Merge branch 'main' into issue-2664-same-repo-shortcut-comment-sender

Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>

Author: chmouel

pkg/provider/github/acl.go

@@ -211,6 +211,11 @@ func (v *Provider) aclCheckAll(ctx context.Context, rev *info.Event) (bool, erro
 		if isFromSameRepo {
 			return true, nil
 		}
+	} else if rev.PullRequestNumber != 0 && v.Logger != nil {
+		v.Logger.Debugf(
+			"Skipping same-repo pull request shortcut for untrusted event %T on %s/%s#%d from sender %s",
+			rev.Event, rev.Organization, rev.Repository, rev.PullRequestNumber, rev.Sender,
+		)
 	}
 
 	// If the user who has submitted the pr is a owner on the repo then allows

pkg/provider/github/acl_test.go

@@ -816,3 +816,35 @@ func TestIfPullRequestIsForSameRepoWithoutFork(t *testing.T) {
 		})
 	}
 }
+
+func TestACLCheckAllIssueCommentLogsShortcutSkip(t *testing.T) {
+	fakeclient, _, _, teardown := ghtesthelper.SetupGH()
+	defer teardown()
+
+	ctx, _ := rtesting.SetupFakeContext(t)
+	repo := &v1alpha1.Repository{Spec: v1alpha1.RepositorySpec{
+		Settings: &v1alpha1.Settings{},
+	}}
+	observer, logs := zapobserver.New(zap.DebugLevel)
+
+	gprovider := Provider{
+		ghClient: fakeclient,
+		repo:     repo,
+		Logger:   zap.New(observer).Sugar(),
+	}
+
+	allowed, err := gprovider.aclCheckAll(ctx, &info.Event{
+		Organization:      "owner",
+		Sender:            "nonowner",
+		Repository:        "repo",
+		PullRequestNumber: 1,
+		HeadURL:           "http://org.com/owner/repo",
+		BaseURL:           "http://org.com/owner/repo",
+		HeadBranch:        "main",
+		BaseBranch:        "dependabot",
+		Event:             &github.IssueCommentEvent{},
+	})
+	assert.NilError(t, err)
+	assert.Equal(t, false, allowed)
+	assert.Assert(t, logs.FilterMessageSnippet("Skipping same-repo pull request shortcut for untrusted event").Len() == 1)
+}

pkg/provider/github/detect.go

@@ -76,8 +76,11 @@ func (v *Provider) detectTriggerTypeFromPayload(ghEventType string, eventInt any
 		}
 		return "", fmt.Sprintf("pull_request: unsupported action \"%s\"", event.GetAction())
 	case *github.IssueCommentEvent:
-		if event.GetAction() == "created" &&
-			event.GetIssue().IsPullRequest() &&
+		if event.GetAction() != "created" {
+			return "", fmt.Sprintf("issue_comment: unsupported action \"%s\"", event.GetAction())
+		}
+
+		if event.GetIssue().IsPullRequest() &&
 			event.GetIssue().GetState() == "open" {
 			if opscomments.IsTestRetestComment(event.GetComment().GetBody(), gitOpsCommentPrefix) {
 				return triggertype.Retest, ""
@@ -101,18 +104,20 @@ func (v *Provider) detectTriggerTypeFromPayload(ghEventType string, eventInt any
 		}
 		return "", fmt.Sprintf("check_run: unsupported action \"%s\"", event.GetAction())
 	case *github.CommitCommentEvent:
-		if event.GetAction() == "created" {
-			if opscomments.IsTestRetestComment(event.GetComment().GetBody(), gitOpsCommentPrefix) {
-				return triggertype.Retest, ""
-			}
-			if opscomments.IsCancelComment(event.GetComment().GetBody(), gitOpsCommentPrefix) {
-				return triggertype.Cancel, ""
-			}
-			// Here, the `/ok-to-test` command is ignored because it is intended for pull requests.
-			// For unauthorized users, it has no relevance to pushed commits, as only authorized users
-			// are allowed to run CI on pushed commits. Therefore, the `ok-to-test` command holds no significance in this context.
-			// However, it is left to be processed by the `on-comment` annotation rather than returning an error.
+		if event.GetAction() != "created" {
+			return "", fmt.Sprintf("commit_comment: unsupported action \"%s\"", event.GetAction())
+		}
+
+		if opscomments.IsTestRetestComment(event.GetComment().GetBody(), gitOpsCommentPrefix) {
+			return triggertype.Retest, ""
+		}
+		if opscomments.IsCancelComment(event.GetComment().GetBody(), gitOpsCommentPrefix) {
+			return triggertype.Cancel, ""
 		}
+		// Here, the `/ok-to-test` command is ignored because it is intended for pull requests.
+		// For unauthorized users, it has no relevance to pushed commits, as only authorized users
+		// are allowed to run CI on pushed commits. Therefore, the `ok-to-test` command holds no significance in this context.
+		// However, it is left to be processed by the `on-comment` annotation rather than returning an error.
 		return triggertype.Comment, ""
 	}
 	return "", fmt.Sprintf("github: event \"%v\" is not supported", ghEventType)

pkg/provider/github/detect_test.go

@@ -74,9 +74,10 @@ func TestProviderDetect(t *testing.T) {
 			event: github.CommitCommentEvent{
 				Action: github.Ptr("something"),
 			},
+			wantReason: "commit_comment: unsupported action \"something\"",
 			eventType:  "commit_comment",
 			isGH:       true,
-			processReq: true,
+			processReq: false,
 		},
 		{
 			name: "invalid check run Event",
@@ -92,9 +93,10 @@ func TestProviderDetect(t *testing.T) {
 			event: github.IssueCommentEvent{
 				Action: github.Ptr("deleted"),
 			},
+			wantReason: "issue_comment: unsupported action \"deleted\"",
 			eventType:  "issue_comment",
 			isGH:       true,
-			processReq: true,
+			processReq: false,
 		},
 		{
 			name: "issue comment Event with no valid comment",

pkg/provider/github/parse_payload.go

@@ -353,9 +353,6 @@ func (v *Provider) processEvent(ctx context.Context, event *info.Event, eventInt
 			return nil, fmt.Errorf("no github client has been initialized, " +
 				"exiting... (hint: did you forget setting a secret on your repo?)")
 		}
-		if gitEvent.GetAction() != "created" {
-			return nil, fmt.Errorf("only newly created comment is supported, received: %s", gitEvent.GetAction())
-		}
 		processedEvent, err = v.handleIssueCommentEvent(ctx, gitEvent)
 		if err != nil {
 			return nil, err

pkg/provider/github/parse_payload_test.go

@@ -744,14 +744,6 @@ func TestParsePayLoad(t *testing.T) {
 				},
 			},
 		},
-		{
-			name:               "bad/issue_comment_not_from_created",
-			wantErrString:      "only newly created comment is supported, received: deleted",
-			payloadEventStruct: github.IssueCommentEvent{Action: github.Ptr("deleted")},
-			eventType:          "issue_comment",
-			triggerTarget:      "pull_request",
-			githubClient:       true,
-		},
 		{
 			name:          "good/issue comment",
 			eventType:     "issue_comment",

test/github_pullrequest_oktotest_test.go

@@ -7,11 +7,15 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"regexp"
 	"strconv"
 	"testing"
+	"time"
 
 	"github.com/google/go-github/v84/github"
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode/keys"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params/info"
+	"github.com/openshift-pipelines/pipelines-as-code/test/pkg/cctx"
 	tgithub "github.com/openshift-pipelines/pipelines-as-code/test/pkg/github"
 	"github.com/openshift-pipelines/pipelines-as-code/test/pkg/payload"
 	twait "github.com/openshift-pipelines/pipelines-as-code/test/pkg/wait"
@@ -41,60 +45,99 @@ func TestGithubGHEPullRequestOkToTest(t *testing.T) {
 		Organization:  g.Options.Organization,
 		Repository:    g.Options.Repo,
 		URL:           repoinfo.GetHTMLURL(),
-		Sender:        g.Options.Organization,
 	}
 
+	repo, err := g.Cnx.Clients.PipelineAsCode.PipelinesascodeV1alpha1().Repositories(g.TargetNamespace).Get(ctx, g.TargetNamespace, metav1.GetOptions{})
+	assert.NilError(t, err)
+	initialStatusCount := len(repo.Status)
+
+	pruns, err := g.Cnx.Clients.Tekton.TektonV1().PipelineRuns(g.TargetNamespace).List(ctx, metav1.ListOptions{
+		LabelSelector: fmt.Sprintf("%s=%s", keys.SHA, g.SHA),
+	})
+	assert.NilError(t, err)
+	initialPipelineRunCount := len(pruns.Items)
+
 	installID, err := strconv.ParseInt(os.Getenv("TEST_GITHUB_SECOND_APPLICATION_ID"), 10, 64)
 	assert.NilError(t, err)
-	event := github.IssueCommentEvent{
-		Comment: &github.IssueComment{
-			Body: github.Ptr(`/ok-to-test`),
-		},
-		Installation: &github.Installation{
-			ID: &installID,
-		},
-		Action: github.Ptr("created"),
-		Issue: &github.Issue{
-			State: github.Ptr("open"),
-			PullRequestLinks: &github.PullRequestLinks{
-				HTMLURL: github.Ptr(fmt.Sprintf("%s/pull/%d", runevent.URL, g.PRNumber)),
+
+	sendIssueComment := func(t *testing.T, sender string) {
+		t.Helper()
+
+		event := github.IssueCommentEvent{
+			Comment: &github.IssueComment{
+				Body: github.Ptr(`/ok-to-test`),
+			},
+			Installation: &github.Installation{
+				ID: &installID,
+			},
+			Action: github.Ptr("created"),
+			Issue: &github.Issue{
+				State: github.Ptr("open"),
+				PullRequestLinks: &github.PullRequestLinks{
+					HTMLURL: github.Ptr(fmt.Sprintf("%s/pull/%d", runevent.URL, g.PRNumber)),
+				},
+			},
+			Repo: &github.Repository{
+				DefaultBranch: &runevent.DefaultBranch,
+				HTMLURL:       &runevent.URL,
+				Name:          &runevent.Repository,
+				Owner:         &github.User{Login: &runevent.Organization},
+			},
+			Sender: &github.User{
+				Login: github.Ptr(sender),
 			},
-		},
-		Repo: &github.Repository{
-			DefaultBranch: &runevent.DefaultBranch,
-			HTMLURL:       &runevent.URL,
-			Name:          &runevent.Repository,
-			Owner:         &github.User{Login: &runevent.Organization},
-		},
-		Sender: &github.User{
-			Login: &runevent.Sender,
-		},
+		}
+
+		err = payload.Send(ctx,
+			g.Cnx,
+			os.Getenv("TEST_GITHUB_SECOND_EL_URL"),
+			os.Getenv("TEST_GITHUB_SECOND_WEBHOOK_SECRET"),
+			os.Getenv("TEST_GITHUB_SECOND_API_URL"),
+			os.Getenv("TEST_GITHUB_SECOND_APPLICATION_ID"),
+			event,
+			"issue_comment",
+		)
+		assert.NilError(t, err)
 	}
 
-	err = payload.Send(ctx,
-		g.Cnx,
-		os.Getenv("TEST_GITHUB_SECOND_EL_URL"),
-		os.Getenv("TEST_GITHUB_SECOND_WEBHOOK_SECRET"),
-		os.Getenv("TEST_GITHUB_SECOND_API_URL"),
-		os.Getenv("TEST_GITHUB_SECOND_APPLICATION_ID"),
-		event,
-		"issue_comment",
-	)
+	g.Cnx.Clients.Log.Infof("Sending /ok-to-test from untrusted sender on same-repo pull request")
+	sendIssueComment(t, "nonowner")
+
+	time.Sleep(10 * time.Second)
+
+	pruns, err = g.Cnx.Clients.Tekton.TektonV1().PipelineRuns(g.TargetNamespace).List(ctx, metav1.ListOptions{
+		LabelSelector: fmt.Sprintf("%s=%s", keys.SHA, g.SHA),
+	})
+	assert.NilError(t, err)
+	assert.Equal(t, initialPipelineRunCount, len(pruns.Items), "untrusted issue_comment must not create a new PipelineRun")
+
+	repo, err = g.Cnx.Clients.PipelineAsCode.PipelinesascodeV1alpha1().Repositories(g.TargetNamespace).Get(ctx, g.TargetNamespace, metav1.GetOptions{})
 	assert.NilError(t, err)
+	assert.Equal(t, initialStatusCount, len(repo.Status), "untrusted issue_comment must not add a new Repository status")
 
-	g.Cnx.Clients.Log.Infof("Wait for the second repository update to be updated")
+	ctx, err = cctx.GetControllerCtxInfo(ctx, g.Cnx)
+	assert.NilError(t, err)
+	numLines := int64(1000)
+	logRegex := regexp.MustCompile(`Skipping same-repo pull request shortcut for untrusted event \*github\.IssueCommentEvent`)
+	err = twait.RegexpMatchingInControllerLog(ctx, g.Cnx, *logRegex, 10, "ghe-controller", &numLines, nil)
+	assert.NilError(t, err)
+
+	g.Cnx.Clients.Log.Infof("Sending /ok-to-test from trusted sender")
+	sendIssueComment(t, g.Options.Organization)
+
+	g.Cnx.Clients.Log.Infof("Wait for the repository update triggered by trusted /ok-to-test")
 	waitOpts := twait.Opts{
 		RepoName:        g.TargetNamespace,
 		Namespace:       g.TargetNamespace,
-		MinNumberStatus: 1,
+		MinNumberStatus: initialStatusCount + 1,
 		PollTimeout:     twait.DefaultTimeout,
 		TargetSHA:       g.SHA,
 	}
 	_, err = twait.UntilRepositoryUpdated(ctx, g.Cnx.Clients, waitOpts)
 	assert.NilError(t, err)
 
-	g.Cnx.Clients.Log.Infof("Check if we have the repository set as succeeded")
-	repo, err := g.Cnx.Clients.PipelineAsCode.PipelinesascodeV1alpha1().Repositories(g.TargetNamespace).Get(ctx, g.TargetNamespace, metav1.GetOptions{})
+	g.Cnx.Clients.Log.Infof("Check if we have the repository set as succeeded after trusted /ok-to-test")
+	repo, err = g.Cnx.Clients.PipelineAsCode.PipelinesascodeV1alpha1().Repositories(g.TargetNamespace).Get(ctx, g.TargetNamespace, metav1.GetOptions{})
 	assert.NilError(t, err)
 	assert.Assert(t, repo.Status[len(repo.Status)-1].Conditions[0].Status == corev1.ConditionTrue)
 }