diff --git a/README.md b/README.md index 30871f9..789dd89 100644 --- a/README.md +++ b/README.md @@ -122,7 +122,11 @@ combinations: @ofborg build list of attrs looks good to me! ``` -## Trusted Users +## Trusted Users (Currently Disabled) + +> **NOTE:** The Trusted Users functionality is currently disabled, as the +> current darwin builder is reset very frequently. This means that _all_ users +> will have their PRs build on the darwin machine. Trusted users have their builds and tests executed on _all_ available platforms, including those without good sandboxing. Because this exposes the host to a diff --git a/config.public.json b/config.public.json index a06680e..4316785 100644 --- a/config.public.json +++ b/config.public.json @@ -12,6 +12,7 @@ "grahamc/ofborg", "grahamc/nixpkgs" ], + "disable_trusted_users": true, "trusted_users": [ "1000101", "7c6f434c", diff --git a/ofborg/src/acl.rs b/ofborg/src/acl.rs index aeef24e..d807d3a 100644 --- a/ofborg/src/acl.rs +++ b/ofborg/src/acl.rs @@ -1,16 +1,15 @@ use crate::systems::System; pub struct ACL { - trusted_users: Vec, + trusted_users: Option>, repos: Vec, } impl ACL { - pub fn new(repos: Vec, mut trusted_users: Vec) -> ACL { - trusted_users - .iter_mut() - .map(|x| *x = x.to_lowercase()) - .last(); + pub fn new(repos: Vec, mut trusted_users: Option>) -> ACL { + if let Some(ref mut users) = trusted_users { + users.iter_mut().map(|x| *x = x.to_lowercase()).last(); + } ACL { trusted_users, @@ -47,10 +46,16 @@ impl ACL { } pub fn can_build_unrestricted(&self, user: &str, repo: &str) -> bool { - if repo.to_lowercase() == "nixos/nixpkgs" { - self.trusted_users.contains(&user.to_lowercase()) + if let Some(ref users) = self.trusted_users { + if repo.to_lowercase() == "nixos/nixpkgs" { + users.contains(&user.to_lowercase()) + } else { + user == "grahamc" + } } else { - user == "grahamc" + // If trusted_users is disabled (and thus None), everybody can build + // unrestricted + true } } } diff --git a/ofborg/src/config.rs b/ofborg/src/config.rs index f9f8fbc..fa105b4 100644 --- a/ofborg/src/config.rs +++ b/ofborg/src/config.rs @@ -67,6 +67,7 @@ pub struct LogStorage { pub struct RunnerConfig { pub identity: String, pub repos: Option>, + pub disable_trusted_users: bool, pub trusted_users: Option>, /// If true, will create its own queue attached to the build job @@ -89,16 +90,24 @@ impl Config { } pub fn acl(&self) -> acl::ACL { - acl::ACL::new( - self.runner - .repos - .clone() - .expect("fetching config's runner.repos"), - self.runner - .trusted_users - .clone() - .expect("fetching config's runner.trusted_users"), - ) + let repos = self + .runner + .repos + .clone() + .expect("fetching config's runner.repos"); + + let trusted_users = if self.runner.disable_trusted_users { + None + } else { + Some( + self.runner + .trusted_users + .clone() + .expect("fetching config's runner.trusted_users"), + ) + }; + + acl::ACL::new(repos, trusted_users) } pub fn github(&self) -> Github { diff --git a/ofborg/src/tasks/evaluationfilter.rs b/ofborg/src/tasks/evaluationfilter.rs index 6735e89..db66a54 100644 --- a/ofborg/src/tasks/evaluationfilter.rs +++ b/ofborg/src/tasks/evaluationfilter.rs @@ -110,8 +110,10 @@ mod tests { let job: ghevent::PullRequestEvent = serde_json::from_str(&data.to_string()).expect("Should properly deserialize"); - let mut worker = - EvaluationFilterWorker::new(acl::ACL::new(vec!["nixos/nixpkgs".to_owned()], vec![])); + let mut worker = EvaluationFilterWorker::new(acl::ACL::new( + vec!["nixos/nixpkgs".to_owned()], + Some(vec![]), + )); assert_eq!( worker.consumer(&job),