar 12, 2025

@vinokurig I think we should at the very least mention this caveat in the docs
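
The caveat discussed in this thread, as an added configuration example (not taken from the PR or from the Che documentation): an `extraheader` under a bare `[http]` section is sent with every HTTP(S) git request, while git's `http.<url>.*` form limits it to one server. The host name `azure-devops.example.com`, the token placeholder and the `Basic` header form are assumptions; the page does not show the exact header.

```ini
# Constructed example. Host name and token value are placeholders.
# The two sections below are alternatives. Do not keep both in one
# file: the unscoped section would still apply to every remote.

# Weak: unscoped. The encoded personal access token is attached to
# requests for every HTTP(S) remote the workspace talks to, including
# GitHub or GitLab servers. Those hosts receive a credential that is
# not theirs, and, as reported in this thread, a clone from another
# provider can fail while the header is present.
[http]
	extraheader = Authorization: Basic <base64-encoded-PAT>

# Scoped: git applies http.<url>.* options only to remotes whose URL
# matches the section's URL, so the header is sent to the Azure DevOps
# Server host alone and other providers keep their own credentials.
[http "https://azure-devops.example.com/"]
	extraheader = Authorization: Basic <base64-encoded-PAT>
```

Running `git config --get-urlmatch http.extraheader <remote-url>` shows which header value, if any, git would apply to a given remote.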

@vinokurig vinokurig merged commit 870aed1 into main Mar 13, 2025
26 of 28 checks passed
@vinokurig vinokurig deleted the che-23306 branch March 13, 2025 07:20
@devspacesbuild

Build 3.20 :: server_3.x/389: Console, Changes, Git Data

@vinokurig vinokurig mentioned this pull request Mar 13, 2025
9 tasks
@devspacesbuild

Build 3.20 :: get-sources-rhpkg-container-build_3.x/9021: FAILURE

server : 3.x :: Failed in 66972204 : BREW:BUILD/STATUS:UNKNOWN
FAILURE:; copied to quay

vinokurig added a commit that referenced this pull request Mar 13, 2025
Fix the build failure caused by merging #754
Successfully merging this pull request may close these issues.

Support for Microsoft Azure DevOps Server (TFS)

6 participants