feat: add GitHub team allowlist configuration option #1694
Conversation
paulerickson
force-pushed
the
github_team_allowlist_config
branch
from
c02d16c
to
b1f23dc
Compare
chenrui333
changed the title
|
@paulerickson hey, thanks for updating the PR. Original PR had quite a bit of comments seems like code stayed largely the same, would you be able to address the feedback from there? Comments are largely around moving the functionality into command runner and possibly moving the flag into server config. |
|
I'd also like to ask that we consider the security implications of default allowing all teams to perform all actions. Maybe we should require people to set this and refuse any commands from users unless they are authorized? Regarding the moving of team allowlists around I think it should be controlled serverside in a config. I am wondering however if maybe it should even be configurable on a per repository basis. For example I might have a repository used to bootstrap new aws accounts into my organization and because of the required privileges this comes with we want it locked down to as few people as possible while others can be utilized by larger groups of people. Currently our threat model shows that the most critical points to cover currently due to lack of controls (which this helps build) is the repository itself and the verification of the payloads from Github webhook. |
paulerickson
force-pushed
the
github_team_allowlist_config
branch
from
b1f23dc
to
b88afd0
Compare
|
So sorry for the lack of updates! I fixed up a couple of things, but got stuck with server config, which was not so obvious to me. I have rebased again and am taking another crack at it now. |
paulerickson
force-pushed
the
github_team_allowlist_config
branch
from
b88afd0
to
a82a789
Compare
|
@msarvar can you clarify whether this comment was already addressed or else what change is being suggested?
The new flag is already defined in server.go, and the string parsing mirrors that of the similar flag |
|
I have moved the permissions check from event handler to command runner, which I think someone requested: b8fce3a |
| t := strings.TrimSpace(team) | ||
| c := strings.TrimSpace(command) |
There was a problem hiding this comment.
I don't think this necessary, is there a reason for this trimming?
There was a problem hiding this comment.
Not that I can see. Removed in fbcd74f
| // IsCommandAllowedForAnyTeam returns true if any of the teams is allowed to execute the command | ||
| // and false otherwise. | ||
| func (checker *TeamAllowlistChecker) IsCommandAllowedForAnyTeam(teams []string, command string) bool { | ||
| c := strings.TrimSpace(command) |
| Equals(t, true, checker.IsCommandAllowedForAnyTeam(teams, `plan`)) | ||
| Equals(t, true, checker.IsCommandAllowedForAnyTeam(teams, `release`)) | ||
| Equals(t, false, checker.IsCommandAllowedForAnyTeam(teams, `noop`)) | ||
| } |
There was a problem hiding this comment.
Let's add some tests for wildcard as well.
There was a problem hiding this comment.
Added in 23c5cd9
server/events/vcs/github_client.go
Outdated
| } | ||
| for _, t := range teams { | ||
| membership, _, err := g.client.Teams.GetTeamMembershipBySlug(g.ctx, org, *t.Slug, user.Username) | ||
| if err == nil && membership != nil { |
There was a problem hiding this comment.
We should return if there is an error or at least log the error.
There was a problem hiding this comment.
I logged it here: ac049ea
I think continuing with no groups is a simple way to handle it unless we can retry or do some better handling in a higher layer
server/events/vcs/github_client.go
Outdated
| for { | ||
| teams, resp, err := g.client.Teams.ListTeams(g.ctx, org, opts) | ||
| if err != nil { | ||
| return nil, err |
There was a problem hiding this comment.
Let's wrap the error here. Something like `errors.Wrap(err, "retrieving github teams")
There was a problem hiding this comment.
addressed in ac049ea
|
@paulerickson Hey, pr looks good. Left couple comments, let me know what you think |
paulerickson
force-pushed
the
github_team_allowlist_config
branch
from
b8fce3a
to
fdfa88f
Compare
Co-authored-by: PePe (Jose) Amengual <jamengual@sonatype.com> Co-authored-by: Troy Neeriemer <tneeriemer@sonatype.com> Co-authored-by: Ted Roby <troby+github@sonatype.com> Co-authored-by: Paul Erickson <perickson@sonatype.com>
paulerickson
force-pushed
the
github_team_allowlist_config
branch
from
fdfa88f
to
ac049ea
Compare
Thanks, @msarvar. I think I've addressed everything, and rebased from master |
|
Relates to #308 |
…-test-job * 'master' of github.com:runatlantis/atlantis: (79 commits) release: 0.18.0 (#1965) feat: streaming terraform logs in real-time (#1937) build(deps): bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.10 (#1961) docs: update website links (#1964) docs: clarify example for `--azuredevops-token` flag (#1712) docs: typo in heading level (#1960) fix: fallback to default TF version in apply step (#1931) feat: add GitHub team allowlist configuration option (#1694) Add in Dockerfile support for last Terraform 1.0.x version in AVAILABLE_TERRAFORM_VERSIONS (#1957) build(deps): bump github.com/spf13/viper from 1.10.0 to 1.10.1 (#1956) deps: terraform 1.1.2 (#1952) release: 0.17.6 (#1947) docker: make multi-platform atlantis image (#1943) docker(testing): fix arch ref for `linux/arm/v7` docker(testing): updating image build process docs: fix policy check documentation examples (#1945) build: make multi-platform image for testing-env atlantis-base: fix context atalntis-base: update platforms and path trigger atlantis-base: update platforms ...
| return nil, errors.Wrap(err, "retrieving GitHub teams") | ||
| } | ||
| for _, t := range teams { | ||
| membership, _, err := g.client.Teams.GetTeamMembershipBySlug(g.ctx, org, *t.Slug, user.Username) |
There was a problem hiding this comment.
What about the rate limiting? Wound't it be better to use the GraphQL so we could just pull the orgs teams of a user?
https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting
There was a problem hiding this comment.
👍 I haven't worked with the GraphQL API, but it does seem like some calls could be saved that way
There was a problem hiding this comment.
@paulerickson Thanks for the answer I could try to switch this feature to use GraphQL :)
|
It would be great if it had project based allowance. Somehing like : --gh-team-allowlist "{ghteam}:{project}:{command}" Thanks for your work! |
|
@marcportabellaclotet-mt please open a new issue for that. Sounds like a good idea. |
* Add GitHub team allowlist configuration option Co-authored-by: PePe (Jose) Amengual <jamengual@sonatype.com> Co-authored-by: Troy Neeriemer <tneeriemer@sonatype.com> Co-authored-by: Ted Roby <troby+github@sonatype.com> Co-authored-by: Paul Erickson <perickson@sonatype.com> * Check team allowlist in command runner, rather than event controller * Remove unneeded trimming * Test wildcard groups and commands * Improve error logging Co-authored-by: PePe (Jose) Amengual <jamengual@sonatype.com> Co-authored-by: Troy Neeriemer <tneeriemer@sonatype.com> Co-authored-by: Ted Roby <troby+github@sonatype.com>
Summary
Configure permissions by GitHub team, with a list of teams and commands they are permitted to use.
Usage
atlantis server --gh-team-allowlist "myteam:plan, secteam:apply"Background
This change is intended to replace #1206.
The code is the same, so all credit/blame goes to @jamengual & co-authors—I have only squashed those 75 revisions down to one, rebased on master, and resolved a few minor conflicts & incompatibilities.