mirror of
https://github.com/discourse/discourse.git
synced 2024-11-22 19:46:55 +08:00
cedcdb0057
Due to default CSP web workers instantiated from CDN based assets are still
treated as "same-origin" meaning that we had no way of safely instansiating
a web worker from a theme.
This limits the theme system and adds the arbitrary restriction that WASM
based components can not be safely used.
To resolve this limitation all js assets in about.json are also cached on
local domain.
{
"name": "Header Icons",
"assets" : {
"worker" : "assets/worker.js"
}
}
This can then be referenced in JS via:
settings.theme_uploads_local.worker
local_js_assets are unconditionally served from the site directly and
bypass the entire CDN, using the pre-existing JavascriptCache
Previous to this change this code was completely dormant on sites which
used s3 based uploads, this reuses the very well tested and cached asset
system on s3 based sites.
Note, when creating local_js_assets it is highly recommended to keep the
assets lean and keep all the heavy working in CDN based assets. For example
wasm files can still live on the CDN but the lean worker that loads it can
live on local.
This change unlocks wasm in theme components, so wasm is now also allowed
in `theme_authorized_extensions`
* more usages of upload.content
* add a specific test for upload.content
* Adjust logic to ensure that after upgrades we still get a cached local js
on save
124 lines
3.5 KiB
Ruby
124 lines
3.5 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
module ThemeStore; end
|
|
|
|
class ThemeStore::GitImporter
|
|
COMMAND_TIMEOUT_SECONDS = 20
|
|
|
|
attr_reader :url
|
|
|
|
def initialize(url, private_key: nil, branch: nil)
|
|
@url = url
|
|
if @url.start_with?("https://github.com") && !@url.end_with?(".git")
|
|
@url = @url.gsub(/\/$/, '')
|
|
@url += ".git"
|
|
end
|
|
@temp_folder = "#{Pathname.new(Dir.tmpdir).realpath}/discourse_theme_#{SecureRandom.hex}"
|
|
@private_key = private_key
|
|
@branch = branch
|
|
end
|
|
|
|
def import!
|
|
if @private_key
|
|
import_private!
|
|
else
|
|
import_public!
|
|
end
|
|
if version = Discourse.find_compatible_git_resource(@temp_folder)
|
|
begin
|
|
execute "git", "cat-file", "-e", version
|
|
rescue RuntimeError => e
|
|
tracking_ref = execute "git", "rev-parse", "--abbrev-ref", "--symbolic-full-name", "@{upstream}"
|
|
remote_name = tracking_ref.split("/", 2)[0]
|
|
execute "git", "fetch", remote_name, "#{version}:#{version}"
|
|
end
|
|
|
|
begin
|
|
execute "git", "reset", "--hard", version
|
|
rescue RuntimeError
|
|
raise RemoteTheme::ImportError.new(I18n.t("themes.import_error.git_ref_not_found", ref: version))
|
|
end
|
|
end
|
|
end
|
|
|
|
def commits_since(hash)
|
|
commit_hash, commits_behind = nil
|
|
|
|
commit_hash = execute("git", "rev-parse", "HEAD").strip
|
|
commits_behind = execute("git", "rev-list", "#{hash}..HEAD", "--count").strip rescue -1
|
|
|
|
[commit_hash, commits_behind]
|
|
end
|
|
|
|
def version
|
|
execute("git", "rev-parse", "HEAD").strip
|
|
end
|
|
|
|
def cleanup!
|
|
FileUtils.rm_rf(@temp_folder)
|
|
end
|
|
|
|
def real_path(relative)
|
|
fullpath = "#{@temp_folder}/#{relative}"
|
|
return nil unless File.exist?(fullpath)
|
|
|
|
# careful to handle symlinks here, don't want to expose random data
|
|
fullpath = Pathname.new(fullpath).realpath.to_s
|
|
|
|
if fullpath && fullpath.start_with?(@temp_folder)
|
|
fullpath
|
|
else
|
|
nil
|
|
end
|
|
end
|
|
|
|
def all_files
|
|
Dir.glob("**/*", base: @temp_folder).reject { |f| File.directory?(File.join(@temp_folder, f)) }
|
|
end
|
|
|
|
def [](value)
|
|
fullpath = real_path(value)
|
|
return nil unless fullpath
|
|
File.read(fullpath)
|
|
end
|
|
|
|
protected
|
|
|
|
def import_public!
|
|
begin
|
|
if @branch.present?
|
|
Discourse::Utils.execute_command({ "GIT_TERMINAL_PROMPT" => "0" }, "git", "clone", "--single-branch", "-b", @branch, @url, @temp_folder)
|
|
else
|
|
Discourse::Utils.execute_command({ "GIT_TERMINAL_PROMPT" => "0" }, "git", "clone", @url, @temp_folder)
|
|
end
|
|
rescue RuntimeError
|
|
raise RemoteTheme::ImportError.new(I18n.t("themes.import_error.git"))
|
|
end
|
|
end
|
|
|
|
def import_private!
|
|
ssh_folder = "#{Pathname.new(Dir.tmpdir).realpath}/discourse_theme_ssh_#{SecureRandom.hex}"
|
|
FileUtils.mkdir_p ssh_folder
|
|
|
|
File.write("#{ssh_folder}/id_rsa", @private_key)
|
|
FileUtils.chmod(0600, "#{ssh_folder}/id_rsa")
|
|
|
|
begin
|
|
git_ssh_command = { 'GIT_SSH_COMMAND' => "ssh -i #{ssh_folder}/id_rsa -o StrictHostKeyChecking=no" }
|
|
if @branch.present?
|
|
Discourse::Utils.execute_command(git_ssh_command, "git", "clone", "--single-branch", "-b", @branch, @url, @temp_folder)
|
|
else
|
|
Discourse::Utils.execute_command(git_ssh_command, "git", "clone", @url, @temp_folder)
|
|
end
|
|
rescue RuntimeError
|
|
raise RemoteTheme::ImportError.new(I18n.t("themes.import_error.git"))
|
|
end
|
|
ensure
|
|
FileUtils.rm_rf ssh_folder
|
|
end
|
|
|
|
def execute(*args)
|
|
Discourse::Utils.execute_command(*args, chdir: @temp_folder, timeout: COMMAND_TIMEOUT_SECONDS)
|
|
end
|
|
end
|