From c6c33fb2b33d3a910d5c43f9d3b7b9f55859d469 Mon Sep 17 00:00:00 2001 From: Lukasz Nowak <luke@nexedi.com> Date: Wed, 8 Aug 2018 11:23:59 +0200 Subject: [PATCH] caddy-frontend: Use validators to validate slave's custom_domain Install validators dependency, which is a way to easily check if email is an email or domain is correct. As slave requester is able to enter any string in custom domain validate it against being correct domain name and in case if validation fails reject that slave. --- software/caddy-frontend/buildout.hash.cfg | 6 ++-- .../instance-apache-replicate.cfg.in | 5 ++++ software/caddy-frontend/instance.cfg.in | 5 ++++ software/caddy-frontend/setup.py | 1 + software/caddy-frontend/software.cfg | 1 + software/caddy-frontend/test/test.py | 28 +++++++++++++++++++ 6 files changed, 43 insertions(+), 3 deletions(-) diff --git a/software/caddy-frontend/buildout.hash.cfg b/software/caddy-frontend/buildout.hash.cfg index c402301f4..4bfd72bf7 100644 --- a/software/caddy-frontend/buildout.hash.cfg +++ b/software/caddy-frontend/buildout.hash.cfg @@ -14,7 +14,7 @@ # not need these here). [template] filename = instance.cfg.in -md5sum = 8bdb588d33bf5cd059495a5c3e6dd049 +md5sum = ae392fdf6e874ac12ee7e490f6fc1faa [template-common] filename = instance-common.cfg.in @@ -26,7 +26,7 @@ md5sum = 750e2b1c922bf14511a3bc8a42468b1b [template-apache-replicate] filename = instance-apache-replicate.cfg.in -md5sum = 1cf98844e5daf75a74514dbb292d6506 +md5sum = 2f370174b18f27db5c0f9daf83df8104 [template-slave-list] filename = templates/apache-custom-slave-list.cfg.in @@ -106,7 +106,7 @@ md5sum = 455f8765a3afd39fb78562fb9e326c42 [caddyprofiledeps-setup] filename = setup.py -md5sum = a81c679f9ce3c9c905b10de9203aad61 +md5sum = d9b6476bb0b36cf463fddb00d41dfbaa [caddyprofiledeps-dummy] filename = caddyprofiledummy.py diff --git a/software/caddy-frontend/instance-apache-replicate.cfg.in b/software/caddy-frontend/instance-apache-replicate.cfg.in index 424c63e11..289478ff8 100644 
--- a/software/caddy-frontend/instance-apache-replicate.cfg.in +++ b/software/caddy-frontend/instance-apache-replicate.cfg.in @@ -80,6 +80,11 @@ context = {% set slave_ok = False %} {% endif %} {% endif %} +{% if slave.get('custom_domain') %} +{% if not validators.domain(slave['custom_domain']) %} +{% set slave_ok = False %} +{% endif %} +{% endif %} {% if slave_ok %} {% do authorized_slave_list.append(slave) %} {% else %} diff --git a/software/caddy-frontend/instance.cfg.in b/software/caddy-frontend/instance.cfg.in index 8b6f8c5fe..e6159d837 100644 --- a/software/caddy-frontend/instance.cfg.in +++ b/software/caddy-frontend/instance.cfg.in @@ -5,6 +5,9 @@ parts = dynamic-template-caddy-replicate switch-softwaretype +[caddyprofiledeps] +recipe = caddyprofiledeps + [jinja2-template-base] recipe = slapos.recipe.template:jinja2 rendered = ${buildout:directory}/${:filename} @@ -41,11 +44,13 @@ extra-context = [dynamic-template-caddy-replicate] < = jinja2-template-base +depends = ${caddyprofiledeps:recipe} template = {{ template_caddy_replicate }} filename = instance-caddy-replicate.cfg extensions = jinja2.ext.do extra-context = import subprocess_module subprocess + import validators validators raw caddy_backend_url_validator {{ caddy_backend_url_validator }} raw template_publish_slave_information {{ template_replicate_publish_slave_information }} # Must match the key id in [switch-softwaretype] which uses this section. diff --git a/software/caddy-frontend/setup.py b/software/caddy-frontend/setup.py index 750edae5f..f84eb47f7 100644 --- a/software/caddy-frontend/setup.py +++ b/software/caddy-frontend/setup.py @@ -6,6 +6,7 @@ from setuptools import setup setup( name='caddyprofiledeps', install_requires=[ + 'validators', ], entry_points={ 'zc.buildout': [ diff --git a/software/caddy-frontend/software.cfg b/software/caddy-frontend/software.cfg index 469edf717..286fd7d79 100644 --- a/software/caddy-frontend/software.cfg +++ b/software/caddy-frontend/software.cfg 
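Review bot: In instance-apache-replicate.cfg.in the added lines pass the raw `custom_domain` value straight to `validators.domain()`, with no type check or normalisation first, and `custom_domain` is the only field they check. If a slave can ever supply a non-string value here, the validator would presumably raise and abort rendering for every slave instead of rejecting the one request, so confirm the value is always a string at this point. As far as I know the validator's pattern also does not accept a wildcard label such as `*.example.com`; if wildcard custom domains were accepted before this change, they are now rejected. The two nested `if`s can be written as `{% if slave.get('custom_domain') and not validators.domain(slave['custom_domain']) %}`, preceded by `{# reject the slave when custom_domain is not a syntactically valid domain name #}`. The enclosing block starts and ends outside the hunk, so the checks on other requester-supplied fields are not visible here.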
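Review bot: In instance.cfg.in, second hunk, `depends = ${caddyprofiledeps:recipe}` under `[dynamic-template-caddy-replicate]` is not self-explanatory. It appears to exist only so that the new `[caddyprofiledeps]` part is installed before the template renders and `import validators validators` can succeed. A comment above it, such as `# reference caddyprofiledeps so its eggs (validators) are installed before this template is rendered`, would keep a later cleanup from dropping the line. Note also that `import validators validators` exposes the whole module to the template context, while this patch only uses `validators.domain`.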
@@ -2,6 +2,7 @@ extends = common.cfg [versions] +validators = 0.12.2 PyRSS2Gen = 1.1 apache-libcloud = 0.19.0 cns.recipe.symlink = 0.2.3 diff --git a/software/caddy-frontend/test/test.py b/software/caddy-frontend/test/test.py index e4b7782a0..5db8f5f80 100644 --- a/software/caddy-frontend/test/test.py +++ b/software/caddy-frontend/test/test.py @@ -3036,8 +3036,28 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin): 're6st-optimal-test': 'new\nline;rm -fr ~;,new\line\n[s${esection:eoption}', }, + 'custom_domain-unsafe': { + 'custom_domain': '${section:option} afterspace\nafternewline', + }, } + def test_master_partition_state(self): + parameter_dict = self.computer_partition.getConnectionParameterDict() + self.assertKeyWithPop('monitor-setup-url', parameter_dict) + + expected_parameter_dict = { + 'monitor-base-url': None, + 'domain': 'example.com', + 'accepted-slave-amount': '2', + 'rejected-slave-amount': '1', + 'slave-amount': '3', + 'rejected-slave-list': '["_custom_domain-unsafe"]'} + + self.assertEqual( + expected_parameter_dict, + parameter_dict + ) + def test_re6st_optimal_test_unsafe(self): parameter_dict = self.slave_connection_parameter_dict_dict[ 're6st-optimal-test-unsafe'] @@ -3117,3 +3137,11 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin): [], monitor_file_list ) + + def test_custom_domain_unsafe(self): + parameter_dict = self.slave_connection_parameter_dict_dict[ + 'custom_domain-unsafe'] + self.assertEqual( + parameter_dict, + {} + ) -- 2.30.9
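Review bot: In test/test.py the rejection path is pinned by a single input, `'${section:option} afterspace\nafternewline'`, which mixes a buildout substitution, a space and a newline, so the test still passes if only one of those properties is caught. One slave per case would show which property the validator is relied on for. A slave with a well-formed `custom_domain` in the same class would guard against over-rejection; the class body continues outside both hunks, so such a case may already exist. `test_custom_domain_unsafe` (second hunk) asserts an empty connection dict, meaning the requester learns nothing about why the slave was refused. If that is intended, a docstring such as `"""A slave with an invalid custom_domain is rejected and publishes no connection parameters."""` would record it. The two new tests also pass `assertEqual` arguments in opposite order (`expected, actual` in `test_master_partition_state`, `actual, expected` in `test_custom_domain_unsafe`).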