arti: use fs-mistrust to validate configuration file locations.
This commit is contained in:
parent
2938268f34
commit
b0f39abe32
|
@ -81,6 +81,7 @@ dependencies = [
|
|||
"clap",
|
||||
"config",
|
||||
"derive_builder",
|
||||
"fs-mistrust",
|
||||
"futures",
|
||||
"libc",
|
||||
"notify",
|
||||
|
|
|
@ -181,7 +181,8 @@ impl<R: Runtime> TorClientBuilder<R> {
|
|||
self.runtime,
|
||||
self.config,
|
||||
self.bootstrap_behavior,
|
||||
self.fs_mistrust.unwrap_or_else(default_fs_mistrust),
|
||||
self.fs_mistrust
|
||||
.unwrap_or_else(crate::config::default_fs_mistrust),
|
||||
self.dirmgr_builder.as_ref(),
|
||||
dirmgr_extensions,
|
||||
)
|
||||
|
@ -195,14 +196,3 @@ impl<R: Runtime> TorClientBuilder<R> {
|
|||
Ok(r)
|
||||
}
|
||||
}
|
||||
|
||||
/// Return a default value for our fs_mistrust configuration.
|
||||
///
|
||||
/// This is based on the environment rather on the configuration file since,
|
||||
fn default_fs_mistrust() -> fs_mistrust::Mistrust {
|
||||
let mut mistrust = fs_mistrust::Mistrust::new();
|
||||
if std::env::var_os("ARTI_FS_DISABLE_PERMISSION_CHECKS").is_some() {
|
||||
mistrust.dangerously_trust_everyone();
|
||||
}
|
||||
mistrust
|
||||
}
|
||||
|
|
|
@ -358,6 +358,18 @@ impl TorClientConfigBuilder {
|
|||
}
|
||||
}
|
||||
|
||||
/// Return a default value for our fs_mistrust configuration.
|
||||
///
|
||||
/// This is based on the environment rather on the configuration, since we may
|
||||
/// want to use it to determine whether configuration files are safe to read.
|
||||
pub fn default_fs_mistrust() -> fs_mistrust::Mistrust {
|
||||
let mut mistrust = fs_mistrust::Mistrust::new();
|
||||
if std::env::var_os("ARTI_FS_DISABLE_PERMISSION_CHECKS").is_some() {
|
||||
mistrust.dangerously_trust_everyone();
|
||||
}
|
||||
mistrust
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod test {
|
||||
#![allow(clippy::unwrap_used)]
|
||||
|
|
|
@ -24,6 +24,7 @@ journald = ["tracing-journald"]
|
|||
|
||||
[dependencies]
|
||||
arti-client = { package = "arti-client", path = "../arti-client", version = "0.2.0", default-features = false }
|
||||
fs-mistrust = { path = "../fs-mistrust", version = "0.1.0" }
|
||||
tor-config = { path = "../tor-config", version = "0.2.0" }
|
||||
tor-error = { path = "../tor-error", version = "0.2.0", default-features = false }
|
||||
tor-rtcompat = { path = "../tor-rtcompat", version = "0.2.0", default-features = false }
|
||||
|
|
|
@ -151,6 +151,7 @@ pub async fn run<R: Runtime>(
|
|||
config_sources: arti_config::ConfigurationSources,
|
||||
arti_config: ArtiConfig,
|
||||
client_config: TorClientConfig,
|
||||
fs_permissions: fs_mistrust::Mistrust,
|
||||
) -> Result<()> {
|
||||
// Using OnDemand arranges that, while we are bootstrapping, incoming connections wait
|
||||
// for bootstrap to complete, rather than getting errors.
|
||||
|
@ -159,6 +160,7 @@ pub async fn run<R: Runtime>(
|
|||
let client = TorClient::with_runtime(runtime.clone())
|
||||
.config(client_config)
|
||||
.bootstrap_behavior(OnDemand)
|
||||
.override_fs_permission_checks(fs_permissions)
|
||||
.create_unbootstrapped()?;
|
||||
if arti_config.application().watch_configuration {
|
||||
watch_cfg::watch_for_config_changes(config_sources, arti_config, client.clone())?;
|
||||
|
@ -281,16 +283,26 @@ pub fn main_main() -> Result<()> {
|
|||
.setting(AppSettings::SubcommandRequiredElseHelp)
|
||||
.get_matches();
|
||||
|
||||
let mistrust = arti_client::config::default_fs_mistrust();
|
||||
|
||||
let cfg_sources = {
|
||||
let mut cfg_sources = arti_config::ConfigurationSources::new();
|
||||
|
||||
let config_files = matches.values_of_os("config-files").unwrap_or_default();
|
||||
if config_files.len() == 0 {
|
||||
if let Some(default) = default_config_file() {
|
||||
match mistrust.verifier().require_file().check(&default) {
|
||||
Ok(()) => {}
|
||||
Err(fs_mistrust::Error::NotFound(_)) => {}
|
||||
Err(e) => return Err(e.into()),
|
||||
}
|
||||
cfg_sources.push_optional_file(default);
|
||||
}
|
||||
} else {
|
||||
config_files.for_each(|f| cfg_sources.push_file(f));
|
||||
for f in config_files {
|
||||
mistrust.verifier().require_file().check(f)?;
|
||||
cfg_sources.push_file(f);
|
||||
}
|
||||
}
|
||||
|
||||
matches
|
||||
|
@ -355,6 +367,7 @@ pub fn main_main() -> Result<()> {
|
|||
cfg_sources,
|
||||
config,
|
||||
client_config,
|
||||
mistrust,
|
||||
))?;
|
||||
Ok(())
|
||||
} else {
|
||||
|
|
|
@ -38,6 +38,7 @@ MODIFIED: Configuration builder structs are now all Serialize+Deseralize+Debug.
|
|||
BREAKING: Replaced LoggingConfigBuilder::file (taking Vec) with LoggingConfigBuilder::files
|
||||
BREAKING: LoggingConfigBuilder::build() throws ConfigBuildError, not a bespoke error
|
||||
MODIFIED: LoggingConfigBuilder is now Deserialize
|
||||
BREAKING: Replaced API for `run` to require a fs_mistrust.
|
||||
|
||||
|
||||
### arti-client
|
||||
|
|
Loading…
Reference in New Issue