Open Bug 1825409 Opened 3 years ago Updated 3 years ago

Treeherder should inject bewit when linking to private Taskcluster artifacts

Categories

(Tree Management :: Treeherder, defect)

Product:
Tree Management
Component:
Treeherder
Type:
defect

Tracking

(Not tracked)

People

(Reporter: aosmond, Unassigned)

Details

Anyone with "team_moco" permissions should be able to access the build artifacts for h264s tasks in https://treeherder.mozilla.org/jobs?repo=try&revision=62ec326108e04b9a6f6b349fe86f87fb80e9ccec

However I get permission denied despite being logged into my MoCo account on treeherder.

If I inspect the task and access it another path, e.g.:
https://firefox-ci-tc.services.mozilla.com/tasks/cNBHpXyDT-qufGFP8xvBpw

Then I am able to download it while logged in (and cannot if signed out, as expected). Not a big deal, I can work with this, but presumably we should fix this if possible?

I agree. team_moco should be able to download these files. On Element, :aosmond pointed me to (https://phabricator.services.mozilla.com/D96938)[https://phabricator.services.mozilla.com/D96938], which took care of the problem on the Taskcluster side. That explains why files can be downloaded when inspecting the task on Taskcluster.

I see what's going on, then! Private artifacts have a short-lived token (called bewit embedded on the URL. The taskcluster UI takes care of injecting this bewit, e.g.: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Ku480fVKTSuSIxbUOICwFw/runs/0/artifacts/private%2Fopenh264%2Fopenh264-linux32-0a48f4d2e9be2abb4fb01b4c3be83cf44ce91a6e.zip?bewit=[A VERY LONG BASE64 STRING]. However, Treerherder doesn't handle this case.

I'm not sure what's the right way to fix this, though. Any idea, :pmoore?

Flags: needinfo?(pmoore)
Summary: Cannot download h264s zips directly on treeherder despite team_moco permissions, works via task inspector UI → Treeherder should inject bewit when linking to private Taskcluster artifacts

The request needs to be signed, either with a bewit (which should be generated at the time the download is requested, not cached anywhere, since it has a limited expiration anyway) or with an HTTP Authorization header. It seems the taskcluster Task Inspector UI has chosen to do this with a bewit, and indeed it looks like treeherder does not sign the requests at all. I'm not sure why the taskcluster Task Inspector UI uses a bewit rather than adding an HTTP Authorization header to the request. Normally bewits should only be used when the request needs to be made by an unauthenticated client.

The taskcluster web-client is here:

It should be possible for treeherder to use this client to sign artifact requests when the user is logged in, either by injecting the Authorization header, or by adding a bewit at runtime.

The danger of using a bewit is that if somebody shares the link to the artifact e.g. over a matrix/slack channel, anyone in that channel would have access. By requiring that an Authorization header is present, only authorized users would be able to download it.

I will raise a separate issue for taskcluster to see if we can switch from using bewits to using the Authorization header instead in the taskcluster Task Inspector UI.

Flags: needinfo?(pmoore)
You need to log in before you can comment on or make changes to this bug.