This repository was archived by the owner on Sep 30, 2024. It is now read-only.
Conversation
Contributor
Author
This stack of pull requests is managed by Graphite. Learn more about stacking. |
3ba461a to
4dbc13d
Compare
…sert ip based permissions
4dbc13d to
1be7df6
Compare
eseliger
approved these changes
Jul 16, 2024
eseliger
left a comment
Member
There was a problem hiding this comment.
Thanks for all the tests!
Eventually, we should be able to simply delete the old versions of the setters/getters once the IP address functioanlity has been threaded through everywhere.
once we do that, I think we should also consider renaming the methods again to drop the WithIPs suffix, since that is just the standard behavior.
…permissions_modify_store_to_be_able_to_insert_ip_based_permissions
Contributor
Author
ggilmore
referenced
this pull request
Jul 30, 2024
…addresses (#64010) The perforce permission syncer has been adapted to now read and save the HOST field from the perforce protections table, which contains the IP address(es) that the path rule that it applies to. It uses the updated sub_repository_rules store methods introduced in https://github.com/sourcegraph/sourcegraph/pull/63811/. ### Notes - There is some existing logic in the permissions syncer that attempts to re-insert the existing sub_repo_permissions if we encounter a temporary (timeout, etc.) error when syncing. However, there is an edge case: what do we do if the existing permissions don't have an IP address associated with them yet (they were inserted before the updated permission syncer ran)? For simplicity, in this PR I leaned towawrds correctness - I fail the operation outright (I'd rather temporarirly lock someone out rather than accidentally leak information). I implemented a more robust straetgy for this in https://github.com/sourcegraph/sourcegraph/pull/64086. ## Test plan - The existing unit tests have been adapted to use the new authz.SubRepoPermissionsWithIP structs (I use wildcard IP addresses). - The big new test to pay attention to is TestScanIPPermissions (and the associated `sample-protects-ip.txt` file). ## Changelog - The perforce permissions syncer has been updated to save the IP address associated with each sub_repository_permissions rule.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes https://linear.app/sourcegraph/issue/SRC-459/
Closes
This PR adds support for saving and retreiving the IP addressess associated with each path rule in the sub_repo_permissions store.
It does this by:
Adding a new permissions type to the internal/authz package:
https://github.com/sourcegraph/sourcegraph/blob/1be7df6d79c96017b9a49c289038cf59cb4a8eb2/internal/authz/iface.go#L52-L96
Adding new
*WithIPsversions of all the setter and getter methodsThe new setter methods uses the above
authz.SubRepoPermissionsWithIPstype that write to the appropriateipscolumn in the DB.The new getter methods retrieve the ip addresses associated with each path entry. However, here there is an additional complication: It's possible for someone to call the
*WithIPsgetters when the ips column is still NULL (indicating that the perforce syncer hasn't been updated / ran in order to save the IP addresses from the protection table yet."/depot/main/...","/depot/dev/...","-/depot/secret/..."}"/depot/public/...","-/depot/private/..."}In order to address this, the getters each have a
backfillboolean that allows the caller to choose the behavior that they want.If
backfill = true, the paths without IP entries will be returned with a*(wildcard) IP indicating that any client IP address is okay. (This is effectively the behavior we have today since we don't check IPs for sub_repo_permisisons). I imagine this can be used when callers don't care about enforcing IP-based permissions (such as when IP address enforcement is disabled in site configuration).If
backfill = false, if the IPs column is NULL - an error is returned instead of backfilling ("The IP addresses associated with this sub-repository-permissions entry have not been synced yet."). This allows for callers that care about IP address enforcement to know explicitly if the IP address information hasn't been updated yet - so we can't know whether or not the user is able to view the file (e.g when IP based enforcement is enabled).Ensuring that the old setter methods set the IPs column to NULL:
self-explanatory, if someone uses the non
*WithIPvariants of the setters, we want to ensure that we zero out that column so that we don't leave stale / inconsistent information for those Path entries.Overall, the design this adds the new IP address functionality without having to immediately update all the call sites in the codebase to force them to interpret all this information (which would make for a gargantuan PR). Eventually, we should be able to simply delete the old versions of the setters/getters once the IP address functioanlity has been threaded through everywhere.
Test plan
Extensive unit tests.
For each new setter and getter, I added unit tests that tested along all of the following dimenisons:
withIPvariant of upsert, etc.), or was it inserted with the old legacy way with no ip information*for that entry), or avoids backfilling (will return the information in the IPs column, or hard-error)?Changelog