kojid: extend SCM.assert_allowed with hub policy

This is a simple extention of `SCM.assert_allowed` - `assert_allowed_by_policy` will set the default "use_common" to False which is different to the old behavior - `channel`, `user_id`, `scratch` are passed in the `policy_data` with scminfo right now. This is a prototype for this change, and there are some other solutions could be implemented too - Use a scmpolicy plugin as `postSCMCheckout` callback, the pro is that we can do more checks after the source is initialized on builder, meanwhile, the con is that the source will be downloaded even it is denied by policy. It might be a potential risk? - Do the scm check in hub's `make_task`, this looks straightforward, but may lack some builder's information fixes: #2757
2021-07-16 15:33:39 +00:00 · 2021-07-16 15:33:39 +00:00 · 47c4b5d70b
commit 47c4b5d70b
parent ec70d21c41
8 changed files with 431 additions and 25 deletions
--- a/vm/kojivmd
+++ b/vm/kojivmd
@ -138,6 +138,8 @@ def get_options():
                'offline_retry': True,
                'offline_retry_interval': 120,
                'allowed_scms': '',
+                'allowed_scms_by_config': True,
+                'allowed_scms_by_policy': False,
                'cert': None,
                'serverca': None}
    if config.has_section('kojivmd'):
@ -149,7 +151,8 @@ def get_options():
                    defaults[name] = int(value)
                except ValueError:
                    quit("value for %s option must be a valid integer" % name)
-            elif name in ['offline_retry', 'no_ssl_verify']:
+            elif name in ['offline_retry', 'no_ssl_verify', 'allowed_scms_by_config',
+                          'allowed_scms_by_policy']:
                defaults[name] = config.getboolean('kojivmd', name)
            elif name in ['plugin', 'plugins']:
                defaults['plugin'] = value.split()
@ -325,8 +328,16 @@ class WinBuildTask(MultiPlatformTask):
        # verify the urls before passing them to the VM
        for url in [source_url] + koji.util.to_list(subopts.values()):
            scm = SCM(url)
-            scm.assert_allowed(self.options.allowed_scms)
-
+            scm.assert_allowed(allowed=self.options.allowed_scms,
+                               session=self.session,
+                               by_config=self.options.allowed_scms_use_config,
+                               by_policy=self.options.allowed_scms_use_policy,
+                               opts={
+                                   'user_id': self.taskinfo['owner'],
+                                   'channel': self.session.getChannel(self.taskinfo['channel_id'],
+                                                                      strict=True)['name'],
+                                   'scratch': opts.get('scratch')
+                               })
        task_info = self.session.getTaskInfo(self.id)
        target_info = self.session.getBuildTarget(target)
        if not target_info:
--- a/vm/kojivmd.conf
+++ b/vm/kojivmd.conf
@ -27,6 +27,14 @@ server=http://hub.example.com/kojihub
 ; dir, and will raise an exception if it cannot.
 allowed_scms=scm.example.com:/cvs/example git.example.org:/example svn.example.org:/users/*:no

+; If use the option allowed_scms above for allowing / denying SCM, default: true
+; allowed_scms_use_config = true
+
+; If use hub policy: build_from_scm for allowing / denying SCM, default: false
+; notice that if both options are enabled, both assertions will be applied, and user_common
+; will be overridden by the policy's result.
+; allowed_scms_use_policy = false
+
 ; The mail host to use for sending email notifications
 smtphost=example.com