From 442dc43206349d42cb92c3b692d701aaffc42f55 Mon Sep 17 00:00:00 2001
From: "Brian C. Lane"
Date: Mon, 12 Feb 2018 14:09:53 -0800
Subject: [PATCH] Open the git repo after dropping root privileges

Also make sure the recipe directory and its contents have correct ownership, and change the default recipe path when using the systemd service to /var/lib/lorax/composer/recipes/
---
 src/sbin/lorax-composer | 18 +++++++++++-------
 systemd/lorax-composer.service | 2 +-
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/sbin/lorax-composer b/src/sbin/lorax-composer
index a499b676..fd6f8b83 100755
--- a/src/sbin/lorax-composer
+++ b/src/sbin/lorax-composer
@@ -29,6 +29,7 @@ import grp
 import os
 import pwd
 import sys
+import subprocess
 from threading import Lock
 from gevent import socket
 from gevent.wsgi import WSGIServer
@@ -177,15 +178,13 @@ if __name__ == '__main__':
 log.error(e)
 sys.exit(1)
- if not os.path.isdir(opts.RECIPES):
- log.warn("Creating empty recipe directory at %s", opts.RECIPES)
- os.makedirs(opts.RECIPES)
-
- server.config["REPO_DIR"] = opts.RECIPES
- repo = open_or_create_repo(server.config["REPO_DIR"])
- server.config["GITLOCK"] = GitLock(repo=repo, lock=Lock(), dir=opts.RECIPES)
 server.config["COMPOSER_CFG"] = configure(conf_file=opts.config)
+ # Make sure the git repo can be accessed by the API uid/gid
+ repodir_stat = os.stat(opts.RECIPES)
+ if repodir_stat.st_gid != gid or repodir_stat.st_uid != uid:
+ subprocess.call(["chown", "-R", "%s:%s" % (opts.user, opts.group), opts.RECIPES])
+
 # If the user passed in a releasever set it in the configuration
 if opts.releasever:
 server.config["COMPOSER_CFG"].set("composer", "releasever", opts.releasever)
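Review bot: In the ownership block of src/sbin/lorax-composer, `os.stat(opts.RECIPES)` runs after the `os.makedirs` fallback was removed and the status of `subprocess.call(["chown", "-R", ...])` is discarded, so a missing recipe directory raises an unhandled OSError and a failed chown is only noticed when the repo open fails later. Unless the directory is created outside this hunk, the new default path in the systemd/lorax-composer.service hunk makes the missing-directory case likely on a fresh install. I would check the result, e.g. `if subprocess.call([...]) != 0:` followed by `log.error("Failed to chown %s", opts.RECIPES)` and `sys.exit(1)`. The comparison also inspects only the top-level directory, so contents with the wrong owner are left as they are whenever the directory itself already matches. This presumably still runs as root over a tree the unprivileged API user can later write to, so it deserves a comment saying so and an absolute path for `chown` instead of a PATH lookup; the `if __name__ == '__main__':` block starts and ends outside the hunk.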
@@ -224,6 +223,11 @@ if __name__ == '__main__':
 yb = get_base_object(server.config["COMPOSER_CFG"])
 server.config["YUMLOCK"] = YumLock(yb=yb, lock=Lock())
+ # Setup access to the git repo
+ server.config["REPO_DIR"] = opts.RECIPES
+ repo = open_or_create_repo(server.config["REPO_DIR"])
+ server.config["GITLOCK"] = GitLock(repo=repo, lock=Lock(), dir=opts.RECIPES)
+
 # Import example recipes
 commit_recipe_directory(server.config["GITLOCK"].repo, "master", opts.RECIPES)
diff --git a/systemd/lorax-composer.service b/systemd/lorax-composer.service
index 28b700cb..83365005 100644
--- a/systemd/lorax-composer.service
+++ b/systemd/lorax-composer.service
@@ -6,7 +6,7 @@ Wants=network-online.target
 [Service]
 User=root
 Type=simple
-ExecStart=/usr/sbin/lorax-composer /var/lib/lorax-composer/recipes/
+ExecStart=/usr/sbin/lorax-composer /var/lib/lorax/composer/recipes/
 [Install]
 WantedBy=multi-user.target
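Review bot: The comment `# Setup access to the git repo` in the src/sbin/lorax-composer hunk at -224 does not say why the block moved, and the ordering is the whole point of the change. Going by the commit subject the privilege drop happens above this hunk (it is not visible here), so something like `# Open the repo only after dropping root so files git creates are owned by the API uid/gid` would keep a later refactor from moving it back. `open_or_create_repo` then presumably runs unprivileged, so it can create the repository only if the directory already exists and is writable by that user. The `if __name__ == '__main__':` block starts and ends outside the hunk.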