caddy-frontend: Protect against malformed ssl_proxy_ca_crt

0a53288f · Łukasz Nowak · Łukasz Nowak · b5c1da06 · 0a53288f · 0a53288f
Commit 0a53288f authored May 27, 2019 by Łukasz Nowak Committed by Łukasz Nowak May 28, 2019
3 changed files
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -26,7 +26,7 @@ md5sum = a0edf88cdb73807b0a4793b9fd356199

 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = d62aefe002ec13875924e4c219914795
+md5sum = ef06c04a5aa33b103dc1d25d0dfe8217

 [template-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in

--- a/software/caddy-frontend/instance-apache-replicate.cfg.in
+++ b/software/caddy-frontend/instance-apache-replicate.cfg.in
@@ -133,6 +133,14 @@ context =
 {%       do slave_error_list.append('slave https-url %r invalid' % (slave['https-url'],)) %}
 {%     endif %}
 {%   endif %}
+{%   set ssl_proxy_ca_crt = slave.get('ssl_proxy_ca_crt') %}
+{%   if ssl_proxy_ca_crt %}
+{%     set check_popen = popen([parameter_dict['openssl'], 'x509', '-noout']) %}
+{%     do check_popen.communicate(ssl_proxy_ca_crt) %}
+{%     if check_popen.returncode != 0 %}
+{%       do slave_error_list.append('ssl_proxy_ca_crt is invalid') %}
+{%     endif %}
+{%   endif %}
 {# BBB: SlapOS Master non-zero knowledge BEGIN #}
 {%   for key in ['ssl_key', 'ssl_crt', 'ssl_ca_crt'] %}
 {%     if key in slave %}

--- a/software/caddy-frontend/test/test.py
+++ b/software/caddy-frontend/test/test.py
@@ -1012,6 +1012,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
        'ssl-proxy-verify': True,
        'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
      },
+      'ssl-proxy-verify_ssl_proxy_ca_crt_damaged': {
+        'url': cls.backend_https_url,
+        'ssl-proxy-verify': True,
+        'ssl_proxy_ca_crt': 'damaged',
+      },
      'ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
        'url': cls.backend_https_url,
        'ssl-proxy-verify': True,
@@ -1238,13 +1243,15 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'monitor-base-url': None,
      'domain': 'example.com',
      'accepted-slave-amount': '48',
-      'rejected-slave-amount': '4',
-      'slave-amount': '52',
+      'rejected-slave-amount': '5',
+      'slave-amount': '53',
      'rejected-slave-dict': {
        "_apache_custom_http_s-rejected": ["slave not authorized"],
        "_caddy_custom_http_s": ["slave not authorized"],
        "_caddy_custom_http_s-rejected": ["slave not authorized"],
-        "_type-eventsource": ["type:eventsource is not implemented"]
+        "_type-eventsource": ["type:eventsource is not implemented"],
+        "_ssl-proxy-verify_ssl_proxy_ca_crt_damaged": [
+          "ssl_proxy_ca_crt is invalid"]
      }
    }

@@ -2436,6 +2443,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      result_http.headers['Set-Cookie']
    )

+  def test_ssl_proxy_verify_ssl_proxy_ca_crt_damaged(self):
+    parameter_dict = self.slave_connection_parameter_dict_dict[
+      'ssl-proxy-verify_ssl_proxy_ca_crt_damaged']
+    self.assertEqual(
+      {'request-error-list': '["ssl_proxy_ca_crt is invalid"]'},
+      parameter_dict
+    )
+
  def test_ssl_proxy_verify_unverified(self):
    parameter_dict = self.assertSlaveBase('ssl-proxy-verify-unverified')