sanitize.go 6.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273
  1. package config
  2. import (
  3. "strings"
  4. "text/template"
  5. "github.com/OliveTin/OliveTin/internal/env"
  6. "github.com/google/uuid"
  7. log "github.com/sirupsen/logrus"
  8. )
  9. // Sanitize will look for common configuration issues, and fix them. For example,
  10. // populating undefined fields - name -> title, etc.
  11. func (cfg *Config) Sanitize() {
  12. cfg.sanitizeLogLevel()
  13. cfg.sanitizeAuthRequireGuestsToLogin()
  14. cfg.sanitizeLogHistoryPageSize()
  15. cfg.sanitizeLocalUserPasswords()
  16. cfg.sanitizeSecurityHeaders()
  17. // log.Infof("cfg %p", cfg)
  18. for idx := range cfg.Actions {
  19. cfg.Actions[idx].sanitize(cfg)
  20. }
  21. cfg.sanitizeDashboardsForInlineActions()
  22. }
  23. func (cfg *Config) sanitizeDashboardsForInlineActions() {
  24. for _, dashboard := range cfg.Dashboards {
  25. cfg.sanitizeDashboardComponentForInlineActions(dashboard)
  26. }
  27. }
  28. func (cfg *Config) sanitizeDashboardComponentForInlineActions(component *DashboardComponent) {
  29. visited := make(map[*DashboardComponent]bool)
  30. cfg.sanitizeDashboardComponentForInlineActionsHelper(component, visited)
  31. }
  32. func (cfg *Config) sanitizeDashboardComponentForInlineActionsHelper(component *DashboardComponent, visited map[*DashboardComponent]bool) {
  33. if component == nil {
  34. return
  35. }
  36. if visited[component] {
  37. return
  38. }
  39. visited[component] = true
  40. cfg.sanitizeInlineAction(component)
  41. cfg.sanitizeChildDashboardComponents(component, visited)
  42. }
  43. func (cfg *Config) sanitizeInlineAction(component *DashboardComponent) {
  44. if component.InlineAction == nil {
  45. return
  46. }
  47. sanitizeInlineActionTitles(component)
  48. if component.Entity != "" && component.InlineAction.Entity == "" {
  49. component.InlineAction.Entity = component.Entity
  50. }
  51. component.InlineAction.sanitize(cfg)
  52. cfg.addInlineActionIfNotExists(component.InlineAction)
  53. }
  54. func (cfg *Config) addInlineActionIfNotExists(action *Action) {
  55. if cfg.inlineActionExists(action) {
  56. return
  57. }
  58. cfg.Actions = append(cfg.Actions, action)
  59. }
  60. func sanitizeInlineActionTitles(component *DashboardComponent) {
  61. if component.InlineAction.Title == "" {
  62. component.InlineAction.Title = component.Title
  63. }
  64. if component.Title == "" {
  65. component.Title = component.InlineAction.Title
  66. }
  67. }
  68. func (cfg *Config) inlineActionExists(action *Action) bool {
  69. if cfg.inlineActionPointerExists(action) {
  70. return true
  71. }
  72. if cfg.inlineActionIDExists(action) {
  73. return true
  74. }
  75. return false
  76. }
  77. func (cfg *Config) inlineActionPointerExists(action *Action) bool {
  78. for _, existingAction := range cfg.Actions {
  79. if existingAction == action {
  80. return true
  81. }
  82. }
  83. return false
  84. }
  85. func (cfg *Config) inlineActionIDExists(action *Action) bool {
  86. if action.ID == "" {
  87. return false
  88. }
  89. for _, existingAction := range cfg.Actions {
  90. if existingAction.ID == action.ID {
  91. return true
  92. }
  93. }
  94. return false
  95. }
  96. func (cfg *Config) sanitizeChildDashboardComponents(component *DashboardComponent, visited map[*DashboardComponent]bool) {
  97. for _, child := range component.Contents {
  98. if child.Entity == "" {
  99. child.Entity = component.Entity
  100. }
  101. cfg.sanitizeDashboardComponentForInlineActionsHelper(child, visited)
  102. }
  103. }
  104. func (cfg *Config) sanitizeLogLevel() {
  105. if logLevel, err := log.ParseLevel(cfg.LogLevel); err == nil {
  106. log.Info("Setting log level to ", logLevel)
  107. log.SetLevel(logLevel)
  108. }
  109. }
  110. func (action *Action) sanitize(cfg *Config) {
  111. if action.Timeout < 3 {
  112. action.Timeout = 3
  113. }
  114. action.ID = getActionID(action)
  115. action.Icon = lookupHTMLIcon(action.Icon, cfg.DefaultIconForActions)
  116. action.PopupOnStart = sanitizePopupOnStart(action.PopupOnStart, cfg)
  117. if action.MaxConcurrent < 1 {
  118. action.MaxConcurrent = 1
  119. }
  120. for idx := range action.Arguments {
  121. action.Arguments[idx].sanitize()
  122. }
  123. }
  124. func (cfg *Config) sanitizeAuthRequireGuestsToLogin() {
  125. if cfg.AuthRequireGuestsToLogin {
  126. log.Infof("AuthRequireGuestsToLogin is enabled. All defaultPermissions will be set to false")
  127. cfg.DefaultPermissions.View = false
  128. cfg.DefaultPermissions.Exec = false
  129. cfg.DefaultPermissions.Logs = false
  130. cfg.DefaultPermissions.Kill = false
  131. }
  132. }
  133. func (cfg *Config) sanitizeLogHistoryPageSize() {
  134. if cfg.LogHistoryPageSize < 10 {
  135. log.Warnf("LogsHistoryLimit is too low, setting it to 10")
  136. cfg.LogHistoryPageSize = 10
  137. } else if cfg.LogHistoryPageSize > 100 {
  138. log.Warnf("LogsHistoryLimit is high, you can do this, but expect browser lag.")
  139. }
  140. }
  141. func (cfg *Config) sanitizeLocalUserPasswords() {
  142. for _, user := range cfg.AuthLocalUsers.Users {
  143. if user.Password != "" {
  144. user.Password = parsePasswordTemplate(user.Password)
  145. }
  146. }
  147. }
  148. func (cfg *Config) sanitizeSecurityHeaders() {
  149. cfg.sanitizeSecurityHeadersCSP()
  150. cfg.sanitizeSecurityHeadersXFrameOptions()
  151. }
  152. func (cfg *Config) sanitizeSecurityHeadersCSP() {
  153. if !cfg.Security.HeaderContentSecurityPolicy || cfg.Security.ContentSecurityPolicy != "" {
  154. return
  155. }
  156. cfg.Security.ContentSecurityPolicy = ContentSecurityPolicyDefault
  157. }
  158. func (cfg *Config) sanitizeSecurityHeadersXFrameOptions() {
  159. if !cfg.Security.HeaderXFrameOptions || cfg.Security.XFrameOptions != "" {
  160. return
  161. }
  162. cfg.Security.XFrameOptions = "DENY"
  163. }
  164. // parsePasswordTemplate expands {{ .Env.VAR }} in local user password fields using the process environment.
  165. func parsePasswordTemplate(source string) string {
  166. t, err := template.New("password").Option("missingkey=error").Parse(source)
  167. if err != nil {
  168. log.WithFields(log.Fields{"error": err}).Debug("Password template parse failed, using literal")
  169. return source
  170. }
  171. var b strings.Builder
  172. if err := t.Execute(&b, map[string]interface{}{"Env": env.BuildEnvMap()}); err != nil {
  173. log.WithFields(log.Fields{"error": err}).Debug("Password template execute failed, using literal")
  174. return source
  175. }
  176. return b.String()
  177. }
  178. func getActionID(action *Action) string {
  179. if action.ID == "" {
  180. return uuid.NewString()
  181. }
  182. if strings.Contains(action.ID, "{{") {
  183. log.Fatalf("Action IDs cannot contain variables")
  184. }
  185. return action.ID
  186. }
  187. //gocyclo:ignore
  188. func sanitizePopupOnStart(raw string, cfg *Config) string {
  189. switch raw {
  190. case "execution-dialog":
  191. return raw
  192. case "execution-dialog-output-html":
  193. return raw
  194. case "execution-dialog-stdout-only":
  195. return raw
  196. case "execution-button":
  197. return raw
  198. default:
  199. return cfg.DefaultPopupOnStart
  200. }
  201. }
  202. func (arg *ActionArgument) sanitize() {
  203. if arg.Title == "" {
  204. arg.Title = arg.Name
  205. }
  206. for idx, choice := range arg.Choices {
  207. if choice.Title == "" {
  208. arg.Choices[idx].Title = choice.Value
  209. }
  210. }
  211. arg.sanitizeNoType()
  212. // Default value validation runs in executor at config load (validateArgumentDefaults).
  213. }
  214. func (arg *ActionArgument) sanitizeNoType() {
  215. if len(arg.Choices) == 0 && arg.Type == "" {
  216. log.WithFields(log.Fields{
  217. "arg": arg.Name,
  218. }).Warn("Argument type isn't set, will default to 'ascii' but this may not be safe. You should set a type specifically.")
  219. arg.Type = "ascii"
  220. }
  221. }