lix-project/buildbot-nix
15
0
Fork 0
Code Issues 12 Pull requests 7 Packages Projects Releases Wiki Activity

add patch to make systemd LoadCredential work again

Browse source
This commit is contained in:
Jörg Thalheim 2023-10-27 07:45:57 +02:00
parent fcf58ff31b
commit 0732e17b14
2 changed files with 55 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
nix/0001-allow-secrets-to-be-group-readable.patch Normal file
View file

@ -0,0 +1,47 @@
From 41bd68a23e605fb97b0fccff2af00a39cfd386f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Sat, 14 Oct 2023 11:45:30 +0200
Subject: [PATCH] allow secrets to be group-readable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Systemd's LoadCredential feature makes have the following 0o440 permissions.
Services cannot modify secrets or their permission.
By relaxing the check we allow buildbot to use secrets provided by systemd.
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
master/buildbot/secrets/providers/file.py | 2 +-
master/buildbot/test/unit/test_secret_in_file.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/master/buildbot/secrets/providers/file.py b/master/buildbot/secrets/providers/file.py
index 11daf327a..293a9f410 100644
--- a/buildbot/secrets/providers/file.py
+++ b/buildbot/secrets/providers/file.py
@@ -32,7 +32,7 @@ class SecretInAFile(SecretProviderBase):
def checkFileIsReadOnly(self, dirname, secretfile):
filepath = os.path.join(dirname, secretfile)
obs_stat = stat.S_IMODE(os.stat(filepath).st_mode)
- if (obs_stat & 0o77) != 0 and os.name == "posix":
+ if (obs_stat & 0o7) != 0 and os.name == "posix":
config.error(f"Permissions {oct(obs_stat)} on file {secretfile} are too open."
" It is required that your secret files are NOT"
" accessible by others!")
diff --git a/master/buildbot/test/unit/test_secret_in_file.py b/master/buildbot/test/unit/test_secret_in_file.py
index 01750172d..041b9654f 100644
--- a/buildbot/test/unit/test_secret_in_file.py
+++ b/buildbot/test/unit/test_secret_in_file.py
@@ -57,7 +57,7 @@ def testCheckConfigErrorSecretInAFileService(self):
if os.name != "posix":
self.skipTest("Permission checks only works on posix systems")
filepath = self.createFileTemp(self.tmp_dir, "tempfile2.txt",
- chmodRights=stat.S_IRGRP)
+ chmodRights=stat.S_IROTH)
expctd_msg_error = " on file tempfile2.txt are too " \
"open. It is required that your secret files are" \
" NOT accessible by others!"
--
2.42.0

8
nix/master.nix
View file

@ -122,6 +122,9 @@ in
in in
"${if hasSSL then "https" else "http"}://${cfg.domain}/"; "${if hasSSL then "https" else "http"}://${cfg.domain}/";
dbUrl = config.services.buildbot-nix.master.dbUrl; dbUrl = config.services.buildbot-nix.master.dbUrl;
package = (pkgs.buildbot.overrideAttrs (old: {
patches = old.patches ++ [ ./0001-allow-secrets-to-be-group-readable.patch ];
}));
pythonPackages = ps: [ pythonPackages = ps: [
ps.requests ps.requests
ps.treq ps.treq
@ -129,6 +132,11 @@ in
(ps.toPythonModule pkgs.buildbot-worker) (ps.toPythonModule pkgs.buildbot-worker)
pkgs.buildbot-plugins.www pkgs.buildbot-plugins.www
pkgs.buildbot-plugins.www-react pkgs.buildbot-plugins.www-react
pkgs.buildbot-plugins.console-view
pkgs.buildbot-plugins.waterfall-view
pkgs.buildbot-plugins.grid-view
pkgs.buildbot-plugins.wsgi-dashboards
pkgs.buildbot-plugins.badges
]; ];
}; };