treewide: forbid use of selected site variables in domain specific or site configs
[Matthias schiffer: rebase, add a few more restrictions]
This commit is contained in:
parent
8d8d4fa0c3
commit
50812b162c
@ -1 +1 @@
|
||||
need_string_array 'authorized_keys'
|
||||
need_string_array(in_site('authorized_keys'))
|
||||
|
@ -1,14 +1,14 @@
|
||||
need_string 'autoupdater.branch'
|
||||
need_string(in_site('autoupdater.branch'))
|
||||
|
||||
local function check_branch(k, _)
|
||||
assert_uci_name(k)
|
||||
|
||||
local prefix = string.format('autoupdater.branches[%q].', k)
|
||||
|
||||
need_string(prefix .. 'name')
|
||||
need_string(in_site(prefix .. 'name'))
|
||||
need_string_array_match(prefix .. 'mirrors', '^http://')
|
||||
need_number(prefix .. 'good_signatures')
|
||||
need_string_array_match(prefix .. 'pubkeys', '^%x+$')
|
||||
need_number(in_site(prefix .. 'good_signatures'))
|
||||
need_string_array_match(in_site(prefix .. 'pubkeys'), '^%x+$')
|
||||
end
|
||||
|
||||
need_table('autoupdater.branches', check_branch)
|
||||
|
@ -1,15 +1,15 @@
|
||||
need_string_match('next_node.mac', '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$', false)
|
||||
need_string_match(in_domain('next_node.mac'), '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$', false)
|
||||
|
||||
if need_string_match('next_node.ip4', '^%d+.%d+.%d+.%d+$', false) then
|
||||
need_string_match('prefix4', '^%d+.%d+.%d+.%d+/%d+$')
|
||||
if need_string_match(in_domain('next_node.ip4'), '^%d+.%d+.%d+.%d+$', false) then
|
||||
need_string_match(in_domain('prefix4'), '^%d+.%d+.%d+.%d+/%d+$')
|
||||
end
|
||||
|
||||
need_string_match('next_node.ip6', '^[%x:]+$', false)
|
||||
need_string_match(in_domain('next_node.ip6'), '^[%x:]+$', false)
|
||||
|
||||
|
||||
for _, config in ipairs({'wifi24', 'wifi5'}) do
|
||||
if need_table(config .. '.ap', nil, false) then
|
||||
need_string(config .. '.ap.ssid')
|
||||
need_string(in_domain(config .. '.ap.ssid'))
|
||||
need_boolean(config .. '.ap.disabled', false)
|
||||
end
|
||||
end
|
||||
|
@ -1,3 +1,3 @@
|
||||
if need_table('config_mode', nil, false) and need_table('config_mode.owner', nil, false) then
|
||||
need_boolean('config_mode.owner.obligatory', false)
|
||||
if need_table(in_site('config_mode'), nil, false) and need_table(in_site('config_mode.owner'), nil, false) then
|
||||
need_boolean(in_site('config_mode.owner.obligatory'), false)
|
||||
end
|
||||
|
@ -1,3 +1,3 @@
|
||||
if need_table('config_mode', nil, false) and need_table('config_mode.geo_location', nil, false) then
|
||||
need_boolean('config_mode.geo_location.show_altitude', false)
|
||||
if need_table(in_site('config_mode'), nil, false) and need_table(in_site('config_mode.geo_location'), nil, false) then
|
||||
need_boolean(in_site('config_mode.geo_location.show_altitude'), false)
|
||||
end
|
||||
|
@ -1,6 +1,6 @@
|
||||
need_string 'site_code'
|
||||
need_string 'site_name'
|
||||
need_string_match('domain_seed', '^' .. ('%x'):rep(64) .. '$')
|
||||
need_string(in_site('site_code'))
|
||||
need_string(in_site('site_name'))
|
||||
need_string_match(in_domain('domain_seed'), '^' .. ('%x'):rep(64) .. '$')
|
||||
|
||||
if need_table('opkg', nil, false) then
|
||||
need_string('opkg.lede', false)
|
||||
@ -9,28 +9,29 @@ if need_table('opkg', nil, false) then
|
||||
-- this is not actually a uci name, but using the same naming rules here is fine
|
||||
assert_uci_name(k)
|
||||
|
||||
need_string(string.format('opkg.extra[%q]', k))
|
||||
local path = string.format('opkg.extra[%q]', k)
|
||||
need_string(path)
|
||||
end
|
||||
|
||||
need_table('opkg.extra', check_repo, false)
|
||||
end
|
||||
|
||||
need_string('hostname_prefix', false)
|
||||
need_string 'timezone'
|
||||
need_string(in_site('hostname_prefix'), false)
|
||||
need_string(in_site('timezone'))
|
||||
|
||||
need_string_array('ntp_servers', false)
|
||||
|
||||
need_string_match('prefix6', '^[%x:]+/64$')
|
||||
need_string_match(in_domain('prefix6'), '^[%x:]+/64$')
|
||||
|
||||
|
||||
for _, config in ipairs({'wifi24', 'wifi5'}) do
|
||||
if need_table(config, nil, false) then
|
||||
need_string('regdom') -- regdom is only required when wifi24 or wifi5 is configured
|
||||
need_string(in_site('regdom')) -- regdom is only required when wifi24 or wifi5 is configured
|
||||
|
||||
need_number(config .. '.channel')
|
||||
|
||||
local rates = {1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, 54000}
|
||||
local supported_rates = need_array_of(config .. '.supported_rates', rates, false)
|
||||
local supported_rates = need_array_of(in_site(config .. '.supported_rates'), rates, false)
|
||||
if supported_rates then
|
||||
need_array_of(config .. '.basic_rate', supported_rates, true)
|
||||
else
|
||||
@ -39,36 +40,36 @@ for _, config in ipairs({'wifi24', 'wifi5'}) do
|
||||
end
|
||||
end
|
||||
|
||||
need_boolean('poe_passthrough', false)
|
||||
need_boolean(in_site('poe_passthrough'), false)
|
||||
if need_table('dns', nil, false) then
|
||||
need_number('dns.cacheentries', false)
|
||||
need_string_array_match('dns.servers', '^[%x:]+$', true)
|
||||
end
|
||||
|
||||
if need_table('next_node', nil, false) then
|
||||
need_string_match('next_node.ip6', '^[%x:]+$', false)
|
||||
need_string_match('next_node.ip4', '^%d+.%d+.%d+.%d+$', false)
|
||||
need_string_match(in_domain('next_node.ip6'), '^[%x:]+$', false)
|
||||
need_string_match(in_domain('next_node.ip4'), '^%d+.%d+.%d+.%d+$', false)
|
||||
end
|
||||
|
||||
for _, config in ipairs({'wifi24', 'wifi5'}) do
|
||||
local rates = {1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, 54000}
|
||||
rates = need_array_of(config .. '.supported_rates', rates, false) or rates
|
||||
rates = need_array_of(in_site(config .. '.supported_rates'), rates, false) or rates
|
||||
|
||||
if need_table(config .. '.ibss', nil, false) then
|
||||
need_string(config .. '.ibss.ssid')
|
||||
need_string_match(config .. '.ibss.bssid', '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$')
|
||||
need_string(in_domain(config .. '.ibss.ssid'))
|
||||
need_string_match(in_domain(config .. '.ibss.bssid'), '^%x[02468aAcCeE]:%x%x:%x%x:%x%x:%x%x:%x%x$')
|
||||
need_one_of(config .. '.ibss.mcast_rate', rates, false)
|
||||
need_number(config .. '.ibss.vlan', false)
|
||||
need_boolean(config .. '.ibss.disabled', false)
|
||||
end
|
||||
|
||||
if need_table(config .. '.mesh', nil, false) then
|
||||
need_string(config .. '.mesh.id')
|
||||
need_string(in_domain(config .. '.mesh.id'))
|
||||
need_one_of(config .. '.mesh.mcast_rate', rates, false)
|
||||
need_boolean(config .. '.mesh.disabled', false)
|
||||
end
|
||||
end
|
||||
|
||||
need_boolean('mesh_on_wan', false)
|
||||
need_boolean('mesh_on_lan', false)
|
||||
need_boolean('single_as_lan', false)
|
||||
need_boolean(in_site('mesh_on_wan'), false)
|
||||
need_boolean(in_site('mesh_on_lan'), false)
|
||||
need_boolean(in_site('single_as_lan'), false)
|
||||
|
@ -1,2 +1,2 @@
|
||||
need_string_match('prefix4', '^%d+.%d+.%d+.%d+/%d+$', false)
|
||||
need_string_array_match('extra_prefixes6', '^[%x:]+/%d+$', false)
|
||||
need_string_match(in_domain('prefix4'), '^%d+.%d+.%d+.%d+/%d+$', false)
|
||||
need_string_array_match(in_domain('extra_prefixes6'), '^[%x:]+/%d+$', false)
|
||||
|
@ -1,8 +1,8 @@
|
||||
need_boolean('mesh_vpn.enabled', false)
|
||||
need_boolean(in_site('mesh_vpn.enabled'), false)
|
||||
need_number('mesh_vpn.mtu')
|
||||
|
||||
if need_table('mesh_vpn.bandwidth_limit', nil, false) then
|
||||
need_boolean('mesh_vpn.bandwidth_limit.enabled', false)
|
||||
need_number('mesh_vpn.bandwidth_limit.ingress', false)
|
||||
need_number('mesh_vpn.bandwidth_limit.egress', false)
|
||||
if need_table(in_site('mesh_vpn.bandwidth_limit'), nil, false) then
|
||||
need_boolean(in_site('mesh_vpn.bandwidth_limit.enabled'), false)
|
||||
need_number(in_site('mesh_vpn.bandwidth_limit.ingress'), false)
|
||||
need_number(in_site('mesh_vpn.bandwidth_limit.egress'), false)
|
||||
end
|
||||
|
@ -1,8 +1,8 @@
|
||||
local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'}
|
||||
need_array_of('mesh_vpn.fastd.methods', fastd_methods)
|
||||
need_boolean('mesh_vpn.fastd.configurable', false)
|
||||
need_boolean(in_site('mesh_vpn.fastd.configurable'), false)
|
||||
|
||||
need_one_of('mesh_vpn.fastd.syslog_level', {'error', 'warn', 'info', 'verbose', 'debug', 'debug2'}, false)
|
||||
need_one_of(in_site('mesh_vpn.fastd.syslog_level'), {'error', 'warn', 'info', 'verbose', 'debug', 'debug2'}, false)
|
||||
|
||||
local function check_peer(prefix)
|
||||
return function(k, _)
|
||||
@ -10,8 +10,8 @@ local function check_peer(prefix)
|
||||
|
||||
local table = string.format('%s[%q].', prefix, k)
|
||||
|
||||
need_string_match(table .. 'key', '^%x+$')
|
||||
need_string_array(table .. 'remotes')
|
||||
need_string_match(in_domain(table .. 'key'), '^%x+$')
|
||||
need_string_array(in_domain(table .. 'remotes'))
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -1 +1 @@
|
||||
need_string('roles.default', false)
|
||||
need_string(in_site('roles.default'), false)
|
||||
|
@ -1,2 +1 @@
|
||||
need_boolean('setup_mode.skip', false)
|
||||
|
||||
need_boolean(in_site('setup_mode.skip'), false)
|
||||
|
@ -1,4 +1,4 @@
|
||||
if need_table('config_mode', nil, false) and need_table('config_mode.remote_login', nil, false) then
|
||||
need_boolean('config_mode.remote_login.show_password_form', false)
|
||||
need_number('config_mode.remote_login.min_password_length', false)
|
||||
if need_table(in_site('config_mode'), nil, false) and need_table(in_site('config_mode.remote_login'), nil, false) then
|
||||
need_boolean(in_site('config_mode.remote_login.show_password_form'), false)
|
||||
need_number(in_site('config_mode.remote_login.min_password_length'), false)
|
||||
end
|
||||
|
@ -1,2 +1,2 @@
|
||||
assert(need_boolean('mesh_vpn.fastd.configurable') == true,
|
||||
assert(need_boolean(in_site('mesh_vpn.fastd.configurable')) == true,
|
||||
"site.conf error: expected `mesh_vpn.fastd.configurable' to be true")
|
||||
|
@ -1,2 +1,2 @@
|
||||
need_string 'roles.default'
|
||||
need_string_array 'roles.list'
|
||||
need_string(in_site('roles.default'))
|
||||
need_string_array(in_site('roles.list'))
|
||||
|
Loading…
Reference in New Issue
Block a user