Refactor permission system + rename whitelist to allowlist #936
Conversation
|
Build succeeded.
|
|
yes, please let's leave koji as it is now and do this only for the CI PR builds |
removed code is unreachable, it gets denied even sooner 🙃😪 |
mfocko
force-pushed
the
disable-repo-permissions
branch
from
4df438f
to
df86589
Compare
|
@TomasTomecek @lachmanfrantisek please check, there is also description of allow/deny changes in last commit Edit: small correction:
|
|
Build succeeded.
|
BTW, do we differentiate between git-forges? What about GitLab namespace, that matches the name of the GitHub one that is whitelisted... |
there's no difference between user and namespace either; which probably makes sense? (even though if we enforce allowing namespace and write/pr author, there's no reason to manipulate with users) shouldn't be a big problem to fix, since it's only github right now (gitlab and pagure is not checked against database) |
| DOCS_URL = "https://packit.dev/packit-as-a-service/" | ||
| FAQ_URL = f"{DOCS_URL}#faq" | ||
| DOCS_URL = "https://packit.dev/docs" | ||
| FAQ_URL = f"{DOCS_URL}/faq" | ||
| FAQ_URL_HOW_TO_RETRIGGER = ( | ||
| f"{DOCS_URL}#how-to-re-trigger-packit-service-actions-in-your-pull-request" | ||
| f"{DOCS_URL}/packit-as-a-service/" | ||
| "#how-to-re-trigger-packit-service-actions-in-your-pull-request" |
There was a problem hiding this comment.
Thanks for fixing that!
packit_service/worker/whitelist.py
Outdated
| # whitelist checks dont apply to CentOS (Pagure, Gitlab) | ||
| if isinstance( | ||
| event, | ||
| for callback, related_events in ( |
There was a problem hiding this comment.
What about some mapping, this is becoming too magical to me.
There was a problem hiding this comment.
it is a mapping, without map :D i'll add it
There was a problem hiding this comment.
My point was more about readability. Just that it's really clear what is going on here.
|
also I could probably switch the naming of whitelist since I'm probably going to touch the database because of github vs gitlab |
|
Build succeeded.
|
|
Build failed.
|
packit_service/worker/allowlist.py
Outdated
| ) | ||
| ] | ||
|
|
||
| def unchecked_event( |
There was a problem hiding this comment.
What about some prefix for those methods? Something like validate_unchecked_event, validate_release_push_event,...
| for related_events, callback in CALLBACKS.items(): | ||
| if isinstance(event, related_events): | ||
| return callback(event, project, service_config, job_configs) |
There was a problem hiding this comment.
Personally, I like that approach, but tbh, I am still not sure about the readability of this.
But let's use this and improve later if someone complains...;)
definitely won't be last one till finish :D |
mfocko
changed the title
mfocko
force-pushed
the
disable-repo-permissions
branch
from
7e6afc1
to
27f10a4
Compare
|
Build failed.
|
mfocko
force-pushed
the
disable-repo-permissions
branch
from
27f10a4
to
57d1da0
Compare
|
Build succeeded.
|
Disables checking of user's write permissions in the repository that PR is created against. Fixes packit#920 Signed-off-by: Matej Focko <mfocko@redhat.com>
Signed-off-by: Matej Focko <mfocko@redhat.com>
Signed-off-by: Matej Focko <mfocko@redhat.com>
- Separate handling of events into methods
- Move check for write access to repository from job processing to allowlisting
- Fix tests
- Change behaviour on pull requests
- Priority before:
write access > Packit admins > (allowlisted namespace OR repository)
- Priority now:
Packit admins > allowlisted namespace > (author of pr OR write access)
Signed-off-by: Matej Focko <mfocko@redhat.com>
- Add specific types to event callbacks - Enable checking permissions on GitLab - Move callbacks to dictionary Signed-off-by: Matej Focko <mfocko@redhat.com>
Fixes packit#937 Signed-off-by: Matej Focko <mfocko@redhat.com>
mfocko
force-pushed
the
disable-repo-permissions
branch
from
57d1da0
to
c6c92a7
Compare
|
Build succeeded.
|
|
Build succeeded (gate pipeline).
|
TODO
resolution: keeping as is
GitLab namespace (they are multi-part, we probably want to support allowlistingredhat, but accepting all nested namespaces, e.g.redhat/rpms)we need to differentiate between users with permissions on GitLab and GitHubresolution: turned on for MRs, push and issue comments
resolution: done, not pushed, may be merged together with enum for gitlab/github
Differentiating GitLab/GitHub allowed users (with related not done TODOs) will be done in follow-up PR
Changes
write access > ( Packit admins OR allowlisted namespace of repository OR user that triggered event )Packit admins > ( allowlisted namespace AND ( author of pull request OR write access ) )allowlisted user OR namespaceallowlisted namespace AND write permissions of userFixes #920
Fixes #937