Validate bugzilla email/accounts

[nirik]

Currently we have a bugzilla email/account field in noggin, but we aren't doing much with it yet.

When the user doesn't set this, we use their main address to log them into bugzilla via SAML2.

When they do set it, we need some way to validate that the email/account is valid and matches the user. Bugzilla admins would like this before we start using this for logging into bugzilla.

I am not entirely sure how we can do this validation. Perhaps @puiterwijk will have some ideas?

[puiterwijk]

We could just do the "default": set any changes to a bz_email_toverify attribute on the user object, and send the new email a link that confirms it, after which it updates bz_email.

[puiterwijk]

In order to not have to store anything, it would be an idea to e.g. have the link be a signed JWT token valid for a limited time (10 minutes?) that includes the new email address, old one, current last-user-mod-time, and username?

[jmflinuxtx]

Oh, things are much worse than just not using or validating it. I changed my "email address" field from my RH address to my personal address because I tend to use my fedoraproject.org address upstream and don't want to have to log into work email to see replies to it. My "Red Hat Bugzilla Email" is still set to jforbes@redhat.com and was not touched. For some reason I just got a lot of bugzilla notifications:

Fedora Admin user for bugzilla script actions <fedora-admin-xmlrpc@fedoraproject.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|jforbes@redhat.com          |jmforbes@linuxtx.org

--- Comment #4 from Fedora Admin user for bugzilla script actions <fedora-admin-xmlrpc@fedoraproject.org> ---
This package has changed maintainer in Fedora. Reassigning to the new
maintainer of this component.

This makes it look like I left the company or something. It is beyond annoying, and actually harmful for optics. Luckily kernel bugs themselves are assigned to the kernel-team alias, so were not effected, but everything else I own was.

[abompard]

Uh, I have no idea what happened here. Noggin does not initiate communication with Bugzilla as far as I know. @pypingou maybe one of the toddlers listen to this type of change and updates Bugzilla ?

[pypingou]

Toddlers does the sync to bugzilla indeed.
This is the code used to retrieved the bugzilla email of an user: https://pagure.io/fedora-infra/toddlers/blob/main/f/toddlers/utils/fedora_account.py#_55 if I read this correctly, it looks like it does not support the "Red Hat Bugzilla email" field.

[jmflinuxtx]

So I am assuming if I leave my email setup the way it is right now and somehow get bugzilla changed on the couple of packages that were owned by my email directly switched back, it will not try to change them again unless I change something else? Or do I need to switch my regular email field back to my redhat address?

[jmflinuxtx]

Toddlers does the sync to bugzilla indeed.
This is the code used to retrieved the bugzilla email of an user: https://pagure.io/fedora-infra/toddlers/blob/main/f/toddlers/utils/fedora_account.py#_55 if I read this correctly, it looks like it does not support the "Red Hat Bugzilla email" field.

In the longer term, I think we should either add the support to Toddlers, or remove the field from the Fedora Account System. I would prefer the first option, but what we have now certainly leads to unexpected results.

[abompard]

Yeah I think that the problem is that the field advertises something that does not do anything yet, because the bugzilla admins don't want us to use this field until the email ownership is validated (which is the original point of this ticket). When that's fixed, toddlers should only look at changes in the bugzilla email attribute, not in the main email attribute, for this task. Right?

[jmflinuxtx]

I might suggest from my experience, that nothing validated the email address I put in the regular email field either, and we still changed bugzilla ownership without validation. Making toddler do the right thing now puts us in no worse of a situation.