phorge-phorge

revi-archive/phorge-phorge

Fork 0

mirror of https://we.phorge.it/source/phorge.git synced 2024-11-15 19:32:40 +01:00

Commit graph

Author SHA1 Message Date

Author	SHA1	Message	Date
epriestley	d8550c114d	Promote instance identity to the upstream and pass it to commit hooks Summary: Fixes T7019. In a cluster environment, pushes currently fail because the commit hook can't identify the instance. For web processes, the hostname identifies the instance -- but we don't have a hostname in the hook. For CLI processes, the environment identifies the instance -- but we don't have an environment in the hook under SVN. Promote the instance identifier into the upstream and pack/unpack it explicitly for hooks. This is probably not useful for anyone but us, but the amount of special-purpose code we're introducing is very small. I poked at trying to do this in a more general way, but: - We MUST know this BEFORE we run code, so the normal subclassing stuff is useless. - I couldn't come up with any other parameter which might ever be useful to pass in. Test Plan: Used `git push` to push code through proxied HTTP, got a clean push. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T7019 Differential Revision: https://secure.phabricator.com/D11495	2015-01-27 14:51:48 -08:00
epriestley	fa7bb8ff7a	Add `cluster.addresses` and require membership before accepting cluster authentication tokens Summary: Ref T2783. Ref T6706. - Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts. - When we recieve a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it. - This provides a general layer of security for these mechanisms. - In particular, it means they do not work by default on unconfigured hosts. - When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it. - This provides a general layer of security for getting the Ops side of cluster configuration correct. - If cluster nodes have public IPs and are listening on them, we'll reject requests. - Basically, this means that any requests which bypass the LB get rejected. Test Plan: - With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism. - With addresses configred wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster. - With addresses configured correctly, made valid requests. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T6706, T2783 Differential Revision: https://secure.phabricator.com/D11159	2015-01-02 15:13:41 -08:00

epriestley

d8550c114d

Promote instance identity to the upstream and pass it to commit hooks

Summary:
Fixes T7019. In a cluster environment, pushes currently fail because the commit hook can't identify the instance.

For web processes, the hostname identifies the instance -- but we don't have a hostname in the hook.

For CLI processes, the environment identifies the instance -- but we don't have an environment in the hook under SVN.

Promote the instance identifier into the upstream and pack/unpack it explicitly for hooks. This is probably not useful for anyone but us, but the amount of special-purpose code we're introducing is very small.

I poked at trying to do this in a more general way, but:

  - We MUST know this BEFORE we run code, so the normal subclassing stuff is useless.
  - I couldn't come up with any other parameter which might ever be useful to pass in.

Test Plan: Used `git push` to push code through proxied HTTP, got a clean push.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T7019

Differential Revision: https://secure.phabricator.com/D11495

2015-01-27 14:51:48 -08:00

epriestley

fa7bb8ff7a

Add cluster.addresses and require membership before accepting cluster authentication tokens

Summary:
Ref T2783. Ref T6706.

  - Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts.
  - When we recieve a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it.
    - This provides a general layer of security for these mechanisms.
    - In particular, it means they do not work by default on unconfigured hosts.
  - When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it.
    - This provides a general layer of security for getting the Ops side of cluster configuration correct.
    - If cluster nodes have public IPs and are listening on them, we'll reject requests.
    - Basically, this means that any requests which bypass the LB get rejected.

Test Plan:
  - With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism.
  - With addresses configred wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster.
  - With addresses configured correctly, made valid requests.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6706, T2783

Differential Revision: https://secure.phabricator.com/D11159

2015-01-02 15:13:41 -08:00

2 commits