MINOR: cfgparse: implement experimental config keywords

Add a new flag to mark a keyword as experimental. An experimental keyword cannot be used if the global 'expose-experimental-directives' is not present first. Only keywords parsed through a standard cfg_keywords lists in global/proxies section will be automatically detected if declared experimental. To support a keyword outside of these lists, check_kw_experimental must be called manually during its parsing. If an experimental keyword is present in the config, the tainted flag is updated. For the moment, no keyword is marked as experimental.
2025-04-01 22:48:25 +00:00 · 2021-05-06 16:21:39 +02:00 · 2021-05-06 16:21:39 +02:00 · d2e53cd47e
commit d2e53cd47e
parent fae9edf470
6 changed files with 45 additions and 2 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -969,6 +969,7 @@ The following keywords are supported in the "global" section :
   - deviceatlas-log-level
   - deviceatlas-separator
   - deviceatlas-properties-cookie
+   - expose-experimental-directives
   - external-check
   - gid
   - group
@ -1274,6 +1275,10 @@ deviceatlas-properties-cookie <name>
  Client-side component was used during the request. This directive is optional
  and set to DAPROPS by default if not set.

+expose-experimental-directives
+  This statement must appear before using directives tagged as experimental or
+  the config file will be rejected.
+
 external-check
  Allows the use of an external agent to perform health checks. This is
  disabled by default as a security precaution, and even when enabled, checks
--- a/include/haproxy/cfgparse.h
+++ b/include/haproxy/cfgparse.h
@ -43,7 +43,7 @@ enum kw_mod {
 };

 enum cfg_keyword_flags {
-	KWF_UNIMPLEMENTED,  // TO REMOVE once an enum value is implemented
+	KWF_EXPERIMENTAL = 0x1,
 };

 struct cfg_keyword {
--- a/include/haproxy/global.h
+++ b/include/haproxy/global.h
@ -98,11 +98,17 @@ static inline unsigned long thread_mask(unsigned long mask)

 /* handle 'tainted' status */
 enum tainted_flags {
-	TAINTED_UNIMPLEMENTED,  // TO REMOVE once an enum value is implemented
+	TAINTED_CONFIG_EXP_KW_DECLARED = 0x1,
 };
 void mark_tainted(const enum tainted_flags flag);
 unsigned int get_tainted();

+extern unsigned int experimental_directives_allowed;
+
+struct cfg_keyword;
+int check_kw_experimental(struct cfg_keyword *kw, const char *file, int linenum,
+                          char **errmsg);
+
 /* simplified way to declare static build options in a file */
 #define REGISTER_BUILD_OPTS(str) \
 	INITCALL2(STG_REGISTER, hap_register_build_opts, (str), 0)
--- a/src/cfgparse-global.c
+++ b/src/cfgparse-global.c
@ -70,6 +70,9 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 		alertif_too_many_args(0, file, linenum, args, &err_code);
 		goto out;
 	}
+	else if (strcmp(args[0], "expose-experimental-directives") == 0) {
+		experimental_directives_allowed = 1;
+	}
 	else if (strcmp(args[0], "daemon") == 0) {
 		if (alertif_too_many_args(0, file, linenum, args, &err_code))
 			goto out;
@ -1306,6 +1309,12 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 				if (kwl->kw[index].section != CFG_GLOBAL)
 					continue;
 				if (strcmp(kwl->kw[index].kw, args[0]) == 0) {
+					if (check_kw_experimental(&kwl->kw[index], file, linenum, &errmsg)) {
+						ha_alert(errmsg);
+						err_code |= ERR_ALERT | ERR_FATAL;
+						goto out;
+					}
+
 					rc = kwl->kw[index].parse(args, CFG_GLOBAL, NULL, NULL, file, linenum, &errmsg);
 					if (rc < 0) {
 						ha_alert("parsing [%s:%d] : %s\n", file, linenum, errmsg);
--- a/src/cfgparse-listen.c
+++ b/src/cfgparse-listen.c
@ -3040,6 +3040,12 @@ stats_error_parsing:
 				if (kwl->kw[index].section != CFG_LISTEN)
 					continue;
 				if (strcmp(kwl->kw[index].kw, args[0]) == 0) {
+					if (check_kw_experimental(&kwl->kw[index], file, linenum, &errmsg)) {
+						ha_alert(errmsg);
+						err_code |= ERR_ALERT | ERR_FATAL;
+						goto out;
+					}
+
 					/* prepare error message just in case */
 					rc = kwl->kw[index].parse(args, CFG_LISTEN, curproxy, curr_defproxy, file, linenum, &errmsg);
 					if (rc < 0) {
--- a/src/haproxy.c
+++ b/src/haproxy.c
@ -262,6 +262,23 @@ unsigned int warned = 0;
 /* set if experimental features have been used for the current process */
 static unsigned int tainted = 0;

+unsigned int experimental_directives_allowed = 0;
+
+int check_kw_experimental(struct cfg_keyword *kw, const char *file, int linenum,
+                          char **errmsg)
+{
+	if (kw->flags & KWF_EXPERIMENTAL) {
+		if (!experimental_directives_allowed) {
+			memprintf(errmsg, "parsing [%s:%d] : '%s' directive is experimental, must be allowed via a global 'expose-experimental-directives'\n",
+			          file, linenum, kw->kw);
+			return 1;
+		}
+		mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
+	}
+
+	return 0;
+}
+
 /* master CLI configuration (-S flag) */
 struct list mworker_cli_conf = LIST_HEAD_INIT(mworker_cli_conf);