From b65e2ca32ae4698a68d53c6f1b10d2381c2ca1a0 Mon Sep 17 00:00:00 2001
From: OatmealDome
Date: Sun, 23 Apr 2023 16:44:11 -0400
Subject: [PATCH] buildbot: Add HTTP basic authentication to change hook
---
 roles/buildbot/default.nix | 2 ++
 roles/buildbot/etc/master.cfg | 3 +++
 secrets/buildbot-change-hook-credentials.age | 16 ++++++++++++++++
 secrets/secrets.nix | 1 +
 4 files changed, 22 insertions(+)
 create mode 100644 secrets/buildbot-change-hook-credentials.age
diff --git a/roles/buildbot/default.nix b/roles/buildbot/default.nix
index d5a5d22..0f9b1c0 100644
--- a/roles/buildbot/default.nix
+++ b/roles/buildbot/default.nix
@@ -89,6 +89,7 @@ in {
 config = lib.mkIf cfg.enable {
 age.secrets.android-keystore = buildbotSecret ../../secrets/android-keystore.age;
 age.secrets.android-keystore-pass = buildbotSecret ../../secrets/android-keystore-pass.age;
+ age.secrets.buildbot-change-hook-credentials = buildbotSecret ../../secrets/buildbot-change-hook-credentials.age;
 age.secrets.buildbot-downloads-create-key = buildbotSecret ../../secrets/buildbot-downloads-create-key.age;
 age.secrets.buildbot-fifoci-frontend-api-key = buildbotSecret ../../secrets/fifoci-frontend-api-key.age;
 age.secrets.buildbot-gh-client-id = buildbotSecret ../../secrets/buildbot-gh-client-id.age;
@@ -115,6 +116,7 @@ in {
 ANDROID_KEYSTORE_PASS_PATH = config.age.secrets.android-keystore-pass.path;
 DOWNLOADS_CREATE_KEY_PATH = config.age.secrets.buildbot-downloads-create-key.path;
 FIFOCI_FRONTEND_API_KEY_PATH = config.age.secrets.buildbot-fifoci-frontend-api-key.path;
+ CHANGE_HOOK_CREDENTIALS_PATH = config.age.secrets.buildbot-change-hook-credentials.path;
 GH_CLIENT_ID_PATH = config.age.secrets.buildbot-gh-client-id.path;
 GH_CLIENT_SECRET_PATH = config.age.secrets.buildbot-gh-client-secret.path;
 STEAM_ACCOUNT_USERNAME_PATH = config.age.secrets.buildbot-steam-username.path;
diff --git a/roles/buildbot/etc/master.cfg b/roles/buildbot/etc/master.cfg
index 6c56b49..cee424d 100644
--- a/roles/buildbot/etc/master.cfg
+++ b/roles/buildbot/etc/master.cfg
@@ -21,6 +21,7 @@ from buildbot.schedulers.basic import AnyBranchScheduler, Dependent
 from buildbot.schedulers.timed import Nightly
 from buildbot.schedulers.triggerable import Triggerable
 from datetime import timedelta
+from twisted.cred import strcred
 import hashlib
 import json
@@ -34,6 +35,7 @@ FIFOCI_API_KEY = open(os.environ["FIFOCI_FRONTEND_API_KEY_PATH"]).read().strip()
 ANDROID_KEYSTORE_PATH = os.environ["ANDROID_KEYSTORE_PATH"]
 ANDROID_KEYSTORE_PASS_PATH = os.environ["ANDROID_KEYSTORE_PASS_PATH"]
 UPDATE_SIGNING_KEY_PATH = os.environ["UPDATE_SIGNING_KEY_PATH"]
+CHANGE_HOOK_CREDENTIALS_PATH = os.environ["CHANGE_HOOK_CREDENTIALS_PATH"]
 ARTIFACTS_BASE_DIR = os.environ["ARTIFACTS_BASE_DIR"]
@@ -1146,6 +1148,7 @@ BuildmasterConfig = {
 "change_hook_dialects": {
 "base": True,
 },
+ "change_hook_auth": [strcred.makeChecker("file:" + CHANGE_HOOK_CREDENTIALS_PATH)]
 },
 "services": [
diff --git a/secrets/buildbot-change-hook-credentials.age b/secrets/buildbot-change-hook-credentials.age
new file mode 100644
index 0000000..57746dd
--- /dev/null
+++ b/secrets/buildbot-change-hook-credentials.age
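Review bot: The `change_hook_auth` entry added to `BuildmasterConfig` in master.cfg relies on Twisted's `file:` checker, which compares against `username:password` lines kept in cleartext, and on HTTP Basic, which only base64-encodes the credentials in transit; the patch shows neither that the decrypted file at `CHANGE_HOOK_CREDENTIALS_PATH` is readable by the buildbot service user alone nor that the hook is served over TLS only, so both should be confirmed. Unlike `FIFOCI_API_KEY`, which is read with `open()` at import, the new constant is only a path, and the `file:` plugin appears to do no more than warn when the file is missing at load time; a guard next to the constant such as `if not os.path.isfile(CHANGE_HOOK_CREDENTIALS_PATH): raise RuntimeError("change hook credentials file missing")` would make a broken deployment fail at startup rather than at the first hook request. A comment above the entry would help the next maintainer, for example `# Basic auth for the "base" change hook; file holds "user:password" lines in cleartext, serve over TLS only`, and the entry lacks the trailing comma its neighbours carry. The `BuildmasterConfig` dict starts and ends outside the hunk.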
@@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-ed25519 QNIwVA 1TyWdqqKanq9wzUE+MByQPRCzFOBZYdHk8tzknPHJX0 +byGUwR03gX7jGxJw4lHBxAW29uBv633wwfDrr5AfbJU +-> ssh-ed25519 nDu9FA FUnW9BVs7ZMY2X3EGEb6Uy1dq/4vgpcBen+JSIEStkA +AShu+WGwV4giKrohpc5wpgjPKUVqHj9qmcdsX6zJxtc +-> ssh-ed25519 tX+N9g BkfKQpUpHbQ8hm2WhD0/csI1DqQfnvnO4AQJUxogNT8 +tUWzy3mnzVlE3dG9cnRoWhRNhHQuO/DneUyJV8exXPM +-> ssh-ed25519 nE7g2A Yc3ZIr0xTWBX4m2IbJOk7Akn3llIf6pm/5v3UK7XtzA +fiNuPtjcacpoK5H5Tl/QM5IDdmWeg5OV1FdzVQc+e88 +-> ssh-ed25519 eddTNw 2Pr6eCPWHgpye3rLLxPJ4Yyfc5AOJBC4+tXhBfV8DGQ +Ya94JmByX2bba3h/mEcshXGIxu3DO+8c2+avJPt5pLo +-> u-grease V>N8k ]8LL!8 sqbYzu [2cgPu2Y +hmGOMZ3B6iKEYEya49WEbJve8HeIiF6g5vxMzHdE8qCsplLW8Y0t0f90HpODXML5 +AWcvMrI05HmN27emq+xUpREGvuZijPgieXQIMd5RSao9loPf1dHy+F0 +--- XRmn6eJOB9KhCD76buXrUeU6O3LwsXGPrXg61qYAMd4 +eW\lzu؅,Z l㲌8'tlq9y,49`gɻ1t! \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 465388b..c9bb0bc 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -20,6 +20,7 @@ let "backup-passphrase.age" "backup-ssh-key.age" "backup-ssh-known-hosts.age" + "buildbot-change-hook-credentials.age" "buildbot-downloads-create-key.age" "buildbot-gh-client-id.age" "buildbot-gh-client-secret.age"