Merge branch 'dev' into ui

bunkerity · Dec 20, 2023 · 63a9000 · 63a9000
2 parents 20c2f4f + 5c10eae
commit 63a9000
Show file tree

Hide file tree

Showing 17 changed files with 92 additions and 120 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -35,12 +35,12 @@ jobs:
           python -m pip install --no-cache-dir --require-hashes -r src/common/db/requirements.txt
           echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@305f6546310b9203e892c28c1484e82977f4f63d # v2.22.10
+        uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql.yml
           setup-python-dependencies: false
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@305f6546310b9203e892c28c1484e82977f4f63d # v2.22.10
+        uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -84,7 +84,7 @@ jobs:
       # Compute metadata
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0
+        uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e # v5.4.0
         with:
           images: bunkerity/${{ inputs.IMAGE }}
       # Build cached image
@@ -115,7 +115,7 @@ jobs:
       # Check OS vulnerabilities
       - name: Check OS vulnerabilities
         if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
-        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 # master
+        uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # master
         with:
           vuln-type: os
           skip-dirs: /root/.cargo

diff --git a/.github/workflows/doc-to-pdf.yml b/.github/workflows/doc-to-pdf.yml
@@ -32,7 +32,7 @@ jobs:
         run: mkdocs serve & sleep 10
       - name: Run pdf script
         run: node docs/misc/pdf.js http://localhost:8000/print_page/ BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf 'BunkerWeb documentation v${{ inputs.VERSION }}'
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
           path: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
diff --git a/.github/workflows/linux-build.yml b/.github/workflows/linux-build.yml
@@ -127,15 +127,15 @@ jobs:
           scp -r root@arm:/root/package-${{ inputs.LINUX }} ./package-${{ inputs.LINUX }}
         env:
           LARCH: ${{ env.LARCH }}
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: package-${{ inputs.LINUX }}-${{ env.LARCH }}
           path: package-${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
       # Build test image
       - name: Extract metadata
         if: inputs.TEST == true
         id: meta
-        uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0
+        uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e # v5.4.0
         with:
           images: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
       - name: Build test image

diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml
@@ -63,7 +63,7 @@ jobs:
       # Compute metadata
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0
+        uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e # v5.4.0
         with:
           images: bunkerity/${{ inputs.IMAGE }}
       # Build and push

diff --git a/.github/workflows/push-github.yml b/.github/workflows/push-github.yml
@@ -19,7 +19,7 @@ jobs:
       # Get PDF doc
       - name: Get documentation
         if: inputs.VERSION != 'testing'
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
         with:
           name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
       # Create tag

diff --git a/.github/workflows/push-packagecloud.yml b/.github/workflows/push-packagecloud.yml
@@ -48,12 +48,12 @@ jobs:
       - name: Install packagecloud
         run: gem install package_cloud
       # Download packages
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
         if: inputs.LINUX != 'el'
         with:
           name: package-${{ inputs.LINUX }}-${{ inputs.PACKAGE_ARCH }}
           path: /tmp/${{ inputs.LINUX }}
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
         if: inputs.LINUX == 'el'
         with:
           name: package-rhel-${{ inputs.PACKAGE_ARCH }}

diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
@@ -25,6 +25,6 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: "Upload SARIF results to code scanning"
-        uses: github/codeql-action/upload-sarif@305f6546310b9203e892c28c1484e82977f4f63d # v2.22.10
+        uses: github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/staging-create-infra.yml b/.github/workflows/staging-create-infra.yml
@@ -55,7 +55,7 @@ jobs:
         if: always()
         env:
           SECRET_KEY: ${{ secrets.SECRET_KEY }}
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         if: always()
         with:
           name: tf-${{ inputs.TYPE }}

diff --git a/.github/workflows/staging-delete-infra.yml b/.github/workflows/staging-delete-infra.yml
@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Install terraform
         uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
         with:
           name: tf-${{ inputs.TYPE }}
           path: /tmp

diff --git a/.github/workflows/staging-tests.yml b/.github/workflows/staging-tests.yml
@@ -43,7 +43,7 @@ jobs:
         if: inputs.TYPE == 'swarm'
       - name: Install test dependencies
         run: pip3 install --no-cache-dir --require-hashes --no-deps -r tests/requirements.txt
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
         with:
           name: tf-k8s
           path: /tmp

diff --git a/src/bw/lua/bunkerweb/plugin.lua b/src/bw/lua/bunkerweb/plugin.lua
@@ -13,7 +13,6 @@ function plugin:initialize(id, ctx)
 	local current_phase = ngx.get_phase()
 	for _, check_phase in ipairs {
 		"set",
-		"ssl_certificate",
 		"access",
 		"content",
 		"header_filter",

diff --git a/src/common/confs/server-http/ssl-certificate-lua.conf b/src/common/confs/server-http/ssl-certificate-lua.conf
@@ -8,29 +8,11 @@ ssl_certificate_by_lua_block {
 	local cjson         = require "cjson"
 	local ssl			= require "ngx.ssl"
 
-	-- Don't process internal requests
-	local logger        = clogger:new("SSL-CERTIFICATE")
-	if ngx.req.is_internal() then
-		logger:log(ngx.INFO, "skipped ssl_certificate phase because request is internal")
-		return true
-	end
-
-	-- Start access phase
+	-- Start ssl_certificate phase
+	local logger    = clogger:new("SSL-CERTIFICATE")
 	local datastore = cdatastore:new()
 	logger:log(ngx.INFO, "ssl_certificate phase started")
 
-	-- Fill ctx
-	logger:log(ngx.INFO, "filling ngx.ctx ...")
-	local ok, ret, errors, ctx = helpers.fill_ctx()
-	if not ok then
-		logger:log(ngx.ERR, "fill_ctx() failed : " .. ret)
-	elseif errors then
-		for i, error in ipairs(errors) do
-			logger:log(ngx.ERR, "fill_ctx() error " .. tostring(i) .. " : " .. error)
-		end
-	end
-	logger:log(ngx.INFO, "ngx.ctx filled (ret = " .. ret .. ")")
-
 	-- Get plugins order
 	local order, err = datastore:get("plugins_order", true)
 	if not order then
@@ -48,10 +30,10 @@ ssl_certificate_by_lua_block {
 		elseif plugin_lua == nil then
 			logger:log(ngx.INFO, err)
 		else
-			-- Check if plugin has access method
+			-- Check if plugin has ssl_certificate method
 			if plugin_lua.ssl_certificate ~= nil then
 				-- New call
-				local ok, plugin_obj = helpers.new_plugin(plugin_lua, ctx)
+				local ok, plugin_obj = helpers.new_plugin(plugin_lua)
 				if not ok then
 					logger:log(ngx.ERR, plugin_obj)
 				else
@@ -85,9 +67,6 @@ ssl_certificate_by_lua_block {
 	end
 	logger:log(ngx.INFO, "called ssl_certificate() methods of plugins")
 
-	-- Save ctx
-	ngx.ctx = ctx
-
 	logger:log(ngx.INFO, "ssl_certificate phase ended")
 
 	return true

diff --git a/src/common/core/customcert/customcert.lua b/src/common/core/customcert/customcert.lua
@@ -11,9 +11,9 @@ function customcert:initialize(ctx)
 end
 
 function customcert:init()
-	local ok, err = true, "success"
+	local ret_ok, ret_err = true, "success"
     if utils.has_variable("USE_CUSTOM_SSL", "yes") then
-		local multisite, err = utils.get_variable("MULTISITE")
+		local multisite, err = utils.get_variable("MULTISITE", false)
 		if not multisite then
 			return self:ret(false, "can't get MULTISITE variable : " .. err)
 		end
@@ -26,64 +26,68 @@ function customcert:init()
 				local check, data = self:read_files()
 				if not check then
 					self.logger:log(ngx.ERR, "error while reading files : " .. err)
-					ok = false
-					err = "error reading files"
+					ret_ok = false
+					ret_err = "error reading files"
 				else
 					local check, err = self:load_data(data)
 					if not check then
 						self.logger:log(ngx.ERR, "error while loading data : " .. err)
-						ok = false
-						err = "error loading data"
+						ret_ok = false
+						ret_err = "error loading data"
 					end
 				end
 			end
 			for server_name, multisite_vars in pairs(vars) do
 				if multisite_vars["USE_CUSTOM_SSL"] == "yes" then
 					local check, data = self:read_files(server_name)
 					if not check then
-						self.logger:log(ngx.ERR, "error while reading files : " .. err)
-						ok = false
-						err = "error reading files"
+						self.logger:log(ngx.ERR, "error while reading files : " .. data)
+						ret_ok = false
+						ret_err = "error reading files"
 					else
 						local check, err = self:load_data(data, server_name)
 						if not check then
 							self.logger:log(ngx.ERR, "error while loading data : " .. err)
-							ok = false
-							err = "error loading data"
+							ret_ok = false
+							ret_err = "error loading data"
 						end
 					end
 				end
 			end
 		else
 			local check, data = self:read_files()
 			if not check then
-				self.logger:log(ngx.ERR, "error while reading files : " .. err)
-				ok = false
-				err = "error reading files"
+				self.logger:log(ngx.ERR, "error while reading files : " .. data)
+				ret_ok = false
+				ret_err = "error reading files"
 			else
 				local check, err = self:load_data(data)
 				if not check then
 					self.logger:log(ngx.ERR, "error while loading data : " .. err)
-					ok = false
-					err = "error loading data"
+					ret_ok = false
+					ret_err = "error loading data"
 				end
 			end
 		end
 	else
-		err = "custom ssl is not used"
+		ret_err = "custom ssl is not used"
     end
-	return self:ret(ok, err)
+	return self:ret(ret_ok, ret_err)
 end
 
 function customcert:ssl_certificate()
+	local server_name, err = ssl.server_name()
+	if not server_name then
+		return self:ret(false, "can't get server_name : " .. err)
+	end
     if self.variables["USE_CUSTOM_SSL"] == "yes" then
 		local global_data, err = self.datastore:get("plugin_customcert_global", true)
 		if not global_data and err ~= "not found" then
 			return self:ret(false, "error while getting plugin_customcert_global from datastore : " .. err)
 		end
-		local site_data, err = self.datastore:get("plugin_customcert_" .. self.ctx.bw.server_name, true)
+		local site_data, err = self.datastore:get("plugin_customcert_" .. server_name, true)
 		if not site_data and err ~= "not found" then
-			return self:ret(false, "error while getting plugin_customcert_" .. self.ctx.bw.server_name .. " from datastore : " .. err)
+			return self:ret(false, "error while getting plugin_customcert_" .. server_name .. " from datastore : " .. err)
 		end
 		if not global_data and not site_data then
 			return self:ret(false, "both global and site cert are not present in datastore")
@@ -117,7 +121,7 @@ function customcert:load_data(data, server_name)
 		return false, "error while parsing pem cert : " .. err
 	end
 	-- Load key
-	local priv_key, err = ssl.parse_priv_key(data[2])
+	local priv_key, err = ssl.parse_pem_priv_key(data[2])
 	if not priv_key then
 		return false, "error while parsing pem priv key : " .. err
 	end

diff --git a/src/common/core/customcert/jobs/custom-cert.py b/src/common/core/customcert/jobs/custom-cert.py
@@ -104,24 +104,14 @@ def check_cert(cert_path: str, key_path: str, first_server: Optional[str] = None
         key_data = b64decode(getenv("CUSTOM_SSL_KEY_DATA", ""))
         for file, data in [("cert.pem", cert_data), ("key.pem", key_data)]:
             if data != b"":
-                file_path = Path(
-                    sep,
-                    "var",
-                    "tmp",
-                    "bunkerweb",
-                    "customcert",
-                    file
-                )
+                file_path = Path(sep, "var", "tmp", "bunkerweb", "customcert", file)
                 file_path.parent.mkdir(parents=True, exist_ok=True)
                 file_path.write_bytes(data)
                 if file == "cert.pem":
                     cert_path = str(file_path)
                 else:
                     key_path = str(file_path)
 
-        if cert_data != b"":
-            with open()
-
         if cert_path and key_path:
             logger.info(f"Checking certificate {cert_path} ...")
             need_reload = check_cert(cert_path, key_path)
@@ -151,15 +141,7 @@ def check_cert(cert_path: str, key_path: str, first_server: Optional[str] = None
             key_data = b64decode(getenv(f"{first_server}_CUSTOM_SSL_KEY_DATA", ""))
             for file, data in [("cert.pem", cert_data), ("key.pem", key_data)]:
                 if data != b"":
-                    file_path = Path(
-                        sep,
-                        "var",
-                        "tmp",
-                        "bunkerweb",
-                        "customcert",
-                        server_name,
-                        file
-                    )
+                    file_path = Path(sep, "var", "tmp", "bunkerweb", "customcert", server_name, file)
                     file_path.parent.mkdir(parents=True, exist_ok=True)
                     file_path.write_bytes(data)
                     if file == "cert.pem":