From d07200b88174d322023f7915cc8b4ec1aaeb2f5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Nowak?= <luke@nexedi.com>
Date: Tue, 17 May 2011 17:51:48 +0200
Subject: [PATCH] Fix implementation following backend scenario.

Backend will know (somehow) the list of possible frontends which are allowed
to access it -- and to access it fully.

Snippet for security per location is left for future frontend
implementation.
---
 .../erp5/src/slapos/recipe/erp5/__init__.py   | 24 ++++++++-----------
 .../apache.zope.conf.path-protected.in        |  7 ++++++
 2 files changed, 17 insertions(+), 14 deletions(-)
 create mode 100644 slapos/recipe/erp5/src/slapos/recipe/erp5/template/apache.zope.conf.path-protected.in

diff --git a/slapos/recipe/erp5/src/slapos/recipe/erp5/__init__.py b/slapos/recipe/erp5/src/slapos/recipe/erp5/__init__.py
index 05d6725be7..b3514c0528 100644
--- a/slapos/recipe/erp5/src/slapos/recipe/erp5/__init__.py
+++ b/slapos/recipe/erp5/src/slapos/recipe/erp5/__init__.py
@@ -697,17 +697,18 @@ class Recipe(BaseSlapRecipe):
     return apache_conf
 
   def _writeApacheConfiguration(self, prefix, apache_conf, backend,
-      location_access_mapping=None):
-    if location_access_mapping is None:
-      location_access_mapping = {}
+      access_control_string=None):
     rewrite_rule_template = \
         "RewriteRule (.*) http://%(backend)s$1 [L,P]"
-    path_template = pkg_resources.resource_string(__name__,
-      'template/apache.zope.conf.path.in')
-    if location_access_mapping is None:
+    if access_control_string is None:
+      path_template = pkg_resources.resource_string(__name__,
+        'template/apache.zope.conf.path.in')
       path = path_template % dict(path='/')
     else:
-      path = ''
+      path_template = pkg_resources.resource_string(__name__,
+        'template/apache.zope.conf.path-protected.in')
+      path = path_template % dict(path='/',
+          access_control_string=access_control_string)
     d = dict(
           path=path,
           backend=backend,
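Review bot: `access_control_string` is substituted verbatim into the `Allow from %(access_control_string)s` line of the new path-protected template, and nothing in this hunk checks its content. Where the value comes from is not visible here (the commit message says the backend will know it "somehow"), so a value containing a line break could add directives to the generated Apache configuration, and an empty string takes the protected branch but leaves `Allow from` without an argument. A guard placed before the template is formatted would cover both, e.g. `if not access_control_string.strip() or '\n' in access_control_string or '\r' in access_control_string: raise ValueError('invalid access_control_string')`. The default of `None` also selects the unrestricted template, so any caller that omits the argument fails open; a docstring stating this would make the choice explicit. The body of `_writeApacheConfiguration` continues outside the hunk.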
@@ -722,15 +723,10 @@ class Recipe(BaseSlapRecipe):
     ))
     apache_conf_string = pkg_resources.resource_string(__name__,
           'template/apache.zope.conf.in') % apache_conf
-    location_template = pkg_resources.resource_string(__name__,
-          'template/apache.location-snippet.conf.in')
-    for location, allow_string in location_access_mapping.iteritems():
-      apache_conf_string += '\n' + location_template % dict(location=location,
-          allow_string=allow_string) + '\n'
     return self.createConfigurationFile(prefix + '.conf', apache_conf_string)
 
   def installLoginApache(self, ip, port, backend, key, certificate,
-      suffix='', location_access_mapping=None):
+      suffix='', access_control_string=None):
     ssl_template = """SSLEngine on
 SSLCertificateFile %(login_certificate)s
 SSLCertificateKeyFile %(login_key)s
@@ -743,7 +739,7 @@ SSLRandomSeed connect builtin
     apache_conf['ssl_snippet'] = ssl_template % dict(
         login_certificate=certificate, login_key=key)
     apache_config_file = self._writeApacheConfiguration('login_apache'+suffix,
-        apache_conf, backend, location_access_mapping)
+        apache_conf, backend, access_control_string)
     self.path_list.append(apache_config_file)
     self.path_list.extend(zc.buildout.easy_install.scripts([(
       'login_apache'+suffix,
diff --git a/slapos/recipe/erp5/src/slapos/recipe/erp5/template/apache.zope.conf.path-protected.in b/slapos/recipe/erp5/src/slapos/recipe/erp5/template/apache.zope.conf.path-protected.in
new file mode 100644
index 0000000000..46921da448
--- /dev/null
+++ b/slapos/recipe/erp5/src/slapos/recipe/erp5/template/apache.zope.conf.path-protected.in
@@ -0,0 +1,7 @@
+# Path protected
+<Location %(path)s>
+  Order Deny,Allow
+  Deny from all
+  Allow from %(access_control_string)s
+</Location>
+
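Review bot: The header comment `# Path protected` does not say what format `access_control_string` must have, and `Allow from` accepts host names as well as addresses, so a name-based entry would make the restriction depend on DNS lookups. I would document the expectation in the template itself, e.g. `# access_control_string: space-separated IP addresses or CIDR ranges of the allowed frontends; avoid host names`. The `Order`/`Deny`/`Allow` directives are the Apache 2.2 form; on 2.4 they need mod_access_compat or a `Require ip` equivalent, which may be worth a comment next to them.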
-- 
2.30.9