
Sphinx: simplify running process as another user

This commit is contained in:
Brecht Van Lommel 2023-05-09 16:45:35 +02:00
parent 968618dac3
commit 5c53375672
2 changed files with 7 additions and 18 deletions


@ -15,8 +15,7 @@ Add to Gitea app.ini.
[markup.restructuredtext] [markup.restructuredtext]
ENABLED = true ENABLED = true
FILE_EXTENSIONS = .rst FILE_EXTENSIONS = .rst
RENDER_COMMAND = "timeout 30s ./custom/sphinx/sphinx_to_html.py --user sphinx --user-work-dir /path/to/dir" RENDER_COMMAND = timeout 30s sudo -u sphinx python3 ./custom/sphinx/sphinx_to_html.py
IS_INPUT_FILE = true
[markup.sanitizer.restructuredtext] [markup.sanitizer.restructuredtext]
ELEMENT = div ELEMENT = div
@ -28,6 +27,6 @@ Add to Gitea app.ini.
PREVIEWABLE_FILE_MODES = markdown,restructuredtext PREVIEWABLE_FILE_MODES = markdown,restructuredtext
The `sphinx` user is required for sandboxing of sphinx-build which we do not The `sphinx` user is required for sandboxing of sphinx-build which we do not
assume to be secure. The work directory should be writable by both the gitea assume to be so secure that it should have access to all gitea data. This user
user and sphinx user, with the sphinx user having as little access as possible needs read-only access to the custom/sphinx, and the user running gitea needs
to other directories. to be able to run a process as the `sphinx` user.


@ -10,11 +10,7 @@ import subprocess
import sys import sys
import tempfile import tempfile
parser = argparse.ArgumentParser(prog="sphinx_to_html") page_contents = sys.stdin.read()
parser.add_argument("filename_rst", help="Input .rst file")
parser.add_argument("--user", help="Run sphinx as another user", type=str)
parser.add_argument("--user-work-dir", help="Do work in specified folder accessible by user", type=str)
args = parser.parse_args()
base_url = "https://projects.blender.org" base_url = "https://projects.blender.org"
local_url = "http://localhost:3000" local_url = "http://localhost:3000"
@ -44,15 +40,12 @@ else:
image_url = "" image_url = ""
# Set up temporary directory with sphinx configuration. # Set up temporary directory with sphinx configuration.
with tempfile.TemporaryDirectory(dir=args.user_work_dir) as tmp_dir: with tempfile.TemporaryDirectory() as tmp_dir:
work_dir = pathlib.Path(tmp_dir) / "work" work_dir = pathlib.Path(tmp_dir) / "work"
script_dir = pathlib.Path(__file__).parent.resolve() script_dir = pathlib.Path(__file__).parent.resolve()
shutil.copytree(script_dir / "template", work_dir) shutil.copytree(script_dir / "template", work_dir)
page_filepath = work_dir / "contents.rst" page_filepath = work_dir / "contents.rst"
shutil.copyfile(args.filename_rst, page_filepath)
page_contents = page_filepath.read_text()
# Turn links into external links since internal links are not found and stripped. # Turn links into external links since internal links are not found and stripped.
def path_to_label(path): def path_to_label(path):
@ -103,10 +96,7 @@ with tempfile.TemporaryDirectory(dir=args.user_work_dir) as tmp_dir:
out_filepath = out_dir / "contents.html" out_filepath = out_dir / "contents.html"
sphinx_cmd = ["sphinx-build", "-b", "html", work_dir, out_dir] sphinx_cmd = ["sphinx-build", "-b", "html", work_dir, out_dir]
if args.user: result = subprocess.run(sphinx_cmd, capture_output=True)
result = subprocess.run(sphinx_cmd, capture_output=True, user=args.user)
else:
result = subprocess.run(sphinx_cmd, capture_output=True)
# Output errors. # Output errors.
error = result.stderr.decode("utf-8", "ignore").strip() error = result.stderr.decode("utf-8", "ignore").strip()
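Review bot: The `subprocess.run(sphinx_cmd, capture_output=True)` call has no `timeout=`, so the only time-box on sphinx-build rendering an untrusted .rst is the external `timeout 30s` in the documented RENDER_COMMAND; a SIGTERM from there ends this script without unwinding the `with tempfile.TemporaryDirectory()` block (its cleanup is a Python finalizer, not a signal handler), and whether that signal also reaches the grandchild sphinx-build depends on how timeout and sudo set up process groups, which this script does not control. Passing the deadline here keeps the kill and the cleanup inside the script: `result = subprocess.run(sphinx_cmd, capture_output=True, timeout=25)` (below the outer 30 s so the error path still runs), with `subprocess.TimeoutExpired` caught and reported on stderr like the existing error output, since `result` is unbound when it is raised. With `user=args.user` dropped, nothing in the script records that sandboxing now rests entirely on the configured `sudo -u sphinx`; a comment above this line such as `# Runs as the caller; sandboxing depends on RENDER_COMMAND launching this script as the unprivileged sphinx user.` would keep that assumption visible to anyone copying the command without sudo. The enclosing `with tempfile.TemporaryDirectory()` block starts outside this hunk.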