Use bot token to create org hook #24
Conversation
c527985 to f87c87d
From a security standpoint, this is a good idea, but it will require a lot of manual effort to add the Unless there is an easier way to deal with bot token creation, it's going to be a -1 from me.
Not necessarily; it only applies to new bot creation.
I don't see any relation with this specific permission, it affects tokens in general. I really want to avoid this code: https://github.com/eclipse-cbi/ci-admin/pull/24/files#diff-8cec566c9498b286ab6c717c83aa85b4a580f137fdaa032ae26cb799fd7f76cfL20 Storing an eclipsewebmaster token in cbi local pass.
How do we set org level webhooks with existing bot tokens?
Yes, it affects tokens in general. So far, we don't rely on them though. So we can still set org level webhooks, even if a bot token expired.
Looking at the code and IIRC, this is already set on old tokens by using the eclipsewebmaster token.
Old bot tokens only have
@@ -47,13 +50,16 @@ org() { | |||
exit 1 | |||
fi | |||
|
|||
local pw_store_path="bots/${project_name}/${GITHUB_PASS_DOMAIN}" | |||
local bot_token=$(passw cbi "${pw_store_path}/api-token") | |||
|
|||
echo "Creating organization webhook..." | |||
|
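Review bot: `local bot_token=$(passw cbi "${pw_store_path}/api-token")` masks the exit status of `passw`, so a missing or unreadable pass entry leaves `bot_token` empty and the "Creating organization webhook..." step below runs with no usable credential. Declare and assign separately and abort on failure, e.g. `local bot_token` followed by `bot_token=$(passw cbi "${pw_store_path}/api-token") || exit 1`, and consider verifying the retrieved token carries `admin:org_hook` (the `x-oauth-scopes` check suggested in the review) before the API call rather than discovering it from a failed request.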
You could add a check whether the token has the appropriate scope:
# grep -i: HTTP/2 responses lowercase the header name; grep -c avoids the padded output of wc -l on some platforms
has_scope="$(curl -sS -f -I -H "Authorization: token ..." https://api.github.com | grep -i "^x-oauth-scopes" | grep -c "admin:org_hook")"
if [ "${has_scope}" != "1" ]; then
  : # use webmaster token
fi
and if the token has the scope, use it, otherwise fall back to the webmaster token.
Sounds good. @heurtematte can you add Thomas' suggestion?
I finally decided to do it differently.
The token can have all the scopes needed, but this doesn't mean that the token can access the org or the repository.
I chose to test first with the bot token, then with the cbi config token.
@heurtematte you did not want to check if the token has the admin:org_hook scope?
I just realized I've had messages pending for weeks now...
With the refactor code, I don't see the need to test the scope.
The logic is: Create the webhook first with the token bot account. If it fails, it falls back to the cbi config file token.
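The two approaches discussed in this thread, the x-oauth-scopes check and the bot-token-then-config-token fallback, as an added POSIX shell example that is not part of the ci-admin code base; the token values, the `fake_attempt` command and the sample headers are constructed placeholders, and `fetch_token_headers` is the only piece that needs network access and is not run here.

```shell
#!/bin/sh
# Added example, not ci-admin's own code. Shows (1) checking a classic token
# for the admin:org_hook scope via the x-oauth-scopes response header and
# (2) trying the bot token first and falling back to the cbi config token,
# since a scope on the token does not prove it can reach the org.

# Real header fetch for a token (needs network; not called by the demo).
fetch_token_headers() {
  curl -sS -f -I -H "Authorization: token $1" https://api.github.com
}

# token_has_scope HEADERS SCOPE
# Matches SCOPE as a whole comma-separated item. Header name is matched
# case-insensitively (HTTP/2 lowercases it) and CRs are stripped, so
# "admin:org" does not accidentally match "admin:org_hook".
token_has_scope() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -i '^x-oauth-scopes:' | cut -d: -f2- | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx "$2"
}

# create_org_hook ATTEMPT_CMD BOT_TOKEN CONFIG_TOKEN
# ATTEMPT_CMD receives a token as its only argument and exits 0 on success.
# Sets USED_TOKEN to "bot" or "config"; returns 1 when both attempts fail.
USED_TOKEN=""
create_org_hook() {
  attempt=$1; bot=$2; config=$3
  if "$attempt" "$bot"; then USED_TOKEN=bot; return 0; fi
  echo "bot token could not create the org hook, falling back to config token" >&2
  if "$attempt" "$config"; then USED_TOKEN=config; return 0; fi
  USED_TOKEN=""; return 1
}

# Constructed sample headers (not captured from GitHub) and a fake attempt
# that only succeeds with the config token placeholder.
SAMPLE_HEADERS="$(printf 'HTTP/2 200\r\nx-oauth-scopes: repo, admin:org_hook, workflow\r\n')"
fake_attempt() { [ "$1" = "CONFIG-TOKEN-PLACEHOLDER" ]; }

demo() {
  token_has_scope "$SAMPLE_HEADERS" admin:org_hook && echo "scope present"
  create_org_hook fake_attempt "BOT-TOKEN-PLACEHOLDER" "CONFIG-TOKEN-PLACEHOLDER"
  echo "webhook created with: $USED_TOKEN"
}
demo
```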
f87c87d to 248b59d
Signed-off-by: sebastien.heurtematte <[email protected]>
248b59d to fb29205
Signed-off-by: sebastien.heurtematte <[email protected]>
cdad03e to 633cdd4
In addition, the code has been refactored.
@fredg02 gentle ping 🙂
Stop relying on the eclipse webmaster token to create org hooks; rely on the bot token's permission instead.
This means adding a new permission to the bot token: admin:org_hook