From c6c33fb2b33d3a910d5c43f9d3b7b9f55859d469 Mon Sep 17 00:00:00 2001
From: Lukasz Nowak <luke@nexedi.com>
Date: Wed, 8 Aug 2018 11:23:59 +0200
Subject: [PATCH] caddy-frontend: Use validators to validate slave's
 custom_domain

Install validators dependency, which is a way to easily check if email is an
email or domain is correct.

As slave requester is able to enter any string in custom domain validate it
against being correct domain name and in case if validation fails reject that
slave.
---
 software/caddy-frontend/buildout.hash.cfg     |  6 ++--
 .../instance-apache-replicate.cfg.in          |  5 ++++
 software/caddy-frontend/instance.cfg.in       |  5 ++++
 software/caddy-frontend/setup.py              |  1 +
 software/caddy-frontend/software.cfg          |  1 +
 software/caddy-frontend/test/test.py          | 28 +++++++++++++++++++
 6 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/software/caddy-frontend/buildout.hash.cfg b/software/caddy-frontend/buildout.hash.cfg
index c402301f4..4bfd72bf7 100644
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -14,7 +14,7 @@
 # not need these here).
 [template]
 filename = instance.cfg.in
-md5sum = 8bdb588d33bf5cd059495a5c3e6dd049
+md5sum = ae392fdf6e874ac12ee7e490f6fc1faa
 
 [template-common]
 filename = instance-common.cfg.in
@@ -26,7 +26,7 @@ md5sum = 750e2b1c922bf14511a3bc8a42468b1b
 
 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = 1cf98844e5daf75a74514dbb292d6506
+md5sum = 2f370174b18f27db5c0f9daf83df8104
 
 [template-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
@@ -106,7 +106,7 @@ md5sum = 455f8765a3afd39fb78562fb9e326c42
 
 [caddyprofiledeps-setup]
 filename = setup.py
-md5sum = a81c679f9ce3c9c905b10de9203aad61
+md5sum = d9b6476bb0b36cf463fddb00d41dfbaa
 
 [caddyprofiledeps-dummy]
 filename = caddyprofiledummy.py
diff --git a/software/caddy-frontend/instance-apache-replicate.cfg.in b/software/caddy-frontend/instance-apache-replicate.cfg.in
index 424c63e11..289478ff8 100644
--- a/software/caddy-frontend/instance-apache-replicate.cfg.in
+++ b/software/caddy-frontend/instance-apache-replicate.cfg.in
@@ -80,6 +80,11 @@ context =
 {%         set slave_ok = False %}
 {%       endif %}
 {%     endif %}
+{%     if slave.get('custom_domain') %}
+{%       if not validators.domain(slave['custom_domain']) %}
+{%         set slave_ok = False %}
+{%       endif %}
+{%     endif %}
 {%     if slave_ok %}
 {%       do authorized_slave_list.append(slave) %}
 {%     else %}
diff --git a/software/caddy-frontend/instance.cfg.in b/software/caddy-frontend/instance.cfg.in
index 8b6f8c5fe..e6159d837 100644
--- a/software/caddy-frontend/instance.cfg.in
+++ b/software/caddy-frontend/instance.cfg.in
@@ -5,6 +5,9 @@ parts =
   dynamic-template-caddy-replicate
   switch-softwaretype
 
+[caddyprofiledeps]
+recipe = caddyprofiledeps
+
 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2
 rendered = ${buildout:directory}/${:filename}
@@ -41,11 +44,13 @@ extra-context =
 
 [dynamic-template-caddy-replicate]
 < = jinja2-template-base
+depends = ${caddyprofiledeps:recipe}
 template = {{ template_caddy_replicate }}
 filename = instance-caddy-replicate.cfg
 extensions = jinja2.ext.do
 extra-context =
     import subprocess_module subprocess
+    import validators validators
     raw caddy_backend_url_validator {{ caddy_backend_url_validator }}
     raw template_publish_slave_information {{ template_replicate_publish_slave_information }}
 # Must match the key id in [switch-softwaretype] which uses this section.
diff --git a/software/caddy-frontend/setup.py b/software/caddy-frontend/setup.py
index 750edae5f..f84eb47f7 100644
--- a/software/caddy-frontend/setup.py
+++ b/software/caddy-frontend/setup.py
@@ -6,6 +6,7 @@ from setuptools import setup
 setup(
   name='caddyprofiledeps',
   install_requires=[
+    'validators',
   ],
   entry_points={
     'zc.buildout': [
diff --git a/software/caddy-frontend/software.cfg b/software/caddy-frontend/software.cfg
index 469edf717..286fd7d79 100644
--- a/software/caddy-frontend/software.cfg
+++ b/software/caddy-frontend/software.cfg
@@ -2,6 +2,7 @@
 extends = common.cfg
 
 [versions]
+validators = 0.12.2
 PyRSS2Gen = 1.1
 apache-libcloud = 0.19.0
 cns.recipe.symlink = 0.2.3
diff --git a/software/caddy-frontend/test/test.py b/software/caddy-frontend/test/test.py
index e4b7782a0..5db8f5f80 100644
--- a/software/caddy-frontend/test/test.py
+++ b/software/caddy-frontend/test/test.py
@@ -3036,8 +3036,28 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
         're6st-optimal-test':
         'new\nline;rm -fr ~;,new\line\n[s${esection:eoption}',
       },
+      'custom_domain-unsafe': {
+        'custom_domain': '${section:option} afterspace\nafternewline',
+      },
     }
 
+  def test_master_partition_state(self):
+    parameter_dict = self.computer_partition.getConnectionParameterDict()
+    self.assertKeyWithPop('monitor-setup-url', parameter_dict)
+
+    expected_parameter_dict = {
+      'monitor-base-url': None,
+      'domain': 'example.com',
+      'accepted-slave-amount': '2',
+      'rejected-slave-amount': '1',
+      'slave-amount': '3',
+      'rejected-slave-list': '["_custom_domain-unsafe"]'}
+
+    self.assertEqual(
+      expected_parameter_dict,
+      parameter_dict
+    )
+
   def test_re6st_optimal_test_unsafe(self):
     parameter_dict = self.slave_connection_parameter_dict_dict[
       're6st-optimal-test-unsafe']
@@ -3117,3 +3137,11 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
       [],
       monitor_file_list
     )
+
+  def test_custom_domain_unsafe(self):
+    parameter_dict = self.slave_connection_parameter_dict_dict[
+      'custom_domain-unsafe']
+    self.assertEqual(
+      parameter_dict,
+      {}
+    )
-- 
2.30.9