RubyGems - unicorn-lockdown - Versions diffs - 1.1.0 → 1.2.0 - Mend

unicorn-lockdown 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG +10 -0
data/files/rc.unicorn +3 -11
data/files/rc.unicorn.71 +21 -0
data/files/unicorn_lockdown_add.rb +8 -3
data/files/unicorn_lockdown_setup.rb +5 -1
data/lib/unveiler.rb +22 -3
metadata +7 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f0b84f88c8502c942f5b15b50bb7ac6946de87ef31ee14cf96e9d71b569b8a3
-  data.tar.gz: 69d55260a85368464b5dbb0b9b24120eacb3d9f95f07c4be765f8d913b8e7f2d
+  metadata.gz: 5f259ec0943a03a9e2a80a569eea0bb121c0fac02eec20236f8882820f59d512
+  data.tar.gz: c2a19c1f58425582eb16654aadfac8d8fa2717f5265e27aaf882a49fdf9fa42d
 SHA512:
-  metadata.gz: 2622fa1ea4b31f117037175273420574269b8f976e905d39a76137aefb4da44e94e13e1ec121db5a9d21fcef901dc3d5fec42434c36d5dd5cc21640d64379131
-  data.tar.gz: 032dbedbb2e5eab750fb10ae6f9ef0cb108fdedac239bf3adead2faa637bddfb8613a1d9a865730d449e2d4d6d334f35bab5b762f5b97bf4e946872ebdbf1d63
+  metadata.gz: 53c95408bc17f6d1285b7d48c35ae3c42b9d327075b6829f504b40d2ebc600d87279cc66c0134f40f2457cf00ce646d2c43475e7c825abc28e564ecf57d9c130
+  data.tar.gz: d5db79ff12242b857b03b7bacc058dec630436c20a73bf3308c76008cd67cb87ce9182b4fffd7eaf606cc2404f2dac1a448bed5eae3af369a2341db1e832ad6e

data/CHANGELOG CHANGED Viewed

@@ -1,3 +1,13 @@
+= 1.2.0 (2022-11-16)
+* Remove access_log format from generated nginx configurations (jeremyevans)
+* Create and unveil the coverage directory when using SimpleCov with Unveiler (jeremyevans)
+* Add getpw to default master_execpledge, necessary on OpenBSD 7.2+ (jeremyevans)
+* Support OpenBSD 7.2 daemon_execdir for setting directory (jeremyevans)
 = 1.1.0 (2022-07-18)
 * Make unveiler still pledge if SimpleCov is loaded, but update pledge promises (jeremyevans)

data/files/rc.unicorn CHANGED Viewed

@@ -2,20 +2,12 @@
 daemon="/usr/local/bin/unicorn"
 daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
-[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
-[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+rc_stop_signal=QUIT
 . /etc/rc.d/rc.subr
 pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
-rc_start() {
-  ${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
-}
-rc_stop() {
-   pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}"
-}
+[ -n "${daemon_execdir}" ] || _rc_err "$0: daemon_execdir is not set"
+[ -n "${unicorn_app}" ] || _rc_err "$0: unicorn_app is not set"
 rc_cmd $1

data/files/rc.unicorn.71 ADDED Viewed

@@ -0,0 +1,21 @@
+[ -z "${unicorn_conf}" ] && unicorn_conf=unicorn.conf
+daemon="/usr/local/bin/unicorn"
+daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
+[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
+[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+. /etc/rc.d/rc.subr
+pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
+rc_start() {
+  ${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
+}
+rc_stop() {
+   pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}"
+}
+rc_cmd $1

data/files/unicorn_lockdown_add.rb CHANGED Viewed

@@ -146,7 +146,7 @@ Unicorn.lockdown(self,
   # More pledges may be needed depending on application
   :pledge=>'rpath prot_exec inet unix flock',
   :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
-  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock',
+  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock getpw',
   # More unveils may be needed depending on application
   :unveil=>{
@@ -169,7 +169,7 @@ upstream #{app}_unicorn {
 }
 server {
     server_name #{app};
-    access_log #{nginx_access_log_file} main;
+    access_log #{nginx_access_log_file};
     error_log #{nginx_error_log_file} warn;
     root #{dir}/public;
     error_page   500 503 /500.html;
@@ -212,12 +212,17 @@ end
 # Setup /etc/rc.d/unicorn_* file for daemon management
 unless File.file?(rc_file)
   puts "Creating #{rc_file}"
+  # :nocov:
+  dir_var = `/usr/bin/uname -r` < '7.2' ? 'unicorn_dir' : 'daemon_execdir'
+  # :nocov:
   File.binwrite(rc_file, <<END)
 #!/bin/ksh
 daemon_user=#{user}
+#{dir_var}=#{dir}
 unicorn_app=#{app}
-unicorn_dir=#{dir}
 #{unicorn}#{rackup}
 . /etc/rc.d/rc.unicorn
 END

data/files/unicorn_lockdown_setup.rb CHANGED Viewed

@@ -68,7 +68,11 @@ end
 # Setup rc.unicorn file
 unless File.file?(rc_unicorn_file)
   puts "Creating #{rc_unicorn_file}"
-  File.binwrite(rc_unicorn_file, File.binread(File.join(File.dirname(__dir__), 'files', 'rc.unicorn')))
+  filename = File.join(File.dirname(__dir__), 'files', 'rc.unicorn')
+  # :nocov:
+  filename << ".71" if `/usr/bin/uname -r` < '7.2'
+  # :nocov:
+  File.binwrite(rc_unicorn_file, File.binread(filename))
   File.chmod(0644, rc_unicorn_file)
   chown.(root_id, root_id, rc_unicorn_file)
 end

data/lib/unveiler.rb CHANGED Viewed

@@ -27,16 +27,35 @@ module Unveiler
       end
     end
-    Pledge.unveil(unveil)
     # :nocov:
     if defined?(SimpleCov)
     # :nocov:
-      # If running coverage tests, add necessary pledges for
+      # If running coverage tests, add necessary pledges and unveils for
       # coverage testing to work.
+      dir = SimpleCov.coverage_dir
+      unveil[dir] = 'rwc'
+      # Unveil read access to the entire current directory, since any part
+      # that has covered code needs to be read to generate the coverage
+      # information.
+      unveil['.'] = 'r'
+      if defined?(Gem)
+        # Unveil access to the simplecov-html gem, since that is used by default
+        # to build the coverage pages.
+        unveil['simplecov-html'] = :gem
+      end
+      # :nocov:
+      # Must create directory before attempting to unveil it.
+      # When running unveiler tests, the coverage directory is already created.
+      Dir.mkdir(dir) unless File.directory?(dir)
+      # :nocov:
       pledge = (pledge.split + %w'rpath wpath cpath flock').uniq.join(' ')
     end
+    Pledge.unveil(unveil)
     Pledge.pledge(pledge)
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unicorn-lockdown
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Jeremy Evans
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-07-18 00:00:00.000000000 Z
+date: 2022-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pledge
@@ -94,7 +94,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description:
+description:
 email: code@jeremyevans.net
 executables:
 - unicorn-lockdown-add
@@ -108,6 +108,7 @@ files:
 - bin/unicorn-lockdown-add
 - bin/unicorn-lockdown-setup
 - files/rc.unicorn
+- files/rc.unicorn.71
 - files/unicorn_lockdown_add.rb
 - files/unicorn_lockdown_setup.rb
 - lib/rack/email_exceptions.rb
@@ -122,7 +123,7 @@ metadata:
   changelog_uri: https://github.com/jeremyevans/unicorn-lockdown/blob/master/CHANGELOG
   mailing_list_uri: https://github.com/jeremyevans/unicorn-lockdown/discussions
   source_code_uri: https://github.com/jeremyevans/unicorn-lockdown
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.3.7
-signing_key:
+signing_key:
 specification_version: 4
 summary: Helper library for running Unicorn with fork+exec/unveil/pledge on OpenBSD
 test_files: []