unicorn-lockdown 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f0b84f88c8502c942f5b15b50bb7ac6946de87ef31ee14cf96e9d71b569b8a3
-  data.tar.gz: 69d55260a85368464b5dbb0b9b24120eacb3d9f95f07c4be765f8d913b8e7f2d
+  metadata.gz: 5f259ec0943a03a9e2a80a569eea0bb121c0fac02eec20236f8882820f59d512
+  data.tar.gz: c2a19c1f58425582eb16654aadfac8d8fa2717f5265e27aaf882a49fdf9fa42d
 SHA512:
-  metadata.gz: 2622fa1ea4b31f117037175273420574269b8f976e905d39a76137aefb4da44e94e13e1ec121db5a9d21fcef901dc3d5fec42434c36d5dd5cc21640d64379131
-  data.tar.gz: 032dbedbb2e5eab750fb10ae6f9ef0cb108fdedac239bf3adead2faa637bddfb8613a1d9a865730d449e2d4d6d334f35bab5b762f5b97bf4e946872ebdbf1d63
+  metadata.gz: 53c95408bc17f6d1285b7d48c35ae3c42b9d327075b6829f504b40d2ebc600d87279cc66c0134f40f2457cf00ce646d2c43475e7c825abc28e564ecf57d9c130
+  data.tar.gz: d5db79ff12242b857b03b7bacc058dec630436c20a73bf3308c76008cd67cb87ce9182b4fffd7eaf606cc2404f2dac1a448bed5eae3af369a2341db1e832ad6e

data/CHANGELOG

@@ -1,3 +1,13 @@
+= 1.2.0 (2022-11-16)
+
+* Remove access_log format from generated nginx configurations (jeremyevans)
+
+* Create and unveil the coverage directory when using SimpleCov with Unveiler (jeremyevans)
+
+* Add getpw to default master_execpledge, necessary on OpenBSD 7.2+ (jeremyevans)
+
+* Support OpenBSD 7.2 daemon_execdir for setting directory (jeremyevans)
+
 = 1.1.0 (2022-07-18)
 
 * Make unveiler still pledge if SimpleCov is loaded, but update pledge promises (jeremyevans)

data/files/rc.unicorn

@@ -2,20 +2,12 @@
 
 daemon="/usr/local/bin/unicorn"
 daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
-
-[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
-[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+rc_stop_signal=QUIT
 
 . /etc/rc.d/rc.subr
 
 pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
-
-rc_start() {
-  ${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
-}
-
-rc_stop() {
-   pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}" 
-}
+[ -n "${daemon_execdir}" ] || _rc_err "$0: daemon_execdir is not set"
+[ -n "${unicorn_app}" ] || _rc_err "$0: unicorn_app is not set"
 
 rc_cmd $1

data/files/rc.unicorn.71

@@ -0,0 +1,21 @@
+[ -z "${unicorn_conf}" ] && unicorn_conf=unicorn.conf
+
+daemon="/usr/local/bin/unicorn"
+daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
+
+[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
+[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+
+. /etc/rc.d/rc.subr
+
+pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
+
+rc_start() {
+  ${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
+}
+
+rc_stop() {
+   pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}" 
+}
+
+rc_cmd $1

data/files/unicorn_lockdown_add.rb

@@ -146,7 +146,7 @@ Unicorn.lockdown(self,
   # More pledges may be needed depending on application
   :pledge=>'rpath prot_exec inet unix flock',
   :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
-  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock',
+  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock getpw',
 
   # More unveils may be needed depending on application
   :unveil=>{
@@ -169,7 +169,7 @@ upstream #{app}_unicorn {
 }
 server {
     server_name #{app};
-    access_log #{nginx_access_log_file} main;
+    access_log #{nginx_access_log_file};
     error_log #{nginx_error_log_file} warn;
     root #{dir}/public;
     error_page   500 503 /500.html;
@@ -212,12 +212,17 @@ end
 # Setup /etc/rc.d/unicorn_* file for daemon management
 unless File.file?(rc_file)
   puts "Creating #{rc_file}"
+
+  # :nocov:
+  dir_var = `/usr/bin/uname -r` < '7.2' ? 'unicorn_dir' : 'daemon_execdir'
+  # :nocov:
+
   File.binwrite(rc_file, <<END)
 #!/bin/ksh
 
 daemon_user=#{user}
+#{dir_var}=#{dir}
 unicorn_app=#{app}
-unicorn_dir=#{dir}
 #{unicorn}#{rackup}
 . /etc/rc.d/rc.unicorn
 END

data/files/unicorn_lockdown_setup.rb

@@ -68,7 +68,11 @@ end
 # Setup rc.unicorn file
 unless File.file?(rc_unicorn_file)
   puts "Creating #{rc_unicorn_file}"
-  File.binwrite(rc_unicorn_file, File.binread(File.join(File.dirname(__dir__), 'files', 'rc.unicorn')))
+  filename = File.join(File.dirname(__dir__), 'files', 'rc.unicorn')
+  # :nocov:
+  filename << ".71" if `/usr/bin/uname -r` < '7.2'
+  # :nocov:
+  File.binwrite(rc_unicorn_file, File.binread(filename))
   File.chmod(0644, rc_unicorn_file)
   chown.(root_id, root_id, rc_unicorn_file)
 end

data/lib/unveiler.rb

@@ -27,16 +27,35 @@ module Unveiler
       end
     end
 
-    Pledge.unveil(unveil)
-
     # :nocov:
     if defined?(SimpleCov)
     # :nocov:
-      # If running coverage tests, add necessary pledges for
+      # If running coverage tests, add necessary pledges and unveils for
       # coverage testing to work.
+      dir = SimpleCov.coverage_dir
+      unveil[dir] = 'rwc'
+
+      # Unveil read access to the entire current directory, since any part
+      # that has covered code needs to be read to generate the coverage
+      # information.
+      unveil['.'] = 'r'
+
+      if defined?(Gem)
+        # Unveil access to the simplecov-html gem, since that is used by default
+        # to build the coverage pages.
+        unveil['simplecov-html'] = :gem
+      end
+
+      # :nocov:
+      # Must create directory before attempting to unveil it.
+      # When running unveiler tests, the coverage directory is already created.
+      Dir.mkdir(dir) unless File.directory?(dir)
+      # :nocov:
+
       pledge = (pledge.split + %w'rpath wpath cpath flock').uniq.join(' ')
     end
 
+    Pledge.unveil(unveil)
     Pledge.pledge(pledge)
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unicorn-lockdown
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Jeremy Evans
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-07-18 00:00:00.000000000 Z
+date: 2022-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pledge
@@ -94,7 +94,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email: code@jeremyevans.net
 executables:
 - unicorn-lockdown-add
@@ -108,6 +108,7 @@ files:
 - bin/unicorn-lockdown-add
 - bin/unicorn-lockdown-setup
 - files/rc.unicorn
+- files/rc.unicorn.71
 - files/unicorn_lockdown_add.rb
 - files/unicorn_lockdown_setup.rb
 - lib/rack/email_exceptions.rb
@@ -122,7 +123,7 @@ metadata:
   changelog_uri: https://github.com/jeremyevans/unicorn-lockdown/blob/master/CHANGELOG
   mailing_list_uri: https://github.com/jeremyevans/unicorn-lockdown/discussions
   source_code_uri: https://github.com/jeremyevans/unicorn-lockdown
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.3.7
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Helper library for running Unicorn with fork+exec/unveil/pledge on OpenBSD
 test_files: []