Fetch credentials from DB

Do not rely on the entity object to hold updated or detailed credentials,
fetch them from the DB every time.

This change also ensures that we pass in the user context instead of the
runner context to the DB methods.

Signed-off-by: Gabriel Adrian Samfira <[email protected]>

.github/workflows/integration-tests.yml

@@ -54,7 +54,7 @@ jobs:
         run: |
           set -o pipefail
           set -o errexit
-          make integration 2>&1 | tee /artifacts-logs/e2e.log
+          make integration 2>&1
         env:
           GARM_BASE_URL: ${{ steps.ngrok.outputs.tunnel-url }}
           ORG_NAME: gsamfira
@@ -68,6 +68,7 @@ jobs:
         run: |
           sudo systemctl status garm@runner || true
           sudo journalctl --no-pager 2>&1 > /artifacts-logs/system.log
+          sudo journalctl -u garm@runner --no-pager 2>&1 > /artifacts-logs/garm.log
 
       - name: Upload GARM and e2e logs
         if: always()

cmd/garm/main.go

@@ -151,6 +151,8 @@ func main() {
 	ctx, stop := signal.NotifyContext(context.Background(), signals...)
 	defer stop()
 
+	ctx = auth.GetAdminContext(ctx)
+
 	cfg, err := config.NewConfig(*conf)
 	if err != nil {
 		log.Fatalf("Fetching config: %+v", err) //nolint:gocritic

runner/enterprises.go

@@ -54,6 +54,8 @@ func (r *Runner) CreateEnterprise(ctx context.Context, param params.CreateEnterp
 		}
 	}()
 
+	// Use the admin context in the pool manager. Any access control is already done above when
+	// updating the store.
 	var poolMgr common.PoolManager
 	poolMgr, err = r.poolManagerCtrl.CreateEnterprisePoolManager(r.ctx, enterprise, r.providers, r.store)
 	if err != nil {
@@ -172,6 +174,8 @@ func (r *Runner) UpdateEnterprise(ctx context.Context, enterpriseID string, para
 		return params.Enterprise{}, errors.Wrap(err, "updating enterprise")
 	}
 
+	// Use the admin context in the pool manager. Any access control is already done above when
+	// updating the store.
 	poolMgr, err := r.poolManagerCtrl.UpdateEnterprisePoolManager(r.ctx, enterprise)
 	if err != nil {
 		return params.Enterprise{}, fmt.Errorf("failed to update enterprise pool manager: %w", err)

runner/organizations.go

@@ -67,6 +67,8 @@ func (r *Runner) CreateOrganization(ctx context.Context, param params.CreateOrgP
 		}
 	}()
 
+	// Use the admin context in the pool manager. Any access control is already done above when
+	// updating the store.
 	poolMgr, err := r.poolManagerCtrl.CreateOrgPoolManager(r.ctx, org, r.providers, r.store)
 	if err != nil {
 		return params.Organization{}, errors.Wrap(err, "creating org pool manager")
@@ -201,6 +203,8 @@ func (r *Runner) UpdateOrganization(ctx context.Context, orgID string, param par
 		return params.Organization{}, errors.Wrap(err, "updating org")
 	}
 
+	// Use the admin context in the pool manager. Any access control is already done above when
+	// updating the store.
 	poolMgr, err := r.poolManagerCtrl.UpdateOrgPoolManager(r.ctx, org)
 	if err != nil {
 		return params.Organization{}, fmt.Errorf("updating org pool manager: %w", err)

runner/repositories.go

@@ -67,6 +67,8 @@ func (r *Runner) CreateRepository(ctx context.Context, param params.CreateRepoPa
 		}
 	}()
 
+	// Use the admin context in the pool manager. Any access control is already done above when
+	// updating the store.
 	poolMgr, err := r.poolManagerCtrl.CreateRepoPoolManager(r.ctx, repo, r.providers, r.store)
 	if err != nil {
 		return params.Repository{}, errors.Wrap(err, "creating repo pool manager")
@@ -200,6 +202,8 @@ func (r *Runner) UpdateRepository(ctx context.Context, repoID string, param para
 		return params.Repository{}, errors.Wrap(err, "updating repo")
 	}
 
+	// Use the admin context in the pool manager. Any access control is already done above when
+	// updating the store.
 	poolMgr, err := r.poolManagerCtrl.UpdateRepoPoolManager(r.ctx, repo)
 	if err != nil {
 		return params.Repository{}, fmt.Errorf("failed to update pool manager: %w", err)

runner/runner.go

@@ -67,6 +67,7 @@ func NewRunner(ctx context.Context, cfg config.Config, db dbCommon.Store) (*Runn
 	poolManagerCtrl := &poolManagerCtrl{
 		controllerID:  ctrlID.ControllerID.String(),
 		config:        cfg,
+		store:         db,
 		repositories:  map[string]common.PoolManager{},
 		organizations: map[string]common.PoolManager{},
 		enterprises:   map[string]common.PoolManager{},
@@ -92,6 +93,7 @@ type poolManagerCtrl struct {
 
 	controllerID string
 	config       config.Config
+	store        dbCommon.Store
 
 	repositories  map[string]common.PoolManager
 	organizations map[string]common.PoolManager
@@ -102,7 +104,12 @@ func (p *poolManagerCtrl) CreateRepoPoolManager(ctx context.Context, repo params
 	p.mux.Lock()
 	defer p.mux.Unlock()
 
-	cfgInternal, err := p.getInternalConfig(ctx, repo.Credentials, repo.GetBalancerType())
+	creds, err := p.store.GetGithubCredentialsByName(ctx, repo.CredentialsName, true)
+	if err != nil {
+		return nil, errors.Wrap(err, "fetching credentials")
+	}
+
+	cfgInternal, err := p.getInternalConfig(ctx, creds, repo.GetBalancerType())
 	if err != nil {
 		return nil, errors.Wrap(err, "fetching internal config")
 	}
@@ -130,7 +137,12 @@ func (p *poolManagerCtrl) UpdateRepoPoolManager(ctx context.Context, repo params
 		return nil, errors.Wrapf(runnerErrors.ErrNotFound, "repository %s/%s pool manager not loaded", repo.Owner, repo.Name)
 	}
 
-	internalCfg, err := p.getInternalConfig(ctx, repo.Credentials, repo.GetBalancerType())
+	creds, err := p.store.GetGithubCredentialsByName(ctx, repo.CredentialsName, true)
+	if err != nil {
+		return nil, errors.Wrap(err, "fetching credentials")
+	}
+
+	internalCfg, err := p.getInternalConfig(ctx, creds, repo.GetBalancerType())
 	if err != nil {
 		return nil, errors.Wrap(err, "fetching internal config")
 	}
@@ -175,7 +187,11 @@ func (p *poolManagerCtrl) CreateOrgPoolManager(ctx context.Context, org params.O
 	p.mux.Lock()
 	defer p.mux.Unlock()
 
-	cfgInternal, err := p.getInternalConfig(ctx, org.Credentials, org.GetBalancerType())
+	creds, err := p.store.GetGithubCredentialsByName(ctx, org.CredentialsName, true)
+	if err != nil {
+		return nil, errors.Wrap(err, "fetching credentials")
+	}
+	cfgInternal, err := p.getInternalConfig(ctx, creds, org.GetBalancerType())
 	if err != nil {
 		return nil, errors.Wrap(err, "fetching internal config")
 	}
@@ -202,7 +218,11 @@ func (p *poolManagerCtrl) UpdateOrgPoolManager(ctx context.Context, org params.O
 		return nil, errors.Wrapf(runnerErrors.ErrNotFound, "org %s pool manager not loaded", org.Name)
 	}
 
-	internalCfg, err := p.getInternalConfig(ctx, org.Credentials, org.GetBalancerType())
+	creds, err := p.store.GetGithubCredentialsByName(ctx, org.CredentialsName, true)
+	if err != nil {
+		return nil, errors.Wrap(err, "fetching credentials")
+	}
+	internalCfg, err := p.getInternalConfig(ctx, creds, org.GetBalancerType())
 	if err != nil {
 		return nil, errors.Wrap(err, "fetching internal config")
 	}
@@ -247,7 +267,11 @@ func (p *poolManagerCtrl) CreateEnterprisePoolManager(ctx context.Context, enter
 	p.mux.Lock()
 	defer p.mux.Unlock()
 
-	cfgInternal, err := p.getInternalConfig(ctx, enterprise.Credentials, enterprise.GetBalancerType())
+	creds, err := p.store.GetGithubCredentialsByName(ctx, enterprise.CredentialsName, true)
+	if err != nil {
+		return nil, errors.Wrap(err, "fetching credentials")
+	}
+	cfgInternal, err := p.getInternalConfig(ctx, creds, enterprise.GetBalancerType())
 	if err != nil {
 		return nil, errors.Wrap(err, "fetching internal config")
 	}
@@ -275,7 +299,11 @@ func (p *poolManagerCtrl) UpdateEnterprisePoolManager(ctx context.Context, enter
 		return nil, errors.Wrapf(runnerErrors.ErrNotFound, "enterprise %s pool manager not loaded", enterprise.Name)
 	}
 
-	internalCfg, err := p.getInternalConfig(ctx, enterprise.Credentials, enterprise.GetBalancerType())
+	creds, err := p.store.GetGithubCredentialsByName(ctx, enterprise.CredentialsName, true)
+	if err != nil {
+		return nil, errors.Wrap(err, "fetching credentials")
+	}
+	internalCfg, err := p.getInternalConfig(ctx, creds, enterprise.GetBalancerType())
 	if err != nil {
 		return nil, errors.Wrap(err, "fetching internal config")
 	}