Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(github): allow only pull permission for print command #262

Merged
merged 2 commits into from
Aug 6, 2022

Conversation

jetersen
Copy link
Contributor

@jetersen jetersen commented Jul 18, 2022

Without configuring platform run options. Not all repos are downloaded due to conditions.

What does this change

Instead of:
DEBU[0000] Skipping repository since the token does not have push permissions and the run will not fork repo=jenkinsci/opslevel-plugin
INFO[0000] Running on 0 repositories

You get:
INFO[0000] Running on 1 repositories
INFO[0000] Cloning and running script repo=jenkinsci/opslevel-plugin

Since jenkinsci/opslevel-plugin is a fork I have no push permissions and g.Fork always being false because configureRunPlatform is never run.

Notes for the reviewer

Put any questions or notes for the reviewer here.

Checklist

  • Made sure the PR follows the CONTRIBUTING.md guidelines
  • Tests if something new is added

@jetersen jetersen changed the title fix print being unaware of forks fix print being unaware of fork option, which prevents cloning repositories without push permissions Jul 18, 2022
@lindell
Copy link
Owner

lindell commented Jul 19, 2022

Thanks for the PR. The bug is definitely real and needs to be addressed. The print command should only require pull permissions.

Unfortunately, this does more than that. It does add the fork option (as the title suggests), but that option is intentionally kept out of the print command since there are no forks to be considered when running print. The fix should be to ensure that only pull permissions are required and nothing else.

@jetersen
Copy link
Contributor Author

Well even though there is no fork. It filters out the repository. So I wonder what the conditional logic should say.

@lindell
Copy link
Owner

lindell commented Jul 19, 2022

It would have to be indicated to each VersionController that push permission is not needed.

Adding something like "readOnly" and change this

case !g.Fork && !permissions["push"]:

to

case !g.Fork && !g.ReadOnly && !permissions["push"]:

@jetersen
Copy link
Contributor Author

I'll see if I can get around to it in the weekend to add readonly.

@jetersen
Copy link
Contributor Author

Hopefully this weekend!

@jetersen
Copy link
Contributor Author

jetersen commented Jul 30, 2022

@lindell I added flag that is set programmatically in the printCmd() method. To not change the signature of other methods like getVersionController and createGithubClient

@jetersen jetersen changed the title fix print being unaware of fork option, which prevents cloning repositories without push permissions fix GitHub permission check for print cmd Jul 30, 2022
cmd/platform.go Outdated
Comment on lines 34 to 36
// This is only used by PrintCmd to mark readOnly mode for version control platform
flags.Bool("readOnly", false, "If set, This is running in readonly will be read-only.")
_ = flags.MarkHidden("readOnly")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is added inside configurePlatform which is run for all cmds.
Marking it hidden as this is set programmatically by the print command.

cmd/cmd-print.go Outdated
@@ -48,6 +48,8 @@ func print(cmd *cobra.Command, args []string) error {
strOutput, _ := flag.GetString("output")
strErrOutput, _ := flag.GetString("error-output")

_ = flag.Set("readOnly", "true")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ignoring the error here because we know readOnly flag is available.

@@ -143,7 +148,7 @@ func (g *Github) GetRepositories(ctx context.Context) ([]scm.Repository, error)
case !permissions["pull"]:
log.Debug("Skipping repository since the token does not have pull permissions")
continue
case !g.Fork && !permissions["push"]:
case !g.Fork && !g.ReadOnly && !permissions["push"]:
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

testing against

repo:
- jenkinsci/jenkins-infra-test-plugin # a non forked repo
- jenkinsci/opslevel-plugin # a forked repo

@lindell
Copy link
Owner

lindell commented Aug 5, 2022

Thanks for the PR @jetersen.

@lindell I added flag that is set programmatically in the printCmd() method. To not change the signature of other methods like getVersionController and createGithubClient

I don't think we are able to do this in a good way, since the flags are used to automatically generate documentation and the help text. We do also expose something, that if set by the user, would make multi-gitter not work properly and create confusion. Changing the signature of getVersionController and createGithubClient has to be done in this case, and that is ok 😄

This logic should also extend to other SCMs, if you are able to add to them as well, that would be appreciated. I can make sure to test it.

@jetersen
Copy link
Contributor Author

jetersen commented Aug 6, 2022

I did not see the same permission check in the other SCM

@lindell
Copy link
Owner

lindell commented Aug 6, 2022

I did not see the same permission check in the other SCM

Indeed that is the case. Nvm that comment

@jetersen
Copy link
Contributor Author

jetersen commented Aug 6, 2022

@lindell I believe mark hidden does hide it from help text and usage: See docs: https://github.com/spf13/pflag/blob/85dd5c8bc61cfa382fecd072378089d4e856579d/README.md#hidden-flags

So I see no reason to change this further.
As the code achieves the desired effect. A hidden internal flag we can use signal other code that we are in print mode.

I can change the name of the flag to something like secretReadOnly or printReadOnly

@jetersen
Copy link
Contributor Author

jetersen commented Aug 6, 2022

@lindell
Copy link
Owner

lindell commented Aug 6, 2022

Seems that it hides it from the help text, but we have some other parts that generate docs that do not take it into consideration (yaml documentation in readme). That could also be fixed to check for hidden flags.

But depending on hidden flags to pass data around (that should not be set by setting the flag) is unfortunately not something I can accept. It does indeed work, but so does a global variable, or environment variables etc.

@lindell
Copy link
Owner

lindell commented Aug 6, 2022

Also sees relatively frequent usage: https://cs.github.com/?q=MarkHidden%20language%3AGo&scopeName=All%20repos&scope= https://github.com/search?q=MarkHidden+language%3Ago&type=code

MarkHidden should have a lot of legit usecases, but I can't find any place in the top search results where it is simply used as a way to create a hidden flags where it is only set programmatically.

@jetersen
Copy link
Contributor Author

jetersen commented Aug 6, 2022

@jetersen
Copy link
Contributor Author

jetersen commented Aug 6, 2022

@lindell fixed. Thanks to goland refactoring it was a 30 seconds change. 👏

If we add more argument passing we should switch to passing a struct.

@lindell
Copy link
Owner

lindell commented Aug 6, 2022

Thanks 😄

If we add more argument passing we should switch to passing a struct.

Totally agree 👍

@lindell lindell changed the title fix GitHub permission check for print cmd fix(github): permission check for print command Aug 6, 2022
@lindell lindell changed the title fix(github): permission check for print command fix(github): allow only pull permission for print command Aug 6, 2022
@lindell lindell merged commit 582c706 into lindell:master Aug 6, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Aug 6, 2022

Included in release v0.42.1 🎉

@jetersen jetersen deleted the patch-1 branch August 6, 2022 13:53
@jetersen
Copy link
Contributor Author

jetersen commented Aug 6, 2022

@lindell Thanks for accepting my pull request! 👏🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants