174 lines
4.7 KiB
Go
174 lines
4.7 KiB
Go
// Package config defines the configuration types and loading for fence.
|
|
package config
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
"slices"
|
|
"strings"
|
|
)
|
|
|
|
// Config is the main configuration for fence.
|
|
type Config struct {
|
|
Network NetworkConfig `json:"network"`
|
|
Filesystem FilesystemConfig `json:"filesystem"`
|
|
AllowPty bool `json:"allowPty,omitempty"`
|
|
}
|
|
|
|
// NetworkConfig defines network restrictions.
|
|
type NetworkConfig struct {
|
|
AllowedDomains []string `json:"allowedDomains"`
|
|
DeniedDomains []string `json:"deniedDomains"`
|
|
AllowUnixSockets []string `json:"allowUnixSockets,omitempty"`
|
|
AllowAllUnixSockets bool `json:"allowAllUnixSockets,omitempty"`
|
|
AllowLocalBinding bool `json:"allowLocalBinding,omitempty"`
|
|
HTTPProxyPort int `json:"httpProxyPort,omitempty"`
|
|
SOCKSProxyPort int `json:"socksProxyPort,omitempty"`
|
|
}
|
|
|
|
// FilesystemConfig defines filesystem restrictions.
|
|
type FilesystemConfig struct {
|
|
DenyRead []string `json:"denyRead"`
|
|
AllowWrite []string `json:"allowWrite"`
|
|
DenyWrite []string `json:"denyWrite"`
|
|
AllowGitConfig bool `json:"allowGitConfig,omitempty"`
|
|
}
|
|
|
|
// Default returns the default configuration with all network blocked.
|
|
func Default() *Config {
|
|
return &Config{
|
|
Network: NetworkConfig{
|
|
AllowedDomains: []string{},
|
|
DeniedDomains: []string{},
|
|
},
|
|
Filesystem: FilesystemConfig{
|
|
DenyRead: []string{},
|
|
AllowWrite: []string{},
|
|
DenyWrite: []string{},
|
|
},
|
|
}
|
|
}
|
|
|
|
// DefaultConfigPath returns the default config file path.
|
|
func DefaultConfigPath() string {
|
|
home, err := os.UserHomeDir()
|
|
if err != nil {
|
|
return ".fence.json"
|
|
}
|
|
return filepath.Join(home, ".fence.json")
|
|
}
|
|
|
|
// Load loads configuration from a file path.
|
|
func Load(path string) (*Config, error) {
|
|
data, err := os.ReadFile(path)
|
|
if err != nil {
|
|
if os.IsNotExist(err) {
|
|
return nil, nil
|
|
}
|
|
return nil, fmt.Errorf("failed to read config file: %w", err)
|
|
}
|
|
|
|
// Handle empty file
|
|
if len(strings.TrimSpace(string(data))) == 0 {
|
|
return nil, nil
|
|
}
|
|
|
|
var cfg Config
|
|
if err := json.Unmarshal(data, &cfg); err != nil {
|
|
return nil, fmt.Errorf("invalid JSON in config file: %w", err)
|
|
}
|
|
|
|
if err := cfg.Validate(); err != nil {
|
|
return nil, fmt.Errorf("invalid configuration: %w", err)
|
|
}
|
|
|
|
return &cfg, nil
|
|
}
|
|
|
|
// Validate validates the configuration.
|
|
func (c *Config) Validate() error {
|
|
for _, domain := range c.Network.AllowedDomains {
|
|
if err := validateDomainPattern(domain); err != nil {
|
|
return fmt.Errorf("invalid allowed domain %q: %w", domain, err)
|
|
}
|
|
}
|
|
for _, domain := range c.Network.DeniedDomains {
|
|
if err := validateDomainPattern(domain); err != nil {
|
|
return fmt.Errorf("invalid denied domain %q: %w", domain, err)
|
|
}
|
|
}
|
|
|
|
if slices.Contains(c.Filesystem.DenyRead, "") {
|
|
return errors.New("filesystem.denyRead contains empty path")
|
|
}
|
|
if slices.Contains(c.Filesystem.AllowWrite, "") {
|
|
return errors.New("filesystem.allowWrite contains empty path")
|
|
}
|
|
if slices.Contains(c.Filesystem.DenyWrite, "") {
|
|
return errors.New("filesystem.denyWrite contains empty path")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func validateDomainPattern(pattern string) error {
|
|
if pattern == "localhost" {
|
|
return nil
|
|
}
|
|
|
|
if strings.Contains(pattern, "://") || strings.Contains(pattern, "/") || strings.Contains(pattern, ":") {
|
|
return errors.New("domain pattern cannot contain protocol, path, or port")
|
|
}
|
|
|
|
// Handle wildcard patterns
|
|
if strings.HasPrefix(pattern, "*.") {
|
|
domain := pattern[2:]
|
|
// Must have at least one more dot after the wildcard
|
|
if !strings.Contains(domain, ".") {
|
|
return errors.New("wildcard pattern too broad (e.g., *.com not allowed)")
|
|
}
|
|
if strings.HasPrefix(domain, ".") || strings.HasSuffix(domain, ".") {
|
|
return errors.New("invalid domain format")
|
|
}
|
|
// Check each part has content
|
|
parts := strings.Split(domain, ".")
|
|
if len(parts) < 2 {
|
|
return errors.New("wildcard pattern too broad")
|
|
}
|
|
if slices.Contains(parts, "") {
|
|
return errors.New("invalid domain format")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Reject other uses of wildcards
|
|
if strings.Contains(pattern, "*") {
|
|
return errors.New("only *.domain.com wildcard patterns are allowed")
|
|
}
|
|
|
|
// Regular domains must have at least one dot
|
|
if !strings.Contains(pattern, ".") || strings.HasPrefix(pattern, ".") || strings.HasSuffix(pattern, ".") {
|
|
return errors.New("invalid domain format")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// MatchesDomain checks if a hostname matches a domain pattern.
|
|
func MatchesDomain(hostname, pattern string) bool {
|
|
hostname = strings.ToLower(hostname)
|
|
pattern = strings.ToLower(pattern)
|
|
|
|
// Wildcard pattern like *.example.com
|
|
if strings.HasPrefix(pattern, "*.") {
|
|
baseDomain := pattern[2:]
|
|
return strings.HasSuffix(hostname, "."+baseDomain)
|
|
}
|
|
|
|
// Exact match
|
|
return hostname == pattern
|
|
}
|