Skip to content

GitLab

Switch branch/tag
  1. 05 Feb, 2021 1 commit
  3. 25 Jan, 2021 2 commits
  5. 16 Apr, 2020 2 commits
  7. 17 Mar, 2020 9 commits
  9. 04 Dec, 2019 1 commit
  11. 14 Nov, 2019 1 commit
    • Vivek Das Mohapatra's avatar
      Invalidate the rails cache for project meta xml in show_project_meta · 4a9a792c
      Vivek Das Mohapatra authored 
      The project model code path for this invalidates the cache before
returning.

Users now have different views of project meta config (references to
inaccessible projects, which were not permitted at all before, are now
elided to "HIDDEN" for users with insufficient access): This means
that the code path which provides the meta config to osc must also
invalidate the cache.

It's not clear that this particular config should be cached at all.
Possibly it should include the user context in the cache key instead
but in any case this is the least invasive way to make sure osc
returns the correct information for now.
      4a9a792c
  13. 05 Nov, 2019 3 commits
    • Vivek Das Mohapatra's avatar
      Use the allowbuilddep in meta config to whitelist project access · 7bb95b09
      Vivek Das Mohapatra authored 
      Allow projects mentioned as <allowbuilddep name="accessing-project"/>
entries in the meta config of another project to fetch build
dependencies from that project unconditionally.
      7bb95b09
    • Vivek Das Mohapatra's avatar
      Add a new none-or-some element <allowbuilddep> to project meta config · 309e5a9e
      Vivek Das Mohapatra authored 
      These patches merely add the new element which has no effect as of
this commit.

The new element is added to:
• the RNG xml declarations
• BSXML.pm (which serves a similar purpose for the back end code)
• bs_srcserver which supplies the parsed metadata to backend services
• the database
  ◦ initial schema (structure.sql)
  ◦ migration file
• the rails model(s)
  ◦ the project,rb model
  ◦ a new allowbuilddep.rb model for the element iteslf
  ◦ _project.xml.builder which generates XML from the database
      309e5a9e
    • Vivek Das Mohapatra's avatar
      Suppress a 500 error in the web-UI for project meta config · e220e271
      Vivek Das Mohapatra authored 
      When a user tries to view a project's meta config, the rails
application actually recreates the XML from the database contents
using the project model.

It does this with the user id set in its context and applies normal
ACL rules.

This means that any data relating to a project the user does not have
at least read access to is missing from the model's internal data
structures, so <path…> elements that refer to unreadable projects
result in a method call on nil and a 500 error in the web UI.

This patch ameliorates that by checking that the relevant object
actually exists in the model before calling an accessor method on it,
and substituting 'HIDDEN' for the project's name if it does not.

This does mean that the user SHOULD NOT try and save said meta config
but that restriction is not enforced here.
      e220e271
  15. 03 Apr, 2019 2 commits
  17. 02 Apr, 2019 1 commit
  19. 01 Apr, 2019 6 commits
  21. 27 Mar, 2019 3 commits
  23. 26 Mar, 2019 2 commits
    • Andrew Lee (李健秋)'s avatar
      Update correct group permission for rb_sysopen · b62403bf
      Andrew Lee (李健秋) authored 
      The rb_sysopen runs as www-data that needs to access to production.log,
backend_access.log and database.yml.

Revert the group owner to www-data to avoid following errors:

 Rails Error: Unable to access log file. Please ensure that
 /usr/share/obs/api/log/production.log exists and is writable (ie, make
 it writable for user and group: chmod 0664
 /usr/share/obs/api/log/production.log). The log level has been raised
 to WARN and the output directed to STDERR until the problem is fixed.
 rake aborted!
 Errno::EACCES: Cannot load `Rails.application.database_configuration`:
 Permission denied @ rb_sysopen - /usr/share/obs/api/config/database.yml
 /usr/share/obs/api/config/environment.rb:30:in `<top (required)>'
 Errno::EACCES: Permission denied @ rb_sysopen -
 /usr/share/obs/api/config/database.yml
 /usr/share/obs/api/config/environment.rb:30:in `<top (required)>'
 Tasks: TOP => environment
 (See full trace by running task with --trace)
 Errno::EACCES: Permission denied @ rb_sysopen -
 /usr/share/obs/api/log/backend_access.log
 /usr/share/obs/api/lib/opensuse/backend.rb:14:in `new'
 /usr/share/obs/api/lib/opensuse/backend.rb:14:in `<class:Backend>'
 /usr/share/obs/api/lib/opensuse/backend.rb:6:in `<module:Suse>'
 /usr/share/obs/api/lib/opensuse/backend.rb:5:in `<top (required)>'
 /usr/share/obs/api/app/models/project.rb:1:in `<top (required)>'
 /usr/share/obs/api/app/indices/project_index.rb:2:in `block in <top
 (required)>'
 Tasks: TOP => ts:index
 (See full trace by running task with --trace)
Signed-off-by: default avatarAndrew Lee (李健秋) <ajqlee@debian.org>
      b62403bf
    • Andrew Lee (李健秋)'s avatar
      Make passenger rubyapp runs as obsapi user. · b40ef240
      Andrew Lee (李健秋) authored 
      Passenger's default user is nobody:
 https://www.phusionpassenger.com/library/config/nginx/reference/#passenger_default_user

So that we got Passenger and the RubyApp runs as nobody. However,
according to Debian's SystemGroup usage:
  https://wiki.debian.org/SystemGroups

nogroup (user: nobody): Daemons that need not own any files run as user
nobody and group nogroup. Thus, no files on a system should be owned by
this user or group.

So that we should create a new user call 'obapi' and force passenger app
to run as obs-api instead.

And config files should be readable by that obsapi user but usually not
writable.
Signed-off-by: default avatarAndrew Lee (李健秋) <ajqlee@debian.org>
Signed-off-by: Héctor Orón Martínez's avatarHéctor Orón Martínez <hector.oron@collabora.com>
      b40ef240
  25. 25 Mar, 2019 3 commits
  27. 22 Mar, 2019 4 commits