diff --git a/nix/0001-allow-secrets-to-be-group-readable.patch b/nix/0001-allow-secrets-to-be-group-readable.patch new file mode 100644 index 0000000..8c1c726 --- /dev/null +++ b/nix/0001-allow-secrets-to-be-group-readable.patch @@ -0,0 +1,47 @@ +From 41bd68a23e605fb97b0fccff2af00a39cfd386f3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= +Date: Sat, 14 Oct 2023 11:45:30 +0200 +Subject: [PATCH] allow secrets to be group-readable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Systemd's LoadCredential feature makes have the following 0o440 permissions. +Services cannot modify secrets or their permission. +By relaxing the check we allow buildbot to use secrets provided by systemd. + +Signed-off-by: Jörg Thalheim +--- + master/buildbot/secrets/providers/file.py | 2 +- + master/buildbot/test/unit/test_secret_in_file.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/master/buildbot/secrets/providers/file.py b/master/buildbot/secrets/providers/file.py +index 11daf327a..293a9f410 100644 +--- a/buildbot/secrets/providers/file.py ++++ b/buildbot/secrets/providers/file.py +@@ -32,7 +32,7 @@ class SecretInAFile(SecretProviderBase): + def checkFileIsReadOnly(self, dirname, secretfile): + filepath = os.path.join(dirname, secretfile) + obs_stat = stat.S_IMODE(os.stat(filepath).st_mode) +- if (obs_stat & 0o77) != 0 and os.name == "posix": ++ if (obs_stat & 0o7) != 0 and os.name == "posix": + config.error(f"Permissions {oct(obs_stat)} on file {secretfile} are too open." + " It is required that your secret files are NOT" + " accessible by others!") +diff --git a/master/buildbot/test/unit/test_secret_in_file.py b/master/buildbot/test/unit/test_secret_in_file.py +index 01750172d..041b9654f 100644 +--- a/buildbot/test/unit/test_secret_in_file.py ++++ b/buildbot/test/unit/test_secret_in_file.py +@@ -57,7 +57,7 @@ def testCheckConfigErrorSecretInAFileService(self): + if os.name != "posix": + self.skipTest("Permission checks only works on posix systems") + filepath = self.createFileTemp(self.tmp_dir, "tempfile2.txt", +- chmodRights=stat.S_IRGRP) ++ chmodRights=stat.S_IROTH) + expctd_msg_error = " on file tempfile2.txt are too " \ + "open. It is required that your secret files are" \ + " NOT accessible by others!" +-- +2.42.0 + diff --git a/nix/master.nix b/nix/master.nix index 6383d5e..d461208 100644 --- a/nix/master.nix +++ b/nix/master.nix @@ -178,6 +178,10 @@ in in "${if hasSSL then "https" else "http"}://${cfg.domain}/"; dbUrl = config.services.buildbot-nix.master.dbUrl; + # Can be dropped after we have 24.05 everywhere + package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (pkgs.buildbot.overrideAttrs (old: { + patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ]; + })); pythonPackages = ps: [ ps.requests ps.treq