Commit a1943594 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

Revert "caddy-frontend: Protect against wrong custom config"

This reverts commit 7993ff81.

Custom configuration checks are hard to be trusted, as they can impact too
many aspects of running frontend.

Frontend administrator knows the risks of custom configuration, and shall take
proper care.

/reviewed-on nexedi/slapos!543
parent 4eee4c81
...@@ -220,14 +220,10 @@ caddy_custom_https ...@@ -220,14 +220,10 @@ caddy_custom_https
~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
Raw Caddy configuration in python template format (i.e. write "%%" for one "%") for the slave listening to the https port. Its content will be templatified in order to access functionalities such as cache access, ssl certificates... The list is available above. Raw Caddy configuration in python template format (i.e. write "%%" for one "%") for the slave listening to the https port. Its content will be templatified in order to access functionalities such as cache access, ssl certificates... The list is available above.
*Note*: The system will reject slaves which does not pass validation of caddy configuration, despite them being in ``-frontend-authorized-slave-string``, as otherwise this will lead to the whole frontend to fail.
caddy_custom_http caddy_custom_http
~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~
Raw Caddy configuration in python template format (i.e. write "%%" for one "%") for the slave listening to the http port. Its content will be templatified in order to access functionalities such as cache access, ssl certificates... The list is available above Raw Caddy configuration in python template format (i.e. write "%%" for one "%") for the slave listening to the http port. Its content will be templatified in order to access functionalities such as cache access, ssl certificates... The list is available above
*Note*: The system will reject slaves which does not pass validation of caddy configuration, despite them being in ``-frontend-authorized-slave-string``, as otherwise this will lead to the whole frontend to fail.
url url
~~~ ~~~
Necessary to activate cache. ``url`` of backend to use. Necessary to activate cache. ``url`` of backend to use.
...@@ -345,7 +341,7 @@ Request slave frontend instance so that https://[1:2:3:4:5:6:7:8]:1234 will be:: ...@@ -345,7 +341,7 @@ Request slave frontend instance so that https://[1:2:3:4:5:6:7:8]:1234 will be::
"caddy_custom_https":' "caddy_custom_https":'
https://www.example.com:%(https_port)s, https://example.com:%(https_port)s { https://www.example.com:%(https_port)s, https://example.com:%(https_port)s {
bind %(local_ipv4)s bind %(local_ipv4)s
tls %%(certificate)s %%(certificate)s tls %(certificate)s %(certificate)s
log / %(access_log)s {combined} log / %(access_log)s {combined}
errors %(error_log)s errors %(error_log)s
......
...@@ -14,7 +14,7 @@ ...@@ -14,7 +14,7 @@
# not need these here). # not need these here).
[template] [template]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = 111ff0794c90657b658e3d50525e7fed md5sum = fd2ff61d9270109115ced8f56fb0be17
[template-common] [template-common]
filename = instance-common.cfg.in filename = instance-common.cfg.in
...@@ -26,7 +26,7 @@ md5sum = 1d39842e07e6a8674f3157ffc3f7a042 ...@@ -26,7 +26,7 @@ md5sum = 1d39842e07e6a8674f3157ffc3f7a042
[template-apache-replicate] [template-apache-replicate]
filename = instance-apache-replicate.cfg.in filename = instance-apache-replicate.cfg.in
md5sum = 0f5af15a0cc024ff181c15e946d92808 md5sum = 37edefdb9963daa67b01e5d55d97c17d
[template-slave-list] [template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in filename = templates/apache-custom-slave-list.cfg.in
...@@ -48,10 +48,6 @@ md5sum = 7ba0f98ce1692cbd34d98c79488bf240 ...@@ -48,10 +48,6 @@ md5sum = 7ba0f98ce1692cbd34d98c79488bf240
filename = templates/caddy-backend-url-validator.in filename = templates/caddy-backend-url-validator.in
md5sum = 0979a03476e86bf038516c9565dadc17 md5sum = 0979a03476e86bf038516c9565dadc17
[caddy-custom-http-validator]
filename = templates/caddy-custom-http-validator.in
md5sum = a264208e960cdcd25ef27ed8cf730240
[template-not-found-html] [template-not-found-html]
filename = templates/notfound.html filename = templates/notfound.html
md5sum = f20d6c3d2d94fb685f8d26dfca1e822b md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
......
...@@ -152,7 +152,6 @@ context = ...@@ -152,7 +152,6 @@ context =
key template_kedifa template-kedifa:target key template_kedifa template-kedifa:target
key template_replicate_publish_slave_information template-replicate-publish-slave-information:target key template_replicate_publish_slave_information template-replicate-publish-slave-information:target
key caddy_backend_url_validator caddy-backend-url-validator:output key caddy_backend_url_validator caddy-backend-url-validator:output
key caddy_custom_http_validator caddy-custom-http-validator:output
section template_frontend_parameter_dict template-frontend-parameter-section section template_frontend_parameter_dict template-frontend-parameter-section
key caucase_jinja2_library caucase-jinja2-library:target key caucase_jinja2_library caucase-jinja2-library:target
...@@ -169,13 +168,6 @@ filename = caddy-backend-url-validator.in ...@@ -169,13 +168,6 @@ filename = caddy-backend-url-validator.in
output = ${buildout:directory}/caddy-backend-url-validator output = ${buildout:directory}/caddy-backend-url-validator
mode = 0750 mode = 0750
[caddy-custom-http-validator]
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/templates/${:filename}
filename = caddy-custom-http-validator.in
output = ${buildout:directory}/caddy-custom-http-validator
mode = 0750
[template-caddy-replicate] [template-caddy-replicate]
recipe = slapos.recipe.build:download recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/instance-apache-replicate.cfg.in url = ${:_profile_base_location_}/instance-apache-replicate.cfg.in
......
...@@ -114,8 +114,6 @@ context = ...@@ -114,8 +114,6 @@ context =
{% if not unauthorized_message in slave_error_list %} {% if not unauthorized_message in slave_error_list %}
{% do slave_error_list.append(unauthorized_message) %} {% do slave_error_list.append(unauthorized_message) %}
{% endif %} {% endif %}
{% elif subprocess_module.call([caddy_custom_http_validator, '' ~ slave[key]]) == 1 %}
{% do slave_error_list.append('slave %s configuration invalid' % (key,)) %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% endfor %} {# for key in ['caddy_custom_http', 'caddy_custom_https', 'apache_custom_http', 'apache_custom_https'] #} {% endfor %} {# for key in ['caddy_custom_http', 'caddy_custom_https', 'apache_custom_http', 'apache_custom_https'] #}
......
...@@ -59,7 +59,6 @@ extra-context = ...@@ -59,7 +59,6 @@ extra-context =
import validators validators import validators validators
key cluster_identification instance-parameter:root-instance-title key cluster_identification instance-parameter:root-instance-title
raw caddy_backend_url_validator {{ caddy_backend_url_validator }} raw caddy_backend_url_validator {{ caddy_backend_url_validator }}
raw caddy_custom_http_validator {{ caddy_custom_http_validator }}
raw template_publish_slave_information {{ template_replicate_publish_slave_information }} raw template_publish_slave_information {{ template_replicate_publish_slave_information }}
# Must match the key id in [switch-softwaretype] which uses this section. # Must match the key id in [switch-softwaretype] which uses this section.
raw software_type RootSoftwareInstance-default-custom-personal-replicate raw software_type RootSoftwareInstance-default-custom-personal-replicate
......
#!${dash:location}/bin/dash
config="$1"
echo -e $config | ${caddy:output} -conf stdin -validate > /dev/null 2>&1
...@@ -3739,7 +3739,6 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -3739,7 +3739,6 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
'domain': 'example.com', 'domain': 'example.com',
'nginx-domain': 'nginx.example.com', 'nginx-domain': 'nginx.example.com',
'public-ipv4': SLAPOS_TEST_IPV4, 'public-ipv4': SLAPOS_TEST_IPV4,
'-frontend-authorized-slave-string': '_caddy_custom_http_s-reject',
'port': HTTPS_PORT, 'port': HTTPS_PORT,
'plain_http_port': HTTP_PORT, 'plain_http_port': HTTP_PORT,
'nginx_port': NGINX_HTTPS_PORT, 'nginx_port': NGINX_HTTPS_PORT,
...@@ -3754,16 +3753,6 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -3754,16 +3753,6 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
@classmethod @classmethod
def getSlaveParameterDictDict(cls): def getSlaveParameterDictDict(cls):
return { return {
'caddy_custom_http_s-reject': {
'caddy_custom_https': """DestroyCaddyHttps
For sure
This shall not be valid
https://www.google.com {}""",
'caddy_custom_http': """DestroyCaddyHttp
For sure
This shall not be valid
https://www.google.com {}""",
},
're6st-optimal-test-nocomma': { 're6st-optimal-test-nocomma': {
're6st-optimal-test': 'nocomma', 're6st-optimal-test': 'nocomma',
}, },
...@@ -3818,9 +3807,6 @@ https://www.google.com {}""", ...@@ -3818,9 +3807,6 @@ https://www.google.com {}""",
'rejected-slave-amount': '3', 'rejected-slave-amount': '3',
'slave-amount': '11', 'slave-amount': '11',
'rejected-slave-dict': { 'rejected-slave-dict': {
'_caddy_custom_http_s-reject': [
'slave caddy_custom_http configuration invalid',
'slave caddy_custom_https configuration invalid'],
'_custom_domain-unsafe': [ '_custom_domain-unsafe': [
"custom_domain '${section:option} afterspace\\nafternewline' invalid" "custom_domain '${section:option} afterspace\\nafternewline' invalid"
], ],
...@@ -4140,18 +4126,6 @@ https://www.google.com {}""", ...@@ -4140,18 +4126,6 @@ https://www.google.com {}""",
} }
) )
def test_caddy_custom_http_s_reject(self):
parameter_dict = self.parseSlaveParameterDict('caddy_custom_http_s-reject')
self.assertEqual(
{
'request-error-list': [
"slave caddy_custom_http configuration invalid",
"slave caddy_custom_https configuration invalid"
]
},
parameter_dict
)
class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin): class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
@classmethod @classmethod
...@@ -4160,7 +4134,6 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -4160,7 +4134,6 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
'domain': 'example.com', 'domain': 'example.com',
'nginx-domain': 'nginx.example.com', 'nginx-domain': 'nginx.example.com',
'public-ipv4': SLAPOS_TEST_IPV4, 'public-ipv4': SLAPOS_TEST_IPV4,
'-frontend-authorized-slave-string': '_caddy_custom_http_s-reject',
'port': HTTPS_PORT, 'port': HTTPS_PORT,
'plain_http_port': HTTP_PORT, 'plain_http_port': HTTP_PORT,
'nginx_port': NGINX_HTTPS_PORT, 'nginx_port': NGINX_HTTPS_PORT,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment