fix(webhook): Avoid jobs are accepted without labels (#3548)

npalm · web-flow · commit cb7873819b66 · 2023-10-18T10:32:16.000+02:00
## Descirption

When using the mult-runner with an exact match set to `true` worklfows
events with an empty array of labels matches the first matcher. This
cause not intented runners are created. This change avoids jobs with no
labels ar accepted.

The exactMatch is some bagage we ccarry from the past. I have aaded a
set of unit tests to show how the match is working. We should think
about removing the switch.
diff --git a/lambdas/functions/webhook/jest.config.ts b/lambdas/functions/webhook/jest.config.ts
@@ -6,10 +6,10 @@ const config: Config = {
   ...defaultConfig,
   coverageThreshold: {
     global: {
-      statements: 99,
-      branches: 86,
+      statements: 99.07,
+      branches: 93.33,
       functions: 100,
-      lines: 99,
+      lines: 99.02,
     },
   },
 };
diff --git a/lambdas/functions/webhook/src/webhook/handler.test.ts b/lambdas/functions/webhook/src/webhook/handler.test.ts
@@ -7,7 +7,7 @@ import checkrun_event from '../../test/resources/github_check_run_event.json';
 import workflowjob_event from '../../test/resources/github_workflowjob_event.json';
 import queuesConfig from '../../test/resources/multi_runner_configurations.json';
 import { sendActionRequest } from '../sqs';
-import { handle } from './handler';
+import { canRunJob, handle } from './handler';
 
 jest.mock('../sqs');
 jest.mock('@terraform-aws-github-runner/aws-ssm-util');
@@ -261,7 +261,7 @@ describe('handler', () => {
         event,
       );
       expect(resp.statusCode).toBe(202);
-      expect(sendActionRequest).not.toBeCalled;
+      expect(sendActionRequest).not.toBeCalled();
     });
 
     it('Check webhook does not accept jobs where the job labels are spread across label matchers.', async () => {
@@ -289,7 +289,7 @@ describe('handler', () => {
         event,
       );
       expect(resp.statusCode).toBe(202);
-      expect(sendActionRequest).not.toBeCalled;
+      expect(sendActionRequest).not.toBeCalled();
     });
 
     it('Check webhook does not accept jobs where not all labels are supported by the runner.', async () => {
@@ -321,7 +321,7 @@ describe('handler', () => {
         event,
       );
       expect(resp.statusCode).toBe(202);
-      expect(sendActionRequest).not.toBeCalled;
+      expect(sendActionRequest).not.toBeCalled();
     });
 
     it('Check webhook will accept jobs with a single acceptable label.', async () => {
@@ -385,7 +385,7 @@ describe('handler', () => {
         event,
       );
       expect(resp.statusCode).toBe(202);
-      expect(sendActionRequest).not.toBeCalled;
+      expect(sendActionRequest).not.toBeCalled();
     });
     it('Check webhook will accept jobs for specific labels if workflow labels are specific', async () => {
       process.env.RUNNER_CONFIG = JSON.stringify([
@@ -520,3 +520,54 @@ describe('handler', () => {
     });
   });
 });
+
+describe('canRunJob', () => {
+  it('should accept job with an exact match and identical labels.', () => {
+    const workflowLabels = ['self-hosted', 'linux', 'x64', 'ubuntu-latest'];
+    const runnerLabels = [['self-hosted', 'linux', 'x64', 'ubuntu-latest']];
+    const exactMatch = true;
+    expect(canRunJob(workflowLabels, runnerLabels, exactMatch)).toBe(true);
+  });
+
+  it('should accept job with an exact match and runner supports requested capabilites.', () => {
+    const workflowLabels = ['self-hosted', 'linux', 'x64'];
+    const runnerLabels = [['self-hosted', 'linux', 'x64', 'ubuntu-latest']];
+    const exactMatch = true;
+    expect(canRunJob(workflowLabels, runnerLabels, exactMatch)).toBe(true);
+  });
+
+  it('should NOT accept job with an exact match and runner not matching requested capabilites.', () => {
+    const workflowLabels = ['self-hosted', 'linux', 'x64', 'ubuntu-latest'];
+    const runnerLabels = [['self-hosted', 'linux', 'x64']];
+    const exactMatch = true;
+    expect(canRunJob(workflowLabels, runnerLabels, exactMatch)).toBe(false);
+  });
+
+  it('should accept job with for a non exact match. Any label that matches will accept the job.', () => {
+    const workflowLabels = ['self-hosted', 'linux', 'x64', 'ubuntu-latest', 'gpu'];
+    const runnerLabels = [['gpu']];
+    const exactMatch = false;
+    expect(canRunJob(workflowLabels, runnerLabels, exactMatch)).toBe(true);
+  });
+
+  it('should NOT accept job with for an exact match. Not all requested capabilites are supported.', () => {
+    const workflowLabels = ['self-hosted', 'linux', 'x64', 'ubuntu-latest', 'gpu'];
+    const runnerLabels = [['gpu']];
+    const exactMatch = true;
+    expect(canRunJob(workflowLabels, runnerLabels, exactMatch)).toBe(false);
+  });
+
+  it('Should not accecpt jobs not providing labels if exact match is.', () => {
+    const workflowLabels: string[] = [];
+    const runnerLabels = [['self-hosted', 'linux', 'x64']];
+    const exactMatch = true;
+    expect(canRunJob(workflowLabels, runnerLabels, exactMatch)).toBe(false);
+  });
+
+  it('Should accept jobs not providing labels and exact match is set to false.', () => {
+    const workflowLabels: string[] = [];
+    const runnerLabels = [['self-hosted', 'linux', 'x64']];
+    const exactMatch = false;
+    expect(canRunJob(workflowLabels, runnerLabels, exactMatch)).toBe(true);
+  });
+});
diff --git a/lambdas/functions/webhook/src/webhook/handler.ts b/lambdas/functions/webhook/src/webhook/handler.ts
@@ -158,17 +158,18 @@ function isRepoNotAllowed(repoFullName: string, repositoryWhiteList: string[]):
   return repositoryWhiteList.length > 0 && !repositoryWhiteList.includes(repoFullName);
 }
 
-function canRunJob(
+export function canRunJob(
   workflowJobLabels: string[],
   runnerLabelsMatchers: string[][],
   workflowLabelCheckAll: boolean,
 ): boolean {
   runnerLabelsMatchers = runnerLabelsMatchers.map((runnerLabel) => {
     return runnerLabel.map((label) => label.toLowerCase());
   });
-  const match = workflowLabelCheckAll
+  const matchLabels = workflowLabelCheckAll
     ? runnerLabelsMatchers.some((rl) => workflowJobLabels.every((wl) => rl.includes(wl.toLowerCase())))
     : runnerLabelsMatchers.some((rl) => workflowJobLabels.some((wl) => rl.includes(wl.toLowerCase())));
+  const match = workflowJobLabels.length === 0 ? !matchLabels : matchLabels;
 
   logger.debug(
     `Received workflow job event with labels: '${JSON.stringify(workflowJobLabels)}'. The event does ${
diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf
@@ -34,7 +34,7 @@ variable "tags" {
 }
 
 variable "runner_config" {
-  description = "SQS queue to publish accepted build events based on the runner type."
+  description = "SQS queue to publish accepted build events based on the runner type. When exact match is disabled the webhook accecpts the event if one of the workflow job labels is part of the matcher."
   type = map(object({
     arn  = string
     id   = string

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ variable "tags" {`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`variable "runner_config" {`
`37`		`- description = "SQS queue to publish accepted build events based on the runner type."`
	`37`	`+ description = "SQS queue to publish accepted build events based on the runner type. When exact match is disabled the webhook accecpts the event if one of the workflow job labels is part of the matcher."`
`38`	`38`	`type = map(object({`
`39`	`39`	`arn = string`
`40`	`40`	`id = string`