-
-
Notifications
You must be signed in to change notification settings - Fork 331
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: implement server side filters for agents #3539
base: main
Are you sure you want to change the base?
Conversation
will allow woodpecker-ci#267 TODOs: API to set server-side-agent-filters; WebUI; secure all rpc endpoints; secure set of labels for non-admins
Nice. One step would be to add |
☝️ that's the idea ... I just wrote down my starting point while chating @ c-base in berling ... and my ideas after brainstorming :D this will take shape next week(s^tm) |
@@ -187,7 +187,6 @@ func run(c *cli.Context, backends []types.Backend) error { | |||
"hostname": hostname, | |||
"platform": engInfo.Platform, | |||
"backend": backendEngine.Name(), | |||
"repo": "*", // allow all repos by default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might be a breaking change as agent owners were allowed to filter for repos as well. We could solve this by adding the new enforced filters with sth like internal_repo_id
and internal_org_id
and leave repo
untouched
to make sure nothing breaks or leaks
Co-authored-by: Anbraten <6918444+anbraten@users.noreply.github.com>
@6543 I've added a commit with the enforced labels and checks I had in mind. What do you think about that approach? |
workflowID, err := strconv.ParseInt(id, 10, 64) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
workflow, err := s.store.WorkflowLoad(workflowID) | ||
if err != nil { | ||
log.Error().Err(err).Msgf("rpc.update: cannot find workflow with id %d", workflowID) | ||
return err | ||
} | ||
|
||
currentPipeline, err := s.store.GetPipeline(workflow.PipelineID) | ||
if err != nil { | ||
log.Error().Err(err).Msgf("cannot find pipeline with id %d", workflow.PipelineID) | ||
return err | ||
} | ||
|
||
repo, err := s.store.GetRepo(currentPipeline.RepoID) | ||
if err != nil { | ||
log.Error().Err(err).Msgf("cannot find repo with id %d", currentPipeline.RepoID) | ||
return err | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added quite a few selects to simply get the repo atm.
// Server side enforced agent filters | ||
Filters map[string]string `json:"filters" xorm:"'filters' json"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What kind of filters do you have in mind that should be set through the UI instead of the labels env variable config of the agent itself?
if a.IsSystemAgent() { | ||
filters["org-id"] = "*" // allow all orgs | ||
filters["repo-id"] = "*" // allow all repos | ||
} else if a.OrgID > 0 { | ||
filters["org-id"] = fmt.Sprintf("%d", a.OrgID) | ||
filters["repo-id"] = "*" // allow all repos of the org | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is what I had in mind to set agent access labels by filters ☝🏾
@@ -57,6 +57,13 @@ func queuePipeline(ctx context.Context, repo *model.Repo, pipelineItems []*stepb | |||
return server.Config.Services.Queue.PushAtOnce(ctx, tasks) | |||
} | |||
|
|||
func enforcedLabels(task *model.Task, repo *model.Repo) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
func enforcedLabels(task *model.Task, repo *model.Repo) { | |
func enforceLabels(task *model.Task, repo *model.Repo) { |
will allow #267, #1816 etc ...
TODOs: