Merge pull request #4687 from minglumlu/private/mingl/internal_repo_a…

…ccess

Add temporary feature 'Internal_repo_access' to allow update in mix mode

ocaml/idl/datamodel.ml

@@ -8394,6 +8394,7 @@ let public_http_actions_with_no_rbac_check =
   ; "post_jsonrpc"
   ; "post_jsonrpc_options"
   ; "get_pool_update_download"
+  ; "get_repository"
   ]
 
 (* permissions not associated with any object message or field *)

ocaml/xapi-types/features.ml

@@ -62,6 +62,7 @@ type feature =
   | Pool_secret_rotation
   | Certificate_verification
   | Updates
+  | Internal_repo_access
 [@@deriving rpc]
 
 type orientation = Positive | Negative
@@ -126,6 +127,9 @@ let keys_of_features =
     , ("restrict_certificate_verification", Negative, "Certificate_verification")
     )
   ; (Updates, ("restrict_updates", Negative, "Upd"))
+  ; ( Internal_repo_access
+    , ("restrict_internal_repo_access", Negative, "Internal_repo_access")
+    )
   ]
 
 (* A list of features that must be considered "enabled" by `of_assoc_list`

ocaml/xapi-types/features.mli

@@ -69,6 +69,8 @@ type feature =
   | Pool_secret_rotation  (** Enable Pool Secret Rotation *)
   | Certificate_verification  (** Used by XenCenter *)
   | Updates  (** Enable host updates from a repository *)
+  | Internal_repo_access
+      (** Enable restriction on repository access to pool members only *)
 
 val feature_of_rpc : Rpc.t -> feature
 (** Convert RPC into {!feature}s *)

ocaml/xapi/repository.ml

@@ -465,24 +465,44 @@ let get_repository_handler (req : Http.Request.t) s _ =
   req.Request.close <- true ;
   if Fileserver.access_forbidden req s then
     Http_svr.response_forbidden ~req s
-  else if is_local_pool_repo_enabled () then (
-    try
-      let len = String.length Constants.get_repository_uri in
-      match String.sub_to_end req.Request.uri len with
-      | uri_path ->
-          let root = !Xapi_globs.local_pool_repo_dir in
-          Fileserver.response_file s (Helpers.resolve_uri_path ~root ~uri_path)
-      | exception e ->
-          let msg =
-            Printf.sprintf "Failed to get path from uri': %s"
-              (ExnHelper.string_of_exn e)
-          in
-          raise Api_errors.(Server_error (internal_error, [msg]))
-    with e ->
-      error "Failed to serve for request on uri %s: %s" req.Request.uri
-        (ExnHelper.string_of_exn e) ;
-      Http_svr.response_forbidden ~req s
-  ) else (
+  else if is_local_pool_repo_enabled () then
+    let can_be_authorized =
+      try
+        Xapi_http.with_context "get_repository_handler" req s (fun _ -> ()) ;
+        true
+      with _ -> false
+    in
+    let internal_repo_access_only =
+      let __context =
+        Context.make ~origin:(Http (req, s)) "get_repository_handler"
+      in
+      Pool_features.is_enabled ~__context Features.Internal_repo_access
+    in
+    match (can_be_authorized, internal_repo_access_only) with
+    | false, true ->
+        error
+          "Invalid secret for authorization when Internal_repo_access is \
+           enabled" ;
+        Http_svr.response_forbidden ~req s
+    | _ -> (
+      try
+        let len = String.length Constants.get_repository_uri in
+        match String.sub_to_end req.Request.uri len with
+        | uri_path ->
+            let root = !Xapi_globs.local_pool_repo_dir in
+            Fileserver.response_file s (Helpers.resolve_uri_path ~root ~uri_path)
+        | exception e ->
+            let msg =
+              Printf.sprintf "Failed to get path from uri': %s"
+                (ExnHelper.string_of_exn e)
+            in
+            raise Api_errors.(Server_error (internal_error, [msg]))
+      with e ->
+        error "Failed to serve for request on uri %s: %s" req.Request.uri
+          (ExnHelper.string_of_exn e) ;
+        Http_svr.response_forbidden ~req s
+    )
+  else (
     error "Rejecting request: local pool repository is not enabled" ;
     Http_svr.response_forbidden ~req s
   )