Handle expired GitHub token by coverbeck · Pull Request #6051 · dockstore/dockstore · GitHub

Handle expired GitHub token #6051


Merged: 5 commits merged into hotfix/1.16.1 from feature/seab-6850/expiredtoken, Dec 11, 2024

Conversation

coverbeck (Collaborator) commented Dec 10, 2024

Description
Handles the case where a Dockstore user with an expired GitHub token is involved in a GitHub push notification.

Steve described the bug in the ticket, here's my step-by-step view:

  1. There's a push for a repo with an existing workflow(s)
  2. Who did the push (the sender) doesn't matter (bot, a Dockstore user)
  3. The push can have multiple users associated with it -- authors and committers from all the commits being pushed.
  4. We attempt to list each of those users' GitHub repos so we can automatically add them to the workflow if the repo is one of theirs.
  5. One of those users has an expired GitHub token, which throws an exception and rolls back everything.

Alternative and/or temporary fix: we could delete expired GitHub tokens, which may not be a bad idea anyway. The problem is we don't have an easy way to figure that out, and it would be sort of risky updating the DB directly with SQL.

Review Instructions
This will be tricky to verify in staging.

Find an event that failed and redeliver it in prod.

Verify there are no errors in CloudWatch if you search for "Bad credentials" "Error handling push event"

Issue
SEAB-6850

Security and Privacy

If there are any concerns that require extra attention from the security team, highlight them here and check the box when complete.

  • Security and Privacy assessed

e.g. Does this change...

  • Any user data we collect, or data location?
  • Access control, authentication or authorization?
  • Encryption features?

Please make sure that you've checked the following before submitting your pull request. Thanks!

  • Check that you pass the basic style checks and unit tests by running mvn clean install
  • Ensure that the PR targets the correct branch. Check the milestone or fix version of the ticket.
  • Follow the existing JPA patterns for queries, using named parameters, to avoid SQL injection
  • If you are changing dependencies, check the Snyk status check or the dashboard to ensure you are not introducing new high/critical vulnerabilities
  • Assume that inputs to the API can be malicious, and sanitize and/or check for Denial of Service type values, e.g., massive sizes
  • Do not serve user-uploaded binary images through the Dockstore API
  • Ensure that endpoints that only allow privileged access enforce that with the @RolesAllowed annotation
  • Do not create cookies, although this may change in the future
  • If this PR is for a user-facing feature, create and link a documentation ticket for this feature (usually in the same milestone as the linked issue). Style points if you create a documentation PR directly and link that instead.
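The failure mode walked through in the description (one expired token among many push participants aborting the whole event) and the fail-soft handling it calls for, as an added example. This is not Dockstore's code: it is a Python stand-in for the push-event handler, and the `list_user_repos` client call, the `BadCredentials` exception, and the sample users are all constructed assumptions standing in for the real GitHub client and its 401 "Bad credentials" response.

```python
# Added example, not Dockstore's code: a Python stand-in for the push-event
# handler described above. The GitHub client, the BadCredentials exception
# and the sample users are constructed assumptions.
import logging
from dataclasses import dataclass, field

log = logging.getLogger("push-event")


class BadCredentials(Exception):
    """Stand-in for the 401 'Bad credentials' error a GitHub client raises
    when a user's token has expired (assumption about the client)."""


@dataclass
class User:
    name: str
    token_expired: bool
    repos: list


def list_user_repos(user: User) -> set:
    """Hypothetical client call: lists the repos the user's token can see,
    and fails the way the real API does when the token is expired."""
    if user.token_expired:
        raise BadCredentials(f"Bad credentials for user {user.name}")
    return set(user.repos)


@dataclass
class PushResult:
    added: list = field(default_factory=list)    # users added to the workflow
    skipped: list = field(default_factory=list)  # users whose token failed


def handle_push_naive(repo: str, users: list) -> PushResult:
    """The pre-fix shape: a BadCredentials escapes the loop, so one expired
    token aborts the whole event (in a transactional handler, rolls it back)."""
    result = PushResult()
    for user in users:
        if repo in list_user_repos(user):
            result.added.append(user.name)
    return result


def handle_push(repo: str, users: list) -> PushResult:
    """Fail soft per user: an expired token is logged and skipped, and every
    other author/committer on the push is still processed."""
    result = PushResult()
    for user in users:
        try:
            repos = list_user_repos(user)
        except BadCredentials as exc:
            # Keep the log line searchable ("Bad credentials") so a log query
            # like the CloudWatch check in the review instructions still finds it.
            log.warning("Skipping %s while handling push event: %s", user.name, exc)
            result.skipped.append(user.name)
            continue
        if repo in repos:
            result.added.append(user.name)
    return result


# Constructed sample: three authors/committers on one push, one of them
# with an expired token.
SAMPLE_REPO = "example-org/hello-workflow"
SAMPLE_USERS = [
    User("alice", token_expired=False, repos=[SAMPLE_REPO]),
    User("bob", token_expired=True, repos=[SAMPLE_REPO]),
    User("carol", token_expired=False, repos=["example-org/other-repo"]),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    try:
        handle_push_naive(SAMPLE_REPO, SAMPLE_USERS)
    except BadCredentials as exc:
        print("naive handler aborted the whole event:", exc)
    print("fail-soft handler:", handle_push(SAMPLE_REPO, SAMPLE_USERS))
```

The naive handler never returns for the sample input because bob's expired token raises out of the loop, so alice, who should have been added, is lost too. The fail-soft handler returns alice as added and bob as skipped; keeping the skipped list (rather than silently swallowing the error) is what you would need if you later wanted to act on expired tokens, as the description's alternative fix floats.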

@coverbeck coverbeck self-assigned this Dec 10, 2024
codecov bot commented Dec 10, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 74.52%. Comparing base (daa7b3d) to head (fc4b021).
Report is 1 commits behind head on hotfix/1.16.1.

Additional details and impacted files
@@                 Coverage Diff                 @@
##             hotfix/1.16.1    #6051      +/-   ##
===================================================
+ Coverage            74.49%   74.52%   +0.02%     
- Complexity            5504     5506       +2     
===================================================
  Files                  381      381              
  Lines                19797    19800       +3     
  Branches              2044     2044              
===================================================
+ Hits                 14748    14756       +8     
+ Misses                4070     4065       -5     
  Partials               979      979              
Flag Coverage Δ
bitbuckettests 26.64% <0.00%> (-0.01%) ⬇️
hoverflytests 27.96% <0.00%> (-0.01%) ⬇️
integrationtests 56.78% <100.00%> (+0.03%) ⬆️
languageparsingtests 11.04% <0.00%> (-0.01%) ⬇️
localstacktests 21.55% <0.00%> (-0.01%) ⬇️
toolintegrationtests 30.01% <0.00%> (-0.01%) ⬇️
unit-tests_and_non-confidential-tests 25.83% <0.00%> (-0.01%) ⬇️
workflowintegrationtests 38.04% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown.


@@ -453,7 +453,7 @@ void testTRSImageName() {
trsVersion = ga4Ghv20Api.toolsIdVersionsVersionIdGet("#workflow/github.com/" + DockstoreTesting.HELLO_WDL_WORKFLOW, quayDigestVersionName);
assertEquals(1, trsVersion.getImages().size(), "Should be one image in this TRS version");
trsVersion.getImages().forEach(image -> assertEquals(
"quay.io/ga4gh-dream/dockstore-tool-helloworld@sha256:3a854fd1ebd970011fa57c8c099347314eda36cc746fd831f4deff9a1d433718", image.getImageName()));
"quay.io/ga4gh-dream/dockstore-tool-helloworld@sha256:71c0f43d9081cb14411adae56773762b1e829f7175645484571dcb1c6e120d23", image.getImageName()));
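Review bot: the expected image digest in the `assertEquals` is swapped for a new value with nothing in the hunk recording why it changed, and a test pinned to a registry image digest will break again the next time that image is rebuilt. Suggest adding a short comment next to the expected value noting where the new digest came from (the comment below says it was cherry-picked from another PR), or moving the digest into a named constant alongside `DockstoreTesting.HELLO_WDL_WORKFLOW` so the next update happens in one place.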
coverbeck (Collaborator, Author) commented:
Cherry-pick from Steve's PR to fix test.

Charles Overbeck added 2 commits December 10, 2024 16:04
svonworl (Contributor) left a comment:

THIS COMMENT WAS WRONG, so I nuked it. Can't figure out why I can't just delete it.


@coverbeck coverbeck merged commit 9e2c316 into hotfix/1.16.1 Dec 11, 2024
19 of 20 checks passed
@coverbeck coverbeck deleted the feature/seab-6850/expiredtoken branch December 11, 2024 19:18