[pmg-devel] [PATCH pmg-api v2] add pmg_verify_tls_policy_strict and use it in API

Stoiko Ivanov s.ivanov at proxmox.com
Thu Sep 27 18:38:13 CEST 2018


This patch splits the parsing of tls_policies in 2 parts:
While reading we just require a line to start with one of the valid tls_policies,
while writing we only accept one of the policies w/o any attributes.
This should help users, who already have a manually crafted file in place, to
use API-calls for adding/modifying entries.

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
changes from v1:
* require word-boundary (\b) after $VALID_TLS_POLICY_RE when reading the
tls_policy file

PMG/API2/DestinationTLSPolicy.pm |  9 ++++++++-
 PMG/Config.pm                    | 16 ++++++++++++----
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/PMG/API2/DestinationTLSPolicy.pm b/PMG/API2/DestinationTLSPolicy.pm
index 4c1ab56..ecb5a8f 100644
--- a/PMG/API2/DestinationTLSPolicy.pm
+++ b/PMG/API2/DestinationTLSPolicy.pm
@@ -71,6 +71,10 @@ __PACKAGE__->register_method ({
     code => sub {
 	my ($param) = @_;
 	my $domain = $param->{domain};
+	my $policy = PMG::Config::pmg_verify_tls_policy_strict($param->{policy});
+
+	raise_param_exc({ policy => "$param->{policy} is not a valid TLSPolicy" })
+	    if ! defined($policy);
 
 	my $code = sub {
 	    my $tls_policy = PVE::INotify::read_file('tls_policy');
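Review bot: The strict check is enforced by hand inside this handler and again in the second hunk, while the `tls-policy` schema format registered in PMG/Config.pm is loosened by the same patch to accept any value that merely starts with a policy name. Any other parameter declared with that format would therefore reach its handler without the strict check. Registering the strict verifier as its own format and using it in the parameter schema of both methods would keep write-side validation in one place. The handler body continues outside the hunk, so it is not visible whether the value written to the file is the checked `$policy` or still `$param->{policy}`; it should be `$policy`.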
@@ -152,7 +156,10 @@ __PACKAGE__->register_method ({
     code => sub {
 	my ($param) = @_;
 	my $domain = $param->{domain};
-	my $policy = $param->{policy};
+	my $policy = PMG::Config::pmg_verify_tls_policy_strict($param->{policy});
+
+	raise_param_exc({ policy => "$param->{policy} is not a valid TLSPolicy" })
+	    if ! defined($policy);
 
 	my $code = sub {
 
diff --git a/PMG/Config.pm b/PMG/Config.pm
index 2667db6..a3fa4ac 100755
--- a/PMG/Config.pm
+++ b/PMG/Config.pm
@@ -947,19 +947,27 @@ PVE::INotify::register_file('mynetworks', $mynetworks_filename,
 PVE::JSONSchema::register_format(
     'tls-policy', \&pmg_verify_tls_policy);
 
+# TODO: extend to parse attributes of the policy
+my $VALID_TLS_POLICY_RE = qr/none|may|encrypt|dane|dane-only|fingerprint|verify|secure/;
 sub pmg_verify_tls_policy {
     my ($policy, $noerr) = @_;
 
-    # TODO: extend to parse attributes of the policy
-    my $valid_policy = qr/none|may|encrypt|dane|dane-only|fingerprint|verify|secure/;
-
-    if ($policy !~ /^${valid_policy}$/) {
+    if ($policy !~ /^$VALID_TLS_POLICY_RE\b/) {
 	   return undef if $noerr;
 	   die "value '$policy' does not look like a valid tls policy\n";
     }
     return $policy;
 }
 
+sub pmg_verify_tls_policy_strict {
+    my ($policy) = @_;
+
+    return $policy
+	if ($policy =~ /^$VALID_TLS_POLICY_RE$/);
+
+    return undef;
+}
+
 sub read_tls_policy {
     my ($filename, $fh) = @_;
 
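Review bot: `pmg_verify_tls_policy_strict` anchors with `$`, which in Perl also matches before a final newline, so a policy name followed by "\n" is returned unchanged and handed to the code that writes the tls_policy file. Anchoring on the absolute string end avoids that: `if ($policy =~ /\A$VALID_TLS_POLICY_RE\z/);`. In `pmg_verify_tls_policy` the new `\b` is satisfied by any non-word character, so on read values like `dane-foo` or `none.x` are accepted as well as `policy attribute=...`; `/\A$VALID_TLS_POLICY_RE(?=\s|\z)/` would limit it to a policy followed by whitespace or the end. Both functions also match against `$policy` without a `defined` check, which only warns today but is worth guarding in the strict variant since the API handlers call it directly.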
-- 
2.11.0



