From dbb25f7288be2c9d2afe796d63d1a070e353daca Mon Sep 17 00:00:00 2001
From: makefu
Date: Tue, 8 Nov 2016 16:48:58 +0100
Subject: k 5 Reaktor: harden sed-plugin
---
 krebs/5pkgs/Reaktor/plugins.nix | 2 +-
 krebs/5pkgs/Reaktor/scripts/sed-plugin.py | 17 +++++++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)
(limited to 'krebs/5pkgs')
diff --git a/krebs/5pkgs/Reaktor/plugins.nix b/krebs/5pkgs/Reaktor/plugins.nix
index a483db32..242373ce 100644
--- a/krebs/5pkgs/Reaktor/plugins.nix
+++ b/krebs/5pkgs/Reaktor/plugins.nix
@@ -59,7 +59,7 @@ rec {
 };
 sed-plugin = buildSimpleReaktorPlugin "sed-plugin" {
- path = [ pkgs.gnused pkgs.python3 ];
+ path = [ pkgs.gnused pkgs.proot pkgs.python3 ];
 # only support s///gi the plugin needs to see every msg
 # TODO: this will eat up the last regex, fix Reaktor to support fallthru
 append_rule = true;
diff --git a/krebs/5pkgs/Reaktor/scripts/sed-plugin.py b/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
index 8103c958..6039aeb4 100644
--- a/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
+++ b/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
@@ -34,9 +34,22 @@ if m:
 flagstr = ''
 last = d.get(usr,None)
 if last:
- #print(re.sub(fn,tn,last,count=count,flags=flags))
 from subprocess import Popen,PIPE
- p = Popen(['sed','s/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )
+ import shutil
+ from os.path import realpath
+ # sed only needs stdin/stdout, we protect state_dir with this
+ # input to read/write arbitrary files:
+ # s/.\/\/; w /tmp/i (props to waldi)
+ # conclusion: sed is untrusted and we handle it like this
+ p = Popen(['proot',
+ # '-v','1',
+ '-w','/', # cwd is root
+ '-b','/nix/store', # mount important folders
+ '-b','/usr',
+ '-b','/bin',
+ '-r','/var/empty', # chroot to /var/empty
+ realpath(shutil.which('sed')),
+ 's/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )
 so,se = p.communicate(bytes("{}\n".format(last),"UTF-8"))
 if p.returncode:
 print("something went wrong when trying to process your regex: {}".format(se.decode()))
-- cgit v1.2.3
From 0155fc32e1b79bc25fdfc81ee8460438b70ba128 Mon Sep 17 00:00:00 2001
From: makefu
Date: Tue, 15 Nov 2016 23:26:55 +0100
Subject: k 5: override buildbot
---
 krebs/5pkgs/buildbot/default.nix | 81 ++++++++++++++++++++++++++++++++++++++++
 krebs/5pkgs/buildbot/worker.nix | 24 ++++++++++++
 krebs/5pkgs/default.nix | 6 +++
 krebs/5pkgs/treq/default.nix | 17 +++++++++
 4 files changed, 128 insertions(+)
 create mode 100644 krebs/5pkgs/buildbot/default.nix
 create mode 100644 krebs/5pkgs/buildbot/worker.nix
 create mode 100644 krebs/5pkgs/treq/default.nix
(limited to 'krebs/5pkgs')
diff --git a/krebs/5pkgs/buildbot/default.nix b/krebs/5pkgs/buildbot/default.nix
new file mode 100644
index 00000000..a0e6bb6a
--- /dev/null
+++ b/krebs/5pkgs/buildbot/default.nix
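Review bot: The new Popen call pipes only stdout, so on a non-zero exit `se` is `None` and the error branch two lines below raises `AttributeError` on `se.decode()` instead of reporting sed's message; add `stderr=PIPE` to the call. The chroot still binds `/bin` and `/usr`, and `f`, `t` and `flagstr` are still interpolated into a script that GNU sed parses in full, so the mounts only limit which files sed can see; if the gnused in `path` supports it, passing `--sandbox` (which makes sed reject its file-writing and command-executing commands) before the script is a cheaper and stronger control, and the comment block should say that proot is ptrace-based and, as far as I know, not meant as a security boundary. `communicate` has no timeout, so a pathological pattern keeps the plugin waiting indefinitely; `so,se = p.communicate(..., timeout=10)` inside a `try`/`except TimeoutExpired` that kills the process is worth adding. `shutil.which('sed')` returns `None` when sed is not on PATH, which `realpath` turns into a TypeError rather than a readable error. The enclosing `if m:` block starts before the hunk.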
@@ -0,0 +1,81 @@
+{ pkgs, stdenv, pythonPackages, fetchurl, coreutils, plugins ? [] }:
+
+pythonPackages.buildPythonApplication (rec {
+ name = "${pname}-${version}";
+ pname = "buildbot";
+ version = "0.9.1";
+ src = fetchurl {
+ url = "mirror://pypi/b/${pname}/${name}.tar.gz";
+ sha256 = "1kk4dlkk4rznwid9xykq2lbzksvkcr4r5kmz9hgh5hswdzv8bwx9";
+ };
+ doCheck = false;
+ buildInputs = with pythonPackages; [
+ lz4
+ txrequests
+ pyjade
+ boto3
+ moto
+ txgithub
+ mock
+ setuptoolsTrial
+ isort
+ pylint
+ astroid
+ pyflakes
+ ];
+
+ propagatedBuildInputs = with pythonPackages; [
+
+ # core
+ twisted
+ jinja2
+ zope_interface
+ future
+ sqlalchemy
+ sqlalchemy_migrate
+ future
+ dateutil
+ txaio
+ autobahn
+
+ # tls
+ pyopenssl
+ service-identity
+ idna
+ pkgs.treq
+
+ # docs
+ sphinx
+ sphinxcontrib-blockdiag
+ sphinxcontrib-spelling
+ pyenchant
+ docutils
+ ramlfications
+ sphinx-jinja
+
+ ] ++ plugins;
+
+ preInstall = ''
+ # writes out a file that can't be read properly
+ sed -i.bak -e '69,84d' buildbot/test/unit/test_www_config.py
+
+ # re-hardcode path to tail
+ sed -i.bak 's|/usr/bin/tail|${coreutils}/bin/tail|' buildbot/scripts/logwatcher.py
+ '';
+
+ postFixup = ''
+ mv -v $out/bin/buildbot $out/bin/.wrapped-buildbot
+ echo "#!/bin/sh" > $out/bin/buildbot
+ echo "export PYTHONPATH=$PYTHONPATH" >> $out/bin/buildbot
+ echo "exec $out/bin/.wrapped-buildbot \"\$@\"" >> $out/bin/buildbot
+ chmod -c 555 $out/bin/buildbot
+ '';
+
+ meta = with stdenv.lib; {
+ homepage = http://buildbot.net/;
+ description = "Continuous integration system that automates the build/test cycle";
+ maintainers = with maintainers; [ nand0p ryansydnor ];
+ platforms = platforms.all;
+ license = licenses.gpl2;
+ };
+})
diff --git a/krebs/5pkgs/buildbot/worker.nix b/krebs/5pkgs/buildbot/worker.nix
new file mode 100644
index 00000000..c100de5d
--- /dev/null
+++ b/krebs/5pkgs/buildbot/worker.nix
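Review bot: `future` is listed twice in propagatedBuildInputs (under `# core`), and `doCheck = false` switches the test suite off with no comment saying why while the test-only inputs (`moto`, `boto3`, `mock`, `setuptoolsTrial`) stay in buildInputs; the same uncommented `doCheck = false` is in worker.nix in this commit. Dropping the duplicate and writing `# tests disabled: <actual reason>` next to `doCheck` would make the intent reviewable. The preInstall `sed -i.bak -e '69,84d'` removes a test by line number, which will silently delete the wrong code on the next version bump; a comment naming the test being removed, or a `substituteInPlace` keyed on a recognizable string, would be safer. The postFixup wrapper writes `#!/bin/sh` and bakes the build-time `$PYTHONPATH` into the script; if buildPythonApplication's own `wrapPythonPrograms` still runs for this derivation the hand-rolled wrapper is redundant, and if it does not, the shebang should be `#!${stdenv.shell}` so the result does not depend on a host `/bin/sh`.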
@@ -0,0 +1,24 @@
+{ pkgs, stdenv, fetchurl, pythonPackages }:
+pythonPackages.buildPythonApplication (rec {
+ name = "${pname}-${version}";
+ pname = "buildbot-worker";
+ version = "0.9.1";
+
+ doCheck = false;
+ src = fetchurl {
+ url = "mirror://pypi/b/${pname}/${name}.tar.gz";
+ sha256 = "00p9l1qz6mx12npjwsycp8f9a8f2har15ig79pfsg8z7a7yw93hx";
+ };
+
+ buildInputs = with pythonPackages; [ setuptoolsTrial mock ];
+ propagatedBuildInputs = with pythonPackages; [ twisted future pkgs.treq ];
+
+ meta = with stdenv.lib; {
+ homepage = http://buildbot.net/;
+ description = "Buildbot Worker Daemon";
+ maintainers = with maintainers; [ nand0p ryansydnor ];
+ platforms = platforms.all;
+ license = licenses.gpl2;
+ };
+})
+
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 876f8b9a..c1ec0f33 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -38,6 +38,12 @@ with import ;
 ReaktorPlugins = callPackage ./Reaktor/plugins.nix {};
+ buildbot = callPackage ./buildbot {};
+ buildbot-full = callPackage ./buildbot {
+ plugins = with pkgs.buildbot-plugins; [ www console-view waterfall-view ];
+ };
+ buildbot-worker = callPackage ./buildbot/worker.nix {};
+
 # XXX symlinkJoin changed arguments somewhere around nixpkgs d541e0d
 symlinkJoin = { name, paths, ... }@args: let
 x = pkgs.symlinkJoin args;
diff --git a/krebs/5pkgs/treq/default.nix b/krebs/5pkgs/treq/default.nix
new file mode 100644
index 00000000..20387b9c
--- /dev/null
+++ b/krebs/5pkgs/treq/default.nix
@@ -0,0 +1,17 @@
+{ stdenv, fetchurl, pythonPackages }:
+
+pythonPackages.buildPythonPackage rec {
+ name = "${pname}-${version}";
+ pname = "treq";
+ version = "15.1.0";
+ src = fetchurl {
+ url = "mirror://pypi/t/${pname}/${name}.tar.gz";
+ sha256= "425a47d5d52a993d51211028fb6ade252e5fbea094e878bb4b644096a7322de8";
+ };
+ propagatedBuildInputs = with pythonPackages; [
+ twisted
+ pyopenssl
+ requests2
+ service-identity
+ ];
+}
-- cgit v1.2.3
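Review bot: In the krebs/5pkgs/default.nix hunk, `buildbot-full` references `pkgs.buildbot-plugins` and the two buildbot expressions reference `pkgs.treq`, but nothing in this commit registers either attribute in this file; if they are expected to come from the underlying nixpkgs set or from an automatic import of the treq directory, a one-line comment above `buildbot = callPackage ./buildbot {};` saying so would prevent the next reader from assuming the evaluation is broken, and otherwise `treq = callPackage ./treq {};` is missing here. The treq expression pins its source by hash, which is good; the `sha256= "…"` spacing differs from the rest of the file and is worth normalizing to `sha256 = "…"`. The hunk header text `with import ;` looks like it lost its angle-bracketed path in rendering and is not a defect in the code.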