Commit 5774f889 authored by Vivek Das Mohapatra

Merge branch 'collabora/master' into 'wip/ritesh/clean-up-obs-packaging'

# Conflicts:
#   debian/changelog
parents eb77f69e 2d3e28c3
......@@ -4,6 +4,7 @@ open-build-service (2.7.4-3co2) stretch; urgency=medium
* Add patch to publish Debian upstream tarball signature to the
repositories
* Add patch to publish Ubuntu ddeb files to the repositories
* Backport upstream udeb support
[ Vivek Das Mohapatra ]
* Add allowbuilddep whitelist element in project config
......@@ -12,6 +13,17 @@ open-build-service (2.7.4-3co2) stretch; urgency=medium
-- Ritesh Raj Sarraf <ritesh.sarraf@collabora.com> Tue, 17 Mar 2020 19:29:33 +0530
[ Héctor Orón Martínez ]
* debian/README.source: add new file
* worker: override DefaultTasksMax
* debian/patches/CVE-2017-5188.patch: update
[ Andrew Lee (李健秋) ]
* Make passenger rubyapp runs as obsapi user.
* Update correct group permission for rb_sysopen
-- Héctor Orón Martínez <hector.oron@collabora.co.uk> Wed, 27 Mar 2019 18:05:54 +0100
open-build-service (2.7.4-3co1) stretch; urgency=medium
[ Andrew Lee (李健秋) ]
......
#!/bin/sh
eval "$(dpkg-architecture --print-set)"
case "$DEB_HOST_ARCH" in
(i?86)
echo "i586"
;;
(armel)
echo "armv5el"
;;
(armhf)
echo "armv7hl"
;;
# add any more special cases here
(*)
echo "$DEB_HOST_GNU_CPU"
;;
esac
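Review bot: `eval "$(dpkg-architecture --print-set)"` executes whatever dpkg-architecture prints, and the script sets no `-e`/`-u`, so if that command fails `$DEB_HOST_ARCH` is simply empty, the `(*)` branch echoes an empty string, and the smoke test writes that into the project meta's `arch` elements without noticing. Query the two variables directly instead: `set -eu`, `DEB_HOST_ARCH=$(dpkg-architecture -qDEB_HOST_ARCH)` and `DEB_HOST_GNU_CPU=$(dpkg-architecture -qDEB_HOST_GNU_CPU)`. The fallback also passes the GNU CPU name through unchanged, which as far as I recall differs from OBS naming for at least ppc64el (`powerpc64le` versus `ppc64le`); that deserves a case under the special-cases comment before such an architecture is built.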
Repotype: debian
# create initial user
Preinstall: base-passwd
Preinstall: user-setup
# required for preinstall images
Preinstall: perl
# preinstall essentials + dependencies
Preinstall: base-files base-passwd bash bsdutils coreutils dash debconf
Preinstall: debianutils diffutils dpkg e2fslibs e2fsprogs findutils gawk
Preinstall: gcc-6-base grep gzip hostname initscripts init-system-helpers
Preinstall: insserv libacl1 libattr1 libblkid1 libbz2-1.0 libc-bin libc6
Preinstall: libcomerr2 libdb5.3 libgcc1 liblzma5 libmount1 libncurses5
Preinstall: libpam-modules libpcre3 libsmartcols1
Preinstall: libpam-modules-bin libpam-runtime libpam0g libreadline7
Preinstall: libselinux1 libsemanage-common libsemanage1 libsepol1 libsigsegv2
Preinstall: libslang2 libss2 libtinfo5 libustr-1.0-1 libuuid1 login lsb-base
Preinstall: mount multiarch-support ncurses-base ncurses-bin passwd perl-base
Preinstall: readline-common sed sensible-utils sysv-rc sysvinit-utils
Preinstall: tar tzdata util-linux zlib1g
Runscripts: base-passwd user-setup base-files gawk
VMinstall: libdevmapper1.02.1
Order: user-setup:base-files
# Essential packages (this should also pull the dependencies)
Support: base-files base-passwd bash bsdutils coreutils dash debianutils
Support: diffutils dpkg e2fsprogs findutils grep gzip hostname libc-bin
Support: login mount ncurses-base ncurses-bin perl-base sed
Support: sysvinit-utils tar util-linux
# Build-essentials
Required: build-essential
Prefer: build-essential:make
# build script needs fakeroot
Support: fakeroot
# lintian support would be nice, but breaks too much atm
#Support: lintian
# helper tools in the chroot
Support: less kmod net-tools procps psmisc strace vim
%define debian_version 900
Macros:
%debian_version 900
backend-publish-udebs-in-repo.patch
publish-ddeb-files.patch
collabora/publish-asc-files.patch
publish-asc-files.patch
database.yml-settings.patch
gemfile-tweaks.patch
drop-test-and-development-depends.patch
......
Test-Command: /bin/true
Depends: obs-api, obs-server, obs-worker, obs-productconverter, obs-utils
Restrictions: superficial
Tests: install-purge-install
Depends: obs-api, obs-server, obs-worker, obs-productconverter, obs-utils
Restrictions: needs-root, isolation-machine, breaks-testbed
Tests: install-break-purge
Depends: obs-api, obs-server, obs-worker, obs-productconverter, obs-utils
Restrictions: needs-root, isolation-machine, breaks-testbed
Tests: setup-api-and-check
Depends: obs-api, obs-server, default-mysql-server, ssl-cert, curl, apache2
Restrictions: needs-root, isolation-machine, breaks-testbed
Tests: smoke-test
Depends: obs-api, obs-server, obs-worker, obs-utils, osc, default-mysql-server, ssl-cert, apache2, dpkg-dev
Restrictions: needs-root, isolation-machine, breaks-testbed
#!/bin/sh
packages=${1:-obs-api obs-server obs-worker obs-productconverter obs-utils}
exec 2>&1
set -exu
export DEBIAN_FRONTEND=noninteractive
# if install failed for some reason or the user broke the configuration
# we should still be able to cleanup things
rm -rf /etc/obs
apt-get purge -qy $packages
#!/bin/sh
packages=${1:-obs-api obs-server obs-worker obs-productconverter obs-utils}
exec 2>&1
set -exu
export DEBIAN_FRONTEND=noninteractive
apt-get purge -qy $packages
apt-get install -qy $packages
dummy (1.0) unstable; urgency=medium
* Initial Release.
-- Lucas Kanashiro <lucas.kanashiro@collabora.com> Mon, 01 Apr 2019 12:01:50 -0300
Source: dummy
Priority: optional
Maintainer: Lucas Kanashiro <lucas.kanashiro@collabora.com>
Build-Depends: debhelper (>= 9)
Standards-Version: 4.1.3
Package: dummy
Architecture: all
Depends: ${misc:Depends}
Description: dummy native package
This package is used to test open-build-service source package
#!/bin/sh
exec 2>&1
set -exu
# TODO: https://bugs.debian.org/926198
# set up obs-api app
/usr/share/obs/api/script/rake-tasks.sh setup
# create certificate
make-ssl-cert generate-default-snakeoil --force-overwrite
# update apache2 config
sed -ri 's/(\s*)ServerName api/\1Servername localhost/' /etc/apache2/sites-available/obs.conf
service apache2 restart
# try to access the home page
curl --insecure -s https://localhost | grep "Welcome - Open Build Service"
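Review bot: The sed on the apache config rewrites `ServerName api` as `Servername localhost`, changing the directive's case for no reason; Apache treats directives case-insensitively so it still works, but the replacement should read `\1ServerName localhost` so later greps for the directive keep matching. `curl --insecure -s` also swallows connection and TLS errors, so a failed apache restart surfaces only as a grep mismatch; `curl --insecure -sS` keeps the output quiet but reports the error, and `--insecure` is defensible here only because the snakeoil certificate is presumably not issued for `localhost`. This setup block is duplicated verbatim in smoke-test and would be better sourced from one helper.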
#!/bin/sh
exec 2>&1
set -exu
# TODO: https://bugs.debian.org/926198
# set up obs-api app
/usr/share/obs/api/script/rake-tasks.sh setup
# create certificate
make-ssl-cert generate-default-snakeoil --force-overwrite
# update apache2 config
sed -ri 's/(\s*)ServerName api/\1Servername localhost/' /etc/apache2/sites-available/obs.conf
service apache2 restart
# TODO: https://bugs.debian.org/926200
# configure obs-server
sed -i "s/frontend = undef/frontend = 'localhost'/g" /etc/obs/BSConfig.pm
# configure obs-worker
sed -i 's/obs:5352/localhost:5352/g' /etc/default/obsworker
sed -i 's/obs:5252/localhost:5252/g' /etc/default/obsworker
sed -i 's/INSTANCES="0"/INSTANCES="1"/g' /etc/default/obsworker
# start worker
service obsworker start
# Debian and OBS use different nomenclature for architectures
obs_arch="$(debian/deb-arch-to-obs-arch)"
mkdir "$AUTOPKGTEST_TMP"/data
cat << EOF > "$AUTOPKGTEST_TMP"/data/test_meta_prj_Debian_9
<project name="Debian:9">
<title>Debian 9 DoD</title>
<description>Debian 9 DoD</description>
<person userid="Admin" role="maintainer"/>
<repository name="main">
<download arch="$obs_arch" url="http://deb.debian.org/debian/stretch/main" repotype="deb"/>
<arch>$obs_arch</arch>
</repository>
</project>
EOF
cat << EOF > "$AUTOPKGTEST_TMP"/data/test_meta_prj_test
<project name="test">
<title>test</title>
<description>test</description>
<person userid="Admin" role="maintainer"/>
<repository name="Debian_9.0">
<path project="Debian:9" repository="main"/>
<arch>$obs_arch</arch>
</repository>
</project>
EOF
cat << EOF > /root/.oscrc
[general]
apiurl = https://localhost
[https://localhost]
user = Admin
pass = opensuse
# do not check self signed certificate
sslcertck = 0
EOF
# create a test project and Debian DoD
osc -A https://localhost/ ls
osc -A https://localhost/ meta prj Debian:9 -c -F "$AUTOPKGTEST_TMP"/data/test_meta_prj_Debian_9
osc -A https://localhost/ meta prjconf Debian:9 -c -F debian/examples/debian-stretch.prjconf
osc -A https://localhost/ meta prj test -c -F "$AUTOPKGTEST_TMP"/data/test_meta_prj_test
# upload the dummy native package
cp -r debian/tests/obs-test-trivial-package "$AUTOPKGTEST_TMP"
cd "$AUTOPKGTEST_TMP"
osc -A https://localhost/ co test
mkdir -p test/dummy/dummy-1.0; cp -r obs-test-trivial-package/debian test/dummy/dummy-1.0; cd test;
cd dummy; dpkg-source -b dummy-1.0; cd "$AUTOPKGTEST_TMP"/test;
rm -rf dummy/dummy-1.0
osc add dummy
osc ci -m "New import" dummy
cd dummy
found=0
for i in $(seq 1 35); do
echo "Round $i: checking binary..."
output=$(osc -A https://localhost/ ls -b .)
case $output in
*"dummy_1.0_all.deb"*) found=1 && break ;;
*) sleep 10
esac
done
[ "$found" -eq 1 ] || exit 1
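Review bot: The heredoc that writes `/root/.oscrc` stores the Admin password under the script's default umask, so the file is normally created world-readable; add `umask 077` before the `cat << EOF > /root/.oscrc` line (or `chmod 600 /root/.oscrc` after it) so the credentials file has the permissions osc expects. The test also relies on the stock `Admin`/`opensuse` credentials and disables certificate checking, which is acceptable only because the test is declared breaks-testbed and isolation-machine; a comment to that effect next to `sslcertck = 0` would stop the snippet being copied into a real deployment. Finally, the 35×10 s polling loop ends in `exit 1` without printing what `osc ls -b` last returned; an `echo "$output"` before the exit makes timeouts diagnosable.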
......@@ -149,6 +149,14 @@
</element>
</define>
<define ns="" name="allowbuilddep-element">
<element name="allowbuilddep">
<attribute name="name">
<data type="string" />
</attribute>
</element>
</define>
<define ns="" name="group-element">
<element name="group">
<attribute name="groupid">
......
......@@ -95,6 +95,10 @@
</element>
</optional>
<zeroOrMore>
<ref name="allowbuilddep-element"/>
</zeroOrMore>
<zeroOrMore>
<ref name="person-element"/>
</zeroOrMore>
......
......@@ -432,6 +432,13 @@ class SourceController < ApplicationController
else
# access check
prj = Project.get_by_name params[:project]
# since users may now see different versions of the
# project XML depending on their access permissions
# to linked projects, and the cache is global, we must
# invalidate the cache before reconstructing the xml.
if prj.id
Rails.cache.delete("xml_project_#{prj.id}")
end
render xml: prj.to_axml
end
end
......
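Review bot: Deleting `xml_project_#{prj.id}` before rendering does not make the per-user view safe: the key is still the project id alone, so between this delete and the fill done by `to_axml` (assuming to_axml reads through that key) a concurrent request from a user with wider access can repopulate the entry, and this request then serves that user's rendering, including linked project names the caller should not see. Key the cache by what the rendering actually depends on (the caller's user id or forbidden-project set) or bypass the cache on this path, rather than racing a global delete. Also, elsewhere in this commit (project.rb) the result of `Project.get_by_name` is compared against `Project` before use, which suggests it can return something else; `prj.id` here would then raise, so guard with `prj.is_a?(Project) && prj.id`. The enclosing action continues outside the hunk.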
class Allowbuilddep < ActiveRecord::Base
belongs_to :project, foreign_key: :db_project_id, inverse_of: :allowbuilddeps
end
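Review bot: The model carries no validation, so `Project#update_allowbuilddep_from_xml` (elsewhere in this commit) will store whatever the `name` attribute holds — including whitespace or the name of a project that does not exist — in a row the scheduler later compares byte-for-byte against a project id. Add `validates :name, presence: true` and, if the API side has the project-name format rule available, apply that too; `validates :name, uniqueness: { scope: :db_project_id }` would additionally reject duplicate grants within one meta document.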
......@@ -51,6 +51,8 @@ class Project < ActiveRecord::Base
end
has_many :attribs, :dependent => :destroy
has_many :allowbuilddeps, :dependent => :destroy, foreign_key: :db_project_id
has_many :repositories, :dependent => :destroy, foreign_key: :db_project_id
has_many :repository_architectures, -> { order("position") }, through: :repositories
has_many :architectures, -> { order("position").distinct }, :through => :repository_architectures
......@@ -575,6 +577,7 @@ class Project < ActiveRecord::Base
#--- update repositories ---#
update_repositories(xmlhash, force)
#--- end update repositories ---#
update_allowbuilddep_from_xml(xmlhash)
end
def update_from_xml(xmlhash, force = nil)
......@@ -584,6 +587,13 @@ class Project < ActiveRecord::Base
{ error: e.message }
end
def update_allowbuilddep_from_xml(xmlhash)
self.allowbuilddeps.destroy_all
xmlhash.elements('allowbuilddep') do |abd|
self.allowbuilddeps.create(name: abd['name'])
end
end
def update_repositories(xmlhash, force)
fill_repo_cache
......@@ -1719,7 +1729,8 @@ class Project < ActiveRecord::Base
target_project = Project.get_by_name(target_project_name)
# user can access tprj, but backend would refuse to take binaries from there
if target_project.class == Project && target_project.disabled_for?('access', nil, nil)
return { error: "The current backend implementation is not using binaries from read access protected projects #{target_project_name}"}
# RBEI modification to ACL logic: upstream returns an { error: "… read access protected …" } here.
logger.info "Project #{project_name} depends on restricted project #{target_project_name}"
end
end
logger.debug "Project #{project_name} repository path checked against #{target_project_name} projects permission"
......
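Review bot: In the path-check hunk the API now accepts a repository path to any access-protected target as long as the caller can see it, even when that target's `<allowbuilddep>` list does not name this project; the backend (Access.pm in this commit) will then refuse the binaries and the project simply never resolves, with only a logger.info line to explain why. Since `allowbuilddeps` is now an association, keep the error for the unauthorised case: `unless target_project.allowbuilddeps.exists?(name: project_name)` wrapped around the original `return { error: ... }`, assuming `project_name` here is the project whose meta is being written (the enclosing method starts outside the hunk). The `RBEI modification` comment should also state that the authoritative check lives in the backend's checkprpaccess, so nobody later treats this method as the only guard. In `update_allowbuilddep_from_xml`, `create` should be `create!` so a rejected row aborts the meta update instead of being dropped silently.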
......@@ -20,6 +20,11 @@ xml.project(project_attributes) do
my_model.render_relationships(xml)
adbs = my_model.allowbuilddeps.sort { |a, b| b.name <=> a.name }
adbs.each do |adb|
xml.allowbuilddep(name: adb.name)
end
repos = my_model.repositories.not_remote.sort { |a, b| b.name <=> a.name }
FlagHelper.flag_types.each do |flag_name|
flaglist = my_model.type_flags(flag_name)
......@@ -62,10 +67,13 @@ xml.project(project_attributes) do
repo.path_elements.includes(:link).each do |pe|
if pe.link.remote_project_name
project_name = pe.link.project.name+":"+pe.link.remote_project_name
else
xml_repository.path(:project => project_name, :repository => pe.link.name)
elsif pe.link.project
project_name = pe.link.project.name
xml_repository.path(:project => project_name, :repository => pe.link.name)
else
xml_repository.path(:project => "HIDDEN", :repository => pe.link.name)
end
xml_repository.path(:project => project_name, :repository => pe.link.name)
end
repo.repository_architectures.joins(:architecture).pluck("architectures.name").each do |arch|
xml_repository.arch arch
......
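Review bot: The `HIDDEN` placeholder in the last branch is indistinguishable from a genuine project of that name, and this same rendering is what `osc meta prj -e` feeds back into `update_from_xml`, so a maintainer who cannot see the linked project — exactly the case allowbuilddep is introduced for — will silently turn the real path into a dangling `<path project="HIDDEN" …/>` on the next save. The write side should reject a path whose project is `HIDDEN` (or preserve the stored element), and the sentinel deserves a comment here: `# placeholder for a path to a project the current user may not see; must never be persisted`. The hidden project's repository name is still disclosed through `pe.link.name`; if that is not intended, mask it as well. The surrounding repository loop starts outside the hunk.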
class CreateAllowbuilddeps < ActiveRecord::Migration
def self.up
create_table :allowbuilddeps do |t|
t.integer :db_project_id, :null => false
t.string :name, :null => false
t.index [ :db_project_id, :name ]
end
end
def self.down
drop_table :allowbuilddeps
end
end
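Review bot: The `(db_project_id, name)` index is non-unique, so two identical `<allowbuilddep>` entries in one meta document are stored twice; the grant is a set, so declare it `t.index [ :db_project_id, :name ], unique: true` and let the database enforce that. There is also no foreign key to projects; `dependent: :destroy` on the association covers deletions made through Rails, but rows orphaned by any other path would stay behind.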
CREATE TABLE `allowbuilddeps` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`db_project_id` int(11) NOT NULL,
`name` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
KEY `index_allowbuilddeps_on_db_project_id_and_name` (`db_project_id`,`name`(191))
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
CREATE TABLE `architectures` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`name` varchar(255) CHARACTER SET utf8 NOT NULL,
......@@ -1682,6 +1690,8 @@ INSERT INTO schema_migrations (version) VALUES ('20160518105300');
INSERT INTO schema_migrations (version) VALUES ('20160824132643');
INSERT INTO schema_migrations (version) VALUES ('20191011000000');
INSERT INTO schema_migrations (version) VALUES ('21');
INSERT INTO schema_migrations (version) VALUES ('22');
......
......@@ -42,6 +42,19 @@ sub checkaccess {
return $access;
}
sub checkbuilddepok {
my ($gctx, $projid, $aprojid) = @_;
my $adata = $gctx->{projpacks}->{$aprojid} || {};
my $allow = $adata->{allowbuilddep} || [];
foreach my $a ( grep { ref($_) eq 'HASH' } @$allow ) {
if( $a->{name} eq $projid ) { return 1; }
}
return 0;
}
# check if every user from oprojid may access projid
sub checkroles {
my ($gctx, $type, $projid, $packid, $oprojid, $opackid) = @_;
......@@ -101,6 +114,13 @@ sub checkprpaccess {
# ok if aprp is not protected
return 1 if checkaccess($gctx, 'access', $aprojid, undef, $arepoid);
my ($projid, $repoid) = split('/', $prp, 2);
#################################################################
# this is an RBEI modification
# ok if prp has access to aprp (via allowbuilddep in project meta):
return 1 if checkbuilddepok($gctx, $projid, $aprojid);
#################################################################
# not ok if prp is unprotected
return 0 if checkaccess($gctx, 'access', $projid, undef, $repoid);
# both prp and aprp are proteced.
......
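Review bot: The allowbuilddep grant in checkprpaccess is consulted before the `not ok if prp is unprotected` test, so a maintainer of the access-protected `$aprojid` can let an unprotected project build against it, and that consumer's results are then published with no access flag at all — presumably the intended policy, but the comment should say so, since the rest of checkprpaccess exists precisely to prevent that leak: `# ok if aprojid explicitly names projid in <allowbuilddep>; this deliberately lets an unprotected projid consume binaries from a protected aprojid`. The grant is also project-wide rather than per repository and is matched on the exact project name, which is worth stating in checkbuilddepok's header. In checkbuilddepok, `foreach my $a` declares a lexical `$a` that masks sort's package variable; `for my $grant (@$allow)` avoids that trap, and `$a->{name}` should be guarded with `defined` to avoid warnings on a malformed entry. checkprpaccess continues outside the hunk.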
......@@ -115,6 +115,10 @@ our @flags = (
[ 'access' => @disableenable ],
);
our @allowbuilddep = (
[[ 'allowbuilddep' => 'name' ]],
);
our @roles = (
[[ 'person' =>
'userid',
......@@ -151,6 +155,7 @@ our $proj = [
'project',
],
@roles,
@allowbuilddep,
$maintenance,
@flags,
[ $repo ],
......@@ -292,6 +297,7 @@ our $projpack = [
[],
'title',
'description',
@allowbuilddep,
'config',
'patternmd5',
[[ 'link' =>
......
......@@ -3266,7 +3266,7 @@ sub getprojpack {
}
next if $repoids && !grep {$repoids->{$_->{'name'}}} @{$proj->{'repository'} || []};
next if $packids && !grep {$packids->{$_}} @packages;
for (qw{title description build publish debuginfo useforbuild remoteurl remoteproject download link sourceaccess privacy access lock}) {
for (qw{title description build publish debuginfo useforbuild remoteurl remoteproject download link sourceaccess privacy access lock allowbuilddep}) {
$jinfo->{$_} = $proj->{$_} if exists $proj->{$_};
}
if ($proj->{'access'}) {
......