Unnamed temp credentials with issuerId seem not to respect scope expansion

RESOLVED WORKSFORME

Taskcluster
Authentication

(Reporter: pmoore, Assigned: pmoore)

Description

2 years ago
This was the HTTP request made:

POST /v1/task/Z_ZL1B1BQZWaGF8BWjG27A/define HTTP/1.1
Host: queue.taskcluster.net
Authorization: Hawk id="garbage/BIvlCDrWRQKZYQYsuOdkWA", mac="*****", ts="1457479789", nonce="*****", ext="*****"
Content-Type: application/json


{
  "provisionerId": "win-provisioner",
  "workerType": "win2008-worker",
  "schedulerId": "go-test-test-scheduler",
  "taskGroupId": "OtioOl9VSY2hDOipuh4HXA",
  "routes": [
    "tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163",
    "tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163"
  ],
  "priority": "high",
  "retries": 5,
  "created": "2016-03-08T23:29:49.159Z",
  "deadline": "2016-03-09T23:29:49.159Z",
  "expires": "2016-03-09T23:29:49.159Z",
  "scopes": [
    "test-worker:image:toastposter/pumpkin:0.5.6"
  ],
  "payload": {
    "features": {
      "relengApiProxy": true
    }
  },
  "metadata": {
    "description": "Stuff",
    "name": "[TC] Pete",
    "owner": "pmoore@mozilla.com",
    "source": "http://everywhere.com/"
  },
  "tags": {
    "createdForUser": "cbook@mozilla.com"
  },
  "extra": {
    "index": {
      "rank": 12345
    }
  }
}
This is the decoded (and formatted and obfuscated) ext value in the Authorization header:

{
    "certificate":{
        "version":1,
        "scopes":[
            "auth:azure-table-access:fakeaccount/DuMmYtAbLe",
            "queue:define-task:win-provisioner/win2008-worker",
            "queue:get-artifact:private/build/sources.xml",
            "queue:route:tc-treeherder.mozilla-inbound.*",
            "queue:route:tc-treeherder-stage.mozilla-inbound.*",
            "queue:task-priority:high",
            "test-worker:image:toastposter/pumpkin:0.5.6"
        ],
        "start":1457479489159,
        "expiry":1457483389159,
        "seed":"*****",
        "signature":"*****",
        "issuer":"mozilla-ldap/pmoore@mozilla.com/dev"
    }
}
The HTTP response received was:

		{
		  "code": "AuthenticationFailed",
		  "message": "ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes\n----\nerrorCode:  AuthenticationFailed\nstatusCode: 401\nrequestInfo:\n  method:   defineTask\n  params:   {\"taskId\":\"Z_ZL1B1BQZWaGF8BWjG27A\"}\n  payload:  {\n  \"provisionerId\": \"win-provisioner\",\n  \"workerType\": \"win2008-worker\",\n  \"schedulerId\": \"go-test-test-scheduler\",\n  \"taskGroupId\": \"OtioOl9VSY2hDOipuh4HXA\",\n  \"routes\": [\n    \"tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163\",\n    \"tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163\"\n  ],\n  \"priority\": \"high\",\n  \"retries\": 5,\n  \"created\": \"2016-03-08T23:29:49.159Z\",\n  \"deadline\": \"2016-03-09T23:29:49.159Z\",\n  \"expires\": \"2016-03-09T23:29:49.159Z\",\n  \"scopes\": [\n    \"test-worker:image:toastposter/pumpkin:0.5.6\"\n  ],\n  \"payload\": {\n    \"features\": {\n      \"relengApiProxy\": true\n    }\n  },\n  \"metadata\": {\n    \"description\": \"Stuff\",\n    \"name\": \"[TC] Pete\",\n    \"owner\": \"pmoore@mozilla.com\",\n    \"source\": \"http://everywhere.com/\"\n  },\n  \"tags\": {\n    \"createdForUser\": \"cbook@mozilla.com\"\n  },\n  \"extra\": {\n    \"index\": {\n      \"rank\": 12345\n    }\n  }\n}\n  time:     2016-03-08T23:29:49.258Z\ndetails:\n{\n  \"status\": \"auth-failed\",\n  \"message\": \"ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes\"\n}",
		  "requestInfo": {
		    "method": "defineTask",
		    "params": {
		      "taskId": "Z_ZL1B1BQZWaGF8BWjG27A"
		    },
		    "payload": {
		      "provisionerId": "win-provisioner",
		      "workerType": "win2008-worker",
		      "schedulerId": "go-test-test-scheduler",
		      "taskGroupId": "OtioOl9VSY2hDOipuh4HXA",
		      "routes": [
		        "tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163",
		        "tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163"
		      ],
		      "priority": "high",
		      "retries": 5,
		      "created": "2016-03-08T23:29:49.159Z",
		      "deadline": "2016-03-09T23:29:49.159Z",
		      "expires": "2016-03-09T23:29:49.159Z",
		      "scopes": [
		        "test-worker:image:toastposter/pumpkin:0.5.6"
		      ],
		      "payload": {
		        "features": {
		          "relengApiProxy": true
		        }
		      },
		      "metadata": {
		        "description": "Stuff",
		        "name": "[TC] Pete",
		        "owner": "pmoore@mozilla.com",
		        "source": "http://everywhere.com/"
		      },
		      "tags": {
		        "createdForUser": "cbook@mozilla.com"
		      },
		      "extra": {
		        "index": {
		          "rank": 12345
		        }
		      }
		    },
		    "time": "2016-03-08T23:29:49.258Z"
		  },
		  "details": {
		    "status": "auth-failed",
		    "message": "ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes"
		  }
		}
The formatted message looks like:


ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes
----
errorCode:  AuthenticationFailed
statusCode: 401
requestInfo:
  method:   defineTask
  params:   {"taskId":"Z_ZL1B1BQZWaGF8BWjG27A"}
  payload:  {
  "provisionerId": "win-provisioner",
  "workerType": "win2008-worker",
  "schedulerId": "go-test-test-scheduler",
  "taskGroupId": "OtioOl9VSY2hDOipuh4HXA",
  "routes": [
    "tc-treeherder.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163",
    "tc-treeherder-stage.mozilla-inbound.bcf29c305519d6e120b2e4d3b8aa33baaf5f0163"
  ],
  "priority": "high",
  "retries": 5,
  "created": "2016-03-08T23:29:49.159Z",
  "deadline": "2016-03-09T23:29:49.159Z",
  "expires": "2016-03-09T23:29:49.159Z",
  "scopes": [
    "test-worker:image:toastposter/pumpkin:0.5.6"
  ],
  "payload": {
    "features": {
      "relengApiProxy": true
    }
  },
  "metadata": {
    "description": "Stuff",
    "name": "[TC] Pete",
    "owner": "pmoore@mozilla.com",
    "source": "http://everywhere.com/"
  },
  "tags": {
    "createdForUser": "cbook@mozilla.com"
  },
  "extra": {
    "index": {
      "rank": 12345
    }
  }
}
  time:     2016-03-08T23:29:49.258Z
details:
{
  "status": "auth-failed",
  "message": "ext.certificate issuer `mozilla-ldap/pmoore@mozilla.com/dev` doesn't have sufficient scopes"
}


This appears to be a bug, since defineTask requires:

* queue:define-task:<provisionerId>/<workerType>, or
* queue:create-task:<provisionerId>/<workerType>, or
* (queue:define-task:<provisionerId>/<workerType> and queue:task-group-id:<schedulerId>/<taskGroupId>)

and clientId `mozilla-ldap/pmoore@mozilla.com/dev` has "queue:*",
and the unnamed temporary credentials of the request have "queue:define-task:win-provisioner/win2008-worker".

The issuer, mozilla-ldap/pmoore@mozilla.com/dev, has

    assume:*
    auth:*
    aws-provisioner:*
    docker-worker:*
    hooks:*
    index:*
    project:*
    purge-cache:*
    queue:*
    scheduler:*
    secrets:*

but the temporary credentials specify

            "auth:azure-table-access:fakeaccount/DuMmYtAbLe",
            "queue:define-task:win-provisioner/win2008-worker",
            "queue:get-artifact:private/build/sources.xml",
            "queue:route:tc-treeherder.mozilla-inbound.*",
            "queue:route:tc-treeherder-stage.mozilla-inbound.*",
            "queue:task-priority:high",
            "test-worker:image:toastposter/pumpkin:0.5.6"

and the issuer doesn't satisfy test-worker:image:toastposter/pumpkin:0.5.6.
Assignee: nobody → pmoore
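The issuer-versus-certificate check that the comment above walks through, as an added example (not Taskcluster's own code) run over the two scope lists quoted in this bug; it assumes the standard Taskcluster scope rule that a scope ending in `*` satisfies any scope sharing the prefix before the star:

```python
from typing import Iterable, List


def scope_satisfies(granted: str, required: str) -> bool:
    """A granted scope satisfies a required one if they are equal, or if the
    granted scope ends in '*' and its prefix starts the required scope."""
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def scopes_satisfy(granted: Iterable[str], required: str) -> bool:
    """True if any scope in the granted set satisfies `required`."""
    return any(scope_satisfies(g, required) for g in granted)


def unsatisfied_certificate_scopes(issuer_scopes: List[str], certificate_scopes: List[str]) -> List[str]:
    """Certificate scopes that the issuer cannot grant.

    For temporary credentials every scope in ext.certificate.scopes must be
    satisfied by the issuer's own scopes; a single unsatisfied scope fails the
    whole request with AuthenticationFailed, before the endpoint's own scope
    requirement is even considered.
    """
    return [s for s in certificate_scopes if not scopes_satisfy(issuer_scopes, s)]


# Scope lists as quoted in this bug: the issuer clientId's scopes and the
# scopes written into the temporary credentials' certificate.
ISSUER_SCOPES = ["assume:*", "auth:*", "aws-provisioner:*", "docker-worker:*",
                 "hooks:*", "index:*", "project:*", "purge-cache:*", "queue:*",
                 "scheduler:*", "secrets:*"]
CERT_SCOPES = ["auth:azure-table-access:fakeaccount/DuMmYtAbLe",
               "queue:define-task:win-provisioner/win2008-worker",
               "queue:get-artifact:private/build/sources.xml",
               "queue:route:tc-treeherder.mozilla-inbound.*",
               "queue:route:tc-treeherder-stage.mozilla-inbound.*",
               "queue:task-priority:high",
               "test-worker:image:toastposter/pumpkin:0.5.6"]
DEFINE_TASK_SCOPE = "queue:define-task:win-provisioner/win2008-worker"

if __name__ == "__main__":
    # The endpoint's own requirement is met by both the issuer and the cert...
    print(scopes_satisfy(ISSUER_SCOPES, DEFINE_TASK_SCOPE),
          scopes_satisfy(CERT_SCOPES, DEFINE_TASK_SCOPE))
    # ...but one certificate scope has no issuer scope covering it, so the
    # auth service rejects the whole request with a 401.
    print(unsatisfied_certificate_scopes(ISSUER_SCOPES, CERT_SCOPES))
```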

Comment 2

2 years ago
Whoops, thanks Dustin!
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME