Merging upstream version 1.30.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

8 files changed, 37 insertions, 9 deletions

diff --git a/registry/README.md b/registry/README.md
index 968292c0..1544a57d 100644
--- a/registry/README.md
+++ b/registry/README.md
@@ -176,6 +176,17 @@ There can be up to 2 files:
 
 Both files are machine readable text files.
 
+### How can I disable the SameSite and Secure cookies?
+
+Beginning with `v1.30.0`, when the Netdata Agent's web server processes a request, it delivers the `SameSite=none`
+and `Secure` cookies. If you have problems accessing the local Agent dashboard or Netdata Cloud, disable these
+cookies by [editing `netdata.conf`](/docs/configure/nodes.md#use-edit-config-to-edit-configuration-files):
+
+```conf
+[registry]
+    enable cookies SameSite and Secure = no
+```
+
 ## The future
 
 The registry opens a whole world of new possibilities for Netdata. Check here what we think:
diff --git a/registry/registry.c b/registry/registry.c
index b14f4ee4..8148745f 100644
--- a/registry/registry.c
+++ b/registry/registry.c
@@ -23,7 +23,7 @@ static inline void registry_unlock(void) {
 // COOKIES
 
 static void registry_set_cookie(struct web_client *w, const char *guid) {
-    char edate[100];
+    char edate[100], domain[512];
     time_t et = now_realtime_sec() + registry.persons_expiration;
     struct tm etmbuf, *etm = gmtime_r(&et, &etmbuf);
     strftime(edate, sizeof(edate), "%a, %d %b %Y %H:%M:%S %Z", etm);
@@ -31,7 +31,22 @@ static void registry_set_cookie(struct web_client *w, const char *guid) {
     snprintfz(w->cookie1, NETDATA_WEB_REQUEST_COOKIE_SIZE, NETDATA_REGISTRY_COOKIE_NAME "=%s; Expires=%s", guid, edate);
 
     if(registry.registry_domain && registry.registry_domain[0])
-        snprintfz(w->cookie2, NETDATA_WEB_REQUEST_COOKIE_SIZE, NETDATA_REGISTRY_COOKIE_NAME "=%s; Domain=%s; Expires=%s", guid, registry.registry_domain, edate);
+        snprintfz(domain, 511, "Domain=%s", registry.registry_domain);
+    else
+        domain[0]='\0';
+
+    int length = snprintfz(w->cookie2, NETDATA_WEB_REQUEST_COOKIE_SIZE,
+                           NETDATA_REGISTRY_COOKIE_NAME "=%s; Expires=%s; %s",
+                           guid, edate, domain);
+
+    size_t remaining_length = NETDATA_WEB_REQUEST_COOKIE_SIZE - length;
+    // 25 is the necessary length to add new cookies
+    if (registry.enable_cookies_samesite_secure) {
+        if (length > 0 && remaining_length > 25)
+            snprintfz(&w->cookie2[length], remaining_length, "; SameSite=None; Secure");
+        else
+            error("Netdata does not have enough space to store cookies SameSite and Secure");
+    }
 }
 
 static inline void registry_set_person_cookie(struct web_client *w, REGISTRY_PERSON *p) {
diff --git a/registry/registry_init.c b/registry/registry_init.c
index ffdb83f3..36673ff0 100644
--- a/registry/registry_init.c
+++ b/registry/registry_init.c
@@ -39,6 +39,7 @@ int registry_init(void) {
     registry.registry_to_announce = config_get(CONFIG_SECTION_REGISTRY, "registry to announce", "https://registry.my-netdata.io");
     registry.hostname = config_get(CONFIG_SECTION_REGISTRY, "registry hostname", netdata_configured_hostname);
     registry.verify_cookies_redirects = config_get_boolean(CONFIG_SECTION_REGISTRY, "verify browser cookies support", 1);
+    registry.enable_cookies_samesite_secure = config_get_boolean(CONFIG_SECTION_REGISTRY, "enable cookies SameSite and Secure", 1);
 
     registry_update_cloud_base_url();
     setenv("NETDATA_REGISTRY_HOSTNAME", registry.hostname, 1);
diff --git a/registry/registry_internals.h b/registry/registry_internals.h
index 0eb83a43..3caf0aad 100644
--- a/registry/registry_internals.h
+++ b/registry/registry_internals.h
@@ -40,6 +40,7 @@ struct registry {
     char *cloud_base_url;
     time_t persons_expiration; // seconds to expire idle persons
     int verify_cookies_redirects;
+    int enable_cookies_samesite_secure;
 
     size_t max_url_length;
     size_t max_name_length;
diff --git a/registry/registry_person.c b/registry/registry_person.c
index 268b0bd1..fae1520c 100644
--- a/registry/registry_person.c
+++ b/registry/registry_person.c
@@ -32,7 +32,7 @@ inline REGISTRY_PERSON_URL *registry_person_url_index_find(REGISTRY_PERSON *p, c
 
 inline REGISTRY_PERSON_URL *registry_person_url_index_add(REGISTRY_PERSON *p, REGISTRY_PERSON_URL *pu) {
     debug(D_REGISTRY, "Registry: registry_person_url_index_add('%s', '%s')", p->guid, pu->url->url);
-    REGISTRY_PERSON_URL *tpu = (REGISTRY_PERSON_URL *)avl_insert(&(p->person_urls), (avl *)(pu));
+    REGISTRY_PERSON_URL *tpu = (REGISTRY_PERSON_URL *)avl_insert(&(p->person_urls), (avl_t *)(pu));
     if(tpu != pu)
         error("Registry: registry_person_url_index_add('%s', '%s') already exists as '%s'", p->guid, pu->url->url, tpu->url->url);
 
@@ -41,7 +41,7 @@ inline REGISTRY_PERSON_URL *registry_person_url_index_add(REGISTRY_PERSON *p, RE
 
 inline REGISTRY_PERSON_URL *registry_person_url_index_del(REGISTRY_PERSON *p, REGISTRY_PERSON_URL *pu) {
     debug(D_REGISTRY, "Registry: registry_person_url_index_del('%s', '%s')", p->guid, pu->url->url);
-    REGISTRY_PERSON_URL *tpu = (REGISTRY_PERSON_URL *)avl_remove(&(p->person_urls), (avl *)(pu));
+    REGISTRY_PERSON_URL *tpu = (REGISTRY_PERSON_URL *)avl_remove(&(p->person_urls), (avl_t *)(pu));
     if(!tpu)
         error("Registry: registry_person_url_index_del('%s', '%s') deleted nothing", p->guid, pu->url->url);
     else if(tpu != pu)
diff --git a/registry/registry_person.h b/registry/registry_person.h
index 9a4aa959..42419bfe 100644
--- a/registry/registry_person.h
+++ b/registry/registry_person.h
@@ -10,7 +10,7 @@
 
 // for each PERSON-URL pair we keep this
 struct registry_person_url {
-    avl avl;                    // binary tree node
+    avl_t avl;                  // binary tree node
 
     REGISTRY_URL *url;          // de-duplicated URL
     REGISTRY_MACHINE *machine;  // link the MACHINE of this URL
diff --git a/registry/registry_url.c b/registry/registry_url.c
index 9ac3ce10..559799d8 100644
--- a/registry/registry_url.c
+++ b/registry/registry_url.c
@@ -13,11 +13,11 @@ int registry_url_compare(void *a, void *b) {
 }
 
 inline REGISTRY_URL *registry_url_index_add(REGISTRY_URL *u) {
-    return (REGISTRY_URL *)avl_insert(&(registry.registry_urls_root_index), (avl *)(u));
+    return (REGISTRY_URL *)avl_insert(&(registry.registry_urls_root_index), (avl_t *)(u));
 }
 
 inline REGISTRY_URL *registry_url_index_del(REGISTRY_URL *u) {
-    return (REGISTRY_URL *)avl_remove(&(registry.registry_urls_root_index), (avl *)(u));
+    return (REGISTRY_URL *)avl_remove(&(registry.registry_urls_root_index), (avl_t *)(u));
 }
 
 REGISTRY_URL *registry_url_get(const char *url, size_t urllen) {
@@ -33,7 +33,7 @@ REGISTRY_URL *registry_url_get(const char *url, size_t urllen) {
     strncpyz(n->url, url, n->len);
     n->hash = simple_hash(n->url);
 
-    REGISTRY_URL *u = (REGISTRY_URL *)avl_search(&(registry.registry_urls_root_index), (avl *)n);
+    REGISTRY_URL *u = (REGISTRY_URL *)avl_search(&(registry.registry_urls_root_index), (avl_t *)n);
     if(!u) {
         debug(D_REGISTRY, "Registry: registry_url_get('%s', %zu): allocating %zu bytes", url, urllen, sizeof(REGISTRY_URL) + urllen);
         u = callocz(1, sizeof(REGISTRY_URL) + urllen); // no need for +1, 1 is already in REGISTRY_URL
diff --git a/registry/registry_url.h b/registry/registry_url.h
index c684f1c3..0cc364fd 100644
--- a/registry/registry_url.h
+++ b/registry/registry_url.h
@@ -12,7 +12,7 @@
 // we store them here and we keep pointers elsewhere
 
 struct registry_url {
-    avl avl;
+    avl_t avl;
     uint32_t hash;  // the index hash
 
     uint32_t links; // the number of links to this URL - when none is left, we free it