Closed Bug 1491186 Opened 6 years ago Closed 6 years ago

validate that non-generic actions are not run with action_perm = generic

Categories

(Firefox Build System :: Task Configuration, task)

Product:
Firefox Build System
Component:
Task Configuration
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(firefox-esr60 fixed, firefox62 fixed, firefox64 fixed)

Status:
RESOLVED FIXED
Milestone:
mozilla64
Tracking Flags:
Tracking Status
firefox-esr60 --- fixed
firefox62 --- fixed
firefox64 --- fixed

People

(Reporter: dustin, Assigned: dustin)

Details

Attachments

(2 files)

Bug 1491186: sanity check action scopes
46 bytes, text/x-phabricator-request
mozilla
: review+
tomprince
: review+
Details | Review
Bug 1491186: don't sanity check scopes for kind=task
46 bytes, text/x-phabricator-request
bhearsum
: review+
Details | Review
It's hard to see why someone would do this, but let's make such actions fail on contact anyway. I think this means that ci-admin needs to configure *generic* hooks to pass some indication to the task that this is a generic run; and then the in-tree action code needs to fail fast if that indication is present but cb_name points to a non-generic action.
This provides a modicum of assurance that, for example, a non-generic action is not being run with generic scopes. While scopes would prevent any serious damage from such an action, this provides an extra layer of security to prevent such abuse.
Comment on attachment 9010299 [details] Bug 1491186: sanity check action scopes Aki Sasaki [:aki] has approved the revision.
Attachment #9010299 - Flags: review+
Comment on attachment 9010299 [details] Bug 1491186: sanity check action scopes Tom Prince [:tomprince] has approved the revision.
Attachment #9010299 - Flags: review+
Pushed by dmitchell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/090051ce866f sanity check action scopes r=aki,tomprince
https://hg.mozilla.org/mozilla-central/rev/090051ce866f
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
This appears to have broken release promotion on Maple. From https://tools.taskcluster.net/groups/PC32PCpzQy2U_aK7vpxKpA/tasks/bE30WPeoT_i5me8Pp-5ZIw/details: [task 2018-09-25T00:18:01.880Z] + ./mach --log-no-times taskgraph action-callback [task 2018-09-25T00:18:02.404Z] loading config from `taskcluster/ci/config.yml` [task 2018-09-25T00:18:03.236Z] Traceback (most recent call last): [task 2018-09-25T00:18:03.236Z] File "/builds/worker/checkouts/gecko/taskcluster/mach_commands.py", line 252, in action_callback [task 2018-09-25T00:18:03.236Z] test=False) [task 2018-09-25T00:18:03.236Z] File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/actions/registry.py", line 353, in trigger_action_callback [task 2018-09-25T00:18:03.236Z] sanity_check_task_scope(callback, parameters, graph_config) [task 2018-09-25T00:18:03.236Z] File "/builds/worker/checkouts/gecko/taskcluster/taskgraph/actions/registry.py", line 332, in sanity_check_task_scope [task 2018-09-25T00:18:03.236Z] raise Exception('Expected task scope {} for this action'.format(expected_scope)) [task 2018-09-25T00:18:03.236Z] Exception: Expected task scope assume:repo:hg.mozilla.org/projects/maple:action:generic for this action AFAICT, maple is configured the same way as mozilla-beta, so this is likely to break when this is uplifted. I'm guessing we need to change something in tree or in Ship It to fix it?
Flags: needinfo?(dustin)
How are you running that action? The task has scopes assume:repo:hg.mozilla.org/projects/maple:branch:default https://hg.mozilla.org/projects/maple/file/tip/taskcluster/taskgraph/actions/registry.py#l203 # tasks get all of the scopes the original push did, yuck; this is not # done with kind = hook. repo_scope = 'assume:repo:{}/{}:branch:default'.format( match.group(1), match.group(2)) action['repo_scope'] = repo_scope so, it sounds like we should make this particular scope check only apply for `kind: hook`.
Flags: needinfo?(dustin)
(In reply to Dustin J. Mitchell [:dustin] pronoun: he from comment #8) > How are you running that action? The task has scopes > > assume:repo:hg.mozilla.org/projects/maple:branch:default > > https://hg.mozilla.org/projects/maple/file/tip/taskcluster/taskgraph/actions/ > registry.py#l203 > # tasks get all of the scopes the original push did, yuck; > this is not > # done with kind = hook. > repo_scope = 'assume:repo:{}/{}:branch:default'.format( > match.group(1), match.group(2)) > action['repo_scope'] = repo_scope > > so, it sounds like we should make this particular scope check only apply for > `kind: hook`. The action is run by Ship It, which looks like it uses https://github.com/mozilla/release-services/blob/master/src/shipit/api/shipit_api/models.py#L133 to generate the action task.
Ship-it looks like it's doing the right thing.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment on attachment 9011778 [details] Bug 1491186: don't sanity check scopes for kind=task Ben Hearsum (:bhearsum) has approved the revision.
Attachment #9011778 - Flags: review+
I landed this since tomprince is away. Tom, feel free to re-open for an r- :)
Pushed by dmitchell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9a765e968a4a don't sanity check scopes for kind=task r=bhearsum
https://hg.mozilla.org/mozilla-central/rev/9a765e968a4a
Status: REOPENED → RESOLVED
Closed: 6 years ago6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: