nix-community / buildbot-nix

A nixos module to make buildbot a proper Nix-CI [maintainer=@Mic92,@MagicRB]
MIT License
120 stars 23 forks source link

buildbot-nix access control for private repos #165

Open zimbatm opened 5 months ago

zimbatm commented 5 months ago

In some settings, we only want to show the builds to users with access to the repos.

Is it possible to map the repo access control to the authenticated users?

If not, create a "private" mode where only logged-in users can see the builds and builders.

Mic92 commented 5 months ago

It's possible. We already limit certain builder endpoints for projects: https://github.com/Mic92/buildbot-nix/blob/b0526ceab2ec89bed5e194a206391a7d85a833e7/buildbot_nix/__init__.py#L663 This can be also extended to limit logs visible of project itself.

zimbatm commented 5 months ago

Could it also be extended to the builder activity?

MagicRB commented 5 months ago

Ill look into it tomorrow, should be done with a prototype by the evening

MagicRB commented 5 months ago

Very briefly looking into this, I instrumented buildbots authentication with the following code:

    any_endpoint_matcher = util.AnyEndpointMatcher(role="admin", defaultDeny=False)
    old_match = any_endpoint_matcher.match

    def match(self: util.AnyEndpointMatcher, ep: Any, action: Any, options: Any) -> Any:
        import inspect

        if options is None:
            options = {}
        try:
            epobject, epdict = self.master.data.getEndpoint(ep)
            for klass in inspect.getmro(epobject.__class__):
                log.info(
                    "matching on {klass} with action: {action}",
                    klass=klass.__name__,
                    action=action,
                )
        except:
            pass
        old_match(ep, action, options)

    import types

    any_endpoint_matcher.match = types.MethodType(match, any_endpoint_matcher)

    allow_rules.append(any_endpoint_matcher)

Which then prints me a list of endpoints that buildbot is looking for auth for, said list reveals:

  1. ProjectsEndpoint
  2. ProjectEndpoint

ProjectsEndpoint comes into play on the /#/projects URL. Interestingly at /#/projects/3 where I would expect ProjectEndpoint to show up, (also according to the patterns it matches) it doesn't actually show up. The endpoints that do show up are: [ProjectsEndpoint, MasterEndpoint, WorkersEndpoint, BuildRequestsEndpoint, BuildersEndpoint, ChangesEndpoint, BuildsEndpoint] but that doesn't help us much as far as I can tell. ProjectEndpoint only appears at #/builders/19 which makes no sense to me. But I'm probably misunderstanding something.

All of this testing has been done on the github_app branch as I didn't really want to change my nix config from developing that :) and while not logged into buildbot at all. But assuming that the correct endpoints would show up, we have a problem anyway as ProjectsEndpoint does not do any filtering whatsoever and does not allow for it. It directly calls up the DB right here, that function if followed directly executes the equivalent of select * from projects; with no room for any filtering either. So this either calls for upstream changes or a mixin.

Not sure what's the correct path forward here and I would appreciate some input as to what to do here. (this little foray into buildbots endpoint handling also tells me that custom UI is possible with mixins and custom endpoints probably :tada:)

MagicRB commented 5 months ago

But also this only comes into play if we want to limit access to projects, for builds its quite simple, namely BuildsEndpoint, we have the same problem here too, at the /builds endpoint it is not enough to just allow or deny it, the response must be edited as far as I can tell. The current code does not allow to mark some build as visible and others not.

zimbatm commented 5 months ago

Ok. I suspected something like this since Buildbot was designed for open-source use.

Since this requires a major refactor, a better short-term solution is to shield the installation. Users can decide to make their instance private, and then only logged-in users can see build information. Webhooks need to be sent through still.

MagicRB commented 4 months ago

I'm pushing this to the future milestone then

Mic92 commented 1 month ago

Is this addressed by https://github.com/nix-community/buildbot-nix/pull/251

MagicRB commented 1 month ago

Noy really, what #251 gets us is a all or nothing support for access control. Ideally one wouldn't have to run 2 instances for public and provate repositories.