Merge lp:~cjwatson/charms/trusty/turnip/cgit into lp:~canonical-launchpad-branches/charms/trusty/turnip/devel

Proposed by Colin Watson
Status: Merged
Merged at revision: 56
Proposed branch: lp:~cjwatson/charms/trusty/turnip/cgit
Merge into: lp:~canonical-launchpad-branches/charms/trusty/turnip/devel
Diff against target: 86 lines (+32/-0)
6 files modified
config.yaml (+8/-0)
hooks/actions.py (+7/-0)
hooks/services.py (+9/-0)
templates/cgitwrap.j2 (+4/-0)
templates/envs/CGIT_EXEC_PATH.j2 (+1/-0)
templates/sudoers-cgit.j2 (+3/-0)
To merge this branch: bzr merge lp:~cjwatson/charms/trusty/turnip/cgit
Reviewer Review Type Date Requested Status
Colin Watson (community) Approve
Review via email: mp+254608@code.launchpad.net

Commit message

Configure user separation for cgit.

Description of the change

Configure user separation for cgit. This goes with https://code.launchpad.net/~cjwatson/turnip/cgit/+merge/254606.

Revision history for this message
Colin Watson (cjwatson) :
review: Approve

Preview Diff

1=== modified file 'config.yaml'
2--- config.yaml 2015-03-29 10:43:46 +0000
3+++ config.yaml 2015-03-30 17:02:05 +0000
4@@ -68,6 +68,14 @@
5 type: string
6 default: turnip
7 description: The service will run under this group.
8+ cgit_user:
9+ type: string
10+ default: turnip_cgit
11+ description: The cgit code browser will run as this user.
12+ cgit_group:
13+ type: string
14+ default: turnip_cgit
15+ description: The cgit code browser will run under this group.
16 private_ssh_key:
17 type: string
18 default: ''
19
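Review bot: The new cgit_user and cgit_group values are substituted verbatim into a sudoers rule and a shell command elsewhere in this merge, but nothing here constrains them. A value containing whitespace, a comma or a sudoers metacharacter would yield a broken sudoers fragment or a mis-parsed sudo invocation rather than a clean failure. The descriptions should state the constraint, e.g. `description: The cgit code browser will run as this user (must be a plain Unix username; used verbatim in sudoers).`, and the hook that reads these values is the place to reject anything else.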
20=== modified file 'hooks/actions.py'
21--- hooks/actions.py 2015-03-30 10:50:08 +0000
22+++ hooks/actions.py 2015-03-30 17:02:05 +0000
23@@ -38,6 +38,8 @@
24 CODE_GROUP = config['code_group']
25 USER = config['user']
26 GROUP = config['group']
27+CGIT_USER = config['cgit_user']
28+CGIT_GROUP = config['cgit_group']
29 PRIVATE_KEY = config['private_ssh_key']
30 PRIVATE_KEY_PATH = (os.path.join(KEY_DIR, 'ssh-host-key'))
31 PUBLIC_KEY = config['public_ssh_key']
32@@ -70,6 +72,11 @@
33 password = host.pwgen()
34 host.adduser(USER, password)
35 host.add_user_to_group(USER, GROUP)
36+ cgit_password = host.pwgen()
37+ host.adduser(CGIT_USER, cgit_password)
38+ host.add_user_to_group(CGIT_USER, CGIT_GROUP)
39+ # This lets the main service user execute cgitwrap.
40+ host.add_user_to_group(USER, CGIT_GROUP)
41
42
43 def unpack_source(service_name):
44
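Review bot: `host.adduser(CGIT_USER, cgit_password)` creates the cgit account as a regular user with a generated password and, if `host` is charmhelpers.core.host, the default login shell. Since this account exists only as a sudo target for cgit.cgi, it would be tighter to create it as a system user with no login shell — charmhelpers' adduser accepts `system_user=True` and `shell=...` for that — so the separation this commit introduces does not also add a loginable account. The comment `# This lets the main service user execute cgitwrap.` looks inaccurate: services.py in this merge installs cgitwrap with perms=0o755, so execution is not gated by group membership; if the membership is needed for something else, the comment should say what. The enclosing function starts outside the hunk, and CGIT_GROUP is presumably created earlier in it — worth confirming, since add_user_to_group would fail on a missing group.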
45=== modified file 'hooks/services.py'
46--- hooks/services.py 2015-03-29 10:43:46 +0000
47+++ hooks/services.py 2015-03-30 17:02:05 +0000
48@@ -68,6 +68,15 @@
49 actions.write_ssh_keys,
50 render_env_template(config, 'PRIVATE_SSH_KEY_PATH'),
51 render_env_template(config, 'PUBLIC_SSH_KEY_PATH'),
52+ helpers.render_template(
53+ source='sudoers-cgit.j2',
54+ target='/etc/sudoers.d/turnip-cgit',
55+ perms=0o440),
56+ helpers.render_template(
57+ source='cgitwrap.j2',
58+ target='/usr/local/bin/cgitwrap',
59+ perms=0o755),
60+ render_env_template(config, 'CGIT_EXEC_PATH'),
61 actions.publish_wsgi_relations,
62 ],
63 },
64
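Review bot: The sudoers fragment is rendered straight into `/etc/sudoers.d/turnip-cgit` with no syntax check. A malformed fragment (for instance from an unexpected cgit_user value) makes sudo reject its configuration host-wide, which would break more than cgit. A follow-up step that runs `visudo -c -f /etc/sudoers.d/turnip-cgit` after rendering, or that renders to a temporary path and validates before installing, would surface that at hook time; perms=0o440 is the right mode for the fragment, and I assume render_template keeps root ownership. The enclosing list starts and ends outside the hunk.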
65=== added file 'templates/cgitwrap.j2'
66--- templates/cgitwrap.j2 1970-01-01 00:00:00 +0000
67+++ templates/cgitwrap.j2 2015-03-30 17:02:05 +0000
68@@ -0,0 +1,4 @@
69+#! /bin/sh
70+set -e
71+
72+exec sudo -u {{ cgit_user }} /usr/lib/cgit/cgit.cgi "$@"
73
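Review bot: `set -e` on the second line has no effect here, because the script's only command is an `exec`; either drop it or add a comment saying it is intentional. The username is interpolated unquoted — `exec sudo -u '{{ cgit_user }}' /usr/lib/cgit/cgit.cgi "$@"` keeps a value with unexpected characters from being word-split, although the real guard belongs where the config value is read. A header comment stating that this wrapper is the CGIT_EXEC_PATH target and relies on the matching sudoers fragment would help keep the two files changed together.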
74=== added file 'templates/envs/CGIT_EXEC_PATH.j2'
75--- templates/envs/CGIT_EXEC_PATH.j2 1970-01-01 00:00:00 +0000
76+++ templates/envs/CGIT_EXEC_PATH.j2 2015-03-30 17:02:05 +0000
77@@ -0,0 +1,1 @@
78+/usr/local/bin/cgitwrap
79
80=== added file 'templates/sudoers-cgit.j2'
81--- templates/sudoers-cgit.j2 1970-01-01 00:00:00 +0000
82+++ templates/sudoers-cgit.j2 2015-03-30 17:02:05 +0000
83@@ -0,0 +1,3 @@
84+Runas_Alias CGIT = {{ cgit_user }}
85+Defaults>CGIT !env_reset
86+{{ user }} ALL = (CGIT) /usr/lib/cgit/cgit.cgi
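Review bot: `Defaults>CGIT !env_reset` switches off sudo's environment sanitising for this rule, so everything in the turnip service's environment is handed to cgit.cgi, not just the CGI variables it needs. A narrower form keeps env_reset and lists the required variables explicitly, e.g. `Defaults>CGIT env_keep += "PATH_INFO QUERY_STRING REQUEST_METHOD ..."` — the exact list depends on what the turnip side sets, which this merge does not show. Separately, the rule on the last line carries no NOPASSWD tag; unless another fragment covers it, sudo will prompt for the turnip user's password, which is a random pwgen value that cannot be supplied from a CGI invocation — worth confirming against the turnip-side change this goes with. A one-line comment naming the wrapper (/usr/local/bin/cgitwrap) that depends on this rule would help whoever edits either file next.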
