From d1231434e7aaa67247e031e67536c700dc2cebf1 Mon Sep 17 00:00:00 2001 From: Pascal Terjan Date: Sun, 7 Feb 2016 13:18:50 +0100 Subject: Switch to Apache 2.4 auth config for repository vhost --- deployment/mga_buildsystem/manifests/config.pp | 34 +++++++++++++++++----- modules/buildsystem/manifests/var/distros.pp | 3 +- .../buildsystem/templates/vhost_repository.conf | 27 ++++++++++++----- 3 files changed, 47 insertions(+), 17 deletions(-) diff --git a/deployment/mga_buildsystem/manifests/config.pp b/deployment/mga_buildsystem/manifests/config.pp index b693ae90..885d3c3d 100644 --- a/deployment/mga_buildsystem/manifests/config.pp +++ b/deployment/mga_buildsystem/manifests/config.pp @@ -142,7 +142,7 @@ class mga_buildsystem::config { 'vendor' => 'Mageia.Org', '_real_vendor' => 'mageia', } - $repo_allow_from = [ + $repo_allow_from_ips = [ $::nodes_ipaddr[valstar][ipv6], $::nodes_ipaddr[valstar][ipv4], $::nodes_ipaddr[duvel][ipv6], @@ -151,7 +151,6 @@ class mga_buildsystem::config { $::nodes_ipaddr[ecosse][ipv4], $::nodes_ipaddr[jonund][ipv6], $::nodes_ipaddr[jonund][ipv4], - ".${::domain}", '10.42.0', $::nodes_ipaddr[rabbit][ipv4], $::nodes_ipaddr[rabbit][ipv6], @@ -162,6 +161,9 @@ class mga_buildsystem::config { $::nodes_ipaddr[armagnac][ipv4], $::nodes_ipaddr[armada][ipv4], ] + $repo_allow_from_domains = [ + ".${::domain}", + ] # the list of checks, actions, posts for cauldron in youri-upload $cauldron_youri_upload_targets = { @@ -538,7 +540,8 @@ class mga_buildsystem::config { 'version' => '6', 'submit_allowed' => "${svn_root_packages}/cauldron", 'macros' => $std_macros, - 'repo_allow_from' => $repo_allow_from, + 'repo_allow_from_ips' => $repo_allow_from_ips, + 'repo_allow_from_domains' => $repo_allow_from_domains, 'youri' => { 'upload' => { 'targets' => $cauldron_youri_upload_targets, 
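Review bot: The new `$repo_allow_from_domains` list in the `-162,6 +161,9` hunk has no comment saying that its entries become hostname-based rules, unlike the address entries left in `$repo_allow_from_ips`. Hostname matching depends on resolving the client address at request time, so that entry is only as strong as the DNS data for `${::domain}`, which is worth stating where the list is defined. I would add above it `# suffixes rendered as 'Require host'; matched via DNS lookup of the client address, so keep this list minimal`. The bare `'10.42.0'` prefix that stays in the IP list would also read more clearly with a comment naming the network it stands for.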
@@ -565,7 +568,8 @@ class mga_buildsystem::config {
 'version' => '1',
 'submit_allowed' => "${svn_root_packages}/updates/1",
 'macros' => $std_macros,
- 'repo_allow_from' => $repo_allow_from,
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
 'youri' => {
 'upload' => {
 'targets' => $std_youri_upload_targets,
@@ -592,7 +596,8 @@ class mga_buildsystem::config {
 'version' => '2',
 'submit_allowed' => "${svn_root_packages}/updates/2",
 'macros' => $std_macros,
- 'repo_allow_from' => $repo_allow_from,
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
 'youri' => {
 'upload' => {
 'targets' => $std_youri_upload_targets,
@@ -620,7 +625,8 @@ class mga_buildsystem::config {
 'submit_allowed' => "${svn_root_packages}/updates/3",
 'backports_allowed' => "${svn_root_packages}/backports/3",
 'macros' => $std_macros,
- 'repo_allow_from' => $repo_allow_from,
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
 'youri' => {
 'upload' => {
 'targets' => $std_youri_upload_targets,
@@ -648,7 +654,8 @@ class mga_buildsystem::config {
 'submit_allowed' => "${svn_root_packages}/updates/4",
 'backports_allowed' => "${svn_root_packages}/backports/4",
 'macros' => $std_macros,
- 'repo_allow_from' => $repo_allow_from,
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
 'youri' => {
 'upload' => {
 'targets' => $std_youri_upload_targets,
@@ -676,7 +683,8 @@ class mga_buildsystem::config {
 'submit_allowed' => "${svn_root_packages}/updates/5",
 'backports_allowed' => "${svn_root_packages}/backports/5",
 'macros' => $std_macros,
- 'repo_allow_from' => $repo_allow_from,
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
 'youri' => {
 'upload' => {
 'targets' => $std_youri_upload_targets,
@@ -707,6 +715,8 @@ class mga_buildsystem::config {
 'core' => [ 'release', 'updates' ],
 },
 },
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
 'youri' => {
 'upload' => {
 'targets' => $infra_youri_upload_targets,
@@ -738,6 +748,8 @@ class mga_buildsystem::config {
 'core' => [ 'release', 'updates' ],
 },
 },
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
 'youri' => {
 'upload' => {
 'targets' => $infra_youri_upload_targets,
@@ -769,6 +781,8 @@ class mga_buildsystem::config {
 'core' => [ 'release', 'updates' ],
 },
 },
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
 'youri' => {
 'upload' => {
 'targets' => $infra_youri_upload_targets,
@@ -800,6 +814,8 @@ class mga_buildsystem::config {
 'core' => [ 'release', 'updates' ],
 },
 },
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
 'youri' => {
 'upload' => {
 'targets' => $infra_youri_upload_targets,
@@ -831,6 +847,8 @@ class mga_buildsystem::config {
 'core' => [ 'release', 'updates' ],
 },
 },
+ 'repo_allow_from_ips' => $repo_allow_from_ips,
+ 'repo_allow_from_domains' => $repo_allow_from_domains,
 'youri' => {
 'upload' => {
 'targets' => $infra_youri_upload_targets,
diff --git a/modules/buildsystem/manifests/var/distros.pp b/modules/buildsystem/manifests/var/distros.pp
index aa303191..72b386cc 100644
--- a/modules/buildsystem/manifests/var/distros.pp
+++ b/modules/buildsystem/manifests/var/distros.pp
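Review bot: The five hunks from `-707,6` to `-831,6` add both allow-list keys to distro definitions whose context lines show no `repo_allow_from` entry, so these repositories appear to move from unrestricted to allow-listed access, which the commit subject (a syntax switch) does not mention. If that tightening is intended, a one-line comment at the first of them, such as `# restricted to the build hosts, same list as the release distros`, would record it. If it is not intended, leave the keys out so the template keeps emitting `all granted` for them. The distro hashes start and end outside these hunks, so an existing key further up cannot be ruled out.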
@@ -75,7 +75,8 @@ # # list of IP or hostnames allowed to access this distro on the # # repository. If you don't want to filter allowed IPs, don't set # # this value -# 'repo_allow_from' => [ '127.0.0.1', '10.0.0.1', ".${::domain}" ], +# 'repo_allow_from_ips' => [ '127.0.0.1', '10.0.0.1' ], +# 'repo_allow_from_domains' => [ ".${::domain}" ], # Optionally, the distribution can be based on the repos from an other # distribution. In this example we're saying that the distribution is # based on 2/core/release and 2/core/updates. diff --git a/modules/buildsystem/templates/vhost_repository.conf b/modules/buildsystem/templates/vhost_repository.conf index d16cdb63..45ebaf32 100644 --- a/modules/buildsystem/templates/vhost_repository.conf +++ b/modules/buildsystem/templates/vhost_repository.conf @@ -23,7 +23,21 @@ distros = scope.lookupvar('buildsystem::var::distros::distros') <%- distros.keys.sort.each{|distroname| distro = distros[distroname] - allow_from = distro['repo_allow_from'] != nil ? distro['repo_allow_from'] : [ 'all' ] + if distro['repo_allow_from_ips'] != nil || distro['repo_allow_from_domains'] != nil then + access_requires = [ 'all denied' ] + if distro['repo_allow_from_ips'] != nil then + for allow in distro['repo_allow_from_ips'] do + access_requires << 'ip ' + allow + end + end + if distro['repo_allow_from_domains'] != nil then + for allow in distro['repo_allow_from_domains'] do + access_requires << 'host ' + allow + end + end + else + access_requires = [ 'all granted' ] + end %> Alias /bootstrap/<%= distroname %>/ "<%= bootstrap_reporoot %>/<%= distroname %>/" @@ -33,11 +47,10 @@ distros = scope.lookupvar('buildsystem::var::distros::distros') /<%= distroname %>> Header append Cache-Control "public, must-revalidate" - Order deny,allow <%- - for allow in allow_from do + for req in access_requires do -%> - Allow from <%= allow %> + Require <%= req %> <%- end -%> 
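Review bot: The example comment still says "don't set this value" in the singular, but the setting is now two keys and, per the template change in this commit, defining either one makes the default `all denied`. I would reword the lines above the example to `# lists of IPs and of domain suffixes allowed to access this distro on the repository. Setting either key denies everyone not listed; leave both unset to allow all`. The comment block begins outside the hunk.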
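Review bot: The `else` branch in the `-23,7 +23,21` hunk falls back to `all granted` whenever neither new key is present, so a distro definition that still carries the old `repo_allow_from` key is silently served to everyone after this rename. A guard before the `if` would turn that into a render failure instead: `raise ArgumentError, "#{distroname}: repo_allow_from was split into repo_allow_from_ips and repo_allow_from_domains" if distro.key?('repo_allow_from')`. Separately, `'ip ' + allow` raises on a non-String entry and renders a bare `Require ip` for an empty one, so skipping empty entries with `next if allow.to_s.empty?` keeps one undefined fact from breaking the whole vhost file. The enclosing `each` block starts and ends outside the hunk.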
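Review bot: The first block in the `-33,11` hunk loses only `Order deny,allow`, with no `Deny from all`, whereas the `-46,12` hunk removes both; under the old syntax that ordering allows by default, so the `Allow from` lines in this block did not restrict anything. With `all denied` at the head of `access_requires` the same block now enforces the list, which is a behaviour change for clients of this path and deserves a line in the commit message or a template comment. A comment above both loops, `# bare Require lines are OR-ed: any matching ip/host entry grants access`, would also make the allow-list semantics explicit. The container directive lies outside the hunk, so which path this covers is inferred from the `Alias /bootstrap/` line in the previous hunk.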
@@ -46,12 +59,10 @@ distros = scope.lookupvar('buildsystem::var::distros::distros') /<%= distroname %>> Header append Cache-Control "public, must-revalidate" - Order deny,allow - Deny from all <%- - for allow in allow_from do + for req in access_requires do -%> - Allow from <%= allow %> + Require <%= req %> <%- end -%> -- cgit v1.2.1