From c58ac2b2b164ef13996686cd36c864153305a750 Mon Sep 17 00:00:00 2001 From: Simon Ser Date: Fri, 7 Jul 2023 08:10:54 +0000 Subject: [PATCH] api/graph: check SECRETS:RO in submit(secrets: true) mutation Submitting a build with secrets enabled grants access to secrets. Let's reflect this in the token scope requirements. In order to not break builds with no secrets argument specified, make the default value a bit smarter: enable secrets if at least one is specified in the manifest and the SECRETS:RO grant is available.
---
api/graph/schema.graphqls | 6 ++++-- api/graph/schema.resolvers.go | 17 +++++++++++++---- 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/api/graph/schema.graphqls b/api/graph/schema.graphqls
index f7d62e8..15ef7a7 100644
--- a/api/graph/schema.graphqls
+++ b/api/graph/schema.graphqls
@@ -437,8 +437,10 @@ type Mutation {
 """
 Submits a new job to the queue.
 
- 'secrets' may be set to false to disable secrets for this build. Secrets
- are enabled if unspecified.
+ 'secrets' may be set to false to disable secrets for this build. If
+ unspecified, secrets are enabled if at least one is specified in the manifest
+ and the SECRETS:RO grant is available. Enabling secrets requires the
+ SECRETS:RO grant.
 
 'execute' may be set to false to defer queueing this job. Builds are
 executed immediately if unspecified.
diff --git a/api/graph/schema.resolvers.go b/api/graph/schema.resolvers.go
index b28b0c6..7271f72 100644
--- a/api/graph/schema.resolvers.go
+++ b/api/graph/schema.resolvers.go
@@ -285,12 +285,21 @@ func (r *mutationResolver) Submit(ctx context.Context, manifest string, tags []s
 }
 }
 
+ hasSecretsScope := user.Grants.Has("SECRETS", auth.RO)
+
+ var sec bool
+ if secrets != nil {
+ sec = *secrets
+ } else {
+ sec = len(man.Secrets) > 0 && hasSecretsScope
+ }
+
+ if sec && !hasSecretsScope {
+ return nil, fmt.Errorf("Missing SECRETS:RO grant")
+ }
+
 var job model.Job
 if err := database.WithTx(ctx, nil, func(tx *sql.Tx) error {
- sec := true
- if secrets != nil {
- sec = *secrets
- }
 status := "pending"
 if execute == nil || *execute {
 status = "pending"
-- 2.38.5
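Review bot: The default branch `sec = len(man.Secrets) > 0 && hasSecretsScope` silently queues a build without the secrets its manifest lists when the token lacks SECRETS:RO, and nothing in the response tells the caller that happened; a comment on that line such as `// Token lacks SECRETS:RO: queue the build without secrets rather than rejecting it; pass secrets: true to get an explicit error` would stop a later reader from "fixing" it back to the old unconditional `true` default, and would make the downgrade an obvious place to emit a log line if one is wanted. The added `if sec && !hasSecretsScope` check is the only enforcement point visible in this hunk, so if any other path creates jobs with secrets enabled (a legacy REST endpoint or a resubmit mutation, should they exist in this service) it needs the same gate or the scope requirement is bypassable; I cannot see those paths from here. Minor style: `fmt.Errorf("Missing SECRETS:RO grant")` has no verbs and a capitalised message, so `errors.New("missing SECRETS:RO grant")` (or whichever error helper this resolver file already uses for authorization failures) would match Go convention. `Submit` starts before this hunk and its body, including the transaction closure that consumes `sec`, continues past it.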