From 00648c9940d779a9b164d9e5f16c9d063c507549 Mon Sep 17 00:00:00 2001
From: Konstantin Demin
Date: Mon, 18 Nov 2024 11:30:16 +0300
Subject: [PATCH] treewide: improve template expansion
---
 image-entry.d/00-common.envsh | 56 +++++++++++++++++++---------
 image-entry.d/01-defaults.envsh | 8 ++++
 image-entry.d/73-expand-templates.sh | 28 ++++++++++++++
 j2cfg/j2cfg/settings.py | 7 +++-
 scripts/envsubst-args.sh | 6 ++-
 5 files changed, 84 insertions(+), 21 deletions(-)
diff --git a/image-entry.d/00-common.envsh b/image-entry.d/00-common.envsh
index 339f558..b4b9a5f 100644
--- a/image-entry.d/00-common.envsh
+++ b/image-entry.d/00-common.envsh
@@ -128,28 +128,39 @@ expand_dir_envsubst() {
 __template_list=$(mktemp) || return
- find "$@" -follow -type f -name '*.in' \
+ find "$@" -follow -name '*.in' -type f \
+ | {
+ if [ -n "${NGX_TEMPLATE_EXCLUDE_REGEX:-}" ] ; then
+ grep -Ev -e "${NGX_TEMPLATE_EXCLUDE_REGEX}"
+ elif [ -n "${NGX_TEMPLATE_INCLUDE_REGEX:-}" ] ; then
+ grep -E -e "${NGX_TEMPLATE_INCLUDE_REGEX}"
+ else
+ cat
+ fi
+ } \
 | sort -uV > "${__template_list}"
- __have_args="${ENVSUBST_ARGS:+1}"
- if [ -z "${__have_args}" ] ; then
- ## optimize envsubst.sh invocation by caching argument list
- ## ref: envsubst.sh
- ENVSUBST_ARGS=$(mktemp) || return
- envsubst-args.sh > "${ENVSUBST_ARGS}"
- export ENVSUBST_ARGS
- fi
- __ret=0
- while read -r __orig_file ; do
- [ -n "${__orig_file}" ] || continue
- expand_file_envsubst "${__orig_file}" || __ret=1
- done < "${__template_list}"
+ if [ -s "${__template_list}" ] ; then
+ __have_args="${ENVSUBST_ARGS:+1}"
+ if [ -z "${__have_args}" ] ; then
+ ## optimize envsubst.sh invocation by caching argument list
+ ## ref: envsubst.sh
+ ENVSUBST_ARGS=$(mktemp) || return
+ envsubst-args.sh > "${ENVSUBST_ARGS}"
+ export ENVSUBST_ARGS
+ fi
- if [ -z "${__have_args}" ] ; then
- rm -f "${ENVSUBST_ARGS}" ; unset ENVSUBST_ARGS
+ while read -r __orig_file ; do
+ [ -n "${__orig_file}" ] || continue
+ expand_file_envsubst "${__orig_file}" || __ret=1
+ done < "${__template_list}"
+
+ if [ -z "${__have_args}" ] ; then
+ rm -f "${ENVSUBST_ARGS}" ; unset ENVSUBST_ARGS
+ fi
+ unset __have_args
 fi
- unset __have_args
 rm -f "${__template_list}" ; unset __template_list
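Review bot: The hunk removes `__ret=0` (the old line between the inner `fi` and `while read`) and never re-adds it, so on the new side `__ret` is only ever assigned in the loop's failure branch and is otherwise unset — or, since this is POSIX sh with no locals, still holding a stale `1` from an earlier call in the same shell. Whatever `return` consumes `__ret` lies past the hunk, but the sibling expand_dir_j2cfg hunk in this same patch keeps `__ret=0` as context, so this looks like an accidental drop; restore it with `__ret=0` immediately before `if [ -s "${__template_list}" ] ; then`. A secondary point: an invalid `NGX_TEMPLATE_EXCLUDE_REGEX`/`NGX_TEMPLATE_INCLUDE_REGEX` makes `grep -E` exit 2 and the pipeline quietly yields an empty list, so nothing is expanded and the function still succeeds; a `log_always` when the filter stage fails would make that misconfiguration visible. The function body continues outside the hunk.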
@@ -161,7 +172,16 @@ expand_dir_j2cfg() {
 __template_list=$(mktemp) || return
- find "$@" -follow -type f -name '*.j2' -printf '%p\0' \
+ find "$@" -follow -name '*.j2' -type f -printf '%p\0' \
+ | {
+ if [ -n "${NGX_TEMPLATE_EXCLUDE_REGEX:-}" ] ; then
+ grep -zEv -e "${NGX_TEMPLATE_EXCLUDE_REGEX}"
+ elif [ -n "${NGX_TEMPLATE_INCLUDE_REGEX:-}" ] ; then
+ grep -zE -e "${NGX_TEMPLATE_INCLUDE_REGEX}"
+ else
+ cat
+ fi
+ } \
 | sort -zuV > "${__template_list}"
 __ret=0
diff --git a/image-entry.d/01-defaults.envsh b/image-entry.d/01-defaults.envsh
index b020dc7..a037d08 100755
--- a/image-entry.d/01-defaults.envsh
+++ b/image-entry.d/01-defaults.envsh
@@ -44,6 +44,10 @@ for i in ${NGX_DIRS_MERGE:-} ; do
 log_always "NGX_DIRS_MERGE: dir '$i' is not legal, skipping"
 continue
 ;;
+ j2cfg | j2cfg/* )
+ log_always "NGX_DIRS_MERGE: '$i' is reserved for internal use, skipping"
+ continue
+ ;;
 esac
 dirs=$(append_list "${dirs}" "$i")
@@ -59,6 +63,10 @@ for i in ${NGX_DIRS_LINK:-} ; do
 log_always "NGX_DIRS_LINK: dir '$i' is not legal, skipping"
 continue
 ;;
+ j2cfg | j2cfg/* )
+ log_always "NGX_DIRS_MERGE: '$i' is reserved for internal use, skipping"
+ continue
+ ;;
 esac
 if list_have_item "${NGX_DIRS_MERGE}" "$i" ; then
diff --git a/image-entry.d/73-expand-templates.sh b/image-entry.d/73-expand-templates.sh
index 016f040..6633061 100755
--- a/image-entry.d/73-expand-templates.sh
+++ b/image-entry.d/73-expand-templates.sh
@@ -38,10 +38,13 @@ for n in ${NGX_DIRS_MERGE} ; do
 done
 set -a
+ENVSUBST_ARGS="${volume_root}/diag.envsubst.txt"
 J2CFG_PATH="${merged_root}/j2cfg"
 J2CFG_SEARCH_PATH="${merged_root}"
 set +a
+envsubst-args.sh > "${ENVSUBST_ARGS}"
+
 ## expand j2cfg templates first
 expand_dir_envsubst j2cfg/ || expand_error
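Review bot: The include/exclude filter block (`| { if [ -n "${NGX_TEMPLATE_EXCLUDE_REGEX:-}" ] ... } \`) is now spelled out three times in this patch — here, in expand_dir_envsubst, and again in 73-expand-templates.sh — differing only in the `-z` flag, which is the kind of duplication that drifts the next time one copy is fixed. A single helper taking the separator mode as its argument keeps the three callers in sync and gives one place to report a regex that `grep` rejects (exit 2), which today silently empties the list. The caller here would become `find "$@" -follow -name '*.j2' -type f -printf '%p\0' | filter_template_list -z | sort -zuV > "${__template_list}"`. The function body continues outside the hunk.

```shell
## filter a template path list (stdin -> stdout) by NGX_TEMPLATE_EXCLUDE_REGEX /
## NGX_TEMPLATE_INCLUDE_REGEX; $1 is the extra grep flag ("-z" for NUL-separated
## lists, empty for newline-separated ones). Exclude wins over include.
filter_template_list() {
	if [ -n "${NGX_TEMPLATE_EXCLUDE_REGEX:-}" ] ; then
		grep ${1:+"$1"} -Ev -e "${NGX_TEMPLATE_EXCLUDE_REGEX}"
	elif [ -n "${NGX_TEMPLATE_INCLUDE_REGEX:-}" ] ; then
		grep ${1:+"$1"} -E -e "${NGX_TEMPLATE_INCLUDE_REGEX}"
	else
		cat
	fi
	## grep exits 2 on a malformed pattern; surface it instead of yielding an empty list
	[ $? -ne 2 ] || log_always "NGX_TEMPLATE_*_REGEX: invalid regex, template list is empty"
}
```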
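Review bot: The new `j2cfg | j2cfg/* )` arm catches only those two literal spellings; a value such as `./j2cfg` or `./j2cfg/sub` is not matched and would reach `append_list` unless the earlier arms of this `case` (outside the hunk) already reject or normalize such forms — worth confirming, since the arm exists to keep user-supplied directories out of a reserved one. If they do not, either widen the pattern to `j2cfg | j2cfg/* | ./j2cfg | ./j2cfg/* )` or strip a leading `./` from `$i` before the `case`. The enclosing `for` loop starts before the hunk.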
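Review bot: The log message in the new `NGX_DIRS_LINK` arm is labelled `NGX_DIRS_MERGE:`, so an operator who puts a reserved path in NGX_DIRS_LINK is told the wrong variable is being skipped and will look in the wrong place. It should read `log_always "NGX_DIRS_LINK: '$i' is reserved for internal use, skipping"`, matching the `not legal` message two lines above in the same `case`. The enclosing `for` loop starts before the hunk.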
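Review bot: `envsubst-args.sh > "${ENVSUBST_ARGS}"` now writes the names of every environment variable present at startup to `${volume_root}/diag.envsubst.txt`, its exit status is ignored, and because `ENVSUBST_ARGS` is exported under `set -a` the callee `expand_dir_envsubst` takes its `__have_args` branch and never deletes the file — so where the old per-run temp file was removed after expansion, this one persists in the volume. Names are not values, but they enumerate which secrets a deployment defines (every `*_PASSWORD`, `*_TOKEN`, ...), so if `volume_root` — defined outside the hunk — is a mounted or otherwise reachable path this trades a small disclosure for a diagnostic. At minimum fail on a write error with `envsubst-args.sh > "${ENVSUBST_ARGS}" || expand_error`, and either remove the file at the end of the script or state the intent in a comment: `## kept for diagnostics: list of env var NAMES offered to envsubst (no values)`.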
@@ -60,4 +63,29 @@ export J2CFG_CONFIG="${j2cfg_dump}"
 expand_dir_j2cfg ${merge_dirs} || expand_error
+## remove template sources in order to avoid leaking sensitive data
+if [ "${NGX_PROCESS_STATIC}" = 1 ] ; then
+ __template_list=$(mktemp)
+
+ find static/ -follow -type f -printf '%p\0' \
+ | grep -zE '\.(in|j2)$' \
+ | {
+ if [ -n "${NGX_TEMPLATE_EXCLUDE_REGEX:-}" ] ; then
+ grep -zEv -e "${NGX_TEMPLATE_EXCLUDE_REGEX}"
+ elif [ -n "${NGX_TEMPLATE_INCLUDE_REGEX:-}" ] ; then
+ grep -zE -e "${NGX_TEMPLATE_INCLUDE_REGEX}"
+ else
+ cat
+ fi
+ } \
+ | sort -zuV > "${__template_list}"
+
+ if [ -s "${__template_list}" ] ; then
+ xargs -0r -n 1000 -a "${__template_list}" \
+ rm -fv < /dev/null
+ fi
+
+ rm -f "${__template_list}" ; unset __template_list
+fi
+
 exit 0
diff --git a/j2cfg/j2cfg/settings.py b/j2cfg/j2cfg/settings.py
index 03e1481..d7483ce 100644
--- a/j2cfg/j2cfg/settings.py
+++ b/j2cfg/j2cfg/settings.py
@@ -29,8 +29,11 @@ J2CFG_JINJA_EXTENSIONS = [
 ]
 J2CFG_BANNED_ENVS = [
- r'ANGIE(=|$)',
- r'ANGIE_BPF_MAPS(=|$)'
+ r'__IEP_', r'IEP_',
+ r'NGX_TEMPLATE_(EX|IN)CLUDE',
+ r'ENVSUBST_',
+ r'J2CFG_',
+ r'ANGIE(|_BPF_MAPS)(=|$)',
 ]
 J2CFG_PRESERVE_ENVS = [
diff --git a/scripts/envsubst-args.sh b/scripts/envsubst-args.sh
index 7e780c8..32d3604 100755
--- a/scripts/envsubst-args.sh
+++ b/scripts/envsubst-args.sh
@@ -3,8 +3,12 @@ set -f
 sed -znE '/^([^=]+)=.*$/s,,\1,p' /proc/$$/environ \
 | sed -zE \
- -e '/^_$/d;/^ENVSUBST_/d;' \
+ -e '/^_$/d' \
 -e '/^__IEP_/d;/^IEP_$/d' \
+ -e '/^NGX_TEMPLATE_(EX|IN)CLUDE/d' \
+ -e '/^ENVSUBST_/d' \
+ -e '/^J2CFG_/d' \
+ -e '/^ANGIE(|_BPF_MAPS)$/d' \
 | {
 if [ -n "${ENVSUBST_EXCLUDE_REGEX:-}" ] ; then
 grep -zEv -e "${ENVSUBST_EXCLUDE_REGEX}"
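Review bot: The deletion that the new comment presents as the leak-avoidance measure is best-effort: `xargs -0r -n 1000 -a "${__template_list}" rm -fv < /dev/null` can fail (a read-only or non-owned `static/` tree) and its status is dropped, so the script still reaches `exit 0` with the template sources in place, and `__template_list=$(mktemp)` is likewise unchecked unlike its `|| return` siblings in 00-common.envsh. Since `expand_error` is already used on the line above (its definition is outside the hunk), make both fatal: `__template_list=$(mktemp) || expand_error` and `rm -fv < /dev/null || expand_error`. Note also that a source skipped through `NGX_TEMPLATE_EXCLUDE_REGEX` is deliberately left behind — consistent with it never having been expanded, but it means an excluded `.in`/`.j2` file remains servable from `static/`; a sentence in the comment, `## excluded templates are not expanded and are kept as-is`, would record that trade-off.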
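Review bot: The new prefix entries (`r'__IEP_'`, `r'IEP_'`, `r'NGX_TEMPLATE_(EX|IN)CLUDE'`, `r'ENVSUBST_'`, `r'J2CFG_'`) carry no `^` anchor, and whether they match only at the start of a name depends on how J2CFG_BANNED_ENVS is applied (`re.match` vs `re.search`), which is outside the hunk; under `re.search` they would also ban any variable that merely contains `IEP_` or `J2CFG_` in the middle of its name. Anchoring is harmless under `re.match` and correct under `re.search`: `r'^(__)?IEP_', r'^NGX_TEMPLATE_(EX|IN)CLUDE', r'^ENVSUBST_', r'^J2CFG_',`. Separately, the shell counterpart in envsubst-args.sh drops exactly the name `IEP_` (`/^IEP_$/d`) whereas this list drops every `IEP_*` name, so the two ban lists disagree on which is intended.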