Add restricting asset downloads via NGINX using subrequest auth

* Add an additional route that returns whether a user is authenticated * Use `X-Original-URI` for the HMAC computation in this additional route so the token auth works despite the changed request URL * Extend configuration template for NGINX to show an example configuration * See https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication * See https://nginx.org/en/docs/http/ngx_http_auth_request_module.html * See https://progress.opensuse.org/issues/174301
os-autoinst · Jan 14, 2025 · 6e2f2ec · 6e2f2ec
1 parent 935d343
commit 6e2f2ec
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/etc/nginx/vhosts.d/openqa-locations.inc b/etc/nginx/vhosts.d/openqa-locations.inc
@@ -13,12 +13,31 @@ if_modified_since before;
 ## Optional faster assets downloads for large deployments
 #location /assets {
 #    alias /var/lib/openqa/share/factory/;
+#    # Optional to require authentication for asset downloads
+#    #auth_request /api/v1/auth;
 #    autoindex          on;
 #    tcp_nopush         on;
 #    sendfile           on;
 #    sendfile_max_chunk 1m;
 #}
-#
+
+## Optional to make use of auth_request to require authentication for asset downloads
+#location /api/v1/auth {
+#    internal;
+#    proxy_pass http://webui;
+#    tcp_nodelay        on;
+#    proxy_read_timeout 900;
+#    proxy_send_timeout 900;
+#    proxy_pass_request_body off;
+#    proxy_set_header Content-Length "";
+#    proxy_set_header Host $host;
+#    proxy_set_header X-Original-URI $request_uri;
+#    proxy_set_header X-Forwarded-Host $host:$server_port;
+#    proxy_set_header X-Forwarded-Server $host;
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#    proxy_set_header X-Forwarded-Proto $scheme;
+#}
+
 ## Optional faster image downloads for large deployments
 #location /image {
 #    alias /var/lib/openqa/images/;

diff --git a/lib/OpenQA/WebAPI.pm b/lib/OpenQA/WebAPI.pm
@@ -330,6 +330,7 @@ sub startup ($self) {
     my $api_r_job = $api_job_auth->any('/')->to(namespace => 'OpenQA::WebAPI::Controller::API::V1');
     push @api_routes, $api_job_auth, $api_r_job;
     $api_r_job->get('/whoami')->name('apiv1_jobauth_whoami')->to('job#whoami');    # primarily for tests
+    $api_ru->get('/auth' => sub ($c) { $c->render(text => 'ok') })->name('apiv1_jobauth_whoami');
 
     # api/v1/job_groups
     $api_public_r->get('/job_groups')->name('apiv1_list_job_groups')->to('job_group#list');