[IMP] runbot: add blacklist support

Deny access to running builds by setting a whitespace-separated list of IPs
in the `runbot.client.blacklist` config parameter.
Christophe Monniez 2022-08-18 13:15:13 +02:00
parent b44ed5f7a6
commit 4a0a2ab9b3
2 changed files with 21 additions and 1 deletions


@ -8,6 +8,7 @@ import subprocess
import shutil import shutil
from contextlib import contextmanager from contextlib import contextmanager
from pathlib import Path
from requests.exceptions import HTTPError from requests.exceptions import HTTPError
from subprocess import CalledProcessError from subprocess import CalledProcessError
@ -162,7 +163,7 @@ class Runbot(models.AbstractModel):
if os.path.isfile(nginx_conf_path): if os.path.isfile(nginx_conf_path):
with open(nginx_conf_path, 'r') as f: with open(nginx_conf_path, 'r') as f:
content = f.read() content = f.read()
if content != nginx_config: if content != nginx_config or self._write_nginx_blacklist():
_logger.info('reload nginx') _logger.info('reload nginx')
with open(nginx_conf_path, 'w') as f: with open(nginx_conf_path, 'w') as f:
f.write(str(nginx_config)) f.write(str(nginx_config))
@ -179,6 +180,19 @@ class Runbot(models.AbstractModel):
else: else:
_logger.warning('failed to start nginx - failed to kill orphan worker - oh well') _logger.warning('failed to start nginx - failed to kill orphan worker - oh well')
def _write_nginx_blacklist(self):
""" Build and write an nginx black list of ip adresses.
:returns: True if the file changed and thus nginx needs a reload
"""
ips = self.env['ir.config_parameter'].get_param('runbot.client.blacklist', default='')
if ips:
new_content = '\n'.join([f'deny {ip.strip()};' for ip in ips.split(' ')])
blacklist_path = Path(self._root()) / 'nginx/blacklist.conf'
content = blacklist_path.exists() and blacklist_path.read_text()
if new_content != content:
blacklist_path.write_text()
return True
def _get_cron_period(self): def _get_cron_period(self):
""" Compute a randomized cron period with a 2 min margin below """ Compute a randomized cron period with a 2 min margin below
real cron timeout from config. real cron timeout from config.
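Review bot: `blacklist_path.write_text()` in the new `_write_nginx_blacklist` is called without the content argument, so the first time the computed list differs from the file it raises TypeError instead of writing; it has to be `blacklist_path.write_text(new_content)`. The write also only happens while `ips` is non-empty, so clearing `runbot.client.blacklist` leaves the previously written `deny` lines on disk and those addresses stay blocked until the parameter is set again; writing the (empty) list whenever it differs from the file fixes that and still returns True so nginx reloads. `ips.split(' ')` turns a doubled space or a newline into an empty item and emits `deny ;`, which nginx rejects at reload, whereas `ips.split()` matches the whitespace-separated wording of the description. Separately, the caller in the -162 hunk (whose method starts outside the hunk) only evaluates `self._write_nginx_blacklist()` when the main config is unchanged, so a blacklist change that coincides with a config change is not written until a later pass.
```python
def _write_nginx_blacklist(self):
    """ Build and write an nginx black list of ip adresses.
    :returns: True if the file changed and thus nginx needs a reload
    """
    ips = self.env['ir.config_parameter'].get_param('runbot.client.blacklist', default='')
    # an empty parameter yields an empty file so stale deny rules are dropped
    new_content = '\n'.join(f'deny {ip};' for ip in ips.split())
    blacklist_path = Path(self._root()) / 'nginx/blacklist.conf'
    content = blacklist_path.read_text() if blacklist_path.exists() else ''
    if new_content != content:
        blacklist_path.write_text(new_content)
        return True
    return False
```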


@ -37,6 +37,12 @@ proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $real_scheme; proxy_set_header X-Forwarded-Proto $real_scheme;
proxy_set_header Host $host; proxy_set_header Host $host;
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include blacklist*.conf;
server { server {
listen 8080 default; listen 8080 default;
location /runbot/static/ { location /runbot/static/ {
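Review bot: With `real_ip_header X-Forwarded-For` and `set_real_ip_from 127.0.0.1`, the `deny` entries pulled in by `include blacklist*.conf;` are matched against the address nginx recovers from the forwarded header rather than the peer address whenever the connection arrives from loopback. That is only as reliable as the process listening on 127.0.0.1: it must append the real client address to X-Forwarded-For itself, since with `real_ip_recursive on` nginx uses the rightmost address not in the trusted set, and a header forwarded unchanged is whatever the client sent. Presumably the runbot front proxy does this, but nothing in the template records it; a comment above the new lines, `# deny rules in blacklist*.conf match the client address taken from X-Forwarded-For; the proxy on 127.0.0.1 must set that header`, would make the dependency explicit. The enclosing block these directives sit in starts outside the hunk.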