Skip to content

[GSK-1623] Secure Giskard readonly demo space at Hugging Face Spaces#1355

Merged
kevinmessiaen merged 68 commits intomainfrom
GSK-1623-secure-readonly-demo-space
Sep 20, 2023
Merged

[GSK-1623] Secure Giskard readonly demo space at Hugging Face Spaces#1355
kevinmessiaen merged 68 commits intomainfrom
GSK-1623-secure-readonly-demo-space

Conversation

@Inokinoki
Copy link
Copy Markdown
Member

@Inokinoki Inokinoki commented Aug 30, 2023
edited
Loading

Description

Preventing any requests with modifications (POST, PUT, DELETE) when giskardai/giskard detected.

Preventing Create, Update, Delete operations in DB after initialization.

Related Issue

Type of Change

  • 📚 Examples / docs / tutorials / dependencies update
  • 🔧 Bug fix (non-breaking change which fixes an issue)
  • 🥂 Improvement (non-breaking change which improves an existing feature)
  • 🚀 New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to change)
  • 🔐 Security fix

Checklist

  • I've read the CODE_OF_CONDUCT.md document.
  • I've read the CONTRIBUTING.md guide.
  • I've updated the code style using make codestyle.
  • I've written tests for all new methods and classes that I created.
  • I've written the docstring in Google format for all the methods and classes that I used.

@linear
Copy link
Copy Markdown

linear Bot commented Aug 30, 2023

GSK-1623 Secure the demo space

Avoid uploading new projects

@andreybavt
Copy link
Copy Markdown
Contributor

andreybavt commented Sep 1, 2023

since we're sending some POST requests like predict or explain we can't actually block on HTTP method level.

Instead I suggest we do it on a DB level (more precisely at JPA).

for example, if you define a class like

import jakarta.persistence.PrePersist;
import jakarta.persistence.PreRemove;
import jakarta.persistence.PreUpdate;


public class ReadOnlyListener {
    private boolean isReadOnlyGiskardInstance() {
        // TODO: implement this, probably in another class
        return true;
    }

    @PrePersist
    @PreUpdate
    @PreRemove
    void onCUD(Object o) {
        if (isReadOnlyGiskardInstance()) {
            throw new IllegalStateException("This is a read-only Giskard instance. You cannot modify entities.");
        }
    }
}

Then you'll be able to use it at an @Entity level:

@Entity(name = "api_keys")
@Getter
@NoArgsConstructor
@EntityListeners(ReadOnlyListener.class)
public class ApiKey extends AbstractAuditingEntity

In this case we could even allow some modifications but not others, like writing TestSuiteExecution (I think we could also have a scheduled method to delete old executions on demo instance so that the DB doesn't get polluted to much)

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Sep 1, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 5 Code Smells

33.3% 33.3% Coverage
0.0% 0.0% Duplication

@Inokinoki
Merge branch 'main' of https://github.com/Giskard-AI/giskard into GSK…
d318d67 
…-1623-secure-readonly-demo-space
@Inokinoki
Merge branch 'main' of https://github.com/Giskard-AI/giskard into GSK…
6635a38 
…-1623-secure-readonly-demo-space
@Inokinoki
Fix multiple-column layout in HFSpaces setup tip
3b05fe8
@Inokinoki
Allow to use pre-filled token to change read-only
24fcf12
@Inokinoki
Allow to (un)lock demo Gallery Space using token
20a4d7d
@Inokinoki
Merge branch 'main' of https://github.com/Giskard-AI/giskard into GSK…
a811bd7 
…-1623-secure-readonly-demo-space
@Inokinoki
Set default value to unlocked in order to init
d69e5c7
@Inokinoki
Polish codestyle according to SonarLint
1c352ec
@Inokinoki
Merge branch 'main' of https://github.com/Giskard-AI/giskard into GSK…
cbc02c7 
…-1623-secure-readonly-demo-space
@Inokinoki Inokinoki self-assigned this Sep 15, 2023
kevinmessiaen
kevinmessiaen requested changes Sep 18, 2023
View reviewed changes
Comment thread backend/src/main/java/ai/giskard/domain/ApiKey.java
Comment thread frontend/src/views/main/admin/settings/SettingsGeneral.vue Outdated
Comment thread backend/src/main/java/ai/giskard/web/rest/errors/GalleryDemoSpaceException.java Outdated
Comment thread backend/src/main/java/ai/giskard/web/rest/controllers/GalleryUnlockController.java
Comment thread backend/src/main/java/ai/giskard/service/InitService.java Outdated
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Sep 19, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 1 Code Smell

0.0% 0.0% Coverage
0.0% 0.0% Duplication

1 similar comment
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Sep 19, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 1 Code Smell

0.0% 0.0% Coverage
0.0% 0.0% Duplication

@kevinmessiaen kevinmessiaen merged commit d5eaa73 into main Sep 20, 2023
@kevinmessiaen kevinmessiaen deleted the GSK-1623-secure-readonly-demo-space branch September 20, 2023 02:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kevinmessiaen kevinmessiaen kevinmessiaen approved these changes

@andreybavt andreybavt Awaiting requested review from andreybavt

Assignees

@Inokinoki Inokinoki

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Inokinoki @andreybavt @kevinmessiaen