SecReview: proxy read only servo buildbot interface somewhere public

RESOLVED FIXED

Status

mozilla.org
Security Assurance: Review Request
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: bhearsum, Assigned: rforbes)

Tracking

Details

(Whiteboard: [pending secreview][Web])

(Reporter)

Description

5 years ago
Read-only WebStatus is here: http://buildbot-master-servo-01.srv.servo.releng.use1.mozilla.com:8001/

I'm not sure what the entry point URL should be, or which system should handle the proxying. Dustin, maybe you have a better idea?

Setting sec-review? per IRC.
Flags: sec-review?(jstevensen)
My suggestion is to proxy this via http://servo-buildbot.pub.build.mozilla.org.  Exactly how that's implemented isn't important.  HTTP because there are no credentials involved.

Updated

5 years ago
Flags: sec-review?(jstevensen) → sec-review?(gdestuynder)
Moving over to webappsec per :kang's advice.

I'm happy to discuss the finer points in whatever medium is easiest.  I'm the Buildbot maintainer so I have a decent amount of knowledge of its internals.

Note that it is not currently possible to run the web UI on a different host from the master itself.  There's probably about 1 FTE-year of work to do to get to that point, so if Mozilla happened to want that badly enough, I'm sure I could make good use of a contractor ;)

For comparison, this is very similar to http://buildbot.rust-lang.org -- just not hosted in labs.  The servo-related networks are well isolated from the releng network.
Component: Release Engineering: Automation (General) → Security Assurance: Review Request
Flags: sec-review?(gdestuynder)
QA Contact: catlee → mcoates
Summary: proxy read only servo buildbot interface somewhere public → SecReview: proxy read only servo buildbot interface somewhere public
Whiteboard: [pending secreview]
The major issue with this project is that the exposesd web interface runs on the build masters.
Those machines, if compromised, can compromise all the build system (in this case, servo).

I did recommend splitting the UI from the master hence comment 2, as it seems to be a difficult task.
* Who is/are the point of contact(s) for this review?

Ben and me

* Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):

Buildbot is a continuous-integration framework being used to build and test Servo.

* Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

http://buildbot.net
https://github.com/buildbot/buildbot

* Does this request block another bug? If so, please indicate the bug number

Bug 861283

* This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

Ben?

* To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?

Yes; https://intranet.mozilla.org/2013Q2Goals#Release_Engineering
    [ON TRACK] initial support for Servo builds bug 861283

* Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?

Yes; Servo is expected to be a part of Firefox eventually

* Are there any portions of the project that interact with 3rd party services?

No

* Will your application/service collect user data? If so, please describe 

No

* If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

see comment 2

* Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite

Me, Ben
(Reporter)

Comment 5

5 years ago
(In reply to Dustin J. Mitchell [:dustin] from comment #4)
> * This review will be scheduled amongst other requested reviews. What is the
> urgency or needed completion date of this review?
> 
> Ben?

Without asking that this bump other work, as soon as possible. Right now I'm stuck relaying logs to the people that actually need them. Hopefully the Rust already has a publicly accessible Buildbot will hurry this along?

> * Does this feature or code change affect Firefox, Thunderbird or any
> product or service the Mozilla ships to end users?
> 
> Yes; Servo is expected to be a part of Firefox eventually

It's worth noting that Servo is still in very early stages, though, and will likely be code dropped into other repositories when the time comes to integrate.
Component: Security Assurance: Review Request → Release Engineering: Automation (General)

Updated

5 years ago
Component: Release Engineering: Automation (General) → Security Assurance: Review Request
Assignee: nobody → gdestuynder
:kang looked at this from the opesec side and this now needs a websec review, assigning to :rforbes
Assignee: gdestuynder → rforbes
(Reporter)

Comment 7

5 years ago
Any update or timeline here? I'm acting as a human proxy until this is done, which isn't very efficient for the Servo folks.
(Reporter)

Updated

5 years ago
Flags: needinfo?(rforbes)
(Assignee)

Comment 8

5 years ago
is there an instance up that I can run some pen tests against?
Flags: needinfo?(rforbes)
buildbot-master-servo-01.srv.servo.releng.use1.mozilla.com.
You can have your way with buildbot.buildbot.net, too.  I'd love to make a good chemspill release :)
(Reporter)

Comment 11

5 years ago
(In reply to Dustin J. Mitchell [:dustin] from comment #9)
> buildbot-master-servo-01.srv.servo.releng.use1.mozilla.com.

Use port 8001 for this, please. That's the exact read-only interface that we want to proxy.
(Assignee)

Comment 12

5 years ago
can i get an account on the buildbot.buildbot.net system?

thanks!
(Assignee)

Comment 13

5 years ago
ok, so i went through this.  sorry it took me so long.  i didn't find anything to call out.  i will say that on our network we will require SSL connection since there is a login, and our preference would be to not have a single user name and password that is shared.  other than that, feel free to deploy.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 14

5 years ago
(In reply to Raymond Forbes[:rforbes] from comment #13)
> ok, so i went through this.  sorry it took me so long.  i didn't find
> anything to call out.  i will say that on our network we will require SSL
> connection since there is a login, and our preference would be to not have a
> single user name and password that is shared.  other than that, feel free to
> deploy.

Thanks Raymond.

I'm not sure what you mean by using SSL or usernames+passwords though...the Servo interface is read-only, HTTP, and doesn't require any authentication: http://buildbot-master-servo-01.srv.servo.releng.use1.mozilla.com:8001/. I'd be fine with adding SSL at whatever the frontend host ends up being, but this is supposed to be a public interface - so a username and password doesn't really make sense to me...
(Assignee)

Comment 15

5 years ago
to be clear, i was looking at buildbot.buildbot.net.  i thought that was a representation of what we would be doing.  when i go there the site is not ssl and there is a login page.  that is what i was basing it on.
(Reporter)

Comment 16

5 years ago
(In reply to Raymond Forbes[:rforbes] from comment #15)
> to be clear, i was looking at buildbot.buildbot.net.  i thought that was a
> representation of what we would be doing.  when i go there the site is not
> ssl and there is a login page.  that is what i was basing it on.

Ah, OK. Does that mean we're OK without authentication for the Servo master?
I'm sorry to have muddied the waters so!  I think that the servo buildmaster is a strict subset of buildbot.buildbot.net in terms of attack surface, so if bb.bb.net is OK, servo is too.  Raymond, please let me know if you disagree.
(Assignee)

Comment 18

5 years ago
that sounds ok to me.  go ahead with your plans.
Whiteboard: [pending secreview] → [pending secreview][Web]
You need to log in before you can comment on or make changes to this bug.