On 4/3/14, 10:23 AM, Ehsan Akhgari wrote:We can go one step further.
We need to have a way to associate a user with their bugzilla auth pair
in order to be able to create the review request under that user name,
as bugzilla will be the authentication provider to RB.
We discussed how is going to work, and this is the plan going forward:
* We will make the ssh server accept any public key (but of course won't
give out shell access to people!). This means that we will accept
pushes from everybody as far as ssh is concerned.
* We will prompt on the client side for your Bugzilla user name and
password, use the Bugzilla REST API
<http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/WebService/Server/REST.html#AUTHENTICATION>
to perform the authentication, and will store the auth token locally,
and send it over to the server as part of the push. The token can then
be verified on the server side as part of the hook.
The bzexport Mercurial extension [1] and the python-mozautomation project [2] have Python modules to extract Bugzilla cookies from your Firefox profile. If a user has a Firefox profile with an active Bugzilla session, we should be able to silently piggyback on top of those credentials. I suppose we could go one step further and obtain credentials from Firefox's password manager.
That being said, I think there is a huge security problem here.
Correct me if I'm wrong, but I believe the Bugzilla auth token is as good as your login credentials. The only differences are that it has undergone a one-way transformation and expires after a shorter duration. What you are proposing is effectively giving the code review service the keys to *your* kingdom. I have doubts that will pass security review. If it did, I'm guessing we'd have to bring the code review tool into the same security scope as Bugzilla itself. And I thought we were trying to avoid that (at least initially).
I think we'll have to settle for:
a) Having the client perform all interaction with Bugzilla itself (this sucks because the server may want to track that state and distributed "transactions" are hard).
b) Chained authentication with delegated Bugzilla keys. Client proves its identity with code review server. Code review server communicates with Bugzilla using some special "admin" account that can post as others.
c) Something like OAuth with service access keys, signed requests, etc.
Distributed service authentication is hard. But it's how you play the game while staying secure. It's best to ask someone in the security group what our next steps should be. Perhaps someone from BMO can comment on Bugzilla's delegated authentication story?
[1] https://hg.mozilla.org/hgcustom/version-control-tools/file/b4d8563b207e/hgext/bzexport/bzauth.py
[2] https://bitbucket.org/indygreg/python-mozautomation/src/935dfb1d466f965afcbc3df524e227327c121b1f/mozautomation/bugzilla.py?at=default
On Thu, Apr 3, 2014 at 4:54 PM, Gregory Szorc <g...@mozilla.com> wrote:On 4/3/14, 10:23 AM, Ehsan Akhgari wrote:We can go one step further.
We need to have a way to associate a user with their bugzilla auth pair
in order to be able to create the review request under that user name,
as bugzilla will be the authentication provider to RB.
We discussed how is going to work, and this is the plan going forward:
* We will make the ssh server accept any public key (but of course won't
give out shell access to people!). This means that we will accept
pushes from everybody as far as ssh is concerned.
* We will prompt on the client side for your Bugzilla user name and
password, use the Bugzilla REST API
<http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/WebService/Server/REST.html#AUTHENTICATION>
to perform the authentication, and will store the auth token locally,
and send it over to the server as part of the push. The token can then
be verified on the server side as part of the hook.
The bzexport Mercurial extension [1] and the python-mozautomation project [2] have Python modules to extract Bugzilla cookies from your Firefox profile. If a user has a Firefox profile with an active Bugzilla session, we should be able to silently piggyback on top of those credentials. I suppose we could go one step further and obtain credentials from Firefox's password manager.Yeah, sorry I didn't mention this. This was also discussed but this method is fragile in a lot of edge cases (some of them are the kinds of things that developers can hit regularly, such as having a Firefox profile as the default where you have not logged in to Bugzilla.)
That being said, I think there is a huge security problem here.
Correct me if I'm wrong, but I believe the Bugzilla auth token is as good as your login credentials. The only differences are that it has undergone a one-way transformation and expires after a shorter duration. What you are proposing is effectively giving the code review service the keys to *your* kingdom. I have doubts that will pass security review. If it did, I'm guessing we'd have to bring the code review tool into the same security scope as Bugzilla itself. And I thought we were trying to avoid that (at least initially).That's a great point. Is that something that we can ask the security team about? Taras, can you please take that on?
--
You received this message because you are subscribed to the Google Groups "mozilla-code-review" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mozilla-code-re...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
AFAIK we have to support contributions from developers without commit access.
--
You received this message because you are subscribed to the Google Groups "mozilla-code-review" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mozilla-code-review+unsub...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to mozilla-code-re...@googlegroups.com.
Can we do something stupid here to start?Eg support unauthenticated pushed and then allow them to be claimed via a web ui?Taras
From: "George Miroshnykov" <gmiros...@rebbix.com>
To: "James Graham" <ja...@hoppipolla.co.uk>
Cc: mozilla-c...@googlegroups.com
Sent: Friday, April 4, 2014 9:32:27 AM
Subject: Re: Plan for authenticating the user to RB as part of the push
AFAIK we have to support contributions from developers without commit access.
On Apr 4, 2014 7:09 PM, "James Graham" <ja...@hoppipolla.co.uk> wrote:
On 04/04/14 17:05, George Miroshnykov wrote:
Hey James,
I believe the intention is to not copy users over into Review Board and then keeping them in sync with Bugzilla.
Instead we need a way to a) authenticate and b) assign reviewers based on the user accounts from Bugzilla,
because otherwise the maintenance overhead of the review tool will be too high.
Have we considered using the same authentication system as Try i.e. has the idea of requiring L1 commit access to post a review been considered and rejected? It seems like basing the auth around LDAP makes a lot of sense, and, as you point out, there are consequences to being able to push to code review which are not dissimilar to those of being able to push to Try (especially if force pushes are allowed).
--
You received this message because you are subscribed to the Google Groups "mozilla-code-review" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mozilla-code-re...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
That would be unfortunate, considering we’ve just dropped the web UI :)The way it works right now is basically you need a b.m.o account in order to push for review.Is this good enough or should we look for another solution?On April 4, 2014 at 19:40:59 , Taras Glek (tg...@mozilla.com) wrote:
Friday, April 4, 2014 9:40
Can we do something stupid here to start?Eg support unauthenticated pushed and then allow them to be claimed via a web ui?Taras
--
You received this message because you are subscribed to the Google Groups "mozilla-code-review" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mozilla-code-re...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Friday, April 4, 2014 9:32
AFAIK we have to support contributions from developers without commit access.
--
You received this message because you are subscribed to the Google Groups "mozilla-code-review" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mozilla-code-re...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Friday, April 4, 2014 9:08
Have we considered using the same authentication system as Try i.e. has the idea of requiring L1 commit access to post a review been considered and rejected? It seems like basing the auth around LDAP makes a lot of sense, and, as you point out, there are consequences to being able to push to code review which are not dissimilar to those of being able to push to Try (especially if force pushes are allowed).
Friday, April 4, 2014 9:05
Hey James,I believe the intention is to not copy users over into Review Board and then keeping them in sync with Bugzilla.Instead we need a way to a) authenticate and b) assign reviewers based on the user accounts from Bugzilla,because otherwise the maintenance overhead of the review tool will be too high.
But personally I don’t have a preference here.I’m not familiar with Bugzilla workflow regarding bots, but if we stick to the current auth scheme, we can create separate accounts for them.Thanks,GeorgeOn April 4, 2014 at 6:53:06 PM, James Graham (ja...@hoppipolla.co.uk) wrote:
AFAIK we have to support contributions from developers without commit access.
To unsubscribe from this group and stop receiving emails from it, send an email to mozilla-code-re...@googlegroups.com.
So I’ve played around with different authentication approaches and here’s the outcome so far.First, let me recap the steps of our flow that requires authentication:1. hg push via SSH2. RB API to create and update review requests3. BZ API to automatically attach the link to RB review request (and possibly keep track of review status etc.)For the first step, we’ve discussed that we will allow anonymous pushes.Before that we also discussed that we’re allowing force-pushes for a number of reasons.AFAIK those two points combined mean than anyone can wipe out the whole review repo and it’s history.There may be ways to work around this, but I’m not yet sure how reliable they’ll be.
The second authentication (RB API) was previously implemented via server-side configuration.The hook was pre-configured with RB credentials (admin), so all review request activity was performed via that user.What we want instead is to manage review requests using user-specific Bugzilla credentials.We already have a RB extension that adds BZ authentication backend:Unfortunately I couldn’t install it: after I did `pip install rbbz`, RB insisted that "There are no extensions installed.”I’ll pick this up separately with Mark.So at this point, the hook doesn’t have to know anything about Bugzilla credentials - it only needs to authenticate with user-specific RB credentials.This means that RB credentials are no longer configured once on the server, but instead they must be passed along during `hg push` like this:RT_BUG=31337 RT_USERNAME=gmiroshnykov RT_PASSWORD=secret hg push -f -e 'ssh -o SendEnv=RT_*’Of course this will be hidden behind `mach`, but for now we can rewrite it for readability:export RT_BUG=31337export RT_USERNAME=gmiroshnykovexport RT_PASSWORD=secrethg push -f -e 'ssh -o SendEnv=RT_*’
Thanks for putting that succinctly. :) Off-hand, I don't think there is any way to limit damages; as others have said, it's basically as good as a username & password. But I'll ask glob on Monday. If you have any ideas as to how damage might be limited in a perfect world (e.g. with unlimited resources :) please let me know.
On April 4, 2014 at 23:58:07 , James Graham (ja...@hoppipolla.co.uk) wrote:
On 04/04/14 20:36, George Miroshnykov wrote:
> Once we have the initial URL, we probably want to track review status in Bugzilla, but to what extent?
> Should we add a comment in Bugzilla each time someone leaves a review comment?
That would be terrible, I think. Once you have a good code review tool,
people tend to leave more comments than they do with the current
bugzilla setup. Presumably the code review tool will already send out
emails (batched, I hope; github doesn't batch email and its code review
system is intolerable for that reason alone, although it is also flawed
in other ways) for those comments. Getting the same email from bugzilla
would be pure spam.
> Should we add a comment for every new changeset pushed?
From the code review tool, yes. After all reviewers need to know that
they have more work to do in that review. I don't see why we would want
bugzilla to duplicate that.
> Should we show remove a Bugzilla attachment for discarded review requests?
We aren't planning to try and upload a patch to bugzilla for every
review request are we? What would be the point of that?
Sorry, that was really unclear on my part.
What I meant was that AFAIK you can add a Review Board link to Bugzilla bug by adding it as an attachment with a special content-type.
If the corresponding review request is closed for some reason, we may wish to discard that attachment containing the link.
I’m not suggesting to attach the actual patches :)
On April 4, 2014 at 11:56:13 PM, Ehsan Akhgari (ehsan....@gmail.com) wrote:
On Fri, Apr 4, 2014 at 11:21 AM, George Miroshnykov <gmiros...@rebbix.com> wrote:Of course this will be hidden behind `mach`, but for now we can rewrite it for readability:export RT_BUG=31337export RT_USERNAME=gmiroshnykovexport RT_PASSWORD=secrethg push -f -e 'ssh -o SendEnv=RT_*’I assume once the rbbz extension issue is fixed this will be replaced by the bugzilla token right?If yes that sounds good!
Ehsan
Good question!
It looks like we need the following auth options from Review Board: