2020-04-30 02:03:05 +00:00
|
|
|
package validator
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
2023-05-15 00:32:10 +00:00
|
|
|
"os"
|
2020-05-21 02:20:55 +00:00
|
|
|
"path"
|
2023-01-25 09:36:40 +00:00
|
|
|
"sort"
|
2020-05-21 02:20:55 +00:00
|
|
|
"strings"
|
2020-04-30 02:03:05 +00:00
|
|
|
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
|
|
|
"github.com/authelia/authelia/v4/internal/utils"
|
2020-04-30 02:03:05 +00:00
|
|
|
)
|
|
|
|
|
2022-04-04 23:57:47 +00:00
|
|
|
// ValidateServerTLS checks a server TLS configuration is correct.
|
|
|
|
func ValidateServerTLS(config *schema.Configuration, validator *schema.StructValidator) {
|
|
|
|
if config.Server.TLS.Key != "" && config.Server.TLS.Certificate == "" {
|
|
|
|
validator.Push(fmt.Errorf(errFmtServerTLSCert))
|
|
|
|
} else if config.Server.TLS.Key == "" && config.Server.TLS.Certificate != "" {
|
|
|
|
validator.Push(fmt.Errorf(errFmtServerTLSKey))
|
|
|
|
}
|
|
|
|
|
|
|
|
if config.Server.TLS.Key != "" {
|
2023-05-15 00:32:10 +00:00
|
|
|
validateServerTLSFileExists("key", config.Server.TLS.Key, validator)
|
2022-04-04 23:57:47 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if config.Server.TLS.Certificate != "" {
|
2023-05-15 00:32:10 +00:00
|
|
|
validateServerTLSFileExists("certificate", config.Server.TLS.Certificate, validator)
|
2022-04-04 23:57:47 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if config.Server.TLS.Key == "" && config.Server.TLS.Certificate == "" &&
|
|
|
|
len(config.Server.TLS.ClientCertificates) > 0 {
|
|
|
|
validator.Push(fmt.Errorf(errFmtServerTLSClientAuthNoAuth))
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, clientCertPath := range config.Server.TLS.ClientCertificates {
|
2023-05-15 00:32:10 +00:00
|
|
|
validateServerTLSFileExists("client_certificates", clientCertPath, validator)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// validateServerTLSFileExists checks whether a file exist.
|
|
|
|
func validateServerTLSFileExists(name, path string, validator *schema.StructValidator) {
|
|
|
|
var (
|
|
|
|
info os.FileInfo
|
|
|
|
err error
|
|
|
|
)
|
|
|
|
|
|
|
|
switch info, err = os.Stat(path); {
|
|
|
|
case os.IsNotExist(err):
|
|
|
|
validator.Push(fmt.Errorf("server: tls: option '%s' with path '%s' refers to a file that doesn't exist", name, path))
|
|
|
|
case err != nil:
|
|
|
|
validator.Push(fmt.Errorf("server: tls: option '%s' with path '%s' could not be verified due to a file system error: %w", name, path, err))
|
|
|
|
case info.IsDir():
|
|
|
|
validator.Push(fmt.Errorf("server: tls: option '%s' with path '%s' refers to a directory but it should refer to a file", name, path))
|
2022-04-04 23:57:47 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-05-07 05:48:26 +00:00
|
|
|
// ValidateServer checks the server configuration is correct.
|
2022-02-28 03:15:01 +00:00
|
|
|
func ValidateServer(config *schema.Configuration, validator *schema.StructValidator) {
|
2023-05-07 05:48:26 +00:00
|
|
|
ValidateServerAddress(config, validator)
|
2022-04-04 23:57:47 +00:00
|
|
|
ValidateServerTLS(config, validator)
|
2021-08-02 11:55:30 +00:00
|
|
|
|
2020-05-21 02:20:55 +00:00
|
|
|
switch {
|
2022-02-28 03:15:01 +00:00
|
|
|
case strings.Contains(config.Server.Path, "/"):
|
|
|
|
validator.Push(fmt.Errorf(errFmtServerPathNoForwardSlashes))
|
|
|
|
case !utils.IsStringAlphaNumeric(config.Server.Path):
|
|
|
|
validator.Push(fmt.Errorf(errFmtServerPathAlphaNum))
|
|
|
|
case config.Server.Path == "": // Don't do anything if it's blank.
|
|
|
|
break
|
2020-05-21 02:20:55 +00:00
|
|
|
default:
|
2022-02-28 03:15:01 +00:00
|
|
|
config.Server.Path = path.Clean("/" + config.Server.Path)
|
2020-05-21 02:20:55 +00:00
|
|
|
}
|
|
|
|
|
2022-08-08 21:50:12 +00:00
|
|
|
if config.Server.Buffers.Read <= 0 {
|
|
|
|
config.Server.Buffers.Read = schema.DefaultServerConfiguration.Buffers.Read
|
2020-04-30 02:03:05 +00:00
|
|
|
}
|
|
|
|
|
2022-08-08 21:50:12 +00:00
|
|
|
if config.Server.Buffers.Write <= 0 {
|
|
|
|
config.Server.Buffers.Write = schema.DefaultServerConfiguration.Buffers.Write
|
|
|
|
}
|
|
|
|
|
|
|
|
if config.Server.Timeouts.Read <= 0 {
|
|
|
|
config.Server.Timeouts.Read = schema.DefaultServerConfiguration.Timeouts.Read
|
|
|
|
}
|
|
|
|
|
|
|
|
if config.Server.Timeouts.Write <= 0 {
|
|
|
|
config.Server.Timeouts.Write = schema.DefaultServerConfiguration.Timeouts.Write
|
|
|
|
}
|
|
|
|
|
|
|
|
if config.Server.Timeouts.Idle <= 0 {
|
|
|
|
config.Server.Timeouts.Idle = schema.DefaultServerConfiguration.Timeouts.Idle
|
2020-04-30 02:03:05 +00:00
|
|
|
}
|
2023-01-25 09:36:40 +00:00
|
|
|
|
|
|
|
ValidateServerEndpoints(config, validator)
|
|
|
|
}
|
|
|
|
|
2023-05-07 05:48:26 +00:00
|
|
|
// ValidateServerAddress checks the configured server address is correct.
|
|
|
|
func ValidateServerAddress(config *schema.Configuration, validator *schema.StructValidator) {
|
|
|
|
if config.Server.Address == nil {
|
|
|
|
if config.Server.Host == "" && config.Server.Port == 0 { //nolint:staticcheck
|
|
|
|
config.Server.Address = schema.DefaultServerConfiguration.Address
|
|
|
|
} else {
|
|
|
|
host := config.Server.Host //nolint:staticcheck
|
|
|
|
port := config.Server.Port //nolint:staticcheck
|
|
|
|
|
|
|
|
if host == "" {
|
|
|
|
host = schema.DefaultServerConfiguration.Address.Hostname()
|
|
|
|
}
|
|
|
|
|
|
|
|
if port == 0 {
|
|
|
|
port = schema.DefaultServerConfiguration.Address.Port()
|
|
|
|
}
|
|
|
|
|
|
|
|
config.Server.Address = &schema.AddressTCP{Address: schema.NewAddressFromNetworkValues(schema.AddressSchemeTCP, host, port)}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if config.Server.Host != "" || config.Server.Port != 0 { //nolint:staticcheck
|
|
|
|
validator.Push(fmt.Errorf(errFmtServerAddressLegacyAndModern))
|
|
|
|
}
|
|
|
|
|
|
|
|
var err error
|
|
|
|
|
|
|
|
if err = config.Server.Address.ValidateHTTP(); err != nil {
|
|
|
|
validator.Push(fmt.Errorf(errFmtServerAddress, config.Server.Address.String(), err))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-01-25 09:36:40 +00:00
|
|
|
// ValidateServerEndpoints configures the default endpoints and checks the configuration of custom endpoints.
|
|
|
|
func ValidateServerEndpoints(config *schema.Configuration, validator *schema.StructValidator) {
|
|
|
|
if config.Server.Endpoints.EnableExpvars {
|
|
|
|
validator.PushWarning(fmt.Errorf("server: endpoints: option 'enable_expvars' should not be enabled in production"))
|
|
|
|
}
|
|
|
|
|
|
|
|
if config.Server.Endpoints.EnablePprof {
|
|
|
|
validator.PushWarning(fmt.Errorf("server: endpoints: option 'enable_pprof' should not be enabled in production"))
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(config.Server.Endpoints.Authz) == 0 {
|
|
|
|
config.Server.Endpoints.Authz = schema.DefaultServerConfiguration.Endpoints.Authz
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
authzs := make([]string, 0, len(config.Server.Endpoints.Authz))
|
|
|
|
|
|
|
|
for name := range config.Server.Endpoints.Authz {
|
|
|
|
authzs = append(authzs, name)
|
|
|
|
}
|
|
|
|
|
|
|
|
sort.Strings(authzs)
|
|
|
|
|
|
|
|
for _, name := range authzs {
|
|
|
|
endpoint := config.Server.Endpoints.Authz[name]
|
|
|
|
|
|
|
|
validateServerEndpointsAuthzEndpoint(config, name, endpoint, validator)
|
|
|
|
|
|
|
|
for _, oName := range authzs {
|
|
|
|
oEndpoint := config.Server.Endpoints.Authz[oName]
|
|
|
|
|
|
|
|
if oName == name || oName == legacy {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
switch oEndpoint.Implementation {
|
|
|
|
case authzImplementationLegacy, authzImplementationExtAuthz:
|
|
|
|
if strings.HasPrefix(name, oName+"/") {
|
|
|
|
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzPrefixDuplicate, name, oName, oEndpoint.Implementation))
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
validateServerEndpointsAuthzStrategies(name, endpoint.AuthnStrategies, validator)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func validateServerEndpointsAuthzEndpoint(config *schema.Configuration, name string, endpoint schema.ServerAuthzEndpoint, validator *schema.StructValidator) {
|
|
|
|
if name == legacy {
|
|
|
|
switch endpoint.Implementation {
|
|
|
|
case authzImplementationLegacy:
|
|
|
|
break
|
|
|
|
case "":
|
|
|
|
endpoint.Implementation = authzImplementationLegacy
|
|
|
|
|
|
|
|
config.Server.Endpoints.Authz[name] = endpoint
|
|
|
|
default:
|
|
|
|
if !utils.IsStringInSlice(endpoint.Implementation, validAuthzImplementations) {
|
2023-04-13 10:58:18 +00:00
|
|
|
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzImplementation, name, strJoinOr(validAuthzImplementations), endpoint.Implementation))
|
2023-01-25 09:36:40 +00:00
|
|
|
} else {
|
|
|
|
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzLegacyInvalidImplementation, name))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else if !utils.IsStringInSlice(endpoint.Implementation, validAuthzImplementations) {
|
2023-04-13 10:58:18 +00:00
|
|
|
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzImplementation, name, strJoinOr(validAuthzImplementations), endpoint.Implementation))
|
2023-01-25 09:36:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if !reAuthzEndpointName.MatchString(name) {
|
|
|
|
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzInvalidName, name))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func validateServerEndpointsAuthzStrategies(name string, strategies []schema.ServerAuthzEndpointAuthnStrategy, validator *schema.StructValidator) {
|
|
|
|
names := make([]string, len(strategies))
|
|
|
|
|
|
|
|
for _, strategy := range strategies {
|
|
|
|
if utils.IsStringInSlice(strategy.Name, names) {
|
|
|
|
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzStrategyDuplicate, name, strategy.Name))
|
|
|
|
}
|
|
|
|
|
|
|
|
names = append(names, strategy.Name)
|
|
|
|
|
|
|
|
if !utils.IsStringInSlice(strategy.Name, validAuthzAuthnStrategies) {
|
2023-04-13 10:58:18 +00:00
|
|
|
validator.Push(fmt.Errorf(errFmtServerEndpointsAuthzStrategy, name, strJoinOr(validAuthzAuthnStrategies), strategy.Name))
|
2023-01-25 09:36:40 +00:00
|
|
|
}
|
|
|
|
}
|
2020-04-30 02:03:05 +00:00
|
|
|
}
|