Merge pull request #17 from mstg/miscchanges-1

This commit is contained in:
Mustafa Gezen 2022-07-27 22:32:55 +02:00 committed by GitHub
commit 7e5f6f932a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 171 additions and 37 deletions

View File

@ -82,12 +82,12 @@ go_repository(
go_repository(
name = "com_github_ProtonMail_go_crypto",
importpath = "github.com/ProtonMail/go-crypto",
patch_args = ["-p1"],
patches = [
"//patches:0001-Key-ID-subpacket-should-not-be-hashed-or-critical-fo.patch",
],
sum = "h1:J2FzIrXN82q5uyUraeJpLIm7U6PffRwje2ORho5yIik=",
version = "v0.0.0-20220113124808-70ae35bab23f",
patches = [
"//patches:0001-Key-ID-subpacket-should-not-be-hashed-or-critical-fo.patch",
],
patch_args = ["-p1"],
)
go_repository(

View File

@ -53,6 +53,9 @@ const { auth } = expressOidc;
export default async function(opts) {
// Create a new app for health checks.
const appZ = express();
appZ.get('/healthz', ((req, res) => {
res.end();
}));
appZ.get('/_/healthz', ((req, res) => {
res.end();
}));
@ -83,15 +86,19 @@ export default async function(opts) {
console.log(`Using clientID: ${opts.clientID}`);
console.log(`Using baseURL: ${opts.baseURL}`);
if (opts.issuerBaseURL.endsWith('.localhost') || opts.issuerBaseURL.endsWith('.localhost/')) {
const kong = 'kong-proxy.kong.svc.cluster.local'
if ((opts.issuerBaseURL.endsWith('.localhost')
|| opts.issuerBaseURL.endsWith('.localhost/'))
&& process.env['BYC_ENV']) {
const kong = 'kong-proxy.kong.svc.cluster.local';
const urlObject = new URL(opts.issuerBaseURL);
console.warn(`Forcing ${urlObject.hostname} to resolve to ${kong}`);
const lookup = async () => {
return new Promise((resolve, reject) => {
// noinspection HttpUrlsUsage
dns.lookup(kong, { family: 4 }, (err, address, family) => {
if(err) reject(err);
if (err) {
reject(err);
}
resolve(address);
});
});
@ -99,11 +106,13 @@ export default async function(opts) {
const internalServiceResolve = await lookup();
evilDns.add(urlObject.hostname, internalServiceResolve);
// Disable TLS verification for development
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0;
}
const config = {
authRequired: (process.env['DISABLE_AUTH_ENFORCE'] && process.env['DISABLE_AUTH_ENFORCE'] === 'false') || !!!opts.disableAuthEnforce,
authRequired: process.env['DISABLE_AUTH_ENFORCE']
? process.env['DISABLE_AUTH_ENFORCE'] === 'false'
: !!!opts.disableAuthEnforce,
// Disable telemetry
enableTelemetry: false,
// Use dev secret is none is present (Prod requires a secret so not a security issue)
@ -115,7 +124,6 @@ export default async function(opts) {
clientID: opts.clientID,
// The specific application should supply a dev secret while prod secrets should be set as an env variable
clientSecret: opts.clientSecret,
// We're currently only using the Rocky issuer
issuerBaseURL: opts.issuerBaseURL,
idpLogout: true,
authorizationParams: {
@ -138,13 +146,50 @@ export default async function(opts) {
// Remember, authentication done here is only for simplicity purposes.
// The authentication token is then passed on to the API.
// Bypassing auth here doesn't accomplish anything.
let middlewares = [];
// If requireEmailSuffix is present, let's validate post callback
// that the signed in email ends with a suffix in the allowlist
// Again, a bypass here doesn't accomplish anything.
let requireEmailSuffix = opts.authOptions?.requireEmailSuffix;
if (process.env['AUTH_OPTIONS_REQUIRE_EMAIL_SUFFIX']) {
requireEmailSuffix = process.env['AUTH_OPTIONS_REQUIRE_EMAIL_SUFFIX'].split(
',');
}
if (requireEmailSuffix) {
middlewares.push((req, res, next) => {
const email = req.oidc?.user?.email;
if (!email) {
return next('No email found in the user object');
}
const suffixes = requireEmailSuffix;
let isAllowed = false;
for (const suffix of suffixes) {
if (email.endsWith(suffix)) {
isAllowed = true;
break;
}
}
if (isAllowed) {
next();
} else {
res.redirect(process.env['AUTH_REJECT_REDIRECT_URL']
? process.env['AUTH_REJECT_REDIRECT_URL']
: (opts.authOptions.authRejectRedirectUrl
|| 'https://rockylinux.org'));
}
});
}
app.use((req, res, next) => {
try {
auth(config)(req, res, next);
} catch (err) {
next(err);
}
});
}, [middlewares]);
}
// Currently in dev, webpack is handling all file serving
@ -200,9 +245,11 @@ export default async function(opts) {
// Make it possible to override api url using an env variable.
// Example: /api can be set with URL_API
// Example 2: /manage/api can be set with URL_MANAGE_API
const prodEnvName = `URL_${x.substr(1).replace('/', '_').toUpperCase()}`;
const prodEnvName = `URL_${x.substr(1).replace('/',
'_').toUpperCase()}`;
const apiUrl = prod ? (process.env[prodEnvName] || opts.apis[x].prodApiUrl) : opts.apis[x].devApiUrl;
const apiUrl = prod ? (process.env[prodEnvName]
|| opts.apis[x].prodApiUrl) : opts.apis[x].devApiUrl;
createProxyMiddleware({
target: apiUrl,
@ -265,7 +312,7 @@ export default async function(opts) {
webpackMildCompile(compiler);
const wdm = webpackDevMiddleware(compiler, {
publicPath: opts.webpackConfig.output.publicPath,
publicPath: opts.webpackConfig.output.publicPath
});
app.use(history());
@ -279,7 +326,8 @@ export default async function(opts) {
// For SPAs, the only HTML page is the index page
if (res.get('content-type').indexOf('text/html') !== -1) {
// Run through handlebars compiler with our template parameters
newData = hbs.handlebars.compile(data.toString())(templateParams(req));
newData = hbs.handlebars.compile(data.toString())(
templateParams(req));
} else {
// No new data, just return old data
newData = data;

View File

@ -32,8 +32,20 @@
import os from 'os';
export function envOverridable(svcName, protocol, x) {
const envName = `${svcName}_${protocol}_ENDPOINT_OVERRIDE`.toUpperCase();
const envValue = process.env[envName];
if (envValue) {
return envValue;
}
return x();
}
export function svcName(svc, protocol) {
let env = process.env['BYC_ENV'];
if (!env) {
env = 'dev';
}
return `${svc}-${protocol}-${env}-service`;
}
@ -42,6 +54,10 @@ export function svcNameHttp(svc) {
}
export function endpoint(generatedServiceName, ns, port) {
const forceNs = process.env['BYC_FORCE_NS'];
if (forceNs) {
ns = forceNs;
}
return `${generatedServiceName}.${ns}.svc.cluster.local${port}`;
}

View File

@ -33,20 +33,29 @@
// noinspection JSUnresolvedFunction
// noinspection ES6PreferShortImport
import { svcNameHttp, endpointHttp, NS } from '../../../common/frontend_server/upstream.mjs';
import {
svcNameHttp,
endpointHttp,
NS,
envOverridable
} from '../../../common/frontend_server/upstream.mjs';
import pkg from '@ory/hydra-client';
import os from 'os';
const { Configuration, PublicApi, AdminApi } = pkg;
export function hydraPublicUrl() {
const svc = svcNameHttp('hydra-public');
return endpointHttp(svc, NS('hydra-public'), ':4444');
return envOverridable('hydra_public', 'http', () => {
const svc = svcNameHttp('hydra-public');
return endpointHttp(svc, NS('hydra-public'), ':4444');
});
}
function hydraAdminUrl() {
const svc = svcNameHttp('hydra-admin');
return endpointHttp(svc, NS('hydra-admin'), ':4445');
return envOverridable('hydra_admin', 'http', () => {
const svc = svcNameHttp('hydra-admin');
return endpointHttp(svc, NS('hydra-admin'), ':4445');
});
}
const hydraAdmin = new AdminApi(

View File

@ -16,7 +16,7 @@
"@babel/preset-typescript": "^7.10.4",
"@bazel/buildifier": "^5.1.0",
"@bazel/hide-bazel-files": "^1.7.0",
"@bazel/typescript": "^5.5.2",
"@bazel/typescript": "^3.7.0",
"@emotion/react": "^11.8.1",
"@emotion/styled": "^11.8.1",
"@heroicons/react": "^1.0.1",

View File

@ -578,6 +578,10 @@ func (c *Controller) CreateK8sPodActivity(ctx context.Context, req *ProvisionWor
Name: "REAL_BUILD_ARCH",
Value: imageArch,
},
{
Name: "TEMPORAL_NAMESPACE",
Value: viper.GetString("temporal.namespace"),
},
{
Name: "KEYKEEPER_GRPC_ENDPOINT_OVERRIDE",
Value: os.Getenv("KEYKEEPER_GRPC_ENDPOINT_OVERRIDE"),

View File

@ -213,7 +213,7 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
if err2 != nil {
s.log.Errorf("failed to add error details to status: %v", err2)
}
return nil, fmt.Errorf("failed to sign artifact %s: %v\nlogs: %s", artifact.Name, err, outBuf.String())
return nil, statusErr
}
_, err = s.storage.PutObject(newObjectKey, localPath)
if err != nil {
@ -251,6 +251,8 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
"--checksig", localPath,
}
cmd := gpgCmdEnv(exec.Command("rpm", opts...))
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err := cmd.Run()
if err != nil {
s.log.Errorf("failed to verify artifact %s: %v", artifact.Name, err)
@ -260,11 +262,8 @@ func (s *Server) SignArtifactActivity(ctx context.Context, artifactId string, ke
}
var tries int
for {
res, err := rpmSign()
if err == nil {
return res, nil
}
err = verifySig()
res, _ := rpmSign()
err := verifySig()
if err == nil {
return res, nil
}

View File

@ -62,6 +62,9 @@ func (s *Server) GetBlob(ctx context.Context, req *yumrepofspb.GetBlobRequest) (
if err := req.ValidateAll(); err != nil {
return nil, err
}
if req.Arch == "i386" {
req.Arch = "i686"
}
if strings.HasSuffix(req.Blob, ".sqlite.gz") {
s3Req, _ := s.s3.GetObjectRequest(&s3.GetObjectInput{

View File

@ -44,6 +44,9 @@ func (s *Server) GetRepoMd(_ context.Context, req *yumrepofspb.GetRepoMdRequest)
if err := req.ValidateAll(); err != nil {
return nil, err
}
if req.Arch == "i386" {
req.Arch = "i686"
}
latestRevision, err := s.db.GetLatestActiveRepositoryRevisionByProjectIdAndNameAndArch(req.ProjectId, req.RepoName, req.Arch)
if err != nil {
@ -66,6 +69,9 @@ func (s *Server) GetRepoMdSignature(_ context.Context, req *yumrepofspb.GetRepoM
if err := req.ValidateAll(); err != nil {
return nil, err
}
if req.Arch == "i386" {
req.Arch = "i686"
}
latestRevision, err := s.db.GetLatestActiveRepositoryRevisionByProjectIdAndNameAndArch(req.ProjectId, req.RepoName, req.Arch)
if err != nil {
@ -88,6 +94,9 @@ func (s *Server) GetPublicKey(_ context.Context, req *yumrepofspb.GetPublicKeyRe
if err := req.ValidateAll(); err != nil {
return nil, err
}
if req.Arch == "i386" {
req.Arch = "i686"
}
key, err := s.db.GetDefaultKeyForProject(req.ProjectId)
if err != nil {
@ -104,6 +113,9 @@ func (s *Server) GetUrlMappings(_ context.Context, req *yumrepofspb.GetUrlMappin
if err := req.ValidateAll(); err != nil {
return nil, err
}
if req.Arch == "i386" {
req.Arch = "i686"
}
latestRevision, err := s.db.GetLatestActiveRepositoryRevisionByProjectIdAndNameAndArch(req.ProjectId, req.RepoName, req.Arch)
if err != nil {

View File

@ -51,6 +51,9 @@ func (s *Server) GetRpm(ctx context.Context, req *yumrepofspb.GetRpmRequest) (*y
if err := req.ValidateAll(); err != nil {
return nil, err
}
if req.Arch == "i386" {
req.Arch = "i686"
}
fileName := fmt.Sprintf("%s/%s.rpm", req.ParentTaskId, strings.TrimSuffix(req.FileName, ".rpm"))
if len(req.ParentTaskId) == 1 {

View File

@ -1,5 +1,5 @@
load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar")
load("@io_bazel_rules_docker//container:container.bzl", "container_image", "container_push", "container_layer")
load("@io_bazel_rules_docker//container:container.bzl", "container_image", "container_layer", "container_push")
load("@io_bazel_rules_docker//nodejs:image.bzl", "nodejs_image")
REGISTRY_VARIANT = "aws"
@ -63,10 +63,10 @@ def container(image_name, files, tars_to_layer = [], base = "//bases/bazel/go",
if len(server_files) > 0:
nodejs_image(
name = "%s_image_node" %image_name,
name = "%s_image_node" % image_name,
entry_point = server_entrypoint,
data = server_files,
base = ":%s_image" % image_name
base = ":%s_image" % image_name,
)
container_push(
@ -88,4 +88,3 @@ def container(image_name, files, tars_to_layer = [], base = "//bases/bazel/go",
}) if should_use_aws_format and not disable_conditional else tag,
visibility = ["//visibility:public"],
)

View File

@ -50,6 +50,9 @@ func SvcNameGrpc(svc string) string {
}
func Endpoint(svcName string, ns string, port string) string {
if forceNs := os.Getenv("BYC_FORCE_NS"); forceNs != "" {
ns = forceNs
}
return fmt.Sprintf("%s.%s.svc.cluster.local%s", svcName, ns, port)
}

View File

@ -31,11 +31,15 @@
package servicecatalog
func HydraPublic() string {
svcName := SvcNameHttp("hydra-public")
return EndpointHttp(svcName, NS("hydra-public")) + ":4444"
return envOverridable("hydra_public", "http", func() string {
svcName := SvcNameHttp("hydra-public")
return EndpointHttp(svcName, NS("hydra-public")) + ":4444"
})
}
func HydraAdmin() string {
svcName := SvcNameHttp("hydra-admin")
return EndpointHttp(svcName, NS("hydra-admin")) + ":4445"
return envOverridable("hydra_admin", "http", func() string {
svcName := SvcNameHttp("hydra-admin")
return EndpointHttp(svcName, NS("hydra-admin")) + ":4445"
})
}

View File

@ -37,8 +37,10 @@ import (
)
func SpiceDB() string {
svcName := SvcNameGrpc("spicedb")
return Endpoint(svcName, NS("spicedb"), ":50051")
return envOverridable("spicedb", "grpc", func() string {
svcName := SvcNameGrpc("spicedb")
return Endpoint(svcName, NS("spicedb"), ":50051")
})
}
func SpiceDBCredentials() []grpc.DialOption {

View File

@ -9,6 +9,7 @@ go_library(
"//vendor/github.com/sirupsen/logrus",
"//vendor/github.com/spf13/pflag",
"//vendor/github.com/spf13/viper",
"//vendor/go.temporal.io/api/workflowservice/v1:workflowservice",
"//vendor/go.temporal.io/sdk/client",
"@org_golang_google_grpc//:go_default_library",
"@org_golang_google_grpc//credentials",

View File

@ -31,14 +31,18 @@
package temporalutils
import (
"context"
"crypto/tls"
"github.com/sirupsen/logrus"
"github.com/spf13/pflag"
"github.com/spf13/viper"
"go.temporal.io/api/workflowservice/v1"
"go.temporal.io/sdk/client"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"os"
"strings"
"time"
)
func AddFlags(pflags *pflag.FlagSet) {
@ -66,5 +70,32 @@ func NewClient(opts client.Options) (client.Client, error) {
opts.HostPort = temporalHostPort
bycNs := os.Getenv("BYC_NS")
temporalNamespace := os.Getenv("TEMPORAL_NAMESPACE")
if temporalNamespace != "" {
bycNs = temporalNamespace
}
if opts.Namespace != "" {
bycNs = opts.Namespace
}
if bycNs == "" {
bycNs = "default"
}
nscl, err := client.NewNamespaceClient(opts)
if err != nil {
return nil, err
}
dur := 5 * 24 * time.Hour
err = nscl.Register(context.TODO(), &workflowservice.RegisterNamespaceRequest{
Namespace: bycNs,
WorkflowExecutionRetentionPeriod: &dur,
})
if err != nil && !strings.Contains(err.Error(), "Namespace already exists") {
return nil, err
}
opts.Namespace = bycNs
viper.Set("temporal.namespace", bycNs)
return client.NewClient(opts)
}