RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/configuration/validator/server.go

187 lines
6.2 KiB
Go
Raw Normal View History

[FEATURE] Buffer size configuration and additional http error handling (#944) * implement read buffer size config option * implement write buffer size config option * implement fasthttp ErrorHandler so we can log errors to Authelia as well * add struct/schema validation * add default value * add docs * add config key to validator * refactoring * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 02:03:05 +00:00
package validator
import (
"fmt"
[FEATURE] Allow Authelia to listen on a specified path (#1027) * [FEATURE] Allow Authelia to listen on a specified path * Fix linting and add a couple typescript types * Template index.html to support base_url * Update docs and configuration template * Access base path from body attribute. * Update CSP * Fix unit test Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful. * Template index.html with ${PUBLIC_URL} * Define PUBLIC_URL in .env(s) * Add docs clarification Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 02:20:55 +00:00
"path"
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
"sort"
[FEATURE] Allow Authelia to listen on a specified path (#1027) * [FEATURE] Allow Authelia to listen on a specified path * Fix linting and add a couple typescript types * Template index.html to support base_url * Update docs and configuration template * Access base path from body attribute. * Update CSP * Fix unit test Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful. * Template index.html with ${PUBLIC_URL} * Define PUBLIC_URL in .env(s) * Add docs clarification Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 02:20:55 +00:00
"strings"
[FEATURE] Buffer size configuration and additional http error handling (#944) * implement read buffer size config option * implement write buffer size config option * implement fasthttp ErrorHandler so we can log errors to Authelia as well * add struct/schema validation * add default value * add docs * add config key to validator * refactoring * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 02:03:05 +00:00
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/configuration/schema"
"github.com/authelia/authelia/v4/internal/utils"
[FEATURE] Buffer size configuration and additional http error handling (#944) * implement read buffer size config option * implement write buffer size config option * implement fasthttp ErrorHandler so we can log errors to Authelia as well * add struct/schema validation * add default value * add docs * add config key to validator * refactoring * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 02:03:05 +00:00
)
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041
2022-04-04 23:57:47 +00:00
// validateFileExists checks whether a file exist.
func validateFileExists(path string, validator *schema.StructValidator, errTemplate string) {
exist, err := utils.FileExists(path)
if err != nil {
validator.Push(fmt.Errorf("tls: unable to check if file %s exists: %s", path, err))
}
if !exist {
validator.Push(fmt.Errorf(errTemplate, path))
}
}
// ValidateServerTLS checks a server TLS configuration is correct.
func ValidateServerTLS(config *schema.Configuration, validator *schema.StructValidator) {
if config.Server.TLS.Key != "" && config.Server.TLS.Certificate == "" {
validator.Push(fmt.Errorf(errFmtServerTLSCert))
} else if config.Server.TLS.Key == "" && config.Server.TLS.Certificate != "" {
validator.Push(fmt.Errorf(errFmtServerTLSKey))
}
if config.Server.TLS.Key != "" {
validateFileExists(config.Server.TLS.Key, validator, errFmtServerTLSKeyFileDoesNotExist)
}
if config.Server.TLS.Certificate != "" {
validateFileExists(config.Server.TLS.Certificate, validator, errFmtServerTLSCertFileDoesNotExist)
}
if config.Server.TLS.Key == "" && config.Server.TLS.Certificate == "" &&
len(config.Server.TLS.ClientCertificates) > 0 {
validator.Push(fmt.Errorf(errFmtServerTLSClientAuthNoAuth))
}
for _, clientCertPath := range config.Server.TLS.ClientCertificates {
validateFileExists(clientCertPath, validator, errFmtServerTLSClientAuthCertFileDoesNotExist)
}
}
[FEATURE] Buffer size configuration and additional http error handling (#944) * implement read buffer size config option * implement write buffer size config option * implement fasthttp ErrorHandler so we can log errors to Authelia as well * add struct/schema validation * add default value * add docs * add config key to validator * refactoring * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 02:03:05 +00:00
// ValidateServer checks a server configuration is correct.
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 03:15:01 +00:00
func ValidateServer(config *schema.Configuration, validator *schema.StructValidator) {
if config.Server.Host == "" {
config.Server.Host = schema.DefaultServerConfiguration.Host
feat(configuration): replace several configuration options (#2209) This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration. BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0
2021-08-02 11:55:30 +00:00
}
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 03:15:01 +00:00
if config.Server.Port == 0 {
config.Server.Port = schema.DefaultServerConfiguration.Port
feat(configuration): replace several configuration options (#2209) This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration. BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0
2021-08-02 11:55:30 +00:00
}
feat: implement mutual tls in the web server (#3065) Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface. Fixes #3041
2022-04-04 23:57:47 +00:00
ValidateServerTLS(config, validator)
feat(configuration): replace several configuration options (#2209) This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration. BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0
2021-08-02 11:55:30 +00:00
[FEATURE] Allow Authelia to listen on a specified path (#1027) * [FEATURE] Allow Authelia to listen on a specified path * Fix linting and add a couple typescript types * Template index.html to support base_url * Update docs and configuration template * Access base path from body attribute. * Update CSP * Fix unit test Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful. * Template index.html with ${PUBLIC_URL} * Define PUBLIC_URL in .env(s) * Add docs clarification Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 02:20:55 +00:00
switch {
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 03:15:01 +00:00
case strings.Contains(config.Server.Path, "/"):
validator.Push(fmt.Errorf(errFmtServerPathNoForwardSlashes))
case !utils.IsStringAlphaNumeric(config.Server.Path):
validator.Push(fmt.Errorf(errFmtServerPathAlphaNum))
case config.Server.Path == "": // Don't do anything if it's blank.
break
[FEATURE] Allow Authelia to listen on a specified path (#1027) * [FEATURE] Allow Authelia to listen on a specified path * Fix linting and add a couple typescript types * Template index.html to support base_url * Update docs and configuration template * Access base path from body attribute. * Update CSP * Fix unit test Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful. * Template index.html with ${PUBLIC_URL} * Define PUBLIC_URL in .env(s) * Add docs clarification Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 02:20:55 +00:00
default:
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 03:15:01 +00:00
config.Server.Path = path.Clean("/" + config.Server.Path)
[FEATURE] Allow Authelia to listen on a specified path (#1027) * [FEATURE] Allow Authelia to listen on a specified path * Fix linting and add a couple typescript types * Template index.html to support base_url * Update docs and configuration template * Access base path from body attribute. * Update CSP * Fix unit test Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful. * Template index.html with ${PUBLIC_URL} * Define PUBLIC_URL in .env(s) * Add docs clarification Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 02:20:55 +00:00
}
refactor(server): use errgroup to supervise services (#3755) Uses the errgroup package and pattern for supervising services like servers etc.
2022-08-08 21:50:12 +00:00
if config.Server.Buffers.Read <= 0 {
config.Server.Buffers.Read = schema.DefaultServerConfiguration.Buffers.Read
[FEATURE] Buffer size configuration and additional http error handling (#944) * implement read buffer size config option * implement write buffer size config option * implement fasthttp ErrorHandler so we can log errors to Authelia as well * add struct/schema validation * add default value * add docs * add config key to validator * refactoring * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 02:03:05 +00:00
}
refactor(server): use errgroup to supervise services (#3755) Uses the errgroup package and pattern for supervising services like servers etc.
2022-08-08 21:50:12 +00:00
if config.Server.Buffers.Write <= 0 {
config.Server.Buffers.Write = schema.DefaultServerConfiguration.Buffers.Write
}
if config.Server.Timeouts.Read <= 0 {
config.Server.Timeouts.Read = schema.DefaultServerConfiguration.Timeouts.Read
}
if config.Server.Timeouts.Write <= 0 {
config.Server.Timeouts.Write = schema.DefaultServerConfiguration.Timeouts.Write
}
if config.Server.Timeouts.Idle <= 0 {
config.Server.Timeouts.Idle = schema.DefaultServerConfiguration.Timeouts.Idle
[FEATURE] Buffer size configuration and additional http error handling (#944) * implement read buffer size config option * implement write buffer size config option * implement fasthttp ErrorHandler so we can log errors to Authelia as well * add struct/schema validation * add default value * add docs * add config key to validator * refactoring * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 02:03:05 +00:00
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 09:36:40 +00:00
ValidateServerEndpoints(config, validator)
}
// ValidateServerEndpoints configures the default endpoints and checks the configuration of custom endpoints.
func ValidateServerEndpoints(config *schema.Configuration, validator *schema.StructValidator) {
if config.Server.Endpoints.EnableExpvars {
validator.PushWarning(fmt.Errorf("server: endpoints: option 'enable_expvars' should not be enabled in production"))
}
if config.Server.Endpoints.EnablePprof {
validator.PushWarning(fmt.Errorf("server: endpoints: option 'enable_pprof' should not be enabled in production"))
}
if len(config.Server.Endpoints.Authz) == 0 {
config.Server.Endpoints.Authz = schema.DefaultServerConfiguration.Endpoints.Authz
return
}
authzs := make([]string, 0, len(config.Server.Endpoints.Authz))
for name := range config.Server.Endpoints.Authz {
authzs = append(authzs, name)
}
sort.Strings(authzs)
for _, name := range authzs {
endpoint := config.Server.Endpoints.Authz[name]
validateServerEndpointsAuthzEndpoint(config, name, endpoint, validator)
for _, oName := range authzs {
oEndpoint := config.Server.Endpoints.Authz[oName]
if oName == name || oName == legacy {
continue
}
switch oEndpoint.Implementation {
case authzImplementationLegacy, authzImplementationExtAuthz:
if strings.HasPrefix(name, oName+"/") {
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzPrefixDuplicate, name, oName, oEndpoint.Implementation))
}
default:
continue
}
}
validateServerEndpointsAuthzStrategies(name, endpoint.AuthnStrategies, validator)
}
}
func validateServerEndpointsAuthzEndpoint(config *schema.Configuration, name string, endpoint schema.ServerAuthzEndpoint, validator *schema.StructValidator) {
if name == legacy {
switch endpoint.Implementation {
case authzImplementationLegacy:
break
case "":
endpoint.Implementation = authzImplementationLegacy
config.Server.Endpoints.Authz[name] = endpoint
default:
if !utils.IsStringInSlice(endpoint.Implementation, validAuthzImplementations) {
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzImplementation, name, strings.Join(validAuthzImplementations, "', '"), endpoint.Implementation))
} else {
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzLegacyInvalidImplementation, name))
}
}
} else if !utils.IsStringInSlice(endpoint.Implementation, validAuthzImplementations) {
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzImplementation, name, strings.Join(validAuthzImplementations, "', '"), endpoint.Implementation))
}
if !reAuthzEndpointName.MatchString(name) {
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzInvalidName, name))
}
}
func validateServerEndpointsAuthzStrategies(name string, strategies []schema.ServerAuthzEndpointAuthnStrategy, validator *schema.StructValidator) {
names := make([]string, len(strategies))
for _, strategy := range strategies {
if utils.IsStringInSlice(strategy.Name, names) {
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzStrategyDuplicate, name, strategy.Name))
}
names = append(names, strategy.Name)
if !utils.IsStringInSlice(strategy.Name, validAuthzAuthnStrategies) {
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzStrategy, name, strings.Join(validAuthzAuthnStrategies, "', '"), strategy.Name))
}
}
[FEATURE] Buffer size configuration and additional http error handling (#944) * implement read buffer size config option * implement write buffer size config option * implement fasthttp ErrorHandler so we can log errors to Authelia as well * add struct/schema validation * add default value * add docs * add config key to validator * refactoring * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 02:03:05 +00:00
}