Commit 9a166c00 authored by Zen Fu's avatar Zen Fu

Weblate: pull/push from/to GitLab (#55, #56)

Tails is now using GitLab to host its canonical repositories, and
Weblate has to use those repos to pull from and push to.

When pulling, we just change the origin remote URL to GitLab's.

When pushing, before this change, an update hook in Gitolite's tails.git
took care of preventing Weblate from modifying things it was not allowed
to. As we don't have SSH access to the root filesystem of the GitLab VM,
there's no simple way to set up server hooks there. Because of this, we
use a "gatekeeper" repository to do the same checks as before and proxy
updates to GitLab. As the gatekeeper is hosted in a different VM than
Weblate, we are still protected from privilege escalation as we were
before.
parent 9745e0bc
......@@ -31,6 +31,10 @@ repository_root="${gitolite_root}/repositories"
git remote add salsa "git@salsa.debian.org:tails-team/$repository"
)
;;
weblate-gatekeeper.git)
git remote | grep -qs -x gitlab || \
git remote add gitlab "git@gitlab.tails.boum.org/tails/tails.git"
;;
*)
;;
esac
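Review bot: The remote URL added on the `git remote add gitlab` line is not a valid scp-style SSH URL: `git@gitlab.tails.boum.org/tails/tails.git` has a `/` where the `:` separating host from path belongs, so git will treat it as a relative local directory and the gatekeeper's push to GitLab will fail with "does not appear to be a git repository". The salsa remote a few lines up uses the correct form, `git@salsa.debian.org:tails-team/$repository`. The line should read `git remote add gitlab "git@gitlab.tails.boum.org:tails/tails.git"`. The enclosing case statement and the function it sits in start before this hunk.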
......
......@@ -41,9 +41,9 @@ docron() {
log "done."
(
log "Pushing master branch of '${INTEGRATION_GIT_CHECKOUT}' to the 'origin' remote..."
log "Force-pushing master branch of '${INTEGRATION_GIT_CHECKOUT}' to the 'weblate-gatekeeper' remote..."
cd "${INTEGRATION_GIT_CHECKOUT}"
git push --quiet origin master >> "$UPDATE_LOGFILE" 2>&1
git push --quiet weblate-gatekeeper +master >> "$UPDATE_LOGFILE" 2>&1
log "done."
)
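Review bot: The force push on the `git push --quiet weblate-gatekeeper +master` line has no failure handling: it runs inside a subshell with both output streams redirected to the log file, and `log "done."` follows regardless of its exit status, so a rejection by the gatekeeper's update hook (or an SSH/key problem) is only visible to someone reading `$UPDATE_LOGFILE`. Unless docron runs under `set -e` (its start is outside this hunk), I'd guard it: `git push --quiet weblate-gatekeeper +master >> "$UPDATE_LOGFILE" 2>&1 || log "ERROR: push to weblate-gatekeeper failed, see $UPDATE_LOGFILE"`. A comment on why `+master` (a forced push) is needed here would also help, since the downstream non-forced push from the gatekeeper to GitLab presumably relies on the gatekeeper's master only moving forward.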
......
......@@ -90,6 +90,7 @@ WantedBy=multi-user.target
}
class { '::tails::gitolite::weblate_gatekeeper': }
class { '::tails::gitolite::hooks::common': }
class { '::tails::gitolite::hooks::jenkins_jobs': }
class { '::tails::gitolite::hooks::tails': }
......
......@@ -25,25 +25,14 @@ class tails::gitolite::hooks::tails () inherits tails::website::params {
require => Package[curl],
}
# Gitolite's own update hook will automatically chain to update.secondary,
# taking care to pass it the same 3 arguments the original update hook
# received from Git.
$weblate_update_hook_packages = [
'python3-git',
]
# TODO: remove after deploy
file { "${hooks_directory}/update.secondary":
source => 'puppet:///modules/tails/gitolite/hooks/tails-weblate-update.hook',
owner => root,
group => root,
mode => '0755',
require => Package[$weblate_update_hook_packages],
ensure => absent,
}
ensure_packages($weblate_update_hook_packages)
# TODO: remove after deploy
file { "${hooks_directory}/langs.json":
content => template('tails/weblate/langs.json.erb'),
mode => '0640',
owner => root,
group => gitolite3,
ensure => absent,
}
ensure_packages(['curl'])
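Review bot: Removing `update.secondary` from tails.git's hooks drops the check that limited what the Weblate key could push to that repository, but this commit does not show the gitolite-admin change that revokes Weblate's write access to `tails`; until that is confirmed, the old repository on this host accepts unchecked pushes from the Weblate VM. I'd either keep the hook until the gitolite-admin ACL is updated, or state the assumption on the `# TODO: remove after deploy` line, e.g. `# TODO: remove after deploy -- assumes the Weblate key no longer has write access to tails.git`. Minor style: with `ensure => absent` the remaining `source`, `content`, `owner`, `group`, `mode` and `require` attributes are dead and Puppet convention puts `ensure` first, so `file { "${hooks_directory}/update.secondary": ensure => absent, }` is enough. The class `tails::gitolite::hooks::tails` starts and ends outside this hunk.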
......
# The Weblate Gatekeeper repository is used as an intermediary between Weblate
# and GitLab to make sure Weblate only pushes what it's allowed to and mitigate
# privilege escalation in the Weblate VM from compromising Tails code in the
# main repository.
class tails::gitolite::weblate_gatekeeper() {
$hooks_dir = '/var/lib/gitolite3/repositories/weblate-gatekeeper.git/hooks'
# The repository itself is created by Gitolite and managed in the
# puppet-git.lizard:gitolite-admin repo, so we only manage hooks here.
file { $hooks_dir:
ensure => directory,
owner => 'gitolite3',
group => 'gitolite3',
mode => '0700',
}
ensure_packages([ 'python3-git' ])
file { "${hooks_dir}/update.secondary": # Gitolite chains 'update' to 'update.secondary'
source => 'puppet:///modules/tails/gitolite/hooks/tails-weblate-update.hook',
owner => 'gitolite3',
group => 'gitolite3',
mode => '0700',
require => [
Package['python3-git'],
File[$hooks_dir],
],
}
file { "${hooks_dir}/langs.json":
content => template('tails/weblate/langs.json.erb'),
mode => '0600',
owner => 'gitolite3',
group => 'gitolite3',
}
file { "${hooks_dir}/post-update":
content => '#!/bin/sh
set -eu
/usr/bin/git push --quiet gitlab master',
owner => 'gitolite3',
group => 'gitolite3',
mode => '0700',
require => [
Package['python3-git'],
File[$hooks_dir],
],
}
}
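Review bot: The `post-update` hook on the `/usr/bin/git push --quiet gitlab master` line runs after the gatekeeper's ref has already been updated and git ignores a post-update hook's exit status, so a failed push to GitLab (non-fast-forward, protected branch, key problem) leaves the gatekeeper and GitLab diverged while the Weblate side sees a successful push. `set -eu` makes the hook exit non-zero but nothing reports it; I'd at least make the failure visible to the pusher on stderr, which git relays as `remote:` lines: `/usr/bin/git push --quiet gitlab master || { echo "weblate-gatekeeper: push to GitLab FAILED" >&2; exit 1; }`. The `require => Package['python3-git']` on this resource looks copied from `update.secondary`; the hook is a shell script calling git, so that package is not what it depends on. Since `post-update` receives the updated ref names as arguments, it could also push only when `refs/heads/master` is among them instead of unconditionally.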
......@@ -42,15 +42,18 @@ class tails::weblate::repositories(
vcsrepo { "${mutable_data_dir}/repositories/integration":
ensure => present,
force => true, # needed when URL of a remote changes -- TODO: remove after deploy
provider => git,
remote => 'origin',
user => weblate,
group => weblate,
source => {
# used to merge/push changes from/to the canonical repo
'origin' => 'gitolite@puppet-git.lizard:tails',
# used to merge changes from the canonical repo
'origin' => 'https://gitlab.tails.boum.org/tails/tails.git',
# used to fetch the commits that Weblate created
'weblate' => "${mutable_data_dir}/repositories/vcs/tails/index/.git",
'weblate' => "${mutable_data_dir}/repositories/vcs/tails/index/.git",
# used to push changes to canonical repo
'weblate-gatekeeper' => 'gitolite@puppet-git.lizard:weblate-gatekeeper.git',
},
require => Vcsrepo["${mutable_data_dir}/repositories/vcs/tails/index"],
}
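Review bot: `force => true` on the integration vcsrepo is more than a remote-URL fix: as far as I recall the vcsrepo git provider, with `force` set it removes and re-clones the working copy whenever the existing checkout does not match the declared state, which could discard unpushed Weblate commits sitting in `integration` on any later Puppet run that detects drift. The `TODO: remove after deploy` on that line should be acted on right after the remote switch has been applied, and I'd spell out the risk in the comment: `force => true, # DESTRUCTIVE: re-clones on mismatch; only for the remote-URL change, remove after deploy`. The class `tails::weblate::repositories` starts outside this hunk.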
......