Merge pull request #110 from Mic92/authz-fix
Re-introduce buildbot patch for old buildbot versions
This commit is contained in:
commit
138e574774
47
nix/0001-allow-secrets-to-be-group-readable.patch
Normal file
47
nix/0001-allow-secrets-to-be-group-readable.patch
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
From 41bd68a23e605fb97b0fccff2af00a39cfd386f3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
|
||||||
|
Date: Sat, 14 Oct 2023 11:45:30 +0200
|
||||||
|
Subject: [PATCH] allow secrets to be group-readable
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Systemd's LoadCredential feature makes have the following 0o440 permissions.
|
||||||
|
Services cannot modify secrets or their permission.
|
||||||
|
By relaxing the check we allow buildbot to use secrets provided by systemd.
|
||||||
|
|
||||||
|
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
|
||||||
|
---
|
||||||
|
master/buildbot/secrets/providers/file.py | 2 +-
|
||||||
|
master/buildbot/test/unit/test_secret_in_file.py | 2 +-
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/master/buildbot/secrets/providers/file.py b/master/buildbot/secrets/providers/file.py
|
||||||
|
index 11daf327a..293a9f410 100644
|
||||||
|
--- a/buildbot/secrets/providers/file.py
|
||||||
|
+++ b/buildbot/secrets/providers/file.py
|
||||||
|
@@ -32,7 +32,7 @@ class SecretInAFile(SecretProviderBase):
|
||||||
|
def checkFileIsReadOnly(self, dirname, secretfile):
|
||||||
|
filepath = os.path.join(dirname, secretfile)
|
||||||
|
obs_stat = stat.S_IMODE(os.stat(filepath).st_mode)
|
||||||
|
- if (obs_stat & 0o77) != 0 and os.name == "posix":
|
||||||
|
+ if (obs_stat & 0o7) != 0 and os.name == "posix":
|
||||||
|
config.error(f"Permissions {oct(obs_stat)} on file {secretfile} are too open."
|
||||||
|
" It is required that your secret files are NOT"
|
||||||
|
" accessible by others!")
|
||||||
|
diff --git a/master/buildbot/test/unit/test_secret_in_file.py b/master/buildbot/test/unit/test_secret_in_file.py
|
||||||
|
index 01750172d..041b9654f 100644
|
||||||
|
--- a/buildbot/test/unit/test_secret_in_file.py
|
||||||
|
+++ b/buildbot/test/unit/test_secret_in_file.py
|
||||||
|
@@ -57,7 +57,7 @@ def testCheckConfigErrorSecretInAFileService(self):
|
||||||
|
if os.name != "posix":
|
||||||
|
self.skipTest("Permission checks only works on posix systems")
|
||||||
|
filepath = self.createFileTemp(self.tmp_dir, "tempfile2.txt",
|
||||||
|
- chmodRights=stat.S_IRGRP)
|
||||||
|
+ chmodRights=stat.S_IROTH)
|
||||||
|
expctd_msg_error = " on file tempfile2.txt are too " \
|
||||||
|
"open. It is required that your secret files are" \
|
||||||
|
" NOT accessible by others!"
|
||||||
|
--
|
||||||
|
2.42.0
|
||||||
|
|
|
@ -178,6 +178,10 @@ in
|
||||||
in
|
in
|
||||||
"${if hasSSL then "https" else "http"}://${cfg.domain}/";
|
"${if hasSSL then "https" else "http"}://${cfg.domain}/";
|
||||||
dbUrl = config.services.buildbot-nix.master.dbUrl;
|
dbUrl = config.services.buildbot-nix.master.dbUrl;
|
||||||
|
# Can be dropped after we have 24.05 everywhere
|
||||||
|
package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (pkgs.buildbot.overrideAttrs (old: {
|
||||||
|
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
|
||||||
|
}));
|
||||||
pythonPackages = ps: [
|
pythonPackages = ps: [
|
||||||
ps.requests
|
ps.requests
|
||||||
ps.treq
|
ps.treq
|
||||||
|
|
Loading…
Reference in a new issue