Use a wildcard regex for storyboard-dev OAuth/CORS

With the move to object storage, we no longer have predictable
hosting locations for draft builds of opendev/storyboard-webclient
changes. Switch the OAuth and CORS ACLs in the storyboard
configuration on storyboard-dev.openstack.org to allow webclient
builds hosted anywhere, as there should be nothing sensitive we need
to protect in that StoryBoard deployment.

While here, tighten up the same ACLs for production StoryBoard to
just allow its local webclient deployment, reducing the risk of
cross-site scripting attacks.

Depends-On: https://review.opendev.org/691034
Change-Id: Ie4f5eb49a864848cfa95a3e956e6dbfa122fbb1d
Jeremy Stanley 2019-10-25 21:20:23 +00:00
parent a441dddaa4
commit fd3d792c8d

@ -535,16 +535,10 @@ node /^storyboard\d+\.opendev\.org$/ {
ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'), ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'), ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
hostname => 'storyboard.openstack.org', hostname => 'storyboard.openstack.org',
valid_oauth_clients => [ valid_oauth_clients => ['storyboard.openstack.org',],
'storyboard.openstack.org', cors_allowed_origins => ['https://storyboard.openstack.org',],
'logs.openstack.org', sender_email_address => 'storyboard@storyboard.openstack.org',
], default_url => 'https://storyboard.openstack.org',
cors_allowed_origins => [
'https://storyboard.openstack.org',
'http://logs.openstack.org',
],
sender_email_address => 'storyboard@storyboard.openstack.org',
default_url => 'https://storyboard.openstack.org',
} }
} }
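Review bot: the new production values for valid_oauth_clients and cors_allowed_origins are plain strings with unescaped dots and no anchors. The storyboard-dev hunk in this same change passes '^.*' to the same two parameters, which implies the entries are matched as regular expressions. If that is the case, 'storyboard.openstack.org' would also match a host where another character stands in for a dot, or where the name appears only as a substring. Either anchor and escape the two entries, or confirm that entries not written as patterns are compared exactly, and note which in a comment beside the values.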
@ -560,16 +554,10 @@ node /^storyboard-dev\d+\.opendev\.org$/ {
rabbitmq_user => hiera('storyboard_rabbit_user', 'username'), rabbitmq_user => hiera('storyboard_rabbit_user', 'username'),
rabbitmq_password => hiera('storyboard_rabbit_password'), rabbitmq_password => hiera('storyboard_rabbit_password'),
hostname => 'storyboard-dev.openstack.org', hostname => 'storyboard-dev.openstack.org',
valid_oauth_clients => [ valid_oauth_clients => ['^.*',],
'storyboard-dev.openstack.org', cors_allowed_origins => ['^.*',],
'logs.openstack.org', sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',
], default_url => 'https://storyboard-dev.openstack.org',
cors_allowed_origins => [
'https://storyboard-dev.openstack.org',
'http://logs.openstack.org',
],
sender_email_address => 'storyboard-dev@storyboard-dev.openstack.org',
default_url => 'https://storyboard-dev.openstack.org',
} }
} }
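Review bot: the '^.*' entries for valid_oauth_clients and cors_allowed_origins on the storyboard-dev node have no comment saying the wildcard is deliberate and limited to this deployment. The reasoning currently lives only in the commit message. A short comment above these two lines, stating that any OAuth client and any origin is accepted here because draft webclient builds have no fixed host, and that the value must not be copied into the production node block, would make the difference between the two nodes visible to the next person editing this file.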