Commit c7ee2259 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

caddy-frontend: Validate slave's server-alias

As the slave requester is able to enter any string in server-alias, validate it as a
correct domain name and, if validation fails, reject that
slave.

Also use a trick to have access to global slave state, see
https://fabianlee.org/2016/10/18/saltstack-setting-a-jinja2-variable-from-an-inner-block-scope/
parent c6c33fb2
......@@ -14,7 +14,7 @@
# not need these here).
[template]
filename = instance.cfg.in
md5sum = ae392fdf6e874ac12ee7e490f6fc1faa
md5sum = 5360ac713bc1f00b2668238027dc253b
[template-common]
filename = instance-common.cfg.in
......
......@@ -69,23 +69,30 @@ context =
{% for slave in slave_instance_list %}
{# BBB: apache_custom_https AND apache_custom_http #}
{% if not ((slave.has_key('caddy_custom_http') or slave.has_key('apache_custom_http') or slave.has_key('caddy_custom_https') or slave.has_key('apache_custom_https')) and not slave.get('slave_reference') in authorized_slave_string) %}
{% set slave_ok = True %}
{% set slave_dict = {'state': True} %}
{% if slave.get('url') %}
{% if subprocess_module.call([caddy_backend_url_validator, slave['url']]) == 1 %}
{% set slave_ok = False %}
{% do slave_dict.__setitem__('state', False) %}
{% endif %}
{% endif %}
{% if slave.get('https-url') %}
{% if subprocess_module.call([caddy_backend_url_validator, slave['https-url']]) == 1 %}
{% set slave_ok = False %}
{% do slave_dict.__setitem__('state', False) %}
{% endif %}
{% endif %}
{% if slave.get('custom_domain') %}
{% if not validators.domain(slave['custom_domain']) %}
{% set slave_ok = False %}
{% do slave_dict.__setitem__('state', False) %}
{% endif %}
{% endif %}
{% if slave_ok %}
{% if slave.get('server-alias') %}
{% for slave_alias in slave['server-alias'].split() %}
{% if not validators.domain(slave_alias) %}
{% do slave_dict.__setitem__('state', False) %}
{% endif %}
{% endfor %}
{% endif %}
{% if slave_dict['state'] %}
{% do authorized_slave_list.append(slave) %}
{% else %}
{% do rejected_slave_list.append(slave.get('slave_reference')) %}
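Review bot: The rejection flag is flipped with `slave_dict.__setitem__('state', False)` on the four new lines; with the `do` extension already in use, `{% do slave_dict.update({'state': False}) %}` says the same thing without a dunder call, and nothing in the template explains why a dict replaced the `slave_ok` boolean. A comment at the `set slave_dict` line such as `{# mutable dict rather than a boolean: a Jinja2 'set' inside the server-alias for-loop below is not visible after the loop #}` would keep that reasoning in the file rather than only in the commit message. One point to confirm: the new per-token `validators.domain(slave_alias)` check applies the same rule to aliases as to custom_domain, so if that validator does not accept wildcard labels, an alias such as `*.example.com` (constructed) would now reject the whole slave. The enclosing `for slave in slave_instance_list` loop continues past the hunk.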
......
......@@ -95,4 +95,4 @@ configuration.enable-http2-by-default = true
configuration.enable-quic = false
configuration.mpm-graceful-shutdown-timeout = 5
configuration.monitor-httpd-port = 8072
configuration.frontend-name =
\ No newline at end of file
configuration.frontend-name =
......@@ -3039,6 +3039,9 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
'custom_domain-unsafe': {
'custom_domain': '${section:option} afterspace\nafternewline',
},
'server-alias-unsafe': {
'server-alias': '${section:option} afterspace',
},
}
def test_master_partition_state(self):
......@@ -3049,9 +3052,10 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
'monitor-base-url': None,
'domain': 'example.com',
'accepted-slave-amount': '2',
'rejected-slave-amount': '1',
'slave-amount': '3',
'rejected-slave-list': '["_custom_domain-unsafe"]'}
'rejected-slave-amount': '2',
'slave-amount': '4',
'rejected-slave-list':
'["_server-alias-unsafe", "_custom_domain-unsafe"]'}
self.assertEqual(
expected_parameter_dict,
......@@ -3145,3 +3149,11 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
parameter_dict,
{}
)
def test_server_alias_unsafe(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'server-alias-unsafe']
self.assertEqual(
parameter_dict,
{}
)
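Review bot: test_server_alias_unsafe only pins the empty connection dict, and the fixture `'${section:option} afterspace'` is rejected on its first token, so the case the template's per-token loop actually adds — one bad alias among otherwise valid ones — is not exercised. A second fixture along the lines of `'server-alias': 'valid.example.com ${section:option}'` (constructed) with the same `{}` assertion would pin that any single invalid token rejects the slave, and a positive fixture with several valid aliases would guard against the loop rejecting good input. The expected `rejected-slave-amount`/`slave-amount` values in the earlier hunk would need to follow any fixture added.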