Document trusted-server.example.toml and restore supported config sections#870
Draft
aram356 wants to merge 2 commits into
Draft
Document trusted-server.example.toml and restore supported config sections#870aram356 wants to merge 2 commits into
aram356 wants to merge 2 commits into
Conversation
a9331e7 to
387aa14
Compare
…tions Rework the app-config template so the required minimum (publisher, ec passphrase, admin handler) is active and documented, while every optional section and integration is commented out with a one-line description. Restore sections that still map to live config structs but had been dropped from the template: tester_cookie, rewrite, consent, image_optimizer, tinybird, osano, publisher.max_buffered_body_bytes, sourcepoint.auth_cookie_name, datadome protection fields, and prebid override rules. All example hosts stay on example.com. Keep the gpt, didomi, datadome, and google_tag_manager sections active with enabled = false so the ts audit CLI can still flip them in place.
387aa14 to
edd7250
Compare
Extend deploy-time validation (`ts config validate`/`push`, via `validate_settings_for_deploy`) to reject template placeholder values that previously validated OK and only failed later at runtime: - publisher.domain / cookie_domain / origin_url left as the example.com template defaults (deploy-only, in reject_placeholder_secrets, so the embedded example config still parses via Settings::from_toml) - request_signing.config_store_id / secret_store_id when the block is enabled (empty or the <management-...> placeholders) - integrations.aps.pub_id when APS is enabled: non-empty is enforced with the built-in validator `length(min = 1)`, and a custom validator rejects the reserved "your-aps-publisher-id" placeholder (no built-in expresses a reserved-value check). Integration configs validate lazily via get_typed, so this is naturally enabled-gated. Publisher and request_signing checks stay imperative because they are parse-time-sensitive or cross-field (gated on a sibling `enabled`) and cannot be expressed as single-field validator attributes. Closes #871
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #869. Closes #871.
Two related commits on the config surface.
1. Document
trusted-server.example.tomland restore supported sectionsReworks the app-config template (source-controlled starter, also embedded into the Cloudflare/Spin adapters via
include_str!and text-patched byts audit).[[handlers]](admin),[publisher],[ec].[tester_cookie],[rewrite],[consent],[image_optimizer],[tinybird],[integrations.osano],publisher.max_buffered_body_bytes,sourcepoint.auth_cookie_name, DataDome protection fields, Prebid override rules.gpt/didomi/datadome/google_tag_manageras activeenabled = falsestubs sots auditcan flip them in place. All hosts areexample.com.2. Reject fail-open placeholder config values at deploy validation
ts config validate/pushroute throughTrustedServerAppConfig::validate→validate_settings_for_deploy. That path now rejects template placeholders that previously validated OK and only failed at runtime:publisher.domain/cookie_domain/origin_urlleft at theexample.comtemplate defaults.request_signing.config_store_id/secret_store_idwhen the block is enabled (empty or<management-...>placeholders).integrations.aps.pub_idwhen APS is enabled — non-empty via the built-inlength(min = 1)validator, plus a custom validator for the reservedyour-aps-publisher-idplaceholder.Why some checks use the validator crate and some don't
validatorcrate: integration configs validate lazily throughget_typed(enabled-gated), so#[validate(length(min = 1), custom(...))]fires only when APS is on.reject_placeholder_secrets:Publisher::validate()runs at parse time on the embeddedexample.comtemplate (a#[validate]rule would reject the template itself), and request_signing rejection must be gated on the siblingenabledflag — neither is expressible as a single-field attribute. This mirrors how the existing placeholder-secret rejection already works.Verification
cargo test -p trusted-server-core --lib— 1628 pass (incl. 4 new deploy-validation tests + an enabled-gating test).cargo test --package trusted-server-cli ... audit— pass.Settings::from_tomlon the template — pass (deploy rejection is separate from parse).cargo clippy -p trusted-server-core --libwith-D warnings— clean.Follow-up (not in this PR)
A validator-usage audit across all config structs found two pre-existing hand-rolled validators that reimplement a built-in — GTM
validate_container_idand Prebidvalidate_external_bundle_sha256could become#[validate(regex(...))]. Deferred:#[validate(regex)]is used nowhere in the repo yet (validator pulled with only thederivefeature), so swapping pre-existing code carries compile/behavior risk best handled on its own.