the-distro/ofborg
1
0
Fork 1
Code Issues Pull requests Packages Projects Releases Wiki Activity

Disable trusted users for now

Browse source 
The current darwwin builder is reset very, very frequently (mostly due to its
storage constraints necessitating it), so there's much less of a reason to limit
the people who can utilize it. (Enabling it for everybody will also guarantee
more frequent resets, as well.)

However, it is kept as an option so that it can be re-enabled some time in the
future, if anything were to happen.
This commit is contained in:
Cole Helbling 2021-05-17 13:08:14 -07:00
parent d934ebe9af
commit 452ee25294
No known key found for this signature in database
GPG key ID: B37E0F2371016A4C
5 changed files with 43 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -122,7 +122,11 @@ combinations:
@ofborg build list of attrs looks good to me!
```
## Trusted Users
## Trusted Users (Currently Disabled)
> **NOTE:** The Trusted Users functionality is currently disabled, as the
> current darwin builder is reset very frequently. This means that _all_ users
> will have their PRs build on the darwin machine.
Trusted users have their builds and tests executed on _all_ available platforms,
including those without good sandboxing. Because this exposes the host to a

1
config.public.json
View file

@ -12,6 +12,7 @@
"grahamc/ofborg",
"grahamc/nixpkgs"
],
"disable_trusted_users": true,
"trusted_users": [
"1000101",
"7c6f434c",

23
ofborg/src/acl.rs
View file

@ -1,16 +1,15 @@
use crate::systems::System;
pub struct ACL {
trusted_users: Vec<String>,
trusted_users: Option<Vec<String>>,
repos: Vec<String>,
}
impl ACL {
pub fn new(repos: Vec<String>, mut trusted_users: Vec<String>) -> ACL {
trusted_users
.iter_mut()
.map(|x| *x = x.to_lowercase())
.last();
pub fn new(repos: Vec<String>, mut trusted_users: Option<Vec<String>>) -> ACL {
if let Some(ref mut users) = trusted_users {
users.iter_mut().map(|x| *x = x.to_lowercase()).last();
}
ACL {
trusted_users,
@ -47,10 +46,16 @@ impl ACL {
}
pub fn can_build_unrestricted(&self, user: &str, repo: &str) -> bool {
if repo.to_lowercase() == "nixos/nixpkgs" {
self.trusted_users.contains(&user.to_lowercase())
if let Some(ref users) = self.trusted_users {
if repo.to_lowercase() == "nixos/nixpkgs" {
users.contains(&user.to_lowercase())
} else {
user == "grahamc"
}
} else {
user == "grahamc"
// If trusted_users is disabled (and thus None), everybody can build
// unrestricted
true
}
}
}

29
ofborg/src/config.rs
View file

@ -67,6 +67,7 @@ pub struct LogStorage {
pub struct RunnerConfig {
pub identity: String,
pub repos: Option<Vec<String>>,
pub disable_trusted_users: bool,
pub trusted_users: Option<Vec<String>>,
/// If true, will create its own queue attached to the build job
@ -89,16 +90,24 @@ impl Config {
}
pub fn acl(&self) -> acl::ACL {
acl::ACL::new(
self.runner
.repos
.clone()
.expect("fetching config's runner.repos"),
self.runner
.trusted_users
.clone()
.expect("fetching config's runner.trusted_users"),
)
let repos = self
.runner
.repos
.clone()
.expect("fetching config's runner.repos");
let trusted_users = if self.runner.disable_trusted_users {
None
} else {
Some(
self.runner
.trusted_users
.clone()
.expect("fetching config's runner.trusted_users"),
)
};
acl::ACL::new(repos, trusted_users)
}
pub fn github(&self) -> Github {

6
ofborg/src/tasks/evaluationfilter.rs
View file

@ -110,8 +110,10 @@ mod tests {
let job: ghevent::PullRequestEvent =
serde_json::from_str(&data.to_string()).expect("Should properly deserialize");
let mut worker =
EvaluationFilterWorker::new(acl::ACL::new(vec!["nixos/nixpkgs".to_owned()], vec![]));
let mut worker = EvaluationFilterWorker::new(acl::ACL::new(
vec!["nixos/nixpkgs".to_owned()],
Some(vec![]),
));
assert_eq!(
worker.consumer(&job),