Update Release Candidate

e337b853 · Thomas Gambier · 45b42e27 · 87b81684 · e337b853 · e337b853
Commit e337b853 authored Sep 29, 2023 by Thomas Gambier
8 changed files
--- a/component/binutils/buildout.cfg
+++ b/component/binutils/buildout.cfg
@@ -57,3 +57,4 @@ configure-options =
 environment =
  LDFLAGS=-L${gettext:location}/lib -lintl -Wl,-rpath=${gettext:location}/lib -Wl,-rpath=${zlib:location}/lib
  PATH=${texinfo7:location}/bin:${bison:location}/bin:${m4:location}/bin:%(PATH)s
+  BISON_PKGDATADIR=${bison:location}/share/bison
--- a/component/firewalld/buildout.cfg
+++ b/component/firewalld/buildout.cfg
@@ -76,7 +76,7 @@ environment =
  CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
  LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi -L${zlib:location}/lib/ -Wl,-rpath=${zlib:location}/lib/
  GLIB_CFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
-  GLIB_LIBS=-L${glib:location}/lib -lglib-2.0 -lintl -lgobject-2.0
+  GLIB_LIBS=-L${glib:location}/lib -lglib-2.0 -lgobject-2.0
  FFI_CFLAGS=-I${libffi:location}/include
  FFI_LIBS=-L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi
  GIR_DIR=${buildout:parts-directory}/${:_buildout_section_name_}/share/gir-1.0

--- a/component/glib/buildout.cfg
+++ b/component/glib/buildout.cfg
@@ -14,6 +14,9 @@ extends =
 parts =
  glib

+[gcc]
+min_version = 8
+
 [glib]
 recipe = slapos.recipe.cmmi
 shared = true

--- a/software/erp5/test/test/test_balancer.py
+++ b/software/erp5/test/test/test_balancer.py
@@ -805,7 +805,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
      ).json()
      self.assertEqual(result['Incoming Headers'].get('x-forwarded-for', '').split(', ')[0], '1.2.3.4')

-  def test_x_forwarded_for_stripped_when_not_verified_connection(self):
+  def test_x_forwarded_for_stripped_when_no_certificate(self):
    # type: () -> None
    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default']
    result = requests.get(
@@ -813,7 +813,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
      headers={'X-Forwarded-For': '1.2.3.4'},
      verify=False,
    ).json()
-    self.assertNotEqual(result['Incoming Headers'].get('x-forwarded-for', '').split(', ')[0], '1.2.3.4')
+    self.assertNotIn('x-fowarded-for', [k.lower() for k in result['Incoming Headers'].keys()])
    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default-auth']
    with self.assertRaisesRegex(Exception, "certificate required"):
      requests.get(
@@ -822,6 +822,32 @@ class TestFrontendXForwardedFor(BalancerTestCase):
        verify=False,
      )

+  def test_x_forwarded_for_stripped_when_not_verified_certificate(self):
+    # type: () -> None
+    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default']
+
+    # certificate from an unknown CA
+    another_unrelated_caucase = self.getManagedResource('another_unrelated_caucase', CaucaseService)
+    unknown_client_certificate = self.getManagedResource('unknown_client_certificate', CaucaseCertificate)
+    unknown_client_certificate.request('unknown client certificate', another_unrelated_caucase)
+
+    result = requests.get(
+      balancer_url,
+      headers={'X-Forwarded-For': '1.2.3.4'},
+      cert=(unknown_client_certificate.cert_file, unknown_client_certificate.key_file),
+      verify=False,
+    ).json()
+    self.assertNotIn('x-fowarded-for', [k.lower() for k in result['Incoming Headers'].keys()])
+
+    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default-auth']
+    with self.assertRaisesRegex(Exception, "unknown ca"):
+      requests.get(
+        balancer_url,
+        headers={'X-Forwarded-For': '1.2.3.4'},
+        cert=(unknown_client_certificate.cert_file, unknown_client_certificate.key_file),
+        verify=False,
+      )
+

 class TestServerTLSProvidedCertificate(BalancerTestCase):
  """Check that certificate and key can be provided as instance parameters.

--- a/software/re6stnet/buildout.hash.cfg
+++ b/software/re6stnet/buildout.hash.cfg
@@ -18,7 +18,7 @@ md5sum = 7be0c21751f8385ef876c3d7192d4057

 [template-re6stnet]
 filename = instance-re6stnet.cfg.in
-md5sum = 01a24f1983a1d40f31c4b36b7a2448fe
+md5sum = 01da4462b5e20cab73b87e7415f7483d

 [template-apache-conf]
 filename = apache.conf.in

--- a/software/re6stnet/instance-re6stnet.cfg.in
+++ b/software/re6stnet/instance-re6stnet.cfg.in
@@ -107,7 +107,7 @@ recipe = slapos.cookbook:wrapper
 wrapper-path = ${directory:services}/re6st-registry
 pidfile = ${directory:run}/registry.pid
 command-line = {{ bin_directory }}/re6st-registry @${re6st-registry-conf:output}
-hash-existing-files = ${re6st-registry-conf:output}
+hash-files = ${re6st-registry-conf:output}

 [cron-entry-re6st-backup]
 recipe = slapos.cookbook:cron.d

--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -94,7 +94,7 @@ md5sum = b0751d3d12cfcc8934cb1027190f5e5e

 [template-haproxy-cfg]
 filename = haproxy.cfg.in
-md5sum = 1645ef8990ab2b50f91a4c02f0cf8882
+md5sum = 85a8c0dadf7b648ef9748b6199dcfeb6

 [template-rsyslogd-cfg]
 filename = rsyslogd.cfg.in

--- a/stack/erp5/haproxy.cfg.in
+++ b/stack/erp5/haproxy.cfg.in
@@ -154,7 +154,7 @@ defaults
 {% for name, (port, _, certificate_authentication, timeout, backend_list) in sorted(six.iteritems(parameter_dict['backend-dict'])) -%}
 listen family_{{ name }}
 {%-  if parameter_dict.get('ca-cert') -%}
-{%-    set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional' ) ~ ' crl-file ' ~ parameter_dict['crl'] %}
+{%-    set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional crt-ignore-err all' ) ~ ' crl-file ' ~ parameter_dict['crl'] %}
 {%-  else %}
 {%-    set ssl_auth = '' %}
 {%-  endif %}
@@ -173,11 +173,10 @@ listen family_{{ name }}
 {%-  endif %}

  # remove X-Forwarded-For unless client presented a verified certificate
-  acl client_cert_verified ssl_c_used ssl_c_verify 0
-  http-request del-header X-Forwarded-For unless client_cert_verified
+  http-request del-header X-Forwarded-For unless { ssl_c_verify 0 } { ssl_c_used 1 }
  # set Remote-User if client presented a verified certificate
  http-request del-header Remote-User
-  http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if client_cert_verified
+  http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_verify 0 } { ssl_c_used 1 }

  # logs
  capture request header Referer len 512