ClusterCockpit/cc-backend
1
0
Fork 0
mirror of https://github.com/ClusterCockpit/cc-backend synced 2025-04-30 07:01:42 +02:00
Code Issues Packages Releases Activity

fix: enforce apiAllowedIPs config option

Browse Source 
Fixes #385
This commit is contained in:
Jan Eitzinger 2025-04-28 09:54:22 +02:00
parent 95de9ad3b3
commit 161f0744aa
9 changed files with 113 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
ReleaseNotes.md
View File

@ -6,6 +6,20 @@ This is a bug fix release of `cc-backend`, the API backend and frontend
implementation of ClusterCockpit. implementation of ClusterCockpit.
For release specific notes visit the [ClusterCockpit Documentation](https://clusterockpit.org/docs/release/). For release specific notes visit the [ClusterCockpit Documentation](https://clusterockpit.org/docs/release/).
## Breaking changes
The option `apiAllowedIPs` is now a required configuration attribute in
`config.json`. This option restricts access to the admin API.
To retain the previous behavior that the API is per default accessible from
everywhere set:
```json
"apiAllowedIPs": [
"*"
]
```
## Breaking changes for minor release 1.4.x ## Breaking changes for minor release 1.4.x
- You need to perform a database migration. Depending on your database size the - You need to perform a database migration. Depending on your database size the

12
cmd/cc-backend/init.go
View File

@ -32,6 +32,18 @@ const configString = `
"jwts": { "jwts": {
"max-age": "2000h" "max-age": "2000h"
}, },
"apiAllowedIPs": [
"*"
],
"enable-resampling": {
"trigger": 30,
"resolutions": [
600,
300,
120,
60
]
},
"clusters": [ "clusters": [
{ {
"name": "name", "name": "name",

3
configs/config-demo.json
View File

@ -17,6 +17,9 @@
60 60
] ]
}, },
"apiAllowedIPs": [
"*"
],
"emission-constant": 317, "emission-constant": 317,
"clusters": [ "clusters": [
{ {

14
configs/config.json
View File

@ -15,7 +15,10 @@
"kind": "file", "kind": "file",
"path": "./var/job-archive" "path": "./var/job-archive"
}, },
"validate": true, "validate": false,
"apiAllowedIPs": [
"*"
],
"clusters": [ "clusters": [
{ {
"name": "test", "name": "test",
@ -46,5 +49,14 @@
"max-age": "2000h", "max-age": "2000h",
"trustedIssuer": "" "trustedIssuer": ""
}, },
"enable-resampling": {
"trigger": 30,
"resolutions": [
600,
300,
120,
60
]
},
"short-running-jobs-duration": 300 "short-running-jobs-duration": 300
} }

3
internal/api/api_test.go
View File

@ -45,6 +45,9 @@ func setup(t *testing.T) *api.RestApi {
"jwts": { "jwts": {
"max-age": "2m" "max-age": "2m"
}, },
"apiAllowedIPs": [
"*"
],
"clusters": [ "clusters": [
{ {
"name": "testcluster", "name": "testcluster",

3
internal/importer/importer_test.go
View File

@ -45,6 +45,9 @@ func setup(t *testing.T) *repository.JobRepository {
"jwts": { "jwts": {
"max-age": "2m" "max-age": "2m"
}, },
"apiAllowedIPs": [
"*"
],
"clusters": [ "clusters": [
{ {
"name": "testcluster", "name": "testcluster",

3
internal/repository/userConfig_test.go
View File

@ -25,6 +25,9 @@ func setupUserTest(t *testing.T) *UserCfgRepo {
"jwts": { "jwts": {
"max-age": "2m" "max-age": "2m"
}, },
"apiAllowedIPs": [
"*"
],
"clusters": [ "clusters": [
{ {
"name": "testcluster", "name": "testcluster",

3
pkg/schema/schemas/config.schema.json
View File

@ -492,6 +492,7 @@
}, },
"required": [ "required": [
"jwts", "jwts",
"clusters" "clusters",
"apiAllowedIPs"
] ]
} }

4
pkg/schema/validate_test.go
View File

@ -14,6 +14,9 @@ func TestValidateConfig(t *testing.T) {
"jwts": { "jwts": {
"max-age": "2m" "max-age": "2m"
}, },
"apiAllowedIPs": [
"*"
],
"clusters": [ "clusters": [
{ {
"name": "testcluster", "name": "testcluster",
@ -33,7 +36,6 @@ func TestValidateConfig(t *testing.T) {
} }
func TestValidateJobMeta(t *testing.T) { func TestValidateJobMeta(t *testing.T) {
} }
func TestValidateCluster(t *testing.T) { func TestValidateCluster(t *testing.T) {