Merge pull request #17 from mstg/miscchanges-1

WORKSPACE

@@ -82,12 +82,12 @@ go_repository(
 go_repository(
     name = "com_github_ProtonMail_go_crypto",
     importpath = "github.com/ProtonMail/go-crypto",
-    sum = "h1:J2FzIrXN82q5uyUraeJpLIm7U6PffRwje2ORho5yIik=",
-    version = "v0.0.0-20220113124808-70ae35bab23f",
+    patch_args = ["-p1"],
     patches = [
         "//patches:0001-Key-ID-subpacket-should-not-be-hashed-or-critical-fo.patch",
     ],
-    patch_args = ["-p1"],
+    sum = "h1:J2FzIrXN82q5uyUraeJpLIm7U6PffRwje2ORho5yIik=",
+    version = "v0.0.0-20220113124808-70ae35bab23f",
 )
 
 go_repository(

common/frontend_server/index.mjs

@@ -53,6 +53,9 @@ const { auth } = expressOidc;
 export default async function(opts) {
   // Create a new app for health checks.
   const appZ = express();
+  appZ.get('/healthz', ((req, res) => {
+    res.end();
+  }));
   appZ.get('/_/healthz', ((req, res) => {
     res.end();
   }));
@@ -83,15 +86,19 @@ export default async function(opts) {
     console.log(`Using clientID: ${opts.clientID}`);
     console.log(`Using baseURL: ${opts.baseURL}`);
 
-    if (opts.issuerBaseURL.endsWith('.localhost') || opts.issuerBaseURL.endsWith('.localhost/')) {
-      const kong = 'kong-proxy.kong.svc.cluster.local'
+    if ((opts.issuerBaseURL.endsWith('.localhost')
+        || opts.issuerBaseURL.endsWith('.localhost/'))
+      && process.env['BYC_ENV']) {
+      const kong = 'kong-proxy.kong.svc.cluster.local';
       const urlObject = new URL(opts.issuerBaseURL);
       console.warn(`Forcing ${urlObject.hostname} to resolve to ${kong}`);
       const lookup = async () => {
         return new Promise((resolve, reject) => {
           // noinspection HttpUrlsUsage
           dns.lookup(kong, { family: 4 }, (err, address, family) => {
-            if(err) reject(err);
+            if (err) {
+              reject(err);
+            }
             resolve(address);
           });
         });
@@ -99,11 +106,13 @@ export default async function(opts) {
       const internalServiceResolve = await lookup();
       evilDns.add(urlObject.hostname, internalServiceResolve);
       // Disable TLS verification for development
-      process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0
+      process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0;
     }
 
     const config = {
-      authRequired: (process.env['DISABLE_AUTH_ENFORCE'] && process.env['DISABLE_AUTH_ENFORCE'] === 'false') || !!!opts.disableAuthEnforce,
+      authRequired: process.env['DISABLE_AUTH_ENFORCE']
+        ? process.env['DISABLE_AUTH_ENFORCE'] === 'false'
+        : !!!opts.disableAuthEnforce,
       // Disable telemetry
       enableTelemetry: false,
       // Use dev secret is none is present (Prod requires a secret so not a security issue)
@@ -115,7 +124,6 @@ export default async function(opts) {
       clientID: opts.clientID,
       // The specific application should supply a dev secret while prod secrets should be set as an env variable
       clientSecret: opts.clientSecret,
-      // We're currently only using the Rocky issuer
       issuerBaseURL: opts.issuerBaseURL,
       idpLogout: true,
       authorizationParams: {
@@ -138,13 +146,50 @@ export default async function(opts) {
     // Remember, authentication done here is only for simplicity purposes.
     // The authentication token is then passed on to the API.
     // Bypassing auth here doesn't accomplish anything.
+    let middlewares = [];
+
+
+    // If requireEmailSuffix is present, let's validate post callback
+    // that the signed in email ends with a suffix in the allowlist
+    // Again, a bypass here doesn't accomplish anything.
+    let requireEmailSuffix = opts.authOptions?.requireEmailSuffix;
+    if (process.env['AUTH_OPTIONS_REQUIRE_EMAIL_SUFFIX']) {
+      requireEmailSuffix = process.env['AUTH_OPTIONS_REQUIRE_EMAIL_SUFFIX'].split(
+        ',');
+    }
+    if (requireEmailSuffix) {
+      middlewares.push((req, res, next) => {
+        const email = req.oidc?.user?.email;
+        if (!email) {
+          return next('No email found in the user object');
+        }
+        const suffixes = requireEmailSuffix;
+        let isAllowed = false;
+        for (const suffix of suffixes) {
+          if (email.endsWith(suffix)) {
+            isAllowed = true;
+            break;
+          }
+        }
+
+        if (isAllowed) {
+          next();
+        } else {
+          res.redirect(process.env['AUTH_REJECT_REDIRECT_URL']
+            ? process.env['AUTH_REJECT_REDIRECT_URL']
+            : (opts.authOptions.authRejectRedirectUrl
+              || 'https://rockylinux.org'));
+        }
+      });
+    }
+
     app.use((req, res, next) => {
       try {
         auth(config)(req, res, next);
       } catch (err) {
         next(err);
       }
-    });
+    }, [middlewares]);
   }
 
   // Currently in dev, webpack is handling all file serving
@@ -200,9 +245,11 @@ export default async function(opts) {
         // Make it possible to override api url using an env variable.
         // Example: /api can be set with URL_API
         // Example 2: /manage/api can be set with URL_MANAGE_API
-        const prodEnvName = `URL_${x.substr(1).replace('/', '_').toUpperCase()}`;
+        const prodEnvName = `URL_${x.substr(1).replace('/',
+          '_').toUpperCase()}`;
 
-        const apiUrl = prod ? (process.env[prodEnvName] || opts.apis[x].prodApiUrl) : opts.apis[x].devApiUrl;
+        const apiUrl = prod ? (process.env[prodEnvName]
+          || opts.apis[x].prodApiUrl) : opts.apis[x].devApiUrl;
 
         createProxyMiddleware({
           target: apiUrl,
@@ -265,7 +312,7 @@ export default async function(opts) {
     webpackMildCompile(compiler);
 
     const wdm = webpackDevMiddleware(compiler, {
-      publicPath: opts.webpackConfig.output.publicPath,
+      publicPath: opts.webpackConfig.output.publicPath
     });
 
     app.use(history());
@@ -279,7 +326,8 @@ export default async function(opts) {
         // For SPAs, the only HTML page is the index page
         if (res.get('content-type').indexOf('text/html') !== -1) {
           // Run through handlebars compiler with our template parameters
-          newData = hbs.handlebars.compile(data.toString())(templateParams(req));
+          newData = hbs.handlebars.compile(data.toString())(
+            templateParams(req));
         } else {
           // No new data, just return old data
           newData = data;

common/frontend_server/upstream.mjs

@@ -32,8 +32,20 @@
 
 import os from 'os';
 
+export function envOverridable(svcName, protocol, x) {
+  const envName = `${svcName}_${protocol}_ENDPOINT_OVERRIDE`.toUpperCase();
+  const envValue = process.env[envName];
+  if (envValue) {
+    return envValue;
+  }
+  return x();
+}
+
 export function svcName(svc, protocol) {
   let env = process.env['BYC_ENV'];
+  if (!env) {
+    env = 'dev';
+  }
   return `${svc}-${protocol}-${env}-service`;
 }
 
@@ -42,6 +54,10 @@ export function svcNameHttp(svc) {
 }
 
 export function endpoint(generatedServiceName, ns, port) {
+  const forceNs = process.env['BYC_FORCE_NS'];
+  if (forceNs) {
+    ns = forceNs;
+  }
   return `${generatedServiceName}.${ns}.svc.cluster.local${port}`;
 }
 

hydra/pkg/hydra/autosignup.mjs

@@ -33,20 +33,29 @@
 // noinspection JSUnresolvedFunction
 // noinspection ES6PreferShortImport
 
-import { svcNameHttp, endpointHttp, NS } from '../../../common/frontend_server/upstream.mjs';
+import {
+  svcNameHttp,
+  endpointHttp,
+  NS,
+  envOverridable
+} from '../../../common/frontend_server/upstream.mjs';
 import pkg from '@ory/hydra-client';
 import os from 'os';
 
 const { Configuration, PublicApi, AdminApi } = pkg;
 
 export function hydraPublicUrl() {
+  return envOverridable('hydra_public', 'http', () => {
     const svc = svcNameHttp('hydra-public');
     return endpointHttp(svc, NS('hydra-public'), ':4444');
+  });
 }
 
 function hydraAdminUrl() {
+  return envOverridable('hydra_admin', 'http', () => {
     const svc = svcNameHttp('hydra-admin');
     return endpointHttp(svc, NS('hydra-admin'), ':4445');
+  });
 }
 
 const hydraAdmin = new AdminApi(

package.json

@@ -16,7 +16,7 @@
     "@babel/preset-typescript": "^7.10.4",
     "@bazel/buildifier": "^5.1.0",
     "@bazel/hide-bazel-files": "^1.7.0",
-    "@bazel/typescript": "^5.5.2",
+    "@bazel/typescript": "^3.7.0",
     "@emotion/react": "^11.8.1",
     "@emotion/styled": "^11.8.1",
     "@heroicons/react": "^1.0.1",

peridot/builder/v1/workflow/infrastructure.go

@@ -578,6 +578,10 @@ func (c *Controller) CreateK8sPodActivity(ctx context.Context, req *ProvisionWor
 							Name:  "REAL_BUILD_ARCH",
 							Value: imageArch,
 						},
+						{
+							Name:  "TEMPORAL_NAMESPACE",
+							Value: viper.GetString("temporal.namespace"),
+						},
 						{
 							Name:  "KEYKEEPER_GRPC_ENDPOINT_OVERRIDE",
 							Value: os.Getenv("KEYKEEPER_GRPC_ENDPOINT_OVERRIDE"),

peridot/keykeeper/v1/sign.go

@@ -213,7 +213,7 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
 				if err2 != nil {
 					s.log.Errorf("failed to add error details to status: %v", err2)
 				}
-				return nil, fmt.Errorf("failed to sign artifact %s: %v\nlogs: %s", artifact.Name, err, outBuf.String())
+				return nil, statusErr
 			}
 			_, err = s.storage.PutObject(newObjectKey, localPath)
 			if err != nil {
@@ -251,6 +251,8 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
 				"--checksig", localPath,
 			}
 			cmd := gpgCmdEnv(exec.Command("rpm", opts...))
+			cmd.Stdout = os.Stdout
+			cmd.Stderr = os.Stderr
 			err := cmd.Run()
 			if err != nil {
 				s.log.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
@@ -260,11 +262,8 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
 		}
 		var tries int
 		for {
-			res, err := rpmSign()
-			if err == nil {
-				return res, nil
-			}
-			err = verifySig()
+			res, _ := rpmSign()
+			err := verifySig()
 			if err == nil {
 				return res, nil
 			}

peridot/yumrepofs/v1/blob.go

@@ -62,6 +62,9 @@ func (s *Server) GetBlob(ctx context.Context, req *yumrepofspb.GetBlobRequest) (
 	if err := req.ValidateAll(); err != nil {
 		return nil, err
 	}
+	if req.Arch == "i386" {
+		req.Arch = "i686"
+	}
 
 	if strings.HasSuffix(req.Blob, ".sqlite.gz") {
 		s3Req, _ := s.s3.GetObjectRequest(&s3.GetObjectInput{

peridot/yumrepofs/v1/metadata.go

@@ -44,6 +44,9 @@ func (s *Server) GetRepoMd(_ context.Context, req *yumrepofspb.GetRepoMdRequest)
 	if err := req.ValidateAll(); err != nil {
 		return nil, err
 	}
+	if req.Arch == "i386" {
+		req.Arch = "i686"
+	}
 
 	latestRevision, err := s.db.GetLatestActiveRepositoryRevisionByProjectIdAndNameAndArch(req.ProjectId, req.RepoName, req.Arch)
 	if err != nil {
@@ -66,6 +69,9 @@ func (s *Server) GetRepoMdSignature(_ context.Context, req *yumrepofspb.GetRepoM
 	if err := req.ValidateAll(); err != nil {
 		return nil, err
 	}
+	if req.Arch == "i386" {
+		req.Arch = "i686"
+	}
 
 	latestRevision, err := s.db.GetLatestActiveRepositoryRevisionByProjectIdAndNameAndArch(req.ProjectId, req.RepoName, req.Arch)
 	if err != nil {
@@ -88,6 +94,9 @@ func (s *Server) GetPublicKey(_ context.Context, req *yumrepofspb.GetPublicKeyRe
 	if err := req.ValidateAll(); err != nil {
 		return nil, err
 	}
+	if req.Arch == "i386" {
+		req.Arch = "i686"
+	}
 
 	key, err := s.db.GetDefaultKeyForProject(req.ProjectId)
 	if err != nil {
@@ -104,6 +113,9 @@ func (s *Server) GetUrlMappings(_ context.Context, req *yumrepofspb.GetUrlMappin
 	if err := req.ValidateAll(); err != nil {
 		return nil, err
 	}
+	if req.Arch == "i386" {
+		req.Arch = "i686"
+	}
 
 	latestRevision, err := s.db.GetLatestActiveRepositoryRevisionByProjectIdAndNameAndArch(req.ProjectId, req.RepoName, req.Arch)
 	if err != nil {

peridot/yumrepofs/v1/rpm.go

@@ -51,6 +51,9 @@ func (s *Server) GetRpm(ctx context.Context, req *yumrepofspb.GetRpmRequest) (*y
 	if err := req.ValidateAll(); err != nil {
 		return nil, err
 	}
+	if req.Arch == "i386" {
+		req.Arch = "i686"
+	}
 
 	fileName := fmt.Sprintf("%s/%s.rpm", req.ParentTaskId, strings.TrimSuffix(req.FileName, ".rpm"))
 	if len(req.ParentTaskId) == 1 {

rules_byc/internal/container/container.bzl

@@ -1,5 +1,5 @@
 load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar")
-load("@io_bazel_rules_docker//container:container.bzl", "container_image", "container_push", "container_layer")
+load("@io_bazel_rules_docker//container:container.bzl", "container_image", "container_layer", "container_push")
 load("@io_bazel_rules_docker//nodejs:image.bzl", "nodejs_image")
 
 REGISTRY_VARIANT = "aws"
@@ -66,7 +66,7 @@ def container(image_name, files, tars_to_layer = [], base = "//bases/bazel/go",
             name = "%s_image_node" % image_name,
             entry_point = server_entrypoint,
             data = server_files,
-            base = ":%s_image" % image_name
+            base = ":%s_image" % image_name,
         )
 
     container_push(
@@ -88,4 +88,3 @@ def container(image_name, files, tars_to_layer = [], base = "//bases/bazel/go",
         }) if should_use_aws_format and not disable_conditional else tag,
         visibility = ["//visibility:public"],
     )
-

servicecatalog/common.go

@@ -50,6 +50,9 @@ func SvcNameGrpc(svc string) string {
 }
 
 func Endpoint(svcName string, ns string, port string) string {
+	if forceNs := os.Getenv("BYC_FORCE_NS"); forceNs != "" {
+		ns = forceNs
+	}
 	return fmt.Sprintf("%s.%s.svc.cluster.local%s", svcName, ns, port)
 }
 

servicecatalog/hydra.go

@@ -31,11 +31,15 @@
 package servicecatalog
 
 func HydraPublic() string {
+	return envOverridable("hydra_public", "http", func() string {
 		svcName := SvcNameHttp("hydra-public")
 		return EndpointHttp(svcName, NS("hydra-public")) + ":4444"
+	})
 }
 
 func HydraAdmin() string {
+	return envOverridable("hydra_admin", "http", func() string {
 		svcName := SvcNameHttp("hydra-admin")
 		return EndpointHttp(svcName, NS("hydra-admin")) + ":4445"
+	})
 }

servicecatalog/spicedb.go

@@ -37,8 +37,10 @@ import (
 )
 
 func SpiceDB() string {
+	return envOverridable("spicedb", "grpc", func() string {
 		svcName := SvcNameGrpc("spicedb")
 		return Endpoint(svcName, NS("spicedb"), ":50051")
+	})
 }
 
 func SpiceDBCredentials() []grpc.DialOption {

temporalutils/BUILD.bazel

@@ -9,6 +9,7 @@ go_library(
         "//vendor/github.com/sirupsen/logrus",
         "//vendor/github.com/spf13/pflag",
         "//vendor/github.com/spf13/viper",
+        "//vendor/go.temporal.io/api/workflowservice/v1:workflowservice",
         "//vendor/go.temporal.io/sdk/client",
         "@org_golang_google_grpc//:go_default_library",
         "@org_golang_google_grpc//credentials",

temporalutils/client.go

@@ -31,14 +31,18 @@
 package temporalutils
 
 import (
+	"context"
 	"crypto/tls"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
+	"go.temporal.io/api/workflowservice/v1"
 	"go.temporal.io/sdk/client"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"os"
 	"strings"
+	"time"
 )
 
 func AddFlags(pflags *pflag.FlagSet) {
@@ -66,5 +70,32 @@ func NewClient(opts client.Options) (client.Client, error) {
 
 	opts.HostPort = temporalHostPort
 
+	bycNs := os.Getenv("BYC_NS")
+	temporalNamespace := os.Getenv("TEMPORAL_NAMESPACE")
+	if temporalNamespace != "" {
+		bycNs = temporalNamespace
+	}
+	if opts.Namespace != "" {
+		bycNs = opts.Namespace
+	}
+	if bycNs == "" {
+		bycNs = "default"
+	}
+
+	nscl, err := client.NewNamespaceClient(opts)
+	if err != nil {
+		return nil, err
+	}
+	dur := 5 * 24 * time.Hour
+	err = nscl.Register(context.TODO(), &workflowservice.RegisterNamespaceRequest{
+		Namespace:                        bycNs,
+		WorkflowExecutionRetentionPeriod: &dur,
+	})
+	if err != nil && !strings.Contains(err.Error(), "Namespace already exists") {
+		return nil, err
+	}
+	opts.Namespace = bycNs
+	viper.Set("temporal.namespace", bycNs)
+
 	return client.NewClient(opts)
 }