From 89d9ce39b4c2d61e446fc5efdfe925f8835c9930 Mon Sep 17 00:00:00 2001 
From: Vincent Ambo Date: Tue, 28 Feb 2023 15:17:08 +0300 Subject: chore(3p/josh): update josh to recent master commit It's been a long time since we updated josh, almost 400 commits in between. I read through the entire changelog, and here are relevant josh commits from in between that might be interesting to us: 38eecee Fix optimisation bug for compose filter (#1159) e1d10b6 Add :rev(...) filter 0f1a07b Initial implementation of refs locking (#929) 88cea2a Initial work on meta repo support 030ad93 Change magic refs to include "for" 28b1d75 Add split changes feature (#904) 1f908d7 Discover filters only on HEAD (#774) a368d8f Make --require-auth only apply to push 8d80230 Add :linear filter (#741) 3460ec2 Implement redundant refs filtering (#700) 55b4e50 Implement stacked changes support (#699) ea1f814 Handle @sha urls by creating magic ref (#690) 883a381 Run filter discovery only on changed refs (#685) 4bb004f Prepend refs/heads to base parameter as default (#664) Of particular interest is a368d8f, which allows us to drop our authentication patch and use the standard --require-auth flag again. The default behaviour of dropping signatures on commits (which are invalid after filtering) has also been changed in josh, now only occurring when the `:unsign` filter is present. Since this breaks commit hashes with our existing exported histories, we are opting to set an `:unsign` filter prefix on all proxy requests to ensure that the hashes stay consistent. During this update we found a bug (josh#1155) which was fixed in the commit that this CL moves josh to. 
Change-Id: I3afac1619f3aa90313a0441da91f0e4a96fe0a3b Reviewed-on: https://cl.tvl.fyi/c/depot/+/8186 Autosubmit: tazjin Reviewed-by: flokli Tested-by: BuildkiteCI
---
 ops/modules/josh.nix | 2 +-
 ...Always-require-authentication-when-pushin.patch | 43 ----------------------
 third_party/josh/default.nix | 16 ++++----
 3 files changed, 8 insertions(+), 53 deletions(-)
 delete mode 100644 third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
diff --git a/ops/modules/josh.nix b/ops/modules/josh.nix
index be9e9e966e6b..c7256259d4ea 100644
--- a/ops/modules/josh.nix
+++ b/ops/modules/josh.nix
@@ -26,7 +26,7 @@ in
 DynamicUser = true;
 StateDirectory = "josh";
 Restart = "always";
- ExecStart = "${depot.third_party.josh}/bin/josh-proxy --no-background --local /var/lib/josh --port ${toString cfg.port} --remote https://cl.tvl.fyi/";
+ ExecStart = "${depot.third_party.josh}/bin/josh-proxy --no-background --local /var/lib/josh --port ${toString cfg.port} --remote https://cl.tvl.fyi/ --require-auth --filter-prefix ':unsign'";
 };
 };
 };
diff --git a/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch b/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
deleted file mode 100644
index d3a2c0e99836..000000000000
--- a/third_party/josh/0001-josh-proxy-Always-require-authentication-when-pushin.patch
+++ /dev/null
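Review bot: The new `ExecStart` string is now the only thing that keeps unauthenticated pushes out of the proxy, and nothing next to it says so. This commit also drops the local josh patch (the `patches = [ ... ]` entry removed in third_party/josh/default.nix), which returned `Ok(false)` for `/git-receive-pack` requests with an empty auth hash regardless of flags, so a later edit that removes `--require-auth` from this line would fail open rather than closed. A comment above the line would record that: `# --require-auth gates pushes only (upstream a368d8f) and replaces our dropped local patch; ':unsign' keeps exported commit hashes stable.` Whether upstream's check covers the same request path the old patch matched is not visible in this diff, so a smoke check that an anonymous push through the proxy is refused would be worth adding. The enclosing attribute set starts and ends outside the hunk.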
@@ -1,43 +0,0 @@
-From a82ccf1fab187969544b638f6977d698a55dbb2f Mon Sep 17 00:00:00 2001
-From: Vincent Ambo
-Date: Fri, 11 Feb 2022 13:14:02 +0300
-Subject: [PATCH] josh-proxy: Always require authentication when pushing
-
-This supports the use-case where josh serves a public repo without
-auth, but requires auth for pushing back.
----
- josh-proxy/src/auth.rs | 4 ++--
- josh-proxy/src/bin/josh-proxy.rs | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/josh-proxy/src/auth.rs b/josh-proxy/src/auth.rs
-index 96a8241..0a007f3 100644
---- a/josh-proxy/src/auth.rs
-+++ b/josh-proxy/src/auth.rs
-@@ -54,8 +54,8 @@ impl Handle {
- }
- }
-
--pub async fn check_auth(url: &str, auth: &Handle, required: bool) -> josh::JoshResult {
-- if required && auth.hash.is_empty() {
-+pub async fn check_auth(url: &str, pathinfo: &str, auth: &Handle, required: bool) -> josh::JoshResult {
-+ if auth.hash.is_empty() && (required || pathinfo == "/git-receive-pack") {
- return Ok(false);
- }
-
-diff --git a/josh-proxy/src/bin/josh-proxy.rs b/josh-proxy/src/bin/josh-proxy.rs
-index 700f2da..a96da1c 100644
---- a/josh-proxy/src/bin/josh-proxy.rs
-+++ b/josh-proxy/src/bin/josh-proxy.rs
-@@ -449,7 +449,7 @@ async fn call_service(
- ]
- .join("");
-
-- if !josh_proxy::auth::check_auth(&remote_url, &auth, ARGS.is_present("require-auth"))
-+ if !josh_proxy::auth::check_auth(&remote_url, &parsed_url.pathinfo, &auth, ARGS.is_present("require-auth"))
- .in_current_span()
- .await?
- {
----
--2.34.1
-
diff --git a/third_party/josh/default.nix b/third_party/josh/default.nix
index 8900c6ad4572..bc8640a19bfd 100644
--- a/third_party/josh/default.nix
+++ b/third_party/josh/default.nix
@@ -1,16 +1,18 @@
-# https://github.com/esrlabs/josh
+# https://github.com/josh-project/josh
 { depot, pkgs, ... }:
 let
+ rev = "fc857afda2c1536234e3bb1983c518a1abf63d25";
 src = pkgs.fetchFromGitHub {
- owner = "esrlabs";
+ owner = "josh-project";
 repo = "josh";
- rev = "effe6290559136faba5591a115e56c2b30210329";
- hash = "sha256:0kam9rqjk96brvh15wj3h3vm2sqnr5pckz91az2ida5617d5gp9v";
+ inherit rev;
+ hash = "sha256:16ch7al7xfyjipgqh2n7grj985fv713mhi8y5bixb736vsad9q3w";
 };
 in
 depot.third_party.naersk.buildPackage {
 inherit src;
+ JOSH_VERSION = "git-${builtins.substring 0 8 rev}";
 buildInputs = with pkgs; [
 libgit2
@@ -20,16 +22,12 @@ depot.third_party.naersk.buildPackage {
 cargoBuildOptions = x: x ++ [
 "-p"
- "josh"
+ "josh-filter"
 "-p"
 "josh-proxy"
- "-p"
- "josh-ui"
 ];
 overrideMain = x: {
- patches = [ ./0001-josh-proxy-Always-require-authentication-when-pushin.patch ];
-
 nativeBuildInputs = (x.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ];
 postInstall = ''
 wrapProgram $out/bin/josh-proxy --prefix PATH : "${pkgs.git}/bin"
-- 
cgit 1.4.1