Merge pull request #110 from Mic92/authz-fix

Re-introduce buildbot patch for old buildbot versions
This commit is contained in:
Jörg Thalheim 2024-03-21 13:04:27 +01:00 committed by GitHub
commit 138e574774
Failed to generate hash of commit
2 changed files with 51 additions and 0 deletions

View file

@ -0,0 +1,47 @@
From 41bd68a23e605fb97b0fccff2af00a39cfd386f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Sat, 14 Oct 2023 11:45:30 +0200
Subject: [PATCH] allow secrets to be group-readable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Systemd's LoadCredential feature makes have the following 0o440 permissions.
Services cannot modify secrets or their permission.
By relaxing the check we allow buildbot to use secrets provided by systemd.
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
master/buildbot/secrets/providers/file.py | 2 +-
master/buildbot/test/unit/test_secret_in_file.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/master/buildbot/secrets/providers/file.py b/master/buildbot/secrets/providers/file.py
index 11daf327a..293a9f410 100644
--- a/buildbot/secrets/providers/file.py
+++ b/buildbot/secrets/providers/file.py
@@ -32,7 +32,7 @@ class SecretInAFile(SecretProviderBase):
def checkFileIsReadOnly(self, dirname, secretfile):
filepath = os.path.join(dirname, secretfile)
obs_stat = stat.S_IMODE(os.stat(filepath).st_mode)
- if (obs_stat & 0o77) != 0 and os.name == "posix":
+ if (obs_stat & 0o7) != 0 and os.name == "posix":
config.error(f"Permissions {oct(obs_stat)} on file {secretfile} are too open."
" It is required that your secret files are NOT"
" accessible by others!")
diff --git a/master/buildbot/test/unit/test_secret_in_file.py b/master/buildbot/test/unit/test_secret_in_file.py
index 01750172d..041b9654f 100644
--- a/buildbot/test/unit/test_secret_in_file.py
+++ b/buildbot/test/unit/test_secret_in_file.py
@@ -57,7 +57,7 @@ def testCheckConfigErrorSecretInAFileService(self):
if os.name != "posix":
self.skipTest("Permission checks only works on posix systems")
filepath = self.createFileTemp(self.tmp_dir, "tempfile2.txt",
- chmodRights=stat.S_IRGRP)
+ chmodRights=stat.S_IROTH)
expctd_msg_error = " on file tempfile2.txt are too " \
"open. It is required that your secret files are" \
" NOT accessible by others!"
--
2.42.0

View file

@ -178,6 +178,10 @@ in
in
"${if hasSSL then "https" else "http"}://${cfg.domain}/";
dbUrl = config.services.buildbot-nix.master.dbUrl;
# Can be dropped after we have 24.05 everywhere
package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (pkgs.buildbot.overrideAttrs (old: {
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
}));
pythonPackages = ps: [
ps.requests
ps.treq