Commits · f3b232dd4c9471dbc5f7f76fb97d4f831012d9ae · obs / open-build-service

12 May, 2022 2 commits

Copy secrets with correct ownership instead of symlinking them · f3b232dd

Andrej Shadura authored May 12, 2022 and

Sjoerd Simons committed May 12, 2022



Secrets are owned by root and are not world-readable by default, so
the frontend cannot access them when it’s not running as root.
Not all versions of docker-compose support setting access rights for
secrets, so instead of wrangling with them, just copy secrets and
re-own them.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

f3b232dd

Move the backend dependency to the right place in docker-compose.yml · 2cad17ab
Andrej Shadura authored May 12, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
2cad17ab

04 May, 2022 1 commit

Allow new SSO logins in "deny" mode · fca80a4d

Andrej Shadura authored May 04, 2022 and

Sjoerd Simons committed May 04, 2022



The can_register check is actually only suitable for preventing new
unverified registrations; in SSO mode, we normally trust the SSO
provider have performed the checks and only gives us users we’re
supposed to let in.

Ideally, this should be a separate set of settings to allow e.g.
optionally requiring confirmation on SSO logins or to configure
different levels of trust per SSO provider.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

fca80a4d

03 May, 2022 1 commit
- Disable InfluxDB by default but allow configuring it through envvars · c743b6a3
  Andrej Shadura authored May 03, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
  c743b6a3
02 May, 2022 20 commits

Only store the 'info' part of the auth hash in the session · 04d85c79

Andrej Shadura authored Jan 31, 2022

The auth hash can be quite large, and with session storage in cookies,
the cookie can easily reach the 4 KB limit. Work around this issue
by only storing the part of the hash we currently use.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

04d85c79

Add omniauth-github · 1683e170
Andrej Shadura authored Jan 31, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
1683e170
Add dependency on omniauth_openid_connect 0.4.0+ · 80aace25
Andrej Shadura authored Jan 28, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
80aace25

Mark passwords for SSO-only users as invalid to allow changing them later · 0c8d82ff

Andrej Shadura authored Jun 15, 2021

Add a new "hash type" for invalid passwords, which is never equal to
normal passwords, but nevertheless can be changed without being known by
the user.

This "invalid" password can only be set by directly setting the password
hash type. When updating the password using update_password method, it will
always be upgrade it to the strongest hash type, sha256crypt.

To allow changing this "invalid" password to a normal one, stop
requiring a non-empty current password in the password change dialog
when changing a password from an "invalid" one. Don’t show the current
password box either, as it is not used anyway in this case, making
it better not to show it to avoid confusion.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

0c8d82ff

Verify the referrer URL when redirecting back · 8ebe1e5a

Andrej Shadura authored Jan 27, 2022



The redirect should only happen to the referrer URL pointing at our
domain, never to the external ones.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

8ebe1e5a

Try harder to derive the username from email addresses · 960c56af

Andrej Shadura authored Jun 08, 2021



Some providers set username or nickname to an email address.
For this reason, first collect the best possible user name we can find,
and only then fix it to match our requirements.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

960c56af

Implement first login flow · b964a418
Andrej Shadura authored May 27, 2021
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
b964a418

Reenable SSO · 90626a81

Andrej Shadura authored Jan 26, 2022



Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

90626a81

Add SSO callback to allow existing users log in with an external source · 83cfd486
Andrej Shadura authored May 18, 2021
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
83cfd486
user model: add find_with_omniauth/create_with_omniauth · aa61b341
Andrej Shadura authored May 27, 2021
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
aa61b341
Rename create_ldap_user to create_external_user · 73138246
Andrej Shadura authored May 27, 2021
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
73138246
Add an SSO login page so that users can choose between providers · 1c894350
Andrej Shadura authored May 17, 2021
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
1c894350
Parse SSO authentication config on startup · f9f7e2a7
Andrej Shadura authored May 27, 2021
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
f9f7e2a7
Add omniauth-rails_csrf_protection · 8efa7b76
Andrej Shadura authored Jan 26, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
8efa7b76
Add dependency on omniauth-gitlab · a9e2a658
Andrej Shadura authored Jan 26, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
a9e2a658
Add omniauth dependency · d4258b84
Andrej Shadura authored Jan 20, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
d4258b84
Add more settings, including SSO and msmtp · b9e88678
Andrej Shadura authored Apr 27, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
b9e88678
Add a loglevel setting for the frontend · c2365630
Andrej Shadura authored Apr 27, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
c2365630
Add labels to the backend configmap · cfabe712
Andrej Shadura authored Apr 27, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
cfabe712
Install patched reprepro with "conflictingarchall" ignore option added · c68794b4
Andrej Shadura authored May 02, 2022
```
See https://bugs.debian.org/697630



Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
c68794b4

28 Apr, 2022 1 commit

Move service dispatch daemon after the source service · 876e73dc

Andrej Shadura authored Apr 28, 2022



Service dispatch daemon depends on the source service, so it has to
start after it.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

876e73dc

27 Apr, 2022 3 commits

Order the backend services according to their dependencies · cd5ab0f2

Andrej Shadura authored Apr 27, 2022 and

Sjoerd Simons committed Apr 27, 2022

Backend services have internal dependencies, so it’s better to start
them in the correct order. Supervisord does not guarantee this order,
but it’s still better than starting them all at once.

See: https://openbuildservice.org/help/manuals/obs-admin-guide/obs.cha.installation_and_configuration.html#_backend_installation

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

cd5ab0f2

Replace armv7l with armv7hl and add aarch64 to the default configuration · 411b902d
Andrej Shadura authored Apr 27, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
411b902d
Make supervisord try harder with retries for the backend · 63e4fed3
Andrej Shadura authored Apr 26, 2022 and Sjoerd Simons committed Apr 27, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
63e4fed3

26 Apr, 2022 2 commits

Switch to stateful set · ef9b6973

Sjoerd Simons authored Apr 26, 2022 and

Andrej Shadura committed Apr 26, 2022



The backend better fits to a stateful set rather then a replicaset; As
obviously the backend has a lot of state and a 1:1 relationship with its
volumes

Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>

ef9b6973

Remove service account creation · ea8aaf85

Sjoerd Simons authored Apr 26, 2022 and

Andrej Shadura committed Apr 26, 2022



OBS doesn't talk to the kubernetes api so there is no reason to create
service accounts

Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>

ea8aaf85

25 Apr, 2022 2 commits
- Don’t try to repeatedly disable the signer · cbfda8eb
  Andrej Shadura authored Apr 25, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
  cbfda8eb
- Make sure the "t" bit is set on /tmp · a146dfd5
  Andrej Shadura authored Apr 25, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
  a146dfd5
22 Apr, 2022 2 commits

Add Helm charts · ac982ce8

Andrej Shadura authored Apr 14, 2022



Add a charts with two subcharts, for the frontend and the backend.
Workers are not covered since we want to run them externally and connect
them using a proxy.

Settings for the backend and frontend themselves are specified through
the "global" section, while settings for MariaDB and memcached should go
into "frontend".

The extraConfig setting allows adding configuration code to BSConfig.local.pm.

The permanent backend storage stores both data and the configuration in
subdirectories.

All hosts have r/w+worker access to the backend by default.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

ac982ce8

Search exits with 0 on error, so we need to always restart it. · 22203484

Andrej Shadura authored Apr 22, 2022

The default is "unexpected" which means exit codes 0 or 2 are considered
success, however search can crash and exit with 0.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

22203484

20 Apr, 2022 5 commits

Fix Action Pack vulnerability · d0319ab2

Eduardo Navarro authored Feb 14, 2022 and

Andrej Shadura committed Apr 20, 2022

CVE-2022-23633: Possible exposure of information vulnerability in Action
Pack.

Update Rails to 5.2.6.2 with `bundle update rails --strict --patch`.

Cherry-picked from 65292f48a504918aac61d35934e35c8b3d5c5bb1

d0319ab2

Add user_login to route constraints · de62ee6e
Henne Vogelsang authored Apr 06, 2022 and Andrej Shadura committed Apr 20, 2022
```
Missing from #10951

Cherry-picked from 531160be9f3be444bf8ff63f0bebe3643b65788b
```
de62ee6e

Add constraints to user requests endpoint · 04b07c49

Sasi Olin authored Jan 04, 2022 and

Andrej Shadura committed Apr 20, 2022

Fixes #10951:

    When I visit the Task page to look up my open tasks in our
    private instance, I get the followowing errors…

See https://github.com/openSUSE/open-build-service/issues/10951
Cherry-picked from d0b9bb6f524e73ed0b657b294d5c3ba0a61d0da2

04b07c49

Preload the frontend before forking off workers. · 26f6e1d5

Andrej Shadura authored Apr 20, 2022

Use preload_app! to boot the application and load its code before forking.
This takes advantage of copy-on-write, leading to better memory usage.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

26f6e1d5

Create GNUPGHOME with -p to prevent failures if it already exists · 4043ca6a

Andrej Shadura authored Apr 20, 2022



If the GNUPGHOME existed but was empty, mkdir would fail without -p.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>

4043ca6a

13 Apr, 2022 1 commit
- Allow overriding the memcache host through the environment · 0a047426
  Andrej Shadura authored Apr 13, 2022
```
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
```
  0a047426