[Git][qa/jenkins.debian.net][master] reproducible debian: for self-scheduling, replace deb-sso authentication with...
Mattia Rizzolo (@mattia)
gitlab at salsa.debian.org
Wed Apr 30 14:03:04 BST 2025
Mattia Rizzolo pushed to branch master at Debian QA / jenkins.debian.net
Commits:
20c9da5f by Mattia Rizzolo at 2025-04-30T15:01:50+02:00
reproducible debian: for self-scheduling, replace deb-sso authentication with OpenIDc with salsa.debian.org
Signed-off-by: Mattia Rizzolo <mattia at debian.org>
- - - - -
6 changed files:
- bin/cgi-bin/schedule
- hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net.conf
- hosts/jenkins/etc/cron.d/dsa
- − hosts/jenkins/usr/local/bin/update-debsso-ca
- mustache-templates/reproducible/package_suitearch_section.mustache
- update_jdn.sh
Changes:
=====================================
bin/cgi-bin/schedule
=====================================
@@ -15,7 +15,7 @@ cgitb.enable()
def debug_info():
print()
- print('You are authenticated as: {}'.format(user))
+ print('You are authenticated as: {}, A.K.A. {}'.format(user, salsa_username))
print(cgi.FieldStorage())
@@ -140,17 +140,19 @@ def main(args):
# Check whether the user has successfully authenticated
try:
- user = os.environ['SSL_CLIENT_S_DN_CN']
+ user = os.environ['REMOTE_USER']
except KeyError:
user = None
- print('Status: 496 SSL Certificate Required')
+ salsa_username = None
+ print('Status: 401 Unauthorized')
print('Content-Type: text/plain; charset="utf-8"')
print()
- print('You need to authenticate with a Debian SSO certificate to use this service.')
+ print('You need to authenticate with a valid salsa.debian.org OpenIDc identity to use this service.')
print()
- print('(If you believe you are authenticated, your certificate may have expired.)')
else:
try:
+ # if it fails and we get None, whatever, it's only a debug hint
+ salsa_username = os.environ.get('OIDC_CLAIM_preferred_username')
form = cgi.FieldStorage()
main(validate(form))
except Exception:
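Review bot: `user` changes meaning at the `os.environ['REMOTE_USER']` line: with mod_auth_openidc and no `OIDCRemoteUserClaim` set in the accompanying apache hunk, REMOTE_USER is (as far as I recall) derived from the `sub` claim with the issuer hostname appended, an opaque stable id rather than the human-readable CN the old `SSL_CLIENT_S_DN_CN` carried, so any use of `user` further down in main() (outside the hunk) as a login name or in audit/log output should be re-checked. A comment at the assignment would spare the next reader that lookup: `# set by mod_auth_openidc; format is governed by OIDCRemoteUserClaim (default is sub-based, not a login name)`. `salsa_username` comes from `OIDC_CLAIM_preferred_username`, a user-chosen and renamable handle; it is fine as the debug hint the comment describes, but it must not later be promoted to an identity or authorization key, and extending the comment to say so would be cheap. The enclosing main()/dispatch code continues outside the hunk.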
=====================================
hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net.conf
=====================================
@@ -227,18 +227,18 @@ Use https-redirect www.diffoscope.org
Deny from env=bad_bot
</Limit>
</Directory>
- # Use the sso.debian.org CA to validate client certificates
- # Keep these files up to date with update-debsso-ca
- SSLCACertificateFile /etc/apache2/ssl/debsso/debsso.crt
- SSLCARevocationCheck chain
- SSLCARevocationFile /etc/apache2/ssl/debsso/debsso.crl
- <Location /cgi-bin/schedule>
- # Export data about the certificate to the environment
- SSLOptions +StdEnvVars
- # Allow access if one does not have a valid certificate,
- # so we can show a decent error message
- SSLVerifyClient optional
+
+ # Authenticate with with salsa.debian.org OpenIDc
+ OIDCProviderMetadataURL https://salsa.debian.org/.well-known/openid-configuration
+ OIDCRedirectURI https://tests.reproducible-builds.org/auth/secure
+ # this files defines OIDCClientID, OIDCClientSecret, OIDCCryptoPassphrase
+ Include oidc_secrets.conf
+
+ <Location /auth>
+ AuthType openid-connect
+ Require valid-user
</Location>
+ ScriptAlias /auth/schedule /srv/jenkins/bin/cgi-bin/schedule
<Proxy *>
Require all granted
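Review bot: `Require valid-user` in the new `<Location /auth>` admits every salsa.debian.org account, and salsa registration is open, whereas the client-certificate scheme it replaces only admitted holders of a Debian SSO certificate, so the set of people who can self-schedule builds has presumably widened without the commit message saying this is intended. If the previous scope should be kept, mod_auth_openidc's `Require claim` can narrow it against a group/membership claim, provided salsa's OIDC provider exposes one for the requested `OIDCScope` (e.g. `Require claim groups:<group-name>` as a constructed example, to be checked against the real claim name); otherwise a one-line comment in the block recording that any salsa account is deliberately accepted would document the decision. The hunk also removes the `<Location /cgi-bin/schedule>` block but does not show whether a pre-existing `ScriptAlias /cgi-bin/` still serves the script at its old path; the script's own REMOTE_USER check would answer 401 there, but confirming the old path is removed or redirected avoids a confusing dead endpoint. `Include oidc_secrets.conf` is a bare name, so it resolves relative to ServerRoot; noting the expected location and that the file holds `OIDCClientSecret`/`OIDCCryptoPassphrase` (hence root-only permissions and not in the repo) in the comment above it would help whoever provisions the host.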
=====================================
hosts/jenkins/etc/cron.d/dsa
=====================================
@@ -8,4 +8,3 @@ MAILTO=root
0 1 * * * nobody /usr/bin/chronic /usr/lib/nagios/plugins/check_running_kernel
2 1,13 * * * nobody /usr/bin/chronic /usr/local/bin/dsa-check-packages
-0 0 * * * root mkdir -p /etc/apache2/ssl/debsso && /usr/local/bin/update-debsso-ca --destdir /etc/apache2/ssl/debsso
=====================================
hosts/jenkins/usr/local/bin/update-debsso-ca deleted
=====================================
@@ -1,113 +0,0 @@
-#!/usr/bin/python3
-
-# Originally downloaded from https://salsa.debian.org/debsso-team/debsso/raw/master/update-debsso-ca
-
-# Download new versions of the CA certificate and Certificate Revocation List
-# from sso.debian.org and write them out atomically.
-
-import requests
-import tempfile
-import argparse
-import os
-import subprocess
-import ssl
-
-class atomic_writer(object):
- """
- Atomically write to a file
- """
- def __init__(self, fname, mode, osmode=0o644, sync=True, **kw):
- self.fname = fname
- self.osmode = osmode
- self.sync = sync
- dirname = os.path.dirname(self.fname)
- self.fd, self.abspath = tempfile.mkstemp(dir=dirname, text="b" not in mode)
- self.outfd = open(self.fd, mode, closefd=True, **kw)
-
- def __enter__(self):
- return self.outfd
-
- def __exit__(self, exc_type, exc_val, exc_tb):
- if exc_type is None:
- self.outfd.flush()
- if self.sync: os.fdatasync(self.fd)
- os.fchmod(self.fd, self.osmode)
- os.rename(self.abspath, self.fname)
- else:
- os.unlink(self.abspath)
- self.outfd.close()
- return False
-
-
-def get_url(url):
- """
- Fetch a URL and return the raw result as bytes
- """
- bundle='/etc/ssl/ca-debian/ca-certificates.crt'
- if os.path.exists(bundle):
- res = requests.get(url, verify=bundle)
- else:
- res = requests.get(url)
- res.raise_for_status()
- return res.content
-
-
-def update_file(pathname, content, validate=None):
- """
- Write content on pathname atomically, and do nothing if pathname exists and
- has the same content as `content`.
-
- Returns True if the file has been updated, else False.
- """
- try:
- with open(pathname, "rb") as fd:
- existing = fd.read()
- except OSError:
- existing = None
-
- if existing == content: return False
-
- # Validate the contents
- if validate:
- validate(content)
-
- with atomic_writer(pathname, "wb", osmode=0o644) as out:
- out.write(content)
- return True
-
-def validate_crt(data):
- ssl.PEM_cert_to_DER_cert(data.decode("utf-8"))
-
-def validate_crl(data):
- if not data.startswith(b"-----BEGIN X509 CRL-----"):
- raise RuntimeError("Data does not begin with a CRL signature")
- if not data.endswith(b"-----END X509 CRL-----\n"):
- raise RuntimeError("Data does not end with a CRL footer")
-
-def update(destdir):
- # Fetch the certificate and the CRL
- cert = get_url("https://sso.debian.org/ca/ca.pem")
- crl = get_url("https://sso.debian.org/ca/ca.crl")
-
- # Write them out atomically
-
- updated = False
- updated = update_file(os.path.join(destdir, "debsso.crt"), cert, validate=validate_crt) or updated
- updated = update_file(os.path.join(destdir, "debsso.crl"), crl, validate=validate_crl) or updated
- return updated
-
-
-def main():
- parser = argparse.ArgumentParser()
- parser.add_argument("--destdir", default=".", help="destination directory. Default: .")
- parser.add_argument("--onupdate", help="command to run if the file has been updated. Default: do not run anything.")
- args = parser.parse_args()
-
- if update(args.destdir):
- if args.onupdate:
- subprocess.check_call(["sh", "-c", args.onupdate])
-
-
-
-if __name__ == "__main__":
- main()
=====================================
mustache-templates/reproducible/package_suitearch_section.mustache
=====================================
@@ -17,11 +17,11 @@
<a href="{{package_uri}}" target="_parent" title="{{spokenstatus}}: {{version}} on {{build_date}}">
{{version}}
</a> in <a href="/debian/{{suite}}/{{arch}}/" title="Go to: summary of all tests for {{arch}}/{{suite}}" target="_parent">{{suite}}</a>
- <a href="/cgi-bin/schedule?suite={{suite}}&architecture={{arch}}&pkg={{package_quote_plus}}" target="_parent" title="Schedule a new build">♻</a>
+ <a href="/auth/schedule?suite={{suite}}&architecture={{arch}}&pkg={{package_quote_plus}}" target="_parent" title="Schedule a new build">♻</a>
{{/current_suitearch}}
{{#current_suitearch}}
{{version}} in <a href="/debian/{{suite}}/{{arch}}/" title="Go to: summary of all tests for {{arch}}/{{suite}}" target="_parent">{{suite}}</a>
- <a href="/cgi-bin/schedule?suite={{suite}}&architecture={{arch}}&pkg={{package_quote_plus}}" target="_parent" title="Schedule a new build">♻</a>
+ <a href="/auth/schedule?suite={{suite}}&architecture={{arch}}&pkg={{package_quote_plus}}" target="_parent" title="Schedule a new build">♻</a>
{{/current_suitearch}}
{{#dbd_page_uri}}{{^current_suitearch}}
<a href="{{dbd_page_uri}}" class="diff-link" title="Show: formatted diffoscope results">
=====================================
update_jdn.sh
=====================================
@@ -635,6 +635,7 @@ if [ -f /etc/debian_version ] ; then
jq
kgb-client
libcap2-bin
+ libapache2-mod-auth-openidc
libarchive-tools
libfile-touch-perl
libguestfs-tools
View it on GitLab: https://salsa.debian.org/qa/jenkins.debian.net/-/commit/20c9da5f6c756ed283bba9605de080f978f715b2