particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

kojiapi: add domain allowlist

Browse source 
This commit adds a domain allowlist which works the same way as the one
for remote workers.

To accept just w1.osbuild.org and w2.osbuild.org, use:

[koji]
domain_allowlist = [ "w1.osbuild.org", "w2.osbuild.org" ]
This commit is contained in:
Ondřej Budai 2020-09-21 12:17:56 +02:00 committed by Tom Gundersen
parent c9abb66637
commit 7fc3b47348
2 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
cmd/osbuild-composer/main.go
View file

@ -79,6 +79,7 @@ func main() {
KeyTab string `toml:"keytab"` KeyTab string `toml:"keytab"`
} `toml:"kerberos,omitempty"` } `toml:"kerberos,omitempty"`
} `toml:"servers"` } `toml:"servers"`
AllowedDomains []string `toml:"allowed_domains"`
} `toml:"koji"` } `toml:"koji"`
Worker *struct { Worker *struct {
AllowedDomains []string `toml:"allowed_domains"` AllowedDomains []string `toml:"allowed_domains"`
@ -213,6 +214,7 @@ func main() {
CACertFile: "/etc/osbuild-composer/ca-crt.pem", CACertFile: "/etc/osbuild-composer/ca-crt.pem",
ServerKeyFile: "/etc/osbuild-composer/composer-key.pem", ServerKeyFile: "/etc/osbuild-composer/composer-key.pem",
ServerCertFile: "/etc/osbuild-composer/composer-crt.pem", ServerCertFile: "/etc/osbuild-composer/composer-crt.pem",
AllowedDomains: config.Koji.AllowedDomains,
}) })
if err != nil { if err != nil {
log.Fatalf("TLS configuration cannot be created: " + err.Error()) log.Fatalf("TLS configuration cannot be created: " + err.Error())

3
test/image-tests/osbuild-composer.toml
View file

@ -1,3 +1,6 @@
[koji]
allowed_domains = [ "localhost", "*.osbuild.org" ]
[koji.servers.localhost.kerberos] [koji.servers.localhost.kerberos]
principal = "osbuild-krb@LOCAL" principal = "osbuild-krb@LOCAL"
keytab = "/etc/osbuild-composer/client.keytab" keytab = "/etc/osbuild-composer/client.keytab"