Skip to content

Commit

Permalink
(fix): do not expose haproxy password to UI
Browse files Browse the repository at this point in the history
Signed-off-by: Oleksander Piskun <[email protected]>
  • Loading branch information
oleksandr-nc committed Nov 18, 2024
1 parent 34eb208 commit 6d2300a
Show file tree
Hide file tree
Showing 2 changed files with 54 additions and 3 deletions.
45 changes: 44 additions & 1 deletion lib/Controller/DaemonConfigController.php
Original file line number Diff line number Diff line change
Expand Up @@ -59,11 +59,37 @@ public function registerDaemonConfig(array $daemonConfigParams, bool $defaultDae
#[PasswordConfirmationRequired]
public function updateDaemonConfig(string $name, array $daemonConfigParams): Response {
$daemonConfig = $this->daemonConfigService->getDaemonConfigByName($name);

// Safely check if "haproxy_password" exists before accessing it
$haproxyPassword = $daemonConfigParams['deployConfig']['haproxy_password'] ?? null;

// Restore the original password if "dummySecret123" is provided
if ($haproxyPassword === 'dummySecret123') {
$daemonConfigParams['deployConfig']['haproxy_password'] = $daemonConfig->getDeployConfig()['haproxy_password'] ?? "";
}

// Create and update DaemonConfig instance
$updatedDaemonConfig = new DaemonConfig($daemonConfigParams);
$updatedDaemonConfig->setId($daemonConfig->getId());
$updatedDaemonConfig = $this->daemonConfigService->updateDaemonConfig($updatedDaemonConfig);

// Check if update was successful before proceeding
if ($updatedDaemonConfig === null) {
return new JSONResponse([
'success' => false,
'daemonConfig' => null,
]);
}

// Mask the password with "dummySecret123" if it is set
$updatedDeployConfig = $updatedDaemonConfig->getDeployConfig();
if (!empty($updatedDeployConfig['haproxy_password'] ?? null)) {
$updatedDeployConfig['haproxy_password'] = 'dummySecret123';
$updatedDaemonConfig->setDeployConfig($updatedDeployConfig);
}

return new JSONResponse([
'success' => $updatedDaemonConfig !== null,
'success' => true,
'daemonConfig' => $updatedDaemonConfig,
]);
}
Expand Down Expand Up @@ -98,6 +124,23 @@ public function verifyDaemonConnection(string $name): Response {
}

public function checkDaemonConnection(array $daemonParams): Response {
// Safely check if "haproxy_password" exists before accessing it
// note: UI passes here 'deploy_config' instead of 'deployConfig'
$haproxyPassword = $daemonParams['deploy_config']['haproxy_password'] ?? null;

if ($haproxyPassword === 'dummySecret123') {
// If the secret is "dummySecret123" we check if such record is present in DB
$daemonConfig = $this->daemonConfigService->getDaemonConfigByName($daemonParams['name']);
if ($daemonConfig !== null) {
$haproxyPasswordDB = $daemonConfig->getDeployConfig()['haproxy_password'] ?? "";
if ($haproxyPasswordDB) {
// if there is a record in the DB and there is a password,
// then we request it from the DB instead of the “masked” one
$daemonParams['deploy_config']['haproxy_password'] = $haproxyPasswordDB;
}
}
}

$daemonConfig = new DaemonConfig([
'name' => $daemonParams['name'],
'display_name' => $daemonParams['display_name'],
Expand Down
12 changes: 10 additions & 2 deletions lib/Service/DaemonConfigService.php
Original file line number Diff line number Diff line change
Expand Up @@ -81,10 +81,18 @@ public function getDaemonConfigsWithAppsCount(): array {
$carry[$exApp->getDaemonConfigName()] += 1;
return $carry;
}, []);

return array_map(function (DaemonConfig $daemonConfig) use ($daemonsExAppsCount) {
$serializedConfig = $daemonConfig->jsonSerialize();

// Check if "haproxy_password" exists in "deployConfig" and mask it
if (!empty($serializedConfig['deploy_config']['haproxy_password'])) {
$serializedConfig['deploy_config']['haproxy_password'] = 'dummySecret123';
}

return [
...$daemonConfig->jsonSerialize(),
'exAppsCount' => isset($daemonsExAppsCount[$daemonConfig->getName()]) ? $daemonsExAppsCount[$daemonConfig->getName()] : 0,
...$serializedConfig,
'exAppsCount' => $daemonsExAppsCount[$daemonConfig->getName()] ?? 0,
];
}, $this->getRegisteredDaemonConfigs());
}
Expand Down

0 comments on commit 6d2300a

Please sign in to comment.