Launchpad itself

Merge ~pappacena/launchpad:create-mp-refs into launchpad:master

Proposed by Thiago F. Pappacena on 2020-09-10

Status:	Needs review
Proposed branch:	~pappacena/launchpad:create-mp-refs
Merge into:	launchpad:master
Prerequisite:	~pappacena/launchpad:githosting-copy-and-delete-refs
Diff against target:	745 lines (+365/-27) 10 files modified lib/lp/code/interfaces/branchmergeproposal.py (+26/-1) lib/lp/code/interfaces/gitrepository.py (+12/-1) lib/lp/code/model/branchmergeproposal.py (+92/-0) lib/lp/code/model/githosting.py (+0/-1) lib/lp/code/model/gitrepository.py (+5/-2) lib/lp/code/model/tests/test_branchmergeproposal.py (+155/-0) lib/lp/code/model/tests/test_githosting.py (+0/-1) lib/lp/code/model/tests/test_gitrepository.py (+65/-19) lib/lp/code/subscribers/branchmergeproposal.py (+8/-2) lib/lp/code/tests/helpers.py (+2/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Colin Watson (community)		2020-09-10	Approve on 2020-10-05
Review via email: mp+390581@code.qastaging.launchpad.net

Commit message

Creating and deleting merge proposal virtual ref for "merge/xxx/head" on git hosting when appropriated.

Revision history for this message

William Grant (wgrant) wrote on 2020-09-11:

How does this interact with privacy?

Revision history for this message

Thiago F. Pappacena (pappacena) wrote on 2020-09-11:

wgrant, good point.

When a user opens a MP#1 targeting RepositoryX's master, for example, RepositoryX itself will have a read-only ref called `refs/merge/1/head`. The idea is that whomever is responsible for RepositoryX will have an easier way to pull locally the changes introduced by MP#1.

Let's assume a RepositoryX is private. In theory, nothing changes for the user opening the MP#1: the privacy checks and requirements to actually open a new MP targeting RepositoryX are still the same.

The only extra security check introduced on RepositoryX will be on Turnip side, to block pushes to `refs/merge/...` namespace: https://code.launchpad.net/~pappacena/turnip/+git/turnip/+merge/390620.

Do you see any specific privacy problem with this scenario?

Revision history for this message

William Grant (wgrant) wrote on 2020-09-12:

On 12/9/20 12:38 am, Thiago F. Pappacena wrote:
> wgrant, good point.
>
> When a user opens a MP#1 targeting RepositoryX's master, for example, RepositoryX itself will have a read-only ref called `refs/merge/1/head`. The idea is that whomever is responsible for RepositoryX will have an easier way to pull locally the changes introduced by MP#1.
>
> Let's assume a RepositoryX is private. In theory, nothing changes for the user opening the MP#1: the privacy checks and requirements to actually open a new MP targeting RepositoryX are still the same.
>
> The only extra security check introduced on RepositoryX will be on Turnip side, to block pushes to `refs/merge/...` namespace: https://code.launchpad.net/~pappacena/turnip/+git/turnip/+merge/390620.
>
> Do you see any specific privacy problem with this scenario?

The problem arises when the *source* repository is private. Consider,
for example, a security fix MP: a user can only view an MP if they can
see both the source and target branches. But this will let anyone who
can see the target repository examine the code in the MP from a
potentially invisible private branch.

Revision history for this message

Thiago F. Pappacena (pappacena) wrote on 2020-09-14:

wgrant, got it.

I guess we have 2 options in this case:

1- We don't add at all the the `refs/merge/<xxx>` if the source repository is private; or
2- We do extra permission checks on refs on Turnip on every operation, and not only pushes as it seems to be implemented today.

The first option brings some complexity in terms of changing a repository to/from private after the virtual ref is already created, but is simple to implement.

I prefer the second option, as it seems cleaner and better for the long term IMHO, although it might require (a small) extra implementation effort now.

Any thoughts on this?

Revision history for this message

Thiago F. Pappacena (pappacena) wrote on 2020-09-15:

Just to keep the record, it turn out that filtering git fetches is not that trivial, since there is no hook for that anymore (http://git.661346.n2.nabble.com/Removal-of-post-upload-hook-td4394312.html).

We will handle private repositories the following way:

1- When opening the MP, if the source is a different private repository, the virtual ref will not be created;
2- When opening the MP, if the source is the same repository (regardless of being private or not), we will create the virtual ref;
3- When opening the MP, if the owner of the source repository is the same as the owner of the target repository, we will creat ethe virtual ref
4- When privacy or the owner of a repository changes, we need to run a job to check again the above conditions and make sure that the virtual ref is created/deleted accordingly

I'll split in some MPs just to make the review easier (this MP is already a bit too big), but I guess all of these rules should be landed at once.

Revision history for this message

Thiago F. Pappacena (pappacena) wrote on 2020-09-21:

The MP with the job that should re-sync the virtual refs is here: https://code.launchpad.net/~pappacena/launchpad/+git/launchpad/+merge/390940.

As said before, they are splitted just to make the review process easier, but the functionality should only be landed once both MPs are ready to be landed together.

Revision history for this message

Colin Watson (cjwatson) on 2020-10-05:

review: Approve

Revision history for this message

Colin Watson (cjwatson) wrote on 2020-10-05:

Also please set a commit message.

Revision history for this message

Thiago F. Pappacena (pappacena) wrote on 2020-10-13:

Strange that the commit message is empty. I'm adding it now.

Pushed the requested changes. There are a few comments that may worth checking, cjwatson.

There was an error fetching revisions from git servers. Please try again in a few minutes. If the problem persists, contact Launchpad support.