package validator
import (
"regexp"
"github.com/go-webauthn/webauthn/protocol"
"github.com/authelia/authelia/v4/internal/oidc"
)
const (
	// loopback is the IPv4 loopback address literal.
	loopback = "127.0.0.1"

	// oauth2InstalledApp is the out-of-band ("oob") redirect URI used by
	// installed/native OAuth 2.0 applications. It is not an http(s) URL, so it
	// presumably needs special-casing wherever redirect URI schemes are checked
	// (see the errFmtOIDCClientRedirectURI* messages) — confirm in the caller.
	oauth2InstalledApp = "urn:ietf:wg:oauth:2.0:oob"
)
// Policy constants.
//
// The accepted values of the access control 'policy' options. They are
// collected in validACLRulePolicies and spelled out in
// errFmtAccessControlRuleInvalidPolicy; keep the three in step.
const (
	policyBypass    = "bypass"
	policyOneFactor = "one_factor"
	policyTwoFactor = "two_factor"
	policyDeny      = "deny"
)
// Hashing constants.
//
// The accepted values of the file authentication backend password 'algorithm'
// option; the same two names appear in errFmtFileAuthBackendPasswordUnknownAlg.
const (
	hashArgon2id = "argon2id"
	hashSHA512   = "sha512"
)
// Scheme constants.
//
// URL schemes recognised by the validators: the LDAP pair for the LDAP backend
// 'url' option (see errFmtLDAPAuthBackendURLInvalidScheme) and the HTTP pair
// for redirect and custom URLs (see errFmtOIDCClientRedirectURI and
// errFmtAuthBackendPasswordResetCustomURLScheme).
const (
	schemeLDAP  = "ldap"
	schemeLDAPS = "ldaps"

	schemeHTTP  = "http"
	schemeHTTPS = "https"
)
// Test constants.
//
// Fixture values shared by this package's tests. None of them is a real
// credential and none should be used as a default in a production code path.
const (
	testInvalidPolicy = "invalid"
	testJWTSecret     = "a_secret"
	testLDAPBaseDN    = "base_dn"
	testLDAPPassword  = "password"
	testLDAPURL       = "ldap://ldap"
	testLDAPUser      = "user"
	testModeDisabled  = "disable"

	// testEncryptionKey is 30 characters, which satisfies the 20 character
	// minimum stated by errStrStorageEncryptionKeyTooShort while being obviously
	// not a real key.
	testEncryptionKey = "a_not_so_secure_encryption_key"
)
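// Notifier Error constants.
//
// Each message is prefixed with the configuration path it concerns. The
// constants carrying '%s' / '%w' verbs are format strings that receive the
// offending value and, for '%w', the underlying error; the others are used as
// is.
const (
	errFmtNotifierMultipleConfigured = "notifier: please ensure only one of the 'smtp' or 'filesystem' notifier is configured"
	errFmtNotifierNotConfigured      = "notifier: you must ensure either the 'smtp' or 'filesystem' notifier " +
		"is configured"

	errFmtNotifierTemplatePathNotExist     = "notifier: option 'template_path' refers to location '%s' which does not exist"
	errFmtNotifierTemplatePathUnknownError = "notifier: option 'template_path' refers to location '%s' which couldn't be opened: %w"
	errFmtNotifierTemplateLoad             = "notifier: error loading template '%s': %w"

	// No trailing whitespace: this message is emitted verbatim and a trailing
	// space would surface in logs and in any test comparing the text.
	errFmtNotifierFileSystemFileNameNotConfigured = "notifier: filesystem: option 'filename' is required"
	errFmtNotifierSMTPNotConfigured               = "notifier: smtp: option '%s' is required"
)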
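// Authentication Backend Error constants.
//
// Every message is prefixed with the configuration path it concerns so the
// user can locate the option. The errFmt* constants are format strings: '%s'
// and '%d' receive the offending value(s) and '%w' the underlying error.
const (
	errFmtAuthBackendNotConfigured = "authentication_backend: you must ensure either the 'file' or 'ldap' " +
		"authentication backend is configured"
	errFmtAuthBackendMultipleConfigured = "authentication_backend: please ensure only one of the 'file' or 'ldap' " +
		"backend is configured"
	errFmtAuthBackendRefreshInterval = "authentication_backend: option 'refresh_interval' is configured to '%s' but " +
		"it must be either a duration notation or one of 'disable', or 'always': %w"

	errFmtAuthBackendPasswordResetCustomURLScheme = "authentication_backend: password_reset: option 'custom_url' is" +
		" configured to '%s' which has the scheme '%s' but the scheme must be either 'http' or 'https'"

	// File backend. The numeric bounds quoted below are the ones the messages
	// themselves state; the checks live in the validator that emits them.
	errFmtFileAuthBackendPathNotConfigured  = "authentication_backend: file: option 'path' is required"
	errFmtFileAuthBackendPasswordSaltLength = "authentication_backend: file: password: option 'salt_length' " +
		"must be 2 or more but it is configured as '%d'"
	errFmtFileAuthBackendPasswordUnknownAlg = "authentication_backend: file: password: option 'algorithm' " +
		"must be either 'argon2id' or 'sha512' but it is configured as '%s'"
	errFmtFileAuthBackendPasswordInvalidIterations = "authentication_backend: file: password: option " +
		"'iterations' must be 1 or more but it is configured as '%d'"
	errFmtFileAuthBackendPasswordArgon2idInvalidKeyLength = "authentication_backend: file: password: option " +
		"'key_length' must be 16 or more when using algorithm 'argon2id' but it is configured as '%d'"
	errFmtFileAuthBackendPasswordArgon2idInvalidParallelism = "authentication_backend: file: password: option " +
		"'parallelism' must be 1 or more when using algorithm 'argon2id' but it is configured as '%d'"
	// Takes three integers: parallelism, the derived minimum memory, and the configured memory.
	errFmtFileAuthBackendPasswordArgon2idInvalidMemory = "authentication_backend: file: password: option 'memory' " +
		"must at least be parallelism multiplied by 8 when using algorithm 'argon2id' " +
		"with parallelism %d it should be at least %d but it is configured as '%d'"

	// LDAP backend.
	errFmtLDAPAuthBackendMissingOption = "authentication_backend: ldap: option '%s' is required"
	errFmtLDAPAuthBackendTLSMinVersion = "authentication_backend: ldap: tls: option " +
		"'minimum_tls_version' is invalid: %s: %w"
	errFmtLDAPAuthBackendImplementation = "authentication_backend: ldap: option 'implementation' " +
		"is configured as '%s' but must be one of the following values: '%s'"
	errFmtLDAPAuthBackendFilterReplacedPlaceholders = "authentication_backend: ldap: option " +
		"'%s' has an invalid placeholder: '%s' has been removed, please use '%s' instead"
	errFmtLDAPAuthBackendURLNotParsable = "authentication_backend: ldap: option " +
		"'url' could not be parsed: %w"
	errFmtLDAPAuthBackendURLInvalidScheme = "authentication_backend: ldap: option " +
		"'url' must have either the 'ldap' or 'ldaps' scheme but it is configured as '%s'"
	// The two filter messages describe shape checks on the configured search
	// filters (enclosing parenthesis, required placeholder). NOTE(review): they
	// say nothing about escaping of the values substituted for the placeholders
	// at runtime — confirm that is handled where the filter is built.
	errFmtLDAPAuthBackendFilterEnclosingParenthesis = "authentication_backend: ldap: option " +
		"'%s' must contain enclosing parenthesis: '%s' should probably be '(%s)'"
	errFmtLDAPAuthBackendFilterMissingPlaceholder = "authentication_backend: ldap: option " +
		"'%s' must contain the placeholder '{%s}' but it is missing"
)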
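// TOTP Error constants.
//
// Format strings for the 'totp' section. errFmtTOTPInvalidAlgorithm takes the
// list of accepted algorithms followed by the configured one; the others take
// the configured integer (and, for 'secret_size', the minimum first).
const (
	errFmtTOTPInvalidAlgorithm = "totp: option 'algorithm' must be one of '%s' but it is configured as '%s'"
	errFmtTOTPInvalidPeriod    = "totp: option 'period' must be 15 or more but it is configured as '%d'"
	errFmtTOTPInvalidDigits    = "totp: option 'digits' must be 6 or 8 but it is configured as '%d'"
	// The nolint presumably silences the linter's hardcoded-credential heuristic,
	// which is triggered by the word "secret" in a string literal.
	errFmtTOTPInvalidSecretSize = "totp: option 'secret_size' must be %d or higher but it is configured as '%d'" //nolint:gosec
)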
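// Storage Error constants.
//
// errStr* constants are complete messages; errFmt* constants are format
// strings whose first '%s' is the storage provider name ('local', 'mysql' or
// 'postgres').
const (
	errStrStorage = "storage: configuration for a 'local', 'mysql' or 'postgres' database must be provided"

	errStrStorageEncryptionKeyMustBeProvided = "storage: option 'encryption_key' is required"
	errStrStorageEncryptionKeyTooShort       = "storage: option 'encryption_key' must be 20 characters or longer"

	errFmtStorageUserPassMustBeProvided   = "storage: %s: option 'username' and 'password' are required" //nolint:gosec
	errFmtStorageOptionMustBeProvided     = "storage: %s: option '%s' is required"
	errFmtStoragePostgreSQLInvalidSSLMode = "storage: postgres: ssl: option 'mode' must be one of '%s' but it is configured as '%s'"
)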
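// OpenID Error constants.
//
// Messages for the 'identity_providers.oidc' section. Where a message spans
// several string literals, each literal boundary carries the separating space
// so the concatenated text reads correctly.
const (
	errFmtOIDCNoClientsConfigured = "identity_providers: oidc: option 'clients' must have one or " +
		"more clients configured"
	errFmtOIDCNoPrivateKey = "identity_providers: oidc: option 'issuer_private_key' is required"
	errFmtOIDCEnforcePKCEInvalidValue = "identity_providers: oidc: option 'enforce_pkce' must be 'never', " +
		"'public_clients_only' or 'always', but it is configured as '%s'"

	// CORS. Origins are restricted to scheme, host and optional port; a path,
	// query or fragment is rejected with the component name substituted for '%s'.
	errFmtOIDCCORSInvalidOrigin                    = "identity_providers: oidc: cors: option 'allowed_origins' contains an invalid value '%s' as it has a %s: origins must only be scheme, hostname, and an optional port"
	errFmtOIDCCORSInvalidOriginWildcard            = "identity_providers: oidc: cors: option 'allowed_origins' contains the wildcard origin '*' with more than one origin but the wildcard origin must be defined by itself"
	errFmtOIDCCORSInvalidOriginWildcardWithClients = "identity_providers: oidc: cors: option 'allowed_origins' contains the wildcard origin '*' cannot be specified with option 'allowed_origins_from_client_redirect_uris' enabled"
	errFmtOIDCCORSInvalidEndpoint                  = "identity_providers: oidc: cors: option 'endpoints' contains an invalid value '%s': must be one of '%s'"

	// Clients.
	errFmtOIDCClientsDuplicateID = "identity_providers: oidc: one or more clients have the same id but all client " +
		"id's must be unique"
	errFmtOIDCClientsWithEmptyID = "identity_providers: oidc: one or more clients have been configured with " +
		"an empty id"
	errFmtOIDCClientInvalidSecret       = "identity_providers: oidc: client '%s': option 'secret' is required"
	errFmtOIDCClientPublicInvalidSecret = "identity_providers: oidc: client '%s': option 'secret' is " +
		"required to be empty when option 'public' is true"
	errFmtOIDCClientRedirectURI = "identity_providers: oidc: client '%s': option 'redirect_uris' has an " +
		"invalid value: redirect uri '%s' must have a scheme of 'http' or 'https' but '%s' is configured"
	// NOTE(review): this is the only message in the block that uses '%v' for the
	// underlying error rather than '%w'; a caller wrapping with fmt.Errorf will
	// therefore not be able to errors.Is/As the parse error. Left as is because
	// the verb is part of the contract with the caller.
	errFmtOIDCClientRedirectURICantBeParsed = "identity_providers: oidc: client '%s': option 'redirect_uris' has an " +
		"invalid value: redirect uri '%s' could not be parsed: %v"
	errFmtOIDCClientRedirectURIPublic = "identity_providers: oidc: client '%s': option 'redirect_uris' has the " +
		"redirect uri '%s' when option 'public' is false but this is invalid as this uri is not valid " +
		"for the openid connect confidential client type"
	errFmtOIDCClientRedirectURIAbsolute = "identity_providers: oidc: client '%s': option 'redirect_uris' has an " +
		"invalid value: redirect uri '%s' must have the scheme 'http' or 'https' but it has no scheme"
	errFmtOIDCClientInvalidPolicy = "identity_providers: oidc: client '%s': option 'policy' must be 'one_factor' " +
		"or 'two_factor' but it is configured as '%s'"
	errFmtOIDCClientInvalidEntry = "identity_providers: oidc: client '%s': option '%s' must only have the values " +
		"'%s' but one option is configured as '%s'"
	errFmtOIDCClientInvalidUserinfoAlgorithm = "identity_providers: oidc: client '%s': option " +
		"'userinfo_signing_algorithm' must be one of '%s' but it is configured as '%s'"

	// Sector identifier: must be a bare host (no scheme, path, query, etc.).
	errFmtOIDCClientInvalidSectorIdentifier = "identity_providers: oidc: client '%s': option " +
		"'sector_identifier' with value '%s': must be a URL with only the host component for example '%s' but it has a %s with the value '%s'"
	errFmtOIDCClientInvalidSectorIdentifierWithoutValue = "identity_providers: oidc: client '%s': option " +
		"'sector_identifier' with value '%s': must be a URL with only the host component for example '%s' but it has a %s"
	errFmtOIDCClientInvalidSectorIdentifierHost = "identity_providers: oidc: client '%s': option " +
		"'sector_identifier' with value '%s': must be a URL with only the host component but appears to be invalid"

	// NOTE(review): this message uses a different prefix ("openid connect
	// provider:") from the rest of the section; left unchanged as callers and
	// tests may match on it.
	errFmtOIDCServerInsecureParameterEntropy = "openid connect provider: SECURITY ISSUE - minimum parameter entropy is " +
		"configured to an unsafe value, it should be above 8 but it's configured to %d"
)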
// Webauthn Error constants.
const (
	// errFmtWebauthnConveyancePreference takes the list of accepted values
	// (presumably validWebauthnConveyancePreferences) followed by the configured
	// value.
	errFmtWebauthnConveyancePreference = "webauthn: option 'attestation_conveyance_preference' must be one of '%s' but it is configured as '%s'"
	// errFmtWebauthnUserVerification takes only the configured value; the
	// accepted values are hard-coded in the text and must be kept in step with
	// validWebauthnUserVerificationRequirement.
	errFmtWebauthnUserVerification = "webauthn: option 'user_verification' must be one of 'discouraged', 'preferred', 'required' but it is configured as '%s'"
)
// Access Control error constants.
//
// Rule messages take the rule's position/identifier as their first '%s'.
const (
	errFmtAccessControlDefaultPolicyValue = "access control: option 'default_policy' must be one of '%s' but it is " +
		"configured as '%s'"
	errFmtAccessControlDefaultPolicyWithoutRules = "access control: 'default_policy' option '%s' is invalid: when " +
		"no rules are specified it must be 'two_factor' or 'one_factor'"
	errFmtAccessControlNetworkGroupIPCIDRInvalid = "access control: networks: network group '%s' is invalid: the " +
		"network '%s' is not a valid IP or CIDR notation"
	// A warning rather than an error: with no rules the default policy applies
	// to every request, which the operator should be told explicitly.
	errFmtAccessControlWarnNoRulesDefaultPolicy = "access control: no rules have been specified so the " +
		"'default_policy' of '%s' is going to be applied to all requests"
	errFmtAccessControlRuleNoDomains = "access control: rule %s: rule is invalid: must have the option " +
		"'domain' or 'domain_regex' configured"
	errFmtAccessControlRuleInvalidPolicy = "access control: rule %s: rule 'policy' option '%s' " +
		"is invalid: must be one of 'deny', 'two_factor', 'one_factor' or 'bypass'"
	// The two bypass messages reject combining 'bypass' with anything that
	// depends on the requesting user's identity (a 'subject', or user/group named
	// matches in 'domain_regex'); presumably because a bypassed request is not
	// authenticated, so its identity is unknown when the rule is evaluated.
	// Despite the 'err' (not 'errFmt') prefix both carry a '%s' verb.
	errAccessControlRuleBypassPolicyInvalidWithSubjects = "access control: rule %s: 'policy' option 'bypass' is " +
		"not supported when 'subject' option is configured: see " +
		"https://www.authelia.com/docs/configuration/access-control.html#bypass"
	errAccessControlRuleBypassPolicyInvalidWithSubjectsWithGroupDomainRegex = "access control: rule %s: 'policy' option 'bypass' is " +
		"not supported when 'domain_regex' option contains the user or group named matches. For more information see: " +
		"https://www.authelia.com/docs/configuration/access-control.html#bypass-and-user-identity"
	errFmtAccessControlRuleNetworksInvalid = "access control: rule %s: the network '%s' is not a " +
		"valid Group Name, IP, or CIDR notation"
	errFmtAccessControlRuleSubjectInvalid = "access control: rule %s: 'subject' option '%s' is " +
		"invalid: must start with 'user:' or 'group:'"
	// The accepted methods list is validACLHTTPMethodVerbs, joined by the caller.
	errFmtAccessControlRuleMethodInvalid = "access control: rule %s: 'methods' option '%s' is " +
		"invalid: must be one of '%s'"
)
// Theme Error constants.
const (
	// errFmtThemeName takes the accepted list (validThemeNames) and the configured value.
	errFmtThemeName = "option 'theme' must be one of '%s' but it is configured as '%s'"
)
// NTP Error constants.
const (
	// errFmtNTPVersion takes the configured integer version.
	errFmtNTPVersion = "ntp: option 'version' must be either 3 or 4 but it is configured as '%d'"
)
// Session error constants.
//
// Messages for the 'session' section and its redis / high availability
// sub-sections.
const (
	errFmtSessionOptionRequired = "session: option '%s' is required"
	// The session cookie domain must be a concrete registrable domain; a
	// wildcard is rejected.
	errFmtSessionDomainMustBeRoot = "session: option 'domain' must be the domain you wish to protect not a wildcard domain but it is configured as '%s'"
	errFmtSessionSameSite         = "session: option 'same_site' must be one of '%s' but is configured as '%s'"
	// Takes the provider name for which a 'secret' is mandatory.
	errFmtSessionSecretRequired = "session: option 'secret' is required when using the '%s' provider"

	errFmtSessionRedisPortRange               = "session: redis: option 'port' must be between 1 and 65535 but is configured as '%d'"
	errFmtSessionRedisHostRequired            = "session: redis: option 'host' is required"
	errFmtSessionRedisHostOrNodesRequired     = "session: redis: option 'host' or the 'high_availability' option 'nodes' is required"
	errFmtSessionRedisSentinelMissingName     = "session: redis: high_availability: option 'sentinel_name' is required"
	errFmtSessionRedisSentinelNodeHostMissing = "session: redis: high_availability: option 'nodes': option 'host' is required for each node but one or more nodes are missing this"
)
// Regulation Error Consts.
const (
	// Despite the Fmt prefix this message carries no verbs and is used verbatim.
	errFmtRegulationFindTimeGreaterThanBanTime = "regulation: option 'find_time' must be less than or equal to option 'ban_time'"
)
// Server Error constants.
const (
	// TLS: certificate and key must be configured together, the referenced
	// files must exist, and client certificate authentication requires a server
	// certificate/key pair.
	errFmtServerTLSCert                           = "server: tls: option 'key' must also be accompanied by option 'certificate'"
	errFmtServerTLSKey                            = "server: tls: option 'certificate' must also be accompanied by option 'key'"
	errFmtServerTLSCertFileDoesNotExist           = "server: tls: file path %s provided in 'certificate' does not exist"
	errFmtServerTLSKeyFileDoesNotExist            = "server: tls: file path %s provided in 'key' does not exist"
	errFmtServerTLSClientAuthCertFileDoesNotExist = "server: tls: client_certificates: certificates: file path %s does not exist"
	errFmtServerTLSClientAuthNoAuth               = "server: tls: client authentication cannot be configured if no server certificate and key are provided"

	// 'path' is a single alphanumeric segment; slashes are rejected.
	errFmtServerPathNoForwardSlashes = "server: option 'path' must not contain any forward slashes"
	errFmtServerPathAlphaNum         = "server: option 'path' must only contain alpha numeric characters"
	// The first verb receives "read" or "write" to name the buffer option.
	errFmtServerBufferSize = "server: option '%s_buffer_size' must be above 0 but it is configured as '%d'"
)
// Error constants.
//
// Messages that are not specific to one configuration section: key
// replacement/deprecation notices and the logging level check.
const (
	/*
		errFmtDeprecatedConfigurationKey = "the %s configuration option is deprecated and will be " +
			"removed in %s, please use %s instead"

		Uncomment for use when deprecating keys.

		TODO: Create a method from within Koanf to automatically remap deprecated keys and produce warnings.
		TODO (cont): The main consideration is making sure we do not overwrite the destination key name if it already exists.
	*/

	// errFmtReplacedConfigurationKey takes the old key and the key that replaced it.
	errFmtReplacedConfigurationKey = "invalid configuration key '%s' was replaced by '%s'"

	// errFmtLoggingLevelInvalid takes the accepted list (validLoLevels) and the configured value.
	errFmtLoggingLevelInvalid = "log: option 'level' must be one of '%s' but it is configured as '%s'"

	// Fixed-text notices for the renamed file backend password hashing keys.
	errFileHashing  = "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password"
	errFilePHashing = "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password"
	errFilePOptions = "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password"
)
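// validStoragePostgreSQLSSLModes lists the accepted values of the PostgreSQL
// 'ssl.mode' option (see errFmtStoragePostgreSQLInvalidSSLMode). The literal
// "disable" is used rather than the test fixture constant testModeDisabled so
// that production validation does not depend on a test-only name. Note that
// only "verify-ca" and "verify-full" authenticate the server certificate;
// "require" encrypts without verifying it.
var validStoragePostgreSQLSSLModes = []string{"disable", "require", "verify-ca", "verify-full"}

// validThemeNames lists the accepted values of the 'theme' option.
var validThemeNames = []string{"light", "dark", "grey", "auto"}

// validSessionSameSiteValues lists the accepted values of 'session.same_site'.
var validSessionSameSiteValues = []string{"none", "lax", "strict"}

// validLoLevels lists the accepted values of 'log.level'. The name is a typo
// for validLogLevels; it is kept because it is presumably referenced elsewhere
// in the package.
var validLoLevels = []string{"trace", "debug", "info", "warn", "error"}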
// validWebauthnConveyancePreferences lists the accepted values of the
// 'webauthn.attestation_conveyance_preference' option. The values are taken
// from the go-webauthn protocol package rather than spelled out here so they
// track that library.
var validWebauthnConveyancePreferences = []string{string(protocol.PreferNoAttestation), string(protocol.PreferIndirectAttestation), string(protocol.PreferDirectAttestation)}

// validWebauthnUserVerificationRequirement lists the accepted values of the
// 'webauthn.user_verification' option; errFmtWebauthnUserVerification
// hard-codes the same three names in its text.
var validWebauthnUserVerificationRequirement = []string{string(protocol.VerificationDiscouraged), string(protocol.VerificationPreferred), string(protocol.VerificationRequired)}
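// validRFC7231HTTPMethodVerbs are the standard HTTP request methods accepted
// by an access control rule's 'methods' option.
var validRFC7231HTTPMethodVerbs = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"}

// validRFC4918HTTPMethodVerbs are the WebDAV request methods accepted by an
// access control rule's 'methods' option.
var validRFC4918HTTPMethodVerbs = []string{"COPY", "LOCK", "MKCOL", "MOVE", "PROPFIND", "PROPPATCH", "UNLOCK"}

// validACLHTTPMethodVerbs is the union of the two lists above, in that order
// (see errFmtAccessControlRuleMethodInvalid). It is built into a backing array
// of its own so that it never aliases either source list, whatever their
// capacities; appending to one of the three can therefore not alter another.
var validACLHTTPMethodVerbs = append(
	append(make([]string, 0, len(validRFC7231HTTPMethodVerbs)+len(validRFC4918HTTPMethodVerbs)), validRFC7231HTTPMethodVerbs...),
	validRFC4918HTTPMethodVerbs...,
)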
// validACLRulePolicies lists the accepted values of an access control rule
// 'policy' option; errFmtAccessControlRuleInvalidPolicy spells out the same
// four values in its text.
var validACLRulePolicies = []string{policyBypass, policyOneFactor, policyTwoFactor, policyDeny}
// validOIDCScopes lists the scopes a client may be configured with. The OIDC
// scope names come from the oidc package; "offline_access" is a literal here.
// NOTE(review): if the oidc package defines a constant for it, prefer that so
// the scope names live in one place.
var validOIDCScopes = []string{oidc.ScopeOpenID, oidc.ScopeEmail, oidc.ScopeProfile, oidc.ScopeGroups, "offline_access"}
// validOIDCGrantTypes lists the grant types a client may be configured with
// (presumably checked via errFmtOIDCClientInvalidEntry). NOTE(review): the
// 'implicit' and 'password' grants are the ones current OAuth 2.0 security
// guidance recommends against; accepting them here is a policy choice that
// should stay deliberate.
var validOIDCGrantTypes = []string{"implicit", "refresh_token", "authorization_code", "password", "client_credentials"}

// validOIDCResponseModes lists the response modes a client may be configured with.
var validOIDCResponseModes = []string{"form_post", "query", "fragment"}
// validOIDCUserinfoAlgorithms lists the accepted values of a client's
// 'userinfo_signing_algorithm' option (see errFmtOIDCClientInvalidUserinfoAlgorithm).
// "none" presumably means the userinfo response is returned as plain, unsigned
// JSON rather than a JWT — confirm against the provider implementation.
var validOIDCUserinfoAlgorithms = []string{"none", "RS256"}
// validOIDCCORSEndpoints lists the endpoint names the 'cors.endpoints' option
// may contain (see errFmtOIDCCORSInvalidEndpoint); the names come from the
// oidc package.
var validOIDCCORSEndpoints = []string{oidc.AuthorizationEndpoint, oidc.TokenEndpoint, oidc.IntrospectionEndpoint, oidc.RevocationEndpoint, oidc.UserinfoEndpoint}
// reKeyReplacer matches an index segment such as "[0]" or "[12]" in a
// configuration key. It appears intended to normalise indexed keys to the "[]"
// form used in ValidKeys (e.g. "access_control.rules[].domain") before lookup
// — confirm against the caller.
var reKeyReplacer = regexp.MustCompile(`\[\d+]`)
// ValidKeys is a list of valid keys that are not secret names. For the sake of consistency please place any secret in
// the secret names map and reuse it in relevant sections.
var ValidKeys = [ ] string {
// Root Keys.
"certificates_directory" ,
"theme" ,
"default_redirection_url" ,
"jwt_secret" ,
// Log keys.
"log.level" ,
"log.format" ,
"log.file_path" ,
"log.keep_stdout" ,
// Server Keys.
"server.host" ,
"server.port" ,
"server.read_buffer_size" ,
"server.write_buffer_size" ,
"server.path" ,
"server.asset_path" ,
"server.enable_pprof" ,
"server.enable_expvars" ,
"server.disable_healthcheck" ,
"server.tls.key" ,
"server.tls.certificate" ,
"server.headers.csp_template" ,
// TOTP Keys.
"totp.disable" ,
"totp.issuer" ,
"totp.algorithm" ,
"totp.digits" ,
"totp.period" ,
"totp.skew" ,
"totp.secret_size" ,
// Webauthn Keys.
"webauthn.disable" ,
"webauthn.display_name" ,
"webauthn.attestation_conveyance_preference" ,
"webauthn.user_verification" ,
"webauthn.timeout" ,
// DUO API Keys.
"duo_api.hostname" ,
"duo_api.enable_self_enrollment" ,
"duo_api.secret_key" ,
"duo_api.integration_key" ,
// Access Control Keys.
"access_control.default_policy" ,
"access_control.networks" ,
"access_control.networks[].name" ,
"access_control.networks[].networks" ,
"access_control.rules" ,
"access_control.rules[].domain" ,
"access_control.rules[].domain_regex" ,
"access_control.rules[].methods" ,
"access_control.rules[].networks" ,
"access_control.rules[].subject" ,
"access_control.rules[].policy" ,
"access_control.rules[].resources" ,
// Session Keys.
"session.name" ,
"session.domain" ,
"session.secret" ,
"session.same_site" ,
"session.expiration" ,
"session.inactivity" ,
"session.remember_me_duration" ,
// Redis Session Keys.
"session.redis.host" ,
"session.redis.port" ,
"session.redis.username" ,
"session.redis.password" ,
"session.redis.database_index" ,
"session.redis.maximum_active_connections" ,
"session.redis.minimum_idle_connections" ,
"session.redis.tls.minimum_version" ,
"session.redis.tls.skip_verify" ,
"session.redis.tls.server_name" ,
"session.redis.high_availability.sentinel_name" ,
"session.redis.high_availability.sentinel_username" ,
"session.redis.high_availability.sentinel_password" ,
"session.redis.high_availability.nodes" ,
"session.redis.high_availability.nodes[].host" ,
"session.redis.high_availability.nodes[].port" ,
"session.redis.high_availability.route_by_latency" ,
"session.redis.high_availability.route_randomly" ,
// Storage Keys.
"storage.encryption_key" ,
// Local Storage Keys.
"storage.local.path" ,
// MySQL Storage Keys.
"storage.mysql.host" ,
"storage.mysql.port" ,
"storage.mysql.database" ,
"storage.mysql.username" ,
"storage.mysql.password" ,
"storage.mysql.timeout" ,
// PostgreSQL Storage Keys.
"storage.postgres.host" ,
"storage.postgres.port" ,
"storage.postgres.database" ,
"storage.postgres.username" ,
"storage.postgres.password" ,
"storage.postgres.timeout" ,
"storage.postgres.schema" ,
"storage.postgres.ssl.mode" ,
"storage.postgres.ssl.root_certificate" ,
"storage.postgres.ssl.certificate" ,
"storage.postgres.ssl.key" ,
"storage.postgres.sslmode" , // Deprecated. TODO: Remove in v4.36.0.
// FileSystem Notifier Keys.
"notifier.filesystem.filename" ,
"notifier.disable_startup_check" ,
// SMTP Notifier Keys.
"notifier.smtp.host" ,
"notifier.smtp.port" ,
"notifier.smtp.timeout" ,
"notifier.smtp.username" ,
"notifier.smtp.password" ,
"notifier.smtp.identifier" ,
"notifier.smtp.sender" ,
"notifier.smtp.subject" ,
"notifier.smtp.startup_check_address" ,
"notifier.smtp.disable_require_tls" ,
"notifier.smtp.disable_html_emails" ,
"notifier.smtp.tls.minimum_version" ,
"notifier.smtp.tls.skip_verify" ,
"notifier.smtp.tls.server_name" ,
"notifier.template_path" ,
// Regulation Keys.
"regulation.max_retries" ,
"regulation.find_time" ,
"regulation.ban_time" ,
// Authentication Backend Keys.
"authentication_backend.disable_reset_password" ,
"authentication_backend.password_reset.custom_url" ,
"authentication_backend.refresh_interval" ,
// LDAP Authentication Backend Keys.
"authentication_backend.ldap.implementation" ,
"authentication_backend.ldap.url" ,
"authentication_backend.ldap.timeout" ,
"authentication_backend.ldap.base_dn" ,
"authentication_backend.ldap.username_attribute" ,
"authentication_backend.ldap.additional_users_dn" ,
"authentication_backend.ldap.users_filter" ,
"authentication_backend.ldap.additional_groups_dn" ,
"authentication_backend.ldap.groups_filter" ,
"authentication_backend.ldap.group_name_attribute" ,
"authentication_backend.ldap.mail_attribute" ,
"authentication_backend.ldap.display_name_attribute" ,
"authentication_backend.ldap.user" ,
"authentication_backend.ldap.password" ,
"authentication_backend.ldap.start_tls" ,
"authentication_backend.ldap.tls.minimum_version" ,
"authentication_backend.ldap.tls.skip_verify" ,
"authentication_backend.ldap.tls.server_name" ,
// File Authentication Backend Keys.
"authentication_backend.file.path" ,
"authentication_backend.file.password.algorithm" ,
"authentication_backend.file.password.iterations" ,
"authentication_backend.file.password.key_length" ,
"authentication_backend.file.password.salt_length" ,
"authentication_backend.file.password.memory" ,
"authentication_backend.file.password.parallelism" ,
// Identity Provider Keys.
"identity_providers.oidc.hmac_secret" ,
"identity_providers.oidc.issuer_private_key" ,
"identity_providers.oidc.id_token_lifespan" ,
"identity_providers.oidc.access_token_lifespan" ,
"identity_providers.oidc.refresh_token_lifespan" ,
"identity_providers.oidc.authorize_code_lifespan" ,
"identity_providers.oidc.enforce_pkce" ,
"identity_providers.oidc.enable_pkce_plain_challenge" ,
"identity_providers.oidc.enable_client_debug_messages" ,
"identity_providers.oidc.minimum_parameter_entropy" ,
"identity_providers.oidc.cors.endpoints" ,
"identity_providers.oidc.cors.allowed_origins" ,
"identity_providers.oidc.cors.enable_origins_from_clients" ,
"identity_providers.oidc.clients" ,
"identity_providers.oidc.clients[].id" ,
"identity_providers.oidc.clients[].description" ,
"identity_providers.oidc.clients[].secret" ,
"identity_providers.oidc.clients[].sector_identifier" ,
"identity_providers.oidc.clients[].public" ,
"identity_providers.oidc.clients[].redirect_uris" ,
"identity_providers.oidc.clients[].authorization_policy" ,
"identity_providers.oidc.clients[].scopes" ,
"identity_providers.oidc.clients[].audience" ,
"identity_providers.oidc.clients[].grant_types" ,
"identity_providers.oidc.clients[].response_types" ,
"identity_providers.oidc.clients[].response_modes" ,
"identity_providers.oidc.clients[].userinfo_signing_algorithm" ,
// NTP keys.
"ntp.address" ,
"ntp.version" ,
"ntp.max_desync" ,
"ntp.disable_startup_check" ,
"ntp.disable_failure" ,
// Password Policy keys.
"password_policy.standard.enabled" ,
"password_policy.standard.min_length" ,
"password_policy.standard.max_length" ,
"password_policy.standard.require_uppercase" ,
"password_policy.standard.require_lowercase" ,
"password_policy.standard.require_number" ,
"password_policy.standard.require_special" ,
"password_policy.zxcvbn.enabled" ,
"password_policy.zxcvbn.min_score" ,
}
// replacedKeys maps previously used configuration keys to the keys that
// replaced them. The map key is the old key and the value is the key that
// should be used in its place.
var replacedKeys = map[string]string{
	// Top-level logging keys that moved under the log section.
	"logs_level":     "log.level",
	"log_level":      "log.level",
	"logs_file_path": "log.file_path",
	"log_file_path":  "log.file_path",
	"log_format":     "log.format",

	// Top-level listener and TLS keys that moved under the server section.
	"host":     "server.host",
	"port":     "server.port",
	"tls_key":  "server.tls.key",
	"tls_cert": "server.tls.certificate",

	// Per-backend TLS options that moved under a dedicated tls sub-section.
	"authentication_backend.ldap.skip_verify":         "authentication_backend.ldap.tls.skip_verify",
	"authentication_backend.ldap.minimum_tls_version": "authentication_backend.ldap.tls.minimum_version",
	"notifier.smtp.disable_verify_cert":               "notifier.smtp.tls.skip_verify",
}
// specificErrorKeys maps configuration keys to a key-specific error message.
// Two kinds of keys are listed: keys that were removed outright and carry their
// own message, and keys from a whole renamed section, where every key of the old
// section shares one message. The shared messages errFilePOptions,
// errFilePHashing and errFileHashing are declared elsewhere in this package.
var specificErrorKeys = map[string]string{
	// Keys removed outright.
	"google_analytics": "config key removed: google_analytics - this functionality has been deprecated",
	"notifier.smtp.trusted_cert": "invalid configuration key 'notifier.smtp.trusted_cert' it has been removed, option has been replaced by the global option 'certificates_directory'",

	// Former authentication_backend.file.hashing section.
	"authentication_backend.file.hashing.algorithm":   errFileHashing,
	"authentication_backend.file.hashing.iterations":  errFileHashing,
	"authentication_backend.file.hashing.key_length":  errFileHashing,
	"authentication_backend.file.hashing.salt_length": errFileHashing,
	"authentication_backend.file.hashing.memory":      errFileHashing,
	"authentication_backend.file.hashing.parallelism": errFileHashing,

	// Former authentication_backend.file.password_hashing section.
	"authentication_backend.file.password_hashing.algorithm":   errFilePHashing,
	"authentication_backend.file.password_hashing.iterations":  errFilePHashing,
	"authentication_backend.file.password_hashing.key_length":  errFilePHashing,
	"authentication_backend.file.password_hashing.salt_length": errFilePHashing,
	"authentication_backend.file.password_hashing.memory":      errFilePHashing,
	"authentication_backend.file.password_hashing.parallelism": errFilePHashing,

	// Former authentication_backend.file.password_options section.
	"authentication_backend.file.password_options.algorithm":   errFilePOptions,
	"authentication_backend.file.password_options.iterations":  errFilePOptions,
	"authentication_backend.file.password_options.key_length":  errFilePOptions,
	"authentication_backend.file.password_options.salt_length": errFilePOptions,
	"authentication_backend.file.password_options.memory":      errFilePOptions,
	"authentication_backend.file.password_options.parallelism": errFilePOptions,
}