Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add configurable minimum permissions for triggers #60

Merged
merged 1 commit into from
Apr 17, 2023
Merged

Add configurable minimum permissions for triggers #60

merged 1 commit into from
Apr 17, 2023

Conversation

pascal-hofmann
Copy link
Contributor

@pascal-hofmann pascal-hofmann commented Mar 3, 2023
edited
Loading

For private repositories people with Read role (aka pull permission) are seen as collaborators
by the GitHub API. This means, they were able trigger builds with older versions of the plugin.

This change fixes this, and also adds the option to limit triggering of builds to repository admins.

The existing allowUntrusted toggle is dropped from the UI.
This change adds a new drop-down Minimum Permissions on repository to trigger the build with these options:

  • Only users with admin permission
  • Only users that can push to the repository (default)
  • Allow untrusted users to trigger the build

Use-case for the "admin" part:

  • We have PR builds in our organization that need access to credentials with a high blast radius.
  • For repos with these builds all developers in the organisation have write access, but merging to master is restricted to admins (via .github/CODEOWNERS).
  • Allowing everyone to trigger builds is dangerous, as the Jenkinsfile and other scripts that are used in the build could be modified by people with bad intend / hacked accounts. So we also want to be able to limit triggering of builds to admins only.

Bildschirm­foto 2023-03-06 um 15 53 27

@pascal-hofmann
Copy link
Contributor Author

@bluesliverx It would be great to get this merged/released soon.

Our GitHub org has a lot of users, but we trust only a subset of them for certain repositories.

@lprimak
Copy link
Contributor

lprimak commented Mar 3, 2023

@pascal-hofmann I am not sure I understand any reason for this change.
The "allow untrusted builds" no longer makes any sense, and creates a combinatorial explosion
with the dropdown box which makes no sense and is very confusing.

For example, "NONE" equals "allow untrusted builds" and wording is confusing.
"READ" makes no sense to me because if there are no "READ" permissions, the user wouldn't
be able to clone nor comment on the PR anyway.
"ADMIN" may make sense but it's really a stretch, I can't think of a single use case for it.

Am I not understanding something critical here?
What's the exact issue that triggered the need for this change?
Can you create a ticket that explains the issue in detail?

lprimak
lprimak suggested changes Mar 3, 2023
View reviewed changes
Copy link
Contributor

@lprimak lprimak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comments on this PR. It doesn't make sense to me

@pascal-hofmann
Copy link
Contributor Author

pascal-hofmann commented Mar 4, 2023
edited
Loading

Hi,
thanks for the quick and honest feedback. I'll create an issue with more details and will also update this PR.

Edit: The existing issue types don't make much sense and request a lot of information that's not relevant. I'll update the PR description / commit message instead.

@pascal-hofmann pascal-hofmann force-pushed the configurable-minimum-permissions branch 3 times, most recently from 54ef976 to a2fe5b6 Compare March 4, 2023 11:27
@pascal-hofmann
Copy link
Contributor Author

pascal-hofmann commented Mar 4, 2023
edited
Loading

@lprimak I updated the PR description to make the intent/reasoning behind this PR clearer.

PS: I converted the PR to a draft because I was not able to test the latest code changes yet. I'll also add an updated screenshot once this is done.

@pascal-hofmann pascal-hofmann marked this pull request as draft March 4, 2023 11:29
@pascal-hofmann pascal-hofmann force-pushed the configurable-minimum-permissions branch 2 times, most recently from 75fde26 to c8a12d2 Compare March 4, 2023 13:46
@lprimak
Copy link
Contributor

lprimak commented Mar 4, 2023

Ok, I can see the issue with private repositories.
I think your solution should work and not break anything.
Please create a ticket nonetheless (you can delete the template if you wish)

@pascal-hofmann pascal-hofmann force-pushed the configurable-minimum-permissions branch from c8a12d2 to 92c36fd Compare March 4, 2023 18:14
@pascal-hofmann
Copy link
Contributor Author

I opened #61 for this.

@pascal-hofmann pascal-hofmann force-pushed the configurable-minimum-permissions branch 2 times, most recently from 9d1174a to f95d24e Compare March 6, 2023 14:52
@pascal-hofmann pascal-hofmann marked this pull request as ready for review March 6, 2023 23:45
@lprimak
Copy link
Contributor

lprimak commented Mar 16, 2023

@pascal-hofmann I already reviewed it (repeated code comments, etc)
I realize there is already repeated code, but I would rather not have any more repeated code on top of that.
Thank you

@pascal-hofmann
Copy link
Contributor Author

pascal-hofmann commented Mar 16, 2023
edited
Loading

@lprimak I just tried creating an abstract base class AbstractTriggerBranchProperty but I can also see this as selectable in the jenkins UI. Do you know how to get rid of this?

Edit: Found it and pushed the refactored version.

@pascal-hofmann pascal-hofmann force-pushed the configurable-minimum-permissions branch from f95d24e to a69c6b6 Compare March 16, 2023 08:43
@pascal-hofmann
Add configurable minimum permissions for triggers
00d64c4 
For private repositories people with `Read` role (aka `pull` permission) are seen as collaborators
by the GitHub API. This means, they were able trigger builds with older versions of the plugin.

This change fixes this, and also adds the option to limit triggering of builds to repository admins.

The existing `allowUntrusted` toggle is dropped from the UI.
This change adds a new drop-down `Minimum Permissions on repository to trigger the build` with
these options:
- Only users with admin permission
- Only users that can push to the repository (default)
- Allow untrusted users to trigger the build
@pascal-hofmann pascal-hofmann force-pushed the configurable-minimum-permissions branch from a69c6b6 to 00d64c4 Compare March 16, 2023 08:48
lprimak
lprimak approved these changes Mar 16, 2023
View reviewed changes
src/main/java/com/adobe/jenkins/github_pr_comment_build/TriggerPRUpdateBranchProperty.java Outdated
*
* @return the strategy options.
*/
@NonNull
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Repeated code. Needs refactor

src/main/java/com/adobe/jenkins/github_pr_comment_build/TriggerPRCommentBranchProperty.java Outdated
*
* @return the strategy options.
*/
@NonNull
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Repeated code. Needs refactor

src/main/java/com/adobe/jenkins/github_pr_comment_build/TriggerPRReviewBranchProperty.java Outdated
@@ -14,12 +19,13 @@
*/
public class TriggerPRReviewBranchProperty extends BranchProperty {
private boolean allowUntrusted;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs to be removed along with it's getters and setters

src/main/java/com/adobe/jenkins/github_pr_comment_build/TriggerPRReviewBranchProperty.java Outdated
@@ -30,6 +36,18 @@ public void setAllowUntrusted(boolean allowUntrusted) {
this.allowUntrusted = allowUntrusted;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs to be removed

@lprimak
Copy link
Contributor

lprimak commented Mar 16, 2023

Can we just remove "allow unstrusted" from all the code instead of deprecating it?

@pascal-hofmann
Copy link
Contributor Author

I‘m not sure what will happen with existing configurations if I do that. I thought this way things just continue to work as expected. If that’s not desired I can remove it completely.

What do you prefer?

@lprimak
Copy link
Contributor

lprimak commented Mar 16, 2023

@bluesliverx what do you think?

@pascal-hofmann
Copy link
Contributor Author

Hey,
is there any update on this? Can I help with getting this merged?

@bluesliverx
Copy link
Contributor

Sorry, finally getting back to this project. After looking through the code, I believe it is done the correct way. While the allowUntrusted flag still shows up in the code, it is marked deprecated and the value is handled correctly to set the new value. I like this quite a bit, thanks for the improvement!

@bluesliverx
Copy link
Contributor

I'm just trying to get the PR to build and then I'll merge. Also, there is a new label type that was just barely merged. I'll work on getting this same functionality added to that after it builds/merges. Unless you beat me to it and then by all means add it to the label trigger (#62) @pascal-hofmann

@bluesliverx bluesliverx merged commit e96c665 into jenkinsci:master Apr 17, 2023
@bluesliverx bluesliverx mentioned this pull request Apr 17, 2023
Merged
@pascal-hofmann pascal-hofmann deleted the configurable-minimum-permissions branch April 17, 2023 18:42
@bluesliverx
Copy link
Contributor

This has been released in 96.v9ff13b69dd66.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lprimak lprimak lprimak approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@pascal-hofmann @lprimak @bluesliverx