diff --git a/ofborg/src/acl.rs b/ofborg/src/acl.rs
index 99116b3..f1a9d3e 100644
--- a/ofborg/src/acl.rs
+++ b/ofborg/src/acl.rs
@@ -1,18 +1,30 @@
 pub struct ACL {
- authorized_users: Vec,
+ trusted_users: Vec,
+ known_users: Vec,
 }
 impl ACL {
- pub fn new(authorized_users: Vec) -> ACL {
- return ACL { authorized_users: authorized_users };
+ pub fn new(trusted_users: Vec, known_users: Vec) -> ACL {
+ return ACL {
+ trusted_users: trusted_users,
+ known_users: known_users,
+ };
 }
- pub fn can_build(&self, user: &str, repo: &str) -> bool {
+ pub fn can_build_restricted(&self, user: &str, repo: &str) -> bool {
 if repo.to_lowercase() != "nixos/nixpkgs" {
 return false;
 }
- return self.authorized_users.contains(&user.to_lowercase());
+ return self.known_users.contains(&user.to_lowercase());
+ }
+
+ pub fn can_build_unrestricted(&self, user: &str, repo: &str) -> bool {
+ if repo.to_lowercase() != "nixos/nixpkgs" {
+ return false;
+ }
+
+ return self.trusted_users.contains(&user.to_lowercase());
 }
 }
diff --git a/ofborg/src/config.rs b/ofborg/src/config.rs
index 2a382b9..5671ee5 100644
--- a/ofborg/src/config.rs
+++ b/ofborg/src/config.rs
@@ -55,7 +55,8 @@ pub struct LogStorage {
 #[derive(Serialize, Deserialize, Debug)]
 pub struct RunnerConfig {
 pub identity: String,
- pub authorized_users: Option>,
+ pub trusted_users: Option>,
+ pub known_users: Option>,
 }
 #[derive(Serialize, Deserialize, Debug)]
@@ -69,9 +70,14 @@ impl Config {
 }
 pub fn acl(&self) -> acl::ACL {
- return acl::ACL::new(self.runner.authorized_users.clone().expect(
- "fetching config's runner.authorized_users",
- ));
+ return acl::ACL::new(
+ self.runner.trusted_users.clone().expect(
+ "fetching config's runner.trusted_users",
+ ),
+ self.runner.known_users.clone().expect(
+ "fetching config's runner.known_users",
+ ),
+ );
 }
 pub fn github(&self) -> Github {
diff --git a/ofborg/src/tasks/githubcommentfilter.rs b/ofborg/src/tasks/githubcommentfilter.rs
index dd48bbc..81503e1 100644
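Review bot: `can_build_restricted` and `can_build_unrestricted` in `impl ACL` carry no doc comments, although the split between `known_users` and `trusted_users` is the authorization boundary this change introduces. I would add `/// True when the user is on the trusted list and may dispatch builds to every builder.` above `can_build_unrestricted` and `/// True when the user is on the known list; such builds must be routed only to the restricted builder queues.` above `can_build_restricted` (wording inferred from the caller in githubcommentfilter.rs, so confirm it). Both methods lower-case the login before `contains`, but `ACL::new` stores the lists as given, so a mixed-case entry in the config never matches; that fails closed, yet `trusted_users: trusted_users.iter().map(|u| u.to_lowercase()).collect(),` in `new` (and the same for `known_users`) would make such an entry work. The repeated `nixos/nixpkgs` check could also move into one private helper so the two tiers cannot drift apart.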
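Review bot: `Config::acl` now panics through `expect` when either `runner.trusted_users` or `runner.known_users` is absent, and the earlier hunk in this file leaves both fields as `Option`, so a config that still carries only the old `authorized_users` key is, as far as these lines show, accepted at load time and fails only here with a message that does not mention the rename. Failing closed is the right direction for an ACL, but the message should tell the operator what to fix, e.g. `"config is missing runner.trusted_users (authorized_users was split into trusted_users and known_users)"`. If an absent `known_users` is meant to be legal, `self.runner.known_users.clone().unwrap_or_default()` yields an empty restricted tier without a panic. `acl` is complete within this hunk, while `impl Config` continues outside it.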
--- a/ofborg/src/tasks/githubcommentfilter.rs
+++ b/ofborg/src/tasks/githubcommentfilter.rs
@@ -53,11 +53,25 @@ impl worker::SimpleWorker for GitHubCommentWorker {
 return vec![worker::Action::Ack];
 }
- if !self.acl.can_build(
+ let build_destinations: Vec<(Option,Option)>;
+
+ if self.acl.can_build_unrestricted(
+ &job.comment.user.login,
+ &job.repository.full_name,
+ ) {
+ build_destinations = vec![
+ (Some("build-jobs".to_owned()), None)
+ ];
+ } else if self.acl.can_build_restricted(
 &job.comment.user.login,
 &job.repository.full_name,
 ) {
+ build_destinations = vec![
+ (None, Some("build-inputs-x86_64-linux".to_owned())),
+ (None, Some("build-inputs-aarch64-linux".to_owned())),
+ ];
+ } else {
 println!(
 "ACL prohibits {} from building {:?} for {}",
 job.comment.user.login,
@@ -125,11 +139,13 @@ impl worker::SimpleWorker for GitHubCommentWorker {
 statusreport: Some((Some("build-results".to_owned()), None)),
 };
- response.push(worker::publish_serde_action(
- Some("build-jobs".to_owned()),
- None,
- &msg,
- ));
+ for (exch, rk) in build_destinations.clone() {
+ response.push(worker::publish_serde_action(
+ exch,
+ rk,
+ &msg,
+ ));
+ }
 }
 commentparser::Instruction::Eval => {
 let msg = massrebuildjob::MassRebuildJob {
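Review bot: The tier decision at the top of this hunk is the access-control gate for builds, yet the destinations are bare string literals with no comment saying why a known user is limited to `build-inputs-x86_64-linux` and `build-inputs-aarch64-linux` while a trusted user goes to the `build-jobs` exchange. A short comment above the `else if` would help, for example `// Known users may only reach the Linux builder queues; add a queue here only if it is safe for code from non-trusted users.` (the reason is my inference, so word it as the project intends). The deferred `let build_destinations` followed by an assignment in each branch would read more plainly as a single `let build_destinations = if ... { ... } else if ... { ... } else { ... };` expression with the early return kept in the last branch. The enclosing function starts before this hunk and the final `else` branch continues past its last line.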
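Review bot: `build_destinations.clone()` in the new `for` loop copies the whole vector each time this arm runs only to consume the copy; `for (exch, rk) in build_destinations.iter().cloned() {` clones the pairs without allocating a second `Vec`. For a known user the loop publishes the same `msg` once per routing key with no exchange named, so what happens to a message whose queue does not exist depends on `publish_serde_action` and the broker setup, neither of which is visible here; that is worth confirming. The match arm and any surrounding loop begin outside this hunk.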