Use a wildcard regex for storyboard-dev OAuth/CORS

With the move to object storage, we no longer have predictable hosting locations for draft builds of opendev/storyboard-webclient changes. Switch the OAuth and CORS ACLs in the storyboard configuration on storyboard-dev.openstack.org to allow webclient builds hosted anywhere, as there should be nothing sensitive we need to protect in that StoryBoard deployment. While here, tighten up the same ACLs for production StoryBoard to just allow its local webclient deployment, reducing the risk of cross-site scripting attacks. Depends-On: https://review.opendev.org/691034 Change-Id: Ie4f5eb49a864848cfa95a3e956e6dbfa122fbb1d
2019-10-25 21:20:23 +00:00 · 2019-10-25 21:20:23 +00:00 · fd3d792c8d
commit fd3d792c8d
parent a441dddaa4
1 changed files with 8 additions and 20 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -535,14 +535,8 @@ node /^storyboard\d+\.opendev\.org$/ {
    ssl_key_file_contents   => hiera('storyboard_ssl_key_file_contents'),
    ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
    hostname                => 'storyboard.openstack.org',
-    valid_oauth_clients     => [
-      'storyboard.openstack.org',
-      'logs.openstack.org',
-    ],
-    cors_allowed_origins     => [
-      'https://storyboard.openstack.org',
-      'http://logs.openstack.org',
-    ],
+    valid_oauth_clients     => ['storyboard.openstack.org',],
+    cors_allowed_origins    => ['https://storyboard.openstack.org',],
    sender_email_address    => 'storyboard@storyboard.openstack.org',
    default_url             => 'https://storyboard.openstack.org',
  }
@ -560,14 +554,8 @@ node /^storyboard-dev\d+\.opendev\.org$/ {
    rabbitmq_user           => hiera('storyboard_rabbit_user', 'username'),
    rabbitmq_password       => hiera('storyboard_rabbit_password'),
    hostname                => 'storyboard-dev.openstack.org',
-    valid_oauth_clients     => [
-      'storyboard-dev.openstack.org',
-      'logs.openstack.org',
-    ],
-    cors_allowed_origins     => [
-      'https://storyboard-dev.openstack.org',
-      'http://logs.openstack.org',
-    ],
+    valid_oauth_clients     => ['^.*',],
+    cors_allowed_origins    => ['^.*',],
    sender_email_address    => 'storyboard-dev@storyboard-dev.openstack.org',
    default_url             => 'https://storyboard-dev.openstack.org',
  }