Commit c9745b96 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Matevz Golob

caddy-frontend: Protect against malformed ssl_proxy_ca_crt

parent 4e8f0114
...@@ -26,7 +26,7 @@ md5sum = a0edf88cdb73807b0a4793b9fd356199 ...@@ -26,7 +26,7 @@ md5sum = a0edf88cdb73807b0a4793b9fd356199
[template-apache-replicate] [template-apache-replicate]
filename = instance-apache-replicate.cfg.in filename = instance-apache-replicate.cfg.in
md5sum = d62aefe002ec13875924e4c219914795 md5sum = ef06c04a5aa33b103dc1d25d0dfe8217
[template-slave-list] [template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in filename = templates/apache-custom-slave-list.cfg.in
...@@ -133,6 +133,14 @@ context = ...@@ -133,6 +133,14 @@ context =
{% do slave_error_list.append('slave https-url %r invalid' % (slave['https-url'],)) %} {% do slave_error_list.append('slave https-url %r invalid' % (slave['https-url'],)) %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% set ssl_proxy_ca_crt = slave.get('ssl_proxy_ca_crt') %}
{% if ssl_proxy_ca_crt %}
{% set check_popen = popen([parameter_dict['openssl'], 'x509', '-noout']) %}
{% do check_popen.communicate(ssl_proxy_ca_crt) %}
{% if check_popen.returncode != 0 %}
{% do slave_error_list.append('ssl_proxy_ca_crt is invalid') %}
{% endif %}
{% endif %}
{# BBB: SlapOS Master non-zero knowledge BEGIN #} {# BBB: SlapOS Master non-zero knowledge BEGIN #}
{% for key in ['ssl_key', 'ssl_crt', 'ssl_ca_crt'] %} {% for key in ['ssl_key', 'ssl_crt', 'ssl_ca_crt'] %}
{% if key in slave %} {% if key in slave %}
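Review bot: The new check at `popen([parameter_dict['openssl'], 'x509', '-noout'])` establishes only that the value begins with one parseable X.509 PEM block; as far as I know `openssl x509` reads the first certificate and ignores whatever follows, so a bundle whose second CA certificate is damaged, or a leaf certificate without the CA basic constraint, still passes here and only fails later at backend verification time. A Jinja comment stating that scope would keep the next reader from assuming the CA is fully validated, e.g. `{# syntax check only: the first PEM certificate must parse; CA-ness and trailing bundle entries are not verified here #}`. Whether `check_popen.communicate(ssl_proxy_ca_crt)` accepts a text value depends on how the `popen` helper is configured (under Python 3 without text mode it would need bytes) — worth confirming against the recipe. The enclosing slave loop begins before this hunk.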
...@@ -1012,6 +1012,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -1012,6 +1012,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
'ssl-proxy-verify': True, 'ssl-proxy-verify': True,
'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem, 'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
}, },
'ssl-proxy-verify_ssl_proxy_ca_crt_damaged': {
'url': cls.backend_https_url,
'ssl-proxy-verify': True,
'ssl_proxy_ca_crt': 'damaged',
},
'ssl-proxy-verify_ssl_proxy_ca_crt-unverified': { 'ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
'url': cls.backend_https_url, 'url': cls.backend_https_url,
'ssl-proxy-verify': True, 'ssl-proxy-verify': True,
...@@ -1238,13 +1243,15 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -1238,13 +1243,15 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
'monitor-base-url': None, 'monitor-base-url': None,
'domain': 'example.com', 'domain': 'example.com',
'accepted-slave-amount': '48', 'accepted-slave-amount': '48',
'rejected-slave-amount': '4', 'rejected-slave-amount': '5',
'slave-amount': '52', 'slave-amount': '53',
'rejected-slave-dict': { 'rejected-slave-dict': {
"_apache_custom_http_s-rejected": ["slave not authorized"], "_apache_custom_http_s-rejected": ["slave not authorized"],
"_caddy_custom_http_s": ["slave not authorized"], "_caddy_custom_http_s": ["slave not authorized"],
"_caddy_custom_http_s-rejected": ["slave not authorized"], "_caddy_custom_http_s-rejected": ["slave not authorized"],
"_type-eventsource": ["type:eventsource is not implemented"] "_type-eventsource": ["type:eventsource is not implemented"],
"_ssl-proxy-verify_ssl_proxy_ca_crt_damaged": [
"ssl_proxy_ca_crt is invalid"]
} }
} }
...@@ -2436,6 +2443,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s { ...@@ -2436,6 +2443,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
result_http.headers['Set-Cookie'] result_http.headers['Set-Cookie']
) )
def test_ssl_proxy_verify_ssl_proxy_ca_crt_damaged(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'ssl-proxy-verify_ssl_proxy_ca_crt_damaged']
self.assertEqual(
{'request-error-list': '["ssl_proxy_ca_crt is invalid"]'},
parameter_dict
)
def test_ssl_proxy_verify_unverified(self): def test_ssl_proxy_verify_unverified(self):
parameter_dict = self.assertSlaveBase('ssl-proxy-verify-unverified') parameter_dict = self.assertSlaveBase('ssl-proxy-verify-unverified')
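Review bot: The damaged fixture `'ssl_proxy_ca_crt': 'damaged'` is not PEM at all, so the new test passes for any check that merely notices a missing `-----BEGIN CERTIFICATE-----` header and does not prove that a corrupted certificate body is rejected; a second rejected slave carrying a truncated copy of `cls.test_server_ca.certificate_pem` (footer kept, a few body lines dropped) would pin the behaviour the commit title promises. The expected counts `'rejected-slave-amount': '5'` and `'slave-amount': '53'` and the `rejected-slave-dict` would then need one more entry. Asserting the whole connection parameter dict in `test_ssl_proxy_verify_ssl_proxy_ca_crt_damaged` is good, as it also pins that a rejected slave publishes nothing else. The test class starts and ends outside this section.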