Security: Refactor certs path config #98

Signed-off-by: Michael Mayer <michael@photoprism.app>
Michael Mayer 2022-10-12 15:33:35 +02:00
parent fc58c4a875
commit 265fdd0dd3
6 changed files with 24 additions and 23 deletions


@ -125,10 +125,10 @@ func (c *Config) CreateDirectories() error {
return createError(c.ConfigPath(), err) return createError(c.ConfigPath(), err)
} }
if c.CertsConfigPath() == "" { if c.CertsPath() == "" {
return notFoundError("certs config") return notFoundError("certs")
} else if err := os.MkdirAll(c.CertsConfigPath(), os.ModePerm); err != nil { } else if err := os.MkdirAll(c.CertsPath(), os.ModePerm); err != nil {
return createError(c.CertsConfigPath(), err) return createError(c.CertsPath(), err)
} }
if c.TempPath() == "" { if c.TempPath() == "" {
@ -193,11 +193,6 @@ func (c *Config) ConfigPath() string {
return fs.Abs(c.options.ConfigPath) return fs.Abs(c.options.ConfigPath)
} }
// CertsConfigPath returns the certificate config path
func (c *Config) CertsConfigPath() string {
return filepath.Join(c.ConfigPath(), "certs")
}
// OptionsYaml returns the config options YAML filename. // OptionsYaml returns the config options YAML filename.
func (c *Config) OptionsYaml() string { func (c *Config) OptionsYaml() string {
return filepath.Join(c.ConfigPath(), "options.yml") return filepath.Join(c.ConfigPath(), "options.yml")
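Review bot: The certs directory is still created with `os.ModePerm` (0777 before umask) on the `os.MkdirAll(c.CertsPath(), os.ModePerm)` line, while this commit now resolves relative TLS key files against that directory and hands it to the AutoTLS manager, so the parent directory of private key material is protected only by the process umask. A directory that holds private keys should be owner-only, assuming nothing but the photoprism process needs to read it: `} else if err := os.MkdirAll(c.CertsPath(), 0700); err != nil {`. Note that MkdirAll leaves the mode of an already existing directory untouched, so the stricter mode only takes effect on first creation. CreateDirectories begins and ends outside the hunk.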


@ -88,15 +88,6 @@ func TestConfig_TempPath(t *testing.T) {
} }
} }
func TestConfig_CertsConfigPath(t *testing.T) {
c := NewConfig(CliTestContext())
if dir := c.CertsConfigPath(); dir == "" {
t.Fatal("cert config path is empty")
} else if !strings.HasPrefix(dir, c.ConfigPath()) {
t.Fatalf("unexpected cert config path: %s", dir)
}
}
func TestConfig_CmdCachePath(t *testing.T) { func TestConfig_CmdCachePath(t *testing.T) {
c := NewConfig(CliTestContext()) c := NewConfig(CliTestContext())
if dir := c.CmdCachePath(); dir == "" { if dir := c.CmdCachePath(); dir == "" {


@ -7,6 +7,11 @@ import (
"github.com/photoprism/photoprism/pkg/fs" "github.com/photoprism/photoprism/pkg/fs"
) )
// CertsPath returns the path to the TLS certificates and keys.
func (c *Config) CertsPath() string {
return filepath.Join(c.ConfigPath(), "certs")
}
// AutoTLS returns the email address for enabling automatic HTTPS via Let's Encrypt. // AutoTLS returns the email address for enabling automatic HTTPS via Let's Encrypt.
func (c *Config) AutoTLS() string { func (c *Config) AutoTLS() string {
return clean.Email(c.options.AutoTLS) return clean.Email(c.options.AutoTLS)
@ -18,7 +23,7 @@ func (c *Config) TLSKey() string {
return "" return ""
} else if fs.FileExistsNotEmpty(c.options.TLSKey) { } else if fs.FileExistsNotEmpty(c.options.TLSKey) {
return c.options.TLSKey return c.options.TLSKey
} else if fileName := filepath.Join(c.CertsConfigPath(), c.options.TLSKey); fs.FileExistsNotEmpty(fileName) { } else if fileName := filepath.Join(c.CertsPath(), c.options.TLSKey); fs.FileExistsNotEmpty(fileName) {
return fileName return fileName
} }
@ -31,7 +36,7 @@ func (c *Config) TLSCert() string {
return "" return ""
} else if fs.FileExistsNotEmpty(c.options.TLSCert) { } else if fs.FileExistsNotEmpty(c.options.TLSCert) {
return c.options.TLSCert return c.options.TLSCert
} else if fileName := filepath.Join(c.CertsConfigPath(), c.options.TLSCert); fs.FileExistsNotEmpty(fileName) { } else if fileName := filepath.Join(c.CertsPath(), c.options.TLSCert); fs.FileExistsNotEmpty(fileName) {
return fileName return fileName
} }
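Review bot: The doc comment on the new `CertsPath` method only says it returns the certificates path, but the hunks below show it is also the base directory against which relative `TLSKey`/`TLSCert` values are resolved (`filepath.Join(c.CertsPath(), c.options.TLSKey)`), and elsewhere in this commit it becomes the directory handed to the AutoTLS manager, presumably as its certificate cache. Since callers now depend on those two roles, state them in the comment: `// CertsPath returns the directory below ConfigPath that holds TLS certificates and keys; relative TLSCert/TLSKey values are resolved against it and AutoTLS stores its certificates there.` The TLSKey and TLSCert bodies start outside their hunks.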


@ -1,11 +1,21 @@
package config package config
import ( import (
"strings"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
) )
func TestConfig_CertsPath(t *testing.T) {
c := NewConfig(CliTestContext())
if dir := c.CertsPath(); dir == "" {
t.Fatal("certs path is empty")
} else if !strings.HasPrefix(dir, c.ConfigPath()) {
t.Fatalf("unexpected certs path: %s", dir)
}
}
func TestConfig_AutoTLS(t *testing.T) { func TestConfig_AutoTLS(t *testing.T) {
c := NewConfig(CliTestContext()) c := NewConfig(CliTestContext())
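Review bot: The new `TestConfig_CertsPath` only asserts `strings.HasPrefix(dir, c.ConfigPath())`, which would still pass if `CertsPath` ever returned `ConfigPath()` itself or a sibling directory whose name shares the prefix, so it does not pin the contract the TLS lookup code relies on. The file already imports `assert`, so the exact expectation can be stated directly: `assert.Equal(t, filepath.Join(c.ConfigPath(), "certs"), c.CertsPath())`, which requires adding `"path/filepath"` to the import block (and makes the `strings` import unnecessary).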


@ -35,6 +35,7 @@ func (c *Config) Report() (rows [][]string, cols []string) {
// Config. // Config.
{"config-path", c.ConfigPath()}, {"config-path", c.ConfigPath()},
{"certs-path", c.CertsPath()},
{"options-yaml", c.OptionsYaml()}, {"options-yaml", c.OptionsYaml()},
{"defaults-yaml", c.DefaultsYaml()}, {"defaults-yaml", c.DefaultsYaml()},
{"settings-yaml", c.SettingsYaml()}, {"settings-yaml", c.SettingsYaml()},
@ -50,7 +51,6 @@ func (c *Config) Report() (rows [][]string, cols []string) {
{"albums-path", c.AlbumsPath()}, {"albums-path", c.AlbumsPath()},
{"backup-path", c.BackupPath()}, {"backup-path", c.BackupPath()},
{"cache-path", c.CachePath()}, {"cache-path", c.CachePath()},
{"cert-cache-path", c.CertsConfigPath()},
{"cmd-cache-path", c.CmdCachePath()}, {"cmd-cache-path", c.CmdCachePath()},
{"thumb-cache-path", c.ThumbCachePath()}, {"thumb-cache-path", c.ThumbCachePath()},
{"import-path", c.ImportPath()}, {"import-path", c.ImportPath()},


@ -20,8 +20,8 @@ func AutoTLS(conf *config.Config) (*autocert.Manager, error) {
return nil, fmt.Errorf("no fully qualified site domain") return nil, fmt.Errorf("no fully qualified site domain")
} else if tlsEmail = conf.AutoTLS(); tlsEmail == "" { } else if tlsEmail = conf.AutoTLS(); tlsEmail == "" {
return nil, fmt.Errorf("automatic tls disabled") return nil, fmt.Errorf("automatic tls disabled")
} else if certDir = conf.CertsConfigPath(); certDir == "" { } else if certDir = conf.CertsPath(); certDir == "" {
return nil, fmt.Errorf("https certificate cache directory is missing") return nil, fmt.Errorf("certs path not found")
} }
// Create Let's Encrypt cert manager. // Create Let's Encrypt cert manager.
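Review bot: The new error text `"certs path not found"` is misleading: the condition `certDir = conf.CertsPath(); certDir == ""` only detects an empty value and never checks whether the directory exists or is writable, so an operator reading the log would look for a missing directory when the actual cause is an unset config path. Either keep the message honest, `return nil, fmt.Errorf("certs path not configured")`, or add an explicit existence check before handing the directory to the cert manager. AutoTLS begins and ends outside the hunk, so whether the manager itself creates the directory cannot be confirmed from here.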