Permission requirement for setDefaultRepository() is too broad

Bug #1992500 reported by Robie Basak
This bug affects 1 person
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Guruprasad

Bug Description

This is a feature request.

The git-ubuntu importer runs as ~git-ubuntu-bot, which is a member of ~git-ubuntu-import, which is the team that owns all repositories imported by git-ubuntu and exists for that purpose. Both ~git-ubuntu-bot and ~git-ubuntu-import have no special privilege at all, which is best for security - especially as they deal with untrusted input.

However, to make imported repositories defaults for their targets, we must call git_repositories.setDefaultRepository(). This requires the calling user to have (I think) launchpad.Edit on the target, which is quite broad.

For now, I'm running a script with my own credentials that bulk examines all ~40k repositories and calls setDefaultRepository as needed. It'd be nicer if the bot could do it if required when it pushes an update to a repository.

Does launchpad.Edit correspond to being an uploader for a package? Would it be possible to split out this permission so we can grant it more granularly to the bot, so that it can set the default targets to its imported repositories without making it an uploader for all packages?

Tags: api git lp-code

Jürgen Gmach (jugmac00) wrote : Re: Permission requirement for setDefautRepository() is too broad

Thanks for creating this feature request.

I will discuss this at our next standup.

Jürgen Gmach (jugmac00) wrote :

Robie, we quickly discussed this during standup, but I am afraid we really need to sit down and discuss all the options, which we will do during the Engineering Sprint in Prague.

Robie Basak (racb) wrote : Re: [Bug 1992500] Re: Permission requirement for setDefautRepository() is too broad

On Fri, Oct 14, 2022 at 02:08:36PM -0000, Jürgen Gmach wrote:
> Robie, we quickly discussed this during standup, but I am afraid we
> really need to sit down and discuss all the options, which we will do
> during the Engineering Sprint in Prague.

Sure, thanks. Currently the workaround is OK - just that there's a delay
in between a new package being imported and "git ubuntu clone" working
for it.

Guruprasad (lgp171188)
Changed in launchpad:
status: New → Incomplete
Colin Watson (cjwatson) wrote : Re: Permission requirement for setDefautRepository() is too broad

This isn't really Incomplete, since we aren't waiting for more information from the reporter, just on ourselves to figure out the best way to fix this.

tags: added: api git lp-code
Changed in launchpad:
status: Incomplete → Triaged
importance: Undecided → High
Robie Basak (racb)
summary: - Permission requirement for setDefautRepository() is too broad
+ Permission requirement for setDefaultRepository() is too broad
Colin Watson (cjwatson) wrote :

I think there are only two even semi-viable choices here:

 * Make ~git-ubuntu-bot part of a new team that we register as a celebrity and special-case it, similar to the way that ~vcs-imports is currently special-cased;
 * Add some kind of "code admin" role to distributions (similar to e.g. `Distribution.oci_project_admin`), which would give us a slot where we could register ~git-ubuntu-bot, and then allow `GitRepositorySet.setDefaultRepository` if the acting user has that role.

The second is undoubtedly cleaner and I think we should probably take that approach, though it's not a trivial change.

Guruprasad (lgp171188) wrote :

Thanks for the useful details, Colin. I will try to implement the second approach and submit a merge proposal for review once it is ready.

Changed in launchpad:
assignee: nobody → Guruprasad (lgp171188)
status: Triaged → In Progress
Guruprasad (lgp171188)
Changed in launchpad:
status: In Progress → Fix Committed
Guruprasad (lgp171188) wrote :

Robie, we have now implemented and deployed the changes for a 'Code admin' role on distributions and members of that role for a distribution can now call `setDefaultRepository()` on source packages belonging to that distribution.

So this bug can be resolved by assigning that role to an appropriate team and adding the ~git-ubuntu-bot account to it or directly assigning the bot account to the role.

Changed in launchpad:
status: Fix Committed → Fix Released
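
A simplified model of the permission change discussed in this thread, added here as an illustration and not Launchpad's own code: before the fix only the broad edit right allows setting a default repository, afterwards a per-distribution code admin role also does. All class, field and function names and the `example-*` team names are assumptions, as is the rule that the new role is accepted in addition to the existing check.

```python
# Simplified model of the authorization rules discussed in this bug.
# Every class, field and function name is hypothetical, not Launchpad code.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Principal:
    name: str
    member_of: frozenset = frozenset()  # direct team memberships


@dataclass
class Distribution:
    name: str
    editors: set = field(default_factory=set)  # stands in for launchpad.Edit
    code_admin: Optional[str] = None           # narrow role slot added by the fix


def holds(user, holder, directory):
    """True if `user` is `holder` or belongs to it through nested teams."""
    pending, seen = [user.name], set()
    while pending:
        name = pending.pop()
        if name == holder:
            return True
        if name not in seen and name in directory:
            seen.add(name)
            pending.extend(directory[name].member_of)
    return False


def can_edit(user, distro, directory):
    return any(holds(user, e, directory) for e in distro.editors)


def can_set_default_before(user, distro, directory):
    return can_edit(user, distro, directory)  # broad right was the only route


def can_set_default_after(user, distro, directory):
    # Assumption: the role is accepted in addition to the existing check.
    return can_edit(user, distro, directory) or holds(user, distro.code_admin, directory)


# Constructed sample data; the example-* teams are placeholders.
bot = Principal("git-ubuntu-bot", frozenset({"git-ubuntu-import", "example-code-admins"}))
owner = Principal("example-owner", frozenset({"example-distro-owners"}))
directory = {p.name: p for p in (bot, owner)}
ubuntu = Distribution("ubuntu", {"example-distro-owners"}, "example-code-admins")
```

In this model the bot can set the default repository after the change while `can_edit(bot, ubuntu, directory)` stays false, which is the separation the report asks for.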
This report contains Public information  
Everyone can see this information.