~sircmpwn/builds.sr.ht

c58ac2b2b164ef13996686cd36c864153305a750 — Simon Ser 10 months ago 34a2271
api/graph: check SECRETS:RO in submit(secrets: true) mutation

Submitting a build with secrets enabled grants access to secrets.
Let's reflect this in the token scope requirements.

In order to not break builds with no secrets argument specified,
make the default value a bit smarter: enable secrets if at least
one is specified in the manifest and the SECRETS:RO grant is
available.
2 files changed, 17 insertions(+), 6 deletions(-)

M api/graph/schema.graphqls
M api/graph/schema.resolvers.go
M api/graph/schema.graphqls => api/graph/schema.graphqls +4 -2
@@ 437,8 437,10 @@ type Mutation {
  """
  Submits a new job to the queue.

  'secrets' may be set to false to disable secrets for this build. Secrets
  are enabled if unspecified.
  'secrets' may be set to false to disable secrets for this build. If
  unspecified, secrets are enabled if at least one is specified in the manifest
  and the SECRETS:RO grant is available. Enabling secrets requires the
  SECRETS:RO grant.

  'execute' may be set to false to defer queueing this job. Builds are
  executed immediately if unspecified.

M api/graph/schema.resolvers.go => api/graph/schema.resolvers.go +13 -4
@@ 285,12 285,21 @@ func (r *mutationResolver) Submit(ctx context.Context, manifest string, tags []s
		}
	}

	hasSecretsScope := user.Grants.Has("SECRETS", auth.RO)

	var sec bool
	if secrets != nil {
		sec = *secrets
	} else {
		sec = len(man.Secrets) > 0 && hasSecretsScope
	}

	if sec && !hasSecretsScope {
		return nil, fmt.Errorf("Missing SECRETS:RO grant")
	}

	var job model.Job
	if err := database.WithTx(ctx, nil, func(tx *sql.Tx) error {
		sec := true
		if secrets != nil {
			sec = *secrets
		}
		status := "pending"
		if execute == nil || *execute {
			status = "pending"