From 6d2300aeb91cb43310e17b31084863300aae617b Mon Sep 17 00:00:00 2001
From: Oleksander Piskun
Date: Mon, 18 Nov 2024 19:23:47 +0300
Subject: [PATCH 1/2] (fix): do not expose haproxy password to UI

Signed-off-by: Oleksander Piskun
---
 lib/Controller/DaemonConfigController.php | 45 ++++++++++++++++++++++-
 lib/Service/DaemonConfigService.php | 12 +++++-
 2 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/lib/Controller/DaemonConfigController.php b/lib/Controller/DaemonConfigController.php
index 7b2cfd83..0541708a 100644
--- a/lib/Controller/DaemonConfigController.php
+++ b/lib/Controller/DaemonConfigController.php
@@ -59,11 +59,37 @@ public function registerDaemonConfig(array $daemonConfigParams, bool $defaultDae
 #[PasswordConfirmationRequired]
 public function updateDaemonConfig(string $name, array $daemonConfigParams): Response {
 $daemonConfig = $this->daemonConfigService->getDaemonConfigByName($name);
+
+ // Safely check if "haproxy_password" exists before accessing it
+ $haproxyPassword = $daemonConfigParams['deployConfig']['haproxy_password'] ?? null;
+
+ // Restore the original password if "dummySecret123" is provided
+ if ($haproxyPassword === 'dummySecret123') {
+ $daemonConfigParams['deployConfig']['haproxy_password'] = $daemonConfig->getDeployConfig()['haproxy_password'] ?? "";
+ }
+
+ // Create and update DaemonConfig instance
 $updatedDaemonConfig = new DaemonConfig($daemonConfigParams);
 $updatedDaemonConfig->setId($daemonConfig->getId());
 $updatedDaemonConfig = $this->daemonConfigService->updateDaemonConfig($updatedDaemonConfig);
+
+ // Check if update was successful before proceeding
+ if ($updatedDaemonConfig === null) {
+ return new JSONResponse([
+ 'success' => false,
+ 'daemonConfig' => null,
+ ]);
+ }
+
+ // Mask the password with "dummySecret123" if it is set
+ $updatedDeployConfig = $updatedDaemonConfig->getDeployConfig();
+ if (!empty($updatedDeployConfig['haproxy_password'] ?? null)) {
+ $updatedDeployConfig['haproxy_password'] = 'dummySecret123';
+ $updatedDaemonConfig->setDeployConfig($updatedDeployConfig);
+ }
+
 return new JSONResponse([
- 'success' => $updatedDaemonConfig !== null,
+ 'success' => true,
 'daemonConfig' => $updatedDaemonConfig,
 ]);
 }
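Review bot: The sentinel `'dummySecret123'` that the new restore branch compares against and the mask branch writes is a bare literal repeated here, in checkDaemonConnection (the next hunk) and in DaemonConfigService::getDaemonConfigsWithAppsCount, so the three sites can silently drift apart; hoist it into one shared constant, e.g. `public const MASKED_SECRET = 'dummySecret123';` on the service, and compare against that everywhere. A stored password that genuinely equals the sentinel is indistinguishable from the mask and could never be changed through this endpoint, which a comment on that constant should state. The restore branch also dereferences `$daemonConfig->getDeployConfig()` without the `!== null` guard that checkDaemonConnection applies to the same lookup, which suggests it can return null; the pre-existing `$daemonConfig->getId()` line has the same gap, so a guard right after the lookup, `if ($daemonConfig === null) { return new JSONResponse(['success' => false, 'daemonConfig' => null]); }`, would cover both. Minor: `!empty($updatedDeployConfig['haproxy_password'] ?? null)` is redundant, since `!empty($updatedDeployConfig['haproxy_password'])` already tolerates a missing key.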
@@ -98,6 +124,23 @@ public function verifyDaemonConnection(string $name): Response {
 }
 
 public function checkDaemonConnection(array $daemonParams): Response {
+ // Safely check if "haproxy_password" exists before accessing it
+ // note: UI passes here 'deploy_config' instead of 'deployConfig'
+ $haproxyPassword = $daemonParams['deploy_config']['haproxy_password'] ?? null;
+
+ if ($haproxyPassword === 'dummySecret123') {
+ // If the secret is "dummySecret123" we check if such record is present in DB
+ $daemonConfig = $this->daemonConfigService->getDaemonConfigByName($daemonParams['name']);
+ if ($daemonConfig !== null) {
+ $haproxyPasswordDB = $daemonConfig->getDeployConfig()['haproxy_password'] ?? "";
+ if ($haproxyPasswordDB) {
+ // if there is a record in the DB and there is a password,
+ // then we request it from the DB instead of the “masked” one
+ $daemonParams['deploy_config']['haproxy_password'] = $haproxyPasswordDB;
+ }
+ }
+ }
+
 $daemonConfig = new DaemonConfig([
 'name' => $daemonParams['name'],
 'display_name' => $daemonParams['display_name'],
diff --git a/lib/Service/DaemonConfigService.php b/lib/Service/DaemonConfigService.php
index d2ebd084..d7938142 100644
--- a/lib/Service/DaemonConfigService.php
+++ b/lib/Service/DaemonConfigService.php
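Review bot: `if ($haproxyPasswordDB)` in the new restore branch is a truthiness test, so a stored password of exactly `"0"` is treated as absent and the literal sentinel, not the real secret, is sent along for the connection check; compare explicitly, `if ($haproxyPasswordDB !== '') {`. The lookup key `$daemonParams['name']` is read from the request without an existence check, which under strict types surfaces as a warning rather than a clean validation failure — `$daemonParams['name'] ?? ''` or an early error response would be clearer, although the pre-existing lines below index the key the same way. checkDaemonConnection continues past the end of the hunk.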
@@ -81,10 +81,18 @@ public function getDaemonConfigsWithAppsCount(): array {
 $carry[$exApp->getDaemonConfigName()] += 1;
 return $carry;
 }, []);
+
 return array_map(function (DaemonConfig $daemonConfig) use ($daemonsExAppsCount) {
+ $serializedConfig = $daemonConfig->jsonSerialize();
+
+ // Check if "haproxy_password" exists in "deployConfig" and mask it
+ if (!empty($serializedConfig['deploy_config']['haproxy_password'])) {
+ $serializedConfig['deploy_config']['haproxy_password'] = 'dummySecret123';
+ }
+
 return [
- ...$daemonConfig->jsonSerialize(),
- 'exAppsCount' => isset($daemonsExAppsCount[$daemonConfig->getName()]) ? $daemonsExAppsCount[$daemonConfig->getName()] : 0,
+ ...$serializedConfig,
+ 'exAppsCount' => $daemonsExAppsCount[$daemonConfig->getName()] ?? 0,
 ];
 }, $this->getRegisteredDaemonConfigs());
 }

From 56eab3b36fccecd09dc72dde8dd9f1bbf0ba62ef Mon Sep 17 00:00:00 2001
From: Oleksander Piskun
Date: Wed, 20 Nov 2024 11:41:54 +0300
Subject: [PATCH 2/2] fixed important typo that lead to incorrect logic

Signed-off-by: Oleksander Piskun
---
 lib/Controller/DaemonConfigController.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/Controller/DaemonConfigController.php b/lib/Controller/DaemonConfigController.php
index 0541708a..e8624c9c 100644
--- a/lib/Controller/DaemonConfigController.php
+++ b/lib/Controller/DaemonConfigController.php
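Review bot: The mask in the new `array_map` callback is gated on `!empty(...)`, and PHP's `empty()` is true for the string `"0"`, so a haproxy password of exactly `"0"` is serialized to the UI unmasked — the one outcome this commit exists to prevent; gate on presence instead, `if (($serializedConfig['deploy_config']['haproxy_password'] ?? '') !== '') {`. Masking only in getDaemonConfigsWithAppsCount protects the list endpoint, but whether other callers of getRegisteredDaemonConfigs or of jsonSerialize also reach the UI is not visible here and is worth checking, since masking inside the serializer would cover every path while leaving getDeployConfig, which the controller's restore branch reads, untouched. A comment on the mask, `// never return the real secret to clients; the controller maps the sentinel back to the stored value on update`, would tie the two halves together. getDaemonConfigsWithAppsCount's opening lines are outside the hunk.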
@@ -61,11 +61,11 @@ public function updateDaemonConfig(string $name, array $daemonConfigParams): Res
 $daemonConfig = $this->daemonConfigService->getDaemonConfigByName($name);
 
 // Safely check if "haproxy_password" exists before accessing it
- $haproxyPassword = $daemonConfigParams['deployConfig']['haproxy_password'] ?? null;
+ $haproxyPassword = $daemonConfigParams['deploy_config']['haproxy_password'] ?? null;
 
 // Restore the original password if "dummySecret123" is provided
 if ($haproxyPassword === 'dummySecret123') {
- $daemonConfigParams['deployConfig']['haproxy_password'] = $daemonConfig->getDeployConfig()['haproxy_password'] ?? "";
+ $daemonConfigParams['deploy_config']['haproxy_password'] = $daemonConfig->getDeployConfig()['haproxy_password'] ?? "";
 }
 
 // Create and update DaemonConfig instance
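Review bot: The key mismatch this commit repairs went unnoticed because `?? null` turns a wrong key into a silent no-op, and the restore branch was then skipped — presumably leaving the literal sentinel to be persisted as the real password on every update, since the payload under `'deploy_config'` still reached the DaemonConfig constructor unchanged. The key `'deploy_config'` remains a bare literal in both controller methods and in the service; naming it once, e.g. `private const DEPLOY_CONFIG_KEY = 'deploy_config';`, plus a comment on the lookup such as `// request payload uses the snake_case 'deploy_config' key, not the entity's deployConfig`, would make the next typo a visible error instead of a stored secret equal to the mask. updateDaemonConfig starts before and ends after this hunk.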