buildbot-nix access control for private repos

[zimbatm]

In some settings, we only want to show the builds to users with access to the repos.

Is it possible to map the repo access control to the authenticated users?

If not, create a "private" mode where only logged-in users can see the builds and builders.

[Mic92]

It's possible. We already limit certain builder endpoints for projects: https://github.com/Mic92/buildbot-nix/blob/b0526ceab2ec89bed5e194a206391a7d85a833e7/buildbot_nix/__init__.py#L663
This can be also extended to limit logs visible of project itself.

[zimbatm]

Could it also be extended to the builder activity?

[MagicRB]

Ill look into it tomorrow, should be done with a prototype by the evening

[MagicRB]

Very briefly looking into this, I instrumented buildbots authentication with the following code:

    any_endpoint_matcher = util.AnyEndpointMatcher(role="admin", defaultDeny=False)
    old_match = any_endpoint_matcher.match

    def match(self: util.AnyEndpointMatcher, ep: Any, action: Any, options: Any) -> Any:
        import inspect

        if options is None:
            options = {}
        try:
            epobject, epdict = self.master.data.getEndpoint(ep)
            for klass in inspect.getmro(epobject.__class__):
                log.info(
                    "matching on {klass} with action: {action}",
                    klass=klass.__name__,
                    action=action,
                )
        except:
            pass
        old_match(ep, action, options)

    import types

    any_endpoint_matcher.match = types.MethodType(match, any_endpoint_matcher)

    allow_rules.append(any_endpoint_matcher)

Which then prints me a list of endpoints that buildbot is looking for auth for, said list reveals:

1. ProjectsEndpoint
2. ProjectEndpoint

ProjectsEndpoint comes into play on the /#/projects URL. Interestingly at /#/projects/3 where I would expect ProjectEndpoint to show up, (also according to the patterns it matches) it doesn't actually show up. The endpoints that do show up are: [ProjectsEndpoint, MasterEndpoint, WorkersEndpoint, BuildRequestsEndpoint, BuildersEndpoint, ChangesEndpoint, BuildsEndpoint] but that doesn't help us much as far as I can tell. ProjectEndpoint only appears at #/builders/19 which makes no sense to me. But I'm probably misunderstanding something.

All of this testing has been done on the github_app branch as I didn't really want to change my nix config from developing that :) and while not logged into buildbot at all. But assuming that the correct endpoints would show up, we have a problem anyway as ProjectsEndpoint does not do any filtering whatsoever and does not allow for it. It directly calls up the DB right here, that function if followed directly executes the equivalent of select * from projects; with no room for any filtering either. So this either calls for upstream changes or a mixin.

Not sure what's the correct path forward here and I would appreciate some input as to what to do here. (this little foray into buildbots endpoint handling also tells me that custom UI is possible with mixins and custom endpoints probably 🎉)

[MagicRB]

But also this only comes into play if we want to limit access to projects, for builds its quite simple, namely BuildsEndpoint, we have the same problem here too, at the /builds endpoint it is not enough to just allow or deny it, the response must be edited as far as I can tell. The current code does not allow to mark some build as visible and others not.

[zimbatm]

Ok. I suspected something like this since Buildbot was designed for open-source use.

Since this requires a major refactor, a better short-term solution is to shield the installation. Users can decide to make their instance private, and then only logged-in users can see build information. Webhooks need to be sent through still.

[MagicRB]

I'm pushing this to the future milestone then

[Mic92]

Is this addressed by #251

[MagicRB]

Noy really, what #251 gets us is a all or nothing support for access control. Ideally one wouldn't have to run 2 instances for public and provate repositories.