Commit a1943594 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

Revert "caddy-frontend: Protect against wrong custom config"

This reverts commit 7993ff81.

Custom configuration checks are hard to be trusted, as they can impact too
many aspects of running frontend.

Frontend administrator knows the risks of custom configuration, and shall take
proper care.

/reviewed-on nexedi/slapos!543
parent 4eee4c81
......@@ -220,14 +220,10 @@ caddy_custom_https
~~~~~~~~~~~~~~~~~~
Raw Caddy configuration in python template format (i.e. write "%%" for one "%") for the slave listening to the https port. Its content will be templatified in order to access functionalities such as cache access, ssl certificates... The list is available above.
*Note*: The system will reject slaves which does not pass validation of caddy configuration, despite them being in ``-frontend-authorized-slave-string``, as otherwise this will lead to the whole frontend to fail.
caddy_custom_http
~~~~~~~~~~~~~~~~~
Raw Caddy configuration in python template format (i.e. write "%%" for one "%") for the slave listening to the http port. Its content will be templatified in order to access functionalities such as cache access, ssl certificates... The list is available above
*Note*: The system will reject slaves which does not pass validation of caddy configuration, despite them being in ``-frontend-authorized-slave-string``, as otherwise this will lead to the whole frontend to fail.
url
~~~
Necessary to activate cache. ``url`` of backend to use.
......@@ -345,7 +341,7 @@ Request slave frontend instance so that https://[1:2:3:4:5:6:7:8]:1234 will be::
"caddy_custom_https":'
https://www.example.com:%(https_port)s, https://example.com:%(https_port)s {
bind %(local_ipv4)s
tls %%(certificate)s %%(certificate)s
tls %(certificate)s %(certificate)s
log / %(access_log)s {combined}
errors %(error_log)s
......
......@@ -14,7 +14,7 @@
# not need these here).
[template]
filename = instance.cfg.in
md5sum = 111ff0794c90657b658e3d50525e7fed
md5sum = fd2ff61d9270109115ced8f56fb0be17
[template-common]
filename = instance-common.cfg.in
......@@ -26,7 +26,7 @@ md5sum = 1d39842e07e6a8674f3157ffc3f7a042
[template-apache-replicate]
filename = instance-apache-replicate.cfg.in
md5sum = 0f5af15a0cc024ff181c15e946d92808
md5sum = 37edefdb9963daa67b01e5d55d97c17d
[template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in
......@@ -48,10 +48,6 @@ md5sum = 7ba0f98ce1692cbd34d98c79488bf240
filename = templates/caddy-backend-url-validator.in
md5sum = 0979a03476e86bf038516c9565dadc17
[caddy-custom-http-validator]
filename = templates/caddy-custom-http-validator.in
md5sum = a264208e960cdcd25ef27ed8cf730240
[template-not-found-html]
filename = templates/notfound.html
md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
......
......@@ -152,7 +152,6 @@ context =
key template_kedifa template-kedifa:target
key template_replicate_publish_slave_information template-replicate-publish-slave-information:target
key caddy_backend_url_validator caddy-backend-url-validator:output
key caddy_custom_http_validator caddy-custom-http-validator:output
section template_frontend_parameter_dict template-frontend-parameter-section
key caucase_jinja2_library caucase-jinja2-library:target
......@@ -169,13 +168,6 @@ filename = caddy-backend-url-validator.in
output = ${buildout:directory}/caddy-backend-url-validator
mode = 0750
[caddy-custom-http-validator]
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/templates/${:filename}
filename = caddy-custom-http-validator.in
output = ${buildout:directory}/caddy-custom-http-validator
mode = 0750
[template-caddy-replicate]
recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/instance-apache-replicate.cfg.in
......
......@@ -114,8 +114,6 @@ context =
{% if not unauthorized_message in slave_error_list %}
{% do slave_error_list.append(unauthorized_message) %}
{% endif %}
{% elif subprocess_module.call([caddy_custom_http_validator, '' ~ slave[key]]) == 1 %}
{% do slave_error_list.append('slave %s configuration invalid' % (key,)) %}
{% endif %}
{% endif %}
{% endfor %} {# for key in ['caddy_custom_http', 'caddy_custom_https', 'apache_custom_http', 'apache_custom_https'] #}
......
......@@ -59,7 +59,6 @@ extra-context =
import validators validators
key cluster_identification instance-parameter:root-instance-title
raw caddy_backend_url_validator {{ caddy_backend_url_validator }}
raw caddy_custom_http_validator {{ caddy_custom_http_validator }}
raw template_publish_slave_information {{ template_replicate_publish_slave_information }}
# Must match the key id in [switch-softwaretype] which uses this section.
raw software_type RootSoftwareInstance-default-custom-personal-replicate
......
#!${dash:location}/bin/dash
config="$1"
echo -e $config | ${caddy:output} -conf stdin -validate > /dev/null 2>&1
......@@ -3739,7 +3739,6 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
'domain': 'example.com',
'nginx-domain': 'nginx.example.com',
'public-ipv4': SLAPOS_TEST_IPV4,
'-frontend-authorized-slave-string': '_caddy_custom_http_s-reject',
'port': HTTPS_PORT,
'plain_http_port': HTTP_PORT,
'nginx_port': NGINX_HTTPS_PORT,
......@@ -3754,16 +3753,6 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
@classmethod
def getSlaveParameterDictDict(cls):
return {
'caddy_custom_http_s-reject': {
'caddy_custom_https': """DestroyCaddyHttps
For sure
This shall not be valid
https://www.google.com {}""",
'caddy_custom_http': """DestroyCaddyHttp
For sure
This shall not be valid
https://www.google.com {}""",
},
're6st-optimal-test-nocomma': {
're6st-optimal-test': 'nocomma',
},
......@@ -3818,9 +3807,6 @@ https://www.google.com {}""",
'rejected-slave-amount': '3',
'slave-amount': '11',
'rejected-slave-dict': {
'_caddy_custom_http_s-reject': [
'slave caddy_custom_http configuration invalid',
'slave caddy_custom_https configuration invalid'],
'_custom_domain-unsafe': [
"custom_domain '${section:option} afterspace\\nafternewline' invalid"
],
......@@ -4140,18 +4126,6 @@ https://www.google.com {}""",
}
)
def test_caddy_custom_http_s_reject(self):
parameter_dict = self.parseSlaveParameterDict('caddy_custom_http_s-reject')
self.assertEqual(
{
'request-error-list': [
"slave caddy_custom_http configuration invalid",
"slave caddy_custom_https configuration invalid"
]
},
parameter_dict
)
class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
@classmethod
......@@ -4160,7 +4134,6 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
'domain': 'example.com',
'nginx-domain': 'nginx.example.com',
'public-ipv4': SLAPOS_TEST_IPV4,
'-frontend-authorized-slave-string': '_caddy_custom_http_s-reject',
'port': HTTPS_PORT,
'plain_http_port': HTTP_PORT,
'nginx_port': NGINX_HTTPS_PORT,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment