config.c (49313B)
1 /*
2 * Copyright (c) 2013-2022 Joris Vink <joris@coders.se>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17 #include <sys/param.h>
18 #include <sys/types.h>
19 #include <sys/stat.h>
20
21 #include <stdio.h>
22 #include <string.h>
23 #include <stdint.h>
24 #include <ctype.h>
25 #include <limits.h>
26 #include <fcntl.h>
27 #include <pwd.h>
28
29 #include "kore.h"
30 #include "http.h"
31
32 #if defined(KORE_USE_PGSQL)
33 #include "pgsql.h"
34 #endif
35
36 #if defined(KORE_USE_TASKS)
37 #include "tasks.h"
38 #endif
39
40 #if defined(KORE_USE_PYTHON)
41 #include "python_api.h"
42 #endif
43
44 #if defined(KORE_USE_CURL)
45 #include "curl.h"
46 #endif
47
48 #if defined(KORE_USE_ACME)
49 #include "acme.h"
50 #endif
51
52 #if defined(__linux__)
53 #include "seccomp.h"
54 #endif
55
56 /* XXX - This is becoming a clusterfuck. Fix it. */
57
58 static int configure_load(char *);
59 static char *configure_resolve_var(char *);
60 static void configure_check_var(char **, const char *, const char *);
61
62 #if defined(KORE_SINGLE_BINARY)
63 static FILE *config_file_write(void);
64 extern u_int8_t asset_builtin_kore_conf[];
65 extern u_int32_t asset_len_builtin_kore_conf;
66 #elif defined(KORE_USE_PYTHON)
67 static int configure_file(char *);
68 #endif
69
70 #if defined(KORE_USE_ACME)
71 static int configure_acme(char *);
72 static int configure_acme_email(char *);
73 static int configure_acme_provider(char *);
74 #endif
75
76 static int configure_tls(char *);
77 static int configure_server(char *);
78 static int configure_include(char *);
79 static int configure_bind(char *);
80 static int configure_bind_unix(char *);
81 static int configure_attach(char *);
82 static int configure_domain(char *);
83 static int configure_privsep(char *);
84 static int configure_logfile(char *);
85 static int configure_workers(char *);
86 static int configure_pidfile(char *);
87 static int configure_rlimit_nofiles(char *);
88 static int configure_max_connections(char *);
89 static int configure_accept_threshold(char *);
90 static int configure_death_policy(char *);
91 static int configure_set_affinity(char *);
92 static int configure_socket_backlog(char *);
93 static int configure_privsep_skip(char *);
94 static int configure_privsep_root(char *);
95 static int configure_privsep_runas(char *);
96
97 #if defined(KORE_USE_PLATFORM_PLEDGE)
98 static int configure_add_pledge(char *);
99 #endif
100
101 static int configure_rand_file(char *);
102 static int configure_certfile(char *);
103 static int configure_certkey(char *);
104 static int configure_tls_version(char *);
105 static int configure_tls_cipher(char *);
106 static int configure_tls_dhparam(char *);
107 static int configure_client_verify(char *);
108 static int configure_client_verify_depth(char *);
109
110 #if !defined(KORE_NO_HTTP)
111 static int configure_route(char *);
112 static int configure_route_methods(char *);
113 static int configure_route_handler(char *);
114 static int configure_route_on_free(char *);
115 static int configure_route_on_headers(char *);
116 static int configure_route_authenticate(char *);
117 static int configure_route_on_body_chunk(char *);
118 static int configure_filemap(char *);
119 static int configure_return(char *);
120 static int configure_redirect(char *);
121 static int configure_static_handler(char *);
122 static int configure_dynamic_handler(char *);
123 static int configure_accesslog(char *);
124 static int configure_http_header_max(char *);
125 static int configure_http_header_timeout(char *);
126 static int configure_http_body_max(char *);
127 static int configure_http_body_timeout(char *);
128 static int configure_filemap_ext(char *);
129 static int configure_filemap_index(char *);
130 static int configure_http_media_type(char *);
131 static int configure_http_hsts_enable(char *);
132 static int configure_http_keepalive_time(char *);
133 static int configure_http_request_ms(char *);
134 static int configure_http_request_limit(char *);
135 static int configure_http_body_disk_offload(char *);
136 static int configure_http_body_disk_path(char *);
137 static int configure_http_server_version(char *);
138 static int configure_http_pretty_error(char *);
139 static int configure_validator(char *);
140 static int configure_validate(char *);
141 static int configure_authentication(char *);
142 static int configure_authentication_uri(char *);
143 static int configure_authentication_type(char *);
144 static int configure_authentication_value(char *);
145 static int configure_authentication_validator(char *);
146 static int configure_websocket_maxframe(char *);
147 static int configure_websocket_timeout(char *);
148 #endif
149
150 #if defined(KORE_USE_PGSQL)
151 static int configure_pgsql_conn_max(char *);
152 static int configure_pgsql_queue_limit(char *);
153 #endif
154
155 #if defined(KORE_USE_TASKS)
156 static int configure_task_threads(char *);
157 #endif
158
159 #if defined(KORE_USE_PYTHON)
160 static int configure_deployment(char *);
161 static int configure_python_path(char *);
162 static int configure_python_import(char *);
163 #endif
164
165 #if defined(KORE_USE_CURL)
166 static int configure_curl_timeout(char *);
167 static int configure_curl_recv_max(char *);
168 #endif
169
170 #if defined(__linux__)
171 static int configure_seccomp_tracing(char *);
172 #endif
173
174 static struct {
175 const char *name;
176 int (*configure)(char *);
177 } config_directives[] = {
178 { "tls", configure_tls },
179 #if defined(KORE_USE_ACME)
180 { "acme", configure_acme },
181 #endif
182 { "bind", configure_bind },
183 { "load", configure_load },
184 { "domain", configure_domain },
185 { "privsep", configure_privsep },
186 { "server", configure_server },
187 { "attach", configure_attach },
188 { "certkey", configure_certkey },
189 { "certfile", configure_certfile },
190 { "include", configure_include },
191 { "unix", configure_bind_unix },
192 { "skip", configure_privsep_skip },
193 { "root", configure_privsep_root },
194 { "runas", configure_privsep_runas },
195 { "client_verify", configure_client_verify },
196 { "client_verify_depth", configure_client_verify_depth },
197 #if defined(KORE_USE_PYTHON)
198 { "python_path", configure_python_path },
199 { "python_import", configure_python_import },
200 #endif
201 #if !defined(KORE_NO_HTTP)
202 { "route", configure_route },
203 { "handler", configure_route_handler },
204 { "on_headers", configure_route_on_headers },
205 { "on_body_chunk", configure_route_on_body_chunk },
206 { "on_free", configure_route_on_free },
207 { "methods", configure_route_methods },
208 { "authenticate", configure_route_authenticate },
209 { "filemap", configure_filemap },
210 { "redirect", configure_redirect },
211 { "return", configure_return },
212 { "static", configure_static_handler },
213 { "dynamic", configure_dynamic_handler },
214 { "accesslog", configure_accesslog },
215 { "validator", configure_validator },
216 { "validate", configure_validate },
217 { "authentication", configure_authentication },
218 { "authentication_uri", configure_authentication_uri },
219 { "authentication_type", configure_authentication_type },
220 { "authentication_value", configure_authentication_value },
221 { "authentication_validator", configure_authentication_validator },
222 #endif
223 { NULL, NULL },
224 };
225
226 static struct {
227 const char *name;
228 int (*configure)(char *);
229 } config_settings[] = {
230 { "logfile", configure_logfile },
231 { "workers", configure_workers },
232 { "worker_max_connections", configure_max_connections },
233 { "worker_rlimit_nofiles", configure_rlimit_nofiles },
234 { "worker_accept_threshold", configure_accept_threshold },
235 { "worker_death_policy", configure_death_policy },
236 { "worker_set_affinity", configure_set_affinity },
237 { "pidfile", configure_pidfile },
238 { "socket_backlog", configure_socket_backlog },
239 { "tls_version", configure_tls_version },
240 { "tls_cipher", configure_tls_cipher },
241 { "tls_dhparam", configure_tls_dhparam },
242 { "rand_file", configure_rand_file },
243 #if defined(KORE_USE_ACME)
244 { "acme_email", configure_acme_email },
245 { "acme_provider", configure_acme_provider },
246 #endif
247 #if defined(KORE_USE_PLATFORM_PLEDGE)
248 { "pledge", configure_add_pledge },
249 #endif
250 #if defined(__linux__)
251 { "seccomp_tracing", configure_seccomp_tracing },
252 #endif
253 #if !defined(KORE_NO_HTTP)
254 { "filemap_ext", configure_filemap_ext },
255 { "filemap_index", configure_filemap_index },
256 { "http_media_type", configure_http_media_type },
257 { "http_header_max", configure_http_header_max },
258 { "http_header_timeout", configure_http_header_timeout },
259 { "http_body_max", configure_http_body_max },
260 { "http_body_timeout", configure_http_body_timeout },
261 { "http_hsts_enable", configure_http_hsts_enable },
262 { "http_keepalive_time", configure_http_keepalive_time },
263 { "http_request_ms", configure_http_request_ms },
264 { "http_request_limit", configure_http_request_limit },
265 { "http_body_disk_offload", configure_http_body_disk_offload },
266 { "http_body_disk_path", configure_http_body_disk_path },
267 { "http_server_version", configure_http_server_version },
268 { "http_pretty_error", configure_http_pretty_error },
269 { "websocket_maxframe", configure_websocket_maxframe },
270 { "websocket_timeout", configure_websocket_timeout },
271 #endif
272 #if defined(KORE_USE_PYTHON)
273 { "deployment", configure_deployment },
274 #endif
275 #if defined(KORE_USE_PGSQL)
276 { "pgsql_conn_max", configure_pgsql_conn_max },
277 { "pgsql_queue_limit", configure_pgsql_queue_limit },
278 #endif
279 #if defined(KORE_USE_TASKS)
280 { "task_threads", configure_task_threads },
281 #endif
282 #if defined(KORE_USE_CURL)
283 { "curl_timeout", configure_curl_timeout },
284 { "curl_recv_max", configure_curl_recv_max },
285 #endif
286 #if !defined(KORE_SINGLE_BINARY) && defined(KORE_USE_PYTHON)
287 { "file", configure_file },
288 #endif
289 { NULL, NULL },
290 };
291
292 static int finalized = 0;
293
294 #if !defined(KORE_SINGLE_BINARY)
295 char *config_file = NULL;
296 #endif
297
298 #if !defined(KORE_NO_HTTP)
299 static struct kore_auth *current_auth = NULL;
300 static struct kore_route *current_route = NULL;
301 #endif
302
303 extern const char *__progname;
304 static struct kore_domain *current_domain = NULL;
305 static struct kore_server *current_server = NULL;
306 static struct kore_privsep *current_privsep = NULL;
307
308 void
309 kore_parse_config(void)
310 {
311 FILE *fp;
312 struct passwd *pwd;
313 char path[PATH_MAX];
314
315 if (finalized)
316 return;
317
318 fp = NULL;
319
320 #if !defined(KORE_SINGLE_BINARY)
321 if (config_file != NULL) {
322 if ((fp = fopen(config_file, "r")) == NULL) {
323 fatal("configuration given cannot be opened: %s",
324 config_file);
325 }
326 }
327 #else
328 fp = config_file_write();
329 #endif
330
331 if (fp != NULL) {
332 kore_parse_config_file(fp);
333 (void)fclose(fp);
334 }
335
336 kore_tls_dh_check();
337
338 if (!kore_module_loaded())
339 fatal("no application module was loaded");
340
341 if (worker_privsep.root == NULL) {
342 if (getcwd(path, sizeof(path)) == NULL)
343 fatal("getcwd: %s", errno_s);
344 worker_privsep.root = kore_strdup(path);
345
346 if (!kore_quiet)
347 kore_log(LOG_NOTICE, "privsep: no root path set");
348 }
349
350 if (worker_privsep.runas == NULL) {
351 if ((pwd = getpwuid(getuid())) == NULL)
352 fatal("getpwuid: %s", errno_s);
353
354 worker_privsep.runas = kore_strdup(pwd->pw_name);
355 if (!kore_quiet)
356 kore_log(LOG_NOTICE, "privsep: no runas user set");
357
358 endpwent();
359 }
360
361 configure_check_var(&keymgr_privsep.runas, worker_privsep.runas,
362 "privsep: no keymgr runas set");
363 #if defined(KORE_USE_ACME)
364 configure_check_var(&acme_privsep.runas, worker_privsep.runas,
365 "privsep: no acme runas set");
366 #endif
367
368 configure_check_var(&keymgr_privsep.root, worker_privsep.root,
369 "privsep: no keymgr root set");
370 #if defined(KORE_USE_ACME)
371 configure_check_var(&acme_privsep.root, worker_privsep.root,
372 "privsep: no acme root set");
373 #endif
374
375 if (skip_chroot) {
376 worker_privsep.skip_chroot = 1;
377 keymgr_privsep.skip_chroot = 1;
378 #if defined(KORE_USE_ACME)
379 acme_privsep.skip_chroot = 1;
380 #endif
381 }
382
383 if (skip_runas) {
384 worker_privsep.skip_runas = 1;
385 keymgr_privsep.skip_runas = 1;
386 #if defined(KORE_USE_ACME)
387 acme_privsep.skip_runas = 1;
388 #endif
389 }
390
391 if (skip_runas && !kore_quiet)
392 kore_log(LOG_NOTICE, "privsep: skipping all runas options");
393
394 if (skip_chroot && !kore_quiet)
395 kore_log(LOG_NOTICE, "privsep: skipping all chroot options");
396
397 finalized = 1;
398 }
399
400 void
401 kore_parse_config_file(FILE *fp)
402 {
403 int i, lineno;
404 char buf[BUFSIZ], *p, *t, *v;
405
406 lineno = 1;
407 while ((p = kore_read_line(fp, buf, sizeof(buf))) != NULL) {
408 if (strlen(p) == 0) {
409 lineno++;
410 continue;
411 }
412
413 if (!strcmp(p, "}") && current_privsep != NULL) {
414 lineno++;
415 current_privsep = NULL;
416 continue;
417 }
418
419 if (!strcmp(p, "}") && current_server != NULL) {
420 lineno++;
421 kore_server_finalize(current_server);
422 current_server = NULL;
423 continue;
424 }
425
426 #if !defined(KORE_NO_HTTP)
427 if (!strcmp(p, "}") && current_route != NULL) {
428 lineno++;
429 current_route = NULL;
430 continue;
431 }
432
433 if (!strcmp(p, "}") && current_auth != NULL) {
434 if (current_auth->validator == NULL) {
435 fatal("no authentication validator for %s",
436 current_auth->name);
437 }
438
439 lineno++;
440 current_auth = NULL;
441 continue;
442 }
443 #endif
444
445 if (!strcmp(p, "}") && current_domain != NULL) {
446 if (current_domain->server == NULL) {
447 fatal("domain '%s' not attached to server",
448 current_domain->domain);
449 }
450
451 if (current_domain->server->tls == 1) {
452 #if defined(KORE_USE_ACME)
453 if (current_domain->acme) {
454 lineno++;
455 current_domain = NULL;
456 continue;
457 }
458 #endif
459 if (current_domain->certfile == NULL ||
460 current_domain->certkey == NULL) {
461 fatal("incomplete TLS setup for '%s'",
462 current_domain->domain);
463 }
464 }
465
466 current_domain = NULL;
467 }
468
469 if (!strcmp(p, "}")) {
470 lineno++;
471 continue;
472 }
473
474 if ((t = strchr(p, ' ')) == NULL) {
475 kore_log(LOG_NOTICE,
476 "ignoring \"%s\" on line %d", p, lineno++);
477 continue;
478 }
479
480 *(t)++ = '\0';
481
482 p = kore_text_trim(p, strlen(p));
483 t = kore_text_trim(t, strlen(t));
484
485 if (strlen(p) == 0 || strlen(t) == 0) {
486 kore_log(LOG_NOTICE,
487 "ignoring \"%s\" on line %d", p, lineno++);
488 continue;
489 }
490
491 for (i = 0; config_directives[i].name != NULL; i++) {
492 if (!strcmp(config_directives[i].name, p)) {
493 if ((v = configure_resolve_var(t)) == NULL)
494 fatal("variable %s does not exist", t);
495 if (config_directives[i].configure(v))
496 break;
497 fatal("configuration error on line %d", lineno);
498 /* NOTREACHED */
499 }
500 }
501
502 if (config_directives[i].name != NULL) {
503 lineno++;
504 continue;
505 }
506
507 for (i = 0; config_settings[i].name != NULL; i++) {
508 if (!strcmp(config_settings[i].name, p)) {
509 if ((v = configure_resolve_var(t)) == NULL)
510 fatal("variable %s does not exist", t);
511 if (config_settings[i].configure(v))
512 break;
513 fatal("configuration error on line %d", lineno);
514 /* NOTREACHED */
515 }
516 }
517
518 if (config_settings[i].name == NULL) {
519 kore_log(LOG_NOTICE,
520 "ignoring \"%s\" on line %d", p, lineno);
521 }
522
523 lineno++;
524 }
525 }
526
527 #if defined(KORE_USE_PYTHON)
528 int
529 kore_configure_setting(const char *name, char *value)
530 {
531 int i;
532
533 if (finalized)
534 return (KORE_RESULT_ERROR);
535
536 for (i = 0; config_settings[i].name != NULL; i++) {
537 if (!strcmp(config_settings[i].name, name)) {
538 if (config_settings[i].configure(value))
539 return (KORE_RESULT_OK);
540 fatal("bad value '%s' for '%s'", value, name);
541 }
542 }
543
544 kore_log(LOG_NOTICE, "ignoring unknown kore.config.%s setting", name);
545 return (KORE_RESULT_OK);
546 }
547 #endif
548
549 static void
550 configure_check_var(char **var, const char *other, const char *logmsg)
551 {
552 if (*var == NULL) {
553 if (!kore_quiet)
554 kore_log(LOG_NOTICE, "%s", logmsg);
555 *var = kore_strdup(other);
556 }
557 }
558
559 static char *
560 configure_resolve_var(char *var)
561 {
562 char *v;
563
564 if (var[0] == '$') {
565 if ((v = getenv(&var[1])) == NULL)
566 return (NULL);
567 } else {
568 v = var;
569 }
570
571 return (v);
572 }
573
574 static int
575 configure_include(char *path)
576 {
577 FILE *fp;
578
579 if ((fp = fopen(path, "r")) == NULL)
580 fatal("failed to open include '%s'", path);
581
582 kore_parse_config_file(fp);
583 (void)fclose(fp);
584
585 return (KORE_RESULT_OK);
586 }
587
588 static int
589 configure_server(char *options)
590 {
591 struct kore_server *srv;
592 char *argv[3];
593
594 if (current_server != NULL) {
595 kore_log(LOG_ERR, "nested server contexts are not allowed");
596 return (KORE_RESULT_ERROR);
597 }
598
599 kore_split_string(options, " ", argv, 3);
600
601 if (argv[0] == NULL || argv[1] == NULL) {
602 kore_log(LOG_ERR, "server context invalid");
603 return (KORE_RESULT_ERROR);
604 }
605
606 if (strcmp(argv[1], "{")) {
607 kore_log(LOG_ERR, "server context not opened correctly");
608 return (KORE_RESULT_ERROR);
609 }
610
611 if ((srv = kore_server_lookup(argv[0])) != NULL) {
612 kore_log(LOG_ERR, "server with name '%s' exists", srv->name);
613 return (KORE_RESULT_ERROR);
614 }
615
616 current_server = kore_server_create(argv[0]);
617
618 return (KORE_RESULT_OK);
619 }
620
621 static int
622 configure_tls(char *yesno)
623 {
624 if (!kore_tls_supported()) {
625 current_server->tls = 0;
626
627 if (!strcmp(yesno, "yes")) {
628 kore_log(LOG_ERR, "TLS not supported in this build");
629 return (KORE_RESULT_ERROR);
630 }
631
632 return (KORE_RESULT_OK);
633 }
634
635 if (current_server == NULL) {
636 kore_log(LOG_ERR, "tls keyword not inside a server context");
637 return (KORE_RESULT_ERROR);
638 }
639
640 if (!strcmp(yesno, "no")) {
641 current_server->tls = 0;
642 } else if (!strcmp(yesno, "yes")) {
643 current_server->tls = 1;
644 } else {
645 kore_log(LOG_ERR, "invalid '%s' for yes|no tls option", yesno);
646 return (KORE_RESULT_ERROR);
647 }
648
649 return (KORE_RESULT_OK);
650 }
651
652 #if defined(KORE_USE_ACME)
653 static int
654 configure_acme(char *yesno)
655 {
656 if (current_domain == NULL) {
657 kore_log(LOG_ERR, "acme keyword not inside a domain context");
658 return (KORE_RESULT_ERROR);
659 }
660
661 if (strchr(current_domain->domain, '*')) {
662 kore_log(LOG_ERR,
663 "wildcards not supported due to lack of dns-01");
664 return (KORE_RESULT_ERROR);
665 }
666
667 if (!strcmp(yesno, "no")) {
668 current_domain->acme = 0;
669 } else if (!strcmp(yesno, "yes")) {
670 current_domain->acme = 1;
671
672 /* Override keyfile and certfile locations. */
673 kore_free(current_domain->certkey);
674 kore_free(current_domain->certfile);
675
676 kore_acme_get_paths(current_domain->domain,
677 ¤t_domain->certkey, ¤t_domain->certfile);
678 acme_domains++;
679 } else {
680 kore_log(LOG_ERR, "invalid '%s' for yes|no acme option", yesno);
681 return (KORE_RESULT_ERROR);
682 }
683
684 return (KORE_RESULT_OK);
685 }
686
687 static int
688 configure_acme_email(char *email)
689 {
690 kore_free(acme_email);
691 acme_email = kore_strdup(email);
692
693 return (KORE_RESULT_OK);
694 }
695
696 static int
697 configure_acme_provider(char *provider)
698 {
699 kore_free(acme_provider);
700 acme_provider = kore_strdup(provider);
701
702 return (KORE_RESULT_OK);
703 }
704
705 #endif
706
707 static int
708 configure_bind(char *options)
709 {
710 char *argv[4];
711
712 if (current_server == NULL) {
713 kore_log(LOG_ERR, "bind keyword not inside a server context");
714 return (KORE_RESULT_ERROR);
715 }
716
717 kore_split_string(options, " ", argv, 4);
718 if (argv[0] == NULL || argv[1] == NULL)
719 return (KORE_RESULT_ERROR);
720
721 return (kore_server_bind(current_server, argv[0], argv[1], argv[2]));
722 }
723
724 static int
725 configure_bind_unix(char *options)
726 {
727 char *argv[3];
728
729 if (current_server == NULL) {
730 kore_log(LOG_ERR,
731 "bind_unix keyword not inside a server context");
732 return (KORE_RESULT_ERROR);
733 }
734
735 kore_split_string(options, " ", argv, 3);
736 if (argv[0] == NULL)
737 return (KORE_RESULT_ERROR);
738
739 return (kore_server_bind_unix(current_server, argv[0], argv[1]));
740 }
741
742 static int
743 configure_load(char *options)
744 {
745 char *argv[3];
746
747 kore_split_string(options, " ", argv, 3);
748 if (argv[0] == NULL)
749 return (KORE_RESULT_ERROR);
750
751 kore_module_load(argv[0], argv[1], KORE_MODULE_NATIVE);
752 return (KORE_RESULT_OK);
753 }
754
755 #if defined(KORE_SINGLE_BINARY)
756 static FILE *
757 config_file_write(void)
758 {
759 FILE *fp;
760 ssize_t ret;
761 int fd, len;
762 char fpath[MAXPATHLEN];
763
764 len = snprintf(fpath, sizeof(fpath), "%s/%s.XXXXXX", KORE_TMPDIR,
765 __progname);
766 if (len == -1 || (size_t)len >= sizeof(fpath))
767 fatal("failed to create temporary path");
768
769 if ((fd = mkstemp(fpath)) == -1)
770 fatal("mkstemp(%s): %s", fpath, errno_s);
771
772 (void)unlink(fpath);
773
774 for (;;) {
775 ret = write(fd, asset_builtin_kore_conf,
776 asset_len_builtin_kore_conf);
777 if (ret == -1) {
778 if (errno == EINTR)
779 continue;
780 fatal("failed to write temporary config: %s", errno_s);
781 }
782
783 if ((size_t)ret != asset_len_builtin_kore_conf)
784 fatal("failed to write temporary config");
785 break;
786 }
787
788 if ((fp = fdopen(fd, "w+")) == NULL)
789 fatal("fdopen(): %s", errno_s);
790
791 rewind(fp);
792
793 return (fp);
794 }
795 #elif defined(KORE_USE_PYTHON)
796 static int
797 configure_file(char *file)
798 {
799 free(config_file);
800 if ((config_file = strdup(file)) == NULL)
801 fatal("strdup");
802
803 return (KORE_RESULT_OK);
804 }
805 #endif
806
807 static int
808 configure_tls_version(char *version)
809 {
810 int ver;
811
812 if (!strcmp(version, "1.3")) {
813 ver = KORE_TLS_VERSION_1_3;
814 } else if (!strcmp(version, "1.2")) {
815 ver = KORE_TLS_VERSION_1_2;
816 } else if (!strcmp(version, "both")) {
817 ver = KORE_TLS_VERSION_BOTH;
818 } else {
819 kore_log(LOG_ERR,
820 "unknown value for tls_version: %s (use 1.3, 1.2, both)",
821 version);
822 return (KORE_RESULT_ERROR);
823 }
824
825 kore_tls_version_set(ver);
826
827 return (KORE_RESULT_OK);
828 }
829
830 static int
831 configure_tls_cipher(char *cipherlist)
832 {
833 return (kore_tls_ciphersuite_set(cipherlist));
834 }
835
836 static int
837 configure_tls_dhparam(char *path)
838 {
839 return (kore_tls_dh_load(path));
840 }
841
842 static int
843 configure_client_verify_depth(char *value)
844 {
845 int err, depth;
846
847 if (current_domain == NULL) {
848 kore_log(LOG_ERR,
849 "client_verify_depth keyword not in domain context");
850 return (KORE_RESULT_ERROR);
851 }
852
853 depth = kore_strtonum(value, 10, 0, INT_MAX, &err);
854 if (err != KORE_RESULT_OK) {
855 kore_log(LOG_ERR, "bad client_verify_depth value: %s", value);
856 return (KORE_RESULT_ERROR);
857 }
858
859 current_domain->x509_verify_depth = depth;
860
861 return (KORE_RESULT_OK);
862 }
863
864 static int
865 configure_client_verify(char *options)
866 {
867 char *argv[3];
868
869 if (current_domain == NULL) {
870 kore_log(LOG_ERR,
871 "client_verify keyword not in domain context");
872 return (KORE_RESULT_ERROR);
873 }
874
875 kore_split_string(options, " ", argv, 3);
876 if (argv[0] == NULL) {
877 kore_log(LOG_ERR, "client_verify is missing a parameter");
878 return (KORE_RESULT_ERROR);
879 }
880
881 if (current_domain->cafile != NULL) {
882 kore_log(LOG_ERR, "client_verify already set for '%s'",
883 current_domain->domain);
884 return (KORE_RESULT_ERROR);
885 }
886
887 current_domain->cafile = kore_strdup(argv[0]);
888 if (argv[1] != NULL)
889 current_domain->crlfile = kore_strdup(argv[1]);
890
891 return (KORE_RESULT_OK);
892 }
893
894 static int
895 configure_rand_file(char *path)
896 {
897 if (kore_rand_file != NULL)
898 kore_free(kore_rand_file);
899
900 kore_rand_file = kore_strdup(path);
901
902 return (KORE_RESULT_OK);
903 }
904
905 static int
906 configure_certfile(char *path)
907 {
908 if (current_domain == NULL) {
909 kore_log(LOG_ERR,
910 "certfile keyword not specified in domain context");
911 return (KORE_RESULT_ERROR);
912 }
913
914 kore_free(current_domain->certfile);
915 current_domain->certfile = kore_strdup(path);
916 return (KORE_RESULT_OK);
917 }
918
919 static int
920 configure_certkey(char *path)
921 {
922 if (current_domain == NULL) {
923 kore_log(LOG_ERR,
924 "certkey keyword not specified in domain context");
925 return (KORE_RESULT_ERROR);
926 }
927
928 kore_free(current_domain->certkey);
929 current_domain->certkey = kore_strdup(path);
930 return (KORE_RESULT_OK);
931 }
932
933 static int
934 configure_privsep(char *options)
935 {
936 char *argv[3];
937
938 if (current_privsep != NULL) {
939 kore_log(LOG_ERR, "nested privsep contexts are not allowed");
940 return (KORE_RESULT_ERROR);
941 }
942
943 kore_split_string(options, " ", argv, 3);
944
945 if (argv[0] == NULL || argv[1] == NULL) {
946 kore_log(LOG_ERR, "invalid privsep context");
947 return (KORE_RESULT_ERROR);
948 }
949
950 if (strcmp(argv[1], "{")) {
951 kore_log(LOG_ERR, "privsep context not opened correctly");
952 return (KORE_RESULT_ERROR);
953 }
954
955 if (!strcmp(argv[0], "worker")) {
956 current_privsep = &worker_privsep;
957 } else if (!strcmp(argv[0], "keymgr")) {
958 current_privsep = &keymgr_privsep;
959 #if defined(KORE_USE_ACME)
960 } else if (!strcmp(argv[0], "acme")) {
961 current_privsep = &acme_privsep;
962 #endif
963 } else {
964 kore_log(LOG_ERR, "unknown privsep context: %s", argv[0]);
965 return (KORE_RESULT_ERROR);
966 }
967
968 return (KORE_RESULT_OK);
969 }
970
971 static int
972 configure_privsep_runas(char *user)
973 {
974 if (current_privsep == NULL) {
975 kore_log(LOG_ERR, "runas keyword not in privsep context");
976 return (KORE_RESULT_ERROR);
977 }
978
979 if (current_privsep->runas != NULL)
980 kore_free(current_privsep->runas);
981
982 current_privsep->runas = kore_strdup(user);
983
984 return (KORE_RESULT_OK);
985 }
986
987 static int
988 configure_privsep_root(char *root)
989 {
990 if (current_privsep == NULL) {
991 kore_log(LOG_ERR, "root keyword not in privsep context");
992 return (KORE_RESULT_ERROR);
993 }
994
995 if (current_privsep->root != NULL)
996 kore_free(current_privsep->root);
997
998 current_privsep->root = kore_strdup(root);
999
1000 return (KORE_RESULT_OK);
1001 }
1002
1003 static int
1004 configure_privsep_skip(char *option)
1005 {
1006 if (current_privsep == NULL) {
1007 kore_log(LOG_ERR, "skip keyword not in privsep context");
1008 return (KORE_RESULT_ERROR);
1009 }
1010
1011 if (!strcmp(option, "chroot")) {
1012 current_privsep->skip_chroot = 1;
1013 } else {
1014 kore_log(LOG_ERR, "unknown skip option '%s'", option);
1015 return (KORE_RESULT_ERROR);
1016 }
1017
1018 return (KORE_RESULT_OK);
1019 }
1020
1021 static int
1022 configure_domain(char *options)
1023 {
1024 char *argv[3];
1025
1026 if (current_domain != NULL) {
1027 kore_log(LOG_ERR, "nested domain contexts are not allowed");
1028 return (KORE_RESULT_ERROR);
1029 }
1030
1031 kore_split_string(options, " ", argv, 3);
1032
1033 if (argv[0] == NULL || argv[1] == NULL) {
1034 kore_log(LOG_ERR, "invalid domain context");
1035 return (KORE_RESULT_ERROR);
1036 }
1037
1038 if (strcmp(argv[1], "{")) {
1039 kore_log(LOG_ERR, "domain context not opened correctly");
1040 return (KORE_RESULT_ERROR);
1041 }
1042
1043 if (strlen(argv[0]) >= KORE_DOMAINNAME_LEN - 1) {
1044 kore_log(LOG_ERR, "domain name '%s' too long", argv[0]);
1045 return (KORE_RESULT_ERROR);
1046 }
1047
1048 current_domain = kore_domain_new(argv[0]);
1049
1050 return (KORE_RESULT_OK);
1051 }
1052
1053 static int
1054 configure_attach(char *name)
1055 {
1056 struct kore_server *srv;
1057
1058 if (current_domain == NULL) {
1059 kore_log(LOG_ERR, "attach keyword not in domain context");
1060 return (KORE_RESULT_ERROR);
1061 }
1062
1063 if (current_domain->server != NULL) {
1064 kore_log(LOG_ERR, "domain '%s' already attached to server",
1065 current_domain->domain);
1066 return (KORE_RESULT_ERROR);
1067 }
1068
1069 if ((srv = kore_server_lookup(name)) == NULL) {
1070 kore_log(LOG_ERR, "server '%s' does not exist", name);
1071 return (KORE_RESULT_ERROR);
1072 }
1073
1074 if (!kore_domain_attach(current_domain, srv)) {
1075 kore_log(LOG_ERR, "failed to attach '%s' to '%s'",
1076 current_domain->domain, name);
1077 return (KORE_RESULT_ERROR);
1078 }
1079
1080 return (KORE_RESULT_OK);
1081 }
1082
1083 #if !defined(KORE_NO_HTTP)
1084 static int
1085 configure_static_handler(char *options)
1086 {
1087 kore_log(LOG_NOTICE, "static keyword removed, use route instead");
1088 return (KORE_RESULT_ERROR);
1089 }
1090
1091 static int
1092 configure_dynamic_handler(char *options)
1093 {
1094 kore_log(LOG_NOTICE, "dynamic keyword removed, use route instead");
1095 return (KORE_RESULT_ERROR);
1096 }
1097
1098 static int
1099 configure_route(char *options)
1100 {
1101 struct kore_route *rt;
1102 int type;
1103 char *argv[4];
1104
1105 if (current_domain == NULL) {
1106 kore_log(LOG_ERR, "route keyword not in domain context");
1107 return (KORE_RESULT_ERROR);
1108 }
1109
1110 if (current_route != NULL) {
1111 kore_log(LOG_ERR, "nested route contexts not allowed");
1112 return (KORE_RESULT_ERROR);
1113 }
1114
1115 kore_split_string(options, " ", argv, 4);
1116
1117 if (argv[1] == NULL || strcmp(argv[1], "{")) {
1118 kore_log(LOG_ERR, "invalid route context");
1119 return (KORE_RESULT_ERROR);
1120 }
1121
1122 if (*argv[0] == '/')
1123 type = HANDLER_TYPE_STATIC;
1124 else
1125 type = HANDLER_TYPE_DYNAMIC;
1126
1127 if ((rt = kore_route_create(current_domain, argv[0], type)) == NULL) {
1128 kore_log(LOG_ERR,
1129 "failed to create route handler for '%s'", argv[0]);
1130 return (KORE_RESULT_ERROR);
1131 }
1132
1133 current_route = rt;
1134
1135 return (KORE_RESULT_OK);
1136 }
1137
1138 static int
1139 configure_route_handler(char *name)
1140 {
1141 if (current_route == NULL) {
1142 kore_log(LOG_ERR,
1143 "handler keyword not inside of route context");
1144 return (KORE_RESULT_ERROR);
1145 }
1146
1147 kore_route_callback(current_route, name);
1148
1149 return (KORE_RESULT_OK);
1150 }
1151
1152 static int
1153 configure_route_on_headers(char *name)
1154 {
1155 if (current_route == NULL) {
1156 kore_log(LOG_ERR,
1157 "on_header keyword not inside of route context");
1158 return (KORE_RESULT_ERROR);
1159 }
1160
1161 if ((current_route->on_headers = kore_runtime_getcall(name)) == NULL) {
1162 kore_log(LOG_ERR, "on_headers callback '%s' for '%s' not found",
1163 name, current_route->path);
1164 return (KORE_RESULT_ERROR);
1165 }
1166
1167 return (KORE_RESULT_OK);
1168 }
1169
1170 static int
1171 configure_route_on_body_chunk(char *name)
1172 {
1173 if (current_route == NULL) {
1174 kore_log(LOG_ERR,
1175 "on_body_chunk keyword not inside of route context");
1176 return (KORE_RESULT_ERROR);
1177 }
1178
1179 current_route->on_body_chunk = kore_runtime_getcall(name);
1180 if (current_route->on_body_chunk == NULL) {
1181 kore_log(LOG_ERR,
1182 "on_body_chunk callback '%s' for '%s' not found",
1183 name, current_route->path);
1184 return (KORE_RESULT_ERROR);
1185 }
1186
1187 return (KORE_RESULT_OK);
1188 }
1189
1190 static int
1191 configure_route_on_free(char *name)
1192 {
1193 if (current_route == NULL) {
1194 kore_log(LOG_ERR,
1195 "on_free keyword not inside of route context");
1196 return (KORE_RESULT_ERROR);
1197 }
1198
1199 if ((current_route->on_free = kore_runtime_getcall(name)) == NULL) {
1200 kore_log(LOG_ERR, "on_free callback '%s' for '%s' not found",
1201 name, current_route->path);
1202 return (KORE_RESULT_ERROR);
1203 }
1204
1205 return (KORE_RESULT_OK);
1206 }
1207
1208 static int
1209 configure_route_authenticate(char *name)
1210 {
1211 if (current_route == NULL) {
1212 kore_log(LOG_ERR,
1213 "authenticate keyword not inside of route context");
1214 return (KORE_RESULT_ERROR);
1215 }
1216
1217 current_route->auth = kore_auth_lookup(name);
1218
1219 if (current_route->auth == NULL) {
1220 kore_log(LOG_ERR, "no such authentication '%s' for '%s' found",
1221 name, current_route->path);
1222 return (KORE_RESULT_ERROR);
1223 }
1224
1225 return (KORE_RESULT_OK);
1226 }
1227
1228 static int
1229 configure_route_methods(char *options)
1230 {
1231 int i, cnt;
1232 char *argv[10];
1233
1234 if (current_route == NULL) {
1235 kore_log(LOG_ERR,
1236 "methods keyword not inside of route context");
1237 return (KORE_RESULT_ERROR);
1238 }
1239
1240 cnt = kore_split_string(options, " ", argv, 10);
1241 if (cnt < 1) {
1242 kore_log(LOG_ERR,
1243 "bad methods option '%s', missing methods", options);
1244 return (KORE_RESULT_ERROR);
1245 }
1246
1247 current_route->methods = 0;
1248
1249 for (i = 0; i < cnt; i++) {
1250 if (!strcasecmp(argv[i], "post")) {
1251 current_route->methods |= HTTP_METHOD_POST;
1252 } else if (!strcasecmp(argv[i], "get")) {
1253 current_route->methods |= HTTP_METHOD_GET;
1254 } else if (!strcasecmp(argv[i], "put")) {
1255 current_route->methods |= HTTP_METHOD_PUT;
1256 } else if (!strcasecmp(argv[i], "delete")) {
1257 current_route->methods |= HTTP_METHOD_DELETE;
1258 } else if (!strcasecmp(argv[i], "head")) {
1259 current_route->methods |= HTTP_METHOD_HEAD;
1260 } else if (!strcasecmp(argv[i], "patch")) {
1261 current_route->methods |= HTTP_METHOD_PATCH;
1262 } else {
1263 kore_log(LOG_ERR, "unknown method: %s in method for %s",
1264 argv[i], current_route->path);
1265 return (KORE_RESULT_ERROR);
1266 }
1267 }
1268
1269 return (KORE_RESULT_OK);
1270 }
1271
1272 static int
1273 configure_return(char *options)
1274 {
1275 char *argv[3];
1276 int elm, status, err;
1277
1278 if (current_domain == NULL) {
1279 kore_log(LOG_ERR, "return keyword not in domain context");
1280 return (KORE_RESULT_ERROR);
1281 }
1282
1283 elm = kore_split_string(options, " ", argv, 3);
1284 if (elm != 2) {
1285 kore_log(LOG_ERR, "missing parameters for return");
1286 return (KORE_RESULT_ERROR);
1287 }
1288
1289 status = kore_strtonum(argv[1], 10, 400, 600, &err);
1290 if (err != KORE_RESULT_OK) {
1291 kore_log(LOG_ERR,
1292 "invalid status code on return (%s)", argv[1]);
1293 return (KORE_RESULT_ERROR);
1294 }
1295
1296 if (!http_redirect_add(current_domain, argv[0], status, NULL)) {
1297 kore_log(LOG_ERR, "invalid regex on return path");
1298 return (KORE_RESULT_ERROR);
1299 }
1300
1301 return (KORE_RESULT_OK);
1302 }
1303
1304 static int
1305 configure_redirect(char *options)
1306 {
1307 char *argv[4];
1308 int elm, status, err;
1309
1310 if (current_domain == NULL) {
1311 kore_log(LOG_ERR, "redirect keyword not in domain context");
1312 return (KORE_RESULT_ERROR);
1313 }
1314
1315 elm = kore_split_string(options, " ", argv, 4);
1316 if (elm != 3) {
1317 kore_log(LOG_ERR, "missing parameters for redirect");
1318 return (KORE_RESULT_ERROR);
1319 }
1320
1321 status = kore_strtonum(argv[1], 10, 300, 399, &err);
1322 if (err != KORE_RESULT_OK) {
1323 kore_log(LOG_ERR,
1324 "invalid status code on redirect (%s)", argv[1]);
1325 return (KORE_RESULT_ERROR);
1326 }
1327
1328 if (!http_redirect_add(current_domain, argv[0], status, argv[2])) {
1329 kore_log(LOG_ERR, "invalid regex on redirect path");
1330 return (KORE_RESULT_ERROR);
1331 }
1332
1333 return (KORE_RESULT_OK);
1334 }
1335
1336 static int
1337 configure_filemap(char *options)
1338 {
1339 char *argv[4];
1340
1341 if (current_domain == NULL) {
1342 kore_log(LOG_ERR, "filemap keyword not in domain context");
1343 return (KORE_RESULT_ERROR);
1344 }
1345
1346 kore_split_string(options, " ", argv, 4);
1347
1348 if (argv[0] == NULL || argv[1] == NULL) {
1349 kore_log(LOG_ERR, "missing parameters for filemap");
1350 return (KORE_RESULT_ERROR);
1351 }
1352
1353 if (kore_filemap_create(current_domain,
1354 argv[1], argv[0], argv[2]) == NULL) {
1355 kore_log(LOG_ERR, "cannot create filemap for %s", argv[1]);
1356 return (KORE_RESULT_ERROR);
1357 }
1358
1359 return (KORE_RESULT_OK);
1360 }
1361
1362 static int
1363 configure_accesslog(char *path)
1364 {
1365 if (current_domain == NULL) {
1366 kore_log(LOG_ERR, "accesslog not specified in domain context");
1367 return (KORE_RESULT_ERROR);
1368 }
1369
1370 if (current_domain->accesslog != -1) {
1371 kore_log(LOG_ERR, "domain '%s' already has an open accesslog",
1372 current_domain->domain);
1373 return (KORE_RESULT_ERROR);
1374 }
1375
1376 current_domain->accesslog = open(path,
1377 O_CREAT | O_APPEND | O_WRONLY,
1378 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
1379 if (current_domain->accesslog == -1) {
1380 kore_log(LOG_ERR, "accesslog open(%s): %s", path, errno_s);
1381 return (KORE_RESULT_ERROR);
1382 }
1383
1384 return (KORE_RESULT_OK);
1385 }
1386
1387 static int
1388 configure_filemap_ext(char *ext)
1389 {
1390 kore_free(kore_filemap_ext);
1391 kore_filemap_ext = kore_strdup(ext);
1392
1393 return (KORE_RESULT_OK);
1394 }
1395
1396 static int
1397 configure_filemap_index(char *index)
1398 {
1399 kore_free(kore_filemap_index);
1400 kore_filemap_index = kore_strdup(index);
1401
1402 return (KORE_RESULT_OK);
1403 }
1404
1405 static int
1406 configure_http_media_type(char *type)
1407 {
1408 int i;
1409 char *extensions, *ext[10];
1410
1411 extensions = strchr(type, ' ');
1412 if (extensions == NULL) {
1413 kore_log(LOG_ERR, "bad http_media_type value '%s'", type);
1414 return (KORE_RESULT_ERROR);
1415 }
1416
1417 *(extensions)++ = '\0';
1418
1419 kore_split_string(extensions, " \t", ext, 10);
1420 for (i = 0; ext[i] != NULL; i++) {
1421 if (!http_media_register(ext[i], type)) {
1422 kore_log(LOG_ERR,
1423 "duplicate extension found '%s'", ext[i]);
1424 return (KORE_RESULT_ERROR);
1425 }
1426 }
1427
1428 if (i == 0) {
1429 kore_log(LOG_ERR, "missing extensions in '%s'", type);
1430 return (KORE_RESULT_ERROR);
1431 }
1432
1433 return (KORE_RESULT_OK);
1434 }
1435
1436 static int
1437 configure_http_header_max(char *option)
1438 {
1439 int err;
1440
1441 http_header_max = kore_strtonum(option, 10, 1, 65535, &err);
1442 if (err != KORE_RESULT_OK) {
1443 kore_log(LOG_ERR, "bad http_header_max value '%s'", option);
1444 return (KORE_RESULT_ERROR);
1445 }
1446
1447 return (KORE_RESULT_OK);
1448 }
1449
1450 static int
1451 configure_http_header_timeout(char *option)
1452 {
1453 int err;
1454
1455 http_header_timeout = kore_strtonum(option, 10, 1, 65535, &err);
1456 if (err != KORE_RESULT_OK) {
1457 kore_log(LOG_ERR, "bad http_header_timeout value '%s'", option);
1458 return (KORE_RESULT_ERROR);
1459 }
1460
1461 return (KORE_RESULT_OK);
1462 }
1463
1464 static int
1465 configure_http_body_max(char *option)
1466 {
1467 int err;
1468
1469 http_body_max = kore_strtonum(option, 10, 0, LONG_MAX, &err);
1470 if (err != KORE_RESULT_OK) {
1471 kore_log(LOG_ERR, "bad http_body_max value '%s'", option);
1472 return (KORE_RESULT_ERROR);
1473 }
1474
1475 return (KORE_RESULT_OK);
1476 }
1477
1478 static int
1479 configure_http_body_timeout(char *option)
1480 {
1481 int err;
1482
1483 http_body_timeout = kore_strtonum(option, 10, 1, 65535, &err);
1484 if (err != KORE_RESULT_OK) {
1485 kore_log(LOG_ERR, "bad http_body_timeout value '%s'", option);
1486 return (KORE_RESULT_ERROR);
1487 }
1488
1489 return (KORE_RESULT_OK);
1490 }
1491
1492 static int
1493 configure_http_body_disk_offload(char *option)
1494 {
1495 int err;
1496
1497 http_body_disk_offload = kore_strtonum(option, 10, 0, LONG_MAX, &err);
1498 if (err != KORE_RESULT_OK) {
1499 kore_log(LOG_ERR,
1500 "bad http_body_disk_offload value '%s'", option);
1501 return (KORE_RESULT_ERROR);
1502 }
1503
1504 return (KORE_RESULT_OK);
1505 }
1506
1507 static int
1508 configure_http_body_disk_path(char *path)
1509 {
1510 if (strcmp(http_body_disk_path, HTTP_BODY_DISK_PATH))
1511 kore_free(http_body_disk_path);
1512
1513 http_body_disk_path = kore_strdup(path);
1514 return (KORE_RESULT_OK);
1515 }
1516
1517 static int
1518 configure_http_server_version(char *version)
1519 {
1520 http_server_version(version);
1521
1522 return (KORE_RESULT_OK);
1523 }
1524
1525 static int
1526 configure_http_pretty_error(char *yesno)
1527 {
1528 if (!strcmp(yesno, "no")) {
1529 http_pretty_error = 0;
1530 } else if (!strcmp(yesno, "yes")) {
1531 http_pretty_error = 1;
1532 } else {
1533 kore_log(LOG_ERR,
1534 "invalid '%s' for yes|no http_pretty_error option", yesno);
1535 return (KORE_RESULT_ERROR);
1536 }
1537
1538 return (KORE_RESULT_OK);
1539 }
1540
1541 static int
1542 configure_http_hsts_enable(char *option)
1543 {
1544 int err;
1545
1546 http_hsts_enable = kore_strtonum(option, 10, 0, LONG_MAX, &err);
1547 if (err != KORE_RESULT_OK) {
1548 kore_log(LOG_ERR, "bad http_hsts_enable value '%s'", option);
1549 return (KORE_RESULT_ERROR);
1550 }
1551
1552 return (KORE_RESULT_OK);
1553 }
1554
1555 static int
1556 configure_http_keepalive_time(char *option)
1557 {
1558 int err;
1559
1560 http_keepalive_time = kore_strtonum(option, 10, 0, USHRT_MAX, &err);
1561 if (err != KORE_RESULT_OK) {
1562 kore_log(LOG_ERR,
1563 "bad http_keepalive_time value '%s'", option);
1564 return (KORE_RESULT_ERROR);
1565 }
1566
1567 return (KORE_RESULT_OK);
1568 }
1569
1570 static int
1571 configure_http_request_ms(char *option)
1572 {
1573 int err;
1574
1575 http_request_ms = kore_strtonum(option, 10, 0, UINT_MAX, &err);
1576 if (err != KORE_RESULT_OK) {
1577 kore_log(LOG_ERR, "bad http_request_ms value '%s'", option);
1578 return (KORE_RESULT_ERROR);
1579 }
1580
1581 return (KORE_RESULT_OK);
1582 }
1583
1584 static int
1585 configure_http_request_limit(char *option)
1586 {
1587 int err;
1588
1589 http_request_limit = kore_strtonum(option, 10, 0, UINT_MAX, &err);
1590 if (err != KORE_RESULT_OK) {
1591 kore_log(LOG_ERR, "bad http_request_limit value '%s'", option);
1592 return (KORE_RESULT_ERROR);
1593 }
1594
1595 return (KORE_RESULT_OK);
1596 }
1597
1598 static int
1599 configure_validator(char *name)
1600 {
1601 u_int8_t type;
1602 char *tname, *value;
1603
1604 if ((tname = strchr(name, ' ')) == NULL) {
1605 kore_log(LOG_ERR, "missing validator name");
1606 return (KORE_RESULT_ERROR);
1607 }
1608
1609 *(tname)++ = '\0';
1610 tname = kore_text_trim(tname, strlen(tname));
1611 if ((value = strchr(tname, ' ')) == NULL) {
1612 kore_log(LOG_ERR, "missing validator value");
1613 return (KORE_RESULT_ERROR);
1614 }
1615
1616 *(value)++ = '\0';
1617 value = kore_text_trim(value, strlen(value));
1618
1619 if (!strcmp(tname, "regex")) {
1620 type = KORE_VALIDATOR_TYPE_REGEX;
1621 } else if (!strcmp(tname, "function")) {
1622 type = KORE_VALIDATOR_TYPE_FUNCTION;
1623 } else {
1624 kore_log(LOG_ERR,
1625 "bad type '%s' for validator '%s'", tname, name);
1626 return (KORE_RESULT_ERROR);
1627 }
1628
1629 if (!kore_validator_add(name, type, value)) {
1630 kore_log(LOG_ERR, "bad validator specified for '%s'", name);
1631 return (KORE_RESULT_ERROR);
1632 }
1633
1634 return (KORE_RESULT_OK);
1635 }
1636
1637 static int
1638 configure_validate(char *options)
1639 {
1640 struct kore_validator *val;
1641 struct kore_route_params *param;
1642 char *method, *argv[4];
1643 int flags, http_method;
1644
1645 if (kore_split_string(options, " ", argv, 4) != 3) {
1646 kore_log(LOG_ERR,
1647 "validate keyword needs 3 args: method param validator");
1648 return (KORE_RESULT_ERROR);
1649 }
1650
1651 flags = 0;
1652
1653 if ((method = strchr(argv[0], ':')) != NULL) {
1654 *(method)++ = '\0';
1655 if (!strcasecmp(argv[0], "qs")) {
1656 flags = KORE_PARAMS_QUERY_STRING;
1657 } else {
1658 kore_log(LOG_ERR,
1659 "unknown validate method prefix '%s' for '%s'",
1660 argv[0], current_route->path);
1661 return (KORE_RESULT_ERROR);
1662 }
1663 } else {
1664 method = argv[0];
1665 }
1666
1667 if ((val = kore_validator_lookup(argv[2])) == NULL) {
1668 kore_log(LOG_ERR, "unknown validator '%s'", argv[2]);
1669 return (KORE_RESULT_ERROR);
1670 }
1671
1672 if (!strcasecmp(method, "post")) {
1673 http_method = HTTP_METHOD_POST;
1674 } else if (!strcasecmp(method, "get")) {
1675 http_method = HTTP_METHOD_GET;
1676 /* Let params get /foo {} imply qs:get automatically. */
1677 flags |= KORE_PARAMS_QUERY_STRING;
1678 } else if (!strcasecmp(method, "put")) {
1679 http_method = HTTP_METHOD_PUT;
1680 } else if (!strcasecmp(method, "delete")) {
1681 http_method = HTTP_METHOD_DELETE;
1682 } else if (!strcasecmp(method, "head")) {
1683 http_method = HTTP_METHOD_HEAD;
1684 } else if (!strcasecmp(method, "patch")) {
1685 http_method = HTTP_METHOD_PATCH;
1686 } else {
1687 kore_log(LOG_ERR, "unknown method: %s in validator for %s",
1688 method, current_route->path);
1689 return (KORE_RESULT_ERROR);
1690 }
1691
1692 if (!(current_route->methods & http_method)) {
1693 kore_log(LOG_ERR, "method '%s' not enabled for route '%s'",
1694 method, current_route->path);
1695 return (KORE_RESULT_ERROR);
1696 }
1697
1698 param = kore_calloc(1, sizeof(*param));
1699
1700 param->flags = flags;
1701 param->validator = val;
1702 param->method = http_method;
1703 param->name = kore_strdup(argv[1]);
1704
1705 TAILQ_INSERT_TAIL(¤t_route->params, param, list);
1706
1707 return (KORE_RESULT_OK);
1708 }
1709
1710 static int
1711 configure_authentication(char *options)
1712 {
1713 char *argv[3];
1714
1715 if (current_auth != NULL) {
1716 kore_log(LOG_ERR, "previous authentication block not closed");
1717 return (KORE_RESULT_ERROR);
1718 }
1719
1720 kore_split_string(options, " ", argv, 3);
1721 if (argv[1] == NULL) {
1722 kore_log(LOG_ERR, "missing name for authentication block");
1723 return (KORE_RESULT_ERROR);
1724 }
1725
1726 if (strcmp(argv[1], "{")) {
1727 kore_log(LOG_ERR, "missing { for authentication block");
1728 return (KORE_RESULT_ERROR);
1729 }
1730
1731 if (!kore_auth_new(argv[0]))
1732 return (KORE_RESULT_ERROR);
1733
1734 current_auth = kore_auth_lookup(argv[0]);
1735
1736 return (KORE_RESULT_OK);
1737 }
1738
1739 static int
1740 configure_authentication_type(char *option)
1741 {
1742 if (current_auth == NULL) {
1743 kore_log(LOG_ERR,
1744 "authentication_type keyword not in correct context");
1745 return (KORE_RESULT_ERROR);
1746 }
1747
1748 if (!strcmp(option, "cookie")) {
1749 current_auth->type = KORE_AUTH_TYPE_COOKIE;
1750 } else if (!strcmp(option, "header")) {
1751 current_auth->type = KORE_AUTH_TYPE_HEADER;
1752 } else if (!strcmp(option, "request")) {
1753 current_auth->type = KORE_AUTH_TYPE_REQUEST;
1754 } else {
1755 kore_log(LOG_ERR, "unknown authentication type '%s'", option);
1756 return (KORE_RESULT_ERROR);
1757 }
1758
1759 return (KORE_RESULT_OK);
1760 }
1761
1762 static int
1763 configure_authentication_value(char *option)
1764 {
1765 if (current_auth == NULL) {
1766 kore_log(LOG_ERR,
1767 "authentication_value keyword not in correct context");
1768 return (KORE_RESULT_ERROR);
1769 }
1770
1771 if (current_auth->value != NULL)
1772 kore_free(current_auth->value);
1773 current_auth->value = kore_strdup(option);
1774
1775 return (KORE_RESULT_OK);
1776 }
1777
1778 static int
1779 configure_authentication_validator(char *validator)
1780 {
1781 struct kore_validator *val;
1782
1783 if (current_auth == NULL) {
1784 kore_log(LOG_ERR,
1785 "authentication_validator not in correct context");
1786 return (KORE_RESULT_ERROR);
1787 }
1788
1789 if ((val = kore_validator_lookup(validator)) == NULL) {
1790 kore_log(LOG_ERR,
1791 "authentication validator '%s' not found", validator);
1792 return (KORE_RESULT_ERROR);
1793 }
1794
1795 current_auth->validator = val;
1796
1797 return (KORE_RESULT_OK);
1798 }
1799
1800 static int
1801 configure_authentication_uri(char *uri)
1802 {
1803 if (current_auth == NULL) {
1804 kore_log(LOG_ERR,
1805 "authentication_uri keyword not in correct context");
1806 return (KORE_RESULT_ERROR);
1807 }
1808
1809 if (current_auth->redirect != NULL)
1810 kore_free(current_auth->redirect);
1811 current_auth->redirect = kore_strdup(uri);
1812
1813 return (KORE_RESULT_OK);
1814 }
1815
1816 static int
1817 configure_websocket_maxframe(char *option)
1818 {
1819 int err;
1820
1821 kore_websocket_maxframe = kore_strtonum64(option, 1, &err);
1822 if (err != KORE_RESULT_OK) {
1823 kore_log(LOG_ERR,
1824 "bad kore_websocket_maxframe value '%s'", option);
1825 return (KORE_RESULT_ERROR);
1826 }
1827
1828 return (KORE_RESULT_OK);
1829 }
1830
1831 static int
1832 configure_websocket_timeout(char *option)
1833 {
1834 int err;
1835
1836 kore_websocket_timeout = kore_strtonum64(option, 1, &err);
1837 if (err != KORE_RESULT_OK) {
1838 kore_log(LOG_ERR,
1839 "bad kore_websocket_timeout value '%s'", option);
1840 return (KORE_RESULT_ERROR);
1841 }
1842
1843 kore_websocket_timeout = kore_websocket_timeout * 1000;
1844
1845 return (KORE_RESULT_OK);
1846 }
1847
1848 #endif /* !KORE_NO_HTTP */
1849
1850 static int
1851 configure_logfile(char *path)
1852 {
1853 kore_log_file(path);
1854 return (KORE_RESULT_OK);
1855 }
1856
1857 static int
1858 configure_workers(char *option)
1859 {
1860 int err;
1861
1862 worker_count = kore_strtonum(option, 10, 1, KORE_WORKER_MAX, &err);
1863 if (err != KORE_RESULT_OK) {
1864 kore_log(LOG_ERR, "bad value for worker '%s'", option);
1865 return (KORE_RESULT_ERROR);
1866 }
1867
1868 return (KORE_RESULT_OK);
1869 }
1870
1871 static int
1872 configure_pidfile(char *path)
1873 {
1874 if (strcmp(kore_pidfile, KORE_PIDFILE_DEFAULT))
1875 kore_free(kore_pidfile);
1876 kore_pidfile = kore_strdup(path);
1877
1878 return (KORE_RESULT_OK);
1879 }
1880
1881 static int
1882 configure_max_connections(char *option)
1883 {
1884 int err;
1885
1886 worker_max_connections = kore_strtonum(option, 10, 1, UINT_MAX, &err);
1887 if (err != KORE_RESULT_OK) {
1888 kore_log(LOG_ERR,
1889 "bad value for worker_max_connections '%s'", option);
1890 return (KORE_RESULT_ERROR);
1891 }
1892
1893 return (KORE_RESULT_OK);
1894 }
1895
1896 static int
1897 configure_rlimit_nofiles(char *option)
1898 {
1899 int err;
1900
1901 worker_rlimit_nofiles = kore_strtonum(option, 10, 1, UINT_MAX, &err);
1902 if (err != KORE_RESULT_OK) {
1903 kore_log(LOG_ERR,
1904 "bad value for worker_rlimit_nofiles '%s'", option);
1905 return (KORE_RESULT_ERROR);
1906 }
1907
1908 return (KORE_RESULT_OK);
1909 }
1910
1911 static int
1912 configure_accept_threshold(char *option)
1913 {
1914 int err;
1915
1916 worker_accept_threshold = kore_strtonum(option, 0, 1, UINT_MAX, &err);
1917 if (err != KORE_RESULT_OK) {
1918 kore_log(LOG_ERR,
1919 "bad value for worker_accept_threshold '%s'\n", option);
1920 return (KORE_RESULT_ERROR);
1921 }
1922
1923 return (KORE_RESULT_OK);
1924 }
1925
1926 static int
1927 configure_death_policy(char *option)
1928 {
1929 if (!strcmp(option, "restart")) {
1930 worker_policy = KORE_WORKER_POLICY_RESTART;
1931 } else if (!strcmp(option, "terminate")) {
1932 worker_policy = KORE_WORKER_POLICY_TERMINATE;
1933 } else {
1934 kore_log(LOG_ERR,
1935 "bad value for worker_death_policy '%s'\n", option);
1936 return (KORE_RESULT_ERROR);
1937 }
1938
1939 return (KORE_RESULT_OK);
1940 }
1941
1942 static int
1943 configure_set_affinity(char *option)
1944 {
1945 int err;
1946
1947 worker_set_affinity = kore_strtonum(option, 10, 0, 1, &err);
1948 if (err != KORE_RESULT_OK) {
1949 kore_log(LOG_ERR,
1950 "bad value for worker_set_affinity '%s'", option);
1951 return (KORE_RESULT_ERROR);
1952 }
1953
1954 return (KORE_RESULT_OK);
1955 }
1956
1957 static int
1958 configure_socket_backlog(char *option)
1959 {
1960 int err;
1961
1962 kore_socket_backlog = kore_strtonum(option, 10, 0, UINT_MAX, &err);
1963 if (err != KORE_RESULT_OK) {
1964 kore_log(LOG_ERR, "bad socket_backlog value: '%s'", option);
1965 return (KORE_RESULT_ERROR);
1966 }
1967
1968 return (KORE_RESULT_OK);
1969 }
1970
1971 #if defined(KORE_USE_PGSQL)
1972 static int
1973 configure_pgsql_conn_max(char *option)
1974 {
1975 int err;
1976
1977 pgsql_conn_max = kore_strtonum(option, 10, 0, USHRT_MAX, &err);
1978 if (err != KORE_RESULT_OK) {
1979 kore_log(LOG_ERR, "bad value for pgsql_conn_max '%s'", option);
1980 return (KORE_RESULT_ERROR);
1981 }
1982
1983 return (KORE_RESULT_OK);
1984 }
1985
1986 static int
1987 configure_pgsql_queue_limit(char *option)
1988 {
1989 int err;
1990
1991 pgsql_queue_limit = kore_strtonum(option, 10, 0, UINT_MAX, &err);
1992 if (err != KORE_RESULT_OK) {
1993 kore_log(LOG_ERR,
1994 "bad value for pgsql_queue_limit '%s'", option);
1995 return (KORE_RESULT_ERROR);
1996 }
1997
1998 return (KORE_RESULT_OK);
1999 }
2000 #endif
2001
2002 #if defined(KORE_USE_TASKS)
2003 static int
2004 configure_task_threads(char *option)
2005 {
2006 int err;
2007
2008 kore_task_threads = kore_strtonum(option, 10, 0, UCHAR_MAX, &err);
2009 if (err != KORE_RESULT_OK) {
2010 kore_log(LOG_ERR, "bad value for task_threads: '%s'", option);
2011 return (KORE_RESULT_ERROR);
2012 }
2013
2014 return (KORE_RESULT_OK);
2015 }
2016 #endif
2017
2018 #if defined(KORE_USE_PYTHON)
2019 static int
2020 configure_deployment(char *value)
2021 {
2022 if (!strcmp(value, "docker")) {
2023 kore_foreground = 1;
2024 skip_runas = 0;
2025 skip_chroot = 0;
2026 } else if (!strcmp(value, "dev") || !strcmp(value, "development")) {
2027 kore_foreground = 1;
2028 skip_runas = 1;
2029 skip_chroot = 1;
2030 } else if (!strcmp(value, "production")) {
2031 kore_foreground = 0;
2032 skip_runas = 0;
2033 skip_chroot = 0;
2034 } else {
2035 kore_log(LOG_NOTICE,
2036 "kore.config.deployment: bad value '%s'", value);
2037 return (KORE_RESULT_ERROR);
2038 }
2039
2040 return (KORE_RESULT_OK);
2041 }
2042
2043 static int
2044 configure_python_path(char *path)
2045 {
2046 kore_python_path(path);
2047
2048 return (KORE_RESULT_OK);
2049 }
2050
2051 static int
2052 configure_python_import(char *module)
2053 {
2054 char *argv[3];
2055
2056 kore_split_string(module, " ", argv, 3);
2057 if (argv[0] == NULL)
2058 return (KORE_RESULT_ERROR);
2059
2060 kore_module_load(argv[0], argv[1], KORE_MODULE_PYTHON);
2061 return (KORE_RESULT_OK);
2062 }
2063 #endif
2064
2065 #if defined(KORE_USE_PLATFORM_PLEDGE)
2066 static int
2067 configure_add_pledge(char *pledge)
2068 {
2069 kore_platform_add_pledge(pledge);
2070
2071 return (KORE_RESULT_OK);
2072 }
2073 #endif
2074
2075 #if defined(KORE_USE_CURL)
2076 static int
2077 configure_curl_recv_max(char *option)
2078 {
2079 int err;
2080
2081 kore_curl_recv_max = kore_strtonum64(option, 1, &err);
2082 if (err != KORE_RESULT_OK) {
2083 kore_log(LOG_ERR, "bad curl_recv_max value '%s'\n", option);
2084 return (KORE_RESULT_ERROR);
2085 }
2086
2087 return (KORE_RESULT_OK);
2088 }
2089
2090 static int
2091 configure_curl_timeout(char *option)
2092 {
2093 int err;
2094
2095 kore_curl_timeout = kore_strtonum(option, 10, 0, USHRT_MAX, &err);
2096 if (err != KORE_RESULT_OK) {
2097 kore_log(LOG_ERR, "bad kore_curl_timeout value: '%s'", option);
2098 return (KORE_RESULT_ERROR);
2099 }
2100
2101 return (KORE_RESULT_OK);
2102 }
2103 #endif
2104
2105 #if defined(__linux__)
2106 static int
2107 configure_seccomp_tracing(char *opt)
2108 {
2109 if (!strcmp(opt, "yes")) {
2110 kore_seccomp_tracing = 1;
2111 } else if (!strcmp(opt, "no")) {
2112 kore_seccomp_tracing = 0;
2113 } else {
2114 kore_log(LOG_ERR,
2115 "bad seccomp_tracing value '%s' (expected yes|no)\n", opt);
2116 return (KORE_RESULT_ERROR);
2117 }
2118
2119 return (KORE_RESULT_OK);
2120 }
2121 #endif