commit: remove classic/soft mode

2018-08-12 16:47:12 +01:00 · 2018-08-12 16:47:12 +01:00 · cd68ae3126
commit cd68ae3126
--- a/demo.d/example.tconf
+++ b/demo.d/example.tconf
@ -39,18 +39,16 @@
 #
 # set hardcoded_endpoint_csv /path,stringvalue ...

-# ---- HARD-MODE ----
+# ---- PRESERVE_CSV ----

-# hard-mode is an experimental but very powerful brute-force
-# search-and-replace strategy for editing content on the fly; it
-# changes the way the nginx.conf works to rewrite HTML/other
-# content. One side-effect of this is that some instances of domain
-# names may be rewritten unwantedly (eg: foo@facebook.com ->
-# foo@facebookcorewwwi.onion) which is reason for `preserve_csv` which
-# uses a very simple heuristic to try and protect plaintext domain
-# names from being rewritten.
+# EOTK uses a search-and-replace strategy for editing content on the
+# fly; one side-effect of this is that some instances of domain names
+# may be rewritten unwantedly (eg: email addresses like
+# foo@facebook.com become foo@facebookcorewwwi.onion)
+
+# `preserve_csv` uses a very simple heuristic to try and protect
+# plaintext domain names from being rewritten.

-# set hard_mode 1
 # set preserve_csv uniquetoken,regexp,regexpcaseflag,replacement ...

 # eg: `set preserve_csv fbtld,facebook\\.com,i,facebook.com` ... will
--- a/demo.d/wikipedia.tconf
+++ b/demo.d/wikipedia.tconf
@ -1,9 +1,6 @@
 # -*- conf -*-
 # eotk (c) 2017 Alec Muffett

-# use brute-force "search and replace" strategy
-set hard_mode 1
-
 # CSVs of canonical domains (eg: email) to preserve (todo: more here?)
 # nb: you must explicitly list all domains that are of preservation;
 # "foo.com" & "www.foo.com" are treated as separate, for this purpose
--- a/lib.d/do-configure.pl
+++ b/lib.d/do-configure.pl
@ -433,7 +433,7 @@ sub DoProject {
 # default-set values
 &SetEnv("block_err", "This action is not supported over Onion yet, sorry.");
 &SetEnv("force_https", 1);
-&SetEnv("hard_mode", 0);
+&SetEnv("hard_mode", 1);
 &SetEnv("nginx_action_abort", "return 500");
 &SetEnv("nginx_block_busy_size", "16k");
 &SetEnv("nginx_block_count", 8);
--- a/lib.d/lint.pl
+++ b/lib.d/lint.pl
@ -40,7 +40,6 @@ my %known =
     'FORCE_HTTPS' => 1,
     'FOREIGNMAP_CSV' => 1,
     'HARDCODED_ENDPOINT_CSV' => 1,
-     'HARD_MODE' => 1,
     'HOST_BLACKLIST' => 1,
     'HOST_BLACKLIST_RE' => 1,
     'HOST_WHITELIST' => 1,
--- a/templates.d/nginx-hard.conf.txt
+++ b/templates.d/nginx-hard.conf.txt
@ -1,14 +0,0 @@
-# -*- awk -*-
-# eotk (c) 2017 Alec Muffett
-
-"nginx-hard.conf" has been deprecated & merged into the "classic" config,
-in order to simplify future development. If you are seeing this message,
-please remove the following line:
-
-    set nginx_template templates.d/nginx-hard.conf.txt
-
-...from your configuration, and replace it with:
-
-    set hard_mode 1
-
-Apologies for the inconvenience.
--- a/templates.d/nginx.conf.txt
+++ b/templates.d/nginx.conf.txt
@ -3,16 +3,6 @@

 # EMACS awk mode works quite well for nginx configs

-# ---- BEGIN HARD/CLASSIC SWITCH ----
-%%IF %HARD_MODE%
-# *HARD* configuration
-# swap domain names for onions via brute-force, with whitelisted repairs...
-%%ELSE
-# *CLASSIC* configuration
-# swap domain names for onions via targeted regular expressions...
-%%ENDIF
-# ---- END HARD/CLASSIC SWITCH ----
-
 # logs and pids
 pid %PROJECT_DIR%/nginx.pid;
 error_log %LOG_DIR%/nginx-error.log %NGINX_SYSLOG%;
@ -123,9 +113,6 @@ http {
  %%ENDIF
  ;

-  #==================================================================
-  %%IF %HARD_MODE%
-  # ---- BEGIN HARD MODE CODE ----
  %%IF %PRESERVE_CSV%
  # preserve subs (save-phase): 1=description,2=re,3=i_or_empty,4=replacement
  %%CSV %PRESERVE_CSV%
@ -141,14 +128,14 @@ http {
  %%ENDIF

  %%BEGIN
-  # HARD-MODE: %DNS_DOMAIN% -> %ONION_ADDRESS%
+  # map: %DNS_DOMAIN% -> %ONION_ADDRESS%
  subs_filter
  \\b%DNS_DOMAIN_RE2%\\b
  %ONION_ADDRESS%
  gir
  ;
  %%IF %HARD_MODE% > 1
-  # HARD-MODE-EXTRA: %DNS_DOMAIN_RE% -> %ONION_ADDRESS_RE%
+  # extra map: %DNS_DOMAIN_RE% -> %ONION_ADDRESS_RE%
  subs_filter
  \\b%DNS_DOMAIN_RERE2%\\b
  %ONION_ADDRESS_RE2%
@ -184,77 +171,6 @@ http {
  %%ELSE
  # no preserve subs (restore-phase)
  %%ENDIF
-  # ---- END HARD MODE CODE ----
-  #------------------------------------------------------------------
-  %%ELSE
-  #------------------------------------------------------------------
-  # ---- BEGIN CLASSIC MODE CODE ----
-
-  # subs_filter: these patterns bear some explanation; the goal is to
-  # work regular expressions really hard in order to minimise the
-  # number of expressions which are used in the basic config, so the
-  # basic pattern is to capture zero/more "sub." in "//sub.foo.com"
-  # and interpolate that into "//sub.xxxxxxxx.onion"; so far?
-
-  # but it turns out that some JSON libraries like to "escape" the
-  # forward slashes in JSON content, leading to input like (literal)
-  # "http:\/\/sub.foo.com\/foo.html" - so you need to add the
-  # backslashes, but then you need to escape the backslashes, except
-  # they need double-escaping in the regexp because of string
-  # interpolation; hence 4x backslash -> 1x matched character
-
-  # likewise we use the "_RE2" form of the re-escaped domain name in
-  # order to coerce the regexp to match literal dots, not wildcards.
-
-  # there seems to be some sort of shortcut at play here; the trailing
-  # "\\b" also seems to work as "\b" however that would apparently
-  # break the double-escaping that is necessary/works everywhere else
-  # in subs_filter.
-
-  # also, regrettably, named capture groups appear not to work, we're
-  # fortunate that there appear not to be more than 9 capture groups
-  # by default, lest "$1" bleed into the subsequent digits of an onion
-  # address: $1234567abcdefghij.onion
-
-  # finally: some sites encode // with %-encoded "2F" in URIs...
-
-  %%BEGIN
-  # for %DNS_DOMAIN% -> %ONION_ADDRESS% anchored by // or \/\/
-  subs_filter
-  (/|\\\\/\\\\)/(([-0-9a-z]+\\.)+)?%DNS_DOMAIN_RE2%\\b
-  $1/$2%ONION_ADDRESS%
-  gir
-  ;
-  # for %DNS_DOMAIN% -> %ONION_ADDRESS% anchored with hex-encoded slashes
-  subs_filter
-  %%2F%%2F(([-0-9a-z]+\\.)+)?%DNS_DOMAIN_RE2%\\b
-  %%2F%%2F$1%ONION_ADDRESS%
-  gir
-  ;
-  %%END
-
-  %%IF %FOREIGNMAP_CSV%
-  # foreignmap subs: 1=onion,2=re,3=re2,4=dns,5=re,6=re2
-  %%CSV %FOREIGNMAP_CSV%
-  # for %4% -> %1% anchored by // or \/\/
-  subs_filter
-  (/|\\\\/\\\\)/(([-0-9a-z]+\\.)+)?%6%\\b
-  $1/$2%1%
-  gir
-  ;
-  # for %4% -> %1% anchored with hex-encoded slashes
-  subs_filter
-  %%2F%%2F(([-0-9a-z]+\\.)+)?%6%\\b
-  %%2F%%2F$1%1%
-  gir
-  ;
-  %%ENDCSV
-  %%ELSE
-  # no foreignmap subs
-  %%ENDIF
-  # ---- END CLASSIC MODE CODE ----
-  %%ENDIF
-  #==================================================================

  # o_to_d_lookup -> if cannot remap, return input.  note: old versions
  # of lua-plugin cannot cope with code like o_to_d_mappings[o[1]]
@ -350,39 +266,6 @@ http {
  # filter the response headers en-route back to the user
  header_filter_by_lua_block {
    local k, v
-    -- ==================================================================
-    %%IF ! %HARD_MODE%
-    -- ---- BEGIN CLASSIC MODE CODE ----
-    -- is this javascript/json? if so, extra processing:
-    -- 1) set a processing flag to pick up in body_filter_by_lua_block
-    -- 2) invalidate content-length, because we will change it
-    k = "Content-Type"
-    v = ngx.header[k]
-    if v == "application/javascript" or
-      v == "application/json" or
-      v == "application/x-javascript" or
-      v == "text/css" or
-      v == "text/javascript" then
-      ngx.ctx.needs_extra_processing = 1
-      ngx.header.content_length = nil
-    end
-    %%IF %EXTRA_PROCESSING_CSV%
-    -- run on `v` for further extra_processing_csv checks
-    %%CSV %EXTRA_PROCESSING_CSV%
-    if v == "%1%" then
-    local m, err = ngx.re.match(ngx.var.uri, "%2%", "io")
-      if m then
-        ngx.ctx.needs_extra_processing = 1
-        ngx.header.content_length = nil
-      end
-    end
-    %%ENDCSV
-    %%ELSE
-    -- no extra_processing_csv checks
-    %%ENDIF
-    -- ---- END CLASSIC MODE CODE ----
-    %%ENDIF
-    -- ==================================================================

    local origin_rewrites = {
      "Access-Control-Allow-Origin",
@ -408,26 +291,6 @@ http {

  # filter the response body en-route back to the user
  body_filter_by_lua_block {
-    -- ==================================================================
-    %%IF ! %HARD_MODE%
-    -- ---- BEGIN CLASSIC MODE CODE ----
-    -- rather than blindly replacing "foo.com" with "foo.onion" everywhere,
-    -- instead we restrict such brute-force replacement to content that was
-    -- flagged in header_filter_by_lua_block
-    if ngx.ctx.needs_extra_processing == 1 then
-      -- the flag was set; this content deserves brute-force search & replace
-      local chunk = ngx.arg[1]
-      -- subs_filter picked up the "//"-anchored strings; now we sub the rest
-      chunk = dns_to_onion(chunk)
-      -- and we sub the basic "foo\.com" regular-expressions, too
-      chunk = dnsre_to_onionre(chunk)
-      -- more complex regular expressions are out of scope.
-      ngx.arg[1] = chunk
-    end
-    -- ---- END CLASSIC MODE CODE ----
-    %%ENDIF
-    -- ==================================================================
-
    %%IF %DEBUG_TRAP%
    -- debug traps
    local i = ngx.arg[1]