---
title: CI threat model
...

* Sorry
* CI in the abstract
* STRIDE
* Threats

---

# Sorry

* RelEng is de-scoping the new CI project to only continuous integration, dropping delivery and deployment. For now.
* This is a recent change (last week), and may come as a surprise. This presentation has a butchered threat model that hasn't been reviewed by other parties yet.

---

~~~dot
digraph "abstract2" {
  labelloc=b
  developer [shape=octagon label="Developer"];
  deployer [shape=octagon label="Reviewer"];
  gerrit [label="Gerrit"];
  subgraph cluster_ci {
    label="CI"
    build [label="Untrusted build \n worker"];
    build2 [label="Trusted build \n worker"];
    arts [label="Artifact store"];
  }
  developer -> gerrit [headlabel="push \n patchset"];
  gerrit -> build [label="trigger"];
  deployer -> gerrit [taillabel="CR+2"];
  gerrit -> build2 [label="merge and \n upload"];
  build2 -> arts [label="upload"];
}
~~~

---

~~~dot
digraph "ci-threat" {
  labelloc=b
  dev [label="Developer"]
  vcs [label="Code review\nsystem", style=filled]
  dep [label="Deployer"]

  // Developers can submit patches to the VCS system
  dev -> vcs [label="patch",color="blue"]
  // Deployers can merge patches in the codebase
  dep -> vcs [label="+2",color="red"]

  // This graph includes all of the "untrusted" environments
  subgraph cluster_untrusted {
    node [style=filled]
    label = "Untrusted environments"
    color=blue
    subgraph cluster_unt_ci {
      label="CI"
      style="dashed"
      ci [label="CI system"]
      ciui [label="CI RO web UI"]
      tempartifacts [label="Artifact store\n for temporary blobs\nincl. build logs"]
    }
    subgraph cluster_testing {
      node [style=filled]
      testenv [label="test cluster"]
      label = "deployment-prep"
      style = "dashed"
    }
  }

  subgraph cluster_trusted {
    node [style=filled]
    label = "Trusted environments"
    color=red
    subgraph cluster_tr_ci {
      label="Trusted CI"
      style = "dashed"
      trustedci [label="Secure CI component"]
      trustedciui [label="Admin CI UI"]
      artifacts [label="Artifact store\n for persistent blobs"]
      // The trusted CI component can upload artifacts to the store(s)
      trustedci -> artifacts
      // The admin CI interface can submit and view jobs in the secure CI
      trustedciui -> trustedci [label="submit/view"]
    }
    subgraph cluster_prod {
      label = "Production"
      style = "dashed"
      prodenv [label="Production nodes"]
      deployment [label="Deployment nodes"]
      // The deployment nodes can deploy artifacts to production
      deployment -> prodenv
    }
    // The artifact store
    deployment -> artifacts [style="dashed",label="pull"]
  }

  // The admin CI interface can submit jobs to the untrusted CI
  trustedciui -> ci [label="submit"]
  // Merging a patch generates a trusted job
  vcs -> trustedci [label="+2/gns",color="red"]
  // The developer can view the results of builds
  dev -> ciui [style="dashed"]
  ciui -> ci [style="dashed"]
  ciui -> tempartifacts [style="dashed"]
  vcs -> ci [label="PS", color="blue"]
  // The insecure CI can upload artifacts to the temporary store
  ci -> tempartifacts
  testenv -> tempartifacts [style="dashed",label="pull"]
  // Deployers can deploy the resulting artifacts
  dep -> deployment [label="deploy"]
  // The deployer can submit/view jobs on the trusted CI
  dep -> trustedciui [label="submit/view"]

  subgraph cluster_legend {
    labelloc=t
    label="Legend"
    {
      key [label=<
Read-Write |
Read-Only |