~comcloudway/builds.sr.ht: api/graph: check SECRETS:RO in submit(secrets: true) mutation

c58ac2b2b164ef13996686cd36c864153305a750 — Simon Ser 1 year, 3 months ago 34a2271

api/graph: check SECRETS:RO in submit(secrets: true) mutation

Submitting a build with secrets enabled grants access to secrets.
Let's reflect this in the token scope requirements.

In order to not break builds with no secrets argument specified,
make the default value a bit smarter: enable secrets if at least
one is specified in the manifest and the SECRETS:RO grant is
available.

patch browse .tar.gz

2 files changed, 17 insertions(+), 6 deletions(-)

M api/graph/schema.graphqls
M api/graph/schema.resolvers.go

M api/graph/schema.graphqls => api/graph/schema.graphqls +4 -2

@@ 437,8 437,10 @@ type Mutation {
   """
   Submits a new job to the queue.
 
-  'secrets' may be set to false to disable secrets for this build. Secrets
-  are enabled if unspecified.
+  'secrets' may be set to false to disable secrets for this build. If
+  unspecified, secrets are enabled if at least one is specified in the manifest
+  and the SECRETS:RO grant is available. Enabling secrets requires the
+  SECRETS:RO grant.
 
   'execute' may be set to false to defer queueing this job. Builds are
   executed immediately if unspecified.

M api/graph/schema.resolvers.go => api/graph/schema.resolvers.go +13 -4

@@ 285,12 285,21 @@ func (r *mutationResolver) Submit(ctx context.Context, manifest string, tags []s
 		}
 	}
 
+	hasSecretsScope := user.Grants.Has("SECRETS", auth.RO)
+
+	var sec bool
+	if secrets != nil {
+		sec = *secrets
+	} else {
+		sec = len(man.Secrets) > 0 && hasSecretsScope
+	}
+
+	if sec && !hasSecretsScope {
+		return nil, fmt.Errorf("Missing SECRETS:RO grant")
+	}
+
 	var job model.Job
 	if err := database.WithTx(ctx, nil, func(tx *sql.Tx) error {
-		sec := true
-		if secrets != nil {
-			sec = *secrets
-		}
 		status := "pending"
 		if execute == nil || *execute {
 			status = "pending"