diff --git a/contrib/tanglu/eg/debile-tanglu.init.yaml.example b/contrib/tanglu/eg/debile-tanglu.init.yaml.example index f5ac796..e8baf03 100644 --- a/contrib/tanglu/eg/debile-tanglu.init.yaml.example +++ b/contrib/tanglu/eg/debile-tanglu.init.yaml.example @@ -1,22 +1,30 @@ --- Users: # Users of Debile - name: Matthias Klumpp - username: mak - key: 57DC4BD33F73E0CDBA98D22AF7EBEE8EB7982329 email: mak@debian.org - password: s3kr37 + pgp: 57DC4BD33F73E0CDBA98D22AF7EBEE8EB7982329 + ssl: 0000000000000000DEADBEEF0000000000000000 + + - name: Jon Severinsson + email: jon@severinsson.net + pgp: 32623A6F42F5DA4B0DBD5B2BCDBBA39E78415AD2 + ssl: 0000000000000000DEADBEEF0000000000000000 - name: Debian Archive Kit - username: dak - key: 0000000000000000DADADA000000000000000000 email: dak@ftp-master.tanglu.org - password: s3kr37 + pgp: 0000000000000000DEADBEEF0000000000000000 + ssl: 0000000000000000DEADBEEF0000000000000000 Builders: # Machines that can build - name: helium.buildd.tanglu.org - key: 367D333376945BAE75CB466779A21745EC78A01D - maintainer: mak - password: s3kr37 + maintainer: mak@debian.org + pgp: 367D333376945BAE75CB466779A21745EC78A01D + ssl: 0000000000000000DEADBEEF0000000000000000 + + - name: caesium.buildd.tanglu.org + maintainer: jon@severinsson.net + pgp: 517884F17B4964C46EEE3D56FFF33867C01E4D5A + ssl: 9B625D4D2B2C6913216B0DB3251141B32DA8E82F Suites: - name: aequorea-updates @@ -46,7 +54,7 @@ Checks: Groups: - name: default - maintainer: mak + maintainer: mak@debian.org suites: - suite: staging diff --git a/contrib/tanglu/update-jobs.py b/contrib/tanglu/update-jobs.py index de07fb7..2f6a954 100755 --- a/contrib/tanglu/update-jobs.py +++ b/contrib/tanglu/update-jobs.py 
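Review bot: Every Users and Builders entry in this example carries the same `ssl` placeholder `0000000000000000DEADBEEF0000000000000000`, and the same value is repeated in eg/debile.yaml in this commit; since server.py now authenticates by looking that column up with `.first()`, an instance seeded from an unedited example maps one client certificate fingerprint to whichever row the database returns first. A comment on the first entry, `# ssl: SHA-1 fingerprint of this identity's client certificate (DER); must be unique`, would make clear that the value is a per-identity placeholder rather than a shared default. The same applies to the `pgp` value shared by the dak user and the other placeholders.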
@@ -63,7 +63,7 @@ def __init__(self, suite): @staticmethod def create_debile_source(session, group, suite, component_name, dsc_fname): - user = session.query(Person).filter_by(username="dak").one() + user = session.query(Person).filter_by(email="dak@ftp-master.tanglu.org").one() group_suite = session.query(GroupSuite).filter( Group.name==group, diff --git a/debile/master/dimport.py b/debile/master/dimport.py index f162213..9cf0e2c 100644 --- a/debile/master/dimport.py +++ b/debile/master/dimport.py @@ -47,25 +47,10 @@ def import_dict(obj): with session() as s: for user in users: - existing = None - try: - existing = s.query(Person).filter_by( - username=user['username'] - ).one() - except NoResultFound: - pass - - p = Person(**user) - - if existing: - p.id = existing.id - s.merge(p) - else: - s.add(p) + s.add(Person(**user)) for builder in builders: - username = builder.pop('maintainer') - who = s.query(Person).filter_by(username=username).one() + who = s.query(Person).filter_by(email=builder['maintainer']).one() builder['maintainer'] = who builder['last_ping'] = datetime.utcnow() s.add(Builder(**builder)) @@ -85,7 +70,7 @@ def import_dict(obj): for group in groups: suites = group.pop('suites') - who = s.query(Person).filter_by(username=group['maintainer']).one() + who = s.query(Person).filter_by(email=group['maintainer']).one() group['maintainer'] = who group = Group(**group) s.add(group) diff --git a/debile/master/incoming_changes.py b/debile/master/incoming_changes.py index 7c65e68..33adb75 100644 --- a/debile/master/incoming_changes.py +++ b/debile/master/incoming_changes.py 
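Review bot: The uploader identity remains a hard-coded literal, now `email="dak@ftp-master.tanglu.org"`, which has to stay in sync with the dak entry in contrib/tanglu/eg/debile-tanglu.init.yaml.example from this same commit; if the two drift, `.one()` raises an uncaught NoResultFound. A module-level constant such as `DAK_EMAIL = "dak@ftp-master.tanglu.org"` (or a config value) would make the coupling visible in one place. create_debile_source continues past the end of this hunk.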
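Review bot: Replacing the existing-person merge with a bare `s.add(Person(**user))` means re-running the import against a populated database now fails with an IntegrityError on the new `UniqueConstraint('email')` instead of updating the row; that removes the only way to rotate a person's `pgp`/`ssl` fingerprint via the yaml, which is exactly what this commit makes necessary. An upsert keyed on `email` restores the behaviour without the old `username` column. import_dict begins before this hunk and continues after it.
```python
        for user in users:
            # Upsert keyed on the unique column so a re-import updates
            # pgp/ssl fingerprints instead of tripping UniqueConstraint('email').
            existing = s.query(Person).filter_by(email=user['email']).first()
            person = Person(**user)
            if existing is not None:
                person.id = existing.id
                s.merge(person)
            else:
                s.add(person)
        # … unchanged: builder import …
```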
@@ -59,14 +59,14 @@ def process_changes(session, path): return reject_changes(session, changes, "invalid-group") try: - key = changes.validate_signature() + fingerprint = changes.validate_signature() except ChangesFileException: return reject_changes(session, changes, "invalid-signature") #### Sourceful Uploads if changes.is_source_only_upload(): try: - user = session.query(Person).filter_by(key=key).one() + user = session.query(Person).filter_by(pgp=fingerprint).one() except NoResultFound: return reject_changes(session, changes, "invalid-user") return accept_source_changes(session, changes, user) @@ -74,7 +74,7 @@ def process_changes(session, path): #### Binary Uploads if changes.is_binary_only_upload(): try: - builder = session.query(Builder).filter_by(key=key).one() + builder = session.query(Builder).filter_by(pgp=fingerprint).one() except NoResultFound: return reject_changes(session, changes, "invalid-builder") return accept_binary_changes(session, changes, builder) diff --git a/debile/master/incoming_dud.py b/debile/master/incoming_dud.py index e9b987a..b6ee457 100644 --- a/debile/master/incoming_dud.py +++ b/debile/master/incoming_dud.py @@ -53,10 +53,13 @@ def process_dud(session, path): except DudFileException as e: return reject_dud(session, dud, "invalid-dud-upload") - key = dud.validate_signature() + try: + fingerprint = dud.validate_signature() + except DudFileException as e: + return reject_dud(session, dud, "invalid-signature") try: - builder = session.query(Builder).filter_by(key=key).one() + builder = session.query(Builder).filter_by(pgp=fingerprint).one() except NoResultFound: return reject_dud(session, dud, "invalid-dud-builder") diff --git a/debile/master/orm.py b/debile/master/orm.py index 4e8847c..f749dff 100644 --- a/debile/master/orm.py +++ b/debile/master/orm.py 
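Review bot: Both fingerprint lookups use `.one()` but catch only NoResultFound; if two rows share a `pgp` value — which nothing in the orm.py hunk of this commit prevents — MultipleResultsFound escapes process_changes as an unhandled exception instead of a rejection. Catch it alongside, `except (NoResultFound, MultipleResultsFound):` (imported from sqlalchemy.orm.exc, outside this hunk), in this hunk, in the Builder lookup in the second hunk of this file, and in the Builder lookup in incoming_dud.py. process_changes begins before this hunk and continues after it.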
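Review bot: The new `except DudFileException as e:` binds `e` and never uses it, mirroring the existing clause just above; `except DudFileException:` is the idiomatic form for both. Rejecting on signature failure with "invalid-signature" is the right outcome, and it matches the wording used in incoming_changes.py. process_dud begins before this hunk and continues after it.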
@@ -57,52 +57,47 @@ def getthing(obj, name): class Person(Base): __tablename__ = 'people' - __table_args__ = (UniqueConstraint('username'),) + __table_args__ = (UniqueConstraint('email'),) _debile_objs = { "id": "id", - "username": "username", "name": "name", "email": "email", - "key": "key", + "pgp": "pgp", + "ssl": "ssl", } debilize = _debilize id = Column(Integer, primary_key=True) - username = Column(String(255)) # Unique - name = Column(String(255)) email = Column(String(255)) - key = Column(String(255)) - password = Column(String(255)) # Weak password. Not actually critical. - def validate(self, password): - return self.password == password + pgp = Column(String(40), nullable=True) + ssl = Column(String(40), nullable=True) class Builder(Base): + __table_args__ = (UniqueConstraint('name'),) __tablename__ = 'builders' _debile_objs = { "id": "id", - "maintainer_id": "maintainer.username", - "maintainer": "maintainer.name", "name": "name", - "key": "key", "last_ping": "last_ping", + "maintainer_name": "maintainer.name", + "maintainer_email": "maintainer.email", + "pgp": "pgp", + "ssl": "ssl", } debilize = _debilize id = Column(Integer, primary_key=True) + name = Column(String(255)) + last_ping = Column(DateTime, nullable=False) maintainer_id = Column(Integer, ForeignKey('people.id')) maintainer = relationship("Person", foreign_keys=[maintainer_id]) - name = Column(String(255)) - key = Column(String(255)) - password = Column(String(255)) # Weak password. Not actually critical. - last_ping = Column(DateTime, nullable=False) - - def validate(self, password): - return self.password == password + pgp = Column(String(40), nullable=True) + ssl = Column(String(40), nullable=True) class Suite(Base): 
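Review bot: `pgp` and `ssl` become the credentials that incoming_changes.py, incoming_dud.py and server.py look rows up by, yet only `email` (Person) and `name` (Builder) get a UniqueConstraint, so two rows can share a fingerprint and the `.one()`/`.first()` lookups either raise or pick arbitrarily. Add `UniqueConstraint('pgp'), UniqueConstraint('ssl')` to both `__table_args__` tuples; SQLite, which the example master.yaml points at, allows multiple NULLs under a unique constraint, so the `nullable=True` columns still work for identities that have only one of the two. The `String(40)` width pins both columns to a 40-hex-digit value, and a later move to SHA-256 certificate fingerprints would need it widened, so a comment on the columns, `# 40 hex chars: v4 OpenPGP fingerprint / SHA-1 of the DER client certificate`, would save the next reader a guess. The hunk ends at the `class Suite` header.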
@@ -172,8 +167,8 @@ class Group(Base): _debile_objs = { "id": "id", "name": "name", - "maintainer_id": "maintainer.username", - "maintainer": "maintainer.name", + "maintainer_name": "maintainer.name", + "maintainer_email": "maintainer.email", "repo_path": "repo_path", "repo_url": "repo_url", "files_path": "files_path", @@ -293,7 +288,8 @@ class Source(Base): "suite": "group_suite.suite.name", "component": "component.name", "group_id": "group_suite.group_id", - "uploader": "uploader.username", + "uploader_name": "uploader.name", + "uploader_email": "uploader.email", "uploaded_at": "uploaded_at", } debilize = _debilize diff --git a/debile/master/server.py b/debile/master/server.py index a1c8d0e..bec4f0f 100644 --- a/debile/master/server.py +++ b/debile/master/server.py @@ -22,14 +22,12 @@ from SimpleXMLRPCServer import SimpleXMLRPCServer from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler -from sqlalchemy.orm.exc import NoResultFound from sqlalchemy.orm import Session, sessionmaker import debile.master.core from debile.master.utils import session -from debile.master.orm import Person, Builder, Job +from debile.master.orm import Person, Builder -from base64 import b64decode import datetime as dt import SocketServer import threading @@ -37,6 +35,7 @@ from logging.handlers import SysLogHandler import os import ssl +import hashlib from debile.master.core import config 
@@ -90,41 +89,13 @@ def authenticate(self): if not hasattr(NAMESPACE, 'session'): set_session() - (basic, _, encoded) = self.headers.get('Authorization').partition(' ') - if basic.lower() != 'basic': - self.send_error(401, 'Only allowed basic type thing') - entity, password = b64decode(encoded.encode()).decode().split(":", 1) + cert = self.connection.getpeercert(True) + fingerprint = hashlib.sha1(cert).hexdigest().upper() - actor_auth_methods = { - "@": self.authenticate_user, - "%": self.authenticate_machine, - } + NAMESPACE.machine = NAMESPACE.session.query(Builder).filter_by(ssl=fingerprint).first() + NAMESPACE.user = NAMESPACE.session.query(Person).filter_by(ssl=fingerprint).first() - actor_type = entity[0] - entity = entity[1:] - - try: - method = actor_auth_methods[actor_type] - except KeyError: - return False - - return method(NAMESPACE.session, entity, password) - - def authenticate_user(self, session, entity, password): - try: - luser = session.query(Person).filter_by(username=entity).one() - NAMESPACE.user = luser - return luser.validate(password) - except NoResultFound: - return False - - def authenticate_machine(self, session, entity, password): - try: - machine = session.query(Builder).filter_by(name=entity).one() - NAMESPACE.machine = machine - return machine.validate(password) - except NoResultFound: - return False + return NAMESPACE.machine or NAMESPACE.user def parse_request(self, *args): if SimpleXMLRPCRequestHandler.parse_request(self, *args): diff --git a/debile/utils/xmlrpc.py b/debile/utils/xmlrpc.py index 1e60abf..a17f16b 100644 --- a/debile/utils/xmlrpc.py +++ b/debile/utils/xmlrpc.py @@ -90,9 +90,7 @@ def get_proxy(config): raise Exception("No xmlrpc found in slave yaml") proxy = xmlrpclib.ServerProxy( - "https://{user}:{password}@{host}:{port}/".format( - user=xml['user'], - password=xml['password'], + "https://{host}:{port}/".format( host=xml['host'], port=xml['port'], ), transport=DebileSafeTransport( 
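Review bot: `self.connection.getpeercert(True)` returns None when the client presented no certificate, and the next line then fails with a TypeError from `hashlib.sha1(None)` inside the request handler instead of a clean rejection; whether the listening socket enforces `cert_reqs=ssl.CERT_REQUIRED` against the `ca_certs` added to master.yaml is decided outside this hunk, so guard it here: `if cert is None: return False`. Both lookups use `.first()`, which silently picks an arbitrary row if two builders or people share an `ssl` fingerprint — nothing in the orm.py hunk makes that column unique — and a fingerprint present in both tables sets `NAMESPACE.machine` and `NAMESPACE.user` at once, so callers must not assume one of them is None. The fingerprint is a SHA-1 over the DER certificate, which is only a sound identity binding if the TLS layer has already validated the chain; moving to `hashlib.sha256` would require the `String(40)` columns widened to 64. authenticate begins before this hunk.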
diff --git a/eg/debile.yaml b/eg/debile.yaml index efcaa28..7771532 100644 --- a/eg/debile.yaml +++ b/eg/debile.yaml @@ -1,27 +1,25 @@ --- Users: # Users of Debile - name: Paul Tagliamonte - username: paultag - key: 57DC4BD33F73E0CDBA98D22AF7EBEE8EB7982329 email: paultag@debian.org - password: s3kr37 + pgp: 57DC4BD33F73E0CDBA98D22AF7EBEE8EB7982329 + ssl: 0000000000000000DEADBEEF0000000000000000 - name: Archive Rebuilder - username: rebuild - key: 2EA5C67F0A37D37C64C7B5EDC0A1FC9FD80D7B69 email: help@debuild.me - password: s3kr37 + pgp: 2EA5C67F0A37D37C64C7B5EDC0A1FC9FD80D7B69 + ssl: 0000000000000000DEADBEEF0000000000000000 Builders: # Machines that can build - name: leliel.pault.ag - key: 21CAF89F520676541CD7088849E9153AF7901FAE - maintainer: paultag - password: s3kr37 + maintainer: paultag@debian.org + pgp: 21CAF89F520676541CD7088849E9153AF7901FAE + ssl: 0000000000000000DEADBEEF0000000000000000 - name: helios.pault.ag - key: 0C267E932994895CDE7B6B3ECB4315D1BC490D41 - maintainer: paultag - password: s3kr375 + maintainer: paultag@debian.org + pgp: 0C267E932994895CDE7B6B3ECB4315D1BC490D41 + ssl: 0000000000000000DEADBEEF0000000000000000 Suites: - name: unstable @@ -51,7 +49,7 @@ Checks: Groups: - name: default - maintainer: paultag + maintainer: paultag@debian.org suites: - suite: unstable diff --git a/eg/etc/debile/master.yaml b/eg/etc/debile/master.yaml index 759aa59..f971186 100644 --- a/eg/etc/debile/master.yaml +++ b/eg/etc/debile/master.yaml @@ -1,5 +1,5 @@ --- -database: sqlite:////home/tag/debile.db +database: sqlite:////srv/debile/debile.db filerepo_chmod_mode: 660 affinity_preference: ['amd64', 'i386'] @@ -7,8 +7,9 @@ affinity_preference: ['amd64', 'i386'] xmlrpc: addr: 0.0.0.0 port: 22017 - keyfile: /home/tag/debile.key - certfile: /home/tag/debile.crt + keyfile: /srv/debile/master.key + certfile: /srv/debile/master.crt + ca_certs: /srv/debile/clients.pem repo: # custom_resolver: devnull.foo.resolver 
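Review bot: `ca_certs: /srv/debile/clients.pem` is introduced without a comment saying what the file must contain; since server.py now identifies clients by certificate fingerprint, a one-line comment such as `# PEM bundle of the CA(s) that issued the user and builder client certificates` would stop operators from pointing it at the server's own certificate. Whether the listener actually requires a client certificate against this bundle is set in code outside this diff.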
diff --git a/eg/etc/debile/slave.yaml b/eg/etc/debile/slave.yaml index 6702d4c..17ccb5f 100644 --- a/eg/etc/debile/slave.yaml +++ b/eg/etc/debile/slave.yaml @@ -1,11 +1,11 @@ --- xmlrpc: - user: "%leliel.pault.ag" - password: s3kr37 host: debile-master port: 22017 + keyfile: /etc/debile/leliel.key + certfile: /etc/debile/leliel.crt -gpg: GPGFINGERPRINTGOESHEREATSOMEPOINTSOONISH +gpg: 0000000000000000DEADBEEF00000000000000000 dput: host: debile-master diff --git a/eg/etc/debile/user.yaml b/eg/etc/debile/user.yaml index c6c9a9c..f91ca00 100644 --- a/eg/etc/debile/user.yaml +++ b/eg/etc/debile/user.yaml @@ -1,6 +1,6 @@ --- xmlrpc: - user: "@paultag" - password: s3kr37 host: localhost port: 22017 + keyfile: /home/paultag/.debile/paultag.key + certfile: /home/paultag/.debile/paultag.crt
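Review bot: The new `gpg:` placeholder appears to be 41 hex characters, one longer than the 40-character `pgp:`/`ssl:` values used everywhere else in this commit and than the `String(40)` columns in orm.py — worth checking, since a copied-and-edited value of the wrong length will never match a Builder row. The `keyfile`/`certfile` entries added here and in user.yaml carry no comment; `# client certificate whose SHA-1 fingerprint is this identity's ssl: value in the master's import yaml` would link the two configurations for whoever fills them in.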