Commit c7ee2259 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

caddy-frontend: Validate slave's server-alias

As the slave requester is able to enter any string in server-alias, validate it
as a correct domain name and, if validation fails, reject that
slave.

Also use a trick to have access to global slave state, see
https://fabianlee.org/2016/10/18/saltstack-setting-a-jinja2-variable-from-an-inner-block-scope/
parent c6c33fb2
...@@ -14,7 +14,7 @@ ...@@ -14,7 +14,7 @@
# not need these here). # not need these here).
[template] [template]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = ae392fdf6e874ac12ee7e490f6fc1faa md5sum = 5360ac713bc1f00b2668238027dc253b
[template-common] [template-common]
filename = instance-common.cfg.in filename = instance-common.cfg.in
......
...@@ -69,23 +69,30 @@ context = ...@@ -69,23 +69,30 @@ context =
{% for slave in slave_instance_list %} {% for slave in slave_instance_list %}
{# BBB: apache_custom_https AND apache_custom_http #} {# BBB: apache_custom_https AND apache_custom_http #}
{% if not ((slave.has_key('caddy_custom_http') or slave.has_key('apache_custom_http') or slave.has_key('caddy_custom_https') or slave.has_key('apache_custom_https')) and not slave.get('slave_reference') in authorized_slave_string) %} {% if not ((slave.has_key('caddy_custom_http') or slave.has_key('apache_custom_http') or slave.has_key('caddy_custom_https') or slave.has_key('apache_custom_https')) and not slave.get('slave_reference') in authorized_slave_string) %}
{% set slave_ok = True %} {% set slave_dict = {'state': True} %}
{% if slave.get('url') %} {% if slave.get('url') %}
{% if subprocess_module.call([caddy_backend_url_validator, slave['url']]) == 1 %} {% if subprocess_module.call([caddy_backend_url_validator, slave['url']]) == 1 %}
{% set slave_ok = False %} {% do slave_dict.__setitem__('state', False) %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if slave.get('https-url') %} {% if slave.get('https-url') %}
{% if subprocess_module.call([caddy_backend_url_validator, slave['https-url']]) == 1 %} {% if subprocess_module.call([caddy_backend_url_validator, slave['https-url']]) == 1 %}
{% set slave_ok = False %} {% do slave_dict.__setitem__('state', False) %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if slave.get('custom_domain') %} {% if slave.get('custom_domain') %}
{% if not validators.domain(slave['custom_domain']) %} {% if not validators.domain(slave['custom_domain']) %}
{% set slave_ok = False %} {% do slave_dict.__setitem__('state', False) %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if slave_ok %} {% if slave.get('server-alias') %}
{% for slave_alias in slave['server-alias'].split() %}
{% if not validators.domain(slave_alias) %}
{% do slave_dict.__setitem__('state', False) %}
{% endif %}
{% endfor %}
{% endif %}
{% if slave_dict['state'] %}
{% do authorized_slave_list.append(slave) %} {% do authorized_slave_list.append(slave) %}
{% else %} {% else %}
{% do rejected_slave_list.append(slave.get('slave_reference')) %} {% do rejected_slave_list.append(slave.get('slave_reference')) %}
......
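Review bot: The new per-alias check at `{% if not validators.domain(slave_alias) %}` will, as far as I can tell from the validators library, reject wildcard entries such as `*.example.com`, so any slave that relied on a wildcard server-alias would now land in `rejected_slave_list` with no hint why; if wildcards are meant to be supported, strip a leading `*.` before validating (`{% set slave_alias = slave_alias[2:] if slave_alias.startswith('*.') else slave_alias %}`) — please confirm against the Caddyfile template. A whitespace-only `server-alias` is truthy at the `{% if slave.get('server-alias') %}` guard but `.split()` yields nothing, so the loop never runs and the slave is accepted with an effectively empty alias; that may be acceptable, but it is worth a comment such as `{# whitespace-only alias lists are accepted as "no alias" #}`. As a point of style, the five `{% do slave_dict.__setitem__('state', False) %}` lines would read better as `{% do slave_dict.update({'state': False}) %}`, which avoids calling a dunder from a template. The enclosing `{% for slave in slave_instance_list %}` loop starts before the hunk and its `{% endfor %}` lies after it.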
...@@ -95,4 +95,4 @@ configuration.enable-http2-by-default = true ...@@ -95,4 +95,4 @@ configuration.enable-http2-by-default = true
configuration.enable-quic = false configuration.enable-quic = false
configuration.mpm-graceful-shutdown-timeout = 5 configuration.mpm-graceful-shutdown-timeout = 5
configuration.monitor-httpd-port = 8072 configuration.monitor-httpd-port = 8072
configuration.frontend-name = configuration.frontend-name =
\ No newline at end of file
...@@ -3039,6 +3039,9 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -3039,6 +3039,9 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
'custom_domain-unsafe': { 'custom_domain-unsafe': {
'custom_domain': '${section:option} afterspace\nafternewline', 'custom_domain': '${section:option} afterspace\nafternewline',
}, },
'server-alias-unsafe': {
'server-alias': '${section:option} afterspace',
},
} }
def test_master_partition_state(self): def test_master_partition_state(self):
...@@ -3049,9 +3052,10 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -3049,9 +3052,10 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
'monitor-base-url': None, 'monitor-base-url': None,
'domain': 'example.com', 'domain': 'example.com',
'accepted-slave-amount': '2', 'accepted-slave-amount': '2',
'rejected-slave-amount': '1', 'rejected-slave-amount': '2',
'slave-amount': '3', 'slave-amount': '4',
'rejected-slave-list': '["_custom_domain-unsafe"]'} 'rejected-slave-list':
'["_server-alias-unsafe", "_custom_domain-unsafe"]'}
self.assertEqual( self.assertEqual(
expected_parameter_dict, expected_parameter_dict,
...@@ -3145,3 +3149,11 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -3145,3 +3149,11 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
parameter_dict, parameter_dict,
{} {}
) )
def test_server_alias_unsafe(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'server-alias-unsafe']
self.assertEqual(
parameter_dict,
{}
)
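Review bot: The `server-alias-unsafe` fixture only covers the space-separated case, so the newline-separated path that the template's `.split()` also has to reject is untested, unlike the neighbouring `custom_domain-unsafe` entry which includes `\nafternewline`; suggest `'server-alias': '${section:option} afterspace\nafternewline',`. The expected `'rejected-slave-list'` value in the second hunk pins a specific order of the two references, which presumably follows the slave iteration order in the template — if that order is not guaranteed, compare the parsed list as a set instead. `test_server_alias_unsafe` asserts only that the rejected slave gets an empty connection parameter dict; a short docstring stating that a non-domain server-alias must cause rejection would make the intent clear to the next reader.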