Comments (11)
FAO @jeffmendoza
from allstar.
I was about to open a separate issue, but maybe it makes sense to tack onto this...
I got this issue soon after the PR was merged.
Could we invert the logic and make ownerless
allowed by default, mostly because ownerless is somewhat of a misnomer?
Any org with sufficient org admins mean the repos have owners transitively.
For org admins that are fine with that, we should not change behavior and notify them, but instead allow them to opt-in to the new restriction.
from allstar.
I could also see a few other scenarios:
- no outside collaborators
- outside collaborators, but not oc admins
- outside collaborators are allowed admin
- outside collaborators are allowed admin IFF there are org member admins
- ownerless disallowed
- ownerless allowed
from allstar.
However, the repo has a team with admin access, and a member of the org is on this team. Perhaps the change didn't take into account the scenario of an admin team as opposed to a member being an admin directly on the team?
@coheigea I did take this into account, and it should be passing in this case. (code is here), however there could be a bug. Do you mind sharing the org/name of your repo, and I can check the logs? I'll double check the logic in my test org as well.
Could we invert the logic and make ownerless allowed by default, mostly because ownerless is somewhat of a misnomer?
Any org with sufficient org admins mean the repos have owners transitively.
For org admins that are fine with that, we should not change behavior and notify them, but instead allow them to opt-in to the new restriction.
@justaugustus A couple thoughts here. While I acknowledge that it is least disruptive to have new features turned off by default, it is also a goal for me to have Allstar's default settings represent the highest level of security best practices that we (OpenSSF) can recommend. For example, the Branch Protection default settings are quite restrictive. I don't think it makes sense for the policy defaults to be a relic of the order in which they were implemented. An area I should improve here is documentation. We should have a "What's New" or "Changelog" front and center covering these changes and not leave them buried in the commit history.
That said, I also acknowledge that my point of view is from a large-org perspective, and while the org admins do have transient permissions on all repos, they can't be expected to be responsible for all repos, and a direct admin should be required. I see how this would not be the case for a small org. I'd like to bring this up at the next "Best Practices" WG meeting to discuss further.
from allstar.
@jeffmendoza The issue is raised here: Talend/helm-charts-public#43
from allstar.
@coheigea Thank you! I've checked the logs and unfortunately Allstar is not picking up any teams for your repo. I'm not quite sure why, as it is picking up teams for some other installations. It would be very helpful if you could do a little debug, would this be possible?
Create your own PAT then run something like this for your repo:
curl \
-H "Authorization: token $(cat ~/ghpat)" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/jeffmendoza-test-org/test-repo-two/teams
(I keep my pat in ~/ghpat
)
For my test repo, I get:
[
{
"name": "Admins",
"id": 5490956,
"node_id": "T_kwDOBb-5Cc4AU8kM",
"slug": "admins",
"description": "",
"privacy": "closed",
"url": "https://api.github.com/organizations/96450825/team/5490956",
"html_url": "https://github.com/orgs/jeffmendoza-test-org/teams/admins",
"members_url": "https://api.github.com/organizations/96450825/team/5490956/members{/member}",
"repositories_url": "https://api.github.com/organizations/96450825/team/5490956/repos",
"permission": "admin",
"permissions": {
"admin": true,
"maintain": true,
"push": true,
"triage": true,
"pull": true
},
"parent": null
}
]
Just let me know if you get any teams, and if they have the permissions that you expect (admin). Thanks!
from allstar.
Hi @jeffmendoza ,
Calling https://api.github.com/repos/talend/helm-charts-public/teams I can see two teams, the second of which is the admin team:
from allstar.
@coheigea Thank you for testing!
I've figured out the issue. The API is supposed to work on any repo, regardless of org permissions, if the App requested "administration read" permissions, which Allstar did.
However, it seems that this API is not working on orgs that have the App installed on "Only select repositories", if Allstar is installed on "All repositories" for the org, then the API works fine. I believe this to be a bug with the GitHub API and have opened a support ticket with them.
While we wait, and I potentially have to rework the code to use a different API, I will disable this feature. Sorry for the noise, and thanks again for helping.
from allstar.
@jeffmendoza We could add a doc update in the meanwhile. The current installation directions in the README.md suggest choosing "All repositories" at the App installation step but with no indication of why. While this gets sorted out, we could word it a bit more strongly. Something like: "Choose 'All Repositories' under Repository Access, even if you plan to disable Allstar on some repositories later. If you do not choose 'All Repositories' in this step, certain Allstar features may not work." Would that help?
from allstar.
Thanks for the great support @jeffmendoza , hopefully GitHub can fix the issue quickly, because I think it's a valuable check.
It could be extended to configure a maximum number of individual admins for a given repo, so that we can enforce policies about how many people can have admin privileges on a repo.
from allstar.
This is fixed in #115 , but it not turned on in default settings. I won't turn it on by default without further communication to users.
from allstar.
Related Issues (20)
- [Feature Request]: Check rulesets for branch protection rules HOT 2
- Allstar not opening issue on a fork HOT 2
- FR: Add a check for pinned dependencies HOT 4
- OptConfig missing on GH action policies
- Having setup difficulty using ossf provided instance HOT 1
- Prevent enforcement of `Branch Protection` on archived repositories HOT 1
- Create GitHub private vulnerability reports as an action
- Policy for checking for arbitrary file existence HOT 8
- [bug] Issue in member repo is updated/edited when org config IssueRepo is set centrally HOT 1
- [improvement] Allow app running with --once to exit with error when policy errors are encountered HOT 1
- Time for a new release? HOT 4
- Feature: Add `issueDetails` option to the configuration files
- Emit logs with details about configuration origin and final configuration
- Outside collaborators should be override-able at the repo-level HOT 2
- Allstar operations overview follow-ups HOT 1
- Improve Allstar's Scorecard HOT 2
- Update emitted copy around OpenSSF Scorecard checks
- Document recent changes to the generic Scorecard policy HOT 1
- Interested in support for self-hosted GHE installation HOT 2
- Issue with Allstar Branch Protection Enforcement (404 errors upon action: fix) HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from allstar.