Adds CI to the Public Repo #76
CI Message: Your results will arrive shortly
@onvm I disabled you right?
@onvm CI for auth user
CI Message: Your results will arrive shortly
@onvm test CI
CI Message: User not authorized to run CI, please contact one of the repo maintainers
@AntonyDrovalov nice, everything works
| def init_ci_pipeline(): | ||
|
|
||
| if not verify_request_ip(request): | ||
| print("Incoming webkooh not from a valid Github address") |
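Review bot: the rejection message on the print line misspells "webhook" as "webkooh" and goes to stdout only. Fix the spelling and send this through the server's logger together with the source address, so a request that fails verify_request_ip leaves a record that can be searched later.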
| child.expect("Password.*") | ||
| child.sendline(password + "\n") | ||
|
|
||
| if '-dev' in REPO_NAME: |
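Review bot: `if '-dev' in REPO_NAME` is a substring test, so any repository whose name merely contains "-dev" takes this branch. Compare REPO_NAME against the exact expected repository name instead. Separately, if child is a pexpect spawn, sendline() already appends a line ending, so `password + "\n"` sends an extra empty line after the password.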
Is this because for openNetVM-dev, there are already permissions? So someone can only pull if they are in our team? Not an edit, just a question.
yep, if you have access to -dev -> it's assumed you can run CI
@onvm asdfasdf
| @app.route(EVENT_URL, methods=['POST']) | ||
| def init_ci_pipeline(): | ||
|
|
||
| if not verify_request_ip(request): |
When a server has to handle authN/authZ, it should maintain audit logs and error logs. These logs are not to be exposed to GitHub, but they are to be maintained internally.
The ideal way to go about this is to maintain some kind of "request context" that holds request-specific info such as the GitHub username, incoming IP, unique fields to identify the caller, and something to identify what GH op triggered the call (PR, issue, etc). This ctx should be passed throughout the CI rig for any call.
For every failure, the values from the req ctx and the failure message should be logged in the error log.
authN/authZ failures, for example, all of these verify_request_* calls and the check to see if the user is in the whitelist, should be logged in an audit log. These logs should contain alerts about who failed to log in and who is not authorized, and why they failed to log in.
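The request context and audit trail described in the comment above, as an added example that is not code from this PR. The field names, the `ci.audit` logger name and the `authorize` helper are assumptions, and the signature is assumed to be an HMAC-SHA256 of the raw body sent as `sha256=<hex>`.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass

audit_log = logging.getLogger("ci.audit")  # hypothetical logger name


@dataclass(frozen=True)
class RequestContext:
    """Per-request facts passed through the CI rig (field names are assumptions)."""
    user: str         # GitHub login taken from the payload
    remote_ip: str    # address the webhook arrived from
    delivery_id: str  # unique id for this call
    event: str        # what triggered it: pull_request, issue_comment, ...

    def describe(self):
        # repr() escapes newlines so a crafted login cannot forge a log line
        return (f"user={self.user!r} ip={self.remote_ip!r} "
                f"delivery={self.delivery_id!r} event={self.event!r}")


def deny(ctx, reason):
    """Audit an authN/authZ failure: who, from where, and why."""
    audit_log.warning("DENIED %s reason=%s", ctx.describe(), reason)
    return False


def grant(ctx, reason):
    audit_log.info("GRANTED %s reason=%s", ctx.describe(), reason)
    return True


def authorize(ctx, body, header_signature, secret, allowed_users):
    """Check the signature, then the allow-list; every outcome is audited."""
    algo, sep, sent = (header_signature or "").partition("=")
    if not sep or algo != "sha256":
        return deny(ctx, "missing or malformed signature header")
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # bytes comparison: constant-time, and tolerates non-ASCII header junk
    if not hmac.compare_digest(expected.encode(), sent.encode()):
        return deny(ctx, "signature mismatch")
    if ctx.user not in allowed_users:
        return deny(ctx, "user not in allow-list")
    return grant(ctx, "signature valid and user authorized")
```

Denials are logged at WARNING and grants at INFO, so the application's logging configuration can route or suppress them separately.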
|
|
||
| return False | ||
|
|
||
| def verify_request_secret(request): |
We talked offline, but I would like dealing with the secret to be like this:
- secret encrypted when stored at rest on disk
- ci server loads secret and enc key
- ci server decrypts secret
- ci server calculates and stores hash of secret
- ci server frees secret, enc secret, and key (ensure mem is free and cleared)
@onvm let's go my friend
@onvm now that I've started you, let's go
@onvm now that I have definitely started you, let's go
CI Message: Your results will arrive shortly
CI Message: Run successful see results: Linter Passed
@nks5295 give this a look it has logging and encryption. Should we also null and delete the request from memory (the one obtained from Flask)?
| return False | ||
|
|
||
| signature = header_signature.split('=')[1] | ||
| secret = decrypt_secret() |
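Review bot: `header_signature.split('=')[1]` raises IndexError when the header carries no "=", so a malformed request becomes an unhandled exception instead of a clean rejection. Split once, check that both parts are present and that the algorithm prefix is the one expected, and return False otherwise before calling decrypt_secret().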
Are we decrypting the secret each time? That's going to become expensive depending on how many times the CI is triggered.
Is it possible to calculate and store the secret digest during server init, and then to use that in this function when verifying request secrets?
|
|
||
| if (out): | ||
| print("Can't run CI, another CI run in progress") | ||
| log_access_granted(request_ctx, "CI busy, posting busy msg") |
Access granted will be printed more often than denied. What happens if there is no more disk space for the server to write logs to? Will the server block? Will it die? Can we make access granted logs be printed only if we have a switch in the config file?
Regardless, still worth thinking about log rotation strategy -- how can we leverage either (a) logrotate or (b) have the server do something to manage log size?
| logging.getLogger('werkzeug').setLevel(logging.ERROR) | ||
| logging.basicConfig(filename="access_log", filemode='a', | ||
| format='%(asctime)s, %(name)s %(levelname)s %(message)s', | ||
| datefmt='%d-%b-%y %H:%M:%S', level=logging.INFO) |
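Review bot: the datefmt on the last line, '%d-%b-%y %H:%M:%S', writes a two-digit year, a locale-dependent month name and no time zone, which makes the access log hard to sort and to correlate with other sources. An ISO 8601 style format such as '%Y-%m-%dT%H:%M:%S%z' avoids that. filename="access_log" is also a relative path, so the log lands wherever the server happens to be started; take an absolute path from the config file.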
For access denied, log level should be ALERT. For granted, INFO is fine.
| private_key = RSA.import_key(open(webhook_config['private-key-file']).read()) | ||
| global secret_file_name | ||
| global private_key_file_name | ||
| global secret |
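Review bot: `open(webhook_config['private-key-file']).read()` on the first line never closes the file; wrap it in a with block. The `global secret` declaration also means the secret lives in module-level state for as long as the process runs, so document where it is set and cleared, or keep it local to the function that needs it.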
This PR adds necessary changes and enables the CI usage from the public repo
Summary:
Allows CI to run in the public repository. This is done by extracting the repo name from the github webhook.
Also adds a few security updates:
https://api.github.com/meta
Usage:
Create a new PR or tag @onvm to check speed tester stats
Merging notes:
TODO before merging:
Test Plan:
Run CI, it currently runs this version so if everything is fine this will be good to merge.
Review:
Review checklist:
Sanity checks, assigned to @dennisafa @kevindweb
/onvm and /examples directories
Code style, assigned to @dennisafa @kevindweb
Code design, assigned to @dennisafa @kevindweb
Security @nks5295
Documentation, assigned to @dennisafa @kevindweb