authorPascal Terjan <pterjan@gmail.com>2016-02-07 13:18:50 +0100
committerOlivier Blin <dev@blino.org>2016-02-07 13:59:29 +0100
commitd1231434e7aaa67247e031e67536c700dc2cebf1 (patch)
tree33de870bbe6ba1d15039542a620ffa7051dc2b1a
parentf7598c059717dcec44486be9747af8fe5221f208 (diff)
Switch to Apache 2.4 auth config for repository vhost
-rw-r--r--deployment/mga_buildsystem/manifests/config.pp34
-rw-r--r--modules/buildsystem/manifests/var/distros.pp3
-rw-r--r--modules/buildsystem/templates/vhost_repository.conf27
3 files changed, 47 insertions, 17 deletions
diff --git a/deployment/mga_buildsystem/manifests/config.pp b/deployment/mga_buildsystem/manifests/config.pp
index b693ae90..885d3c3d 100644
--- a/deployment/mga_buildsystem/manifests/config.pp
+++ b/deployment/mga_buildsystem/manifests/config.pp
@@ -142,7 +142,7 @@ class mga_buildsystem::config {
'vendor' => 'Mageia.Org',
'_real_vendor' => 'mageia',
}
- $repo_allow_from = [
+ $repo_allow_from_ips = [
$::nodes_ipaddr[valstar][ipv6],
$::nodes_ipaddr[valstar][ipv4],
$::nodes_ipaddr[duvel][ipv6],
@@ -151,7 +151,6 @@ class mga_buildsystem::config {
$::nodes_ipaddr[ecosse][ipv4],
$::nodes_ipaddr[jonund][ipv6],
$::nodes_ipaddr[jonund][ipv4],
- ".${::domain}",
'10.42.0',
$::nodes_ipaddr[rabbit][ipv4],
$::nodes_ipaddr[rabbit][ipv6],
@@ -162,6 +161,9 @@ class mga_buildsystem::config {
$::nodes_ipaddr[armagnac][ipv4],
$::nodes_ipaddr[armada][ipv4],
]
+ $repo_allow_from_domains = [
+ ".${::domain}",
+ ]
# the list of checks, actions, posts for cauldron in youri-upload
$cauldron_youri_upload_targets = {
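Review bot: `$repo_allow_from_domains` has no comment saying that its entries are rendered as `Require host` rules, which Apache evaluates with a double reverse DNS lookup on the client address. Access granted through `.${::domain}` therefore depends on the PTR and forward records for that zone rather than on a fixed address, unlike the `_ips` list above it. I would add a comment above the assignment, for example `# rendered as "Require host": matched via reverse DNS with forward confirmation, so only as trustworthy as DNS for this domain`. The class body continues outside this hunk.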
@@ -538,7 +540,8 @@ class mga_buildsystem::config {
'version' => '6',
'submit_allowed' => "${svn_root_packages}/cauldron",
'macros' => $std_macros,
- 'repo_allow_from' => $repo_allow_from,
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
'youri' => {
'upload' => {
'targets' => $cauldron_youri_upload_targets,
@@ -565,7 +568,8 @@ class mga_buildsystem::config {
'version' => '1',
'submit_allowed' => "${svn_root_packages}/updates/1",
'macros' => $std_macros,
- 'repo_allow_from' => $repo_allow_from,
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
'youri' => {
'upload' => {
'targets' => $std_youri_upload_targets,
@@ -592,7 +596,8 @@ class mga_buildsystem::config {
'version' => '2',
'submit_allowed' => "${svn_root_packages}/updates/2",
'macros' => $std_macros,
- 'repo_allow_from' => $repo_allow_from,
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
'youri' => {
'upload' => {
'targets' => $std_youri_upload_targets,
@@ -620,7 +625,8 @@ class mga_buildsystem::config {
'submit_allowed' => "${svn_root_packages}/updates/3",
'backports_allowed' => "${svn_root_packages}/backports/3",
'macros' => $std_macros,
- 'repo_allow_from' => $repo_allow_from,
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
'youri' => {
'upload' => {
'targets' => $std_youri_upload_targets,
@@ -648,7 +654,8 @@ class mga_buildsystem::config {
'submit_allowed' => "${svn_root_packages}/updates/4",
'backports_allowed' => "${svn_root_packages}/backports/4",
'macros' => $std_macros,
- 'repo_allow_from' => $repo_allow_from,
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
'youri' => {
'upload' => {
'targets' => $std_youri_upload_targets,
@@ -676,7 +683,8 @@ class mga_buildsystem::config {
'submit_allowed' => "${svn_root_packages}/updates/5",
'backports_allowed' => "${svn_root_packages}/backports/5",
'macros' => $std_macros,
- 'repo_allow_from' => $repo_allow_from,
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
'youri' => {
'upload' => {
'targets' => $std_youri_upload_targets,
@@ -707,6 +715,8 @@ class mga_buildsystem::config {
'core' => [ 'release', 'updates' ],
},
},
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
'youri' => {
'upload' => {
'targets' => $infra_youri_upload_targets,
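Review bot: These two keys are pure additions here and in the four hunks that follow (L120–L155), with no `repo_allow_from` line removed, so these distro sections appear to have been unrestricted before and now receive the build-node allow-list. That changes who can reach those repositories, which goes beyond the directive syntax switch described in the commit title. If the tightening is intended, record it in the commit message or in a comment next to the keys, e.g. `# restrict this repo to the build nodes (was unrestricted)`; if it is not, leave the keys out so the template keeps rendering `Require all granted` for these entries. The surrounding hash entries start and end outside the hunk.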
@@ -738,6 +748,8 @@ class mga_buildsystem::config {
'core' => [ 'release', 'updates' ],
},
},
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
'youri' => {
'upload' => {
'targets' => $infra_youri_upload_targets,
@@ -769,6 +781,8 @@ class mga_buildsystem::config {
'core' => [ 'release', 'updates' ],
},
},
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
'youri' => {
'upload' => {
'targets' => $infra_youri_upload_targets,
@@ -800,6 +814,8 @@ class mga_buildsystem::config {
'core' => [ 'release', 'updates' ],
},
},
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
'youri' => {
'upload' => {
'targets' => $infra_youri_upload_targets,
@@ -831,6 +847,8 @@ class mga_buildsystem::config {
'core' => [ 'release', 'updates' ],
},
},
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
'youri' => {
'upload' => {
'targets' => $infra_youri_upload_targets,
diff --git a/modules/buildsystem/manifests/var/distros.pp b/modules/buildsystem/manifests/var/distros.pp
index aa303191..72b386cc 100644
--- a/modules/buildsystem/manifests/var/distros.pp
+++ b/modules/buildsystem/manifests/var/distros.pp
@@ -75,7 +75,8 @@
# # list of IP or hostnames allowed to access this distro on the
# # repository. If you don't want to filter allowed IPs, don't set
# # this value
-# 'repo_allow_from' => [ '127.0.0.1', '10.0.0.1', ".${::domain}" ],
+# 'repo_allow_from_ips' => [ '127.0.0.1', '10.0.0.1' ],
+# 'repo_allow_from_domains' => [ ".${::domain}" ],
# Optionally, the distribution can be based on the repos from an other
# distribution. In this example we're saying that the distribution is
# based on 2/core/release and 2/core/updates.
diff --git a/modules/buildsystem/templates/vhost_repository.conf b/modules/buildsystem/templates/vhost_repository.conf
index d16cdb63..45ebaf32 100644
--- a/modules/buildsystem/templates/vhost_repository.conf
+++ b/modules/buildsystem/templates/vhost_repository.conf
@@ -23,7 +23,21 @@ distros = scope.lookupvar('buildsystem::var::distros::distros')
<%-
distros.keys.sort.each{|distroname|
distro = distros[distroname]
- allow_from = distro['repo_allow_from'] != nil ? distro['repo_allow_from'] : [ 'all' ]
+ if distro['repo_allow_from_ips'] != nil || distro['repo_allow_from_domains'] != nil then
+ access_requires = [ 'all denied' ]
+ if distro['repo_allow_from_ips'] != nil then
+ for allow in distro['repo_allow_from_ips'] do
+ access_requires << 'ip ' + allow
+ end
+ end
+ if distro['repo_allow_from_domains'] != nil then
+ for allow in distro['repo_allow_from_domains'] do
+ access_requires << 'host ' + allow
+ end
+ end
+ else
+ access_requires = [ 'all granted' ]
+ end
%>
Alias /bootstrap/<%= distroname %>/ "<%= bootstrap_reporoot %>/<%= distroname %>/"
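Review bot: The `else` branch falls back to `Require all granted` whenever neither new key is set, so a distro definition that still uses the old `repo_allow_from` key is silently rendered as open to everyone instead of filtered. Every use visible in this commit is renamed, but a definition elsewhere would not be caught. A guard before the `if` makes the rename fail loudly: `raise "#{distroname}: repo_allow_from was replaced by repo_allow_from_ips/_domains" if distro['repo_allow_from'] != nil`. Separately, `'ip ' + allow` raises on a nil list entry, so a node lacking one of the looked-up addresses would likely break rendering of the whole vhost; `"ip #{allow}"` with a skip for nil or empty values would be more forgiving. The `each` block opened in this hunk closes outside it.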
@@ -33,11 +47,10 @@ distros = scope.lookupvar('buildsystem::var::distros::distros')
<Directory <%= bootstrap_reporoot %>/<%= distroname %>>
Header append Cache-Control "public, must-revalidate"
- Order deny,allow
<%-
- for allow in allow_from do
+ for req in access_requires do
-%>
- Allow from <%= allow %>
+ Require <%= req %>
<%-
end
-%>
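Review bot: The generated `Require` lines sit directly inside `<Directory>`, where Apache 2.4 combines them as an implicit RequireAny, so the leading `Require all denied` has no effect and any directive added later (for example `Require valid-user`) would widen access rather than narrow it. Wrapping the loop in `<RequireAny>` and `</RequireAny>` states the intent explicitly; the same applies to the mirror `<Directory>` hunk below. Note also that this bootstrap block had no `Deny from all` before, so under `Order deny,allow` the old list was not actually enforced here, whereas the new rules do enforce it. That is worth mentioning in the commit message. The `<Directory>` section closes outside the hunk.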
@@ -46,12 +59,10 @@ distros = scope.lookupvar('buildsystem::var::distros::distros')
<Directory <%= mirror_reporoot %>/<%= distroname %>>
Header append Cache-Control "public, must-revalidate"
- Order deny,allow
- Deny from all
<%-
- for allow in allow_from do
+ for req in access_requires do
-%>
- Allow from <%= allow %>
+ Require <%= req %>
<%-
end
-%>