Add support for [objects]s3-insecure

2024-01-24 12:51:32 +01:00 · 2024-01-24 12:51:32 +01:00 · 2da016a3d3
parent 3f02d409c2
commit 2da016a3d3
6 changed files with 44 additions and 59 deletions
--- a/api/graph/schema.resolvers.go
+++ b/api/graph/schema.resolvers.go
@ -26,6 +26,7 @@ import (
 	"git.sr.ht/~sircmpwn/core-go/config"
 	"git.sr.ht/~sircmpwn/core-go/database"
 	coremodel "git.sr.ht/~sircmpwn/core-go/model"
+	"git.sr.ht/~sircmpwn/core-go/s3"
 	"git.sr.ht/~sircmpwn/core-go/server"
 	"git.sr.ht/~sircmpwn/core-go/valid"
 	corewebhooks "git.sr.ht/~sircmpwn/core-go/webhooks"
@ -43,7 +44,6 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/storer"
 	"github.com/lib/pq"
 	minio "github.com/minio/minio-go/v7"
-	"github.com/minio/minio-go/v7/pkg/credentials"
 )

 // Repository is the resolver for the repository field.
@ -59,10 +59,7 @@ func (r *aCLResolver) Entity(ctx context.Context, obj *model.ACL) (model.Entity,
 // URL is the resolver for the url field.
 func (r *artifactResolver) URL(ctx context.Context, obj *model.Artifact) (string, error) {
 	conf := config.ForContext(ctx)
-	upstream, ok := conf.Get("objects", "s3-upstream")
-	if !ok {
-		return "", fmt.Errorf("S3 upstream not configured for this server")
-	}
+
 	bucket, ok := conf.Get("git.sr.ht", "s3-bucket")
 	if !ok {
 		return "", fmt.Errorf("S3 bucket not configured for this server")
@ -71,7 +68,13 @@ func (r *artifactResolver) URL(ctx context.Context, obj *model.Artifact) (string
 	if !ok {
 		return "", fmt.Errorf("S3 prefix not configured for this server")
 	}
-	return fmt.Sprintf("https://%s/%s/%s/%s", upstream, bucket, prefix, obj.Filename), nil
+
+	base := s3.URL(conf, bucket)
+	if base == "" {
+		return "", s3.ErrDisabled
+	}
+
+	return fmt.Sprintf("%s/%s/%s/%s", base, bucket, prefix, obj.Filename), nil
 }

 // Diff is the resolver for the diff field.
@ -561,21 +564,16 @@ func (r *mutationResolver) DeleteACL(ctx context.Context, id int) (*model.ACL, e
 // UploadArtifact is the resolver for the uploadArtifact field.
 func (r *mutationResolver) UploadArtifact(ctx context.Context, repoID int, revspec string, file graphql.Upload) (*model.Artifact, error) {
 	conf := config.ForContext(ctx)
-	upstream, _ := conf.Get("objects", "s3-upstream")
-	accessKey, _ := conf.Get("objects", "s3-access-key")
-	secretKey, _ := conf.Get("objects", "s3-secret-key")
-	bucket, _ := conf.Get("git.sr.ht", "s3-bucket")
-	prefix, _ := conf.Get("git.sr.ht", "s3-prefix")
-	if upstream == "" || accessKey == "" || secretKey == "" || bucket == "" {
-		return nil, fmt.Errorf("Object storage is not enabled for this server")
+
+	mc, err := s3.NewClient(conf)
+	if err != nil {
+		return nil, err
 	}

-	mc, err := minio.New(upstream, &minio.Options{
-		Creds:  credentials.NewStaticV4(accessKey, secretKey, ""),
-		Secure: true,
-	})
-	if err != nil {
-		panic(err)
+	bucket, _ := conf.Get("git.sr.ht", "s3-bucket")
+	prefix, _ := conf.Get("git.sr.ht", "s3-prefix")
+	if bucket == "" {
+		return nil, s3.ErrDisabled
 	}

 	repo, err := loaders.ForContext(ctx).RepositoriesByID.Load(repoID)
@ -701,21 +699,16 @@ func (r *mutationResolver) UploadArtifact(ctx context.Context, repoID int, revsp
 // DeleteArtifact is the resolver for the deleteArtifact field.
 func (r *mutationResolver) DeleteArtifact(ctx context.Context, id int) (*model.Artifact, error) {
 	conf := config.ForContext(ctx)
-	upstream, _ := conf.Get("objects", "s3-upstream")
-	accessKey, _ := conf.Get("objects", "s3-access-key")
-	secretKey, _ := conf.Get("objects", "s3-secret-key")
-	bucket, _ := conf.Get("git.sr.ht", "s3-bucket")
-	prefix, _ := conf.Get("git.sr.ht", "s3-prefix")
-	if upstream == "" || accessKey == "" || secretKey == "" || bucket == "" {
-		return nil, fmt.Errorf("Object storage is not enabled for this server")
+
+	mc, err := s3.NewClient(conf)
+	if err != nil {
+		return nil, err
 	}

-	mc, err := minio.New(upstream, &minio.Options{
-		Creds:  credentials.NewStaticV4(accessKey, secretKey, ""),
-		Secure: true,
-	})
-	if err != nil {
-		panic(err)
+	bucket, _ := conf.Get("git.sr.ht", "s3-bucket")
+	prefix, _ := conf.Get("git.sr.ht", "s3-prefix")
+	if bucket == "" {
+		return nil, s3.ErrDisabled
 	}

 	var artifact model.Artifact
--- a/api/repos/middleware.go
+++ b/api/repos/middleware.go
@ -3,7 +3,6 @@ package repos
 import (
 	"context"
 	"database/sql"
-	"fmt"
 	"log"
 	"net/http"
 	"path"
@ -11,10 +10,10 @@ import (

 	"git.sr.ht/~sircmpwn/core-go/config"
 	"git.sr.ht/~sircmpwn/core-go/database"
+	"git.sr.ht/~sircmpwn/core-go/s3"
 	work "git.sr.ht/~sircmpwn/dowork"
 	"github.com/go-git/go-git/v5"
 	"github.com/minio/minio-go/v7"
-	"github.com/minio/minio-go/v7/pkg/credentials"
 )

 type contextKey struct {
@ -102,22 +101,16 @@ func DeleteArtifactsBlocking(
 	filenames []string,
 ) error {
 	conf := config.ForContext(ctx)
-	upstream, _ := conf.Get("objects", "s3-upstream")
-	accessKey, _ := conf.Get("objects", "s3-access-key")
-	secretKey, _ := conf.Get("objects", "s3-secret-key")
-	bucket, _ := conf.Get("git.sr.ht", "s3-bucket")
-	prefix, _ := conf.Get("git.sr.ht", "s3-prefix")

-	if upstream == "" || accessKey == "" || secretKey == "" || bucket == "" {
-		return fmt.Errorf("Object storage is not enabled for this server")
+	mc, err := s3.NewClient(conf)
+	if err != nil {
+		return err
 	}

-	mc, err := minio.New(upstream, &minio.Options{
-		Creds:  credentials.NewStaticV4(accessKey, secretKey, ""),
-		Secure: true,
-	})
-	if err != nil {
-		panic(err)
+	bucket, _ := conf.Get("git.sr.ht", "s3-bucket")
+	prefix, _ := conf.Get("git.sr.ht", "s3-prefix")
+	if bucket == "" {
+		return s3.ErrDisabled
 	}

 	for _, filename := range filenames {
--- a/gitsrht-update-hook/stage-3.go
+++ b/gitsrht-update-hook/stage-3.go
@ -8,9 +8,9 @@ import (
 	"path/filepath"
 	"strconv"

+	"git.sr.ht/~sircmpwn/core-go/s3"
 	_ "github.com/lib/pq"
 	"github.com/minio/minio-go/v7"
-	"github.com/minio/minio-go/v7/pkg/credentials"
 )

 func stage3() {
@ -122,16 +122,10 @@ func stage3() {
 }

 func deleteArtifacts(ctx *PushContext, db *sql.DB, payload *WebhookPayload) {
-	s3upstream, _ := config.Get("objects", "s3-upstream")
-	s3accessKey, _ := config.Get("objects", "s3-access-key")
-	s3secretKey, _ := config.Get("objects", "s3-secret-key")
 	s3bucket, _ := config.Get("git.sr.ht", "s3-bucket")
 	s3prefix, _ := config.Get("git.sr.ht", "s3-prefix")

-	minioClient, err := minio.New(s3upstream, &minio.Options{
-		Creds:  credentials.NewStaticV4(s3accessKey, s3secretKey, ""),
-		Secure: true,
-	})
+	minioClient, err := s3.NewClient(config)
 	if err != nil {
 		logger.Fatalf("Error connecting to S3: %e", err)
 	}
--- a/gitsrht/blueprints/artifacts.py
+++ b/gitsrht/blueprints/artifacts.py
@ -19,6 +19,7 @@ artifacts = Blueprint('artifacts', __name__)
 s3_upstream = cfg("objects", "s3-upstream", default=None)
 s3_access_key = cfg("objects", "s3-access-key", default=None)
 s3_secret_key = cfg("objects", "s3-secret-key", default=None)
+s3_secure = cfg("objects", "s3-insecure", default="no") != "yes"
 s3_bucket = cfg("git.sr.ht", "s3-bucket", default=None)
 s3_prefix = cfg("git.sr.ht", "s3-prefix", default=None)

@ -83,7 +84,7 @@ def ref_download(owner, repo, ref, filename):
    prefix = os.path.join(s3_prefix, "artifacts",
            repo.owner.canonical_name, repo.name)
    minio = Minio(s3_upstream, access_key=s3_access_key,
-            secret_key=s3_secret_key, secure=True)
+            secret_key=s3_secret_key, secure=s3_secure)
    f = minio.get_object(s3_bucket, os.path.join(prefix, filename))
    return send_file(f, as_attachment=True, download_name=filename)

--- a/gitsrht/repos.py
+++ b/gitsrht/repos.py
@ -16,6 +16,7 @@ post_update = cfg("git.sr.ht", "post-update-script")
 s3_upstream = cfg("objects", "s3-upstream", default=None)
 s3_access_key = cfg("objects", "s3-access-key", default=None)
 s3_secret_key = cfg("objects", "s3-secret-key", default=None)
+s3_secure = cfg("objects", "s3-insecure", default="no") != "yes"
 s3_bucket = cfg("git.sr.ht", "s3-bucket", default=None)
 s3_prefix = cfg("git.sr.ht", "s3-prefix", default=None)

@ -28,7 +29,7 @@ object_storage_enabled = all([

 def delete_artifact(artifact):
    minio = Minio(s3_upstream, access_key=s3_access_key,
-            secret_key=s3_secret_key, secure=True)
+            secret_key=s3_secret_key, secure=s3_secure)
    repo = artifact.repo
    prefix = os.path.join(s3_prefix, "artifacts",
            repo.owner.canonical_name, repo.name)
@ -49,7 +50,7 @@ def upload_artifact(valid, repo, commit, f, filename):
    if not valid.ok:
        return None
    minio = Minio(s3_upstream, access_key=s3_access_key,
-            secret_key=s3_secret_key, secure=True)
+            secret_key=s3_secret_key, secure=s3_secure)
    prefix = os.path.join(s3_prefix, "artifacts",
            repo.owner.canonical_name, repo.name)
    try:
--- a/gitsrht/types/artifact.py
+++ b/gitsrht/types/artifact.py
@ -31,7 +31,10 @@ class Artifact(Base):
        s3_prefix = cfg("git.sr.ht", "s3-prefix")
        prefix = os.path.join(s3_prefix, "artifacts",
                self.repo.owner.canonical_name, self.repo.name)
-        url = f"https://{s3_upstream}/{s3_bucket}/{prefix}/{self.filename}"
+        proto = "https"
+        if cfg("objects", "s3-insecure", default="no") == "yes":
+            proto = "http"
+        url = f"{proto}://{s3_upstream}/{s3_bucket}/{prefix}/{self.filename}"
        return {
            "created": self.created,
            "checksum": self.checksum,