| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455 |
- package config
- import (
- "fmt"
- "strings"
- "text/template"
- "github.com/OliveTin/OliveTin/internal/env"
- "github.com/google/uuid"
- log "github.com/sirupsen/logrus"
- )
- // Sanitize will look for common configuration issues, and fix them. For example,
- // populating undefined fields - name -> title, etc.
- func (cfg *Config) Sanitize() {
- cfg.sanitizeLogLevel()
- cfg.sanitizeAuthRequireGuestsToLogin()
- cfg.sanitizeLogHistoryPageSize()
- cfg.sanitizeLocalUsers()
- cfg.sanitizeSecurityHeaders()
- cfg.sanitizeOnClickDefaults()
- // log.Infof("cfg %p", cfg)
- for idx := range cfg.Actions {
- cfg.Actions[idx].sanitize(cfg)
- }
- cfg.sanitizeDashboardsForInlineActions()
- cfg.sanitizeActionGroups()
- cfg.sanitizeActionGroupReferences()
- if err := cfg.validateReservedActionArgumentNames(); err != nil {
- log.Fatalf("%v", err)
- }
- }
- func (cfg *Config) validateReservedActionArgumentNames() error {
- for _, action := range cfg.Actions {
- if err := action.validateReservedArgumentNames(); err != nil {
- return err
- }
- }
- return nil
- }
- func (action *Action) validateReservedArgumentNames() error {
- if action == nil {
- return nil
- }
- for _, arg := range action.Arguments {
- if strings.HasPrefix(arg.Name, ReservedArgumentNamePrefix) {
- return fmt.Errorf("action %q argument %q uses reserved prefix %q", action.Title, arg.Name, ReservedArgumentNamePrefix)
- }
- }
- return nil
- }
- func (cfg *Config) sanitizeDashboardsForInlineActions() {
- for _, dashboard := range cfg.Dashboards {
- cfg.sanitizeDashboardComponentForInlineActions(dashboard)
- }
- }
- func (cfg *Config) sanitizeDashboardComponentForInlineActions(component *DashboardComponent) {
- visited := make(map[*DashboardComponent]bool)
- cfg.sanitizeDashboardComponentForInlineActionsHelper(component, visited)
- }
- func (cfg *Config) sanitizeDashboardComponentForInlineActionsHelper(component *DashboardComponent, visited map[*DashboardComponent]bool) {
- if component == nil {
- return
- }
- if visited[component] {
- return
- }
- visited[component] = true
- cfg.sanitizeInlineAction(component)
- cfg.sanitizeChildDashboardComponents(component, visited)
- }
- func (cfg *Config) sanitizeInlineAction(component *DashboardComponent) {
- if component.InlineAction == nil {
- return
- }
- sanitizeInlineActionTitles(component)
- if component.Entity != "" && component.InlineAction.Entity == "" {
- component.InlineAction.Entity = component.Entity
- }
- component.InlineAction.sanitize(cfg)
- cfg.addInlineActionIfNotExists(component.InlineAction)
- }
- func (cfg *Config) addInlineActionIfNotExists(action *Action) {
- if cfg.inlineActionExists(action) {
- return
- }
- cfg.Actions = append(cfg.Actions, action)
- }
- func sanitizeInlineActionTitles(component *DashboardComponent) {
- if component.InlineAction.Title == "" {
- component.InlineAction.Title = component.Title
- }
- if component.Title == "" {
- component.Title = component.InlineAction.Title
- }
- }
- func (cfg *Config) inlineActionExists(action *Action) bool {
- if cfg.inlineActionPointerExists(action) {
- return true
- }
- if cfg.inlineActionIDExists(action) {
- return true
- }
- return false
- }
- func (cfg *Config) inlineActionPointerExists(action *Action) bool {
- for _, existingAction := range cfg.Actions {
- if existingAction == action {
- return true
- }
- }
- return false
- }
- func (cfg *Config) inlineActionIDExists(action *Action) bool {
- if action.ID == "" {
- return false
- }
- for _, existingAction := range cfg.Actions {
- if existingAction.ID == action.ID {
- return true
- }
- }
- return false
- }
- func (cfg *Config) sanitizeChildDashboardComponents(component *DashboardComponent, visited map[*DashboardComponent]bool) {
- for _, child := range component.Contents {
- if child.Entity == "" {
- child.Entity = component.Entity
- }
- cfg.sanitizeDashboardComponentForInlineActionsHelper(child, visited)
- }
- }
- func (cfg *Config) sanitizeLogLevel() {
- if logLevel, err := log.ParseLevel(cfg.LogLevel); err == nil {
- log.Info("Setting log level to ", logLevel)
- log.SetLevel(logLevel)
- }
- }
- func (action *Action) sanitize(cfg *Config) {
- if action.Timeout < 3 {
- action.Timeout = 3
- }
- action.ID = getActionID(action)
- action.Icon = lookupHTMLIcon(action.Icon, cfg.DefaultIconForActions)
- migrateActionOnClick(action)
- action.OnClick = sanitizeOnClick(action.OnClick, cfg)
- action.PopupOnStart = action.OnClick
- if action.MaxConcurrent < 1 {
- action.MaxConcurrent = 1
- }
- action.Groups = dedupeStrings(action.Groups)
- for idx := range action.Arguments {
- action.Arguments[idx].sanitize()
- }
- }
- func dedupeStrings(values []string) []string {
- seen := make(map[string]struct{}, len(values))
- out := make([]string, 0, len(values))
- for _, value := range values {
- out = appendUniqueString(out, seen, value)
- }
- return out
- }
- func appendUniqueString(out []string, seen map[string]struct{}, value string) []string {
- if value == "" {
- return out
- }
- if _, found := seen[value]; found {
- return out
- }
- seen[value] = struct{}{}
- return append(out, value)
- }
- const defaultActionGroupQueueSize = 5
- func (cfg *Config) sanitizeActionGroups() {
- for _, group := range cfg.ActionGroups {
- if group == nil {
- continue
- }
- if group.QueueSize <= 0 {
- group.QueueSize = defaultActionGroupQueueSize
- }
- group.Icon = lookupHTMLIcon(group.Icon, cfg.DefaultIconForActions)
- }
- }
- func (cfg *Config) sanitizeActionGroupReferences() {
- for _, action := range cfg.Actions {
- for _, groupName := range action.Groups {
- cfg.warnInvalidActionGroupReference(action, groupName)
- }
- }
- }
- func (cfg *Config) warnInvalidActionGroupReference(action *Action, groupName string) {
- group, found := cfg.ActionGroups[groupName]
- if !found {
- log.WithFields(log.Fields{
- "actionTitle": action.Title,
- "groupName": groupName,
- }).Warn("Action references unknown action group")
- return
- }
- if group == nil || group.MaxConcurrent < 1 {
- log.WithFields(log.Fields{
- "actionTitle": action.Title,
- "groupName": groupName,
- }).Warn("Action references action group that will not be enforced at runtime")
- }
- }
- func (cfg *Config) sanitizeAuthRequireGuestsToLogin() {
- if cfg.AuthRequireGuestsToLogin {
- log.Infof("AuthRequireGuestsToLogin is enabled. All defaultPermissions will be set to false")
- cfg.DefaultPermissions.View = false
- cfg.DefaultPermissions.Exec = false
- cfg.DefaultPermissions.Logs = false
- cfg.DefaultPermissions.Kill = false
- }
- }
- func (cfg *Config) sanitizeLogHistoryPageSize() {
- if cfg.LogHistoryPageSize < 10 {
- log.Warnf("LogsHistoryLimit is too low, setting it to 10")
- cfg.LogHistoryPageSize = 10
- } else if cfg.LogHistoryPageSize > 100 {
- log.Warnf("LogsHistoryLimit is high, you can do this, but expect browser lag.")
- }
- }
- func (cfg *Config) sanitizeLocalUsers() {
- for _, user := range cfg.AuthLocalUsers.Users {
- expandLocalUserEnvTemplates(user)
- }
- if err := validateUniqueLocalUserAPIKeys(cfg.AuthLocalUsers.Users); err != nil {
- log.Fatalf("%v", err)
- }
- }
- func expandLocalUserEnvTemplates(user *LocalUser) {
- if user == nil {
- return
- }
- if user.Password != "" {
- user.Password = expandEnvTemplate(user.Password)
- }
- if user.ApiKey != "" {
- user.ApiKey = expandEnvTemplate(user.ApiKey)
- }
- }
- // validateUniqueLocalUserAPIKeys returns an error when two local users share the same non-empty apiKey.
- func validateUniqueLocalUserAPIKeys(users []*LocalUser) error {
- seen := make(map[string]string)
- for _, user := range users {
- if err := recordUniqueLocalUserAPIKey(seen, user); err != nil {
- return err
- }
- }
- return nil
- }
- func recordUniqueLocalUserAPIKey(seen map[string]string, user *LocalUser) error {
- if user == nil || user.ApiKey == "" {
- return nil
- }
- if prior, ok := seen[user.ApiKey]; ok {
- return fmt.Errorf("duplicate authLocalUsers apiKey for users %q and %q", prior, user.Username)
- }
- seen[user.ApiKey] = user.Username
- return nil
- }
- func (cfg *Config) sanitizeSecurityHeaders() {
- cfg.sanitizeSecurityHeadersCSP()
- cfg.sanitizeSecurityHeadersXFrameOptions()
- }
- func (cfg *Config) sanitizeSecurityHeadersCSP() {
- if !cfg.Security.HeaderContentSecurityPolicy || cfg.Security.ContentSecurityPolicy != "" {
- return
- }
- cfg.Security.ContentSecurityPolicy = ContentSecurityPolicyDefault
- }
- func (cfg *Config) sanitizeSecurityHeadersXFrameOptions() {
- if !cfg.Security.HeaderXFrameOptions || cfg.Security.XFrameOptions != "" {
- return
- }
- cfg.Security.XFrameOptions = "DENY"
- }
- // expandEnvTemplate expands {{ .Env.VAR }} in config strings using the process environment.
- func expandEnvTemplate(source string) string {
- t, err := template.New("envTemplate").Option("missingkey=error").Parse(source)
- if err != nil {
- log.WithFields(log.Fields{"error": err}).Debug("Env template parse failed, using literal")
- return source
- }
- var b strings.Builder
- if err := t.Execute(&b, map[string]interface{}{"Env": env.BuildEnvMap()}); err != nil {
- log.WithFields(log.Fields{"error": err}).Debug("Env template execute failed, using literal")
- return source
- }
- return b.String()
- }
- func getActionID(action *Action) string {
- if action.ID == "" {
- return uuid.NewString()
- }
- if strings.Contains(action.ID, "{{") {
- log.Fatalf("Action IDs cannot contain variables")
- }
- return action.ID
- }
- //gocyclo:ignore
- func sanitizeOnClick(raw string, cfg *Config) string {
- switch raw {
- case "execution-dialog":
- return raw
- case "execution-dialog-output-html":
- return raw
- case "execution-dialog-stdout-only":
- return raw
- case "execution-button":
- return raw
- case "history":
- return raw
- default:
- return cfg.DefaultOnClick
- }
- }
- func migrateActionOnClick(action *Action) {
- if action.OnClick == "" && action.PopupOnStart != "" {
- action.OnClick = action.PopupOnStart
- }
- }
- func shouldMigrateDefaultOnClickFromPopup(onClick, popupOnStart string) bool {
- if popupOnStart == "" {
- return false
- }
- if onClick == "" {
- return true
- }
- return onClick == "nothing" && popupOnStart != "nothing"
- }
- func (cfg *Config) migrateDefaultOnClickFromLegacyPopup() {
- if !shouldMigrateDefaultOnClickFromPopup(cfg.DefaultOnClick, cfg.DefaultPopupOnStart) {
- return
- }
- cfg.DefaultOnClick = cfg.DefaultPopupOnStart
- }
- func (cfg *Config) sanitizeOnClickDefaults() {
- cfg.migrateDefaultOnClickFromLegacyPopup()
- if cfg.DefaultOnClick == "" {
- cfg.DefaultOnClick = "nothing"
- }
- cfg.DefaultPopupOnStart = cfg.DefaultOnClick
- }
- func (arg *ActionArgument) sanitize() {
- if arg.Title == "" {
- arg.Title = arg.Name
- }
- for idx, choice := range arg.Choices {
- if choice.Title == "" {
- arg.Choices[idx].Title = choice.Value
- }
- }
- arg.sanitizeNoType()
- // Default value validation runs in executor at config load (validateArgumentDefaults).
- }
- func (arg *ActionArgument) sanitizeNoType() {
- if len(arg.Choices) == 0 && arg.Type == "" {
- log.WithFields(log.Fields{
- "arg": arg.Name,
- }).Warn("Argument type isn't set, will default to 'ascii' but this may not be safe. You should set a type specifically.")
- arg.Type = "ascii"
- }
- }
|