fix(buildbot): fix CORS properly

wildcards are not allowed in the headers. We need to include credentials as well. Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-18 13:47:18 +02:00 · 2024-10-18 13:47:18 +02:00 · e3129fec51
parent 437293bdaa
commit e3129fec51
3 changed files with 13 additions and 9 deletions
--- a/hosts/buildbot-lix/default.nix
+++ b/hosts/buildbot-lix/default.nix
@ -38,7 +38,9 @@
      port = 2022;
      username = "buildbot";
    };
-    cors.allowedOrigin = "gerrit.lix.systems";
+    cors.allowedOrigins = [
+      "https://*.lix.systems"
+    ];
    projects = [
      "lix"
      "lix-installer"
--- a/hosts/buildbot/default.nix
+++ b/hosts/buildbot/default.nix
@ -36,7 +36,9 @@
        port = cfgGerrit.port;
        username = "buildbot";
      };
-    cors.allowedOrigin = "cl.forkos.org";
+    cors.allowedOrigins = [
+      "https://*.forkos.org"
+    ];
    projects = [
      "buildbot-test"
      "nixpkgs"
--- a/services/buildbot/default.nix
+++ b/services/buildbot/default.nix
@ -53,9 +53,9 @@ in
      };
    };

-    cors.allowedOrigin = mkOption {
-      type = types.str;
-      example = "*.forkos.org";
+    cors.allowedOrigins = mkOption {
+      type = types.listOf types.str;
+      example = [ "*.forkos.org" ];
      description = "Allowed origin for Buildbot and NGINX for CORS without the protocol";
    };

@ -100,6 +100,7 @@ in
    };

    services.nginx = {
+      recommendedProxySettings = true;
      appendHttpConfig = ''
        # Our session stuff is too big with the TWISTED_COOKIE in addition.
        # Default is usually 4k or 8k.
@ -109,8 +110,8 @@ in
        forceSSL = true;
        enableACME = true;
        extraConfig = ''
+          # This is needed so that logged-in users in Buildbot can include their credentials in their requests.
          add_header Access-Control-Allow-Credentials 'true' always;
-          add_header Access-Control-Allow-Origin 'https://${cfg.cors.allowedOrigin}' always;
        '';
      };
    };
@ -155,9 +156,8 @@ in
      # we can replace all of this with automatic localworker generation on buildbot-nix side.
      workersFile = config.age.secrets.buildbot-workers.path;

-      allowedOrigins = [
-        cfg.cors.allowedOrigin
-      ];
+      # We rely on NGINX to do the CORS dance.
+      allowedOrigins = cfg.cors.allowedOrigins;

      buildMachines = map (n: {
          hostName = nodes.${n}.config.networking.fqdn;