Add task for filtering non-whitelisted configs

Signed-off-by: nicole mikołajczyk <git@mkljczk.pl>

changelog.d/database-config-whitelist.add

@@ -0,0 +1 @@
+Add reasonable defaults for :database_config_whitelist

docs/administration/CLI_tasks/config.md

@@ -170,3 +170,17 @@ This forcibly removes any enabled MRF that does not exist and will fix the abili
     ```sh
     mix pleroma.config fix_mrf_policies
     ```
+
+## Remove non-whitelisted configs from the database
+
+This removes any configuration value that is not explicitly whitelisted by `:pleroma, :database_config_whitelist`. Might be useful after updating the whitelist.
+
+=== "OTP"
+    ```sh
+    ./bin/pleroma_ctl config filter_whitelisted
+    ```
+
+=== "From Source"
+    ```sh
+    mix pleroma.config filter_whitelisted
+    ```

lib/mix/tasks/pleroma/config.ex

@@ -234,6 +234,57 @@ defmodule Mix.Tasks.Pleroma.Config do
     end)
   end
 
+  # Removes non-whitelisted configuration sections
+  def run(["filter_whitelisted" | rest]) do
+    {options, [], []} =
+      OptionParser.parse(
+        rest,
+        strict: [force: :boolean],
+        aliases: [f: :force]
+      )
+
+    force = Keyword.get(options, :force, false)
+
+    start_pleroma()
+
+    whitelisted_configs = Pleroma.Config.get(:database_config_whitelist)
+
+    whitelisted_groups =
+      whitelisted_configs
+      |> Enum.filter(fn
+        {_group} -> true
+        _ -> false
+      end)
+      |> Enum.map(fn {group} -> group end)
+
+    whitelisted_keys =
+      whitelisted_configs
+      |> Enum.filter(fn
+        {_group, _key} -> true
+        _ -> false
+      end)
+
+    filtered =
+      from(c in ConfigDB)
+      |> Repo.all()
+      |> Enum.filter(&not_whitelisted?(&1, whitelisted_groups, whitelisted_keys))
+
+    if not Enum.empty?(filtered) do
+      shell_info("The following settings will be removed from ConfigDB:\n")
+      Enum.each(filtered, &dump(&1))
+
+      if force or shell_prompt("Are you sure you want to continue?", "n") in ~w(Yn Y y) do
+        filtered_ids = Enum.map(filtered, fn %{id: id} -> id end)
+
+        Repo.delete_all(from(c in ConfigDB, where: c.id in ^filtered_ids))
+      else
+        shell_error("No changes made.")
+      end
+    else
+      shell_error("No unwanted settings in ConfigDB. No changes made.")
+    end
+  end
+
   @spec migrate_to_db(Path.t() | nil) :: any()
   def migrate_to_db(file_path \\ nil) do
     with :ok <- Pleroma.Config.DeprecationWarnings.warn() do
@@ -434,4 +485,9 @@ defmodule Mix.Tasks.Pleroma.Config do
     Ecto.Adapters.SQL.query!(Repo, "TRUNCATE config;")
     Ecto.Adapters.SQL.query!(Repo, "ALTER SEQUENCE config_id_seq RESTART;")
   end
+
+  defp not_whitelisted?(%{group: group, key: key}, whitelisted_groups, whitelisted_keys) do
+    not Enum.member?(whitelisted_groups, group) and
+      not Enum.member?(whitelisted_keys, {group, key})
+  end
 end

test/mix/tasks/pleroma/config_test.exs

@@ -329,5 +329,23 @@ defmodule Mix.Tasks.Pleroma.ConfigTest do
 
       assert config_records() == []
     end
+
+    test "filters non-whitelisted settings" do
+      clear_config(:database_config_whitelist, [
+        {:pleroma},
+        {:web_push_encryption, :vapid_details}
+      ])
+
+      insert_config_record(:web_push_encryption, :non_whitelisted_key, a: 1)
+      insert_config_record(:web_push_encryption, :vapid_details, b: 1)
+
+      MixTask.run(["filter_whitelisted", "--force"])
+
+      assert [
+               %ConfigDB{group: :pleroma, key: :instance},
+               %ConfigDB{group: :pleroma, key: Pleroma.Captcha},
+               %ConfigDB{group: :web_push_encryption, key: :vapid_details}
+             ] = config_records()
+    end
   end
 end