Merge pull request #151145 from zhaofengli/unifi5-log4j-new-mitigation

unifi5: Follow new mitigation guidelines
0x4A6F 2021-12-18 13:00:28 +01:00 committed by GitHub
commit 0b738b87db
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 49 additions and 6 deletions


@ -7,7 +7,6 @@ let
@${cfg.jrePackage}/bin/java java \
${optionalString (cfg.initialJavaHeapSize != null) "-Xms${(toString cfg.initialJavaHeapSize)}m"} \
${optionalString (cfg.maximumJavaHeapSize != null) "-Xmx${(toString cfg.maximumJavaHeapSize)}m"} \
${optionalString (lib.versionOlder cfg.unifiPackage.version "6.5.54") "-Dlog4j2.formatMsgNoLookups=true"} \
-jar ${stateDir}/lib/ace.jar
'';
in


@ -485,6 +485,7 @@ in
ucarp = handleTest ./ucarp.nix {};
udisks2 = handleTest ./udisks2.nix {};
unbound = handleTest ./unbound.nix {};
unifi = handleTest ./unifi.nix {};
unit-php = handleTest ./web-servers/unit-php.nix {};
upnp = handleTest ./upnp.nix {};
usbguard = handleTest ./usbguard.nix {};

35
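--- a/nixos/tests/unifi.nix
+++ b/nixos/tests/unifi.nix
@@ -0,0 +1,35 @@
+# Test UniFi controller
+{ system ? builtins.currentSystem
+, config ? { allowUnfree = true; }
+, pkgs ? import ../.. { inherit system config; }
+}:
+with import ../lib/testing-python.nix { inherit system pkgs; };
+with pkgs.lib;
+let
+makeAppTest = unifi: makeTest {
+name = "unifi-controller-${unifi.version}";
+meta = with pkgs.lib.maintainers; {
+maintainers = [ zhaofengli ];
+};
+nodes.server = {
+services.unifi = {
+enable = true;
+unifiPackage = unifi;
+openFirewall = false;
+};
+};
+testScript = ''
+server.wait_for_unit("unifi.service")
+server.wait_until_succeeds("curl -Lk https://localhost:8443 >&2", timeout=300)
+'';
+};
+in with pkgs; {
+unifiLTS = makeAppTest unifiLTS;
+unifi5 = makeAppTest unifi5;
+unifi6 = makeAppTest unifi6;
+}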
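Review bot: The readiness probe in `testScript` calls `curl -Lk` without `--fail`, so curl exits 0 on any HTTP response, including a 4xx/5xx error page, and `wait_until_succeeds` passes as soon as anything answers on 8443. Using `curl -fLk https://localhost:8443 >&2` would make a controller that starts but serves errors fail the test. The test also only shows that the service still starts with the modified jar; it never asserts the mitigation itself. A check that `JndiLookup.class` is absent from the `log4j-core` jar of the package that gets the strip (unifi5, per the package file in this commit) would catch a regression if the `postInstall` is dropped or stops matching.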


@ -1,10 +1,9 @@
{ lib, stdenv, dpkg, fetchurl }:
{ lib, stdenv, dpkg, fetchurl, zip, nixosTests }:
let
generic = { version, sha256, suffix ? "" }:
stdenv.mkDerivation {
generic = { version, sha256, suffix ? "", ... } @ args:
stdenv.mkDerivation (args // {
pname = "unifi-controller";
inherit version;
src = fetchurl {
url = "https://dl.ubnt.com/unifi/${version}${suffix}/unifi_sysvinit_all.deb";
@ -29,6 +28,10 @@ let
runHook postInstall
'';
passthru.tests = {
unifi = nixosTests.unifi;
};
meta = with lib; {
homepage = "http://www.ubnt.com/";
description = "Controller for Ubiquiti UniFi access points";
@ -36,7 +39,7 @@ let
platforms = platforms.unix;
maintainers = with maintainers; [ erictapen globin patryk27 pennae ];
};
};
});
in rec {
# see https://community.ui.com/releases / https://www.ui.com/download/unifi
@ -49,6 +52,11 @@ in rec {
unifi5 = generic {
version = "5.14.23";
sha256 = "1aar05yjm3z5a30x505w4kakbyz35i7mk7xyg0wm4ml6h94d84pv";
postInstall = ''
# Remove when log4j is updated to 2.12.2 or 2.16.0.
${zip}/bin/zip -q -d $out/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
'';
};
unifi6 = generic {
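Review bot: The `JndiLookup.class` strip is attached only to `unifi5` in this hunk, while the module change in the first file drops `-Dlog4j2.formatMsgNoLookups=true` for every package older than 6.5.54. Any other pre-6.5.54 package would therefore lose the flag without gaining the strip; `unifiLTS` is defined outside the visible hunks, so it is worth confirming that it does not bundle log4j-core 2.x, or passing it the same `postInstall`. Separately, the unquoted glob in `postInstall` goes straight to `zip -d`, which takes only its first argument as the archive. If more than one `log4j-core-*.jar` were ever present, the others would be read as entry names and left unpatched. A loop makes that explicit: `for jar in $out/lib/log4j-core-*.jar; do ${zip}/bin/zip -q -d "$jar" org/apache/logging/log4j/core/lookup/JndiLookup.class; done`.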