-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix crash when uploading a package through scoped API key #647
Conversation
@gabm, can you please rebase with the latest commit on main? |
dcbc366
to
3691ed6
Compare
done |
@gabm, can you fix the lint, please? |
actually the linter was very helpful.. I fixed the problems.. pls have a look |
I am actually not sure whether we also want to use the owner in other places... the theory goes like this
In some places we want to use one and in other places the other. For example when uploading a package we want to set the owner as the owner of the pkgs, but in other places we need the reduced privileges of the virtual user... I am not familiar enough to review all the other uses or |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gabm thanks for the PR. I appreciate the clarity of your fix. On the code itself, I mostly have nitpicky suggestions, I hope you don't mind.
One actually important thing though: Would you mind also writing a test that captures the bug (==fails with the old implementation, but works with your fix?)
My intuition here would be that the current implementation before your fix, where an anonymous user is used, is the most robust in the sense that it never leaks permissions. If anything, it is problematic because you sometimes get too few permissions. Therefore, unless we are fixing a specific problem (as you did in this PR), I would not change the existing system for fear of accidentally leaking permissions for no gain. |
a5650af
to
069e0ed
Compare
7a83441
to
c3c1812
Compare
thanks for those hints @AndreasAlbertQC . I added the tests as well.. pls have a look. P.S.: I had a hard time working through the pytest fixtures, they are all over the place :/ |
c3c1812
to
9db1f58
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the additional work and tests @gabm ! Tests look good to me, I would just add a a try/finally around the yields in the fixtures to headaches if a test throws an exception. Apart from that, this is ready to go IMO
Hi! Thanks for working on this. I have the same issue :-) I did a quick test and this branch indeed works for new uploaded packages. Also just wondering if an alternative solution could not have been to show "anonymous/none" for the uploader. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As @ivergara kindly pointed out to me, pytest already takes care of the exception handling for yielding fixtures such that the try/except block I asked for is not needed. My bad!
The CI is fixed on |
9db1f58
to
8a4ae18
Compare
done |
For us its not a huge problem, we fixed it manually so far. Currently there is no straight forward way to fix it in the DB because the uploader information is lost iirc.
The full details are outlined here #642. In short: the current user model mixes "identity" and "authorization" to some extent. When you create an API key with a scope, then a new user without username is created and added as a member/maintainer to the packages/channels etc... When uploading a package with that API Key, it correctly resolves to that new, anonymous user that has the restricted authorization - thus preventing privilege escalation. Unfortunately, as this anonymous user has no identity (no name etc), the uploader field remains unset and that causes the error. The uploader field should be set with the identity of the "owner of the API Key". This identity should imho not be "anonymous"... |
Thanks for the additional information about restricted authorization. I agree using the owner_id makes sense.
I think it's possible to have a migration script:
Or I guess we don't want to change |
Update package_versions uploader with API keys owner instead of the key anonymous user. This is linked to mamba-org#647 and allow to update existing databases.
* Add migration script for scoped API keys Update package_versions uploader with API keys owner instead of the key anonymous user. This is linked to #647 and allow to update existing databases. * Fix issue with sqlalchemy >=2.0 SQL query needs to be wrapped in sqlalchemy.text. Using raw string as been removed.
fixes #642
Problem
Solution