QA (public) » openQA Project (public)

1. Disable directory listing on nginx or echo "" >> /var/lib/openqa/share/factory/*/index.html
2. Not authenticated requests, shall not give more information than it should.
3. Authenticated requests that fail, shall have the least ammount of information required.

e.g, consider implementing error pages for different http status

For this task, it is not needed to go over the implementation details, only 1 and 2 from the list above have to be implemented.

# not authenticated
foursixnine@pakhet gitlab-suse-de-workspace-test % curl -I https://openqa.suse.de/asset/hdd/SLES-15-SP7-aarch64-Build43.1@aarch64-unregistered_functional.qcow2
HTTP/2 403
server: nginx/1.21.5
date: Thu, 28 Nov 2024 10:38:57 GMT
content-type: text/html;charset=UTF-8
content-length: 87
strict-transport-security: max-age=31536000; includeSubDomains

# authenticated and authorized, but no job (or asset is marked as on a need to use basis)
foursixnine@pakhet gitlab-suse-de-workspace-test % curl -I https://openqa.suse.de/hdd/SLES-15-SP7-aarch64-Build43.1@aarch64-unregistered_functional.qcow2
HTTP/2 418
server: nginx/1.21.5
date: Thu, 28 Nov 2024 10:44:47 GMT
content-type: text/html;charset=UTF-8
content-length: 72030
strict-transport-security: max-age=31536000; includeSubDomains
vary: Accept-Encoding

# authenticated and authorized, permitted to access asset
foursixnine@pakhet gitlab-suse-de-workspace-test % curl -I https://openqa.suse.de/tests/16031623/asset/hdd/SLES-15-SP7-aarch64-Build43.1@aarch64-unregistered_functional.qcow2
HTTP/2 302
server: nginx/1.21.5
date: Thu, 28 Nov 2024 10:45:22 GMT
content-length: 0
location: /assets/hdd/SLES-15-SP7-aarch64-Build43.1@aarch64-unregistered_functional.qcow2
strict-transport-security: max-age=31536000; includeSubDomains

# authenticated and authorized, permitted to download
foursixnine@pakhet gitlab-suse-de-workspace-test % curl -I https://openqa.suse.de/hdd/SLES-15-SP7-aarch64-Build43.1@aarch64-unregistered_functional.qcow2
HTTP/2 200
server: nginx/1.21.5
date: Thu, 28 Nov 2024 10:44:47 GMT
content-type: text/html;charset=UTF-8
content-length: 72030
strict-transport-security: max-age=31536000; includeSubDomains
vary: Accept-Encoding

@mkittler we can keep the goal as you stated but I don't think we should make nginx the strict requirement. Maybe native mojo is not the bad, maybe we can redirect to nginx, maybe we use traefik, whatever, all possible :)

Maybe native mojo is not the bad,

I remember we had assets downloads via Mojo accidentally for a while on o3 when switching there to NGINX and it was not good enough.

maybe we can redirect to nginx

I think that's already happening but then we still need authentication in NGINX.

maybe we use traefik

I'll have to look into it.

whatever, all possible

One thing that came to mind when talking with @szarate was to create an NGINX module.

However, maybe there's already something we can use. Or we can simply configure HTTP auth in-line with what we also do in Mojolicious and only rely on that¹. Not sure whether that would be flexible enough to also restrict workers so they can only access assets of their current job (which would be part of the use case of #170383).

¹ Note that basic HTTP auth can be configured via auth_basic_user_file in NGINX and we could probably generate/update those files from the Mojolicious app when new API keys are created or API keys are removed.

@szarate mkittler already picked up the issue. What needs immediate handling today? And please be aware that this is only a spike solution so we don't expect to have a full solution at the time of resolving this.

okurz wrote in #note-10:

@szarate mkittler already picked up the issue. What needs immediate handling today? And please be aware that this is only a spike solution so we don't expect to have a full solution at the time of resolving this.

@okurz It's exactly the solution we discussed one week ago: 1,2 and 3 of this message, https://progress.opensuse.org/issues/170380#note-3

The testing and validation plan provided to the CAB is here, I only need to know when the change is in place, so I can inform the CAB, before their next meeting, day after Monday. I hope its feasible to have this implemented by the end of the week.

Needs to be deployed on all openQA instances that QE LSG Department uses (a ticket that is linked to poo#17366 is sufficient.

https://confluence.suse.com/pages/viewpage.action?pageId=668631174

Draft PR: https://github.com/os-autoinst/openQA/pull/6076

We discussed this in the unblock meeting. mkittler will look into avoiding redirects. As alternative I proposed to symlink assets on the side of the openQA instance to a temporary location and point the web reverse proxy to that and then remove the link to the temporary location again after the job finishes.

I think also with what we had discussed today you can create at least another ticket which can be worked on independantly of #174154 . How about a ticket about an experiment to try out the "symlink"-approach and/or another ticket about doing the implementation w/o any reverse proxy.

I've now created https://github.com/os-autoinst/openQA/pull/6082 which will reduce the size of #174154 when merged. Then we only need to think about the hard parts anymore.

I will figure out the first and most promising point in #174154 to look into and create a separate ticket for that.

I created another ticket, see #174154#note-7.