2 configurations for the listeners are now possible:
- enableJWT=false with client ssl auth
- enableJWT=true with https
Actual verification of the tokens is handled by
https://github.com/openshift-online/ocm-sdk-go.
An authentication handler is run as the top level handler, before any
routing is done. Routes which do not require authentication should be
listed as exceptions.
Authentication can be restricted using an ACL file which allows
filtering based on JWT claims. For more information see the inline
comments in ocm-sdk/authentication.
As an added quirk the `-v` flag for the osbuild-composer executable was
changed to `-verbose` to avoid flag collision with glog which declares
the `-v` flag in the package `init()` function. The ocm-sdk depends on
glog and pulls it in.
The `ec2` and `ec2-ha` images include RHUI client packages, which are
not publicly available. For this reason, building of such images in the
on-premise use case via WeldrAPI would always fail, unless the system
would be inside the Red Hat internal network or VPN.
Mark the `ec2` and `ec2-ha` image types for `rhel-*` distribution as
denied in WeldrAPI by default.
Extend and modify affected unit tests.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Change the Image Type denylist in Weldr API from being applied to all
distributions to being distribution-specific. A special name `*`
can be used in the configuration to match any distribution
or any image type.
Modify NEWS entry and unit tests to reflect this change.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Extend Weldr API to accept a list of denied image types, which should
not be exposed via API for any supported distribution. This
functionality will be needed to not expose image types which can't be
successfully built outside of Red Hat VPN. Example of such images are
the official RHEL EC2 images, which include RHUI client packages not
available publicly.
Image Types are filters when listing available compose types and
creating a new compose using Weldr API.
Extend osbuild-composer configuration to allow specifying the list of
denied Image Types for Weldr API.
Add unit tests for implemented changes.
Add NEWS entry describing the newly introduced functionality.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Now that all interaciton with the koji API happens in the workers
we can drop koji configuration from composer itself. This means
that composer no longer needs to be provisioned with kerberos
credentials, and does not need to know about which koji servers
the workers support.
The default values of fields in both ComposerConfig.Koji and
ComposerConfig.Worker are well-suited for how they're used.
The nil-checks in main.go only checked that the sections exist. This is
quite a weak check for validity, because the sections could be empty. If
anything is required for composer to function, we could add proper
validation in the future.
Do the same for the CA fields, which contain file names. Go has lots of
precedent for using empty strings to denote "no value" in the standard
library. Use it for CA files, too, instead of pointers.
