add patch to make systemd LoadCredential work again

2023-10-27 07:45:57 +02:00 · 2023-10-27 07:45:57 +02:00 · 0732e17b14
parent fcf58ff31b
commit 0732e17b14
2 changed files with 55 additions and 0 deletions
--- a/nix/0001-allow-secrets-to-be-group-readable.patch
+++ b/nix/0001-allow-secrets-to-be-group-readable.patch
@ -0,0 +1,47 @@
+From 41bd68a23e605fb97b0fccff2af00a39cfd386f3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Sat, 14 Oct 2023 11:45:30 +0200
+Subject: [PATCH] allow secrets to be group-readable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Systemd's LoadCredential feature makes have the following 0o440 permissions.
+Services cannot modify secrets or their permission.
+By relaxing the check we allow buildbot to use secrets provided by systemd.
+
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ master/buildbot/secrets/providers/file.py        | 2 +-
+ master/buildbot/test/unit/test_secret_in_file.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/master/buildbot/secrets/providers/file.py b/master/buildbot/secrets/providers/file.py
+index 11daf327a..293a9f410 100644
+--- a/buildbot/secrets/providers/file.py
+++ b/buildbot/secrets/providers/file.py
+@@ -32,7 +32,7 @@ class SecretInAFile(SecretProviderBase):
+     def checkFileIsReadOnly(self, dirname, secretfile):
+         filepath = os.path.join(dirname, secretfile)
+         obs_stat = stat.S_IMODE(os.stat(filepath).st_mode)
+-        if (obs_stat & 0o77) != 0 and os.name == "posix":
+        if (obs_stat & 0o7) != 0 and os.name == "posix":
+             config.error(f"Permissions {oct(obs_stat)} on file {secretfile} are too open."
+                          " It is required that your secret files are NOT"
+                          " accessible by others!")
+diff --git a/master/buildbot/test/unit/test_secret_in_file.py b/master/buildbot/test/unit/test_secret_in_file.py
+index 01750172d..041b9654f 100644
+--- a/buildbot/test/unit/test_secret_in_file.py
+++ b/buildbot/test/unit/test_secret_in_file.py
+@@ -57,7 +57,7 @@ def testCheckConfigErrorSecretInAFileService(self):
+         if os.name != "posix":
+             self.skipTest("Permission checks only works on posix systems")
+         filepath = self.createFileTemp(self.tmp_dir, "tempfile2.txt",
+-                                       chmodRights=stat.S_IRGRP)
+                                       chmodRights=stat.S_IROTH)
+         expctd_msg_error = " on file tempfile2.txt are too " \
+                            "open. It is required that your secret files are" \
+                            " NOT accessible by others!"
+-- 
+2.42.0
+
--- a/nix/master.nix
+++ b/nix/master.nix
@ -122,6 +122,9 @@ in
        in
        "${if hasSSL then "https" else "http"}://${cfg.domain}/";
      dbUrl = config.services.buildbot-nix.master.dbUrl;
+      package = (pkgs.buildbot.overrideAttrs (old: {
+        patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
+      }));
      pythonPackages = ps: [
        ps.requests
        ps.treq
@ -129,6 +132,11 @@ in
        (ps.toPythonModule pkgs.buildbot-worker)
        pkgs.buildbot-plugins.www
        pkgs.buildbot-plugins.www-react
+        pkgs.buildbot-plugins.console-view
+        pkgs.buildbot-plugins.waterfall-view
+        pkgs.buildbot-plugins.grid-view
+        pkgs.buildbot-plugins.wsgi-dashboards
+        pkgs.buildbot-plugins.badges
      ];
    };