0a53288f
Commit
0a53288f
authored
5 years ago
by
Łukasz Nowak
Committed by
Łukasz Nowak
5 years ago
caddy-frontend: Protect against malformed ssl_proxy_ca_crt
parent
b5c1da06
Changes
3
Showing
3 changed files
with
27 additions
and
4 deletions
+27
-4
software/caddy-frontend/buildout.hash.cfg
software/caddy-frontend/buildout.hash.cfg
+1
-1
software/caddy-frontend/instance-apache-replicate.cfg.in
software/caddy-frontend/instance-apache-replicate.cfg.in
+8
-0
software/caddy-frontend/test/test.py
software/caddy-frontend/test/test.py
+18
-3
software/caddy-frontend/buildout.hash.cfg
...
@@ -26,7 +26,7 @@ md5sum = a0edf88cdb73807b0a4793b9fd356199
...
@@ -26,7 +26,7 @@ md5sum = a0edf88cdb73807b0a4793b9fd356199
[template-apache-replicate]
[template-apache-replicate]
filename = instance-apache-replicate.cfg.in
filename = instance-apache-replicate.cfg.in
md5sum =
d62aefe002ec13875924e4c219914795
md5sum =
ef06c04a5aa33b103dc1d25d0dfe8217
[template-slave-list]
[template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in
filename = templates/apache-custom-slave-list.cfg.in
...
...
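--- a/software/caddy-frontend/instance-apache-replicate.cfg.in
+++ b/software/caddy-frontend/instance-apache-replicate.cfg.in
@@ -133,6 +133,14 @@ context =
 {% do slave_error_list.append('slave https-url %r invalid' % (slave['https-url'],)) %}
 {% endif %}
 {% endif %}
+{% set ssl_proxy_ca_crt = slave.get('ssl_proxy_ca_crt') %}
+{% if ssl_proxy_ca_crt %}
+{% set check_popen = popen([parameter_dict['openssl'], 'x509', '-noout']) %}
+{% do check_popen.communicate(ssl_proxy_ca_crt) %}
+{% if check_popen.returncode != 0 %}
+{% do slave_error_list.append('ssl_proxy_ca_crt is invalid') %}
+{% endif %}
+{% endif %}
 {# BBB: SlapOS Master non-zero knowledge BEGIN #}
 {% for key in ['ssl_key', 'ssl_crt', 'ssl_ca_crt'] %}
 {% if key in slave %}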
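Review bot: The new check `popen([parameter_dict['openssl'], 'x509', '-noout'])` only proves that the first PEM certificate in `ssl_proxy_ca_crt` parses; `openssl x509` reads a single certificate, so a value with a valid first block followed by damaged or unrelated data is still accepted, and nothing confirms that the certificate is a CA or is currently valid. If the value is later written out as the trust anchor for backend verification (not visible in this hunk), consider validating every PEM block, and document the limit with a comment such as `{# checks only that the first certificate parses; trailing data, CA flag and expiry are not verified #}`. Separately, an exception raised by `popen` or `communicate` (a missing binary, or a non-ASCII value depending on how `popen` is bound) would presumably abort rendering for every slave instead of adding an entry to `slave_error_list`; that path deserves a guard or at least a note. The surrounding slave loop starts and ends outside the hunk.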
software/caddy-frontend/test/test.py
...
@@ -1012,6 +1012,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
...
@@ -1012,6 +1012,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
'
ssl
-
proxy
-
verify
': True,
'
ssl
-
proxy
-
verify
': True,
'
ssl_proxy_ca_crt
': cls.test_server_ca.certificate_pem,
'
ssl_proxy_ca_crt
': cls.test_server_ca.certificate_pem,
},
},
'
ssl
-
proxy
-
verify_ssl_proxy_ca_crt_damaged
': {
'
url
': cls.backend_https_url,
'
ssl
-
proxy
-
verify
': True,
'
ssl_proxy_ca_crt
': '
damaged
',
},
'
ssl
-
proxy
-
verify_ssl_proxy_ca_crt
-
unverified
': {
'
ssl
-
proxy
-
verify_ssl_proxy_ca_crt
-
unverified
': {
'
url
': cls.backend_https_url,
'
url
': cls.backend_https_url,
'
ssl
-
proxy
-
verify
': True,
'
ssl
-
proxy
-
verify
': True,
...
@@ -1238,13 +1243,15 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
...
@@ -1238,13 +1243,15 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
'monitor-base-url'
:
None
,
'monitor-base-url'
:
None
,
'domain'
:
'example.com'
,
'domain'
:
'example.com'
,
'accepted-slave-amount'
:
'48'
,
'accepted-slave-amount'
:
'48'
,
'rejected-slave-amount'
:
'
4
'
,
'rejected-slave-amount'
:
'
5
'
,
'slave-amount'
:
'5
2
'
,
'slave-amount'
:
'5
3
'
,
'rejected-slave-dict'
:
{
'rejected-slave-dict'
:
{
"_apache_custom_http_s-rejected"
:
[
"slave not authorized"
],
"_apache_custom_http_s-rejected"
:
[
"slave not authorized"
],
"_caddy_custom_http_s"
:
[
"slave not authorized"
],
"_caddy_custom_http_s"
:
[
"slave not authorized"
],
"_caddy_custom_http_s-rejected"
:
[
"slave not authorized"
],
"_caddy_custom_http_s-rejected"
:
[
"slave not authorized"
],
"_type-eventsource"
:
[
"type:eventsource is not implemented"
]
"_type-eventsource"
:
[
"type:eventsource is not implemented"
],
"_ssl-proxy-verify_ssl_proxy_ca_crt_damaged"
:
[
"ssl_proxy_ca_crt is invalid"
]
}
}
}
}
...
@@ -2436,6 +2443,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
...
@@ -2436,6 +2443,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
result_http.headers['
Set
-
Cookie
']
result_http.headers['
Set
-
Cookie
']
)
)
def test_ssl_proxy_verify_ssl_proxy_ca_crt_damaged(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'
ssl
-
proxy
-
verify_ssl_proxy_ca_crt_damaged
']
self.assertEqual(
{'
request
-
error
-
list
': '
[
"ssl_proxy_ca_crt is invalid"
]
'},
parameter_dict
)
def test_ssl_proxy_verify_unverified(self):
def test_ssl_proxy_verify_unverified(self):
parameter_dict = self.assertSlaveBase('
ssl
-
proxy
-
verify
-
unverified
')
parameter_dict = self.assertSlaveBase('
ssl
-
proxy
-
verify
-
unverified
')
...
...
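Review bot: The only negative case added is the literal `'damaged'` in the `ssl-proxy-verify_ssl_proxy_ca_crt_damaged` slave, which has no PEM framing at all, so the test does not pin what happens to inputs closer to the boundary. A second rejected slave whose `ssl_proxy_ca_crt` is a truncated copy of `cls.test_server_ca.certificate_pem`, and one holding a valid certificate followed by junk, would show whether the openssl check accepts or rejects them. `test_ssl_proxy_verify_ssl_proxy_ca_crt_damaged` would also benefit from a one-line docstring such as `"""A slave with an unparsable ssl_proxy_ca_crt is rejected with a request error."""`. The slave parameter dict and the test class begin outside these hunks.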