1. 04 Dec, 2019 1 commit
  2. 14 Nov, 2019 1 commit
    • Invalidate the rails cache for project meta xml in show_project_meta · 4a9a792c
      Vivek Das Mohapatra authored
      The project model code path for this invalidates the cache before
      returning.
      
      Users now have different views of project meta config (references to
      inaccessible projects, which were not permitted at all before, are now
      elided to "HIDDEN" for users with insufficient access): This means
      that the code path which provides the meta config to osc must also
      invalidate the cache.
      
      It's not clear that this particular config should be cached at all.
      Possibly it should include the user context in the cache key instead
      but in any case this is the least invasive way to make sure osc
      returns the correct information for now.
      4a9a792c
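
The caching problem this commit message describes, as an added Ruby sketch (not code from the project or the commit author): a rendering that differs per viewer is stored under a key that ignores the viewer. `TinyCache`, the sample projects and users, and the three `meta_*` helpers are hypothetical.

```ruby
# Hypothetical names throughout; all data below is constructed for illustration.
require 'set'

# Constructed sample: project "apps" has <path> entries for two other projects.
PATHS = { 'apps' => ['base:public', 'vendor:secret'] }.freeze
# Constructed ACL: which projects each user may read.
READABLE = {
  'alice' => Set['apps', 'base:public', 'vendor:secret'],
  'bob'   => Set['apps', 'base:public']
}.freeze

# Render the meta XML for one viewer, eliding unreadable projects to HIDDEN.
def render_meta(project, user)
  paths = PATHS.fetch(project).map do |dep|
    name = READABLE.fetch(user).include?(dep) ? dep : 'HIDDEN'
    %(  <path project="#{name}"/>)
  end
  (["<project name=\"#{project}\">"] + paths + ['</project>']).join("\n")
end

# Minimal stand-in for a fetch-style cache.
class TinyCache
  def initialize; @store = {}; end

  def fetch(key)
    @store.fetch(key) { @store[key] = yield }
  end

  def delete(key)
    @store.delete(key)
  end
end

# Weak: the key ignores the viewer, so the first viewer's rendering is served to all.
def meta_shared_key(cache, project, user)
  cache.fetch("meta/#{project}") { render_meta(project, user) }
end

# Invalidate before reading, so every request re-renders for its own viewer.
def meta_invalidate_first(cache, project, user)
  cache.delete("meta/#{project}")
  cache.fetch("meta/#{project}") { render_meta(project, user) }
end

# Alternative the message mentions: include the user context in the cache key.
def meta_user_key(cache, project, user)
  cache.fetch("meta/#{project}/#{user}") { render_meta(project, user) }
end
```

With the shared key, whichever user asks first decides what everyone sees: either the restricted name reaches a user who should get HIDDEN, or a privileged user is handed the elided view.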
  3. 05 Nov, 2019 3 commits
    • Use the allowbuilddep in meta config to whitelist project access · 7bb95b09
      Vivek Das Mohapatra authored
      Allow projects mentioned as <allowbuilddep name="accessing-project"/>
      entries in the meta config of another project to fetch build
      dependencies from that project unconditionally.
      7bb95b09
    • Add a new none-or-some element <allowbuilddep> to project meta config · 309e5a9e
      Vivek Das Mohapatra authored
      These patches merely add the new element which has no effect as of
      this commit.
      
      The new element is added to:
      • the RNG xml declarations
      • BSXML.pm (which serves a similar purpose for the back end code)
      • bs_srcserver which supplies the parsed metadata to backend services
      • the database
        ◦ initial schema (structure.sql)
        ◦ migration file
      • the rails model(s)
        ◦ the project.rb model
        ◦ a new allowbuilddep.rb model for the element itself
        ◦ _project.xml.builder which generates XML from the database
      309e5a9e
    • Suppress a 500 error in the web-UI for project meta config · e220e271
      Vivek Das Mohapatra authored
      When a user tries to view a project's meta config, the rails
      application actually recreates the XML from the database contents
      using the project model.
      
      It does this with the user id set in its context and applies normal
      ACL rules.
      
      This means that any data relating to a project the user does not have
      at least read access to is missing from the model's internal data
      structures, so <path…> elements that refer to unreadable projects
      result in a method call on nil and a 500 error in the web UI.
      
      This patch ameliorates that by checking that the relevant object
      actually exists in the model before calling an accessor method on it,
      and substituting 'HIDDEN' for the project's name if it does not.
      
      This does mean that the user SHOULD NOT try and save said meta config
      but that restriction is not enforced here.
      e220e271
  4. 03 Apr, 2019 2 commits
  5. 02 Apr, 2019 1 commit
  6. 01 Apr, 2019 6 commits
  7. 27 Mar, 2019 3 commits
  8. 26 Mar, 2019 2 commits
    • Update correct group permission for rb_sysopen · b62403bf
      Andrew Lee (李健秋) authored
      The rb_sysopen runs as www-data, which needs access to production.log,
      backend_access.log and database.yml.
      
      Revert the group owner to www-data to avoid the following errors:
      
       Rails Error: Unable to access log file. Please ensure that
       /usr/share/obs/api/log/production.log exists and is writable (ie, make
       it writable for user and group: chmod 0664
       /usr/share/obs/api/log/production.log). The log level has been raised
       to WARN and the output directed to STDERR until the problem is fixed.
       rake aborted!
       Errno::EACCES: Cannot load `Rails.application.database_configuration`:
       Permission denied @ rb_sysopen - /usr/share/obs/api/config/database.yml
       /usr/share/obs/api/config/environment.rb:30:in `<top (required)>'
       Errno::EACCES: Permission denied @ rb_sysopen -
       /usr/share/obs/api/config/database.yml
       /usr/share/obs/api/config/environment.rb:30:in `<top (required)>'
       Tasks: TOP => environment
       (See full trace by running task with --trace)
       Errno::EACCES: Permission denied @ rb_sysopen -
       /usr/share/obs/api/log/backend_access.log
       /usr/share/obs/api/lib/opensuse/backend.rb:14:in `new'
       /usr/share/obs/api/lib/opensuse/backend.rb:14:in `<class:Backend>'
       /usr/share/obs/api/lib/opensuse/backend.rb:6:in `<module:Suse>'
       /usr/share/obs/api/lib/opensuse/backend.rb:5:in `<top (required)>'
       /usr/share/obs/api/app/models/project.rb:1:in `<top (required)>'
       /usr/share/obs/api/app/indices/project_index.rb:2:in `block in <top
       (required)>'
       Tasks: TOP => ts:index
       (See full trace by running task with --trace)
      Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org>
      b62403bf
    • Make passenger rubyapp run as obsapi user. · b40ef240
      Andrew Lee (李健秋) authored
      Passenger's default user is nobody:
       https://www.phusionpassenger.com/library/config/nginx/reference/#passenger_default_user
      
      So Passenger and the RubyApp run as nobody. However,
      according to Debian's SystemGroup usage:
        https://wiki.debian.org/SystemGroups
      
      nogroup (user: nobody): Daemons that need not own any files run as user
      nobody and group nogroup. Thus, no files on a system should be owned by
      this user or group.
      
      So we should create a new user called 'obsapi' and force the passenger app
      to run as obs-api instead.
      
      And config files should be readable by that obsapi user but usually not
      writable.
      Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org>
      Signed-off-by: Héctor Orón Martínez <hector.oron@collabora.com>
      b40ef240
  9. 25 Mar, 2019 3 commits
  10. 22 Mar, 2019 11 commits
  11. 21 Mar, 2019 1 commit
  12. 20 Mar, 2019 2 commits
  13. 19 Sep, 2018 4 commits