Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
103
Merge Requests
103
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Jobs
Commits
Open sidebar
nexedi
slapos
Commits
e337b853
Commit
e337b853
authored
Sep 29, 2023
by
Thomas Gambier
Browse files
Options
Browse Files
Download
Plain Diff
Update Release Candidate
parents
45b42e27
87b81684
Changes
8
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
39 additions
and
10 deletions
+39
-10
component/binutils/buildout.cfg
component/binutils/buildout.cfg
+1
-0
component/firewalld/buildout.cfg
component/firewalld/buildout.cfg
+1
-1
component/glib/buildout.cfg
component/glib/buildout.cfg
+3
-0
software/erp5/test/test/test_balancer.py
software/erp5/test/test/test_balancer.py
+28
-2
software/re6stnet/buildout.hash.cfg
software/re6stnet/buildout.hash.cfg
+1
-1
software/re6stnet/instance-re6stnet.cfg.in
software/re6stnet/instance-re6stnet.cfg.in
+1
-1
stack/erp5/buildout.hash.cfg
stack/erp5/buildout.hash.cfg
+1
-1
stack/erp5/haproxy.cfg.in
stack/erp5/haproxy.cfg.in
+3
-4
No files found.
component/binutils/buildout.cfg
View file @
e337b853
...
@@ -57,3 +57,4 @@ configure-options =
...
@@ -57,3 +57,4 @@ configure-options =
environment =
environment =
LDFLAGS=-L${gettext:location}/lib -lintl -Wl,-rpath=${gettext:location}/lib -Wl,-rpath=${zlib:location}/lib
LDFLAGS=-L${gettext:location}/lib -lintl -Wl,-rpath=${gettext:location}/lib -Wl,-rpath=${zlib:location}/lib
PATH=${texinfo7:location}/bin:${bison:location}/bin:${m4:location}/bin:%(PATH)s
PATH=${texinfo7:location}/bin:${bison:location}/bin:${m4:location}/bin:%(PATH)s
BISON_PKGDATADIR=${bison:location}/share/bison
component/firewalld/buildout.cfg
View file @
e337b853
...
@@ -76,7 +76,7 @@ environment =
...
@@ -76,7 +76,7 @@ environment =
CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi -L${zlib:location}/lib/ -Wl,-rpath=${zlib:location}/lib/
LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi -L${zlib:location}/lib/ -Wl,-rpath=${zlib:location}/lib/
GLIB_CFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
GLIB_CFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
GLIB_LIBS=-L${glib:location}/lib -lglib-2.0 -l
intl -l
gobject-2.0
GLIB_LIBS=-L${glib:location}/lib -lglib-2.0 -lgobject-2.0
FFI_CFLAGS=-I${libffi:location}/include
FFI_CFLAGS=-I${libffi:location}/include
FFI_LIBS=-L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi
FFI_LIBS=-L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi
GIR_DIR=${buildout:parts-directory}/${:_buildout_section_name_}/share/gir-1.0
GIR_DIR=${buildout:parts-directory}/${:_buildout_section_name_}/share/gir-1.0
...
...
component/glib/buildout.cfg
View file @
e337b853
...
@@ -14,6 +14,9 @@ extends =
...
@@ -14,6 +14,9 @@ extends =
parts =
parts =
glib
glib
[gcc]
min_version = 8
[glib]
[glib]
recipe = slapos.recipe.cmmi
recipe = slapos.recipe.cmmi
shared = true
shared = true
...
...
software/erp5/test/test/test_balancer.py
View file @
e337b853
...
@@ -805,7 +805,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
...
@@ -805,7 +805,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
).
json
()
).
json
()
self
.
assertEqual
(
result
[
'Incoming Headers'
].
get
(
'x-forwarded-for'
,
''
).
split
(
', '
)[
0
],
'1.2.3.4'
)
self
.
assertEqual
(
result
[
'Incoming Headers'
].
get
(
'x-forwarded-for'
,
''
).
split
(
', '
)[
0
],
'1.2.3.4'
)
def
test_x_forwarded_for_stripped_when_no
t_verified_connection
(
self
):
def
test_x_forwarded_for_stripped_when_no
_certificate
(
self
):
# type: () -> None
# type: () -> None
balancer_url
=
json
.
loads
(
self
.
computer_partition
.
getConnectionParameterDict
()[
'_'
])[
'default'
]
balancer_url
=
json
.
loads
(
self
.
computer_partition
.
getConnectionParameterDict
()[
'_'
])[
'default'
]
result
=
requests
.
get
(
result
=
requests
.
get
(
...
@@ -813,7 +813,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
...
@@ -813,7 +813,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
headers
=
{
'X-Forwarded-For'
:
'1.2.3.4'
},
headers
=
{
'X-Forwarded-For'
:
'1.2.3.4'
},
verify
=
False
,
verify
=
False
,
).
json
()
).
json
()
self
.
assertNot
Equal
(
result
[
'Incoming Headers'
].
get
(
'x-forwarded-for'
,
''
).
split
(
', '
)[
0
],
'1.2.3.4'
)
self
.
assertNot
In
(
'x-fowarded-for'
,
[
k
.
lower
()
for
k
in
result
[
'Incoming Headers'
].
keys
()]
)
balancer_url
=
json
.
loads
(
self
.
computer_partition
.
getConnectionParameterDict
()[
'_'
])[
'default-auth'
]
balancer_url
=
json
.
loads
(
self
.
computer_partition
.
getConnectionParameterDict
()[
'_'
])[
'default-auth'
]
with
self
.
assertRaisesRegex
(
Exception
,
"certificate required"
):
with
self
.
assertRaisesRegex
(
Exception
,
"certificate required"
):
requests
.
get
(
requests
.
get
(
...
@@ -822,6 +822,32 @@ class TestFrontendXForwardedFor(BalancerTestCase):
...
@@ -822,6 +822,32 @@ class TestFrontendXForwardedFor(BalancerTestCase):
verify
=
False
,
verify
=
False
,
)
)
def
test_x_forwarded_for_stripped_when_not_verified_certificate
(
self
):
# type: () -> None
balancer_url
=
json
.
loads
(
self
.
computer_partition
.
getConnectionParameterDict
()[
'_'
])[
'default'
]
# certificate from an unknown CA
another_unrelated_caucase
=
self
.
getManagedResource
(
'another_unrelated_caucase'
,
CaucaseService
)
unknown_client_certificate
=
self
.
getManagedResource
(
'unknown_client_certificate'
,
CaucaseCertificate
)
unknown_client_certificate
.
request
(
'unknown client certificate'
,
another_unrelated_caucase
)
result
=
requests
.
get
(
balancer_url
,
headers
=
{
'X-Forwarded-For'
:
'1.2.3.4'
},
cert
=
(
unknown_client_certificate
.
cert_file
,
unknown_client_certificate
.
key_file
),
verify
=
False
,
).
json
()
self
.
assertNotIn
(
'x-fowarded-for'
,
[
k
.
lower
()
for
k
in
result
[
'Incoming Headers'
].
keys
()])
balancer_url
=
json
.
loads
(
self
.
computer_partition
.
getConnectionParameterDict
()[
'_'
])[
'default-auth'
]
with
self
.
assertRaisesRegex
(
Exception
,
"unknown ca"
):
requests
.
get
(
balancer_url
,
headers
=
{
'X-Forwarded-For'
:
'1.2.3.4'
},
cert
=
(
unknown_client_certificate
.
cert_file
,
unknown_client_certificate
.
key_file
),
verify
=
False
,
)
class
TestServerTLSProvidedCertificate
(
BalancerTestCase
):
class
TestServerTLSProvidedCertificate
(
BalancerTestCase
):
"""Check that certificate and key can be provided as instance parameters.
"""Check that certificate and key can be provided as instance parameters.
...
...
software/re6stnet/buildout.hash.cfg
View file @
e337b853
...
@@ -18,7 +18,7 @@ md5sum = 7be0c21751f8385ef876c3d7192d4057
...
@@ -18,7 +18,7 @@ md5sum = 7be0c21751f8385ef876c3d7192d4057
[template-re6stnet]
[template-re6stnet]
filename = instance-re6stnet.cfg.in
filename = instance-re6stnet.cfg.in
md5sum = 01
a24f1983a1d40f31c4b36b7a2448fe
md5sum = 01
da4462b5e20cab73b87e7415f7483d
[template-apache-conf]
[template-apache-conf]
filename = apache.conf.in
filename = apache.conf.in
...
...
software/re6stnet/instance-re6stnet.cfg.in
View file @
e337b853
...
@@ -107,7 +107,7 @@ recipe = slapos.cookbook:wrapper
...
@@ -107,7 +107,7 @@ recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:services}/re6st-registry
wrapper-path = ${directory:services}/re6st-registry
pidfile = ${directory:run}/registry.pid
pidfile = ${directory:run}/registry.pid
command-line = {{ bin_directory }}/re6st-registry @${re6st-registry-conf:output}
command-line = {{ bin_directory }}/re6st-registry @${re6st-registry-conf:output}
hash-
existing-
files = ${re6st-registry-conf:output}
hash-files = ${re6st-registry-conf:output}
[cron-entry-re6st-backup]
[cron-entry-re6st-backup]
recipe = slapos.cookbook:cron.d
recipe = slapos.cookbook:cron.d
...
...
stack/erp5/buildout.hash.cfg
View file @
e337b853
...
@@ -94,7 +94,7 @@ md5sum = b0751d3d12cfcc8934cb1027190f5e5e
...
@@ -94,7 +94,7 @@ md5sum = b0751d3d12cfcc8934cb1027190f5e5e
[template-haproxy-cfg]
[template-haproxy-cfg]
filename = haproxy.cfg.in
filename = haproxy.cfg.in
md5sum =
1645ef8990ab2b50f91a4c02f0cf8882
md5sum =
85a8c0dadf7b648ef9748b6199dcfeb6
[template-rsyslogd-cfg]
[template-rsyslogd-cfg]
filename = rsyslogd.cfg.in
filename = rsyslogd.cfg.in
...
...
stack/erp5/haproxy.cfg.in
View file @
e337b853
...
@@ -154,7 +154,7 @@ defaults
...
@@ -154,7 +154,7 @@ defaults
{% for name, (port, _, certificate_authentication, timeout, backend_list) in sorted(six.iteritems(parameter_dict['backend-dict'])) -%}
{% for name, (port, _, certificate_authentication, timeout, backend_list) in sorted(six.iteritems(parameter_dict['backend-dict'])) -%}
listen family_{{ name }}
listen family_{{ name }}
{%- if parameter_dict.get('ca-cert') -%}
{%- if parameter_dict.get('ca-cert') -%}
{%- set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional' ) ~ ' crl-file ' ~ parameter_dict['crl'] %}
{%- set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional
crt-ignore-err all
' ) ~ ' crl-file ' ~ parameter_dict['crl'] %}
{%- else %}
{%- else %}
{%- set ssl_auth = '' %}
{%- set ssl_auth = '' %}
{%- endif %}
{%- endif %}
...
@@ -173,11 +173,10 @@ listen family_{{ name }}
...
@@ -173,11 +173,10 @@ listen family_{{ name }}
{%- endif %}
{%- endif %}
# remove X-Forwarded-For unless client presented a verified certificate
# remove X-Forwarded-For unless client presented a verified certificate
acl client_cert_verified ssl_c_used ssl_c_verify 0
http-request del-header X-Forwarded-For unless { ssl_c_verify 0 } { ssl_c_used 1 }
http-request del-header X-Forwarded-For unless client_cert_verified
# set Remote-User if client presented a verified certificate
# set Remote-User if client presented a verified certificate
http-request del-header Remote-User
http-request del-header Remote-User
http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if
client_cert_verified
http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if
{ ssl_c_verify 0 } { ssl_c_used 1 }
# logs
# logs
capture request header Referer len 512
capture request header Referer len 512
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment