MK8S-25: Disable HTTP directory listing for RPM repository

Security fix to prevent exposing repository structure on port 8080.
Changed autoindex from on to off in nginx configuration.

Create empty index.html files only in repository-specific directories
to prevent 403 errors when autoindex is disabled, while avoiding doit
task conflicts from multiple repositories targeting the same shared
directory files.

This maintains the original health check functionality while preventing
directory structure exposure.

Related: RD-680

Author: rdebay-scality

CHANGELOG.md

@@ -17,6 +17,9 @@
 
 ### Bug Fixes
 
+- Disable HTTP directory listing for RPM repository to improve security
+  (PR[#4651](https://github.com/scality/metalk8s/pull/4651))
+
 - Fix a Bug where NodeSystemSaturation alert triggers too early after only 15 minutes of high load
   (PR[#4641](https://github.com/scality/metalk8s/pull/4641))
 

buildchain/buildchain/packaging.py

@@ -32,6 +32,7 @@
 import doit  # type: ignore
 
 from buildchain import builder
+from buildchain import config
 from buildchain import constants
 from buildchain import coreutils
 from buildchain import docker_command
@@ -45,7 +46,7 @@
 
 
 def _list_packages_to_build(
-    pkg_cats: Mapping[str, Mapping[str, Tuple[targets.Package, ...]]]
+    pkg_cats: Mapping[str, Mapping[str, Tuple[targets.Package, ...]]],
 ) -> Dict[str, List[str]]:
     return {
         version: [pkg.name for pkg in pkg_list]
@@ -149,11 +150,27 @@ def task__package_mkdir_iso_root() -> types.TaskDict:
 
 def task__package_mkdir_redhat_iso_root() -> types.TaskDict:
     """Create the RedHat packages root directory on the ISO."""
-    return targets.Mkdir(
+
+    def clean() -> None:
+        """Clean RedHat directory including saltenv directory structure."""
+        # Remove saltenv directory structure created by repository index files
+        saltenv_dir = (
+            constants.REPO_REDHAT_ROOT
+            / f"{config.PROJECT_NAME.lower()}-{versions.VERSION}"
+        )
+        if saltenv_dir.exists():
+            coreutils.rm_rf(saltenv_dir)
+
+    mkdir_task = targets.Mkdir(
         directory=constants.REPO_REDHAT_ROOT,
         task_dep=["_package_mkdir_iso_root"],
     ).task
 
+    # Add our custom cleanup function
+    mkdir_task["clean"] = [clean]
+
+    return mkdir_task
+
 
 def _package_mkdir_redhat_release_iso_root(releasever: str) -> types.TaskDict:
     """
@@ -263,6 +280,7 @@ def task__build_redhat_8_repositories() -> Iterator[types.TaskDict]:
 # }}}
 # RPM packages and repository {{{
 
+
 # Packages to build, per repository.
 def _rpm_package(name: str, releasever: str, sources: List[Path]) -> targets.RPMPackage:
     try:
@@ -362,11 +380,11 @@ def _rpm_package_metalk8s_sosreport(releasever: str) -> targets.RPMPackage:
 
 
 # Store these versions in a dict to use with doit.tools.config_changed
-_TO_DOWNLOAD_RPM_CONFIG: Dict[
-    str, Dict[str, Optional[str]]
-] = _list_packages_to_download(
-    versions.REDHAT_PACKAGES,
-    _RPM_TO_BUILD_PKG_NAMES,
+_TO_DOWNLOAD_RPM_CONFIG: Dict[str, Dict[str, Optional[str]]] = (
+    _list_packages_to_download(
+        versions.REDHAT_PACKAGES,
+        _RPM_TO_BUILD_PKG_NAMES,
+    )
 )
 
 

buildchain/buildchain/targets/repository.py

@@ -40,6 +40,7 @@
 from buildchain import constants
 from buildchain import types
 from buildchain import utils
+from buildchain import versions
 from buildchain import docker_command
 
 from . import base
@@ -206,6 +207,107 @@ def clean() -> None:
             task["file_dep"].extend([self.get_rpm_path(pkg) for pkg in self.packages])
         return task
 
+    def create_index_files(self) -> types.TaskDict:
+        """Create index.html files for repository directories."""
+
+        def clean() -> None:
+            """Delete the index.html files created by this task."""
+            # Clean repository-specific index files
+            index_files = [
+                self.rootdir / "index.html",
+                self.rootdir / self.ARCH / "index.html",
+            ]
+            # Clean shared directory index files if this is scality repo
+            if self.name == "scality":
+                saltenv_dir = (
+                    self._repo_root
+                    / f"{config.PROJECT_NAME.lower()}-{versions.VERSION}"
+                )
+                index_files.extend(
+                    [
+                        saltenv_dir / "index.html",
+                        saltenv_dir / "redhat" / "index.html",
+                        saltenv_dir / "redhat" / str(self._releasever) / "index.html",
+                    ]
+                )
+
+            for index_file in index_files:
+                if index_file.exists():
+                    index_file.unlink()
+
+        def create_index() -> None:
+            """Create empty index.html files in repository directories."""
+            repository_directories = [
+                self.rootdir,  # Repository root (e.g., metalk8s-scality-el8)
+                self.rootdir / self.ARCH,  # Architecture directory (e.g., x86_64)
+            ]
+
+            # Also create shared directory index files, but only from scality repo
+            # to avoid doit task conflicts between multiple repositories
+            if self.name == "scality":
+                saltenv_dir = (
+                    self._repo_root
+                    / f"{config.PROJECT_NAME.lower()}-{versions.VERSION}"
+                )
+                repository_directories.extend(
+                    [
+                        saltenv_dir,  # /{saltenv}/ (needed for health check)
+                        saltenv_dir / "redhat",
+                        saltenv_dir / "redhat" / str(self._releasever),
+                    ]
+                )
+
+            for repository_directory in repository_directories:
+                # Create directory if it doesn't exist, then create index.html
+                repository_directory.mkdir(parents=True, exist_ok=True)
+                index_file = repository_directory / "index.html"
+                index_file.touch()
+                # Set readable permissions for nginx
+                index_file.chmod(0o644)
+
+        # Build targets list - include shared directories only for scality repo
+        targets = [
+            self.rootdir / "index.html",
+            self.rootdir / self.ARCH / "index.html",
+        ]
+        if self.name == "scality":
+            saltenv_dir = (
+                self._repo_root / f"{config.PROJECT_NAME.lower()}-{versions.VERSION}"
+            )
+            targets.extend(
+                [
+                    saltenv_dir / "index.html",
+                    saltenv_dir / "redhat" / "index.html",
+                    saltenv_dir / "redhat" / str(self._releasever) / "index.html",
+                ]
+            )
+
+        task = self.basic_task
+        task.update(
+            {
+                "name": self._get_task_name("create_index_files"),
+                "actions": [create_index],
+                "doc": f"Create index.html files for {self.name} repository "
+                f"directories.",
+                "title": utils.title_with_target1("CREATE INDEX FILES"),
+                "targets": targets,
+                "uptodate": [True],
+                "verbosity": 0,
+                "clean": [clean],
+                "task_dep": [self._get_task_name("build_repodata", with_basename=True)],
+            }
+        )
+        return task
+
+    @property
+    def execution_plan(self) -> List[types.TaskDict]:
+        """Override execution plan to include index.html file creation."""
+        tasks = [self.build_repo()]
+        if self._packages:
+            tasks.extend(self.build_packages())
+        tasks.append(self.create_index_files())
+        return tasks
+
     def build_packages(self) -> List[types.TaskDict]:
         """Build the RPMs from SRPMs."""
         tasks = [self._mkdir_repo_root(), self._mkdir_repo_arch()]

salt/metalk8s/repo/files/nginx.conf.j2

@@ -4,7 +4,10 @@ server {
 
     location / {
         root   /var/www/repositories;
-        autoindex on;
+        # Security fix: Disable directory listing to prevent exposing repository structure
+        autoindex off;
+        # Serve index.html when directory is accessed
+        index index.html;
     }
 
     include conf.d/*.inc;