buildbot: Add HTTP basic authentication to change hook

2024-10-06 23:23:27 +00:00 · 2023-04-23 16:44:11 -04:00 · 2023-04-23 16:44:11 -04:00 · b65e2ca32a
commit b65e2ca32a
parent 9ca1777783
4 changed files with 22 additions and 0 deletions
--- a/roles/buildbot/default.nix
+++ b/roles/buildbot/default.nix
@ -89,6 +89,7 @@ in {
  config = lib.mkIf cfg.enable {
    age.secrets.android-keystore = buildbotSecret ../../secrets/android-keystore.age;
    age.secrets.android-keystore-pass = buildbotSecret ../../secrets/android-keystore-pass.age;
+    age.secrets.buildbot-change-hook-credentials = buildbotSecret ../../secrets/buildbot-change-hook-credentials.age;
    age.secrets.buildbot-downloads-create-key = buildbotSecret ../../secrets/buildbot-downloads-create-key.age;
    age.secrets.buildbot-fifoci-frontend-api-key = buildbotSecret ../../secrets/fifoci-frontend-api-key.age;
    age.secrets.buildbot-gh-client-id = buildbotSecret ../../secrets/buildbot-gh-client-id.age;
@ -115,6 +116,7 @@ in {
        ANDROID_KEYSTORE_PASS_PATH = config.age.secrets.android-keystore-pass.path;
        DOWNLOADS_CREATE_KEY_PATH = config.age.secrets.buildbot-downloads-create-key.path;
        FIFOCI_FRONTEND_API_KEY_PATH = config.age.secrets.buildbot-fifoci-frontend-api-key.path;
+        CHANGE_HOOK_CREDENTIALS_PATH = config.age.secrets.buildbot-change-hook-credentials.path;
        GH_CLIENT_ID_PATH = config.age.secrets.buildbot-gh-client-id.path;
        GH_CLIENT_SECRET_PATH = config.age.secrets.buildbot-gh-client-secret.path;
        STEAM_ACCOUNT_USERNAME_PATH = config.age.secrets.buildbot-steam-username.path;
--- a/roles/buildbot/etc/master.cfg
+++ b/roles/buildbot/etc/master.cfg
@ -21,6 +21,7 @@ from buildbot.schedulers.basic import AnyBranchScheduler, Dependent
 from buildbot.schedulers.timed import Nightly
 from buildbot.schedulers.triggerable import Triggerable
 from datetime import timedelta
+from twisted.cred import strcred

 import hashlib
 import json
@ -34,6 +35,7 @@ FIFOCI_API_KEY = open(os.environ["FIFOCI_FRONTEND_API_KEY_PATH"]).read().strip()
 ANDROID_KEYSTORE_PATH = os.environ["ANDROID_KEYSTORE_PATH"]
 ANDROID_KEYSTORE_PASS_PATH = os.environ["ANDROID_KEYSTORE_PASS_PATH"]
 UPDATE_SIGNING_KEY_PATH = os.environ["UPDATE_SIGNING_KEY_PATH"]
+CHANGE_HOOK_CREDENTIALS_PATH = os.environ["CHANGE_HOOK_CREDENTIALS_PATH"]

 ARTIFACTS_BASE_DIR = os.environ["ARTIFACTS_BASE_DIR"]

@ -1146,6 +1148,7 @@ BuildmasterConfig = {
        "change_hook_dialects": {
            "base": True,
        },
+        "change_hook_auth": [strcred.makeChecker("file:" + CHANGE_HOOK_CREDENTIALS_PATH)]
    },

    "services": [
--- a/secrets/buildbot-change-hook-credentials.age
+++ b/secrets/buildbot-change-hook-credentials.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> ssh-ed25519 QNIwVA 1TyWdqqKanq9wzUE+MByQPRCzFOBZYdHk8tzknPHJX0
+byGUwR03gX7jGxJw4lHBxAW29uBv633wwfDrr5AfbJU
+-> ssh-ed25519 nDu9FA FUnW9BVs7ZMY2X3EGEb6Uy1dq/4vgpcBen+JSIEStkA
+AShu+WGwV4giKrohpc5wpgjPKUVqHj9qmcdsX6zJxtc
+-> ssh-ed25519 tX+N9g BkfKQpUpHbQ8hm2WhD0/csI1DqQfnvnO4AQJUxogNT8
+tUWzy3mnzVlE3dG9cnRoWhRNhHQuO/DneUyJV8exXPM
+-> ssh-ed25519 nE7g2A Yc3ZIr0xTWBX4m2IbJOk7Akn3llIf6pm/5v3UK7XtzA
+fiNuPtjcacpoK5H5Tl/QM5IDdmWeg5OV1FdzVQc+e88
+-> ssh-ed25519 eddTNw 2Pr6eCPWHgpye3rLLxPJ4Yyfc5AOJBC4+tXhBfV8DGQ
+Ya94JmByX2bba3h/mEcshXGIxu3DO+8c2+avJPt5pLo
+-> u-grease V>N8k ]8LL!8 sqbYzu [2cgPu2Y
+hmGOMZ3B6iKEYEya49WEbJve8HeIiF6g5vxMzHdE8qCsplLW8Y0t0f90HpODXML5
+AWcvMrI05HmN27emq+xUpREGvuZijPgieXQIMd5RSao9loPf1dHy+F0
+--- XRmn6eJOB9KhCD76buXrUeU6O3LwsXGPrXg61qYAMd4
+eŸW\ä<>š¯l¶Ízu…Ø…Ò,Z°Àlã²Œ8ëê«'òt·l«q¬9yÝ,4ãù9Á`gÉ»–ó1Ÿ¬Š„„Éìt“!ãû¦Ñ
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -20,6 +20,7 @@ let
    "backup-passphrase.age"
    "backup-ssh-key.age"
    "backup-ssh-known-hosts.age"
+    "buildbot-change-hook-credentials.age"
    "buildbot-downloads-create-key.age"
    "buildbot-gh-client-id.age"
    "buildbot-gh-client-secret.age"