diff --git a/koji-pr243-CheckClientIP-and-TrustForwardedIP.patch b/koji-pr243-CheckClientIP-and-TrustForwardedIP.patch new file mode 100644 index 0000000..a10fdd6 --- /dev/null +++ b/koji-pr243-CheckClientIP-and-TrustForwardedIP.patch 
@@ -0,0 +1,137 @@ +From b7bbd1e835ef7c21809173902fd78375f0aec072 Mon Sep 17 00:00:00 2001 +From: Mike McLean +Date: Dec 14 2016 18:34:16 +0000 +Subject: [PATCH 1/2] new hub CheckClientIP option + + +--- + +diff --git a/hub/kojixmlrpc.py b/hub/kojixmlrpc.py +index 295a197..47c1284 100644 +--- a/hub/kojixmlrpc.py ++++ b/hub/kojixmlrpc.py +@@ -430,6 +430,8 @@ def load_config(environ): + ['DNUsernameComponent', 'string', 'CN'], + ['ProxyDNs', 'string', ''], + ++ ['CheckClientIP', 'boolean', True], ++ + ['LoginCreatesUser', 'boolean', True], + ['KojiWebURL', 'string', 'http://localhost.localdomain/koji'], + ['EmailDomain', 'string', None], +diff --git a/koji/auth.py b/koji/auth.py +index ef2f338..ef7635f 100644 +--- a/koji/auth.py ++++ b/koji/auth.py +@@ -72,11 +72,7 @@ class Session(object): + self.message = 'no session args' + return + args = cgi.parse_qs(args, strict_parsing=True) +- if hostip is None: +- hostip = context.environ['REMOTE_ADDR'] +- #XXX - REMOTE_ADDR not promised by wsgi spec +- if hostip == '127.0.0.1': +- hostip = socket.gethostbyname(socket.gethostname()) ++ hostip = self.get_remote_ip(override=hostip) + try: + id = long(args['session-id'][0]) + key = args['session-key'][0] +@@ -239,6 +235,18 @@ class Session(object): + raise koji.AuthLockError, self.lockerror + return True + ++ def get_remote_ip(self, override=None): ++ if not context.opts['CheckClientIP']: ++ return '-' ++ elif override is not None: ++ return override ++ else: ++ hostip = context.environ['REMOTE_ADDR'] ++ #XXX - REMOTE_ADDR not promised by wsgi spec ++ if hostip == '127.0.0.1': ++ hostip = socket.gethostbyname(socket.gethostname()) ++ return hostip ++ + def checkLoginAllowed(self, user_id): + """Verify that the user is allowed to login""" + cursor = context.cnx.cursor() +@@ -260,12 +268,7 @@ class Session(object): + raise koji.AuthError, 'invalid username or password' + if self.logged_in: + raise koji.GenericError, "Already logged in" +- hostip = opts.get('hostip') +- if hostip 
is None: +- hostip = context.environ['REMOTE_ADDR'] +- #XXX - REMOTE_ADDR not promised by wsgi spec +- if hostip == '127.0.0.1': +- hostip = socket.gethostbyname(socket.gethostname()) ++ hostip = self.get_remote_ip(override=opts.get('hostip')) + + # check passwd + c = context.cnx.cursor() +@@ -332,10 +335,7 @@ class Session(object): + + self.checkLoginAllowed(user_id) + +- hostip = context.environ['REMOTE_ADDR'] +- #XXX - REMOTE_ADDR not promised by wsgi spec +- if hostip == '127.0.0.1': +- hostip = socket.gethostbyname(socket.gethostname()) ++ hostip = self.get_remote_ip() + + sinfo = self.createSession(user_id, hostip, koji.AUTHTYPE_KERB) + +@@ -412,10 +412,7 @@ class Session(object): + + self.checkLoginAllowed(user_id) + +- hostip = context.environ['REMOTE_ADDR'] +- #XXX - REMOTE_ADDR not promised by wsgi spec +- if hostip == '127.0.0.1': +- hostip = socket.gethostbyname(socket.gethostname()) ++ hostip = self.get_remote_ip() + + sinfo = self.createSession(user_id, hostip, authtype) + return sinfo + +From 09af8f548665fab35174f731bf51bab0c4c65063 Mon Sep 17 00:00:00 2001 +From: Mike McLean +Date: Dec 14 2016 19:15:19 +0000 +Subject: [PATCH 2/2] hub option: TrustForwardedIP + + +An option to trust the X_FORWARDED_FOR header (defaults to false) when +determining client ip address + +--- + +diff --git a/hub/kojixmlrpc.py b/hub/kojixmlrpc.py +index 47c1284..2572e13 100644 +--- a/hub/kojixmlrpc.py ++++ b/hub/kojixmlrpc.py +@@ -431,6 +431,7 @@ def load_config(environ): + ['ProxyDNs', 'string', ''], + + ['CheckClientIP', 'boolean', True], ++ ['TrustForwardedIP', 'boolean', False], + + ['LoginCreatesUser', 'boolean', True], + ['KojiWebURL', 'string', 'http://localhost.localdomain/koji'], +diff --git a/koji/auth.py b/koji/auth.py +index ef7635f..0cf2ffd 100644 +--- a/koji/auth.py ++++ b/koji/auth.py +@@ -241,7 +241,11 @@ class Session(object): + elif override is not None: + return override + else: +- hostip = context.environ['REMOTE_ADDR'] ++ if 
(context.opts['TrustForwardedIP'] ++ and 'HTTP_X_FORWARDED_FOR' in context.environ): ++ hostip = context.environ['HTTP_X_FORWARDED_FOR'].split(',')[-1].strip() ++ else: ++ hostip = context.environ['REMOTE_ADDR'] + #XXX - REMOTE_ADDR not promised by wsgi spec + if hostip == '127.0.0.1': + hostip = socket.gethostbyname(socket.gethostname()) + diff --git a/koji.spec b/koji.spec index 24050a8..4b21345 100644 --- a/koji.spec +++ b/koji.spec @@ -9,7 +9,7 @@ Name: koji Version: 1.11.0 -Release: 2%{?dist} +Release: 3%{?dist} License: LGPLv2 and GPLv2+ # koji.ssl libs (from plague) are GPLv2+ Summary: Build system tools @@ -18,9 +18,11 @@ URL: https://pagure.io/koji/ Source0: https://releases.pagure.org/koji/koji-%{version}.tar.bz2 Patch0: fedora-config.patch # https://pagure.io/koji/pull-request/246 -# https://pagure.io/koji/pull-request/248 Patch1: koji-pr246-kojigc-krb_rds-support.patch +# https://pagure.io/koji/pull-request/248 Patch2: koji-pr248-kojigc-keytab-support.patch +# https://pagure.io/koji/pull-request/243 +Patch3: koji-pr243-CheckClientIP-and-TrustForwardedIP.patch BuildArch: noarch Requires: python-krbV >= 1.0.13 @@ -173,6 +175,7 @@ koji-web is a web UI to the Koji system. %patch0 -p1 -b orig %patch1 -p1 -b .246 %patch2 -p1 -b .248 +%patch3 -p1 -b .243 %build @@ -340,6 +343,9 @@ fi %endif %changelog +* Sat Jan 07 2017 Till Maas - 1.11.0-3 +- Add patches for proxy IP forwarding + * Fri Jan 06 2017 Till Maas - 1.11.0-2 - Update upstream URLs - Add upstream koji-gc kerberos patches
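Review bot: In the second nested patch, get_remote_ip() in koji/auth.py reads HTTP_X_FORWARDED_FOR whenever TrustForwardedIP is set, without checking that REMOTE_ADDR is actually the reverse proxy, so on a hub that is also reachable without passing through that proxy the hostip recorded by createSession() and compared on later session checks is simply whatever the peer put in the header. Taking `.split(',')[-1].strip()` is the right element (it is the entry appended by the nearest proxy), but the trust should be tied to the peer: compare `context.environ['REMOTE_ADDR']` against a configured list of proxy addresses before consulting the header, or at minimum add a comment next to the `['TrustForwardedIP', 'boolean', False]` entry in load_config() stating that it must only be enabled when the hub is reachable exclusively via the proxy. get_remote_ip() also needs a docstring covering its sentinel, e.g. `"""Return the client IP used for session binding, or '-' when CheckClientIP is off."""`, since callers such as the session-check path at the top of koji/auth.py and the login paths now depend on that value. Note that the existing `if hostip == '127.0.0.1'` rewrite now also applies to a header-supplied value, which looks unintended for a forwarded loopback address. The koji.spec hunks only register the patch and bump the release and need no change.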