support apt archive restriction

alan-turing-institute · Nov 25, 2024 · c615901 · c615901
1 parent 8df6dc0
commit c615901
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -29,6 +29,7 @@ Check and, if you would like, change the following environment variables for the
 | CRAN_REMOTE_URL        | URL of the CRAN Remote repository (`https://cran.r-project.org/` by default) |
 | APT_REMOTE_URL         | URL of the APT Remote repository (`http://deb.debian.org/debian` by default) |
 | APT_DISTRO             | Name of the APT distribution (`bookworm` by default) |
+| APT_ALLOWED_ARCHIVES   | Comma-separated list of the authorized APT archives (`main,contrib,non-free-firmware,non-free` by default) |
 
 Example allowlist files are included in the repository for [PyPI](allowlists/pypi.allowlist), [CRAN](allowlists/cran.allowlist) and [APT](allowlists/apt.allowlist).
 The PyPI allowlist includes numpy, pandas, matplotlib and their dependencies.

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -11,7 +11,7 @@ timestamp() {
 }
 
 hashes() {
-    md5sum $PYPI_ALLOWLIST $CRAN_ALLOWLIST
+    md5sum $PYPI_ALLOWLIST $CRAN_ALLOWLIST $APT_ALLOWLIST
 }
 
 # Ensure allowlist files exist

diff --git a/nexus_allowlist/actions.py b/nexus_allowlist/actions.py
@@ -5,6 +5,7 @@
 
 from nexus_allowlist.nexus import NexusAPI, RepositoryType
 from nexus_allowlist.settings import (
+    ALLOWED_ARCHIVES,
     APT_DISTRO,
     APT_REMOTE_URL,
     CRAN_REMOTE_URL,
@@ -277,7 +278,10 @@ def recreate_privileges(
             nexus_api,
             name="apt-all",
             description="Allow access to all APT packages",
-            expression='format == "apt" and path=^"/pool/"',
+            expression=(
+                'format == "apt" and '
+                f'path=~"^/pool/({'|'.join(ALLOWED_ARCHIVES)})/.*"'
+            ),
             repo_type=_NEXUS_REPOSITORIES["apt_proxy"].repo_type,
             repo=_NEXUS_REPOSITORIES["apt_proxy"].name,
         )
@@ -317,7 +321,10 @@ def recreate_privileges(
                 nexus_api,
                 name=f"apt-{package}",
                 description=f"Allow access to {packages} APT package",
-                expression=f'format == "apt" and path=~"^/pool/.*/{package}.*"',
+                expression=(
+                    'format == "apt" and '
+                    f'path=~"^/pool/({'|'.join(ALLOWED_ARCHIVES)})/.*/{package}.*"'
+                ),
                 repo_type=_NEXUS_REPOSITORIES["apt_proxy"].repo_type,
                 repo=_NEXUS_REPOSITORIES["apt_proxy"].name,
             )

diff --git a/nexus_allowlist/settings.py b/nexus_allowlist/settings.py
@@ -4,3 +4,7 @@
 CRAN_REMOTE_URL = os.getenv("CRAN_REMOTE_URL", "https://cran.r-project.org/")
 APT_REMOTE_URL = os.getenv("APT_REMOTE_URL", "http://deb.debian.org/debian")
 APT_DISTRO = os.getenv("APT_DISTRO", "bookworm")
+ALLOWED_ARCHIVES = os.getenv(
+    "APT_ALLOWED_ARCHIVES",
+    "main,contrib,non-free-firmware,non-free"
+).split(",")