Blacklist listening to some specific exchanges
Categories: Taskcluster :: Services, enhancement
Tracking: Not tracked
People: Reporter: dustin, Assigned: ydidwania
Let's have a configurable blacklist of "forbidden" exchanges.
In particular, I'd like to avoid listening to any of the queue exchanges, as they publish LOTS of messages and could easily be used to create a "bomb" by creating tasks in response to task-creation messages.
Updated•7 years ago
Comment 1 (Assignee) • 7 years ago
Yes, also the hook-* exchanges.
Should we be checking the exchange against the list of blacklisted exchanges when creating/updating a hook itself?
Dustin, is there anything you want me to consider?
Comment 2 (Reporter) • 7 years ago
I think it makes sense to check it at hook creation / update time, yes.
Let's call it a "denylist" instead of "blacklist". It should be a value in config.yml.
Comment 3 (Assignee) • 6 years ago
Comment 4 (Reporter) • 6 years ago
All set! Do you want to make a test hook to see the deny happen? If it works, go ahead and close the bug :D
Comment 5 (Assignee) • 6 years ago
I want to, but I don't have the scopes :)
Comment 6 (Reporter) • 6 years ago
Response Payload:
{
  "code": "InputError",
  "message": "One or more of the exchanges below have been denied access to hooks\n[object Object]\n\n---\n\n* method: createHook\n* errorCode: InputError\n* statusCode: 400\n* time: 2019-03-11T14:18:34.900Z",
  "requestInfo": {
    "method": "createHook",
    "params": {
      "hookGroupId": "garbage",
      "hookId": "recurse"
    },
    "payload": {
      "metadata": {
        "name": "rec",
        "description": "rec",
        "owner": "d@m.c",
        "emailOnError": true
      },
      "schedule": [],
      "bindings": [
        {
          "exchange": "exchange/taskcluster-hooks/v1/hook-created",
          "routingKeyPattern": "#"
        }
      ],
      "task": {
        "provisionerId": "aws-provisioner-v1",
        "workerType": "tutorial",
        "payload": {
          "image": "ubuntu:14.04",
          "command": [
            "/bin/bash",
            "-c",
            "echo \"hello World\""
          ],
          "maxRunTime": 600
        },
        "metadata": {
          "name": "Hook Task",
          "description": "Task Description",
          "owner": "name@example.com",
          "source": "https://tools.taskcluster.net/hooks"
        },
        "expires": {
          "$fromNow": "3 months"
        },
        "deadline": {
          "$fromNow": "6 hours"
        }
      },
      "triggerSchema": {
        "type": "object",
        "properties": {},
        "additionalProperties": false
      },
      "hookGroupId": "garbage",
      "hookId": "recurse"
    },
    "time": "2019-03-11T14:18:34.900Z"
  }
}
In the UI:
Error executing operation
One or more of the exchanges below have been denied access to hooks [object Object]
So, it worked, but maybe the error message could be improved?
Comment 7 (Reporter) • 6 years ago
Error message improved: https://github.com/taskcluster/taskcluster/pull/389
Awesome, thanks!
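Added example, not part of the original bug thread and not Taskcluster's own code: a sketch of the create/update-time denylist check discussed above, with an error message that names the denied exchanges instead of rendering "[object Object]". The denylist entries, the prefix matching, and the names `DENYLIST`, `deniedBindings` and `checkHookBindings` are assumptions for illustration; in the service the list would come from config.yml.

```javascript
// Added example, not Taskcluster's code. Denylist entries, prefix matching
// and all function names here are assumptions made for illustration.
const DENYLIST = [
  'exchange/taskcluster-queue/', // constructed entry: the queue exchanges
  'exchange/taskcluster-hooks/', // constructed entry: the hook-* exchanges
];

// Return the bindings whose exchange matches a denied prefix. A binding
// without a string exchange is treated as denied (fail closed).
function deniedBindings(bindings, denylist = DENYLIST) {
  return (bindings || []).filter(b =>
    typeof b.exchange !== 'string' ||
    denylist.some(prefix => b.exchange.startsWith(prefix)));
}

// Validate a createHook/updateHook payload before it is stored. The message
// is built from the exchange names; a plain object coerced to a string
// renders as "[object Object]", which tells the caller nothing.
function checkHookBindings(hookDef, denylist = DENYLIST) {
  const denied = deniedBindings(hookDef.bindings, denylist);
  if (denied.length === 0) {
    return {ok: true};
  }
  const names = denied.map(b => String(b.exchange)).join(', ');
  return {
    ok: false,
    code: 'InputError',
    statusCode: 400,
    message: 'One or more of the exchanges below have been denied ' +
      `access to hooks: ${names}`,
  };
}

// The binding from the request payload quoted in comment 6.
const SAMPLE_HOOK = {
  bindings: [{
    exchange: 'exchange/taskcluster-hooks/v1/hook-created',
    routingKeyPattern: '#',
  }],
};
console.log(checkHookBindings(SAMPLE_HOOK).message);
```

Running the same check in both the create and update handlers keeps a hook from being created with an allowed binding and later edited to point at a denied exchange.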