Even looking back to before scope expressions landed in 2018:
```js
/** Report task completed */
api.declare({
method: 'post',
route: '/task/:taskId/runs/:runId/completed',
name: 'reportCompleted',
stability: API.stability.stable,
scopes: [
[
// Legacy
'queue:resolve-task',
'assume:worker-id:<workerGroup>/<workerId>',
], [
'queue:resolve-task:<taskId>/<runId>',
],
],
deferAuth: true,
input: undefined, // No input at this point
output: 'task-status-response.json#',
title: 'Report Run Completed',
description: [
'Report a task completed, resolving the run as `completed`.',
].join('\n'),
}, function(req, res) {
var taskId = req.params.taskId;
var runId = parseInt(req.params.runId, 10);
// Backwards compatibility with very old workers, should be dropped in the
// future
var target = req.body.success === false ? 'failed' : 'completed';
return resolveTask.call(this, req, res, taskId, runId, target);
});
```
that's still referencing parameters that aren't in the request. In fact, I can trace this all the way back to the first days of the queue. The legacy scopes were made "legacy" in [2015](https://github.com/taskcluster/taskcluster-queue/pull/67).
It looks like the scope-expression stuff only validates that parameters exist in the case where that branch is evaluated -- which makes sense for efficiency reasons. So I think this is just an error that occurs when a reportCompleted call is made with the wrong scopes?
Nope:
```
rubin ~ $ curl -s -d '' https://community-tc.services.mozilla.com/api/queue/v1/task/ajzXn8BTQgGE_BJVwPX2og/runs/0/completed | jq -r .message
This request requires Taskcluster credentials that satisfy the following scope expression:
```
{
"AnyOf": [
"queue:resolve-task:ajzXn8BTQgGE_BJVwPX2og/0",
{
"AllOf": [
"queue:resolve-task",
"assume:worker-id:random-local-worker/dummy-worker-GYbKKpHVS"
]
}
]
}
```
---
* method: reportCompleted
* errorCode: InsufficientScopes
* statusCode: 403
* time: 2020-05-14T15:02:00.906Z
```
that workerId / workerGroup is the fake worker that has claimed the task in the docker-worker integration tests.
Bug 1637982 Comment 1 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Even looking back to before scope expressions landed in 2018:
```js
/** Report task completed */
api.declare({
method: 'post',
route: '/task/:taskId/runs/:runId/completed',
name: 'reportCompleted',
stability: API.stability.stable,
scopes: [
[
// Legacy
'queue:resolve-task',
'assume:worker-id:<workerGroup>/<workerId>',
], [
'queue:resolve-task:<taskId>/<runId>',
],
],
deferAuth: true,
input: undefined, // No input at this point
output: 'task-status-response.json#',
title: 'Report Run Completed',
description: [
'Report a task completed, resolving the run as `completed`.',
].join('\n'),
}, function(req, res) {
var taskId = req.params.taskId;
var runId = parseInt(req.params.runId, 10);
// Backwards compatibility with very old workers, should be dropped in the
// future
var target = req.body.success === false ? 'failed' : 'completed';
return resolveTask.call(this, req, res, taskId, runId, target);
});
```
that's still referencing parameters that aren't in the request. In fact, I can trace this all the way back to the first days of the queue. The legacy scopes were made "legacy" in [2015](https://github.com/taskcluster/taskcluster-queue/pull/67).
It looks like the scope-expression stuff only validates that parameters exist in the case where that branch is evaluated -- which makes sense for efficiency reasons. So I think this is just an error that occurs when a reportCompleted call is made with the wrong scopes?
Nope:
```
rubin ~ $ curl -s -d '' https://community-tc.services.mozilla.com/api/queue/v1/task/ajzXn8BTQgGE_BJVwPX2og/runs/0/completed | jq -r .message
This request requires Taskcluster credentials that satisfy the following scope expression:
````
{
"AnyOf": [
"queue:resolve-task:ajzXn8BTQgGE_BJVwPX2og/0",
{
"AllOf": [
"queue:resolve-task",
"assume:worker-id:random-local-worker/dummy-worker-GYbKKpHVS"
]
}
]
}
````
---
* method: reportCompleted
* errorCode: InsufficientScopes
* statusCode: 403
* time: 2020-05-14T15:02:00.906Z
```
that workerId / workerGroup is the fake worker that has claimed the task in the docker-worker integration tests.
Even looking back to before scope expressions landed in 2018:
```js
/** Report task completed */
api.declare({
method: 'post',
route: '/task/:taskId/runs/:runId/completed',
name: 'reportCompleted',
stability: API.stability.stable,
scopes: [
[
// Legacy
'queue:resolve-task',
'assume:worker-id:<workerGroup>/<workerId>',
], [
'queue:resolve-task:<taskId>/<runId>',
],
],
deferAuth: true,
input: undefined, // No input at this point
output: 'task-status-response.json#',
title: 'Report Run Completed',
description: [
'Report a task completed, resolving the run as `completed`.',
].join('\n'),
}, function(req, res) {
var taskId = req.params.taskId;
var runId = parseInt(req.params.runId, 10);
// Backwards compatibility with very old workers, should be dropped in the
// future
var target = req.body.success === false ? 'failed' : 'completed';
return resolveTask.call(this, req, res, taskId, runId, target);
});
```
that's still referencing parameters that aren't in the request. In fact, I can trace this all the way back to the first days of the queue. The legacy scopes were made "legacy" in [2015](https://github.com/taskcluster/taskcluster-queue/pull/67).
It looks like the scope-expression stuff only validates that parameters exist in the case where that branch is evaluated -- which makes sense for efficiency reasons. So I think this is just an error that occurs when a reportCompleted call is made with the wrong scopes?
Nope:
````
rubin ~ $ curl -s -d '' https://community-tc.services.mozilla.com/api/queue/v1/task/ajzXn8BTQgGE_BJVwPX2og/runs/0/completed | jq -r .message
This request requires Taskcluster credentials that satisfy the following scope expression:
```
{
"AnyOf": [
"queue:resolve-task:ajzXn8BTQgGE_BJVwPX2og/0",
{
"AllOf": [
"queue:resolve-task",
"assume:worker-id:random-local-worker/dummy-worker-GYbKKpHVS"
]
}
]
}
```
---
* method: reportCompleted
* errorCode: InsufficientScopes
* statusCode: 403
* time: 2020-05-14T15:02:00.906Z
````
that workerId / workerGroup is the fake worker that has claimed the task in the docker-worker integration tests.