From f8060b5a900ff848f6b8186ab2e0bba78cec2cdc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Kadl=C4=8D=C3=ADk?=
Date: Thu, 4 Apr 2019 13:50:23 +0200
Subject: [PATCH] Allow 'copr' user to run 'sign' command

See https://pagure.io/copr/copr/issue/636 By default only root can run the `sign` command. This check is applied within obs-signd code. We need to allow regular user in the config, see `man sign.conf`. Also /usr/bin/sign is owned by root:obsrun with -rwsr-x--- hence we need to add a user to the obsrun group.
---
 roles/copr/backend/tasks/main.yml | 2 +-
 roles/copr/backend/templates/sign.conf | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/copr/backend/tasks/main.yml b/roles/copr/backend/tasks/main.yml
index c484139087..3b3c497087 100644
--- a/roles/copr/backend/tasks/main.yml
+++ b/roles/copr/backend/tasks/main.yml
@@ -7,7 +7,7 @@
 # pre-create copr user and group with predefined uid and gid
 - group: name=copr gid=986
-- user: name=copr group=copr uid=989
+- user: name=copr group=copr uid=989 groups=obsrun
 - name: install copr-backend and copr-selinux
 dnf:
diff --git a/roles/copr/backend/templates/sign.conf b/roles/copr/backend/templates/sign.conf
index 1feebf3057..b6859773e9 100644
--- a/roles/copr/backend/templates/sign.conf
+++ b/roles/copr/backend/templates/sign.conf
@@ -1 +1,2 @@
 server: {{ keygen_host }}
+allowuser: copr
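Review bot: On the changed `user` line, `groups=obsrun` is given without `append=yes`, so Ansible's user module treats it as the complete list of supplementary groups and would remove any other group the copr account belongs to on each run. If that is not intended, `- user: name=copr group=copr uid=989 groups=obsrun append=yes` keeps existing memberships. The task also sits ahead of the package install task visible in the hunk, so if `obsrun` is only created by a package installed there (it looks like it ships with obs-signd), this step may fail on a fresh host; the ordering is worth confirming. A short comment such as `# obsrun: required to execute the setuid /usr/bin/sign` would record why the build account carries this group.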
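Review bot: `allowuser: copr` lands in the template with nothing recording that it only takes effect together with the obsrun membership set in tasks/main.yml, so a later change to one half can break signing or leave an unused grant in place. The line lets every process running as copr submit signing requests to `{{ keygen_host }}` through a setuid-root binary, which is worth stating where the grant is made. Assuming sign.conf accepts `#` comment lines (to be checked against `man sign.conf`), a line such as `# copr-backend signs as user copr; also needs membership in group obsrun (tasks/main.yml)` above the entry would do.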