Do not assume public artifacts have prefix public/ #407

Open
petemoore opened this issue Dec 22, 2023 · 2 comments
Comments

@petemoore
Member

petemoore commented Dec 22, 2023

Scanning the taskgraph codebase, there are several pieces of code that check whether an artifact name has prefix public/ to determine whether scopes are required to fetch it. Unfortunately this is not the correct way to determine whether an API call to fetch the artifact requires scopes.

The anonymous role determines the set of scopes that all calls are granted. Typically this includes queue:get-artifact:public/* but that is not a requirement, and in locked down taskcluster deployments this scope may not be included in the anonymous role. Furthermore, the anonymous role may include other scopes with prefix queue:get-artifact: meaning that not only public/* artifacts are public.

The bottom line is: the correct way to check whether an artifact is public is to see if an unauthorized request satisfies the scope queue:get-artifact:<artifact-name>, e.g. by calling authorize (Node.js) or scopes.Satisfies (Go), or alternatively just fetch the artifact with an unauthorized HEAD request and check for a 200 HTTP status code response.

In Python, it looks like you can either expand the scopes of the anonymous role, or make an unauthorized call to auth.currentScopes to fetch anonymous scopes. Then call scopeMatch to see if the anonymous role satisfies the scope queue:get-artifact:<artifact-name> for the artifact name you are interested in.

Note: you should not try to parse the anonymous scopes yourself, but instead rely on one of these libraries to take care of the delicate matters of scope/role expansion, * matching, handling parameterized roles, etc.

@ahal
Collaborator

ahal commented Dec 22, 2023

Thanks for the report, makes sense.

I do worry that making a network request for each artifact we need to check will be expensive. I wonder if in some cases an educated guess like what we're doing here is good enough. Or maybe there's a way to query the prefixes the anonymous role uses once and go with that?

@petemoore
Member Author

> Thanks for the report, makes sense.
>
> I do worry that making a network request for each artifact we need to check will be expensive. I wonder if in some cases an educated guess like what we're doing here is good enough. Or maybe there's a way to query the prefixes the anonymous role uses once and go with that?

Good point! In Python, you can cache the results of the anonymous role, and the scopeMatch routine I think doesn't make any external network request.
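As an added example (not code from taskgraph or the taskcluster client) of the approach described in petemoore's first comment and the caching suggestion in the reply above: fetch the anonymous role's expanded scopes once, cache them for the process, and test queue:get-artifact:<name> against them instead of looking at the public/ prefix. The block assumes a constructed anonymous scope list standing in for the result of an unauthenticated auth.currentScopes call, and a small matcher that reimplements only the trailing-`*` rule the official Python client's taskcluster.utils.scopeMatch applies to an already-expanded scope list, so it runs offline. In real code, pass the fetched scopes to that library function, as the comment advises, rather than to this stand-in.

```python
"""Decide whether fetching an artifact needs scopes from the anonymous role's
expanded scopes, not from whether the name starts with public/.

Added example, not taskgraph or taskcluster code.  ANONYMOUS_SCOPES_EXAMPLE is a
constructed, locked-down anonymous role used so the example runs offline; in a
deployment it would come from an unauthenticated auth.currentScopes call and the
matching would be done by taskcluster.utils.scopeMatch.
"""

from functools import lru_cache
from typing import Iterable, Optional

# Constructed anonymous role (not real data).  Note that public/* as a whole is
# NOT granted, while a prefix outside public/ is.
ANONYMOUS_SCOPES_EXAMPLE = [
    "queue:get-artifact:public/build/*",
    "queue:get-artifact:public/logs/*",
    "queue:get-artifact:releng/*",  # anonymous, although not under public/
    "queue:list-artifacts:*",
]


def scope_satisfied(required: str, granted: Iterable[str]) -> bool:
    """Taskcluster satisfaction rule for an already-expanded scope list: a granted
    scope satisfies `required` if it is identical, or if it ends in '*' and
    everything before the '*' is a prefix of `required`.  Role expansion and
    parameterized roles are assumed to have been done server side already."""
    for scope in granted:
        if scope == required:
            return True
        if scope.endswith("*") and required.startswith(scope[:-1]):
            return True
    return False


@lru_cache(maxsize=1)
def anonymous_scopes() -> tuple:
    """The anonymous role's expanded scopes, fetched once and cached so that
    checking many artifacts costs one request, not one per artifact.
    Assumption: a real implementation would return
    taskcluster.Auth(<options without credentials>).currentScopes()["scopes"]."""
    return tuple(ANONYMOUS_SCOPES_EXAMPLE)


def artifact_is_public(artifact_name: str, granted: Optional[Iterable[str]] = None) -> bool:
    """True if an unauthenticated caller may fetch `artifact_name`."""
    scopes = anonymous_scopes() if granted is None else list(granted)
    return scope_satisfied(f"queue:get-artifact:{artifact_name}", scopes)


def artifact_is_public_naive(artifact_name: str) -> bool:
    """The prefix guess the issue argues against, kept for comparison."""
    return artifact_name.startswith("public/")


if __name__ == "__main__":
    for name in ("public/build/target.tar.gz",
                 "public/chain-of-trust.json",
                 "releng/manifest.json"):
        print(f"{name}: naive={artifact_is_public_naive(name)} "
              f"anonymous-role={artifact_is_public(name)}")
```

With the constructed role, `public/chain-of-trust.json` is reported public by the prefix guess but would fail an unauthenticated fetch, and `releng/manifest.json` is the reverse; the cached `anonymous_scopes()` call is what keeps the per-artifact cost at zero network requests.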
