      story #35093 execute custom code as artifact post action
    Summary
    execute custom code as artifact post action

    I can add my own computation

    Overview

    The goal of this feature is to let project administrators run a level of computation automatically when artifacts are updated. For instance, this could be used to compute a risk as a combination of two factors.

    This story is designed to be an alternative to the model where teams have to rely on a webhook and an external server to do their own computation.

    In this initial implementation, the idea is to leverage what was done on untrusted code execution in git pre-commit hooks (see epic #31078):

    1. User code will be a WebAssembly module (in order to guarantee the security of the system).
    2. The execution will be done after the artifact update, asynchronously.
    3. The result of the computation will lead to an artifact update (new changeset) with a dedicated user (like workflow triggers).

    For a bit more of context:

    1. It is mandatory to ensure that executed code cannot be used by threat actors to steal data or damage the infrastructure.
    2. While execution of WebAssembly modules was already addressed with git pre-commit, introducing the concept in Trackers has its own challenges. For instance, right now there is no intermediate representation of a changeset that could be easily passed to a WebAssembly module. If the module runs after the artifact update, we can re-use the existing infrastructure that builds webhook payloads. In addition, as the code is executed asynchronously, we don't have to deal with performance optimization as much as would be required if it ran synchronously in the request path (OLTP).
    3. As an extension of 2, it's likely that at some point we would like to see what was part of user-submitted data and what was computed (at least for debug or traceability reasons). By having the changes made by the WebAssembly module recorded as a dedicated changeset, the diff comes for free.

    Functional requirements

    Prerequisite: asynchronous processing in trackers is activated.

    • As a tracker administrator, I should be able to select a WebAssembly (WASM) module and upload it for my tracker. There is only one WASM module per tracker (on purpose, to avoid having to deal with the order of execution of modules right now); if multiple computations must be performed, they go in the same WASM module.
      • Execution of the WASM module can be suspended (module is there but not executed)
      • For each tracker, the last 50 execution details (status, errors) are kept with: associated artifact id, changeset id, source payload and generated payload.
    • When an artifact is updated, after the new changeset is saved in the database, there is a new action in the post-processing pipeline: execution of the WASM module (if any)
      • The module is executed with the artifact webhook payload as input (JSON)
      • The module writes the payload as expected by PUT /artifacts/:id on standard output
      • Tuleap saves the modified payload as a new changeset (if there is any change) as the workflow user
      • The update will not trigger a new WASM module execution, but the rest of the pipeline is unchanged (meaning webhooks are triggered for the WASM update). The webhook payload is modified to tell whether the source action is the WASM module or a regular update.
      • Execution already gathers metrics (Prometheus); a label should be added to distinguish the source.
    • When there is an error in the execution of the module, an email is sent to the tracker administrators to inform them.
    • In order to ease module development, the tracker description is added to the webhook payload. This is useful when a module wants to produce a value in a List field.
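    As an added example (not code from this story or from the Tuleap project), here is what a module following the stdin/stdout contract above could look like, written in Go so it can be built for WASI with `GOOS=wasip1 GOARCH=wasm go build -o risk.wasm .`. It implements the risk computation mentioned in the overview, Risk = Likelihood x Impact, and refuses to run when an input field is missing, null or non-numeric. The payload shape it reads (field_id/label/value under current.values), the three field labels and the assumption that Tuleap's runtime accepts a WASI preview 1 binary are assumptions made for the example; the body it writes is the "values" array of PUT /artifacts/:id.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// fieldValue is the part of an artifact field value this module reads (shape assumed from the webhook payload).
type fieldValue struct {
	FieldID int             `json:"field_id"`
	Label   string          `json:"label"`
	Value   json.RawMessage `json:"value"`
}

// updateValue mirrors one entry of the "values" array in a PUT /artifacts/:id body.
type updateValue struct {
	FieldID int     `json:"field_id"`
	Value   float64 `json:"value"`
}

// Field labels the module expects in the tracker (hypothetical names).
const (
	likelihoodLabel = "Likelihood"
	impactLabel     = "Impact"
	riskLabel       = "Risk"
)

// sampleWebhookPayload is a constructed, trimmed-down input with made-up ids; Summary shows unrelated fields are ignored.
const sampleWebhookPayload = `{"action":"update","current":{"id":42,"values":[
  {"field_id":1001,"type":"int","label":"Likelihood","value":3},
  {"field_id":1002,"type":"int","label":"Impact","value":4},
  {"field_id":1003,"type":"int","label":"Risk","value":null},
  {"field_id":1004,"type":"string","label":"Summary","value":"Outdated TLS library"}]}}`

// findField returns the field with the given label; a missing field fails the run rather than computing with a default.
func findField(values []fieldValue, label string) (*fieldValue, error) {
	for i := range values {
		if values[i].Label == label {
			return &values[i], nil
		}
	}
	return nil, fmt.Errorf("field %q not found in payload", label)
}

// numericField decodes the named field as a number; null, absent or non-numeric values are errors.
func numericField(values []fieldValue, label string) (float64, error) {
	f, err := findField(values, label)
	if err != nil {
		return 0, err
	}
	var n *float64 // pointer so a JSON null is distinguishable from 0
	if err := json.Unmarshal(f.Value, &n); err != nil || n == nil {
		return 0, fmt.Errorf("field %q (id %d) has no numeric value", label, f.FieldID)
	}
	return *n, nil
}

// computeRisk maps the webhook payload to the PUT /artifacts/:id body that sets Risk = Likelihood * Impact.
// Only the Risk field is emitted, so the host has one field to validate and the module cannot touch anything else.
func computeRisk(input []byte) ([]byte, error) {
	var in struct {
		Current struct {
			Values []fieldValue `json:"values"`
		} `json:"current"`
	}
	if err := json.Unmarshal(input, &in); err != nil {
		return nil, fmt.Errorf("invalid input payload: %w", err)
	}
	likelihood, err := numericField(in.Current.Values, likelihoodLabel)
	if err != nil {
		return nil, err
	}
	impact, err := numericField(in.Current.Values, impactLabel)
	if err != nil {
		return nil, err
	}
	risk, err := findField(in.Current.Values, riskLabel)
	if err != nil {
		return nil, err
	}
	return json.Marshal(map[string][]updateValue{"values": {{FieldID: risk.FieldID, Value: likelihood * impact}}})
}

// main is the WASI entry point: payload in on stdin, update out on stdout. A non-zero exit with a
// message on stderr is how the module reports failure; the host logs it and mails the tracker admins.
func main() {
	input, err := io.ReadAll(os.Stdin)
	var out []byte
	if err == nil {
		out, err = computeRisk(input)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```

    Because the module's only channels are stdin and stdout, a buggy or hostile module has no path to the REST API, the database or the network; the worst it can do is emit a payload, which the host then validates strictly (commit dee764c39f) and writes as the workflow user. A missing or non-numeric input exits non-zero with a message on stderr instead of silently writing a zero risk, which is exactly the case the error email to tracker administrators exists for.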

    The feature is available as a plugin to limit the amount of clutter on Tracker.

    Known limitations

    As this feature is currently at a stage where we want to see if there is interest in it, the following things are not covered:

    • XML import/export
    • Tracker duplication
    • Ability to read attachments
    Status
    Trackers
    Done
    Development
    • [ ] Does it involve a User Interface?
    • [ ] Are there any mockups?
    • [ ] Are permissions checked?
    • [ ] Does it need Javascript development?
    • [ ] Does it need a forge upgrade bucket?
    • [ ] Does it need to execute things in system events?
    • [ ] Does it impact project creation (templates)?
    • [ ] Is it exploratory?
    Details
    #35093
    Manuel Vacelet (vaceletm)
    2024-02-01 09:14
    2023-11-02 14:12
    36703

    References
    Referencing story #35093

    Artifact Tracker v5

    rel #35497 15.5

    Git commit

    tuleap/tuleap/stable

    feat: Create forge__cce user 36e9f83d9c
    feat: Add empty plugin for Tracker CCE db1edce569
    refactor: extract workflow menu from mustache templates 33c5d1cac5
    feat: ActionsRunner dispatch an event to collect more PostCreationTask 987c2d1364
    feat: introduce CCE administration page 724771fed0
    Allow to pass multiple mount points (or none) to the executed WASM module 1c9f6751f5
    feat: Add pipeline to call WASM module b41a03d161
    feat: wasm module upload 8abb4a3199
    feat: prevent installation if no workers cfb0e33d4a
    feat: Example WASM module check fields sum 4efc74eb14
    feat: tuleap config-{get,set} sys_nb_backend_workers 8ed4f1b32c
    refactor: Split ActionsRunner in 2 classes 494598610a
    feat: experimental package for tracker_cce e3fa5b0e9b
    feat: CCE WASM pipeline apply update on artifact 1df566e436
    feat: system check in error if nb backend workers is 0 7b3681d399
    feat: ability to remove a module 6cbba5e64a
    feat: CCE pipeline saves logs in db c3a0c9cae2
    feat: (de)activate module 8b86de45e3
    feat: Delete oldest module logs 534f78cfdd
    feat: Add Tracker CCE in TEE container 62980e2501
    feat: Webhook payload tell if it is wasm update 5e4fcca1e1
    feat: display CCE logs b1d11a9440
    fix: CCE user cannot update artifact sometimes 0329e21d26
    feat: Add a label to prometheus to tell if who call WASM c1a2ccbff0
    doc: Add documentation for Tracker CCE b117f561da
    fix: Output CCE post action should be strictly validated dee764c39f
    feat: Add Tracker representation in input payload 4eb742acc2
    feat: Tracker CCE is not anymore experimental 094a72cec5
    feat: Add mapping error in error message 388159c778
    feat: Limit module size to 10Mb e32d6ccf07
    feat: Tracker admin receive a mail when WASM fail 4d82783497
    feat: Delete logs when removing module c70362916b
    feat: WASMExecutionException is not shown to end users 1781b5f01a
    feat: Basic e2e cover of Tuleap Functions for Tracker 80a7201921
    refactor: Rename TrackerCCE -> TrackerFunctions 1bd2579ed3
    feat: Update link to documentation 7c5fcdc537
    fix: e2e tests should install plugin tracker_functions 77036747ba
    fix: Remove front b of forgeupgrade filename 9c6e2d0a05

    Follow-ups

    Kevin Traini (ktraini)2024-01-08 12:52

    gerrit #30168 integrated into Tuleap 15.4.99.40

