feat: add organization setting to restrict project-scoped contracts #2602
Conversation
Signed-off-by: Sylwester Piskozub <[email protected]>
Signed-off-by: Sylwester Piskozub <[email protected]>
Signed-off-by: Sylwester Piskozub <[email protected]>
| var projectID *uuid.UUID | ||
| if req.ProjectReference.IsSet() { | ||
| // Check if organization prevents project-scoped contracts | ||
| if org.PreventProjectScopedContracts { |
There was a problem hiding this comment.
is this the only place a contract is created? can you check during attestation init?
There was a problem hiding this comment.
We need to double check that a contract can only be created on-demand from this use case. I remember it was also created during a workflow creation, or attestation init.
Would you mind posting there an evaluation of those entrypoints and how this feature will work with the other preventWorkflowCreation feature?
There was a problem hiding this comment.
I don't think this is what we want. What we want is to only allow administrators to create contracts if this setting is set
|
also, what's the use-case here? Can anybody create project contracts? can admins do it? |
Signed-off-by: Sylwester Piskozub <[email protected]>
Signed-off-by: Sylwester Piskozub <[email protected]>
|
Updated with what have discussed.
We could also restrict creation of the default contract that is created when no contract was specified in workflow creation, but is that desired behavior? |
I think so yes The idea of this feature is to prevent contract sprawl, and the main source of sprawl is the attestation process. |
Signed-off-by: Sylwester Piskozub <[email protected]>
Alright, added validation to |
Thanks Does it work in |
Signed-off-by: Sylwester Piskozub <[email protected]>
Yes, there shouldn't be any other remaining cases |
| } | ||
|
|
||
| if !membership.Role.IsAdmin() { | ||
| return nil, errors.Forbidden("forbidden", "only organization admins can create contracts") |
There was a problem hiding this comment.
can we make sure the error is cleaner and consistent with what we did in this other check? #2527
ERR creating workflows during the attestation process is disabled for this organization. Please create them in advance or contact your administrator
There was a problem hiding this comment.
Updated direct creation (e.g. wf contract create) to
ERR contract creation is restricted to organization administrators. Please contact your administrator
And indirect creation (e.g. att with --contract flag or wf create) to
ERR contract creation is restricted to organization administrators. Please use existing contracts or contact your administrator
Signed-off-by: Sylwester Piskozub <[email protected]>
2 participants
This PR adds a new organization-level setting that allows administrators to restrict contract creation to be only available for organization admins, preventing their creation by org members and project admins.
When setting is enabled and non-admin user tries to run
att initwithout specifying contract an error is returned: