diff --git a/config.example.ini b/config.example.ini
index 9f6301e..1606081 100644
--- a/config.example.ini
+++ b/config.example.ini
@@ -9,6 +9,9 @@ site-info=https://sourcehut.org
 # {{ site-name }}, {{ site-blurb }}
 site-blurb=the hacker's forge
 #
+# If this != production, we add a banner to each page
+environment=development
+#
 # Contact information for the site owners
 owner-name=Drew DeVault
 owner-email=sir@cmpwn.com
diff --git a/dispatchsrht-migrate b/dispatchsrht-migrate
index 446d4a6..b1a72c7 100755
--- a/dispatchsrht-migrate
+++ b/dispatchsrht-migrate
@@ -3,4 +3,3 @@ import dispatchsrht.alembic
 import srht.alembic
 from srht.database import alembic
 alembic("dispatch.sr.ht", dispatchsrht.alembic)
-alembic("dispatch.sr.ht", srht.alembic)
diff --git a/dispatchsrht/alembic/versions/986fd25d5184_add_secrets_to_github_prs.py b/dispatchsrht/alembic/versions/986fd25d5184_add_secrets_to_github_prs.py
new file mode 100644
index 0000000..d59825c
--- /dev/null
+++ b/dispatchsrht/alembic/versions/986fd25d5184_add_secrets_to_github_prs.py
@@ -0,0 +1,26 @@
+"""Add secrets to GitHub PRs
+
+Revision ID: 986fd25d5184
+Revises: 5ad9b51c90f5
+Create Date: 2019-06-21 10:36:22.290121
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '986fd25d5184'
+down_revision = '5ad9b51c90f5'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    op.add_column('github_pr_to_build', sa.Column('private',
+        sa.Boolean, nullable=False, server_default='f'))
+    op.add_column('github_pr_to_build', sa.Column('secrets',
+        sa.Boolean, nullable=False, server_default='f'))
+
+
+def downgrade():
+    op.add_drop('github_pr_to_build', 'private')
+    op.add_drop('github_pr_to_build', 'secrets')
diff --git a/dispatchsrht/blueprints/html.py b/dispatchsrht/blueprints/html.py
index 20c0ca5..17b277b 100644
--- a/dispatchsrht/blueprints/html.py
+++ b/dispatchsrht/blueprints/html.py
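Review bot: `downgrade()` in the new migration calls `op.add_drop`, which is not an Alembic operation, so the first `alembic downgrade` through this revision will fail with AttributeError; the two lines should be `op.drop_column('github_pr_to_build', 'private')` and `op.drop_column('github_pr_to_build', 'secrets')`. The upgrade side is fine as written: `server_default='f'` means existing rows come up with secrets disabled, which is the fail-closed default this feature needs. Running the migration in both directions once locally would have caught this, since nothing else exercises the downgrade path.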
@@ -1,4 +1,5 @@
 from flask import Blueprint, render_template, request, redirect, url_for, abort
+from flask import session
 from flask_login import current_user
 from srht.config import cfg
 from srht.database import db
diff --git a/dispatchsrht/tasks/github/github_pr_to_build.py b/dispatchsrht/tasks/github/github_pr_to_build.py
index 637e0be..b2f357d 100644
--- a/dispatchsrht/tasks/github/github_pr_to_build.py
+++ b/dispatchsrht/tasks/github/github_pr_to_build.py
@@ -2,6 +2,7 @@ import sqlalchemy as sa
 import sqlalchemy_utils as sau
 from github import Github
 from flask import Blueprint, redirect, request, render_template, url_for, abort
+from flask import session
 from flask_login import current_user
 from jinja2 import Markup
 from uuid import UUID, uuid4
@@ -46,6 +47,8 @@ class GitHubPRToBuild(TaskDef):
     repo = sa.Column(sa.Unicode(1024), nullable=False)
     github_webhook_id = sa.Column(sa.Integer, nullable=False)
     automerge = sa.Column(sa.Boolean, nullable=False, server_default='f')
+    private = sa.Column(sa.Boolean, nullable=False, server_default='f')
+    secrets = sa.Column(sa.Boolean, nullable=False, server_default='f')
 
     blueprint = Blueprint("github_pr_to_build", __name__,
             template_folder="github_pr_to_build")
@@ -56,7 +59,19 @@ class GitHubPRToBuild(TaskDef):
         ).one_or_none()
         if not record:
             abort(404)
-        return render_template("github/edit.html", task=task, record=record)
+        auth = GitHubAuthorization.query.filter(
+            GitHubAuthorization.user_id == current_user.id
+        ).first()
+        github = Github(auth.oauth_token)
+        repo = github.get_repo(record.repo)
+        if repo.private != record.private:
+            record.private = repo.private
+            if not repo.private:
+                record.secrets = False
+            db.session.commit()
+        saved = session.pop("saved", False)
+        return render_template("github/edit.html",
+            task=task, record=record, saved=saved)
 
     def edit_POST(task):
         record = GitHubPRToBuild._GitHubPRToBuildRecord.query.filter(
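Review bot: `Github(auth.oauth_token)` in the new edit_GET body dereferences `auth` without checking that `.first()` returned a row, so a user whose GitHub authorization is missing or has been revoked gets a 500 here, while the webhook handler later in this file returns 401 for the same condition; add `if not auth:` / `abort(401)` before constructing the client. `github.get_repo(record.repo)` can also raise (repository deleted, token no longer valid), and because the purpose of this block is to clear `record.secrets` when a repository stops being private, an unhandled exception leaves the stale flag in place — wrap the call and either clear `record.secrets` or abort with an explicit error, but do not fall through with the old value. The collapsed rendering loses indentation, so whether `db.session.commit()` sits inside the `if repo.private != record.private:` branch is not visible; either placement is correct, but it is worth a comment that this GET now performs a GitHub API call and a database write as a visibility re-sync, since that is unusual for a page load. edit_GET starts before this hunk.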
@@ -64,8 +79,13 @@ class GitHubPRToBuild(TaskDef):
         ).one_or_none()
         valid = Validation(request)
         automerge = valid.optional("automerge", cls=bool, default=False)
+        secrets = valid.optional("secrets", cls=bool, default=False)
         record.automerge = bool(automerge)
+        record.secrets = bool(secrets)
+        if not record.private:
+            record.secrets = False
         db.session.commit()
+        session["saved"] = True
         return redirect(url_for("html.edit_task", task_id=task.id))
 
     @csrf_bypass
@@ -94,8 +114,11 @@ class GitHubPRToBuild(TaskDef):
             return (
                 "You have not authorized us to access your GitHub account", 401
             )
+        secrets = hook.secrets
+        if not base_repo["private"]:
+            secrets = False
         return submit_build(hook, head_repo, head, base_repo,
-            secrets=False, extras={
+            secrets=secrets, extras={
                 "automerge": hook.automerge,
                 "pr": pr["number"]
             }, env={
@@ -141,6 +164,7 @@ class GitHubPRToBuild(TaskDef):
         record.task_id = task.id
         record.github_webhook_id = -1
         record.repo = repo.full_name
+        record.private = repo.private
         db.session.add(record)
         db.session.flush()
         hook = repo.create_hook("web", {
diff --git a/dispatchsrht/templates/github/edit.html b/dispatchsrht/templates/github/edit.html
index 6e119d2..0d39639 100644
--- a/dispatchsrht/templates/github/edit.html
+++ b/dispatchsrht/templates/github/edit.html
@@ -56,14 +56,34 @@
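Review bot: `record.secrets = bool(secrets)` followed by the `if not record.private:` reset silently discards a request to enable secrets on a public repository, and `record.private` here is whatever the most recent edit_GET synced rather than the repository's current visibility; the webhook handler re-checks `base_repo["private"]` before submitting, so this assignment is defence in depth rather than the enforcement point, and a comment saying so would stop the next reader from treating it as the only gate: `# best-effort; the webhook handler re-checks visibility before submitting with secrets`. edit_POST also never checks that `one_or_none()` found a record, so `record.automerge` and the new `record.secrets` line raise AttributeError instead of returning 404 for an unknown task — edit_GET does `if not record: abort(404)` right after the same query and this method should match. edit_POST starts before this hunk.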
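Review bot: `if not base_repo["private"]:` makes the decision to expose build secrets from a field of the inbound webhook payload and raises KeyError (a 500, with the event left unprocessed) when the field is absent; `if not base_repo.get("private"):` fails closed in that case. Whether the payload itself can be trusted depends on the hook's signature verification, which is outside this hunk; if that is not in place, re-querying the repository's visibility through the authenticated client, as edit_GET now does, would make the secrets decision independent of what the payload claims. Keeping both the owner-set `hook.secrets` flag and a visibility check as the condition is the right shape — neither alone should be sufficient. The enclosing handler starts and ends outside this hunk.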
+ {% if record.private %} +
+ Warning: Enable secrets for this hook with care. Anyone + who can submit a pull request will be able to extract secrets from the + build environment if you enable secrets for this repository. +
+ {% endif %}
+ {% if not record.private %} - Secrets are disabled for pull requests. + Secrets are disabled for pull requests on public repos. + {% else %} + + + {% endif %}
{% endif %} @@ -72,3 +92,8 @@ {{icon("caret-right")}} +{% if saved %} +
+ Changes saved. +
+{% endif %}