Security: Refactor certs path config #98

Signed-off-by: Michael Mayer <michael@photoprism.app>
Michael Mayer 2022-10-12 15:33:35 +02:00
parent fc58c4a875
commit 265fdd0dd3
6 changed files with 24 additions and 23 deletions


@ -125,10 +125,10 @@ func (c *Config) CreateDirectories() error {
return createError(c.ConfigPath(), err)
}
if c.CertsConfigPath() == "" {
return notFoundError("certs config")
} else if err := os.MkdirAll(c.CertsConfigPath(), os.ModePerm); err != nil {
return createError(c.CertsConfigPath(), err)
if c.CertsPath() == "" {
return notFoundError("certs")
} else if err := os.MkdirAll(c.CertsPath(), os.ModePerm); err != nil {
return createError(c.CertsPath(), err)
}
if c.TempPath() == "" {
@ -193,11 +193,6 @@ func (c *Config) ConfigPath() string {
return fs.Abs(c.options.ConfigPath)
}
// CertsConfigPath returns the certificate config path
func (c *Config) CertsConfigPath() string {
return filepath.Join(c.ConfigPath(), "certs")
}
// OptionsYaml returns the config options YAML filename.
func (c *Config) OptionsYaml() string {
return filepath.Join(c.ConfigPath(), "options.yml")
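Review bot: The certs directory is still created with `os.ModePerm` at `os.MkdirAll(c.CertsPath(), os.ModePerm)` in CreateDirectories, which requests 0777 and leaves the effective mode to the process umask, although this is the directory in which TLSKey/TLSCert resolve private key files and which the server-side AutoTLS change in this commit appears to hand to the autocert manager. Key material should not be group- or world-readable by default, and only this process needs to read it, so `os.MkdirAll(c.CertsPath(), 0700)` is the appropriate mode for this one path. The other directories created in this function keep `os.ModePerm`, so a follow-up could distinguish the key directory from ordinary data paths rather than changing all of them. CreateDirectories starts and ends outside the hunk.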


@ -88,15 +88,6 @@ func TestConfig_TempPath(t *testing.T) {
}
}
func TestConfig_CertsConfigPath(t *testing.T) {
c := NewConfig(CliTestContext())
if dir := c.CertsConfigPath(); dir == "" {
t.Fatal("cert config path is empty")
} else if !strings.HasPrefix(dir, c.ConfigPath()) {
t.Fatalf("unexpected cert config path: %s", dir)
}
}
func TestConfig_CmdCachePath(t *testing.T) {
c := NewConfig(CliTestContext())
if dir := c.CmdCachePath(); dir == "" {


@ -7,6 +7,11 @@ import (
"github.com/photoprism/photoprism/pkg/fs"
)
// CertsPath returns the path to the TLS certificates and keys.
func (c *Config) CertsPath() string {
return filepath.Join(c.ConfigPath(), "certs")
}
// AutoTLS returns the email address for enabling automatic HTTPS via Let's Encrypt.
func (c *Config) AutoTLS() string {
return clean.Email(c.options.AutoTLS)
@ -18,7 +23,7 @@ func (c *Config) TLSKey() string {
return ""
} else if fs.FileExistsNotEmpty(c.options.TLSKey) {
return c.options.TLSKey
} else if fileName := filepath.Join(c.CertsConfigPath(), c.options.TLSKey); fs.FileExistsNotEmpty(fileName) {
} else if fileName := filepath.Join(c.CertsPath(), c.options.TLSKey); fs.FileExistsNotEmpty(fileName) {
return fileName
}
@ -31,7 +36,7 @@ func (c *Config) TLSCert() string {
return ""
} else if fs.FileExistsNotEmpty(c.options.TLSCert) {
return c.options.TLSCert
} else if fileName := filepath.Join(c.CertsConfigPath(), c.options.TLSCert); fs.FileExistsNotEmpty(fileName) {
} else if fileName := filepath.Join(c.CertsPath(), c.options.TLSCert); fs.FileExistsNotEmpty(fileName) {
return fileName
}
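Review bot: TLSKey and TLSCert now carry the same three-step resolution (empty → "", absolute or cwd-relative file → as given, otherwise joined under CertsPath), differing only in which option they read; the two hunks in this file are the second place this commit had to change both in lockstep. A private helper on Config taking the option value would keep the lookup order in one spot and make the new CertsPath doc comment the single place that explains where relative names are resolved. The guard before the first `return ""` and the fall-through after the chain are outside both hunks, so the sketch below assumes they are the empty-value check and a final `return ""`; adjust if either function does more than that.
```go
// certFile returns name when it is an existing, non-empty file, else the same
// name resolved under CertsPath when that file exists; "" when neither does.
func (c *Config) certFile(name string) string {
	if name == "" {
		return ""
	}
	if fs.FileExistsNotEmpty(name) {
		return name
	}
	if fileName := filepath.Join(c.CertsPath(), name); fs.FileExistsNotEmpty(fileName) {
		return fileName
	}
	return ""
}

// … unchanged: AutoTLS …

// TLSKey returns the private key file name, resolved via certFile.
func (c *Config) TLSKey() string {
	return c.certFile(c.options.TLSKey)
}

// TLSCert returns the certificate file name, resolved via certFile.
func (c *Config) TLSCert() string {
	return c.certFile(c.options.TLSCert)
}
```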


@ -1,11 +1,21 @@
package config
import (
"strings"
"testing"
"github.com/stretchr/testify/assert"
)
func TestConfig_CertsPath(t *testing.T) {
c := NewConfig(CliTestContext())
if dir := c.CertsPath(); dir == "" {
t.Fatal("certs path is empty")
} else if !strings.HasPrefix(dir, c.ConfigPath()) {
t.Fatalf("unexpected certs path: %s", dir)
}
}
func TestConfig_AutoTLS(t *testing.T) {
c := NewConfig(CliTestContext())
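Review bot: The `strings.HasPrefix(dir, c.ConfigPath())` check in TestConfig_CertsPath accepts any directory whose name merely begins with the config path, including a sibling such as `<config>-other`, so it does not pin the location CertsPath is defined to return in this commit. Since CertsPath is a fixed join, compare against it directly: `if want := filepath.Join(c.ConfigPath(), "certs"); dir != want { t.Fatalf("certs path %q, want %q", dir, want) }`, adding `"path/filepath"` to the import block. Whether the `assert` import shown as context is still used by the tests below the hunk is not visible here; if it is not, `goimports` will drop it.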


@ -35,6 +35,7 @@ func (c *Config) Report() (rows [][]string, cols []string) {
// Config.
{"config-path", c.ConfigPath()},
{"certs-path", c.CertsPath()},
{"options-yaml", c.OptionsYaml()},
{"defaults-yaml", c.DefaultsYaml()},
{"settings-yaml", c.SettingsYaml()},
@ -50,7 +51,6 @@ func (c *Config) Report() (rows [][]string, cols []string) {
{"albums-path", c.AlbumsPath()},
{"backup-path", c.BackupPath()},
{"cache-path", c.CachePath()},
{"cert-cache-path", c.CertsConfigPath()},
{"cmd-cache-path", c.CmdCachePath()},
{"thumb-cache-path", c.ThumbCachePath()},
{"import-path", c.ImportPath()},


@ -20,8 +20,8 @@ func AutoTLS(conf *config.Config) (*autocert.Manager, error) {
return nil, fmt.Errorf("no fully qualified site domain")
} else if tlsEmail = conf.AutoTLS(); tlsEmail == "" {
return nil, fmt.Errorf("automatic tls disabled")
} else if certDir = conf.CertsConfigPath(); certDir == "" {
return nil, fmt.Errorf("https certificate cache directory is missing")
} else if certDir = conf.CertsPath(); certDir == "" {
return nil, fmt.Errorf("certs path not found")
}
// Create Let's Encrypt cert manager.
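Review bot: The new error text `certs path not found` at the `certDir = conf.CertsPath()` branch reads as a lookup failure, but the condition only tests whether the returned string is empty; the directory's existence or writability is not checked here (CreateDirectories, in the first file of this commit, is what creates it). A message that matches the check avoids sending an operator to look for a missing directory: `return nil, fmt.Errorf("certs path not configured")`. AutoTLS continues beyond the hunk, where certDir is presumably passed to the autocert cache.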