[IMP] runbot: add blacklist support

Deny access to running builds by setting a white spaces separated list of ip's in `runbot.client.blacklist` config parameter.
2025-03-15 15:35:46 +07:00 · 2022-08-18 13:15:13 +02:00 · 2022-08-18 13:15:13 +02:00 · 4a0a2ab9b3
commit 4a0a2ab9b3
parent b44ed5f7a6
2 changed files with 21 additions and 1 deletions
--- a/runbot/models/runbot.py
+++ b/runbot/models/runbot.py
@ -8,6 +8,7 @@ import subprocess
 import shutil

 from contextlib import contextmanager
+from pathlib import Path
 from requests.exceptions import HTTPError
 from subprocess import CalledProcessError

@ -162,7 +163,7 @@ class Runbot(models.AbstractModel):
        if os.path.isfile(nginx_conf_path):
            with open(nginx_conf_path, 'r') as f:
                content = f.read()
-        if content != nginx_config:
+        if content != nginx_config or self._write_nginx_blacklist():
            _logger.info('reload nginx')
            with open(nginx_conf_path, 'w') as f:
                f.write(str(nginx_config))
@ -179,6 +180,19 @@ class Runbot(models.AbstractModel):
                    else:
                        _logger.warning('failed to start nginx - failed to kill orphan worker - oh well')

+    def _write_nginx_blacklist(self):
+        """ Build and write an nginx black list of ip adresses.
+        :returns: True if the file changed and thus nginx needs a reload
+        """
+        ips = self.env['ir.config_parameter'].get_param('runbot.client.blacklist', default='')
+        if ips:
+            new_content = '\n'.join([f'deny {ip.strip()};' for ip in ips.split(' ')])
+            blacklist_path = Path(self._root()) / 'nginx/blacklist.conf'
+            content = blacklist_path.exists() and blacklist_path.read_text()
+            if new_content != content:
+                blacklist_path.write_text()
+                return True
+
    def _get_cron_period(self):
        """ Compute a randomized cron period with a 2 min margin below
        real cron timeout from config.
--- a/runbot/templates/nginx.xml
+++ b/runbot/templates/nginx.xml
@ -37,6 +37,12 @@ proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Proto $real_scheme;
 proxy_set_header Host $host;

+set_real_ip_from 127.0.0.1;
+real_ip_header   X-Forwarded-For;
+real_ip_recursive on;
+
+include blacklist*.conf;
+
 server {
    listen 8080 default;
    location /runbot/static/ {