WIP: run0 support

Signed-off-by: Christian Heusel <christian@heusel.eu>

doc/man/offload-build.1.asciidoc

@@ -14,7 +14,7 @@ Description
 
 Build a PKGBUILD on a remote server using makechrootpkg. Requires a remote user
 that can run archbuild in a non-interactive manner, e.g. must be able to
-elevate permissions using passwordless sudo.
+elevate permissions using passwordless run0.
 
 Options
 -------

doc/man/pkgctl-auth.1.asciidoc

@@ -3,7 +3,7 @@ pkgctl-auth(1)
 
 Name
 ----
-pkgctl-auth - Authenticate with serivces like GitLab.
+pkgctl-auth - Authenticate with services like GitLab.
 
 Synopsis
 --------

src/lib/api/gitlab.sh

@@ -901,61 +901,3 @@ gitlab_issue_state_color() {
 	fi
 	printf "%s" "${state_color}"
 }
-
-# Star a GitLab project
-gitlab_api_star() {
-	local pkgbase=$1
-	local outfile project_path project_id
-
-	[[ -z ${WORKDIR:-} ]] && setup_workdir
-	outfile=$(mktemp --tmpdir="${WORKDIR}" pkgctl-gitlab-api.XXXXXXXXXX)
-
-	project_path=$(gitlab_project_name_to_path "${pkgbase}")
-
-	# Get project details first
-	if ! gitlab_api_call "${outfile}" GET "projects/archlinux%2fpackaging%2fpackages%2f${project_path}/"; then
-		return 1
-	fi
-
-	# Extract project ID
-	if ! project_id=$(jq --raw-output --exit-status '.id' < "${outfile}"); then
-		msg_error "  failed to get project ID: $(cat "${outfile}")"
-		return 1
-	fi
-
-	# Star the project
-	if ! gitlab_api_call "${outfile}" POST "/projects/${project_id}/star"; then
-		return 1
-	fi
-
-	return 0
-}
-
-# Unstar a GitLab project
-gitlab_api_unstar() {
-	local pkgbase=$1
-	local outfile project_path project_id
-
-	[[ -z ${WORKDIR:-} ]] && setup_workdir
-	outfile=$(mktemp --tmpdir="${WORKDIR}" pkgctl-gitlab-api.XXXXXXXXXX)
-
-	project_path=$(gitlab_project_name_to_path "${pkgbase}")
-
-	# Get project details first
-	if ! gitlab_api_call "${outfile}" GET "projects/archlinux%2fpackaging%2fpackages%2f${project_path}/"; then
-		return 1
-	fi
-
-	# Extract project ID
-	if ! project_id=$(jq --raw-output --exit-status '.id' < "${outfile}"); then
-		msg_error "  failed to get project ID: $(cat "${outfile}")"
-		return 1
-	fi
-
-	# Unstar the project
-	if ! gitlab_api_call "${outfile}" POST "/projects/${project_id}/unstar"; then
-		return 1
-	fi
-
-	return 0
-}

src/lib/archroot.sh

@@ -15,7 +15,11 @@ check_root() {
 	local orig_argv=("$@")
 
 	(( EUID == 0 )) && return
-	if type -P sudo >/dev/null; then
+	if type -P run0 >/dev/null; then
+		keepenv=",$keepenv"
+		command="run0 ${keepenv//,/ --setenv=}"
+		exec ${command} -- "${orig_argv[@]}"
+	elif type -P sudo >/dev/null; then
 		exec sudo --preserve-env="${keepenv}" -- "${orig_argv[@]}"
 	else
 		exec su root -c "$(printf ' %q' "${orig_argv[@]}")"

src/lib/star.sh

@@ -1,89 +0,0 @@
-#!/hint/bash
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-[[ -z ${DEVTOOLS_INCLUDE_STAR_SH:-} ]] || return 0
-DEVTOOLS_INCLUDE_STAR_SH=1
-
-_DEVTOOLS_LIBRARY_DIR=${_DEVTOOLS_LIBRARY_DIR:-@pkgdatadir@}
-# shellcheck source=src/lib/api/gitlab.sh
-source "${_DEVTOOLS_LIBRARY_DIR}"/lib/api/gitlab.sh
-
-set -e
-
-pkgctl_star_usage() {
-	local -r COMMAND=${_DEVTOOLS_COMMAND:-${BASH_SOURCE[0]##*/}}
-	cat <<- _EOF_
-		Usage: ${COMMAND} [OPTIONS] [PKGBASE...]
-
-		Star a package's GitLab project.
-
-		If no package is specified, the current directory's package will be used.
-		Multiple packages can be specified to star multiple projects at once.
-
-		Every usage of the star command must be authenticated. Consult the
-		'pkgctl auth' command to authenticate with GitLab or view the
-		authentication status.
-
-		OPTIONS
-		    -h, --help     Show this help text
-		    -u, --unstar   Remove star from the project instead
-
-		EXAMPLES
-		    $ ${COMMAND} pacman
-		    $ ${COMMAND} --unstar pacman
-		    $ ${COMMAND} libfoo libbar
-_EOF_
-}
-
-pkgctl_star() {
-	if (( $# == 0 )) && [[ ! -f PKGBUILD ]]; then
-		pkgctl_star_usage
-		exit 1
-	fi
-
-	# Check authentication
-	if [[ -z ${GITLAB_TOKEN} ]]; then
-		die "GitLab authentication required. Run 'pkgctl auth login' first"
-	fi
-
-	local unstar=0
-	local pkgbases=()
-
-	# option checking
-	while (( $# )); do
-		case $1 in
-			-h|--help)
-				pkgctl_star_usage
-				exit 0
-				;;
-			-u|--unstar)
-				unstar=1
-				shift
-				;;
-			-*)
-				die "invalid argument: %s" "$1"
-				;;
-			*)
-				pkgbases+=("$1")
-				shift
-				;;
-		esac
-	done
-
-	# Use current directory if no packages specified
-	if (( ${#pkgbases[@]} == 0 )); then
-		pkgbases=("$(basename "$PWD")")
-	fi
-
-	# Star/unstar each package
-	for pkgbase in "${pkgbases[@]}"; do
-		if (( unstar )); then
-			msg "Unstarring %s..." "${pkgbase}"
-			gitlab_api_unstar "${pkgbase}"
-		else
-			msg "Starring %s..." "${pkgbase}"
-			gitlab_api_star "${pkgbase}"
-		fi
-	done
-}

src/makechrootpkg.in

@@ -185,10 +185,18 @@ prepare_chroot() {
 		echo "$x" >>"$copydir/etc/makepkg.conf"
 	done
 
-	cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
+	# TODO(gromit): check if this rule is sane
-builduser ALL = NOPASSWD: /usr/bin/pacman
+	# TODO(gromit): this will require a full container
+	cat > "$copydir/etc/polkit-1/rules.d/10-systemd-nopasswd.rules" <<EOF
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.systemd1.manage-units") {
+        if (subject.isInGroup("wheel")) {
+            return polkit.Result.YES;
+        }
+    }
+});
 EOF
-	chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
+	chmod 440 "$copydir/etc/polkit-1/rules.d/10-systemd-nopasswd.rules"
 
 	cat > "$copydir/etc/gitconfig" <<EOF
 [safe]
@@ -222,17 +230,14 @@ _chrootbuild() {
 	# shellcheck source=/dev/null
 	. /etc/profile
 
-	# Beware, there are some stupid arbitrary rules on how you can
+	run0 --setenv=SOURCE_DATE_EPOCH \
-	# use "$" in arguments to commands with "sudo -i".  ${foo} or
+		 --setenv=BUILDTOOL \
-	# ${1} is OK, but $foo or $1 isn't.
+		 --setenv=BUILDTOOLVER \
-	# https://bugzilla.sudo.ws/show_bug.cgi?id=765
+		 --via-shell --chdir='~' \
-	sudo --preserve-env=SOURCE_DATE_EPOCH \
+		 --user=builduser -- bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
-		--preserve-env=BUILDTOOL \
-		--preserve-env=BUILDTOOLVER \
-		-iu builduser bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
 	ret=$?
 	case $ret in
-		0|14)
+		0)
 			return 0;;
 		*)
 			return $ret;;
@@ -243,7 +248,7 @@ _chrootnamcap() {
 	pacman -S --needed --noconfirm namcap
 	for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
 		echo "Checking ${pkgfile##*/}"
-		sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
+		run0 --user=builduser -- namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
 	done
 }
 
@@ -252,8 +257,12 @@ download_sources() {
 	chown "$makepkg_user:" "$WORKDIR"
 
 	# Ensure sources are downloaded
-	sudo -u "$makepkg_user" --preserve-env=GNUPGHOME,SSH_AUTH_SOCK \
+	run0 --user="$makepkg_user" \
-		env SRCDEST="$SRCDEST" BUILDDIR="$WORKDIR" \
+		--setenv=GNUPGHOME \
+		--setenv=SSH_AUTH_SOCK \
+		--setenv=SRCDEST="$SRCDEST" \
+		--setenv=BUILDDIR="$WORKDIR" \
+		--chdir=. -- \
 		makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o "${verifysource_args[@]}" ||
 		die "Could not download sources."
 }
@@ -400,7 +409,7 @@ if arch-nspawn "$copydir" \
 	"${nspawn_build_args[@]}" \
 	/chrootbuild "${makepkg_args[@]}"
 then
-	mapfile -t pkgnames < <(sudo -u "$makepkg_user" bash -c 'source PKGBUILD; printf "%s\n" "${pkgname[@]}"')
+	mapfile -t pkgnames < <(run0 --user="$makepkg_user" -- bash -c 'source PKGBUILD; printf "%s\n" "${pkgname[@]}"')
 	move_products
 else
 	(( ret += 1 ))
@@ -453,7 +462,7 @@ else
 		done
 
 		msg2 "Checking packages"
-		sudo -u "$makepkg_user" checkpkg --rmdir --warn --makepkg-config "$copydir/etc/makepkg.conf" "${remotepkgs[@]/#file:\/\//}"
+		run0 --user="$makepkg_user" -- checkpkg --rmdir --warn --makepkg-config "$copydir/etc/makepkg.conf" "${remotepkgs[@]/#file:\/\//}"
 	fi
 	true
 fi

src/makerepropkg.in

@@ -192,7 +192,7 @@ for p in "$@"; do
         pkgfile=${pkgfile_remote#file://}
         if [[ ! -f ${pkgfile} ]]; then
             msg "Downloading package '%s' into pacman's cache" "${pkgfile}"
-            sudo pacman -Swdd --noconfirm --logfile /dev/null "${p}" || exit 1
+            run0 -- pacman -Swdd --noconfirm --logfile /dev/null "${p}" || exit 1
             pkgfile_remote=$(pacman -Sddp "${p}" 2>/dev/null)
             pkgfile="${pkgfile_remote#file://}"
         fi

src/pkgctl.in

@@ -29,7 +29,6 @@ usage() {
 		    release Release step to commit, tag and upload build artifacts
 		    repo    Manage Git packaging repositories and their configuration
 		    search  Search for an expression across the GitLab packaging group
-		    star    Star a package's GitLab project
 		    version Check and manage package versions against upstream
 
 		OPTIONS
@@ -139,14 +138,6 @@ while (( $# )); do
 			pkgctl_search "$@"
 			exit 0
 			;;
-		star)
-			_DEVTOOLS_COMMAND+=" $1"
-			shift
-			# shellcheck source=src/lib/star.sh
-			source "${_DEVTOOLS_LIBRARY_DIR}"/lib/star.sh
-			pkgctl_star "$@"
-			exit 0
-			;;
 		version)
 			_DEVTOOLS_COMMAND+=" $1"
 			shift