build policy

New 'build' policy replacing 'build_from_srpm' and 'build_from_repo_id'. Related: https://pagure.io/koji/issue/3323 Author: Tomas Kopecek <tkopecek@redhat.com>
2022-06-21 15:43:20 +02:00 · 2022-06-21 15:43:20 +02:00 · e9ebe2250d
commit e9ebe2250d
parent 07536056e8
3 changed files with 13 additions and 2 deletions
--- a/builder/kojid
+++ b/builder/kojid
@ -1032,17 +1032,22 @@ class BuildTask(BaseTaskHandler):
            'task_id': self.id,
            'build_tag': build_tag,  # id
            'skip_tag': bool(self.opts.get('skip_tag')),
+            'scratch': opts.get('scratch'),
+            'from_scm': SCM.is_scm_url(src),
+            'repo_id': opts.get('repo_id'),
        }
        if target_info:
            policy_data['target'] = target_info['name']
        if not self.opts.get('skip_tag'):
            policy_data['tag'] = dest_tag  # id
+        # backward-compatible deprecated policies (TODO: remove in 1.33)
        if not SCM.is_scm_url(src) and not opts.get('scratch'):
            # let hub policy decide
            self.session.host.assertPolicy('build_from_srpm', policy_data)
        if opts.get('repo_id') is not None:
            # use of this option is governed by policy
            self.session.host.assertPolicy('build_from_repo_id', policy_data)
+        self.session.host.assertPolicy('build_rpm', policy_data)
        if not repo_info:
            repo_info = self.getRepo(build_tag, builds=opts.get('wait_builds'),
                                     wait=opts.get('wait_repo'))  # (subtask)
--- a/docs/source/access_controls.rst
+++ b/docs/source/access_controls.rst
@ -51,9 +51,12 @@ Examples of access control polices are:
 * cg_import: control which content generator imports are allowed
 * vm: control which windows build tasks are allowed
 * dist_repo: control which distRepo tasks are allowed
-* build_from_srpm: control whether builds from srpm are allowed
+* build_rpm: control whether builds are allowed, this is superceding older ``build_from_srpm``
+             to handle all task types. ``build_from_srpm`` and ``build_from_repo_id`` are now
+             deprecated and will be removed in koji 1.33. Default policy allows everything.
+* build_from_srpm [deprecated]: control whether builds from srpm are allowed
 * build_from_scm: control whether builds from the SCM are allowed and the behavior of the SCM
-* build_from_repo_id: control whether builds from user-specified repos ids are allowed
+* build_from_repo_id [deprecated]: control whether builds from user-specified repos ids are allowed

 Note that not all policies are access control policies.
 The ``channel`` and ``volume`` policies are used to control which channels tasks go to
--- a/hub/kojixmlrpc.py
+++ b/hub/kojixmlrpc.py
@ -557,6 +557,9 @@ def load_plugins(opts):


 _default_policies = {
+    'build_rpm': '''
+            all :: allow
+            ''',
    'build_from_srpm': '''
            has_perm admin :: allow
            all :: deny Only admin can do this via default policy