From 9872a4dc113e5f52e013823d8a67dc045ee9d850 Mon Sep 17 00:00:00 2001
From: Lukasz Nowak <luke@nexedi.com>
Date: Thu, 9 Aug 2018 14:08:31 +0200
Subject: [PATCH] caddy-frontend: Escape command line for monitor-ipv[46]-test

---
 .../templates/apache-custom-slave-list.cfg.in |  4 +-
 software/caddy-frontend/test/test.py          | 96 ++++++++++++++++++-
 ...BadParameters.test_file_list_log-CADDY.txt |  4 +
 ...meters.test_monitor_promise_list-CADDY.txt |  6 ++
 4 files changed, 106 insertions(+), 4 deletions(-)

diff --git a/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in b/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
index d1f6230e8..9282b21bf 100644
--- a/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
+++ b/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
@@ -257,7 +257,7 @@ wrapper-path = {{ promise_directory }}/${:filename}
 {%     do part_list.append(monitor_ipv6_section_title) %}
 [{{ monitor_ipv6_section_title }}]
 recipe = slapos.cookbook:wrapper
-command-line = {{ bin_directory }}/is-icmp-packet-lost -a {{monitor_ipv6_test}} 
+command-line = {{ dumps(bin_directory ~ '/is-icmp-packet-lost -a ' ~ monitor_ipv6_test) }}
 filename = {{ monitor_ipv6_section_title }}
 wrapper-path = {{ promise_directory }}/${:filename}
 {%   endif %}
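Review bot: `dumps()` on the new `command-line` for `monitor_ipv6_test` only protects the buildout parsing step; the slave-supplied value is still split into separate arguments when the generated wrapper runs. The test added in this commit pins exactly that: the stub prints `-a ${section:option} afternewline ipv6`, so the newline acted as an argument separator and `afternewline` and `ipv6` reached `is-icmp-packet-lost` as extra arguments. A value that contains whitespace or starts with `-` can therefore still change how the promise invokes the tool. Consider validating the parameter as a single address or hostname and rejecting the slave otherwise (the test's `rejected-slave-list` suggests such a path already exists for `server-alias-unsafe`), or quoting it as one word before `dumps()`. The same applies to the `-4` line in the `monitor_ipv4_test` hunk that follows.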
@@ -268,7 +268,7 @@ wrapper-path = {{ promise_directory }}/${:filename}
 {%     do part_list.append(monitor_ipv4_section_title) %}
 [{{ monitor_ipv4_section_title }}]
 recipe = slapos.cookbook:wrapper
-command-line = {{ bin_directory }}/is-icmp-packet-lost -4 -a {{monitor_ipv4_test}}
+command-line = {{ dumps(bin_directory ~ '/is-icmp-packet-lost -4 -a ' ~ monitor_ipv4_test) }}
 filename = {{ monitor_ipv4_section_title }}
 wrapper-path = {{ promise_directory }}/${:filename}
 {%   endif %}
diff --git a/software/caddy-frontend/test/test.py b/software/caddy-frontend/test/test.py
index 1c71278b2..a09c41f80 100644
--- a/software/caddy-frontend/test/test.py
+++ b/software/caddy-frontend/test/test.py
@@ -3057,6 +3057,12 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
         'url': cls.backend_url,
         'default-path': '${section:option}\nn"\newline\n}\n}proxy\n/slashed',
       },
+      'monitor-ipv4-test-unsafe': {
+        'monitor-ipv4-test': '${section:option}\nafternewline ipv4',
+      },
+      'monitor-ipv6-test-unsafe': {
+        'monitor-ipv6-test': '${section:option}\nafternewline ipv6',
+      },
     }
 
   def test_master_partition_state(self):
@@ -3066,9 +3072,9 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
     expected_parameter_dict = {
       'monitor-base-url': None,
       'domain': 'example.com',
-      'accepted-slave-amount': '5',
+      'accepted-slave-amount': '7',
       'rejected-slave-amount': '2',
-      'slave-amount': '7',
+      'slave-amount': '9',
       'rejected-slave-list':
       '["_server-alias-unsafe", "_custom_domain-unsafe"]'}
 
@@ -3261,3 +3267,89 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
       'https://defaultpathunsafe.example.com:%s/%%24%%7Bsection%%3Aoption%%7D'
       '%%0An%%22%%0Aewline%%0A%%7D%%0A%%7Dproxy%%0A/slashed' % (HTTPS_PORT,)
     )
+
+  def test_monitor_ipv4_test_unsafe(self):
+    parameter_dict = self.slave_connection_parameter_dict_dict[
+      'monitor-ipv4-test-unsafe']
+    self.assertLogAccessUrlWithPop(parameter_dict, 'monitor-ipv4-test-unsafe')
+    self.assertEqual(
+      parameter_dict,
+      {
+        'domain': 'monitoripv4testunsafe.example.com',
+        'replication_number': '1',
+        'url': 'http://monitoripv4testunsafe.example.com',
+        'site_url': 'http://monitoripv4testunsafe.example.com',
+        'secure_access': 'https://monitoripv4testunsafe.example.com',
+        'public-ipv4': LOCAL_IPV4,
+      }
+    )
+
+    result = self.fakeHTTPSResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      der2pem(result.peercert),
+      open('wildcard.example.com.crt').read())
+
+    self.assertEqual(result.status_code, no_backend_response_code)
+
+    result_http = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+    self.assertEqual(result_http.status_code, no_backend_response_code)
+
+    # rewrite SR/bin/is-icmp-packet-lost
+    open(
+      os.path.join(self.software_path, 'bin', 'is-icmp-packet-lost'), 'w'
+    ).write('echo "$@"')
+    # call the monitor for this partition
+    monitor_file = glob.glob(
+      os.path.join(
+        self.instance_path, '*', 'etc', 'monitor-promise',
+        'check-_monitor-ipv4-test-unsafe-ipv4-packet-list-test'))[0]
+    self.assertEqual(
+      '-4 -a ${section:option} afternewline ipv4',
+      subprocess.check_output(monitor_file).strip()
+    )
+
+  def test_monitor_ipv6_test_unsafe(self):
+    parameter_dict = self.slave_connection_parameter_dict_dict[
+      'monitor-ipv6-test-unsafe']
+    self.assertLogAccessUrlWithPop(parameter_dict, 'monitor-ipv6-test-unsafe')
+    self.assertEqual(
+      parameter_dict,
+      {
+        'domain': 'monitoripv6testunsafe.example.com',
+        'replication_number': '1',
+        'url': 'http://monitoripv6testunsafe.example.com',
+        'site_url': 'http://monitoripv6testunsafe.example.com',
+        'secure_access': 'https://monitoripv6testunsafe.example.com',
+        'public-ipv4': LOCAL_IPV4,
+      }
+    )
+
+    result = self.fakeHTTPSResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      der2pem(result.peercert),
+      open('wildcard.example.com.crt').read())
+
+    self.assertEqual(result.status_code, no_backend_response_code)
+
+    result_http = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+    self.assertEqual(result_http.status_code, no_backend_response_code)
+
+    # rewrite SR/bin/is-icmp-packet-lost
+    open(
+      os.path.join(self.software_path, 'bin', 'is-icmp-packet-lost'), 'w'
+    ).write('echo "$@"')
+    # call the monitor for this partition
+    monitor_file = glob.glob(
+      os.path.join(
+        self.instance_path, '*', 'etc', 'monitor-promise',
+        'check-_monitor-ipv6-test-unsafe-ipv6-packet-list-test'))[0]
+    self.assertEqual(
+      '-a ${section:option} afternewline ipv6',
+      subprocess.check_output(monitor_file).strip()
+    )
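Review bot: The stub write `open(...).write('echo "$@"')` in `test_monitor_ipv4_test_unsafe` (repeated in `test_monitor_ipv6_test_unsafe`) overwrites the shared `bin/is-icmp-packet-lost` of the software release and never restores it, so anything that runs afterwards against the same software release gets the stub instead of the real check. The file handle is also never closed explicitly, which leaves the flush to garbage collection just before `subprocess.check_output` executes the file. I would move the write into one helper used by both tests that saves the original content, writes the stub inside `with`, and restores it through `addCleanup` (assuming the base class derives from `unittest.TestCase`). `glob.glob(...)[0]` would also be clearer with an assertion that exactly one promise file matched, rather than a possible bare `IndexError`.

```python
  def stubIsIcmpPacketLost(self):
    # replace SR/bin/is-icmp-packet-lost with an argv echo; restored on cleanup
    path = os.path.join(self.software_path, 'bin', 'is-icmp-packet-lost')
    with open(path) as f:
      original = f.read()

    def restore():
      with open(path, 'w') as f:
        f.write(original)
    self.addCleanup(restore)

    with open(path, 'w') as f:
      f.write('echo "$@"')

  def test_monitor_ipv4_test_unsafe(self):
    # ... unchanged: connection parameter and HTTP/HTTPS assertions ...
    self.stubIsIcmpPacketLost()
    # ... unchanged: locate the promise file and compare its output ...
```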
diff --git a/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_log-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_log-CADDY.txt
index f04c799f6..695e9acaf 100644
--- a/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_log-CADDY.txt
@@ -3,6 +3,10 @@ TestSlaveBadParameters-1/var/log/frontend-access.log
 TestSlaveBadParameters-1/var/log/frontend-error.log
 TestSlaveBadParameters-1/var/log/httpd/_default-path-unsafe_access_log
 TestSlaveBadParameters-1/var/log/httpd/_default-path-unsafe_error_log
+TestSlaveBadParameters-1/var/log/httpd/_monitor-ipv4-test-unsafe_access_log
+TestSlaveBadParameters-1/var/log/httpd/_monitor-ipv4-test-unsafe_error_log
+TestSlaveBadParameters-1/var/log/httpd/_monitor-ipv6-test-unsafe_access_log
+TestSlaveBadParameters-1/var/log/httpd/_monitor-ipv6-test-unsafe_error_log
 TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-nocomma_access_log
 TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-nocomma_error_log
 TestSlaveBadParameters-1/var/log/httpd/_re6st-optimal-test-unsafe_access_log
diff --git a/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_monitor_promise_list-CADDY.txt b/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_monitor_promise_list-CADDY.txt
index 950e691a5..8d9471799 100644
--- a/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_monitor_promise_list-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_monitor_promise_list-CADDY.txt
@@ -1,5 +1,11 @@
 TestSlaveBadParameters-1/etc/monitor-promise/check-_default-path-unsafe-error-log-last-day
 TestSlaveBadParameters-1/etc/monitor-promise/check-_default-path-unsafe-error-log-last-hour
+TestSlaveBadParameters-1/etc/monitor-promise/check-_monitor-ipv4-test-unsafe-error-log-last-day
+TestSlaveBadParameters-1/etc/monitor-promise/check-_monitor-ipv4-test-unsafe-error-log-last-hour
+TestSlaveBadParameters-1/etc/monitor-promise/check-_monitor-ipv4-test-unsafe-ipv4-packet-list-test
+TestSlaveBadParameters-1/etc/monitor-promise/check-_monitor-ipv6-test-unsafe-error-log-last-day
+TestSlaveBadParameters-1/etc/monitor-promise/check-_monitor-ipv6-test-unsafe-error-log-last-hour
+TestSlaveBadParameters-1/etc/monitor-promise/check-_monitor-ipv6-test-unsafe-ipv6-packet-list-test
 TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-nocomma-error-log-last-day
 TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-nocomma-error-log-last-hour
 TestSlaveBadParameters-1/etc/monitor-promise/check-_re6st-optimal-test-unsafe-error-log-last-day
-- 
2.30.9