PR#1640: Provide for passing credentials to SRPMfromSCM

Merges #1640 https://pagure.io/koji/pull-request/1640 Fixes: #1658 https://pagure.io/koji/issue/1658 Provide for passing credentials to SRPMfromSCM
2019-12-12 15:22:05 +01:00 · 2019-12-12 15:22:05 +01:00 · 160780cedf
commit 160780cedf
parent e5ac490d71 80021ab904
2 changed files with 19 additions and 0 deletions
--- a/builder/kojid
+++ b/builder/kojid
@ -4764,6 +4764,10 @@ class BuildSRPMFromSCMTask(BaseBuildTask):
        rootopts = {'install_group': 'srpm-build',
                    'setup_dns': True,
                    'repo_id': repo_id}
+        if self.options.scm_credentials_dir is not None and os.path.isdir(self.options.scm_credentials_dir):
+            rootopts['bind_opts'] = {'dirs' : {self.options.scm_credentials_dir : '/credentials',}}
+            ## Force internal_dev_setup back to true because bind_opts is used to turn it off
+            rootopts['internal_dev_setup'] = True
        br_arch = self.find_arch('noarch', self.session.host.getHost(), self.session.getBuildConfig(build_tag['id'], event=event_id))
        broot = BuildRoot(self.session, self.options, build_tag['id'], br_arch, self.id, **rootopts)
        broot.workdir = self.workdir
@ -6179,6 +6183,7 @@ def get_options():
                'createrepo_update': True,
                'pkgurl': None,
                'allowed_scms': '',
+                'scm_credentials_dir': None,
                'support_rpm_source_layout': True,
                'yum_proxy': None,
                'maven_repo_ignore': '*.md5 *.sha1 maven-metadata*.xml _maven.repositories '
--- a/builder/kojid.conf
+++ b/builder/kojid.conf
@ -69,6 +69,20 @@ topurl=http://hub.example.com/kojifiles
 ; is run by default.
 allowed_scms=scm.example.com:/cvs/example git.example.org:/example svn.example.org:/users/*:no

+; A directory to bind mount into Source RPM creation so that some
+; credentials can be supplied when required to fetch sources, e.g.
+; when the place the sources are fetched from requires all accesses to
+; be authenticated in order to satisfy auditing requirements.
+;
+; The directory specified here will turn up in the SRPMfromSCM chroot
+; as /credentials. It is up to whatever implements "make_source_cmd"
+; to make appropriate use of any credentials supplied.
+;
+; Be aware that this means "make_source_cmd" has access to these
+; credentials and could steal them; any credentials supplied
+; should be easily disabled, and not used for other purposes.
+; scm_credentials_dir = /etc/kojid/scmcredentials
+
 ; The mail host to use for sending email notifications
 smtphost=example.com