Accept build jobs from all commiters of nixpkgs, but only on linux hosts

authorized -> trusted, since authorized means nothing now
This commit is contained in:
Graham Christensen 2018-01-26 23:32:01 -05:00
parent 1326fdbe33
commit 8c1badeab6
No known key found for this signature in database
GPG key ID: ACA1C1D120C83D5C
3 changed files with 49 additions and 15 deletions


@ -1,18 +1,30 @@
pub struct ACL { pub struct ACL {
authorized_users: Vec<String>, trusted_users: Vec<String>,
known_users: Vec<String>,
} }
impl ACL { impl ACL {
pub fn new(authorized_users: Vec<String>) -> ACL { pub fn new(trusted_users: Vec<String>, known_users: Vec<String>) -> ACL {
return ACL { authorized_users: authorized_users }; return ACL {
trusted_users: trusted_users,
known_users: known_users,
};
} }
pub fn can_build(&self, user: &str, repo: &str) -> bool { pub fn can_build_restricted(&self, user: &str, repo: &str) -> bool {
if repo.to_lowercase() != "nixos/nixpkgs" { if repo.to_lowercase() != "nixos/nixpkgs" {
return false; return false;
} }
return self.authorized_users.contains(&user.to_lowercase()); return self.known_users.contains(&user.to_lowercase());
}
pub fn can_build_unrestricted(&self, user: &str, repo: &str) -> bool {
if repo.to_lowercase() != "nixos/nixpkgs" {
return false;
}
return self.trusted_users.contains(&user.to_lowercase());
} }
} }
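Review bot: Both lookups lower-case the caller's login but compare it against the configured entries as written (nothing in `new` or in `Config::acl` normalizes them), so a `trusted_users` or `known_users` entry containing a capital letter silently never matches and that user is denied with no hint why. Normalize once in the constructor instead: `trusted_users: trusted_users.into_iter().map(|u| u.to_lowercase()).collect(),` and the same for `known_users`, so the two `contains` calls compare like with like. The repository check is now duplicated verbatim in `can_build_restricted` and `can_build_unrestricted`; a private `fn is_nixpkgs(repo: &str) -> bool` would keep the two tiers from drifting if the allowed repository ever changes. The case-sensitivity issue predates this commit, but the rename is the natural moment to fix it.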


@ -55,7 +55,8 @@ pub struct LogStorage {
#[derive(Serialize, Deserialize, Debug)] #[derive(Serialize, Deserialize, Debug)]
pub struct RunnerConfig { pub struct RunnerConfig {
pub identity: String, pub identity: String,
pub authorized_users: Option<Vec<String>>, pub trusted_users: Option<Vec<String>>,
pub known_users: Option<Vec<String>>,
} }
#[derive(Serialize, Deserialize, Debug)] #[derive(Serialize, Deserialize, Debug)]
@ -69,9 +70,14 @@ impl Config {
} }
pub fn acl(&self) -> acl::ACL { pub fn acl(&self) -> acl::ACL {
return acl::ACL::new(self.runner.authorized_users.clone().expect( return acl::ACL::new(
"fetching config's runner.authorized_users", self.runner.trusted_users.clone().expect(
)); "fetching config's runner.trusted_users",
),
self.runner.known_users.clone().expect(
"fetching config's runner.known_users",
),
);
} }
pub fn github(&self) -> Github { pub fn github(&self) -> Github {
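Review bot: The renamed fields leave no migration path for a stale config: serde ignores unknown keys by default, so a deployment still carrying `authorized_users` deserializes with `trusted_users: None` and `known_users: None` and then panics in `acl()` on the first comment rather than when the config is read. Consider `#[serde(deny_unknown_fields)]` on `RunnerConfig` so the old key is rejected at load time (assuming no other section of the file relies on extra keys being tolerated), and `#[serde(default)] pub known_users: Vec<String>` (likewise for `trusted_users`) so an omitted list fails closed as empty instead of panicking; `acl()` would then drop both `expect` calls and pass the vectors straight through. The rest of `RunnerConfig` and `Config` lies outside this hunk.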


@ -53,11 +53,25 @@ impl worker::SimpleWorker for GitHubCommentWorker {
return vec![worker::Action::Ack]; return vec![worker::Action::Ack];
} }
if !self.acl.can_build( let build_destinations: Vec<(Option<String>,Option<String>)>;
if self.acl.can_build_unrestricted(
&job.comment.user.login,
&job.repository.full_name,
) {
build_destinations = vec![
(Some("build-jobs".to_owned()), None)
];
} else if self.acl.can_build_restricted(
&job.comment.user.login, &job.comment.user.login,
&job.repository.full_name, &job.repository.full_name,
) )
{ {
build_destinations = vec![
(None, Some("build-inputs-x86_64-linux".to_owned())),
(None, Some("build-inputs-aarch64-linux".to_owned())),
];
} else {
println!( println!(
"ACL prohibits {} from building {:?} for {}", "ACL prohibits {} from building {:?} for {}",
job.comment.user.login, job.comment.user.login,
@ -125,11 +139,13 @@ impl worker::SimpleWorker for GitHubCommentWorker {
statusreport: Some((Some("build-results".to_owned()), None)), statusreport: Some((Some("build-results".to_owned()), None)),
}; };
response.push(worker::publish_serde_action( for (exch, rk) in build_destinations.clone() {
Some("build-jobs".to_owned()), response.push(worker::publish_serde_action(
None, exch,
&msg, rk,
)); &msg,
));
}
} }
commentparser::Instruction::Eval => { commentparser::Instruction::Eval => {
let msg = massrebuildjob::MassRebuildJob { let msg = massrebuildjob::MassRebuildJob {
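Review bot: Only the denial path is logged (the `println!` at the end of the first hunk); a grant leaves no record of whether `build_destinations` came from `can_build_unrestricted` or `can_build_restricted`, and since the same `msg` is published on both tiers the routing key is the only trace of that decision. For an audit trail, print the tier in each branch, e.g. `println!("ACL: {} is trusted, routing to build-jobs", job.comment.user.login);` in the first branch and the equivalent "known, routing to linux build-inputs" line in the second. The `build_destinations.clone()` in the second hunk copies the vector on every publish; iterating `&build_destinations` and cloning `exch`/`rk` inside the loop, or consuming the vector if it is not used afterwards, avoids that, though the code after the loop is outside the hunk so I cannot confirm. The enclosing method starts and ends outside these hunks.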