Hello community, here is the log from the commit of package hawk for openSUSE:Factory checked in at 2015-10-02 09:23:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/hawk (Old) and /work/SRC/openSUSE:Factory/.hawk.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "hawk" Changes: -------- --- /work/SRC/openSUSE:Factory/hawk/hawk.changes 2015-09-30 05:52:59.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.hawk.new/hawk.changes 2015-10-02 09:23:48.000000000 +0200 @@ -1,0 +2,11 @@ +Wed Sep 30 15:16:35 UTC 2015 - kgronlund@suse.com + +- Update to version 1.0.0+git.1443626139.ed258cf: + + Backport CORS handling from hawk2 (bsc#947766) + + Make Cib and user injection thread-safe (bsc#947748) + + Run up to 16 threads in a single worker by default + + Monitor: require login + + Kill remaining processes if necessary + + Remove include of nonexisting file + +------------------------------------------------------------------- Old: ---- hawk-1.0.0+git.1443432013.2f906a6.tar.bz2 New: ---- hawk-1.0.0+git.1443626139.ed258cf.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ hawk.spec ++++++ --- /var/tmp/diff_new_pack.x7pNyU/_old 2015-10-02 09:23:49.000000000 +0200 +++ /var/tmp/diff_new_pack.x7pNyU/_new 2015-10-02 09:23:49.000000000 +0200 @@ -39,7 +39,7 @@ Summary: HA Web Konsole License: GPL-2.0 and Apache-2.0 Group: %{pkg_group} -Version: 1.0.0+git.1443432013.2f906a6 +Version: 1.0.0+git.1443626139.ed258cf Release: 0 Url: http://www.clusterlabs.org/wiki/Hawk Source: %{name}-%{version}.tar.bz2 ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.x7pNyU/_old 2015-10-02 09:23:49.000000000 +0200 +++ /var/tmp/diff_new_pack.x7pNyU/_new 2015-10-02 09:23:49.000000000 +0200 
@@ -1,4 +1,4 @@ <servicedata> <service name="tar_scm"> <param name="url">git://github.com/ClusterLabs/hawk.git</param> - <param name="changesrevision">2f906a643f54fb1c5b9cd67aa5b71ec242c26b7f</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">ed258cfdaaea78d7920e8f34e729e92b6572c392</param></service></servicedata> \ No newline at end of file ++++++ hawk-1.0.0+git.1443432013.2f906a6.tar.bz2 -> hawk-1.0.0+git.1443626139.ed258cf.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hawk-1.0.0+git.1443432013.2f906a6/hawk/app/controllers/application_controller.rb new/hawk-1.0.0+git.1443626139.ed258cf/hawk/app/controllers/application_controller.rb --- old/hawk-1.0.0+git.1443432013.2f906a6/hawk/app/controllers/application_controller.rb 2015-09-28 11:31:09.000000000 +0200 +++ new/hawk-1.0.0+git.1443626139.ed258cf/hawk/app/controllers/application_controller.rb 2015-09-30 17:16:27.000000000 +0200 @@ -36,6 +36,8 @@ include FastGettext::Translation before_filter :set_users_locale + before_filter :cors_preflight_check + after_filter :cors_set_access_control_headers def set_users_locale # the locale cookie is set via JS in the preferences dialog 
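Review bot: Registering `cors_set_access_control_headers` as an `after_filter` in the `@@ -36,6 +36,8 @@` hunk means it will probably not run when an earlier before filter halts the chain by rendering or redirecting, since Rails normally skips after filters in that case. The same commit removes the inline CORS headers from `access_denied`, whose removed comment said they were needed so a cross-origin client can see the permission-denied error. If `access_denied` is reached from a before filter such as `login_required` (its call site is not visible here), those denied responses would now go out without the headers. A test for a denied cross-origin request would settle this, and a comment above the two new filter lines such as `# CORS: preflight is answered before any other filter; headers are added after the action has run` would record the intended ordering.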
@@ -74,6 +76,28 @@ @_current_user ||= session[:username] end + def cors_set_access_control_headers + if request.headers['Origin'] + response.headers['Access-Control-Allow-Origin'] = request.headers["Origin"] + response.headers['Access-Control-Allow-Credentials'] = 'true' + response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS' + response.headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, Authorization, X-CSRF-Token, Token' + response.headers['Access-Control-Max-Age'] = "1728000" + end + end + + def cors_preflight_check + if request.method == 'OPTIONS' && request.headers['Origin'] + response.headers["Access-Control-Allow-Origin"] = request.headers["Origin"] + response.headers['Access-Control-Allow-Credentials'] = 'true' + response.headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS' + response.headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Token' + response.headers['Access-Control-Max-Age'] = '1728000' + + render json: {}, status: 200 + end + end + # # Technique based on one presented by a very unhappy sounding person at: # @@ -94,11 +118,8 @@ def inject_current_user_into_invoker # Can't use self inside the proc, or the binding is wrong current_controller = self - # TODO(should): Ruby 1.9 apparently doesn't allow send to call private - # methods - need to replace with funcall. - Invoker.send(:define_method, 'current_user', proc { current_controller.current_user }) + Thread.current[:current_user] = proc { current_controller.send(:current_user) } yield - Invoker.send(:remove_method, 'current_user') end before_filter :init_shadow_cib 
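Review bot: `cors_set_access_control_headers` and `cors_preflight_check` copy whatever `Origin` the request carries into `Access-Control-Allow-Origin` and pair it with `Access-Control-Allow-Credentials: true`, so every web origin is permitted to make credentialed POST, PUT and DELETE requests and read the replies. This now applies to every controller, where before only a few endpoints set these headers. The origin should be checked against a configured allowlist before it is echoed, e.g. `origin = request.headers['Origin']` then `return unless origin && allowed_origins.include?(origin)`, where `allowed_origins` is a placeholder for a list the deployment would configure. `response.headers['Vary'] = 'Origin'` should be set as well, because the reply now depends on that request header. The two methods also repeat the header block with different `Access-Control-Allow-Headers` lists; one private helper would keep them in step.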
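Review bot: `inject_current_user_into_invoker` stores the proc in `Thread.current[:current_user]` and never clears it after `yield`, whereas the old code removed the injected method once the action had run. With worker threads reused across requests, a later request on the same thread that does not pass through this filter (MonitorController in this commit skips it) would still find the previous request's proc, and any path that reaches `Invoker#current_user` would get the earlier user. Clearing the value in an `ensure` closes that gap and also covers actions that raise: `begin; yield; ensure; Thread.current[:current_user] = nil; end`. A one-line comment stating that the value is per-request state and must not outlive the request would help the next reader.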
@@ -157,14 +178,6 @@ # - you should be redirected back to the login page def access_denied - # As in the Cib controller, we need to allow cross-domain requests - # here in order for the client to actually see the permission denied - # error - if request.headers["Origin"] - response.headers["Access-Control-Allow-Origin"] = request.headers["Origin"] - response.headers["Access-Control-Allow-Credentials"] = "true" - end - respond_to do |format| format.any do # Have to use format.any not format.html due to stupid IE accept diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hawk-1.0.0+git.1443432013.2f906a6/hawk/app/controllers/cib_controller.rb new/hawk-1.0.0+git.1443626139.ed258cf/hawk/app/controllers/cib_controller.rb --- old/hawk-1.0.0+git.1443432013.2f906a6/hawk/app/controllers/cib_controller.rb 2015-09-28 11:31:09.000000000 +0200 +++ new/hawk-1.0.0+git.1443626139.ed258cf/hawk/app/controllers/cib_controller.rb 2015-09-30 17:16:27.000000000 +0200 
@@ -51,17 +51,6 @@ end def show - - # We explicitly allow cross-site read-only access to the CIB via AJAX - # requests so the Dashboard will work. Still needs a login cookie of - # course, so this is OK, but we have to set a couple of response headers - # else Firefox will refuse to give the data from the request to the - # client. - if request.headers["Origin"] - response.headers["Access-Control-Allow-Origin"] = request.headers["Origin"] - response.headers["Access-Control-Allow-Credentials"] = "true" - end - begin # Not mass assignment (CWE-642) or improper access control (CWE-285) # because Cib::initialize sanitizes params[:id], so RORSCAN_INL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hawk-1.0.0+git.1443432013.2f906a6/hawk/app/controllers/monitor_controller.rb new/hawk-1.0.0+git.1443626139.ed258cf/hawk/app/controllers/monitor_controller.rb --- old/hawk-1.0.0+git.1443432013.2f906a6/hawk/app/controllers/monitor_controller.rb 2015-09-28 11:31:09.000000000 +0200 +++ new/hawk-1.0.0+git.1443626139.ed258cf/hawk/app/controllers/monitor_controller.rb 2015-09-30 17:16:27.000000000 +0200 
@@ -35,13 +35,15 @@ class MonitorController < ApplicationController include ActionController::Live + skip_before_filter :set_users_locale + skip_around_filter :inject_current_user_into_invoker + before_filter :login_required + def monitor ENV['QUERY_STRING'] = request.query_string.to_s ENV['HTTP_ORIGIN'] = request.env['HTTP_ORIGIN'] response.headers['Content-Type'] = 'text/event-stream' - response.headers['Access-Control-Allow-Origin'] = request.env['HTTP_ORIGIN'] - response.headers['Access-Control-Allow-Credentials'] = "true" # may not be necessary Open3.popen3("/usr/sbin/hawk_monitor") do |i, o| result = o.read _, body = result.split("\n\n", 2) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hawk-1.0.0+git.1443432013.2f906a6/hawk/app/controllers/sessions_controller.rb new/hawk-1.0.0+git.1443626139.ed258cf/hawk/app/controllers/sessions_controller.rb --- old/hawk-1.0.0+git.1443432013.2f906a6/hawk/app/controllers/sessions_controller.rb 2015-09-28 11:31:09.000000000 +0200 +++ new/hawk-1.0.0+git.1443626139.ed258cf/hawk/app/controllers/sessions_controller.rb 2015-09-30 17:16:27.000000000 +0200 @@ -48,12 +48,6 @@ redirect_back_or_default root_url if authorized? end format.json do - # Explicity allow CORS - # TODO(should): Consolidate with CibController and ApplicationController - if request.headers["Origin"] - response.headers["Access-Control-Allow-Origin"] = request.headers["Origin"] - response.headers["Access-Control-Allow-Credentials"] = "true" - end # This is fake, to allow the dashboard to figure out whether it # can talk to this node at all (very quick response) render :status => 200, :json => nil 
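Review bot: The context lines `ENV['QUERY_STRING'] = …` and `ENV['HTTP_ORIGIN'] = …` in `monitor` write to the process-wide environment, which all threads share, while this commit raises the default to 16 threads in a single worker. Two concurrent monitor requests can overwrite each other's values before `/usr/sbin/hawk_monitor` is spawned, so one client's query string or origin may be handed to another client's child process. Passing the values only to the child removes the shared state: `Open3.popen3({ 'QUERY_STRING' => request.query_string.to_s, 'HTTP_ORIGIN' => request.env['HTTP_ORIGIN'] }, "/usr/sbin/hawk_monitor") do |i, o|`. The body of `monitor` continues past the end of the hunk, so the rest of the method should be checked for other uses of `ENV`.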
@@ -103,12 +97,6 @@ end end format.json do - # Explicity allow CORS - # TODO(should): Consolidate with CibController and ApplicationController - if request.headers["Origin"] - response.headers["Access-Control-Allow-Origin"] = request.headers["Origin"] - response.headers["Access-Control-Allow-Credentials"] = "true" - end if ok render :status => 200, :json => nil else @@ -133,5 +121,4 @@ end redirect_to :action => 'new' end - end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hawk-1.0.0+git.1443432013.2f906a6/hawk/app/views/dashboard/index.html.erb new/hawk-1.0.0+git.1443626139.ed258cf/hawk/app/views/dashboard/index.html.erb --- old/hawk-1.0.0+git.1443432013.2f906a6/hawk/app/views/dashboard/index.html.erb 2015-09-28 11:31:09.000000000 +0200 +++ new/hawk-1.0.0+git.1443626139.ed258cf/hawk/app/views/dashboard/index.html.erb 2015-09-30 17:16:27.000000000 +0200 @@ -1,6 +1,5 @@ <% content_for :head do %> <%= stylesheet_link_tag "dashboard" %> -<%= javascript_include_tag "dashboard" %> <% end %> <script type="text/javascript"> <% diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hawk-1.0.0+git.1443432013.2f906a6/hawk/lib/invoker.rb new/hawk-1.0.0+git.1443626139.ed258cf/hawk/lib/invoker.rb --- old/hawk-1.0.0+git.1443432013.2f906a6/hawk/lib/invoker.rb 2015-09-28 11:31:09.000000000 +0200 +++ new/hawk-1.0.0+git.1443626139.ed258cf/hawk/lib/invoker.rb 2015-09-30 17:16:27.000000000 +0200 @@ -34,8 +34,7 @@ # # Singleton class for invoking crm configuration tools as the current -# user, obtained by trickery from ApplicationController, which injects -# a "current_user" method into this class. +# user. # class Invoker include FastGettext::Translation 
@@ -171,5 +170,9 @@ [exitstatus, stderr] end end + + def current_user + Thread.current[:current_user].call + end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hawk-1.0.0+git.1443432013.2f906a6/scripts/hawk.service.bundle_gems.in new/hawk-1.0.0+git.1443626139.ed258cf/scripts/hawk.service.bundle_gems.in --- old/hawk-1.0.0+git.1443432013.2f906a6/scripts/hawk.service.bundle_gems.in 2015-09-28 11:31:09.000000000 +0200 +++ new/hawk-1.0.0+git.1443626139.ed258cf/scripts/hawk.service.bundle_gems.in 2015-09-30 17:16:27.000000000 +0200 @@ -4,8 +4,9 @@ [Service] Type=simple -KillMode=none -TimeoutSec=300 +KillMode=control-group +TimeoutStartSec=300 +TimeoutStopSec=10 User=hacluster Group=haclient @@ -14,8 +15,8 @@ Environment="GEM_PATH=@GEM_PATH@" Environment="HAWK_ENV=production" -Environment="HAWK_THREADS=1" -Environment="HAWK_WORKERS=3" +Environment="HAWK_THREADS=16" +Environment="HAWK_WORKERS=1" Environment="HAWK_LISTEN=0.0.0.0" Environment="HAWK_PORT=7630" Environment="HAWK_KEY=/etc/hawk/hawk.pem" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hawk-1.0.0+git.1443432013.2f906a6/scripts/hawk.service.in new/hawk-1.0.0+git.1443626139.ed258cf/scripts/hawk.service.in --- old/hawk-1.0.0+git.1443432013.2f906a6/scripts/hawk.service.in 2015-09-28 11:31:09.000000000 +0200 +++ new/hawk-1.0.0+git.1443626139.ed258cf/scripts/hawk.service.in 2015-09-30 17:16:27.000000000 +0200 @@ -4,8 +4,9 @@ [Service] Type=simple -KillMode=none -TimeoutSec=300 +KillMode=control-group +TimeoutStartSec=300 +TimeoutStopSec=10 User=hacluster Group=haclient @@ -13,8 +14,8 @@ WorkingDirectory=@WWW_BASE@/hawk Environment="HAWK_ENV=production" -Environment="HAWK_THREADS=1" -Environment="HAWK_WORKERS=3" +Environment="HAWK_THREADS=16" +Environment="HAWK_WORKERS=1" Environment="HAWK_LISTEN=0.0.0.0" Environment="HAWK_PORT=7630" Environment="HAWK_KEY=/etc/hawk/hawk.pem"
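Review bot: `Invoker#current_user` calls `.call` on `Thread.current[:current_user]` without checking that it is set, so a caller on a thread where the controller filter never ran gets a `NoMethodError` on nil rather than a clear message. Since this value decides which user the crm tools are invoked as, an explicit failure is easier to diagnose: `user_proc = Thread.current[:current_user]`, `raise 'current_user requested outside a request' unless user_proc`, then `user_proc.call`. The method also has no comment, and the class header no longer explains where the user comes from; `# Returns the user of the request served on this thread, as set by ApplicationController#inject_current_user_into_invoker` would restore that.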