insights: discover from user/org settings
Created by: slimsag
Today, insights are discovered from "global user settings" only. This happens here. You must be an admin to edit the global user settings. Settings form a cascade like so:
Global user settings -> Organization settings -> User settings (overrides all else).
Insights violates this cascade, and the assumption that a user's own settings apply, by only picking up insights defined in the global user settings.
Security
Actually making insights get picked up from user/org settings is pretty straightforward; we merely need to update the Discover function here to read from all settings on the entire Sourcegraph instance: https://sourcegraph.com/github.com/sourcegraph/sourcegraph/-/blob/enterprise/internal/insights/discovery/discovery.go
However, since insights run search queries in the background with no authentication, they have access to search results the user may not have access to. For example, a plain user could add a search insight which can see repositories only visible to a specific team within a company. If we were to naively enable this, I could write insights which extract some information about the repos I don't have access to:
- Whether or not a specific term exists in someone's repos, and how many instances of it.
- That repos exist under a given org/name. This is most risky on Sourcegraph.com, e.g. someone could check repo:microsoft-private/foobar and see that Microsoft has private repositories on Sourcegraph.com (I can neither confirm nor deny if this is true.)
There are some cross-cutting things to consider as well when thinking about:
- Giving repository-level breakdowns of insights
- Add GraphQL API to push data into TimescaleDB/insights store directly ("webhooks") #17220 (closed), which may be describing global (not associated with a repository) insights.
Probably we need to:
- Discover insights from all org/user settings on the instance (easy.)
- When querying insights, if per-repo data is being queried, then confirm the user has access to those repos one by one (we should have an existing API to do this given a repo ID.)
- When querying insights, if NOT per-repo (i.e. a global insight), then confirm the user has that exact insight defined in their own user settings. We could do this by comparing the SeriesID, which is a hash of the insight's important bits.
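The three steps above as a worked example in Go. This is added illustration, not Sourcegraph's discovery or authorization code: the Insight type, the fields that feed the SeriesID hash (title, query, repo list) and the hasRepoAccess callback standing in for the existing repo-permission API are all assumptions.

```go
package main
import (
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Insight is a constructed, simplified search-insight definition (not Sourcegraph's real type).
type Insight struct {
	Title string
	Query string
	Repos []string // empty means a global insight, not a per-repo one
}

// SeriesID hashes the insight's "important bits" (assumed here: title, query, repo list).
func SeriesID(in Insight) string {
	h := sha256.Sum256([]byte(in.Title + "\x00" + in.Query + "\x00" + strings.Join(in.Repos, ",")))
	return hex.EncodeToString(h[:])
}

// Discover merges insights from every settings layer (global, each org, each user), deduplicated by SeriesID.
func Discover(layers ...[]Insight) map[string]Insight {
	out := map[string]Insight{}
	for _, layer := range layers {
		for _, in := range layer {
			out[SeriesID(in)] = in
		}
	}
	return out
}

// CanView applies the two query-time checks: a per-repo series needs access to every repo it covers;
// a global series is visible only when the viewer's own settings define that exact insight (same SeriesID).
func CanView(in Insight, viewerSettings []Insight, hasRepoAccess func(repo string) bool) bool {
	if len(in.Repos) > 0 {
		for _, r := range in.Repos {
			if !hasRepoAccess(r) {
				return false
			}
		}
		return true
	}
	want := SeriesID(in)
	for _, own := range viewerSettings {
		if SeriesID(own) == want {
			return true
		}
	}
	return false
}
```

Discovery becomes permissive (everyone's settings are read) while the read path stays restrictive, so a user never sees data for repos they cannot access or for global insights they did not define themselves.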