Fix an issue with incorrect authorization handling in Working Copy build steps

Summary: Fixes T9669. Two issues: - We were using `repositoryPHIDs` instead of `blueprintPHIDs` for the list of allowed blueprints. Use the correct value. - We weren't enforcing `allowedBlueprintPHIDs` fully correctly. We //did// require an authorization, so the net effect was correct in nearly all cases, but we could have selected from too large a pool in the case where the application itself was doing the authorization (e.g., from the command line). Test Plan: Ran a build through Drydock/Harbormaster locally. Reviewers: chad, tycho.tatitscheff Reviewed By: chad, tycho.tatitscheff Subscribers: tycho.tatitscheff Maniphest Tasks: T9669 Differential Revision: https://secure.phabricator.com/D14368
2024-11-19 05:12:41 +01:00 · 2015-10-30 16:02:35 +00:00 · 2015-10-30 16:02:35 +00:00 · f48a833704
commit f48a833704
parent 096117aacd
2 changed files with 10 additions and 6 deletions
--- a/src/applications/drydock/worker/DrydockLeaseUpdateWorker.php
+++ b/src/applications/drydock/worker/DrydockLeaseUpdateWorker.php
@ -309,17 +309,18 @@ final class DrydockLeaseUpdateWorker extends DrydockWorker {
      return array();
    }

-    $query = id(new DrydockBlueprintQuery())
-      ->setViewer($viewer)
-      ->withBlueprintClasses(array_keys($impls))
-      ->withDisabled(false);
-
    $blueprint_phids = $lease->getAllowedBlueprintPHIDs();
    if (!$blueprint_phids) {
      $lease->logEvent(DrydockLeaseNoBlueprintsLogType::LOGCONST);
      return array();
    }

+    $query = id(new DrydockBlueprintQuery())
+      ->setViewer($viewer)
+      ->withPHIDs($blueprint_phids)
+      ->withBlueprintClasses(array_keys($impls))
+      ->withDisabled(false);
+
    // The Drydock application itself is allowed to authorize anything. This
    // is primarily used for leases generated by CLI administrative tools.
    $drydock_phid = id(new PhabricatorDrydockApplication())->getPHID();
--- a/src/applications/harbormaster/step/HarbormasterLeaseWorkingCopyBuildStepImplementation.php
+++ b/src/applications/harbormaster/step/HarbormasterLeaseWorkingCopyBuildStepImplementation.php
@ -41,7 +41,10 @@ final class HarbormasterLeaseWorkingCopyBuildStepImplementation
      $working_copy_type = id(new DrydockWorkingCopyBlueprintImplementation())
        ->getType();

-      $allowed_phids = $build_target->getFieldValue('repositoryPHIDs');
+      $allowed_phids = $build_target->getFieldValue('blueprintPHIDs');
+      if (!is_array($allowed_phids)) {
+        $allowed_phids = array();
+      }
      $authorizing_phid = $build_target->getBuildStep()->getPHID();

      $lease = DrydockLease::initializeNewLease()