WIP: implement server side filters for agents #3539
Conversation
will allow woodpecker-ci#267 TODOs: API to set server-side-agent-filters; WebUI; secure all rpc endpoints; secure set of labels for non-admins
|
Nice. One step would be to add |
|
☝️ that's the idea ... I just wrote down my starting point while chating @ c-base in berling ... and my ideas after brainstorming :D this will take shape next week(s^tm) |
| @@ -187,7 +187,6 @@ func run(c *cli.Context, backends []types.Backend) error { | |||
| "hostname": hostname, | |||
| "platform": engInfo.Platform, | |||
| "backend": backendEngine.Name(), | |||
| "repo": "*", // allow all repos by default | |||
There was a problem hiding this comment.
Might be a breaking change as agent owners were allowed to filter for repos as well. We could solve this by adding the new enforced filters with sth like internal_repo_id and internal_org_id and leave repo untouched
to make sure nothing breaks or leaks
Co-authored-by: Anbraten <6918444+anbraten@users.noreply.github.com>
|
@6543 I've added a commit with the enforced labels and checks I had in mind. What do you think about that approach? |
| workflowID, err := strconv.ParseInt(id, 10, 64) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| workflow, err := s.store.WorkflowLoad(workflowID) | ||
| if err != nil { | ||
| log.Error().Err(err).Msgf("rpc.update: cannot find workflow with id %d", workflowID) | ||
| return err | ||
| } | ||
|
|
||
| currentPipeline, err := s.store.GetPipeline(workflow.PipelineID) | ||
| if err != nil { | ||
| log.Error().Err(err).Msgf("cannot find pipeline with id %d", workflow.PipelineID) | ||
| return err | ||
| } | ||
|
|
||
| repo, err := s.store.GetRepo(currentPipeline.RepoID) | ||
| if err != nil { | ||
| log.Error().Err(err).Msgf("cannot find repo with id %d", currentPipeline.RepoID) | ||
| return err | ||
| } |
There was a problem hiding this comment.
I've added quite a few selects to simply get the repo atm.
| // Server side enforced agent filters | ||
| Filters map[string]string `json:"filters" xorm:"'filters' json"` |
There was a problem hiding this comment.
What kind of filters do you have in mind that should be set through the UI instead of the labels env variable config of the agent itself?
| if a.IsSystemAgent() { | ||
| filters["org-id"] = "*" // allow all orgs | ||
| filters["repo-id"] = "*" // allow all repos | ||
| } else if a.OrgID > 0 { | ||
| filters["org-id"] = fmt.Sprintf("%d", a.OrgID) | ||
| filters["repo-id"] = "*" // allow all repos of the org | ||
| } |
There was a problem hiding this comment.
This is what I had in mind to set agent access labels by filters ☝🏾
| @@ -57,6 +57,13 @@ func queuePipeline(ctx context.Context, repo *model.Repo, pipelineItems []*stepb | |||
| return server.Config.Services.Queue.PushAtOnce(ctx, tasks) | |||
| } | |||
|
|
|||
| func enforcedLabels(task *model.Task, repo *model.Repo) { | |||
There was a problem hiding this comment.
| func enforcedLabels(task *model.Task, repo *model.Repo) { | |
| func enforceLabels(task *model.Task, repo *model.Repo) { |
will allow #267, #1816 etc ...
TODOs: