Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes #38015 - Enable org and CVE scoping for flatpak content #11251

Merged
merged 1 commit into from
Jan 15, 2025
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ class Api::Registry::RegistryProxiesController < Api::V2::ApiController
before_action :confirm_settings
skip_before_action :authorize
before_action :optional_authorize, only: [:token, :catalog]
before_action :registry_authorize, except: [:token, :v1_search, :catalog]
before_action :registry_authorize, except: [:token, :v1_search, :catalog, :static_index]
before_action :authorize_repository_read, only: [:pull_manifest, :tags_list, :check_blob, :pull_blob]
before_action :container_push_prop_validation, only: [:start_upload_blob, :upload_blob, :finish_upload_blob, :push_manifest]
before_action :create_container_repo_if_needed, only: [:start_upload_blob, :upload_blob, :finish_upload_blob, :push_manifest]
Expand Down Expand Up @@ -806,5 +806,25 @@ def render_podman_error(code, message, status = :bad_request)
def item_not_found(item)
render_podman_error("NAME_UNKNOWN", _("%s was not found!") % item, :not_found)
end

def static_index
host_ip = request.remote_ip
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why identify based on IP rather than hostname? Will this have implications for IPv6? In registration_manager we look at the hostname; there may be stuff you could reuse in there?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh I just remembered that in registration_manager it's the hostname of the capsule, not of the host. So possibly nevermind.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me see if I can grab hostname here..

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see something like this from resolv could work. We do something similar in foreman in atleast a text search I did on the repo.

Resolv.getname(request.remote_ip)

remote_ip should be able to provide ipv4 or ipv6 address whatever is passed to the request header by the client. As long as we store that on the host's nic ip, we should be able to get the host record.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should be able to resolve ipv4 or ipv6 address I believe via the same getname method.

I think one big question is if we should rely on Foreman's primary interface or DNS to resolve the IP to a hostname. Can we always rely on DNS being available? Foreman relies on DNS a lot so I think that might be true, but it might be worth asking someone from the platform side.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@adamruzicka : Would you know if this is a good way to get the host from request.remote_ip and would this be ipv4/v6 proof?

Host.joins(:primary_interface).where("nics.ip = :host_ip OR nics.ip6 = :host_ip", host_ip: host_ip)&.first

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we always rely on DNS being available? Foreman relies on DNS a lot so I think that might be true

I would suggest against relying on this. Foreman may not be able to resolve hostnames that are managed by a dns server running in a remote location, even if that remote location's dns server is managed by a smart proxy. I'm also not sure if we also set up PTR records or just A/AAAA ones.

if we should rely on Foreman's primary interface

Why limit ourselves only to the primary interface?

Would you know if this is a good way to get the host from request.remote_ip and would this be ipv4/v6 proof?

From the top of my head I can't think of any other approach and it should be ip-version agnostic.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Adam!

Why limit ourselves only to the primary interface?

I found other instances of using primary interface to get/set host's ip address in foreman..Is there some other interface we can use for our purpose here?

From the top of my head I can't think of any other approach and it should be ip-version agnostic.

Updated to use the above query to look at ipv4 and ipv6..

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about collecting the IPs from all host interfaces? Host.first.interfaces ...

We'd be even more likely to get a hit in case a different NIC is used for flatpak.

host = ::Host.joins(:primary_interface).where("nics.ip = :host_ip OR nics.ip6 = :host_ip", host_ip: host_ip)&.first
flatpak_index = (redirect_client { Resources::Registry::Proxy.get(@_request.fullpath, headers) })
flatpak_index_json = JSON.parse(flatpak_index)
# Filter out repositories if it's a registered host
if host&.content_view_environments&.any?
sjha4 marked this conversation as resolved.
Show resolved Hide resolved
# host.update(flatpak_index: flatpak_index) Will this help??
sjha4 marked this conversation as resolved.
Show resolved Hide resolved
repos = host.content_view_environments.flat_map do |cve|
cve.content_view_version.repositories
end
available_container_repo_names = repos.map(&:container_repository_name)
flatpak_index_json['Results'] = flatpak_index_json['Results'].select do |result|
available_container_repo_names.include?(result['Name'])
end
end
# Otherwise just return unfiltered pulp flatpak index
render json: flatpak_index_json
end
end
end
1 change: 1 addition & 0 deletions config/routes/api/registry.rb
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ class ActionDispatch::Routing::Mapper
match '/v2' => 'registry_proxies#ping', :via => :get
match '/v1/_ping' => 'registry_proxies#v1_ping', :via => :get
match '/v1/search' => 'registry_proxies#v1_search', :via => :get
match '/index/static' => 'registry_proxies#static_index', :via => :get
end
end
end
1 change: 1 addition & 0 deletions lib/katello/permissions/registry_permissions.rb
Original file line number Diff line number Diff line change
Expand Up @@ -14,4 +14,5 @@
'katello/api/registry/registry_proxies/start_upload_blob',
'katello/api/registry/registry_proxies/upload_blob',
'katello/api/registry/registry_proxies/finish_upload_blob',
'katello/api/registry/registry_proxies/static_index',
]
Loading