From 80a9f324414f13c25008ee5bfd429d296630856f Mon Sep 17 00:00:00 2001 From: Mustafa Gezen Date: Thu, 14 Jul 2022 18:58:49 +0200 Subject: [PATCH 01/13] Yumrepofs should translate i386 to i686 --- peridot/yumrepofs/v1/blob.go | 3 +++ peridot/yumrepofs/v1/metadata.go | 12 ++++++++++++ peridot/yumrepofs/v1/rpm.go | 3 +++ rules_byc/internal/container/container.bzl | 7 +++---- 4 files changed, 21 insertions(+), 4 deletions(-) diff --git a/peridot/yumrepofs/v1/blob.go b/peridot/yumrepofs/v1/blob.go index 2a0b944..a6165db 100644 --- a/peridot/yumrepofs/v1/blob.go +++ b/peridot/yumrepofs/v1/blob.go @@ -62,6 +62,9 @@ func (s *Server) GetBlob(ctx context.Context, req *yumrepofspb.GetBlobRequest) ( if err := req.ValidateAll(); err != nil { return nil, err } + if req.Arch == "i386" { + req.Arch = "i686" + } if strings.HasSuffix(req.Blob, ".sqlite.gz") { s3Req, _ := s.s3.GetObjectRequest(&s3.GetObjectInput{ diff --git a/peridot/yumrepofs/v1/metadata.go b/peridot/yumrepofs/v1/metadata.go index 90f846d..5174afb 100644 --- a/peridot/yumrepofs/v1/metadata.go +++ b/peridot/yumrepofs/v1/metadata.go @@ -44,6 +44,9 @@ func (s *Server) GetRepoMd(_ context.Context, req *yumrepofspb.GetRepoMdRequest) if err := req.ValidateAll(); err != nil { return nil, err } + if req.Arch == "i386" { + req.Arch = "i686" + } latestRevision, err := s.db.GetLatestActiveRepositoryRevisionByProjectIdAndNameAndArch(req.ProjectId, req.RepoName, req.Arch) if err != nil { @@ -66,6 +69,9 @@ func (s *Server) GetRepoMdSignature(_ context.Context, req *yumrepofspb.GetRepoM if err := req.ValidateAll(); err != nil { return nil, err } + if req.Arch == "i386" { + req.Arch = "i686" + } latestRevision, err := s.db.GetLatestActiveRepositoryRevisionByProjectIdAndNameAndArch(req.ProjectId, req.RepoName, req.Arch) if err != nil { 
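Review bot: The `i386` → `i686` mapping is pasted verbatim into six handlers (GetBlob here, the four handlers in metadata.go, and GetRpm in rpm.go), each mutating the already-validated request in place, so the next alias will have to be added in six places. One helper, `func normalizeArch(arch string) string { if arch == "i386" { return "i686" }; return arch }`, called as `req.Arch = normalizeArch(req.Arch)` right after `ValidateAll`, keeps the alias table in one spot. The motivation lives only in the commit title, so a comment on the helper — presumably something like `// clients request i386 but repository revisions are keyed by i686` — would help the next reader; confirm the wording against how the repositories are actually keyed. Each enclosing handler continues past its hunk.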
@@ -88,6 +94,9 @@ func (s *Server) GetPublicKey(_ context.Context, req *yumrepofspb.GetPublicKeyRe if err := req.ValidateAll(); err != nil { return nil, err } + if req.Arch == "i386" { + req.Arch = "i686" + } key, err := s.db.GetDefaultKeyForProject(req.ProjectId) if err != nil { @@ -104,6 +113,9 @@ func (s *Server) GetUrlMappings(_ context.Context, req *yumrepofspb.GetUrlMappin if err := req.ValidateAll(); err != nil { return nil, err } + if req.Arch == "i386" { + req.Arch = "i686" + } latestRevision, err := s.db.GetLatestActiveRepositoryRevisionByProjectIdAndNameAndArch(req.ProjectId, req.RepoName, req.Arch) if err != nil { diff --git a/peridot/yumrepofs/v1/rpm.go b/peridot/yumrepofs/v1/rpm.go index d4bb7e0..de995c7 100644 --- a/peridot/yumrepofs/v1/rpm.go +++ b/peridot/yumrepofs/v1/rpm.go @@ -51,6 +51,9 @@ func (s *Server) GetRpm(ctx context.Context, req *yumrepofspb.GetRpmRequest) (*y if err := req.ValidateAll(); err != nil { return nil, err } + if req.Arch == "i386" { + req.Arch = "i686" + } fileName := fmt.Sprintf("%s/%s.rpm", req.ParentTaskId, strings.TrimSuffix(req.FileName, ".rpm")) if len(req.ParentTaskId) == 1 { diff --git a/rules_byc/internal/container/container.bzl b/rules_byc/internal/container/container.bzl index f9a2de8..e30e85e 100644 --- a/rules_byc/internal/container/container.bzl +++ b/rules_byc/internal/container/container.bzl @@ -1,5 +1,5 @@ load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar") -load("@io_bazel_rules_docker//container:container.bzl", "container_image", "container_push", "container_layer") +load("@io_bazel_rules_docker//container:container.bzl", "container_image", "container_layer", "container_push") load("@io_bazel_rules_docker//nodejs:image.bzl", "nodejs_image") REGISTRY_VARIANT = "aws" 
@@ -63,10 +63,10 @@ def container(image_name, files, tars_to_layer = [], base = "//bases/bazel/go", if len(server_files) > 0: nodejs_image( - name = "%s_image_node" %image_name, + name = "%s_image_node" % image_name, entry_point = server_entrypoint, data = server_files, - base = ":%s_image" % image_name + base = ":%s_image" % image_name, ) container_push( @@ -88,4 +88,3 @@ def container(image_name, files, tars_to_layer = [], base = "//bases/bazel/go", }) if should_use_aws_format and not disable_conditional else tag, visibility = ["//visibility:public"], ) - From 3245c6099c8b5847280d4f63fff52ddb8f71f5f4 Mon Sep 17 00:00:00 2001 From: Mustafa Gezen Date: Sat, 16 Jul 2022 01:07:15 +0200 Subject: [PATCH 02/13] Make Temporal namespace configurable --- temporalutils/BUILD.bazel | 1 + temporalutils/client.go | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/temporalutils/BUILD.bazel b/temporalutils/BUILD.bazel index 69bb03e..6ddfb50 100644 --- a/temporalutils/BUILD.bazel +++ b/temporalutils/BUILD.bazel @@ -9,6 +9,7 @@ go_library( "//vendor/github.com/sirupsen/logrus", "//vendor/github.com/spf13/pflag", "//vendor/github.com/spf13/viper", + "//vendor/go.temporal.io/api/workflowservice/v1:workflowservice", "//vendor/go.temporal.io/sdk/client", "@org_golang_google_grpc//:go_default_library", "@org_golang_google_grpc//credentials", diff --git a/temporalutils/client.go b/temporalutils/client.go index 003fddd..157d29c 100644 --- a/temporalutils/client.go +++ b/temporalutils/client.go @@ -31,14 +31,18 @@ package temporalutils import ( + "context" "crypto/tls" "github.com/sirupsen/logrus" "github.com/spf13/pflag" "github.com/spf13/viper" + "go.temporal.io/api/workflowservice/v1" "go.temporal.io/sdk/client" "google.golang.org/grpc" "google.golang.org/grpc/credentials" + "os" "strings" + "time" ) func AddFlags(pflags *pflag.FlagSet) { 
@@ -66,5 +70,31 @@ func NewClient(opts client.Options) (client.Client, error) { opts.HostPort = temporalHostPort + bycNs := os.Getenv("BYC_NS") + temporalNamespace := os.Getenv("TEMPORAL_NAMESPACE") + if temporalNamespace != "" { + bycNs = temporalNamespace + } + if opts.Namespace != "" { + bycNs = opts.Namespace + } + if bycNs == "" { + bycNs = "default" + } + + nscl, err := client.NewNamespaceClient(opts) + if err != nil { + return nil, err + } + dur := 5 * 24 * time.Hour + err = nscl.Register(context.TODO(), &workflowservice.RegisterNamespaceRequest{ + Namespace: bycNs, + WorkflowExecutionRetentionPeriod: &dur, + }) + if err != nil && !strings.Contains(err.Error(), "Namespace already exists") { + return nil, err + } + opts.Namespace = bycNs + return client.NewClient(opts) } From 95340b21ee878ecf038bdaaeb6a61f2a9642d482 Mon Sep 17 00:00:00 2001 From: Mustafa Gezen Date: Sun, 17 Jul 2022 06:34:17 +0200 Subject: [PATCH 03/13] Add option to enable/disable auth enforce using env variables --- common/frontend_server/index.mjs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/frontend_server/index.mjs b/common/frontend_server/index.mjs index 027ff20..4c09812 100644 --- a/common/frontend_server/index.mjs +++ b/common/frontend_server/index.mjs @@ -103,7 +103,7 @@ export default async function(opts) { } const config = { - authRequired: (process.env['DISABLE_AUTH_ENFORCE'] && process.env['DISABLE_AUTH_ENFORCE'] === 'false') || !!!opts.disableAuthEnforce, + authRequired: process.env['DISABLE_AUTH_ENFORCE'] ? process.env['DISABLE_AUTH_ENFORCE'] === 'false' : !!!opts.disableAuthEnforce, // Disable telemetry enableTelemetry: false, // Use dev secret is none is present (Prod requires a secret so not a security issue) From 361a9378aa61d52e8ab488ccde9f5e24d5566517 Mon Sep 17 00:00:00 2001 
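Review bot: `strings.Contains(err.Error(), "Namespace already exists")` keys the only tolerated failure on message text, which breaks silently if the frontend's wording changes; the SDK returns a typed error for this case, so `errors.As` against `*serviceerror.NamespaceAlreadyExists` is the robust check. The registration also runs with `context.TODO()` (no deadline) on every client construction and the `NamespaceClient` is never closed, so an unreachable frontend hangs startup and each call leaks a connection. Registering namespaces is a cluster-admin operation; doing it implicitly in `NewClient` means every service that only needs to start workflows must hold that permission — consider gating it behind an explicit option or env flag so the common path runs with least privilege. The rewritten registration is below; it needs `errors` and `go.temporal.io/api/serviceerror` imported (and the matching vendor entry in BUILD.bazel).
```go
	nscl, err := client.NewNamespaceClient(opts)
	if err != nil {
		return nil, err
	}
	defer nscl.Close()
	// Bound the bootstrap call so an unreachable frontend cannot hang client
	// construction indefinitely (timeout value is illustrative).
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	dur := 5 * 24 * time.Hour
	err = nscl.Register(ctx, &workflowservice.RegisterNamespaceRequest{
		Namespace:                        bycNs,
		WorkflowExecutionRetentionPeriod: &dur,
	})
	// Already-registered is the expected steady state; match the typed error,
	// not its message text.
	var exists *serviceerror.NamespaceAlreadyExists
	if err != nil && !errors.As(err, &exists) {
		return nil, err
	}
	// … unchanged: opts.Namespace = bycNs; return client.NewClient(opts) …
```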
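Review bot: The new ternary makes `authRequired` false for every value of `DISABLE_AUTH_ENFORCE` except the exact string `'false'`, so `DISABLE_AUTH_ENFORCE=0`, `=no` or `=False` — values an operator would plausibly set to keep enforcement on — silently switch auth off. Parse the variable fail-closed so only an explicit opt-in disables it: `authRequired: process.env['DISABLE_AUTH_ENFORCE'] ? process.env['DISABLE_AUTH_ENFORCE'].trim().toLowerCase() !== 'true' : !opts.disableAuthEnforce,`. `!!!opts.disableAuthEnforce` is just `!opts.disableAuthEnforce`. The same line is reflowed again in PATCH 04/13 with the same semantics, so the fix applies there too. The enclosing function starts before the hunk and continues after it.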
From: Mustafa Gezen Date: Sun, 17 Jul 2022 22:16:38 +0200 Subject: [PATCH 04/13] Add more customization options for authOptions --- common/frontend_server/index.mjs | 69 ++++++++++++++++++++++++++------ 1 file changed, 57 insertions(+), 12 deletions(-) diff --git a/common/frontend_server/index.mjs b/common/frontend_server/index.mjs index 4c09812..5d70898 100644 --- a/common/frontend_server/index.mjs +++ b/common/frontend_server/index.mjs @@ -53,7 +53,7 @@ const { auth } = expressOidc; export default async function(opts) { // Create a new app for health checks. const appZ = express(); - appZ.get('/_/healthz', ((req, res) => { + appZ.get('/healthz', ((req, res) => { res.end(); })); @@ -83,15 +83,19 @@ export default async function(opts) { console.log(`Using clientID: ${opts.clientID}`); console.log(`Using baseURL: ${opts.baseURL}`); - if (opts.issuerBaseURL.endsWith('.localhost') || opts.issuerBaseURL.endsWith('.localhost/')) { - const kong = 'kong-proxy.kong.svc.cluster.local' + if ((opts.issuerBaseURL.endsWith('.localhost') + || opts.issuerBaseURL.endsWith('.localhost/')) + && process.env['BYC_ENV']) { + const kong = 'kong-proxy.kong.svc.cluster.local'; const urlObject = new URL(opts.issuerBaseURL); console.warn(`Forcing ${urlObject.hostname} to resolve to ${kong}`); const lookup = async () => { return new Promise((resolve, reject) => { // noinspection HttpUrlsUsage dns.lookup(kong, { family: 4 }, (err, address, family) => { - if(err) reject(err); + if (err) { + reject(err); + } resolve(address); }); }); 
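Review bot: In the `lookup` callback the rejection does not return, so `resolve(address)` still runs after `reject(err)`; a settled promise ignores it, but `return reject(err);` states the intent and avoids a later reader adding code after the `if`. The added `process.env['BYC_ENV']` condition only tests for a non-empty value, so any environment name enables the evilDns override and the `NODE_TLS_REJECT_UNAUTHORIZED = 0` line in the following hunk; that path is still gated on a `.localhost` issuer, so it is presumably dev-only, but a comment stating which `BYC_ENV` values are expected to reach it would make the guard's purpose explicit. The enclosing function starts before the hunk and continues after it.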
@@ -99,11 +103,13 @@ export default async function(opts) { const internalServiceResolve = await lookup(); evilDns.add(urlObject.hostname, internalServiceResolve); // Disable TLS verification for development - process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0 + process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0; } const config = { - authRequired: process.env['DISABLE_AUTH_ENFORCE'] ? process.env['DISABLE_AUTH_ENFORCE'] === 'false' : !!!opts.disableAuthEnforce, + authRequired: process.env['DISABLE_AUTH_ENFORCE'] + ? process.env['DISABLE_AUTH_ENFORCE'] === 'false' + : !!!opts.disableAuthEnforce, // Disable telemetry enableTelemetry: false, // Use dev secret is none is present (Prod requires a secret so not a security issue) @@ -115,7 +121,6 @@ export default async function(opts) { clientID: opts.clientID, // The specific application should supply a dev secret while prod secrets should be set as an env variable clientSecret: opts.clientSecret, - // We're currently only using the Rocky issuer issuerBaseURL: opts.issuerBaseURL, idpLogout: true, authorizationParams: { 
@@ -138,13 +143,50 @@ export default async function(opts) { // Remember, authentication done here is only for simplicity purposes. // The authentication token is then passed on to the API. // Bypassing auth here doesn't accomplish anything. + let middlewares = []; + + + // If requireEmailSuffix is present, let's validate post callback + // that the signed in email ends with a suffix in the allowlist + // Again, a bypass here doesn't accomplish anything. + let requireEmailSuffix = opts.authOptions?.requireEmailSuffix; + if (process.env['AUTH_OPTIONS_REQUIRE_EMAIL_SUFFIX']) { + requireEmailSuffix = process.env['AUTH_OPTIONS_REQUIRE_EMAIL_SUFFIX'].split( + ','); + } + if (requireEmailSuffix) { + middlewares.push((req, res, next) => { + const email = req.oidc?.user?.email; + if (!email) { + return next('No email found in the user object'); + } + const suffixes = requireEmailSuffix; + let isAllowed = false; + for (const suffix of suffixes) { + if (email.endsWith(suffix)) { + isAllowed = true; + break; + } + } + + if (isAllowed) { + next(); + } else { + res.redirect(process.env['AUTH_REJECT_REDIRECT_URL'] + ? process.env['AUTH_REJECT_REDIRECT_URL'] + : (opts.authOptions.authRejectRedirectUrl + || 'https://rockylinux.org')); + } + }); + } + app.use((req, res, next) => { try { auth(config)(req, res, next); } catch (err) { next(err); } - }); + }, [middlewares]); } // Currently in dev, webpack is handling all file serving 
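Review bot: The allowlist built from `AUTH_OPTIONS_REQUIRE_EMAIL_SUFFIX` accepts an empty suffix: `'@example.org,'.split(',')` yields a trailing `''`, and `email.endsWith('')` is true for every address, so a stray comma in the variable lets every signed-in user through. Normalise the list before use, `requireEmailSuffix = process.env['AUTH_OPTIONS_REQUIRE_EMAIL_SUFFIX'].split(',').map((s) => s.trim()).filter(Boolean);`, and treat an empty resulting list as a configuration error (`next(...)`) rather than skipping the middleware. The suffixes are also matched without an anchor, so an entry like `rockylinux.org` would accept `user@notrockylinux.org`; a comment next to the check (and the option's documentation) should state that entries must start with `@` or `.`. `[middlewares]` nests an array inside an array — Express flattens it, but passing `middlewares` directly says what is meant — and `opts.authOptions.authRejectRedirectUrl` in the reject branch lacks the optional chaining used a few lines above, so it throws when the env var is set but `opts.authOptions` is absent. The enclosing function continues past the hunk.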
@@ -200,9 +242,11 @@ export default async function(opts) { // Make it possible to override api url using an env variable. // Example: /api can be set with URL_API // Example 2: /manage/api can be set with URL_MANAGE_API - const prodEnvName = `URL_${x.substr(1).replace('/', '_').toUpperCase()}`; + const prodEnvName = `URL_${x.substr(1).replace('/', + '_').toUpperCase()}`; - const apiUrl = prod ? (process.env[prodEnvName] || opts.apis[x].prodApiUrl) : opts.apis[x].devApiUrl; + const apiUrl = prod ? (process.env[prodEnvName] + || opts.apis[x].prodApiUrl) : opts.apis[x].devApiUrl; createProxyMiddleware({ target: apiUrl, @@ -265,7 +309,7 @@ export default async function(opts) { webpackMildCompile(compiler); const wdm = webpackDevMiddleware(compiler, { - publicPath: opts.webpackConfig.output.publicPath, + publicPath: opts.webpackConfig.output.publicPath }); app.use(history()); @@ -279,7 +323,8 @@ export default async function(opts) { // For SPAs, the only HTML page is the index page if (res.get('content-type').indexOf('text/html') !== -1) { // Run through handlebars compiler with our template parameters - newData = hbs.handlebars.compile(data.toString())(templateParams(req)); + newData = hbs.handlebars.compile(data.toString())( + templateParams(req)); } else { // No new data, just return old data newData = data; From 0e58d6e9d3f96c4b629da07f9bf3c0a6253613f0 Mon Sep 17 00:00:00 2001 From: Mustafa Gezen Date: Mon, 18 Jul 2022 21:15:16 +0200 Subject: [PATCH 05/13] Temporal namespace should be passed to peridotbuilder --- peridot/builder/v1/workflow/infrastructure.go | 4 ++++ temporalutils/client.go | 1 + 2 files changed, 5 insertions(+) diff --git a/peridot/builder/v1/workflow/infrastructure.go b/peridot/builder/v1/workflow/infrastructure.go index d5f6647..6f1ac38 100644 --- a/peridot/builder/v1/workflow/infrastructure.go +++ b/peridot/builder/v1/workflow/infrastructure.go 
@@ -578,6 +578,10 @@ func (c *Controller) CreateK8sPodActivity(ctx context.Context, req *ProvisionWor Name: "REAL_BUILD_ARCH", Value: imageArch, }, + { + Name: "TEMPORAL_NAMESPACE", + Value: viper.GetString("temporal.namespace"), + }, { Name: "KEYKEEPER_GRPC_ENDPOINT_OVERRIDE", Value: os.Getenv("KEYKEEPER_GRPC_ENDPOINT_OVERRIDE"), diff --git a/temporalutils/client.go b/temporalutils/client.go index 157d29c..ee57b06 100644 --- a/temporalutils/client.go +++ b/temporalutils/client.go @@ -95,6 +95,7 @@ func NewClient(opts client.Options) (client.Client, error) { return nil, err } opts.Namespace = bycNs + viper.Set("temporal.namespace", bycNs) return client.NewClient(opts) } From ccba0d90ca2ce32f2dc4b4e0bf96c2239e1687dc Mon Sep 17 00:00:00 2001 From: Mustafa Gezen Date: Tue, 19 Jul 2022 23:45:20 +0200 Subject: [PATCH 06/13] Add option to force namespace --- common/frontend_server/upstream.mjs | 7 +++++++ servicecatalog/common.go | 3 +++ 2 files changed, 10 insertions(+) diff --git a/common/frontend_server/upstream.mjs b/common/frontend_server/upstream.mjs index 569f41a..3f7bf3e 100644 --- a/common/frontend_server/upstream.mjs +++ b/common/frontend_server/upstream.mjs @@ -34,6 +34,9 @@ import os from 'os'; export function svcName(svc, protocol) { let env = process.env['BYC_ENV']; + if (!env) { + env = 'dev'; + } return `${svc}-${protocol}-${env}-service`; } @@ -42,6 +45,10 @@ export function svcNameHttp(svc) { } export function endpoint(generatedServiceName, ns, port) { + const forceNs = process.env['BYC_FORCE_NS']; + if (forceNs) { + ns = forceNs; + } return `${generatedServiceName}.${ns}.svc.cluster.local${port}`; } diff --git a/servicecatalog/common.go b/servicecatalog/common.go index c306346..fc966a3 100644 --- a/servicecatalog/common.go +++ b/servicecatalog/common.go 
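Review bot: `viper.Set("temporal.namespace", bycNs)` inside `NewClient` turns the resolved namespace into process-global state that overrides any `temporal.namespace` flag or config value for the rest of the process, and `CreateK8sPodActivity` in infrastructure.go now depends on `NewClient` having run earlier in the same process; if it has not, the pod presumably gets an empty `TEMPORAL_NAMESPACE` and the child resolves the namespace on its own from `BYC_NS`/`default`, which may differ from the parent's. Making the dependency explicit — for example a package-level `Namespace()` accessor in temporalutils that returns the value computed in `NewClient` — is clearer than a hidden viper key. At minimum, the `viper.Set` line deserves a comment naming its consumer: `// read by builder/v1/workflow CreateK8sPodActivity to pass the namespace to build pods`. Both enclosing functions start before their hunks.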
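Review bot: `BYC_FORCE_NS` in `endpoint()` silently rewrites the namespace for every in-cluster service this process talks to, with no log line, so a mis-set variable redirects all upstream calls (including auth) to another namespace with nothing in the output to show it; the Go `Endpoint` in servicecatalog/common.go in the same patch has the same shape. A single `console.warn(`BYC_FORCE_NS=${forceNs}: overriding service namespace for all endpoints`)` at module load (and one `logrus.Warnf` in the Go helper) makes the redirection visible to operators. `svcName()` now defaults `BYC_ENV` to `'dev'`; the Go `SvcName` is not in this patch, so I cannot tell whether it does the same — worth confirming, since service names diverging between the two catalogs would break resolution.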
@@ -50,6 +50,9 @@ func SvcNameGrpc(svc string) string { } func Endpoint(svcName string, ns string, port string) string { + if forceNs := os.Getenv("BYC_FORCE_NS"); forceNs != "" { + ns = forceNs + } return fmt.Sprintf("%s.%s.svc.cluster.local%s", svcName, ns, port) } From dd8c287520b9fe7f9b7cf515bb0ff27608a22eaf Mon Sep 17 00:00:00 2001 From: Mustafa Gezen Date: Wed, 20 Jul 2022 05:33:44 +0200 Subject: [PATCH 07/13] Add option to override Hydra and SpiceDB endpoints --- servicecatalog/hydra.go | 12 ++++++++---- servicecatalog/spicedb.go | 6 ++++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/servicecatalog/hydra.go b/servicecatalog/hydra.go index 34eb9e4..634a22a 100644 --- a/servicecatalog/hydra.go +++ b/servicecatalog/hydra.go @@ -31,11 +31,15 @@ package servicecatalog func HydraPublic() string { - svcName := SvcNameHttp("hydra-public") - return EndpointHttp(svcName, NS("hydra-public")) + ":4444" + return envOverridable("hydra_public", "http", func() string { + svcName := SvcNameHttp("hydra-public") + return EndpointHttp(svcName, NS("hydra-public")) + ":4444" + }) } func HydraAdmin() string { - svcName := SvcNameHttp("hydra-admin") - return EndpointHttp(svcName, NS("hydra-admin")) + ":4445" + return envOverridable("hydra_admin", "http", func() string { + svcName := SvcNameHttp("hydra-admin") + return EndpointHttp(svcName, NS("hydra-admin")) + ":4445" + }) } diff --git a/servicecatalog/spicedb.go b/servicecatalog/spicedb.go index 6fc901d..d2b1445 100644 --- a/servicecatalog/spicedb.go +++ b/servicecatalog/spicedb.go @@ -37,8 +37,10 @@ import ( ) func SpiceDB() string { - svcName := SvcNameGrpc("spicedb") - return Endpoint(svcName, NS("spicedb"), ":50051") + return envOverridable("spicedb", "grpc", func() string { + svcName := SvcNameGrpc("spicedb") + return Endpoint(svcName, NS("spicedb"), ":50051") + }) } func SpiceDBCredentials() []grpc.DialOption { From 78cf89a3ae5c1640c1d2714cd6c9b0d3bac0263c Mon Sep 17 00:00:00 2001 
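Review bot: `HydraAdmin` now lets an environment variable redirect the privileged Hydra admin API (and `SpiceDB`, the authorization backend, in the same patch) to an arbitrary endpoint; that is the intended dev affordance, but it is also a configuration-injection point and should be documented on each function. The Go `envOverridable` is not in this patch, so the variable name is inferred — presumably `HYDRA_ADMIN_HTTP_ENDPOINT_OVERRIDE`, mirroring the JS helper added in PATCH 09/13 — and the doc comment should name it and say the value is used verbatim, e.g. `// HydraAdmin returns the Hydra admin endpoint; HYDRA_ADMIN_HTTP_ENDPOINT_OVERRIDE replaces it verbatim when set.` `SpiceDBCredentials()` is unchanged, so an override pointing outside the cluster would still dial with the in-cluster credential/TLS settings; a comment on `SpiceDB` stating that the override must be reachable with those options (or a check that they agree) closes that gap.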
From: Mustafa Gezen Date: Wed, 20 Jul 2022 05:33:56 +0200 Subject: [PATCH 08/13] Formatting --- WORKSPACE | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/WORKSPACE b/WORKSPACE index 7ef97ff..86014a5 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -82,12 +82,12 @@ go_repository( go_repository( name = "com_github_ProtonMail_go_crypto", importpath = "github.com/ProtonMail/go-crypto", + patch_args = ["-p1"], + patches = [ + "//patches:0001-Key-ID-subpacket-should-not-be-hashed-or-critical-fo.patch", + ], sum = "h1:J2FzIrXN82q5uyUraeJpLIm7U6PffRwje2ORho5yIik=", version = "v0.0.0-20220113124808-70ae35bab23f", - patches = [ - "//patches:0001-Key-ID-subpacket-should-not-be-hashed-or-critical-fo.patch", - ], - patch_args = ["-p1"], ) go_repository( From 8e342ff2ba519f15b2ed9c8fcf805b60d3d00197 Mon Sep 17 00:00:00 2001 From: Mustafa Gezen Date: Wed, 20 Jul 2022 12:10:14 +0200 Subject: [PATCH 09/13] Make servicecatalog/js able to do env overridable services --- common/frontend_server/upstream.mjs | 9 +++++++++ hydra/pkg/hydra/autosignup.mjs | 19 ++++++++++++++----- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/common/frontend_server/upstream.mjs b/common/frontend_server/upstream.mjs index 3f7bf3e..7d4a644 100644 --- a/common/frontend_server/upstream.mjs +++ b/common/frontend_server/upstream.mjs @@ -32,6 +32,15 @@ import os from 'os'; +export function envOverridable(svcName, protocol, x) { + const envName = `${svcName}_${protocol}_ENDPOINT_OVERRIDE`.toUpperCase(); + const envValue = process.env[envName]; + if (envValue) { + return envValue; + } + return x(); +} + export function svcName(svc, protocol) { let env = process.env['BYC_ENV']; if (!env) { diff --git a/hydra/pkg/hydra/autosignup.mjs b/hydra/pkg/hydra/autosignup.mjs index 4247973..dccc9a9 100644 --- a/hydra/pkg/hydra/autosignup.mjs +++ b/hydra/pkg/hydra/autosignup.mjs 
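Review bot: `envOverridable(svcName, protocol, x)` has an undescriptive third parameter and no comment stating which variable it consults, so callers in autosignup.mjs have to read the body to learn the contract; rename `x` to `fallback` and add a JSDoc line such as `/** Returns the `${SVC}_${PROTOCOL}_ENDPOINT_OVERRIDE` environment value when set, otherwise fallback(). */`. The value is returned verbatim, so a whitespace-only or trailing-slash value propagates into every endpoint string built from it; trimming and ignoring empty results (`const envValue = (process.env[envName] || '').trim();`) is cheap and keeps the override predictable.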
@@ -33,20 +33,29 @@ // noinspection JSUnresolvedFunction // noinspection ES6PreferShortImport -import { svcNameHttp, endpointHttp, NS } from '../../../common/frontend_server/upstream.mjs'; +import { + svcNameHttp, + endpointHttp, + NS, + envOverridable +} from '../../../common/frontend_server/upstream.mjs'; import pkg from '@ory/hydra-client'; import os from 'os'; const { Configuration, PublicApi, AdminApi } = pkg; export function hydraPublicUrl() { - const svc = svcNameHttp('hydra-public'); - return endpointHttp(svc, NS('hydra-public'), ':4444'); + return envOverridable('hydra_public', 'http', () => { + const svc = svcNameHttp('hydra-public'); + return endpointHttp(svc, NS('hydra-public'), ':4444'); + }); } function hydraAdminUrl() { - const svc = svcNameHttp('hydra-admin'); - return endpointHttp(svc, NS('hydra-admin'), ':4445'); + return envOverridable('hydra_admin', 'http', () => { + const svc = svcNameHttp('hydra-admin'); + return endpointHttp(svc, NS('hydra-admin'), ':4445'); + }); } const hydraAdmin = new AdminApi( From b5d1bf66a518ce057009db07e8ac167128ec1d7b Mon Sep 17 00:00:00 2001 From: Mustafa Gezen Date: Wed, 20 Jul 2022 15:28:56 +0200 Subject: [PATCH 10/13] Respond to /_/healthz as well for frontend --- common/frontend_server/index.mjs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/common/frontend_server/index.mjs b/common/frontend_server/index.mjs index 5d70898..d0871cf 100644 --- a/common/frontend_server/index.mjs +++ b/common/frontend_server/index.mjs @@ -56,6 +56,9 @@ export default async function(opts) { appZ.get('/healthz', ((req, res) => { res.end(); })); + appZ.get('/_/healthz', ((req, res) => { + res.end(); + })); const app = express(); app.use(function(req, res, next) { @@ -66,7 +69,7 @@ export default async function(opts) { next(); } }); - const prod = process.env.NODE_ENV === 'production'; + const prod = process.env.NODE_ENV !== 'production'; const port = prod ? (process.env.PORT || 8086) : opts.port; 
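Review bot: `const prod = process.env.NODE_ENV !== 'production';` in the second hunk inverts production detection, so a production process would use `opts.port` and the dev API URLs while a dev process takes the prod branch; PATCH 11/13 in this series reverts that line, so the fix is already in the stack, but the two should be squashed so this commit does not leave a broken intermediate state for bisecting. The two health routes can be one registration, `appZ.get(['/healthz', '/_/healthz'], (req, res) => res.end());`, rather than a duplicated handler. The enclosing function starts before the hunks and continues after them.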
From 5917a94c9faadd1d26d48e00f2e9ccb7139f5896 Mon Sep 17 00:00:00 2001 From: Mustafa Gezen Date: Wed, 20 Jul 2022 15:49:25 +0200 Subject: [PATCH 11/13] Fix accidental breakage of prod detection for JS/frontend_server --- common/frontend_server/index.mjs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/frontend_server/index.mjs b/common/frontend_server/index.mjs index d0871cf..b44b2f8 100644 --- a/common/frontend_server/index.mjs +++ b/common/frontend_server/index.mjs @@ -69,7 +69,7 @@ export default async function(opts) { next(); } }); - const prod = process.env.NODE_ENV !== 'production'; + const prod = process.env.NODE_ENV === 'production'; const port = prod ? (process.env.PORT || 8086) : opts.port; From 1703798d0eb8aac7b0864f4c0a7d813549d8a5d1 Mon Sep 17 00:00:00 2001 From: Mustafa Gezen Date: Wed, 27 Jul 2022 08:28:37 +0200 Subject: [PATCH 12/13] Verify signature regardless of signing status We get "corrupted"/non-correctly signed RPMs from time to time and added a mechanism to verify signatures and resign if invalid. Unfortunately sometimes rpm --addsign can return a zero exit code regardless of actual error status. Because of this we should always verify signature after signing, this way if it's invalid, we can resign it. --- peridot/keykeeper/v1/sign.go | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/peridot/keykeeper/v1/sign.go b/peridot/keykeeper/v1/sign.go index 2e3ae52..2013ca0 100644 --- a/peridot/keykeeper/v1/sign.go +++ b/peridot/keykeeper/v1/sign.go @@ -213,7 +213,7 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke if err2 != nil { s.log.Errorf("failed to add error details to status: %v", err2) } - return nil, fmt.Errorf("failed to sign artifact %s: %v\nlogs: %s", artifact.Name, err, outBuf.String()) + return nil, statusErr } _, err = s.storage.PutObject(newObjectKey, localPath) if err != nil { 
@@ -251,6 +251,8 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke "--checksig", localPath, } cmd := gpgCmdEnv(exec.Command("rpm", opts...)) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr err := cmd.Run() if err != nil { s.log.Errorf("failed to verify artifact %s: %v", artifact.Name, err) @@ -260,11 +262,8 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke } var tries int for { - res, err := rpmSign() - if err == nil { - return res, nil - } - err = verifySig() + res, _ := rpmSign() + err := verifySig() if err == nil { return res, nil } From b9a4d775f121efd038e940c7d2605ed01d217d66 Mon Sep 17 00:00:00 2001 From: Mustafa Gezen Date: Wed, 27 Jul 2022 20:07:51 +0200 Subject: [PATCH 13/13] Downgrade @bazel/typescript to match rules_nodejs --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index ce27a20..79661a3 100644 --- a/package.json +++ b/package.json @@ -16,7 +16,7 @@ "@babel/preset-typescript": "^7.10.4", "@bazel/buildifier": "^5.1.0", "@bazel/hide-bazel-files": "^1.7.0", - "@bazel/typescript": "^5.5.2", + "@bazel/typescript": "^3.7.0", "@emotion/react": "^11.8.1", "@emotion/styled": "^11.8.1", "@heroicons/react": "^1.0.1",
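Review bot: `rpm --checksig` output is sent to the process's stdout/stderr instead of being captured, so the verify decision rests on the exit code alone and the text that says whether signatures (not only digests) were checked never reaches the structured log. Capture it the way the addsign path does with `outBuf` (referenced in the hunk at line 213): `var checkBuf bytes.Buffer; cmd.Stdout = &checkBuf; cmd.Stderr = &checkBuf`, and include `checkBuf.String()` in the `failed to verify artifact` log line. The enclosing `verifySig` closure starts before the hunk.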
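Review bot: `res, _ := rpmSign()` discards the signing error, and if `rpmSign`'s failure paths return a nil result (the `return nil, statusErr` in the hunk at line 213 appears to be one of them), a package whose on-disk signature already verifies is returned as `nil, nil` — success with no result for the caller. Keep the error and only take the shortcut when there is a result: `res, signErr := rpmSign()` followed by `if err := verifySig(); err == nil && res != nil { return res, nil }`, logging `signErr` before the retry. Separately, as far as I recall `rpm --checksig` exits 0 for a package that has valid digests but no signature at all, so a passing `verifySig` does not prove the artifact is signed with the expected key; checking for `signatures OK` in captured output, or reading the signature header with `rpm -qp --qf '%{SIGPGP:pgpsig}'` and comparing the key ID, would make the check mean what the commit message intends. The `for` loop continues past the hunk.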