Disable trusted users for now
The current darwin builder is reset very, very frequently (mostly due to its storage constraints necessitating it), so there's much less of a reason to limit the people who can utilize it. (Enabling it for everybody will also guarantee more frequent resets.) However, the trusted-users check is kept as an option so that it can be re-enabled some time in the future, if anything were to happen.
parent
d934ebe9af
commit
452ee25294
5 changed files with 43 additions and 22 deletions
|
@ -122,7 +122,11 @@ combinations:
|
|||
@ofborg build list of attrs looks good to me!
|
||||
```
|
||||
|
||||
## Trusted Users
|
||||
## Trusted Users (Currently Disabled)
|
||||
|
||||
> **NOTE:** The Trusted Users functionality is currently disabled, as the
|
||||
> current darwin builder is reset very frequently. This means that _all_ users
|
||||
> will have their PRs build on the darwin machine.
|
||||
|
||||
Trusted users have their builds and tests executed on _all_ available platforms,
|
||||
including those without good sandboxing. Because this exposes the host to a
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
"grahamc/ofborg",
|
||||
"grahamc/nixpkgs"
|
||||
],
|
||||
"disable_trusted_users": true,
|
||||
"trusted_users": [
|
||||
"1000101",
|
||||
"7c6f434c",
|
||||
|
|
|
@ -1,16 +1,15 @@
|
|||
use crate::systems::System;
|
||||
|
||||
pub struct ACL {
|
||||
trusted_users: Vec<String>,
|
||||
trusted_users: Option<Vec<String>>,
|
||||
repos: Vec<String>,
|
||||
}
|
||||
|
||||
impl ACL {
|
||||
pub fn new(repos: Vec<String>, mut trusted_users: Vec<String>) -> ACL {
|
||||
trusted_users
|
||||
.iter_mut()
|
||||
.map(|x| *x = x.to_lowercase())
|
||||
.last();
|
||||
pub fn new(repos: Vec<String>, mut trusted_users: Option<Vec<String>>) -> ACL {
|
||||
if let Some(ref mut users) = trusted_users {
|
||||
users.iter_mut().map(|x| *x = x.to_lowercase()).last();
|
||||
}
|
||||
|
||||
ACL {
|
||||
trusted_users,
|
||||
|
@ -47,10 +46,16 @@ impl ACL {
|
|||
}
|
||||
|
||||
pub fn can_build_unrestricted(&self, user: &str, repo: &str) -> bool {
|
||||
if repo.to_lowercase() == "nixos/nixpkgs" {
|
||||
self.trusted_users.contains(&user.to_lowercase())
|
||||
if let Some(ref users) = self.trusted_users {
|
||||
if repo.to_lowercase() == "nixos/nixpkgs" {
|
||||
users.contains(&user.to_lowercase())
|
||||
} else {
|
||||
user == "grahamc"
|
||||
}
|
||||
} else {
|
||||
user == "grahamc"
|
||||
// If trusted_users is disabled (and thus None), everybody can build
|
||||
// unrestricted
|
||||
true
|
||||
}
|
||||
}
|
||||
}
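Review bot: In `can_build_unrestricted`, the new outer `else` arm returns `true` for every user and every repo when `trusted_users` is `None`, so a missing list means full trust, and the earlier `user == "grahamc"` restriction for repositories other than nixos/nixpkgs is dropped as well. The README text in this commit says unrestricted builds run on platforms without good sandboxing, so I would make the open state explicit instead of implied by `None`, for example with a two-variant enum on `ACL`, so that a caller passing `None` by mistake does not silently open the builder. If the `Option` stays, the comment should state the full effect, e.g. `// trusted_users is None: the check is off for every repo, not only nixos/nixpkgs`. Separately, in `new`, `users.iter_mut().map(..).last()` drives a lazy iterator only for its side effect; `for u in users.iter_mut() { *u = u.to_lowercase(); }` says the same thing directly. The `impl ACL` block continues outside both hunks.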
|
||||
|
|
|
@ -67,6 +67,7 @@ pub struct LogStorage {
|
|||
pub struct RunnerConfig {
|
||||
pub identity: String,
|
||||
pub repos: Option<Vec<String>>,
|
||||
pub disable_trusted_users: bool,
|
||||
pub trusted_users: Option<Vec<String>>,
|
||||
|
||||
/// If true, will create its own queue attached to the build job
|
||||
|
@ -89,16 +90,24 @@ impl Config {
|
|||
}
|
||||
|
||||
pub fn acl(&self) -> acl::ACL {
|
||||
acl::ACL::new(
|
||||
self.runner
|
||||
.repos
|
||||
.clone()
|
||||
.expect("fetching config's runner.repos"),
|
||||
self.runner
|
||||
.trusted_users
|
||||
.clone()
|
||||
.expect("fetching config's runner.trusted_users"),
|
||||
)
|
||||
let repos = self
|
||||
.runner
|
||||
.repos
|
||||
.clone()
|
||||
.expect("fetching config's runner.repos");
|
||||
|
||||
let trusted_users = if self.runner.disable_trusted_users {
|
||||
None
|
||||
} else {
|
||||
Some(
|
||||
self.runner
|
||||
.trusted_users
|
||||
.clone()
|
||||
.expect("fetching config's runner.trusted_users"),
|
||||
)
|
||||
};
|
||||
|
||||
acl::ACL::new(repos, trusted_users)
|
||||
}
|
||||
|
||||
pub fn github(&self) -> Github {
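Review bot: `disable_trusted_users` in `RunnerConfig` has no doc comment, although it decides whether `acl()` applies the trusted-users check at all; a later field in the same struct is documented. I would add `/// If true, the trusted_users list is ignored and every user may build on all platforms.` above the field. The field is a plain `bool`, so if this struct is deserialized from the config file without a default (the derive is not visible in the hunk), configs lacking the key would stop loading; a default of `false` would keep the restriction on for them. It would also help operators if `acl()` logged once when it takes the `None` branch, since that state widens who can run builds on the poorly sandboxed machine. `RunnerConfig` continues outside the hunk.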
|
||||
|
|
|
@ -110,8 +110,10 @@ mod tests {
|
|||
let job: ghevent::PullRequestEvent =
|
||||
serde_json::from_str(&data.to_string()).expect("Should properly deserialize");
|
||||
|
||||
let mut worker =
|
||||
EvaluationFilterWorker::new(acl::ACL::new(vec!["nixos/nixpkgs".to_owned()], vec![]));
|
||||
let mut worker = EvaluationFilterWorker::new(acl::ACL::new(
|
||||
vec!["nixos/nixpkgs".to_owned()],
|
||||
Some(vec![]),
|
||||
));
|
||||
|
||||
assert_eq!(
|
||||
worker.consumer(&job),
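Review bot: The test was only adapted to the new signature with `Some(vec![])`, so nothing visible here exercises the `None` case that this commit introduces. A small test that builds `acl::ACL::new(vec!["nixos/nixpkgs".to_owned()], None)` and asserts that `can_build_unrestricted` is true for an arbitrary user, next to one with `Some(vec![])` asserting it is false, would pin both sides of the switch. The test function starts and ends outside the hunk, and the ACL module may already have tests of its own that are not shown.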
|
||||
|
|