
Background permissions syncing should not rely on `ServiceID` to match authz provider

Created by: unknwon

Problem

There can be multiple external services that share the same ServiceID, but each of them is potentially responsible for a different (even mutually exclusive) set of (private) repositories. Naively using ServiceID to match an authz provider can end up using a token from an external service config that is not responsible for the repository.

Example:

"GITHUB": [
    {
      "authorization": {},
      "url": "https://github.com",
      "token": "token1",
      "repos": ["sourcegraph/private-repo-1"]
    },
    {
      "authorization": {},
      "url": "https://github.com",
      "token": "token2",
      "repos": ["sourcegraph/private-repo-2"]
    },
]

While syncing permissions for "sourcegraph/private-repo-2", it is possible that it gets matched to the authz provider that uses "token1". If the two tokens have access to different sets of private repositories, that fetch is guaranteed to fail (or, worse, to compute permissions from a token that cannot see the repository at all).


To fix this problem, we need to:

  • Get the sources (i.e. external services) that the repository belongs to.
  • Update the authz.Provider interface so a caller can tell which source (external service) a provider belongs to, not just its ServiceID.
  • Use the repository's sources to match the corresponding authz provider(s) and determine which token to use for fetching permissions.
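The following Go example, added here and not part of the issue or of Sourcegraph's code, contrasts the naive ServiceID match from the Problem section with the source-based match the three steps above propose. All types (ExternalService, Repo, Provider), the ServiceID value "https://github.com/" and the two-connection sample data are constructed assumptions that mirror the config fragment above; the real authz.Provider interface and store types are not used.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types standing in for the external service, repository and
// authz provider records; they are not Sourcegraph's real types.
type ExternalService struct {
	ID        int64  // unique per configured connection
	ServiceID string // code host identity shared by all connections to that host
	Token     string // token that this connection's authz provider would use
}

type Repo struct {
	Name      string
	ServiceID string  // code host the repo lives on
	Sources   []int64 // IDs of the external services the repo was synced from
}

type Provider struct {
	ServiceID         string
	ExternalServiceID int64 // the source this provider was built from
	Token             string
}

var ErrNoProvider = errors.New("no authz provider matches repository")

// ProvidersFromServices builds one authz provider per external service.
func ProvidersFromServices(svcs []ExternalService) []Provider {
	ps := make([]Provider, 0, len(svcs))
	for _, s := range svcs {
		ps = append(ps, Provider{ServiceID: s.ServiceID, ExternalServiceID: s.ID, Token: s.Token})
	}
	return ps
}

// MatchByServiceID is the naive matching the issue warns about: the first
// provider for the repo's code host wins, whichever connection the repo
// actually came from. With two github.com connections this can return a
// token that has no access to the repo.
func MatchByServiceID(repo Repo, providers []Provider) (Provider, error) {
	for _, p := range providers {
		if p.ServiceID == repo.ServiceID {
			return p, nil
		}
	}
	return Provider{}, ErrNoProvider
}

// MatchBySource is the proposed matching: only providers built from an
// external service listed in repo.Sources are candidates, so the token used
// for the permissions fetch is one of the tokens that actually synced the repo.
func MatchBySource(repo Repo, providers []Provider) ([]Provider, error) {
	want := make(map[int64]bool, len(repo.Sources))
	for _, id := range repo.Sources {
		want[id] = true
	}
	var out []Provider
	for _, p := range providers {
		if want[p.ExternalServiceID] {
			out = append(out, p)
		}
	}
	if len(out) == 0 {
		return nil, ErrNoProvider
	}
	return out, nil
}

// SampleConfig is constructed data mirroring the two-connection example
// from the issue: same ServiceID, different tokens, disjoint repos.
func SampleConfig() ([]ExternalService, []Repo) {
	svcs := []ExternalService{
		{ID: 1, ServiceID: "https://github.com/", Token: "token1"},
		{ID: 2, ServiceID: "https://github.com/", Token: "token2"},
	}
	repos := []Repo{
		{Name: "sourcegraph/private-repo-1", ServiceID: "https://github.com/", Sources: []int64{1}},
		{Name: "sourcegraph/private-repo-2", ServiceID: "https://github.com/", Sources: []int64{2}},
	}
	return svcs, repos
}

func main() {
	svcs, repos := SampleConfig()
	ps := ProvidersFromServices(svcs)
	for _, r := range repos {
		naive, _ := MatchByServiceID(r, ps)
		bySource, _ := MatchBySource(r, ps)
		fmt.Printf("%s: by ServiceID -> %s, by source -> %s\n", r.Name, naive.Token, bySource[0].Token)
	}
}
```

MatchBySource returns every candidate provider rather than one, because a repository synced from several connections is legitimately reachable through any of their tokens; the caller can then pick one or fall back to the next on failure. A repository with no matching source is an error rather than a silent fallback to "any provider for this host", which is exactly the behaviour the issue is trying to remove.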