From 50812b162ca0bb6296db05838335e0e0cf2d0f79 Mon Sep 17 00:00:00 2001
From: lemoer
Date: Sat, 28 Oct 2017 17:05:53 +0200
Subject: [PATCH] treewide: forbid use of selected site variables in domain specific or site configs
[Matthias schiffer: rebase, add a few more restrictions]
---
package/gluon-authorized-keys/check_site.lua | 2 +-
package/gluon-autoupdater/check_site.lua | 8 ++--
package/gluon-client-bridge/check_site.lua | 10 ++---
.../check_site.lua | 4 +-
.../check_site.lua | 4 +-
package/gluon-core/check_site.lua | 39 ++++++++++---------
.../check_site.lua | 4 +-
package/gluon-mesh-vpn-core/check_site.lua | 10 ++---
package/gluon-mesh-vpn-fastd/check_site.lua | 8 ++--
package/gluon-node-info/check_site.lua | 2 +-
package/gluon-setup-mode/check_site.lua | 3 +-
package/gluon-web-admin/check_site.lua | 6 +--
.../gluon-web-mesh-vpn-fastd/check_site.lua | 2 +-
package/gluon-web-node-role/check_site.lua | 4 +-
14 files changed, 53 insertions(+), 53 deletions(-)
diff --git a/package/gluon-authorized-keys/check_site.lua b/package/gluon-authorized-keys/check_site.lua
index d1acfabe..4c4d0729 100644
--- a/package/gluon-authorized-keys/check_site.lua
+++ b/package/gluon-authorized-keys/check_site.lua
@@ -1 +1 @@
-need_string_array 'authorized_keys'
+need_string_array(in_site('authorized_keys'))
diff --git a/package/gluon-autoupdater/check_site.lua b/package/gluon-autoupdater/check_site.lua
index f02d34c8..faefe876 100644
--- a/package/gluon-autoupdater/check_site.lua
+++ b/package/gluon-autoupdater/check_site.lua
@@ -1,14 +1,14 @@ -need_string 'autoupdater.branch' +need_string(in_site('autoupdater.branch')) local function check_branch(k, _) assert_uci_name(k) local prefix = string.format('autoupdater.branches[%q].', k) - need_string(prefix .. 'name') + need_string(in_site(prefix .. 'name')) need_string_array_match(prefix .. 'mirrors', '^http://') - need_number(prefix .. 'good_signatures') - need_string_array_match(prefix .. 'pubkeys', '^%x+$') + need_number(in_site(prefix .. 'good_signatures')) + need_string_array_match(in_site(prefix .. 'pubkeys'), '^%x+$') end need_table('autoupdater.branches', check_branch) diff --git a/package/gluon-client-bridge/check_site.lua b/package/gluon-client-bridge/check_site.lua index 34060f16..fb8f8df6 100644 --- a/package/gluon-client-bridge/check_site.lua +++ b/package/gluon-client-bridge/check_site.lua @@ -1,15 +1,15 @@ -need_string_match('next_node.mac', '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$', false) +need_string_match(in_domain('next_node.mac'), '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$', false) -if need_string_match('next_node.ip4', '^%d+.%d+.%d+.%d+$', false) then - need_string_match('prefix4', '^%d+.%d+.%d+.%d+/%d+$') +if need_string_match(in_domain('next_node.ip4'), '^%d+.%d+.%d+.%d+$', false) then + need_string_match(in_domain('prefix4'), '^%d+.%d+.%d+.%d+/%d+$') end -need_string_match('next_node.ip6', '^[%x:]+$', false) +need_string_match(in_domain('next_node.ip6'), '^[%x:]+$', false) for _, config in ipairs({'wifi24', 'wifi5'}) do if need_table(config .. '.ap', nil, false) then - need_string(config .. '.ap.ssid') + need_string(in_domain(config .. '.ap.ssid')) need_boolean(config .. '.ap.disabled', false) end end diff --git a/package/gluon-config-mode-contact-info/check_site.lua b/package/gluon-config-mode-contact-info/check_site.lua index fe818616..cd86afea 100644 --- a/package/gluon-config-mode-contact-info/check_site.lua +++ b/package/gluon-config-mode-contact-info/check_site.lua 
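Review bot: `need_number(in_site(prefix .. 'good_signatures'))` in check_branch fixes where the signature threshold may be set, but as far as this hunk shows it still accepts any number, including 0 or a negative value. The mirrors on the neighbouring line only have to match `^http://`, so update integrity presumably rests on `pubkeys` and this threshold, which makes a lower bound worth enforcing at build time. Assuming need_number returns the checked value the way need_boolean does in gluon-web-mesh-vpn-fastd/check_site.lua, `assert(need_number(in_site(prefix .. 'good_signatures')) >= 1, "site.conf error: good_signatures must be at least 1")` would cover it, unless a zero threshold is deliberately allowed for test branches.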
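Review bot: The IPv4 patterns on the `next_node.ip4` and `prefix4` lines use a bare `.`, which in a Lua pattern matches any character, so a value such as `10x0y0z1` passes validation. Escape the dots: `'^%d+%.%d+%.%d+%.%d+$'` and `'^%d+%.%d+%.%d+%.%d+/%d+$'`. The same unescaped pattern appears on the `next_node.ip4` line in gluon-core/check_site.lua and on the `prefix4` line in gluon-ebtables-source-filter/check_site.lua in this patch. Even with the dots escaped these are format checks only; octet and prefix-length ranges are not validated.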
@@ -1,3 +1,3 @@ -if need_table('config_mode', nil, false) and need_table('config_mode.owner', nil, false) then - need_boolean('config_mode.owner.obligatory', false) +if need_table(in_site('config_mode'), nil, false) and need_table(in_site('config_mode.owner'), nil, false) then + need_boolean(in_site('config_mode.owner.obligatory'), false) end diff --git a/package/gluon-config-mode-geo-location/check_site.lua b/package/gluon-config-mode-geo-location/check_site.lua index 509226fe..5654c8e6 100644 --- a/package/gluon-config-mode-geo-location/check_site.lua +++ b/package/gluon-config-mode-geo-location/check_site.lua @@ -1,3 +1,3 @@ -if need_table('config_mode', nil, false) and need_table('config_mode.geo_location', nil, false) then - need_boolean('config_mode.geo_location.show_altitude', false) +if need_table(in_site('config_mode'), nil, false) and need_table(in_site('config_mode.geo_location'), nil, false) then + need_boolean(in_site('config_mode.geo_location.show_altitude'), false) end diff --git a/package/gluon-core/check_site.lua b/package/gluon-core/check_site.lua index 95ddba2e..60f30537 100644 --- a/package/gluon-core/check_site.lua +++ b/package/gluon-core/check_site.lua @@ -1,6 +1,6 @@ -need_string 'site_code' -need_string 'site_name' -need_string_match('domain_seed', '^' .. ('%x'):rep(64) .. '$') +need_string(in_site('site_code')) +need_string(in_site('site_name')) +need_string_match(in_domain('domain_seed'), '^' .. ('%x'):rep(64) .. '$') if need_table('opkg', nil, false) then need_string('opkg.lede', false) 
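Review bot: After this change gluon-core/check_site.lua mixes three forms, `in_site(...)`, `in_domain(...)` and bare paths such as `'opkg.lede'`, and nothing in the file says what each one permits. A one-line header comment would make the intent reviewable, for example `-- in_site(path): only valid in site.conf; in_domain(path): only valid in a domain config; bare path: valid in either`. The exact wording should be confirmed against the helper definitions, which are not part of this patch.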
@@ -9,28 +9,29 @@ if need_table('opkg', nil, false) then -- this is not actually a uci name, but using the same naming rules here is fine assert_uci_name(k) - need_string(string.format('opkg.extra[%q]', k)) + local path = string.format('opkg.extra[%q]', k) + need_string(path) end need_table('opkg.extra', check_repo, false) end -need_string('hostname_prefix', false) -need_string 'timezone' +need_string(in_site('hostname_prefix'), false) +need_string(in_site('timezone')) need_string_array('ntp_servers', false) -need_string_match('prefix6', '^[%x:]+/64$') +need_string_match(in_domain('prefix6'), '^[%x:]+/64$') for _, config in ipairs({'wifi24', 'wifi5'}) do if need_table(config, nil, false) then - need_string('regdom') -- regdom is only required when wifi24 or wifi5 is configured + need_string(in_site('regdom')) -- regdom is only required when wifi24 or wifi5 is configured need_number(config .. '.channel') local rates = {1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, 54000} - local supported_rates = need_array_of(config .. '.supported_rates', rates, false) + local supported_rates = need_array_of(in_site(config .. '.supported_rates'), rates, false) if supported_rates then need_array_of(config .. '.basic_rate', supported_rates, true) else 
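Review bot: In check_repo the new `local path = string.format('opkg.extra[%q]', k)` is only handed to `need_string(path)`, so the two added lines behave exactly like the single line they replace. If the intent was to restrict extra package feeds to site.conf like the other site-wide settings, the wrapper is missing and the call should read `need_string(in_site(path))`; if feeds are meant to remain overridable per domain, the original one-liner is clearer. check_repo's signature lies above this hunk, so this is based on the visible body only.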
@@ -39,36 +40,36 @@ for _, config in ipairs({'wifi24', 'wifi5'}) do end end -need_boolean('poe_passthrough', false) +need_boolean(in_site('poe_passthrough'), false) if need_table('dns', nil, false) then need_number('dns.cacheentries', false) need_string_array_match('dns.servers', '^[%x:]+$', true) end if need_table('next_node', nil, false) then - need_string_match('next_node.ip6', '^[%x:]+$', false) - need_string_match('next_node.ip4', '^%d+.%d+.%d+.%d+$', false) + need_string_match(in_domain('next_node.ip6'), '^[%x:]+$', false) + need_string_match(in_domain('next_node.ip4'), '^%d+.%d+.%d+.%d+$', false) end for _, config in ipairs({'wifi24', 'wifi5'}) do local rates = {1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, 54000} - rates = need_array_of(config .. '.supported_rates', rates, false) or rates + rates = need_array_of(in_site(config .. '.supported_rates'), rates, false) or rates if need_table(config .. '.ibss', nil, false) then - need_string(config .. '.ibss.ssid') - need_string_match(config .. '.ibss.bssid', '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$') + need_string(in_domain(config .. '.ibss.ssid')) + need_string_match(in_domain(config .. '.ibss.bssid'), '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$') need_one_of(config .. '.ibss.mcast_rate', rates, false) need_number(config .. '.ibss.vlan', false) need_boolean(config .. '.ibss.disabled', false) end if need_table(config .. '.mesh', nil, false) then - need_string(config .. '.mesh.id') + need_string(in_domain(config .. '.mesh.id')) need_one_of(config .. '.mesh.mcast_rate', rates, false) need_boolean(config .. '.mesh.disabled', false) end end -need_boolean('mesh_on_wan', false) -need_boolean('mesh_on_lan', false) -need_boolean('single_as_lan', false) +need_boolean(in_site('mesh_on_wan'), false) +need_boolean(in_site('mesh_on_lan'), false) +need_boolean(in_site('single_as_lan'), false) 
diff --git a/package/gluon-ebtables-source-filter/check_site.lua b/package/gluon-ebtables-source-filter/check_site.lua index 815c7296..d0e7ccfd 100644 --- a/package/gluon-ebtables-source-filter/check_site.lua +++ b/package/gluon-ebtables-source-filter/check_site.lua @@ -1,2 +1,2 @@ -need_string_match('prefix4', '^%d+.%d+.%d+.%d+/%d+$', false) -need_string_array_match('extra_prefixes6', '^[%x:]+/%d+$', false) +need_string_match(in_domain('prefix4'), '^%d+.%d+.%d+.%d+/%d+$', false) +need_string_array_match(in_domain('extra_prefixes6'), '^[%x:]+/%d+$', false) diff --git a/package/gluon-mesh-vpn-core/check_site.lua b/package/gluon-mesh-vpn-core/check_site.lua index 94c0887b..7a4b526f 100644 --- a/package/gluon-mesh-vpn-core/check_site.lua +++ b/package/gluon-mesh-vpn-core/check_site.lua @@ -1,8 +1,8 @@ -need_boolean('mesh_vpn.enabled', false) +need_boolean(in_site('mesh_vpn.enabled'), false) need_number('mesh_vpn.mtu') -if need_table('mesh_vpn.bandwidth_limit', nil, false) then - need_boolean('mesh_vpn.bandwidth_limit.enabled', false) - need_number('mesh_vpn.bandwidth_limit.ingress', false) - need_number('mesh_vpn.bandwidth_limit.egress', false) +if need_table(in_site('mesh_vpn.bandwidth_limit'), nil, false) then + need_boolean(in_site('mesh_vpn.bandwidth_limit.enabled'), false) + need_number(in_site('mesh_vpn.bandwidth_limit.ingress'), false) + need_number(in_site('mesh_vpn.bandwidth_limit.egress'), false) end diff --git a/package/gluon-mesh-vpn-fastd/check_site.lua b/package/gluon-mesh-vpn-fastd/check_site.lua index 64da9c88..cfb3e5ee 100644 --- a/package/gluon-mesh-vpn-fastd/check_site.lua +++ b/package/gluon-mesh-vpn-fastd/check_site.lua 
@@ -1,8 +1,8 @@ local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'} need_array_of('mesh_vpn.fastd.methods', fastd_methods) -need_boolean('mesh_vpn.fastd.configurable', false) +need_boolean(in_site('mesh_vpn.fastd.configurable'), false) -need_one_of('mesh_vpn.fastd.syslog_level', {'error', 'warn', 'info', 'verbose', 'debug', 'debug2'}, false) +need_one_of(in_site('mesh_vpn.fastd.syslog_level'), {'error', 'warn', 'info', 'verbose', 'debug', 'debug2'}, false) local function check_peer(prefix) return function(k, _) @@ -10,8 +10,8 @@ local function check_peer(prefix) local table = string.format('%s[%q].', prefix, k) - need_string_match(table .. 'key', '^%x+$') - need_string_array(table .. 'remotes') + need_string_match(in_domain(table .. 'key'), '^%x+$') + need_string_array(in_domain(table .. 'remotes')) end end diff --git a/package/gluon-node-info/check_site.lua b/package/gluon-node-info/check_site.lua index 7e50edfc..b7c4226d 100644 --- a/package/gluon-node-info/check_site.lua +++ b/package/gluon-node-info/check_site.lua @@ -1 +1 @@ -need_string('roles.default', false) +need_string(in_site('roles.default'), false) diff --git a/package/gluon-setup-mode/check_site.lua b/package/gluon-setup-mode/check_site.lua index 07baaad3..b1df6a68 100644 --- a/package/gluon-setup-mode/check_site.lua +++ b/package/gluon-setup-mode/check_site.lua @@ -1,2 +1 @@ -need_boolean('setup_mode.skip', false) - +need_boolean(in_site('setup_mode.skip'), false) diff --git a/package/gluon-web-admin/check_site.lua b/package/gluon-web-admin/check_site.lua index 7fdce6fb..8c88d147 100644 --- a/package/gluon-web-admin/check_site.lua +++ b/package/gluon-web-admin/check_site.lua 
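Review bot: The peer key check `need_string_match(in_domain(table .. 'key'), '^%x+$')` accepts a hex string of any length, so a truncated or over-long key passes the site check and would only fail later on the node. fastd public keys are, as far as I know, 32 bytes, so the pattern could reuse the fixed-length form already used for `domain_seed` in gluon-core/check_site.lua: `'^' .. ('%x'):rep(64) .. '$'`. Separately, the local named `table` on the context line above shadows Lua's `table` library inside the closure; a name such as `peer_path` avoids that. The closure opens in the preceding hunk of this file.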
@@ -1,4 +1,4 @@
-if need_table('config_mode', nil, false) and need_table('config_mode.remote_login', nil, false) then
- need_boolean('config_mode.remote_login.show_password_form', false)
- need_number('config_mode.remote_login.min_password_length', false)
+if need_table(in_site('config_mode'), nil, false) and need_table(in_site('config_mode.remote_login'), nil, false) then
+ need_boolean(in_site('config_mode.remote_login.show_password_form'), false)
+ need_number(in_site('config_mode.remote_login.min_password_length'), false)
 end
diff --git a/package/gluon-web-mesh-vpn-fastd/check_site.lua b/package/gluon-web-mesh-vpn-fastd/check_site.lua
index b9e41e11..1704204a 100644
--- a/package/gluon-web-mesh-vpn-fastd/check_site.lua
+++ b/package/gluon-web-mesh-vpn-fastd/check_site.lua
@@ -1,2 +1,2 @@
-assert(need_boolean('mesh_vpn.fastd.configurable') == true,
+assert(need_boolean(in_site('mesh_vpn.fastd.configurable')) == true,
 "site.conf error: expected `mesh_vpn.fastd.configurable' to be true")
diff --git a/package/gluon-web-node-role/check_site.lua b/package/gluon-web-node-role/check_site.lua
index ab01eeb5..747915be 100644
--- a/package/gluon-web-node-role/check_site.lua
+++ b/package/gluon-web-node-role/check_site.lua
@@ -1,2 +1,2 @@
-need_string 'roles.default'
-need_string_array 'roles.list'
+need_string(in_site('roles.default'))
+need_string_array(in_site('roles.list'))