mirror of
https://projects.blender.org/infrastructure/gitea-custom.git
synced 2024-12-22 15:23:32 -05:00
Sphinx: simplify running process as another user
parent
968618dac3
commit
5c53375672
2 changed files with 7 additions and 18 deletions
|
@ -15,8 +15,7 @@ Add to Gitea app.ini.
|
||||||
[markup.restructuredtext]
|
[markup.restructuredtext]
|
||||||
ENABLED = true
|
ENABLED = true
|
||||||
FILE_EXTENSIONS = .rst
|
FILE_EXTENSIONS = .rst
|
||||||
RENDER_COMMAND = "timeout 30s ./custom/sphinx/sphinx_to_html.py --user sphinx --user-work-dir /path/to/dir"
|
RENDER_COMMAND = timeout 30s sudo -u sphinx python3 ./custom/sphinx/sphinx_to_html.py
|
||||||
IS_INPUT_FILE = true
|
|
||||||
|
|
||||||
[markup.sanitizer.restructuredtext]
|
[markup.sanitizer.restructuredtext]
|
||||||
ELEMENT = div
|
ELEMENT = div
|
||||||
|
@ -28,6 +27,6 @@ Add to Gitea app.ini.
|
||||||
PREVIEWABLE_FILE_MODES = markdown,restructuredtext
|
PREVIEWABLE_FILE_MODES = markdown,restructuredtext
|
||||||
|
|
||||||
The `sphinx` user is required for sandboxing of sphinx-build which we do not
|
The `sphinx` user is required for sandboxing of sphinx-build which we do not
|
||||||
assume to be secure. The work directory should be writable by both the gitea
|
assume to be so secure that it should have access to all gitea data. This user
|
||||||
user and sphinx user, with the sphinx user having as little access as possible
|
needs read-only access to the custom/sphinx, and the user running gitea needs
|
||||||
to other directories.
|
to be able to run a process as the `sphinx` user.
|
||||||
|
|
|
@ -10,11 +10,7 @@ import subprocess
|
||||||
import sys
|
import sys
|
||||||
import tempfile
|
import tempfile
|
||||||
|
|
||||||
parser = argparse.ArgumentParser(prog="sphinx_to_html")
|
page_contents = sys.stdin.read()
|
||||||
parser.add_argument("filename_rst", help="Input .rst file")
|
|
||||||
parser.add_argument("--user", help="Run sphinx as another user", type=str)
|
|
||||||
parser.add_argument("--user-work-dir", help="Do work in specified folder accessible by user", type=str)
|
|
||||||
args = parser.parse_args()
|
|
||||||
|
|
||||||
base_url = "https://projects.blender.org"
|
base_url = "https://projects.blender.org"
|
||||||
local_url = "http://localhost:3000"
|
local_url = "http://localhost:3000"
|
||||||
|
@ -44,15 +40,12 @@ else:
|
||||||
image_url = ""
|
image_url = ""
|
||||||
|
|
||||||
# Set up temporary directory with sphinx configuration.
|
# Set up temporary directory with sphinx configuration.
|
||||||
with tempfile.TemporaryDirectory(dir=args.user_work_dir) as tmp_dir:
|
with tempfile.TemporaryDirectory() as tmp_dir:
|
||||||
work_dir = pathlib.Path(tmp_dir) / "work"
|
work_dir = pathlib.Path(tmp_dir) / "work"
|
||||||
|
|
||||||
script_dir = pathlib.Path(__file__).parent.resolve()
|
script_dir = pathlib.Path(__file__).parent.resolve()
|
||||||
shutil.copytree(script_dir / "template", work_dir)
|
shutil.copytree(script_dir / "template", work_dir)
|
||||||
page_filepath = work_dir / "contents.rst"
|
page_filepath = work_dir / "contents.rst"
|
||||||
shutil.copyfile(args.filename_rst, page_filepath)
|
|
||||||
|
|
||||||
page_contents = page_filepath.read_text()
|
|
||||||
|
|
||||||
# Turn links into external links since internal links are not found and stripped.
|
# Turn links into external links since internal links are not found and stripped.
|
||||||
def path_to_label(path):
|
def path_to_label(path):
|
||||||
|
@ -103,9 +96,6 @@ with tempfile.TemporaryDirectory(dir=args.user_work_dir) as tmp_dir:
|
||||||
out_filepath = out_dir / "contents.html"
|
out_filepath = out_dir / "contents.html"
|
||||||
|
|
||||||
sphinx_cmd = ["sphinx-build", "-b", "html", work_dir, out_dir]
|
sphinx_cmd = ["sphinx-build", "-b", "html", work_dir, out_dir]
|
||||||
if args.user:
|
|
||||||
result = subprocess.run(sphinx_cmd, capture_output=True, user=args.user)
|
|
||||||
else:
|
|
||||||
result = subprocess.run(sphinx_cmd, capture_output=True)
|
result = subprocess.run(sphinx_cmd, capture_output=True)
|
||||||
|
|
||||||
# Output errors.
|
# Output errors.
|
||||||
|
|
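Review bot: The retained `subprocess.run(sphinx_cmd, capture_output=True)` call in the last hunk has no `timeout=`, so once the whole script runs under `sudo -u sphinx` the only bound on a render is the outer `timeout 30s` in RENDER_COMMAND. When that limit fires the Python process is ended by a signal rather than an exception, so the `with tempfile.TemporaryDirectory() as tmp_dir:` block never unwinds and whatever was written under it stays in the `sphinx` user's temp directory. Whether `sphinx-build` is stopped as well depends on how the signal is relayed through `sudo`, which is not visible here. I would give the inner call its own limit below the outer one, for example `result = subprocess.run(sphinx_cmd, capture_output=True, timeout=25)`, and catch `subprocess.TimeoutExpired` so the failure is reported and the directory is removed. The `with` body starts and ends outside the hunks shown.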