-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add checks to determine if a user can trigger jobs #13197
Conversation
/assign @Katharine |
Forgot tests! Adding them now |
@@ -1172,18 +1188,28 @@ func handleRerun(prowJobClient prowv1.ProwJobInterface, createProwJob bool) http | |||
// On Prow instances that require auth even for viewing Deck this is okayish, because the Prowjob UUID | |||
// is hard to guess | |||
// Ref: https://github.com/kubernetes/test-infra/pull/12827#issuecomment-502850414 | |||
if createProwJob { | |||
if r.Method != http.MethodPost { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So previously this would allow only a POST if we were creating a new prowjob. Now, we do nothing if it isn't POST but we don't error. Why?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it isn't POST, we do the same thing /rerun
does now (display the config YAML). This preserves the functionality for kubectl create -f "https://prow.k8s.io/rerun?prowjob=blahblah"
and isn't necessarily an error. If someone tries to directly trigger a job but doesn't use a POST request, they'll just see the YAML which I think seems reasonable.
prow/cmd/deck/main.go
Outdated
return | ||
} | ||
if !canTriggerJob(githubCookie.Value, cfg().Deck.RerunAuthConfig) { | ||
http.Redirect(w, r, "/?rerun=denied", http.StatusForbidden) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think http.Redirect
can successfully redirect without a 3XX status code. In particular I think this would need to respond with 303 since this is a response to a POST request.
That being might be more idiomatic to respond with http.StatusForbidded
and a brief error message. The code that sends the POST request could be responsible for handling the request error and redirecting. I'm not sure what all the pros and cons are here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like the best UX would be to go back to the prow status page and show the popup saying they don't have permission to rerun the job. If 303 is necessary for that, I'd still rather do it, even if it's a bit odd
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still want to see this happen without sending the user around with links and redirects - I don't think links and redirects are the right way to implement this feature.
If we make rerunning into an API that the frontend can use then we don't need to carry frontend state around the world or insert it into other parts of the code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we make rerunning into an API that the frontend can use
+123132
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will come in a later change
prow/cmd/deck/static/prow/prow.ts
Outdated
if (rerunStatus != null) { | ||
if (rerunStatus === "denied") { | ||
modal.style.display = "block"; | ||
rerunCommand.innerHTML = `You don't have permission to rerun that job. Try asking @cjwagner.`; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thats evil 👿
Please no 🙏
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we also recommend contacting on-cole to help resolve for any sandwich-related disputes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll just respond to those now.
It's a sandwich.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nits, otherwise LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I continue to oppose the approach taken to providing the endpoint for this feature. Furthermore, the current implementation in this PR is wildly insecure.
In particular:
- Instead of actually using the GitHub oauth token, we check the value of the
github_login
cookie. This is stored in plaintext on the user's machine and with this implementation can trivially be changed to be impersonate any user. Instead, we should use and verify the supplied GitHub OAuth token, or at least cryptographically sign the username cookie so it cannot be manipulated. Functionally this means there is no authentication. - There is still no CSRF protection. As discussed at some length in Deck: Optionally allow to make the rerun button create a new Job #12827 (comment), this is not acceptable once we add authentication.
- The means by which the reruns are triggered is not ideal. The current approach is to redirect the user between several pages and attempt to keep our UI state by including it in query strings. I would significantly prefer to see the rerun endpoint exposed as an API that is then requested by frontend javascript.
Please do not merge without addressing these issues. In particular, the first two are absolutely hard blockers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Authentication fix looks good to me.
Approving on the understanding that CSRF protection and improved UX flow / API design will be added in followup PRs.
LGTM label has been added. Git tree hash: a0889d19c48411f4edab269ad545826b658dc310
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Katharine, mirandachrist The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR adds logic to check if a user is permitted to trigger job reruns but doesn't change the functionality. If the user is permitted to trigger reruns and the
rerunCreatesJob
flag is set to true, then the job will be triggered. Otherwise, it displays a popup that says the feature hasn't been implemented yet.See design doc for more details.
/assign @cjwagner
/cc @fejta