From 237bb194667135b8d6ac2c4b26eff178c1f0fe43 Mon Sep 17 00:00:00 2001
From: Flora Thiebaut
Date: Fri, 12 Jun 2026 09:01:12 +0200
Subject: [PATCH 1/7] fix: update some build permissions when the source repo is private
---
components/renku_data_services/session/db.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/components/renku_data_services/session/db.py b/components/renku_data_services/session/db.py
index 16f1d538b..bbc6d8bfb 100644
--- a/components/renku_data_services/session/db.py
+++ b/components/renku_data_services/session/db.py
@@ -929,6 +929,8 @@ async def start_build(self, user: base_models.APIUser, build: models.UnsavedBuil
raise errors.ConflictError( message=f"Session environment with id '{build.environment_id}' already has a build in progress." ) + + # TODO # We check that we build for a single target platform if len(build_parameters.platforms) > 1:
@@ -1023,6 +1025,9 @@ async def get_build_logs(
authorized = await self._get_environment_authorization( session=session, user=user, environment=build.environment, scope=Scope.WRITE ) + + # TODO + if not authorized: raise errors.MissingResourceError(message=not_found_message)
From 264aa0dbcb57eb4b0314f1a9cebea76020abc2b5 Mon Sep 17 00:00:00 2001
From: Flora Thiebaut
Date: Fri, 12 Jun 2026 07:15:19 +0000
Subject: [PATCH 2/7] check pull to start build
---
components/renku_data_services/session/db.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/components/renku_data_services/session/db.py b/components/renku_data_services/session/db.py
index bbc6d8bfb..df9210831 100644
--- a/components/renku_data_services/session/db.py
+++ b/components/renku_data_services/session/db.py
@@ -929,8 +929,6 @@ async def start_build(self, user: base_models.APIUser, build: models.UnsavedBuil
raise errors.ConflictError( message=f"Session environment with id '{build.environment_id}' already has a build in progress." ) - - # TODO # We check that we build for a single target platform if len(build_parameters.platforms) > 1:
@@ -1152,7 +1150,9 @@ async def _get_buildrun_params(
) if result.is_error: - raise errors.CannotStartBuildError(message=str(result.error)) + raise errors.UnauthorizedError( + message=f"You do not have the required credentials to clone the code repository {git_repository}." + ) authentication_secret: models.AuthenticationSecret | None = None output_image_prefix = (
@@ -1165,6 +1165,11 @@ async def _get_buildrun_params(
visibility = result.metadata.visibility if visibility == RepositoryVisibility.private: + if isinstance(result.metadata, Metadata) and not result.metadata.pull_permission: + raise errors.ForbiddenError( + message=f"You do not have the required permissions to clone the code repository {git_repository}." + ) + token: dict[str, Any] | None = await self.git_repositories_repo.get_token( repository_url=git_repository, user=user )
From 36ab50e8c4444dcbcd3dcee9b47eb86b5bec224b Mon Sep 17 00:00:00 2001
From: Flora Thiebaut
Date: Fri, 12 Jun 2026 07:25:44 +0000
Subject: [PATCH 3/7] capture result image at build start
---
components/renku_data_services/session/db.py | 25 +++++++++++++-------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/components/renku_data_services/session/db.py b/components/renku_data_services/session/db.py
index df9210831..a060c4ba3 100644
--- a/components/renku_data_services/session/db.py
+++ b/components/renku_data_services/session/db.py
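Review bot: In the `@@ -1152,7 +1150,9 @@` hunk of `_get_buildrun_params` (PATCH 2/7), every failed repository lookup is now reported as `UnauthorizedError` and `result.error` is discarded, so a provider outage, a mistyped URL and a real credential problem become indistinguishable to the caller and in the logs. Keeping a generic client-facing message is reasonable, but the cause should still be recorded server-side before the raise, e.g. `logger.warning("Repository lookup failed: %s", result.error)`. The message also interpolates `git_repository` verbatim; if that URL can carry userinfo (not visible in this hunk), it would be echoed back in the error body. The function body starts and ends outside the hunk.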
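Review bot: The pull-permission check added in the `@@ -1165,6 +1165,11 @@` hunk of `_get_buildrun_params` (PATCH 2/7) fails open when `result.metadata` is not a `Metadata` instance: `isinstance(...) and not ...pull_permission` is then false and the code goes on to fetch a token for a private repository. Which other types `result.metadata` can take here is not visible in the hunk, but a deny-by-default condition is safer: `if not isinstance(result.metadata, Metadata) or not result.metadata.pull_permission:`. The log-access check added in PATCH 4/7 already uses that form, so the two checks would then agree.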
@@ -942,21 +942,28 @@ async def start_build(self, user: base_models.APIUser, build: models.UnsavedBuil
build_orm = schemas.BuildORM( environment_id=build.environment_id, status=models.BuildStatus.in_progress, + result_repository_url=build_parameters.repository, ) + + result = build_orm.dump() + launcher = launcher_orm.dump() if launcher_orm is not None else None + + params: models.ShipwrightBuildRunParams | None = None + if self.shipwright_client is not None: + params = await self._get_buildrun_params( + user=user, build=result, build_parameters=build_parameters, launcher=launcher + ) + build_orm.result_image = params.output_image + else: + logger.error("Shipwright client is None") + session.add(build_orm) await session.flush() await session.refresh(build_orm) - result = build_orm.dump() - launcher = launcher_orm.dump() if launcher_orm is not None else None if self.shipwright_client is not None: - params = await self._get_buildrun_params( - user=user, build=result, build_parameters=build_parameters, launcher=launcher - ) + assert params is not None await self.shipwright_client.create_image_build(params=params, user_id=user.id) - else: - logger.error("Shipwright client is None") return result
@@ -1024,7 +1031,7 @@ async def get_build_logs(
session=session, user=user, environment=build.environment, scope=Scope.WRITE ) - # TODO + # TODO: If the output image is private, check that the user can read the source repository if not authorized: raise errors.MissingResourceError(message=not_found_message)
From 0c25ac05fc1dab6e3ec87908b4bfe6f473ac1c23 Mon Sep 17 00:00:00 2001
From: Flora Thiebaut
Date: Fri, 12 Jun 2026 07:51:57 +0000
Subject: [PATCH 4/7] perform check for logs
---
components/renku_data_services/session/db.py | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/components/renku_data_services/session/db.py b/components/renku_data_services/session/db.py
index a060c4ba3..e2097c973 100644
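Review bot: The second `if self.shipwright_client is not None:` block in `start_build` (PATCH 3/7, `@@ -942,21 +942,28 @@`) relies on `assert params is not None` to tie it to the first block; assertions are stripped under `python -O`, and the pairing of the two branches is only implicit. Testing the value directly removes the assert and keeps the type narrowing: `if self.shipwright_client is not None and params is not None:` followed by the existing `create_image_build` call. start_build's body starts outside the hunk.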
--- a/components/renku_data_services/session/db.py
+++ b/components/renku_data_services/session/db.py
@@ -1031,7 +1031,24 @@ async def get_build_logs(
session=session, user=user, environment=build.environment, scope=Scope.WRITE ) - # TODO: If the output image is private, check that the user can read the source repository + # If the output image is private, check that the user can read the source repository + if build.result_image is None: + authorized = False + else: + if self.builds_config.build_output_private_image_prefix is not None and build.result_image.startswith( + self.builds_config.build_output_private_image_prefix + ): + if build.result_repository_url is None: + authorized = False + else: + repo_data = await self.git_repositories_repo.get_repository( + repository_url=build.result_repository_url, + user=user, + etag=None, + internal_gitlab_user=base_models.APIUser(), + ) + if not isinstance(repo_data.metadata, Metadata) or not repo_data.metadata.pull_permission: + authorized = False if not authorized: raise errors.MissingResourceError(message=not_found_message)
From 734cd63ce6a0443e7438b7e8eeb5b8bc1e73c843 Mon Sep 17 00:00:00 2001
From: Flora Thiebaut
Date: Mon, 22 Jun 2026 10:20:28 +0000
Subject: [PATCH 5/7] fix 500 error
---
components/renku_data_services/session/db.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/components/renku_data_services/session/db.py b/components/renku_data_services/session/db.py
index 9dbcc9f58..5ef9e7c41 100644
--- a/components/renku_data_services/session/db.py
+++ b/components/renku_data_services/session/db.py
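Review bot: The block added to `get_build_logs` (PATCH 4/7) runs before the `if not authorized` raise, so `get_repository` is called even for callers that already failed the `Scope.WRITE` check on the environment. That spends an outbound provider request on unauthorized callers and makes their response time depend on whether the build has a private output image. Adding `authorized and` to the prefix condition keeps the deny-by-default result while skipping the lookup: `if authorized and self.builds_config.build_output_private_image_prefix is not None and build.result_image.startswith(`. Separately, `build.result_image is None` now denies log access outright, which presumably also covers builds stored before `result_image` was captured at start; a comment saying that this is intended would help.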
@@ -945,13 +945,12 @@ async def start_build(self, user: base_models.APIUser, build: models.UnsavedBuil
result_repository_url=build_parameters.repository, ) - result = build_orm.dump() launcher = launcher_orm.dump() if launcher_orm is not None else None params: models.ShipwrightBuildRunParams | None = None if self.shipwright_client is not None: params = await self._get_buildrun_params( - user=user, build=result, build_parameters=build_parameters, launcher=launcher + user=user, build=build_orm.dump(), build_parameters=build_parameters, launcher=launcher ) build_orm.result_image = params.output_image else:
@@ -960,6 +959,7 @@ async def start_build(self, user: base_models.APIUser, build: models.UnsavedBuil
session.add(build_orm) await session.flush() await session.refresh(build_orm) + result = build_orm.dump() if self.shipwright_client is not None: assert params is not None
From 696eef810f30ae5b08fe9998b37207fc2f393a65 Mon Sep 17 00:00:00 2001
From: Flora Thiebaut
Date: Mon, 29 Jun 2026 15:09:29 +0200
Subject: [PATCH 6/7] Update components/renku_data_services/session/db.py
Co-authored-by: Samuel Gaist
---
components/renku_data_services/session/db.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/components/renku_data_services/session/db.py b/components/renku_data_services/session/db.py
index 5d9cd436d..5207317c9 100644
--- a/components/renku_data_services/session/db.py
+++ b/components/renku_data_services/session/db.py
@@ -1054,8 +1054,9 @@ async def get_build_logs(
if build.result_image is None: authorized = False else: - if self.builds_config.build_output_private_image_prefix is not None and build.result_image.startswith( - self.builds_config.build_output_private_image_prefix + if builds_config.private_builds_enabled + and launcher.environment.container_image.startswith( + builds_config.build_output_private_image_prefix ): if build.result_repository_url is None: authorized = False
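Review bot: In `start_build` (PATCH 5/7, `@@ -945,13 +945,12 @@`), `_get_buildrun_params` is still given a `build_orm.dump()` taken before `session.add` and `flush`, so any column the database fills in is not yet set on the object it receives. If the build-run name or `params.output_image` is derived from such a field (that function is outside this hunk), the `result_image` stored here, which `get_build_logs` later uses for its access decision, would be computed from an incomplete record. A comment would make the ordering deliberate, e.g. `# NOTE: build_orm is not flushed yet; _get_buildrun_params must not rely on DB-generated fields`.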
From 42844c4a023367cb7db4a240d0aee46e59c18a06 Mon Sep 17 00:00:00 2001
From: Flora Thiebaut
Date: Mon, 29 Jun 2026 13:19:51 +0000
Subject: [PATCH 7/7] fix suggestion
---
components/renku_data_services/session/db.py | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/components/renku_data_services/session/db.py b/components/renku_data_services/session/db.py
index 5207317c9..00162b9ac 100644
--- a/components/renku_data_services/session/db.py
+++ b/components/renku_data_services/session/db.py
@@ -1054,9 +1054,8 @@ async def get_build_logs(
if build.result_image is None: authorized = False else: - if builds_config.private_builds_enabled - and launcher.environment.container_image.startswith( - builds_config.build_output_private_image_prefix + if self.builds_config.private_builds_enabled and build.result_image.startswith( + self.builds_config.build_output_private_image_prefix ): if build.result_repository_url is None: authorized = False
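Review bot: The condition in `get_build_logs` now guards on `self.builds_config.private_builds_enabled` instead of `build_output_private_image_prefix is not None`, yet still passes the prefix to `build.result_image.startswith(...)`. If the flag can be true while the prefix is unset (the config class is not visible here), `startswith(None)` raises `TypeError` and the logs endpoint answers with a 500 instead of the not-found response. Keeping the explicit guard costs one clause: `prefix = self.builds_config.build_output_private_image_prefix` followed by `if prefix is not None and build.result_image.startswith(prefix):`. An empty-string prefix is worth ruling out in the config as well, since `startswith("")` is always true and every build would then be treated as private.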