Add checks to determine if a user can trigger jobs #13197
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
area/prow
|
/assign @Katharine |
|
Forgot tests! Adding them now |
k8s-ci-robot
added
size/L
| @@ -1172,18 +1188,28 @@ func handleRerun(prowJobClient prowv1.ProwJobInterface, createProwJob bool) http | |||
| // On Prow instances that require auth even for viewing Deck this is okayish, because the Prowjob UUID | |||
| // is hard to guess | |||
| // Ref: https://github.com/kubernetes/test-infra/pull/12827#issuecomment-502850414 | |||
| if createProwJob { | |||
| if r.Method != http.MethodPost { | |||
There was a problem hiding this comment.
So previously this would allow only a POST if we were creating a new prowjob. Now, we do nothing if it isn't POST but we don't error. Why?
There was a problem hiding this comment.
If it isn't POST, we do the same thing /rerun does now (display the config YAML). This preserves the functionality for kubectl create -f "https://prow.k8s.io/rerun?prowjob=blahblah" and isn't necessarily an error. If someone tries to directly trigger a job but doesn't use a POST request, they'll just see the YAML which I think seems reasonable.
prow/cmd/deck/main.go
Outdated
| return | ||
| } | ||
| if !canTriggerJob(githubCookie.Value, cfg().Deck.RerunAuthConfig) { | ||
| http.Redirect(w, r, "/?rerun=denied", http.StatusForbidden) |
There was a problem hiding this comment.
I don't think http.Redirect can successfully redirect without a 3XX status code. In particular I think this would need to respond with 303 since this is a response to a POST request.
That being might be more idiomatic to respond with http.StatusForbidded and a brief error message. The code that sends the POST request could be responsible for handling the request error and redirecting. I'm not sure what all the pros and cons are here.
There was a problem hiding this comment.
I feel like the best UX would be to go back to the prow status page and show the popup saying they don't have permission to rerun the job. If 303 is necessary for that, I'd still rather do it, even if it's a bit odd
There was a problem hiding this comment.
I still want to see this happen without sending the user around with links and redirects - I don't think links and redirects are the right way to implement this feature.
If we make rerunning into an API that the frontend can use then we don't need to carry frontend state around the world or insert it into other parts of the code.
There was a problem hiding this comment.
If we make rerunning into an API that the frontend can use
+123132
There was a problem hiding this comment.
This will come in a later change
prow/cmd/deck/static/prow/prow.ts
Outdated
| if (rerunStatus != null) { | ||
| if (rerunStatus === "denied") { | ||
| modal.style.display = "block"; | ||
| rerunCommand.innerHTML = `You don't have permission to rerun that job. Try asking @cjwagner.`; |
There was a problem hiding this comment.
Can we also recommend contacting on-cole to help resolve for any sandwich-related disputes?
There was a problem hiding this comment.
I'll just respond to those now.
It's a sandwich.
There was a problem hiding this comment.
I continue to oppose the approach taken to providing the endpoint for this feature. Furthermore, the current implementation in this PR is wildly insecure.
In particular:
- Instead of actually using the GitHub oauth token, we check the value of the
github_logincookie. This is stored in plaintext on the user's machine and with this implementation can trivially be changed to be impersonate any user. Instead, we should use and verify the supplied GitHub OAuth token, or at least cryptographically sign the username cookie so it cannot be manipulated. Functionally this means there is no authentication. - There is still no CSRF protection. As discussed at some length in Deck: Optionally allow to make the rerun button create a new Job #12827 (comment), this is not acceptable once we add authentication.
- The means by which the reruns are triggered is not ideal. The current approach is to redirect the user between several pages and attempt to keep our UI state by including it in query strings. I would significantly prefer to see the rerun endpoint exposed as an API that is then requested by frontend javascript.
Please do not merge without addressing these issues. In particular, the first two are absolutely hard blockers.
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: a0889d19c48411f4edab269ad545826b658dc310
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Katharine, mirandachrist The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
This PR adds logic to check if a user is permitted to trigger job reruns but doesn't change the functionality. If the user is permitted to trigger reruns and the
rerunCreatesJobflag is set to true, then the job will be triggered. Otherwise, it displays a popup that says the feature hasn't been implemented yet.See design doc for more details.
/assign @cjwagner
/cc @fejta