Refactor permission system + rename whitelist to allowlist #936
Build succeeded.
yes, please let's leave koji as it is now and do this only for the CI PR builds
nice, LGTM!
interesting that no tests need an update 🤔
removed code is unreachable, it gets denied even sooner 🙃😪
4df438f to df86589
@TomasTomecek @lachmanfrantisek please check, there is also description of allow/deny changes in last commit
Edit: small correction:
Build succeeded.
BTW, do we differentiate between git-forges? What about GitLab namespace, that matches the name of the GitHub one that is whitelisted...
there's no difference between user and namespace either; which probably makes sense? (even though if we enforce allowing namespace and write/pr author, there's no reason to manipulate with users) shouldn't be a big problem to fix, since it's only github right now (gitlab and pagure is not checked against database)
Thanks for making it more straightforward!
DOCS_URL = "https://packit.dev/packit-as-a-service/" | ||
FAQ_URL = f"{DOCS_URL}#faq" | ||
DOCS_URL = "https://packit.dev/docs" | ||
FAQ_URL = f"{DOCS_URL}/faq" | ||
FAQ_URL_HOW_TO_RETRIGGER = ( | ||
f"{DOCS_URL}#how-to-re-trigger-packit-service-actions-in-your-pull-request" | ||
f"{DOCS_URL}/packit-as-a-service/" | ||
"#how-to-re-trigger-packit-service-actions-in-your-pull-request" |
Thanks for fixing that!
packit_service/worker/whitelist.py
Outdated
# whitelist checks dont apply to CentOS (Pagure, Gitlab) | ||
if isinstance( | ||
event, | ||
for callback, related_events in ( |
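Review bot: the comment at the top of this hunk, "whitelist checks dont apply to CentOS (Pagure, Gitlab)", means events from those forges skip the database lookup entirely, which the discussion above also states for GitLab and Pagure. Because this check is the gate for running jobs, a forge that is not yet looked up should fail closed (return False) rather than be exempt, or the exemption should at least be logged with the forge and namespace so it stays visible until the GitLab lookup lands in the follow-up PR. Also fix the typo in the comment ("dont" -> "don't").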
What about some mapping, this is becoming too magical to me.
it is a mapping, without map :D i'll add it
My point was more about readability. Just that it's really clear what is going on here.
also I could probably switch the naming of whitelist since I'm probably going to touch the database because of github vs gitlab
Build succeeded.
Build failed.
Sorry for another group of comments...
packit_service/worker/allowlist.py
Outdated
) | ||
] | ||
|
||
def unchecked_event( |
What about some prefix for those methods? Something like validate_unchecked_event, validate_release_push_event, ...
for related_events, callback in CALLBACKS.items(): | ||
if isinstance(event, related_events): | ||
return callback(event, project, service_config, job_configs) |
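Review bot: the dispatch loop `for related_events, callback in CALLBACKS.items(): if isinstance(event, related_events): return callback(...)` has no fallthrough, so an event class that matches none of the keys makes the function return None. For a permission check that should be an explicit `return False` (or a raised error) after the loop, with a log line naming the unmatched event type, so a newly added event class cannot be treated ambiguously by callers. Also, because the loop returns on the first match, the order of entries in CALLBACKS is significant whenever keys share a subclass relation; a comment on the dictionary saying so would help the readability concern raised above.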
Personally, I like that approach, but tbh, I am still not sure about the readability of this.
But let's use this and improve later if someone complains...;)
definitely won't be last one till finish :D
7e6afc1 to 27f10a4
Build failed.
27f10a4 to 57d1da0
Build succeeded.
Thanks! That was a huge amount of work. 🚀
Disables checking of user's write permissions in the repository that PR is created against.
Fixes packit#920
Signed-off-by: Matej Focko <mfocko@redhat.com>
Signed-off-by: Matej Focko <mfocko@redhat.com>
Signed-off-by: Matej Focko <mfocko@redhat.com>
- Separate handling of events into methods
- Move check for write access to repository from job processing to allowlisting
- Fix tests
- Change behaviour on pull requests
- Priority before: write access > Packit admins > (allowlisted namespace OR repository)
- Priority now: Packit admins > allowlisted namespace > (author of pr OR write access)
Signed-off-by: Matej Focko <mfocko@redhat.com>
- Add specific types to event callbacks
- Enable checking permissions on GitLab
- Move callbacks to dictionary
Signed-off-by: Matej Focko <mfocko@redhat.com>
Fixes packit#937
Signed-off-by: Matej Focko <mfocko@redhat.com>
57d1da0 to c6c92a7
Build succeeded.
Build succeeded (gate pipeline).
TODO
- resolution: keeping as is
- GitLab namespace (they are multi-part, we probably want to support allowlisting redhat, but accepting all nested namespaces, e.g. redhat/rpms)
- we need to differentiate between users with permissions on GitLab and GitHub
  resolution: turned on for MRs, push and issue comments
- resolution: done, not pushed, may be merged together with enum for gitlab/github

Differentiating GitLab/GitHub allowed users (with related not done TODOs) will be done in follow-up PR

Changes
- write access > ( Packit admins OR allowlisted namespace of repository OR user that triggered event )
- Packit admins > ( allowlisted namespace AND ( author of pull request OR write access ) )
- allowlisted user OR namespace
- allowlisted namespace AND write permissions of user

Fixes #920
Fixes #937
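As an added illustration (not packit's own code), here is one reading of the pull-request priorities listed under Changes, with the old and new rules side by side on constructed sample events; the account names, the plain-string identifiers and the ALLOWLISTED_USERS set are assumptions, and the old rule treats write access as a gate that must pass before any allowlist lookup:

```python
from dataclasses import dataclass

# Constructed sample policy data; not packit's real configuration.
PACKIT_ADMINS = frozenset({"admin-alice"})
ALLOWLISTED_NAMESPACES = frozenset({"github.com/packit"})
ALLOWLISTED_USERS = frozenset({"trusted-bob"})  # assumed: plain account names


@dataclass(frozen=True)
class PullRequestEvent:
    namespace: str      # namespace of the repository the PR targets
    author: str         # account that opened the pull request
    actor: str          # account whose action (comment, push) triggered the event
    writers: frozenset  # accounts with write access to the target repository


def allowed_before(ev: PullRequestEvent) -> bool:
    """Old order: write access gate first, then admin OR namespace OR user allowlist."""
    if ev.actor not in ev.writers:
        return False  # write access used to be required before any allowlist lookup
    return (
        ev.actor in PACKIT_ADMINS
        or ev.namespace in ALLOWLISTED_NAMESPACES
        or ev.actor in ALLOWLISTED_USERS
    )


def allowed_after(ev: PullRequestEvent) -> bool:
    """New order: admins bypass; else namespace must be allowlisted AND actor is author or writer."""
    if ev.actor in PACKIT_ADMINS:
        return True
    if ev.namespace not in ALLOWLISTED_NAMESPACES:
        return False  # an allowlisted user alone is no longer enough
    return ev.actor == ev.author or ev.actor in ev.writers


WRITERS = frozenset({"maintainer-carol"})
NS = "github.com/packit"
# Contributor without write access opens a PR against an allowlisted repo (the #920 case).
CONTRIBUTOR_PR = PullRequestEvent(NS, "contributor-dan", "contributor-dan", WRITERS)
# Packit admin, who is not a repo writer, comments on that PR.
ADMIN_COMMENT = PullRequestEvent(NS, "contributor-dan", "admin-alice", WRITERS)
# Maintainer with write access retriggers someone else's PR.
MAINTAINER_COMMENT = PullRequestEvent(NS, "contributor-dan", "maintainer-carol", WRITERS)
# Unrelated account comments on the PR.
DRIVE_BY_COMMENT = PullRequestEvent(NS, "contributor-dan", "random-eve", WRITERS)
# Allowlisted user with write access, but in a namespace that is not allowlisted.
OUTSIDE_TRUSTED = PullRequestEvent("github.com/other", "trusted-bob", "trusted-bob", frozenset({"trusted-bob"}))
```

The contributor and admin cases flip from denied to allowed, while the allowlisted user outside an allowlisted namespace flips the other way, which is the tightening the Changes list describes.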