CP-35846: Restrict access to internal yum repo server (members only)

[robhoes]

This restricts the /repository endpoint to local-root only. This
endpoint is exposed only on the coordinator, and used by other pool
members to access the pool's yum repo mirror.

Yum calls to this endpoint now require a pool secret to be used in a
cookie, which is implemented through a yum plugin.

Signed-off-by: Rob Hoes rob.hoes@citrix.com

[edwintorok]

If we're sending the pool token along with every request we should probably forbid http:// URIs in our yum config where ptoken is used. i.e. you either use an internal mirror through http, or the one through ptoken but that must be https.

[robhoes]

Yes, that is already the case. See:

• https://github.com/xapi-project/xen-api/blob/master/ocaml/xapi/repository.ml#L466
• https://github.com/xapi-project/xen-api/blob/master/ocaml/xapi/fileserver.ml#L83

That is, the server only accepts HTTPS.

[robhoes]

And by the way, the code where this plugin is used doesn't use https directly in the yum config, but goes through stunnel to provide TLS and cert checking: https://github.com/xapi-project/xen-api/blob/master/ocaml/xapi/repository_helpers.ml#L1009.

[minglumlu]

Is it worth to restrict the repo URL to "http://127.0.0.1:8000"?

[robhoes]

How exactly? Something like if repo.getConfigOption('baseurl') != "http://127.0.0.1:8000": continue?

[lindig]

Do we have to worry about the token containing anything that would need escaping when passed in an URL? Or would whoever constructs the URL take care of this?

[robhoes]

It goes into a cookie header, not the URL. And it's a fixed format, defined by xapi, that doesn't have weird characters.

[minglumlu]

How exactly? Something like if repo.getConfigOption('baseurl') != "http://127.0.0.1:8000": continue?

Yes. Maybe we have to have some hard-coding in this plugin.

[robhoes]

I've now added a restriction for the baseurl to localhost.