lix-project/buildbot-nix
15
0
Fork 0
Code Issues 13 Pull requests 7 Projects Releases Packages Wiki Activity

chore(auth): generalize authentication method to internals of NixOS module

Browse source 
This makes it easier to make it configurable, this is step 1.

Signed-off-by: Raito Bezarius <raito@lix.systems>
This commit is contained in:
raito 2024-05-06 19:52:55 +02:00
parent 914c28af91
commit 87a9b9df01
2 changed files with 38 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
buildbot_nix/__init__.py
View file

@ -14,6 +14,7 @@ from buildbot.process import buildstep, logobserver, remotecommand
from buildbot.process.project import Project
from buildbot.process.properties import Properties
from buildbot.process.results import ALL_RESULTS, statusToString
from buildbot.www.auth import AuthBase
from buildbot.www.oauth2 import OAuth2Auth
from buildbot.changes.gerritchangesource import GerritChangeSource
from buildbot.reporters.utils import getURLForBuildrequest
@ -31,13 +32,22 @@ from .binary_cache import S3BinaryCacheConfig
log = Logger()
class LixSystemsOAuth2(OAuth2Auth):
name = 'Lix'
faIcon = 'fa-login'
resourceEndpoint = "https://identity.lix.systems"
# is passing scope necessary?
authUri = 'https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth'
tokenUri = 'https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token'
@dataclass
class OAuth2Config:
name: str
faIcon: str
resourceEndpoint: str
authUri: str
tokenUri: str
def make_oauth2_method(oauth2_config: OAuth2Config):
"""
This constructs dynamically a class inheriting
an OAuth2 base configured using a dataclass.
"""
return type(f'{oauth2_config.name}DynamicOAuth2',
(OAuth2Auth,),
oauth2_config.__dict__)
class BuildbotNixError(Exception):
pass
@ -716,6 +726,7 @@ class GerritNixConfigurator(ConfiguratorBase):
nix_workers_secret_name: str = "buildbot-nix-workers", # noqa: S107
signing_keyfile: str | None = None,
binary_cache_config: dict[str, str] | None = None,
auth_method: AuthBase | None = None,
) -> None:
super().__init__()
self.gerrit_server = gerrit_server
@ -740,6 +751,8 @@ class GerritNixConfigurator(ConfiguratorBase):
self.signing_keyfile = signing_keyfile
self.auth_method = auth_method
def configure(self, config: dict[str, Any]) -> None:
worker_config = json.loads(read_secret_file(self.nix_workers_secret_name))
worker_names = []
@ -816,5 +829,5 @@ class GerritNixConfigurator(ConfiguratorBase):
config["www"].setdefault("plugins", {})
if "auth" not in config["www"]:
config["www"]["auth"] = LixSystemsOAuth2('buildbot', read_secret_file('buildbot-oauth2-secret'), autologin=True)
if "auth" not in config["www"] and self.auth_method is not None:
config["www"]["auth"] = self.auth_method

18
nix/coordinator.nix
View file

@ -144,13 +144,23 @@ in
home = "/var/lib/buildbot";
extraImports = ''
from datetime import timedelta
from buildbot_nix import GerritNixConfigurator
from buildbot_nix import GerritNixConfigurator, read_secret_file
'';
configurators = [
''
util.JanitorConfigurator(logHorizon=timedelta(weeks=4), hour=12, dayOfWeek=6)
''
''
# TODO(raito): make me configurable from the NixOS module.
# how?
LixSystemsOAuth2 = make_oauth2_method(OAuth2Config(
name='Lix',
faIcon='fa-login',
resourceEndpoint='https://identity.lix.systems',
authUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth',
tokenUri='https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token'
)
GerritNixConfigurator(
"${cfg.gerrit.domain}",
"${cfg.gerrit.username}",
@ -166,7 +176,11 @@ in
binary_cache_config=${if (!cfg.binaryCache.enable) then "None" else builtins.toJSON {
inherit (cfg.binaryCache) bucket region endpoint;
profile = "default";
}}
}},
auth_method=LixSystemsOAuth2('buildbot',
read_secret_file('buildbot-oauth2-secret'),
autologin=True
)
)
''
];