treewide: forbid use of selected site variables in domain specific or site configs
[Matthias Schiffer: rebase, add a few more restrictions]
		
							parent
							
								
									8d8d4fa0c3
								
							
						
					
					
						commit
						50812b162c
					
				| @ -1 +1 @@ | |||||||
| need_string_array 'authorized_keys' | need_string_array(in_site('authorized_keys')) | ||||||
|  | |||||||
| @ -1,14 +1,14 @@ | |||||||
| need_string 'autoupdater.branch' | need_string(in_site('autoupdater.branch')) | ||||||
| 
 | 
 | ||||||
| local function check_branch(k, _) | local function check_branch(k, _) | ||||||
|    assert_uci_name(k) |    assert_uci_name(k) | ||||||
| 
 | 
 | ||||||
|    local prefix = string.format('autoupdater.branches[%q].', k) |    local prefix = string.format('autoupdater.branches[%q].', k) | ||||||
| 
 | 
 | ||||||
|    need_string(prefix .. 'name') |    need_string(in_site(prefix .. 'name')) | ||||||
|    need_string_array_match(prefix .. 'mirrors', '^http://') |    need_string_array_match(prefix .. 'mirrors', '^http://') | ||||||
|    need_number(prefix .. 'good_signatures') |    need_number(in_site(prefix .. 'good_signatures')) | ||||||
|    need_string_array_match(prefix .. 'pubkeys', '^%x+$') |    need_string_array_match(in_site(prefix .. 'pubkeys'), '^%x+$') | ||||||
| end | end | ||||||
| 
 | 
 | ||||||
| need_table('autoupdater.branches', check_branch) | need_table('autoupdater.branches', check_branch) | ||||||
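Review bot: `need_number(in_site(prefix .. 'good_signatures'))` in check_branch accepts any number, so 0, a negative value or a fraction passes validation, even though the mirrors on the line above must be plain `http://` and the signature threshold is then, as far as this file shows, the only integrity check on an update. If need_number returns the value the way need_boolean does in the `mesh_vpn.fastd.configurable` assert on this page, a bound can follow it: `local n = need_number(in_site(prefix .. 'good_signatures'))` then `assert(n >= 1 and n % 1 == 0, "site.conf error: good_signatures must be a positive integer")`. The same unbounded need_number is used for `config_mode.remote_login.min_password_length` in the remote_login check. The `pubkeys` pattern `'^%x+$'` likewise takes hex of any length; a fixed-length pattern like the one used for `domain_seed` would be stricter once the expected key length is confirmed.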
|  | |||||||
| @ -1,15 +1,15 @@ | |||||||
| need_string_match('next_node.mac', '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$', false) | need_string_match(in_domain('next_node.mac'), '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$', false) | ||||||
| 
 | 
 | ||||||
| if need_string_match('next_node.ip4', '^%d+.%d+.%d+.%d+$', false) then | if need_string_match(in_domain('next_node.ip4'), '^%d+.%d+.%d+.%d+$', false) then | ||||||
| 	need_string_match('prefix4', '^%d+.%d+.%d+.%d+/%d+$') | 	need_string_match(in_domain('prefix4'), '^%d+.%d+.%d+.%d+/%d+$') | ||||||
| end | end | ||||||
| 
 | 
 | ||||||
| need_string_match('next_node.ip6', '^[%x:]+$', false) | need_string_match(in_domain('next_node.ip6'), '^[%x:]+$', false) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| for _, config in ipairs({'wifi24', 'wifi5'}) do | for _, config in ipairs({'wifi24', 'wifi5'}) do | ||||||
| 	if need_table(config .. '.ap', nil, false) then | 	if need_table(config .. '.ap', nil, false) then | ||||||
| 		need_string(config .. '.ap.ssid') | 		need_string(in_domain(config .. '.ap.ssid')) | ||||||
| 		need_boolean(config .. '.ap.disabled', false) | 		need_boolean(config .. '.ap.disabled', false) | ||||||
| 	end | 	end | ||||||
| end | end | ||||||
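Review bot: The IPv4 patterns given to need_string_match here, `'^%d+.%d+.%d+.%d+$'` for `next_node.ip4` and `'^%d+.%d+.%d+.%d+/%d+$'` for `prefix4`, use an unescaped `.`, which in a Lua pattern matches any character, so a value such as `10a0b0c1` (constructed example) validates as an address. Escaping the dots closes that: `'^%d+%.%d+%.%d+%.%d+$'` and `'^%d+%.%d+%.%d+%.%d+/%d+$'`. The same patterns appear in the `next_node` block of the site-wide check and in the two-line `prefix4` check further down the page. Octet and prefix-length ranges remain unchecked after that change, which is worth a comment next to the patterns.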
|  | |||||||
| @ -1,3 +1,3 @@ | |||||||
| if need_table('config_mode', nil, false) and need_table('config_mode.owner', nil, false) then | if need_table(in_site('config_mode'), nil, false) and need_table(in_site('config_mode.owner'), nil, false) then | ||||||
|   need_boolean('config_mode.owner.obligatory', false) |   need_boolean(in_site('config_mode.owner.obligatory'), false) | ||||||
| end | end | ||||||
|  | |||||||
| @ -1,3 +1,3 @@ | |||||||
| if need_table('config_mode', nil, false) and need_table('config_mode.geo_location', nil, false) then | if need_table(in_site('config_mode'), nil, false) and need_table(in_site('config_mode.geo_location'), nil, false) then | ||||||
|   need_boolean('config_mode.geo_location.show_altitude', false) |   need_boolean(in_site('config_mode.geo_location.show_altitude'), false) | ||||||
| end | end | ||||||
|  | |||||||
| @ -1,6 +1,6 @@ | |||||||
| need_string 'site_code' | need_string(in_site('site_code')) | ||||||
| need_string 'site_name' | need_string(in_site('site_name')) | ||||||
| need_string_match('domain_seed', '^' .. ('%x'):rep(64) .. '$') | need_string_match(in_domain('domain_seed'), '^' .. ('%x'):rep(64) .. '$') | ||||||
| 
 | 
 | ||||||
| if need_table('opkg', nil, false) then | if need_table('opkg', nil, false) then | ||||||
| 	need_string('opkg.lede', false) | 	need_string('opkg.lede', false) | ||||||
| @ -9,28 +9,29 @@ if need_table('opkg', nil, false) then | |||||||
| 		-- this is not actually a uci name, but using the same naming rules here is fine | 		-- this is not actually a uci name, but using the same naming rules here is fine | ||||||
| 		assert_uci_name(k) | 		assert_uci_name(k) | ||||||
| 
 | 
 | ||||||
| 		need_string(string.format('opkg.extra[%q]', k)) | 		local path = string.format('opkg.extra[%q]', k) | ||||||
|  | 		need_string(path) | ||||||
| 	end | 	end | ||||||
| 
 | 
 | ||||||
| 	need_table('opkg.extra', check_repo, false) | 	need_table('opkg.extra', check_repo, false) | ||||||
| end | end | ||||||
| 
 | 
 | ||||||
| need_string('hostname_prefix', false) | need_string(in_site('hostname_prefix'), false) | ||||||
| need_string 'timezone' | need_string(in_site('timezone')) | ||||||
| 
 | 
 | ||||||
| need_string_array('ntp_servers', false) | need_string_array('ntp_servers', false) | ||||||
| 
 | 
 | ||||||
| need_string_match('prefix6', '^[%x:]+/64$') | need_string_match(in_domain('prefix6'), '^[%x:]+/64$') | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| for _, config in ipairs({'wifi24', 'wifi5'}) do | for _, config in ipairs({'wifi24', 'wifi5'}) do | ||||||
| 	if need_table(config, nil, false) then | 	if need_table(config, nil, false) then | ||||||
| 		need_string('regdom') -- regdom is only required when wifi24 or wifi5 is configured | 		need_string(in_site('regdom')) -- regdom is only required when wifi24 or wifi5 is configured | ||||||
| 
 | 
 | ||||||
| 		need_number(config .. '.channel') | 		need_number(config .. '.channel') | ||||||
| 
 | 
 | ||||||
| 		local rates = {1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, 54000} | 		local rates = {1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, 54000} | ||||||
| 		local supported_rates = need_array_of(config .. '.supported_rates', rates, false) | 		local supported_rates = need_array_of(in_site(config .. '.supported_rates'), rates, false) | ||||||
| 		if supported_rates then | 		if supported_rates then | ||||||
| 			need_array_of(config .. '.basic_rate', supported_rates, true) | 			need_array_of(config .. '.basic_rate', supported_rates, true) | ||||||
| 		else | 		else | ||||||
| @ -39,36 +40,36 @@ for _, config in ipairs({'wifi24', 'wifi5'}) do | |||||||
| 	end | 	end | ||||||
| end | end | ||||||
| 
 | 
 | ||||||
| need_boolean('poe_passthrough', false) | need_boolean(in_site('poe_passthrough'), false) | ||||||
| if need_table('dns', nil, false) then | if need_table('dns', nil, false) then | ||||||
| 	need_number('dns.cacheentries', false) | 	need_number('dns.cacheentries', false) | ||||||
| 	need_string_array_match('dns.servers', '^[%x:]+$', true) | 	need_string_array_match('dns.servers', '^[%x:]+$', true) | ||||||
| end | end | ||||||
| 
 | 
 | ||||||
| if need_table('next_node', nil, false) then | if need_table('next_node', nil, false) then | ||||||
| 	need_string_match('next_node.ip6', '^[%x:]+$', false) | 	need_string_match(in_domain('next_node.ip6'), '^[%x:]+$', false) | ||||||
| 	need_string_match('next_node.ip4', '^%d+.%d+.%d+.%d+$', false) | 	need_string_match(in_domain('next_node.ip4'), '^%d+.%d+.%d+.%d+$', false) | ||||||
| end | end | ||||||
| 
 | 
 | ||||||
| for _, config in ipairs({'wifi24', 'wifi5'}) do | for _, config in ipairs({'wifi24', 'wifi5'}) do | ||||||
|   local rates = {1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, 54000} |   local rates = {1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, 54000} | ||||||
|   rates = need_array_of(config .. '.supported_rates', rates, false) or rates |   rates = need_array_of(in_site(config .. '.supported_rates'), rates, false) or rates | ||||||
| 
 | 
 | ||||||
|   if need_table(config .. '.ibss', nil, false) then |   if need_table(config .. '.ibss', nil, false) then | ||||||
|     need_string(config .. '.ibss.ssid') |     need_string(in_domain(config .. '.ibss.ssid')) | ||||||
|     need_string_match(config .. '.ibss.bssid', '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$') |     need_string_match(in_domain(config .. '.ibss.bssid'), '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$') | ||||||
|     need_one_of(config .. '.ibss.mcast_rate', rates, false) |     need_one_of(config .. '.ibss.mcast_rate', rates, false) | ||||||
|     need_number(config .. '.ibss.vlan', false) |     need_number(config .. '.ibss.vlan', false) | ||||||
|     need_boolean(config .. '.ibss.disabled', false) |     need_boolean(config .. '.ibss.disabled', false) | ||||||
|   end |   end | ||||||
| 
 | 
 | ||||||
|   if need_table(config .. '.mesh', nil, false) then |   if need_table(config .. '.mesh', nil, false) then | ||||||
|     need_string(config .. '.mesh.id') |     need_string(in_domain(config .. '.mesh.id')) | ||||||
|     need_one_of(config .. '.mesh.mcast_rate', rates, false) |     need_one_of(config .. '.mesh.mcast_rate', rates, false) | ||||||
|     need_boolean(config .. '.mesh.disabled', false) |     need_boolean(config .. '.mesh.disabled', false) | ||||||
|   end |   end | ||||||
| end | end | ||||||
| 
 | 
 | ||||||
| need_boolean('mesh_on_wan', false) | need_boolean(in_site('mesh_on_wan'), false) | ||||||
| need_boolean('mesh_on_lan', false) | need_boolean(in_site('mesh_on_lan'), false) | ||||||
| need_boolean('single_as_lan', false) | need_boolean(in_site('single_as_lan'), false) | ||||||
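Review bot: The new `local path = string.format('opkg.extra[%q]', k)` in check_repo is handed to `need_string(path)` unchanged, so unlike the other edits in this file it applies neither `in_site` nor `in_domain` to the `opkg.extra` entries. These look like extra package repositories, going by the name check_repo, and which config level may set them matters for where installed packages come from. If a restriction was intended, write `need_string(in_site(path))`. If not, the local adds nothing over the original one-liner, and a short comment such as `-- opkg.extra may be overridden per domain` would record the decision. check_repo starts above this hunk, outside the visible lines.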
|  | |||||||
| @ -1,2 +1,2 @@ | |||||||
| need_string_match('prefix4', '^%d+.%d+.%d+.%d+/%d+$', false) | need_string_match(in_domain('prefix4'), '^%d+.%d+.%d+.%d+/%d+$', false) | ||||||
| need_string_array_match('extra_prefixes6', '^[%x:]+/%d+$', false) | need_string_array_match(in_domain('extra_prefixes6'), '^[%x:]+/%d+$', false) | ||||||
|  | |||||||
| @ -1,8 +1,8 @@ | |||||||
| need_boolean('mesh_vpn.enabled', false) | need_boolean(in_site('mesh_vpn.enabled'), false) | ||||||
| need_number('mesh_vpn.mtu') | need_number('mesh_vpn.mtu') | ||||||
| 
 | 
 | ||||||
| if need_table('mesh_vpn.bandwidth_limit', nil, false) then | if need_table(in_site('mesh_vpn.bandwidth_limit'), nil, false) then | ||||||
| 	need_boolean('mesh_vpn.bandwidth_limit.enabled', false) | 	need_boolean(in_site('mesh_vpn.bandwidth_limit.enabled'), false) | ||||||
| 	need_number('mesh_vpn.bandwidth_limit.ingress', false) | 	need_number(in_site('mesh_vpn.bandwidth_limit.ingress'), false) | ||||||
| 	need_number('mesh_vpn.bandwidth_limit.egress', false) | 	need_number(in_site('mesh_vpn.bandwidth_limit.egress'), false) | ||||||
| end | end | ||||||
|  | |||||||
| @ -1,8 +1,8 @@ | |||||||
| local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'} | local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'} | ||||||
| need_array_of('mesh_vpn.fastd.methods', fastd_methods) | need_array_of('mesh_vpn.fastd.methods', fastd_methods) | ||||||
| need_boolean('mesh_vpn.fastd.configurable', false) | need_boolean(in_site('mesh_vpn.fastd.configurable'), false) | ||||||
| 
 | 
 | ||||||
| need_one_of('mesh_vpn.fastd.syslog_level', {'error', 'warn', 'info', 'verbose', 'debug', 'debug2'}, false) | need_one_of(in_site('mesh_vpn.fastd.syslog_level'), {'error', 'warn', 'info', 'verbose', 'debug', 'debug2'}, false) | ||||||
| 
 | 
 | ||||||
| local function check_peer(prefix) | local function check_peer(prefix) | ||||||
| 	return function(k, _) | 	return function(k, _) | ||||||
| @ -10,8 +10,8 @@ local function check_peer(prefix) | |||||||
| 
 | 
 | ||||||
| 		local table = string.format('%s[%q].', prefix, k) | 		local table = string.format('%s[%q].', prefix, k) | ||||||
| 
 | 
 | ||||||
| 		need_string_match(table .. 'key', '^%x+$') | 		need_string_match(in_domain(table .. 'key'), '^%x+$') | ||||||
| 		need_string_array(table .. 'remotes') | 		need_string_array(in_domain(table .. 'remotes')) | ||||||
| 	end | 	end | ||||||
| end | end | ||||||
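Review bot: `need_string_match(in_domain(table .. 'key'), '^%x+$')` in check_peer accepts a hex string of any length, so a truncated or over-long peer key passes the site check and is only caught, if at all, on the device. fastd public keys are 32 bytes as far as I know; if that holds, the fixed-length form already used for `domain_seed` fits: `need_string_match(in_domain(table .. 'key'), '^' .. ('%x'):rep(64) .. '$')`. Separately, the local named `table` shadows Lua's `table` library inside the closure; a name such as `peer_prefix` avoids that. `'null'` also stays an accepted entry of `fastd_methods` and `mesh_vpn.fastd.methods` is not restricted to the site config, so a comment beside the list saying that `null` provides no encryption would help whoever reviews a domain config. The middle of check_peer lies between the two hunks and is not visible.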
| 
 | 
 | ||||||
|  | |||||||
| @ -1 +1 @@ | |||||||
| need_string('roles.default', false) | need_string(in_site('roles.default'), false) | ||||||
|  | |||||||
| @ -1,2 +1 @@ | |||||||
| need_boolean('setup_mode.skip', false) | need_boolean(in_site('setup_mode.skip'), false) | ||||||
| 
 |  | ||||||
|  | |||||||
| @ -1,4 +1,4 @@ | |||||||
| if need_table('config_mode', nil, false) and need_table('config_mode.remote_login', nil, false) then | if need_table(in_site('config_mode'), nil, false) and need_table(in_site('config_mode.remote_login'), nil, false) then | ||||||
|   need_boolean('config_mode.remote_login.show_password_form', false) |   need_boolean(in_site('config_mode.remote_login.show_password_form'), false) | ||||||
|   need_number('config_mode.remote_login.min_password_length', false) |   need_number(in_site('config_mode.remote_login.min_password_length'), false) | ||||||
| end | end | ||||||
|  | |||||||
| @ -1,2 +1,2 @@ | |||||||
| assert(need_boolean('mesh_vpn.fastd.configurable') == true, | assert(need_boolean(in_site('mesh_vpn.fastd.configurable')) == true, | ||||||
|        "site.conf error: expected `mesh_vpn.fastd.configurable' to be true") |        "site.conf error: expected `mesh_vpn.fastd.configurable' to be true") | ||||||
|  | |||||||
| @ -1,2 +1,2 @@ | |||||||
| need_string 'roles.default' | need_string(in_site('roles.default')) | ||||||
| need_string_array 'roles.list' | need_string_array(in_site('roles.list')) | ||||||
|  | |||||||