[IMP] runbot: make access to build customizable

2025-03-15 15:35:46 +07:00 · 2023-07-03 14:57:41 +02:00 · 2023-07-03 14:57:41 +02:00 · 9e7441e098
commit 9e7441e098
parent 9571d5f3b3
4 changed files with 30 additions and 6 deletions
--- a/runbot/controllers/frontend.py
+++ b/runbot/controllers/frontend.py
@ -605,4 +605,9 @@ class Runbot(Controller):
        build = request.env['runbot.build'].browse(int(build_id)).exists()
        if db_suffix is None:
            db_suffix = build.mapped('database_ids')[0].db_suffix
-        return werkzeug.utils.redirect(f'http://{build.dest}-{db_suffix}.{build.host}')
+        if request.env.user._is_internal():
+            token, token_info = build._get_run_token()
+            db_suffix = f'{db_suffix}-{token}-{token_info}'
+        redirect = f'http://{build.dest}-{db_suffix}.{build.host}'
+        _logger.info('Redirecting to %s', redirect)
+        return werkzeug.utils.redirect(redirect)
--- a/runbot/models/build.py
+++ b/runbot/models/build.py
@ -21,6 +21,7 @@ from pathlib import Path
 from psycopg2 import sql
 from psycopg2.extensions import TransactionRollbackError
 import getpass
+import uuid

 _logger = logging.getLogger(__name__)

@ -236,6 +237,8 @@ class BuildResult(models.Model):

    static_run = fields.Char('Static run URL')

+    token = fields.Char('Token', default=lambda self: uuid.uuid4().hex)
+
    @api.depends('description', 'params_id.config_id')
    def _compute_display_name(self):
        for build in self:
@ -324,6 +327,11 @@ class BuildResult(models.Model):
    def _get_result_score(self, result):
        return result_order.index(result)

+    def _get_run_token(self):
+        token = self.token or self.params_id.fingerprint
+        token_info = hex(hash(token or '' + str(self.env.user.id)))[-4:]
+        return (token[:6], token_info[:4])
+
    @api.depends('active_step')
    def _compute_job(self):
        for build in self:
--- a/runbot/models/res_users.py
+++ b/runbot/models/res_users.py
@ -26,8 +26,3 @@ class ResUsers(models.Model):
        if list(values.keys()) == ['github_login'] and self.env.user.has_group('runbot.group_runbot_team_manager'):
            return super(ResUsers, self.sudo()).write(values)
        return super().write(values)
-
-    # backport of 16.0 feature TODO remove after migration
-    def _is_internal(self):
-        self.ensure_one()
-        return not self.sudo().share
--- a/runbot/templates/nginx.xml
+++ b/runbot/templates/nginx.xml
@ -70,6 +70,22 @@ server {
    }
    <t id="build_anchor"/>
 }
+
+server {
+    listen 8080;
+    server_name ~^<t t-out="re_escape(build.dest)"/>(-[a-z0-9_]+)?-<t t-esc="build._get_run_token()[0]"/>(-[a-z0-9_]{4})\.<t t-esc="re_escape(build.host)"/>$;
+    location / { proxy_pass http://127.0.0.1:<t t-esc="build.port"/>; }
+    location /longpolling { proxy_pass http://127.0.0.1:<t t-esc="build.port + 1"/>; }
+    location /websocket {
+      proxy_pass http://127.0.0.1:<t t-esc="build.port + 1"/>;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-Proto $real_scheme;
+      proxy_set_header Host $host;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "Upgrade";
+    }
+    <t id="build_anchor_authenticated"/>
+}
 </t>
 server {
    listen 8080;