drop pre 24.05 patch

This commit is contained in:
zowoq 2024-06-25 10:03:32 +10:00 committed by mergify[bot]
parent d6ae979a91
commit 8678bdf73b
2 changed files with 1 additions and 53 deletions

View file

@ -1,47 +0,0 @@
From 41bd68a23e605fb97b0fccff2af00a39cfd386f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Sat, 14 Oct 2023 11:45:30 +0200
Subject: [PATCH] allow secrets to be group-readable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Systemd's LoadCredential feature makes have the following 0o440 permissions.
Services cannot modify secrets or their permission.
By relaxing the check we allow buildbot to use secrets provided by systemd.
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
master/buildbot/secrets/providers/file.py | 2 +-
master/buildbot/test/unit/test_secret_in_file.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/master/buildbot/secrets/providers/file.py b/master/buildbot/secrets/providers/file.py
index 11daf327a..293a9f410 100644
--- a/buildbot/secrets/providers/file.py
+++ b/buildbot/secrets/providers/file.py
@@ -32,7 +32,7 @@ class SecretInAFile(SecretProviderBase):
def checkFileIsReadOnly(self, dirname, secretfile):
filepath = os.path.join(dirname, secretfile)
obs_stat = stat.S_IMODE(os.stat(filepath).st_mode)
- if (obs_stat & 0o77) != 0 and os.name == "posix":
+ if (obs_stat & 0o7) != 0 and os.name == "posix":
config.error(f"Permissions {oct(obs_stat)} on file {secretfile} are too open."
" It is required that your secret files are NOT"
" accessible by others!")
diff --git a/master/buildbot/test/unit/test_secret_in_file.py b/master/buildbot/test/unit/test_secret_in_file.py
index 01750172d..041b9654f 100644
--- a/buildbot/test/unit/test_secret_in_file.py
+++ b/buildbot/test/unit/test_secret_in_file.py
@@ -57,7 +57,7 @@ def testCheckConfigErrorSecretInAFileService(self):
if os.name != "posix":
self.skipTest("Permission checks only works on posix systems")
filepath = self.createFileTemp(self.tmp_dir, "tempfile2.txt",
- chmodRights=stat.S_IRGRP)
+ chmodRights=stat.S_IROTH)
expctd_msg_error = " on file tempfile2.txt are too " \
"open. It is required that your secret files are" \
" NOT accessible by others!"
--
2.42.0

View file

@ -384,12 +384,7 @@ in
in in
"${if hasSSL then "https" else "http"}://${cfg.domain}/"; "${if hasSSL then "https" else "http"}://${cfg.domain}/";
dbUrl = config.services.buildbot-nix.master.dbUrl; dbUrl = config.services.buildbot-nix.master.dbUrl;
# Can be dropped after we have 24.05 everywhere package = pkgs.buildbot;
package = lib.mkIf (lib.versionOlder pkgs.buildbot.version "3.10.0") (
pkgs.buildbot.overrideAttrs (old: {
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
})
);
pythonPackages = ps: [ pythonPackages = ps: [
ps.requests ps.requests
ps.treq ps.treq