From d1231434e7aaa67247e031e67536c700dc2cebf1 Mon Sep 17 00:00:00 2001
From: Pascal Terjan
Date: Sun, 7 Feb 2016 13:18:50 +0100
Subject: Switch to Apache 2.4 auth config for repository vhost
---
modules/buildsystem/manifests/var/distros.pp | 3 ++-
.../buildsystem/templates/vhost_repository.conf | 27 +++++++++++++++-------
2 files changed, 21 insertions(+), 9 deletions(-)
(limited to 'modules')
diff --git a/modules/buildsystem/manifests/var/distros.pp b/modules/buildsystem/manifests/var/distros.pp
index aa303191..72b386cc 100644
--- a/modules/buildsystem/manifests/var/distros.pp
+++ b/modules/buildsystem/manifests/var/distros.pp
@@ -75,7 +75,8 @@
 # # list of IP or hostnames allowed to access this distro on the
 # # repository. If you don't want to filter allowed IPs, don't set
 # # this value
-# 'repo_allow_from' => [ '127.0.0.1', '10.0.0.1', ".${::domain}" ],
+# 'repo_allow_from_ips' => [ '127.0.0.1', '10.0.0.1' ],
+# 'repo_allow_from_domains' => [ ".${::domain}" ],
 # Optionally, the distribution can be based on the repos from an other
 # distribution. In this example we're saying that the distribution is
 # based on 2/core/release and 2/core/updates.
diff --git a/modules/buildsystem/templates/vhost_repository.conf b/modules/buildsystem/templates/vhost_repository.conf
index d16cdb63..45ebaf32 100644
--- a/modules/buildsystem/templates/vhost_repository.conf
+++ b/modules/buildsystem/templates/vhost_repository.conf
@@ -23,7 +23,21 @@ distros = scope.lookupvar('buildsystem::var::distros::distros') <%- distros.keys.sort.each{|distroname| distro = distros[distroname] - allow_from = distro['repo_allow_from'] != nil ? distro['repo_allow_from'] : [ 'all' ] + if distro['repo_allow_from_ips'] != nil || distro['repo_allow_from_domains'] != nil then + access_requires = [ 'all denied' ] + if distro['repo_allow_from_ips'] != nil then + for allow in distro['repo_allow_from_ips'] do + access_requires << 'ip ' + allow + end + end + if distro['repo_allow_from_domains'] != nil then + for allow in distro['repo_allow_from_domains'] do + access_requires << 'host ' + allow + end + end + else + access_requires = [ 'all granted' ] + end %> Alias /bootstrap/<%= distroname %>/ "<%= bootstrap_reporoot %>/<%= distroname %>/" @@ -33,11 +47,10 @@ distros = scope.lookupvar('buildsystem::var::distros::distros') /<%= distroname %>> Header append Cache-Control "public, must-revalidate" - Order deny,allow <%- - for allow in allow_from do + for req in access_requires do -%> - Allow from <%= allow %> + Require <%= req %> <%- end -%> @@ -46,12 +59,10 @@ distros = scope.lookupvar('buildsystem::var::distros::distros') /<%= distroname %>> Header append Cache-Control "public, must-revalidate" - Order deny,allow - Deny from all <%- - for allow in allow_from do + for req in access_requires do -%> - Allow from <%= allow %> + Require <%= req %> <%- end -%> -- cgit v1.2.1
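Review bot: A distro that still sets the old `repo_allow_from` key now falls into the `else` branch and is rendered with `Require all granted`, because the new condition only tests `repo_allow_from_ips` and `repo_allow_from_domains`; a repository that used to be filtered would become open with no error at catalog compile time. Whether any distro definition outside this patch still uses the old key is not visible here, so the template should refuse the legacy key instead of ignoring it, e.g. `raise Puppet::ParseError, "#{distroname}: repo_allow_from was replaced by repo_allow_from_ips / repo_allow_from_domains" if distro['repo_allow_from']` placed just before the new `if`. The surrounding `distros.keys.sort.each{` block closes outside this hunk.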
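Review bot: The generated `Require` lines need a comment saying how they combine, both in this block and in the identical loop in the following hunk. When a filter is set the list is `all denied` followed by `ip …` / `host …` entries, which only works because Apache 2.4 treats sibling `Require` directives as an implicit `<RequireAny>`; `all denied` never grants on its own, and wrapping these lines in `<RequireAll>` later would deny every client. I would add an ERB comment above the loop, `<%# Require lines are OR-ed (implicit RequireAny); "all denied" alone means no client matches %>`, and mention there that `host` entries are resolved through reverse and forward DNS lookups, so those rules are only as trustworthy as the resolver the server uses. The enclosing Directory block is only partly visible on this page.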