Compare commits

..

12 commits

Author SHA1 Message Date
Bruno BELANYI 8f60cfe836 nix: flake: build package with vanilla 'nixpkgs' 2021-03-31 16:03:29 +00:00
Antoine Martin 3fc96cd7a8 ci: switch to stable toolchain 2021-03-31 13:48:15 +02:00
Antoine Martin 535cfe0e65 README: remove mention of nightly compiler 2021-03-31 13:46:46 +02:00
Antoine Martin e0fc69781a lohr: build on rust stable
Switching to Rocket's master branch (soon to be 0.5.0) allows building
with a stable Rust compiler, yay!
2021-03-31 13:46:03 +02:00
Antoine Martin 6a79949e28 cargo: try to reduce number of dependencies
serde_regex unconditionally uses all features of the regex crate, which
prevents optimizing the dependency graph further
2021-03-31 12:31:25 +02:00
Antoine Martin 933e164259 README: add section about installing lohr 2021-03-30 23:11:52 +02:00
Antoine Martin a516d841e1 lohr: v0.3.1 2021-03-30 23:02:32 +02:00
Antoine Martin 78194b69ad cargo: bump lockfile 2021-03-30 22:59:39 +02:00
Antoine Martin 54fafc6a46 README: mention cli flag for configuration 2021-03-30 22:57:27 +02:00
Antoine Martin aba153726b main: log when skipping blacklisted repo 2021-03-30 22:53:33 +02:00
Antoine Martin 422024d919 main: support config override with CLI flag 2021-03-30 22:51:51 +02:00
Antoine Martin ff90b5fb2d job: move blacklist processing to request 2021-03-30 22:00:59 +02:00
11 changed files with 977 additions and 628 deletions

View file

@ -10,11 +10,11 @@ jobs:
- name: Checkout sources - name: Checkout sources
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Install nightly toolchain - name: Install stable toolchain
uses: actions-rs/toolchain@v1 uses: actions-rs/toolchain@v1
with: with:
profile: minimal profile: minimal
toolchain: nightly toolchain: stable
override: true override: true
- name: Run cargo check - name: Run cargo check
@ -29,11 +29,11 @@ jobs:
- name: Checkout sources - name: Checkout sources
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Install nightly toolchain - name: Install stable toolchain
uses: actions-rs/toolchain@v1 uses: actions-rs/toolchain@v1
with: with:
profile: minimal profile: minimal
toolchain: nightly toolchain: stable
override: true override: true
- name: Run cargo test - name: Run cargo test
@ -48,11 +48,11 @@ jobs:
- name: Checkout sources - name: Checkout sources
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Install nightly toolchain - name: Install stable toolchain
uses: actions-rs/toolchain@v1 uses: actions-rs/toolchain@v1
with: with:
profile: minimal profile: minimal
toolchain: nightly toolchain: stable
override: true override: true
components: rustfmt, clippy components: rustfmt, clippy

1314
Cargo.lock generated

File diff suppressed because it is too large Load diff

View file

@ -1,6 +1,6 @@
[package] [package]
name = "lohr" name = "lohr"
version = "0.3.0" version = "0.3.1"
authors = ["Antoine Martin <antoine@alarsyo.net>"] authors = ["Antoine Martin <antoine@alarsyo.net>"]
edition = "2018" edition = "2018"
license = "Apache-2.0 OR MIT" license = "Apache-2.0 OR MIT"
@ -16,10 +16,21 @@ hex = "0.4.3"
hmac = "0.10.1" hmac = "0.10.1"
log = "0.4.14" log = "0.4.14"
regex = "1" regex = "1"
rocket = "0.4.7"
rocket_contrib = { version = "0.4.7", features = [ "json" ] }
serde = { version = "1.0.125", features = [ "derive" ] } serde = { version = "1.0.125", features = [ "derive" ] }
serde_json = "1.0.64" serde_json = "1.0.64"
serde_regex = "1.1.0" serde_regex = "1.1.0"
serde_yaml = "0.8.17" serde_yaml = "0.8.17"
sha2 = "0.9.3" sha2 = "0.9.3"
[dependencies.rocket]
version = "0.5.0-dev"
# don't need private-cookies
default-features = false
[dependencies.clap]
version = "2.33.3"
# no need for suggestions or color with only one argument
default-features = false
[patch.crates-io]
rocket = { git = "https://github.com/SergioBenitez/Rocket", rev = "2893ce754d6535e0a752586e60d7e292343016c0" }

View file

@ -21,6 +21,14 @@ file at the repo root.
This is a very destructive process: anything removed from the single source of This is a very destructive process: anything removed from the single source of
truth is effectively removed from any mirror as well. truth is effectively removed from any mirror as well.
** Installing
=lohr= is [[https://crates.io/crates/lohr][published on crates.io]], so you can install it with ~cargo install~:
#+begin_src sh
$ cargo install lohr
#+end_src
** Setup ** Setup
*** Quickstart *** Quickstart
@ -73,8 +81,12 @@ variable.
**** Extra remote configuration **** Extra remote configuration
=lohr= looks for a =lohr-config.yaml= file in its =LOHR_HOME= directory. The You can provide =lohr= with a YAML file containing additional configuration. You
=LOHR_CONFIG= variable takes precedence over looking into the state directory. can pass its path to the =--config= flag when launching =lohr=. If no
configuration is provided via a CLI flag, =lohr= will check the =LOHR_CONFIG=
environment variable. If the environment variable isn't set either, it will
check in =LOHR_HOME= is a =lohr-config.yaml= file exists, and try to load it.
This file takes the following format: This file takes the following format:
#+begin_src yaml #+begin_src yaml

View file

@ -31,43 +31,6 @@
"type": "github" "type": "github"
} }
}, },
"mozillapkgs": {
"flake": false,
"locked": {
"lastModified": 1603906276,
"narHash": "sha256-RsNPnEKd7BcogwkqhaV5kI/HuNC4flH/OQCC/4W5y/8=",
"owner": "mozilla",
"repo": "nixpkgs-mozilla",
"rev": "8c007b60731c07dd7a052cce508de3bb1ae849b4",
"type": "github"
},
"original": {
"owner": "mozilla",
"repo": "nixpkgs-mozilla",
"type": "github"
}
},
"naersk": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1614785451,
"narHash": "sha256-TPw8kQvr2UNCuvndtY+EjyXp6Q5GEW2l9UafXXh1XmI=",
"owner": "nmattia",
"repo": "naersk",
"rev": "e0fe990b478a66178a58c69cf53daec0478ca6f9",
"type": "github"
},
"original": {
"owner": "nmattia",
"ref": "master",
"repo": "naersk",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1616670887, "lastModified": 1616670887,
@ -88,8 +51,6 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"mozillapkgs": "mozillapkgs",
"naersk": "naersk",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
} }

View file

@ -1,13 +1,5 @@
{ {
inputs = { inputs = {
naersk = {
url = "github:nmattia/naersk/master";
inputs.nixpkgs.follows = "nixpkgs";
};
mozillapkgs = {
url = "github:mozilla/nixpkgs-mozilla";
flake = false;
};
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
flake-compat = { flake-compat = {
@ -16,27 +8,19 @@
}; };
}; };
outputs = { self, naersk, mozillapkgs, nixpkgs, flake-utils, ... }: outputs = { self, nixpkgs, flake-utils, ... }:
flake-utils.lib.eachDefaultSystem (system: flake-utils.lib.eachDefaultSystem (system:
let let
pkgs = import nixpkgs { inherit system; }; pkgs = import nixpkgs { inherit system; };
mozilla = pkgs.callPackage (mozillapkgs + "/package-set.nix") { };
rustNightly = (mozilla.rustChannelOf {
date = "2021-03-29";
channel = "nightly";
sha256 = "sha256-Y94CnslybZgiZlNVV6Cg0TUPV2OeDXakPev1kqdt9Kk=";
}).rust;
naersk-lib = pkgs.callPackage naersk {
cargo = rustNightly;
rustc = rustNightly;
};
in in
{ {
defaultPackage = naersk-lib.buildPackage { defaultPackage = pkgs.rustPlatform.buildRustPackage {
src = ./.;
pname = "lohr"; pname = "lohr";
version = "0.3.1";
src = ./.;
cargoSha256 = "sha256-XnBvb13Pv7bNTLCL3WV+bxRK0/uMEKA1/Bk0Tfua3Rs=";
meta = with pkgs.lib; { meta = with pkgs.lib; {
description = "A Git mirroring tool"; description = "A Git mirroring tool";
@ -52,10 +36,12 @@
devShell = pkgs.mkShell { devShell = pkgs.mkShell {
buildInputs = with pkgs; [ buildInputs = with pkgs; [
cargo
clippy
nixpkgs-fmt nixpkgs-fmt
pre-commit pre-commit
rustPackages.clippy rustPackages.clippy
rustNightly rustc
rustfmt rustfmt
]; ];

View file

@ -1 +1 @@
nightly stable

View file

@ -190,13 +190,6 @@ impl Job {
} }
pub(crate) fn run(&mut self, homedir: &Path, config: &GlobalSettings) -> anyhow::Result<()> { pub(crate) fn run(&mut self, homedir: &Path, config: &GlobalSettings) -> anyhow::Result<()> {
if config
.blacklist
.iter()
.any(|re| re.is_match(&self.repo.full_name))
{
return Ok(());
}
let local_path = homedir.join(&self.repo.full_name); let local_path = homedir.join(&self.repo.full_name);
assert!(local_path.is_absolute()); assert!(local_path.is_absolute());
self.local_path = Some(local_path); self.local_path = Some(local_path);

View file

@ -1,18 +1,17 @@
#![feature(proc_macro_hygiene, decl_macro)]
use std::env; use std::env;
use std::fs::File; use std::fs::File;
use std::path::PathBuf; use std::path::{Path, PathBuf};
use std::sync::{ use std::sync::{
mpsc::{channel, Receiver, Sender}, mpsc::{channel, Receiver, Sender},
Mutex, Mutex,
}; };
use std::thread; use std::thread;
use anyhow::Context;
use clap::{App, Arg};
use log::{error, info};
use rocket::{http::Status, post, routes, State}; use rocket::{http::Status, post, routes, State};
use log::error;
mod gitea; mod gitea;
use gitea::GiteaWebHook; use gitea::GiteaWebHook;
@ -29,7 +28,23 @@ struct JobSender(Mutex<Sender<Job>>);
struct Secret(String); struct Secret(String);
#[post("/", data = "<payload>")] #[post("/", data = "<payload>")]
fn gitea_webhook(payload: SignedJson<GiteaWebHook>, sender: State<JobSender>) -> Status { fn gitea_webhook(
payload: SignedJson<GiteaWebHook>,
sender: State<JobSender>,
config: State<GlobalSettings>,
) -> Status {
if config
.blacklist
.iter()
.any(|re| re.is_match(&payload.repository.full_name))
{
info!(
"Ignoring webhook for repo {} which is blacklisted",
payload.repository.full_name
);
return Status::Ok;
}
{ {
let sender = sender.0.lock().unwrap(); let sender = sender.0.lock().unwrap();
let repo = &payload.repository; let repo = &payload.repository;
@ -49,21 +64,47 @@ fn repo_updater(rx: Receiver<Job>, homedir: PathBuf, config: GlobalSettings) {
} }
} }
fn parse_config(mut path: PathBuf) -> anyhow::Result<GlobalSettings> { fn parse_config(home: &Path, flags: &clap::ArgMatches) -> anyhow::Result<GlobalSettings> {
path.push("lohr-config"); // prioritize CLI flag, then env var
path.set_extension("yaml"); let config_path = flags.value_of("config").map(PathBuf::from);
let path = env::var("LOHR_CONFIG") let config_path = config_path.or_else(|| env::var("LOHR_CONFIG").map(PathBuf::from).ok());
.map(Into::into)
.unwrap_or_else(|_| path); let file = match config_path {
let config = if let Ok(file) = File::open(path.as_path()) { Some(config_path) => File::open(&config_path).with_context(|| {
serde_yaml::from_reader(file)? format!(
} else { "could not open provided configuration file at {}",
Default::default() config_path.display()
}; )
Ok(config) })?,
None => {
// check if file exists in lohr home
let config_path = home.join("lohr-config.yaml");
if !config_path.is_file() {
return Ok(Default::default());
} }
fn main() -> anyhow::Result<()> { File::open(config_path).context("failed to open configuration file in LOHR_HOME")?
}
};
serde_yaml::from_reader(file).context("could not parse configuration file")
}
#[rocket::main]
async fn main() -> anyhow::Result<()> {
let matches = App::new("lohr")
.version("0.3.1")
.about("Git mirroring daemon")
.arg(
Arg::with_name("config")
.short("c")
.long("config")
.value_name("FILE")
.help("Use a custom config file")
.takes_value(true),
)
.get_matches();
let (sender, receiver) = channel(); let (sender, receiver) = channel();
let homedir = env::var("LOHR_HOME").unwrap_or_else(|_| "./".to_string()); let homedir = env::var("LOHR_HOME").unwrap_or_else(|_| "./".to_string());
@ -73,7 +114,8 @@ fn main() -> anyhow::Result<()> {
let secret = env::var("LOHR_SECRET") let secret = env::var("LOHR_SECRET")
.expect("please provide a secret, otherwise anyone can send you a malicious webhook"); .expect("please provide a secret, otherwise anyone can send you a malicious webhook");
let config = parse_config(homedir.clone())?; let config = parse_config(&homedir, &matches)?;
let config_state = config.clone();
thread::spawn(move || { thread::spawn(move || {
repo_updater(receiver, homedir, config); repo_updater(receiver, homedir, config);
@ -83,7 +125,9 @@ fn main() -> anyhow::Result<()> {
.mount("/", routes![gitea_webhook]) .mount("/", routes![gitea_webhook])
.manage(JobSender(Mutex::new(sender))) .manage(JobSender(Mutex::new(sender)))
.manage(Secret(secret)) .manage(Secret(secret))
.launch(); .manage(config_state)
.launch()
.await?;
Ok(()) Ok(())
} }

View file

@ -2,7 +2,7 @@ use serde::Deserialize;
pub(crate) type RepoUrl = String; // FIXME: probably needs a better type than this pub(crate) type RepoUrl = String; // FIXME: probably needs a better type than this
#[derive(Default, Deserialize)] #[derive(Clone, Default, Deserialize)]
pub(crate) struct GlobalSettings { pub(crate) struct GlobalSettings {
/// List of remote stems to use when no `.lohr` file is found /// List of remote stems to use when no `.lohr` file is found
#[serde(default)] #[serde(default)]

View file

@ -1,20 +1,17 @@
use std::{ use std::{
io::Read, io,
ops::{Deref, DerefMut}, ops::{Deref, DerefMut},
}; };
use rocket::{ use rocket::{
data::{FromData, Outcome}, data::{ByteUnit, FromData, Outcome},
http::ContentType, http::ContentType,
State, State,
}; };
use rocket::{ use rocket::{http::Status, local_cache};
data::{Transform, Transformed},
http::Status,
};
use rocket::{Data, Request}; use rocket::{Data, Request};
use anyhow::anyhow; use anyhow::{anyhow, Context};
use serde::Deserialize; use serde::Deserialize;
use crate::Secret; use crate::Secret;
@ -53,37 +50,29 @@ impl<T> DerefMut for SignedJson<T> {
} }
} }
const LIMIT: u64 = 1 << 20; const LIMIT: ByteUnit = ByteUnit::Mebibyte(1);
impl<'r, T: Deserialize<'r>> SignedJson<T> {
fn from_str(s: &'r str) -> anyhow::Result<Self> {
serde_json::from_str(s)
.map(SignedJson)
.context("could not parse json")
}
}
// This is a one to one implementation of request_contrib::Json's FromData, but with HMAC // This is a one to one implementation of request_contrib::Json's FromData, but with HMAC
// validation. // validation.
// //
// Tracking issue for chaining Data guards to avoid this: // Tracking issue for chaining Data guards to avoid this:
// https://github.com/SergioBenitez/Rocket/issues/775 // https://github.com/SergioBenitez/Rocket/issues/775
impl<'a, T> FromData<'a> for SignedJson<T> #[rocket::async_trait]
impl<'r, T> FromData<'r> for SignedJson<T>
where where
T: Deserialize<'a>, T: Deserialize<'r>,
{ {
type Error = anyhow::Error; type Error = anyhow::Error;
type Owned = String;
type Borrowed = str;
fn transform( async fn from_data(request: &'r Request<'_>, data: Data) -> Outcome<Self, Self::Error> {
request: &Request,
data: Data,
) -> rocket::data::Transform<Outcome<Self::Owned, Self::Error>> {
let size_limit = request.limits().get("json").unwrap_or(LIMIT);
let mut s = String::with_capacity(512);
match data.open().take(size_limit).read_to_string(&mut s) {
Ok(_) => Transform::Borrowed(Outcome::Success(s)),
Err(e) => Transform::Borrowed(Outcome::Failure((
Status::BadRequest,
anyhow!("couldn't read json: {}", e),
))),
}
}
fn from_data(request: &Request, o: Transformed<'a, Self>) -> Outcome<Self, Self::Error> {
let json_ct = ContentType::new("application", "json"); let json_ct = ContentType::new("application", "json");
if request.content_type() != Some(&json_ct) { if request.content_type() != Some(&json_ct) {
return Outcome::Failure((Status::BadRequest, anyhow!("wrong content type"))); return Outcome::Failure((Status::BadRequest, anyhow!("wrong content type")));
@ -97,26 +86,31 @@ where
)); ));
} }
let size_limit = request.limits().get("json").unwrap_or(LIMIT);
let content = match data.open(size_limit).into_string().await {
Ok(s) if s.is_complete() => s.into_inner(),
Ok(_) => {
let eof = io::ErrorKind::UnexpectedEof;
return Outcome::Failure((
Status::PayloadTooLarge,
io::Error::new(eof, "data limit exceeded").into(),
));
}
Err(e) => return Outcome::Failure((Status::BadRequest, e.into())),
};
let signature = signatures[0]; let signature = signatures[0];
let secret = request.guard::<State<Secret>>().await.unwrap();
let content = o.borrowed()?; if !validate_signature(&secret.0, &signature, &content) {
let secret = request.guard::<State<Secret>>().unwrap();
if !validate_signature(&secret.0, &signature, content) {
return Outcome::Failure((Status::BadRequest, anyhow!("couldn't verify signature"))); return Outcome::Failure((Status::BadRequest, anyhow!("couldn't verify signature")));
} }
let content = match serde_json::from_str(content) { let content = match Self::from_str(local_cache!(request, content)) {
Ok(content) => content, Ok(content) => Outcome::Success(content),
Err(e) => { Err(e) => Outcome::Failure((Status::BadRequest, e)),
return Outcome::Failure((
Status::BadRequest,
anyhow!("couldn't parse json: {}", e),
))
}
}; };
Outcome::Success(SignedJson(content)) content
} }
} }