Skip to content

Fixup automatically created feed permissions#8037

Merged
mmitche merged 6 commits into
dotnet:mainfrom
mmitche:fix-feed-perms
Oct 20, 2021
Merged

Fixup automatically created feed permissions#8037
mmitche merged 6 commits into
dotnet:mainfrom
mmitche:fix-feed-perms

Conversation

@mmitche

@mmitche mmitche commented Oct 13, 2021

Copy link
Copy Markdown
Member

Tighten up the feed permissions used when creating new feeds on the fly, or when publishing signed assets, and do a bit of refactoring in the process.

  • Put internal feeds into the internal project, rather than the organization. This is where they should have been from the beginning. There was mainly confusion about project vs. org scoped feeds when this was created.
  • Tweak the default feed permissions so that:
    • Members of dnceng get read perms on the local view (this avoids an issue where we used to have to add people as Contributors). This is done by patching the local feed view after feed creation.
    • Admins get ownership
    • the internal and collection build service accounts get write access
  • Added some nice NYI exceptions that should fire if we ever change the organization or project that we are running in.
  • Update references to the task, in PublishSignedAssets.proj and SetupTargetFeedConfigV3, to use the new task parameters.

Refactoring:

  • Remove SetupTargetFeeds.proj (v2 support), which is unused. I chose to do this because it also contain a reference to CreateAzureDevOpsFeed
  • Set the default publishing version to 3
  • Remove IsInternal as a feed task creation parameter and replace it with the AzDO project. The AzDO project defines the visibility, and this cleans up a little of the dnceng-isms and enables moving them into some helper methods
  • Add helper methods for determining some aspects of the feed names
  • Refactor some variable names to make them clearer

To double check:

Tighten up the feed permissions used when creating new feeds on the fly, or when publishing signed assets, and do a bit of refactoring in the process.
- Put internal feeds into the internal project, rather than the organization. This is where they should have been from the beginning. There was mainly confusion about project vs. org scoped feeds when this was created.
- Tweak the default feed permissions so that:
  - Members of dnceng get read perms on the local view (this avoids an issue where we used to have to add people as Contributors). This is done by patching the local feed view after feed creation.
  - Admins get ownership
  - the internal and collection build service accounts get write access
- Added some nice NYI exceptions that should fire if we ever change the organization or project that we are running in.
- Update references to the task, in PublishSignedAssets.proj and SetupTargetFeedConfigV3, to use the new task parameters.

Refactoring:
- Remove SetupTargetFeeds.proj (v2 support), which is unused. I chose to do this because it also contain a reference to CreateAzureDevOpsFeed
- Set the default publishing version to 3
- Remove IsInternal as a feed task creation parameter and replace it with the AzDO project. The AzDO project defines the visibility, and this cleans up a little of the dnceng-isms and enables moving them into some helper methods
- Add helper methods for determining some aspects of the feed names
- Refactor some variable names to make them clearer
@mmitche
mmitche requested review from a user, epananth and michellemcdaniel October 13, 2021 22:43
@mmitche

mmitche commented Oct 13, 2021

Copy link
Copy Markdown
Member Author

@mmitche mmitche changed the title Fixup automatically create feed permissions Fixup automatically created feed permissions Oct 13, 2021

@ghost ghost left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Some nits

Comment thread src/Microsoft.DotNet.Arcade.Sdk/tools/SdkTasks/PublishSignedAssets.proj Outdated
Comment thread src/Microsoft.DotNet.Build.Tasks.Feed/src/CreateAzureDevOpsFeed.cs Outdated
Comment thread src/Microsoft.DotNet.Build.Tasks.Feed/src/CreateAzureDevOpsFeed.cs Outdated
Comment thread src/Microsoft.DotNet.Build.Tasks.Feed/src/CreateAzureDevOpsFeed.cs Outdated

@michellemcdaniel michellemcdaniel left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some nits

When the new target feed specifications were created, they collapsed down the feed specs for shipping and non-shipping package asset selection in cases where the target would be the same feed. This subtlety was required though, since in case of a stable build, we want just the shipping packages to go to a separate, newly created feed. The current code correct substitutes this if the TargetFeedSpecifications are broken out for ShippingOnly and NonShippingOnly, but there are a number of channels that did not break them out. Instead, it tried to send shipping packages to the isolated feed, and all packages to the non-isolated feed.

To fix this, separate out the TargetFeedSpecifications and put a check into the constructor to ensure that this can't be done accidentally.
Also
- Do a little refactoring for clarity.
- Add a test to ensure that this throws
@mmitche
mmitche enabled auto-merge (squash) October 20, 2021 02:55
@mmitche
mmitche merged commit cb683d5 into dotnet:main Oct 20, 2021
@mmitche
mmitche deleted the fix-feed-perms branch February 9, 2022 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants