Open zimbatm opened 5 months ago
It's possible. We already limit certain builder endpoints for projects: https://github.com/Mic92/buildbot-nix/blob/b0526ceab2ec89bed5e194a206391a7d85a833e7/buildbot_nix/__init__.py#L663 This can also be extended to limit the visible logs of the project itself.
Could it also be extended to the builder activity?
I'll look into it tomorrow, should be done with a prototype by the evening.
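Very briefly looking into this, I instrumented buildbot's authentication with the following code:

```python
import inspect
import types
from typing import Any

from buildbot.plugins import util

# `log` and `allow_rules` are assumed to be defined in the surrounding module.
any_endpoint_matcher = util.AnyEndpointMatcher(role="admin", defaultDeny=False)
old_match = any_endpoint_matcher.match


def match(self: util.AnyEndpointMatcher, ep: Any, action: Any, options: Any) -> Any:
    if options is None:
        options = {}
    try:
        # Resolve the endpoint object and log every class in its MRO.
        epobject, epdict = self.master.data.getEndpoint(ep)
        for klass in inspect.getmro(epobject.__class__):
            log.info(
                "matching on {klass} with action: {action}",
                klass=klass.__name__,
                action=action,
            )
    except Exception:
        # Logging is best effort; never let it break the auth check.
        pass
    # Return the original matcher's result so authorization behaves as before.
    return old_match(ep, action, options)


any_endpoint_matcher.match = types.MethodType(match, any_endpoint_matcher)
allow_rules.append(any_endpoint_matcher)
```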
Which then prints me a list of endpoints that buildbot is looking for auth for. Said list reveals: `ProjectsEndpoint` comes into play on the `/#/projects` URL. Interestingly, at `/#/projects/3`, where I would expect `ProjectEndpoint` to show up (also according to the patterns it matches), it doesn't actually show up. The endpoints that do show up are: `[ProjectsEndpoint, MasterEndpoint, WorkersEndpoint, BuildRequestsEndpoint, BuildersEndpoint, ChangesEndpoint, BuildsEndpoint]`, but that doesn't help us much as far as I can tell. `ProjectEndpoint` only appears at `#/builders/19`, which makes no sense to me. But I'm probably misunderstanding something.

All of this testing has been done on the `github_app` branch, as I didn't really want to change my nix config from developing that :) and while not logged into buildbot at all. But assuming that the correct endpoints would show up, we have a problem anyway, as `ProjectsEndpoint` does not do any filtering whatsoever and does not allow for it. It directly calls up the DB right here; that function, if followed, directly executes the equivalent of `select * from projects;` with no room for any filtering either. So this either calls for upstream changes or a mixin.

Not sure what's the correct path forward here and I would appreciate some input as to what to do here. (This little foray into buildbot's endpoint handling also tells me that custom UI is possible with mixins and custom endpoints probably :tada:)

But also this only comes into play if we want to limit access to projects, for builds it's quite simple, namely , we have the same problem here too: at the `BuildsEndpoint` `/builds` endpoint it is not enough to just allow or deny it, the response must be edited as far as I can tell. The current code does not allow marking some builds as visible and others not.
Ok. I suspected something like this since Buildbot was designed for open-source use.
Since this requires a major refactor, a better short-term solution is to shield the installation. Users can decide to make their instance private, and then only logged-in users can see build information. Webhooks need to be sent through still.
I'm pushing this to the future milestone then
Is this addressed by https://github.com/nix-community/buildbot-nix/pull/251?
Not really, what #251 gets us is all-or-nothing support for access control. Ideally one wouldn't have to run 2 instances for public and private repositories.
In some settings, we only want to show the builds to users with access to the repos.
Is it possible to map the repo access control to the authenticated users?
If not, create a "private" mode where only logged-in users can see the builds and builders.
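
The difference this thread turns on, between allowing or denying a whole endpoint and filtering rows inside a collection response such as `/builds`, shown as an added example. It is not part of the thread and is not Buildbot or buildbot-nix code: the `User` type, the sample rows, `PRIVATE_PROJECTS` and all function names are hypothetical, and hiding builds that have no project is an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed rows shaped like a /builds collection response (not real Buildbot output).
BUILDS = [
    {"buildid": 1, "projectid": 1},
    {"buildid": 2, "projectid": 2},
    {"buildid": 3, "projectid": None},  # build that cannot be tied to a project
]
PRIVATE_PROJECTS = {2}  # hypothetical: ids of projects backed by private repos


@dataclass
class User:
    name: str | None = None  # None means anonymous
    projects: set[int] = field(default_factory=set)  # projects the user's repo access covers


def endpoint_level(user: User, private_mode: bool) -> list[dict]:
    """All-or-nothing: one decision for the whole endpoint, never per row."""
    if private_mode and user.name is None:
        return []
    return list(BUILDS)


def row_visible(user: User, row: dict) -> bool:
    """Per-row decision based on the project a build belongs to."""
    pid = row.get("projectid")
    if pid is None:
        return False  # fail closed: a build with no project is hidden (assumption)
    if pid not in PRIVATE_PROJECTS:
        return True  # public project, visible to everyone
    return pid in user.projects


def row_level(user: User) -> list[dict]:
    """Edit the response: keep only the rows this user may see."""
    return [row for row in BUILDS if row_visible(user, row)]


def build_ids(rows: list[dict]) -> list[int]:
    return sorted(row["buildid"] for row in rows)
```

With the endpoint-level check, a logged-in user without access to project 2 still receives build 2 in private mode; only the row-level filter withholds it.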