authelia/internal/configuration/validator/configuration.go

104 lines
2.8 KiB
Go
Raw Normal View History

package validator
import (
"fmt"
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
"os"
"strings"
"github.com/authelia/authelia/v4/internal/configuration/schema"
"github.com/authelia/authelia/v4/internal/utils"
)
// ValidateConfiguration and adapt the configuration read from file.
func ValidateConfiguration(config *schema.Configuration, validator *schema.StructValidator) {
var err error
if config.CertificatesDirectory != "" {
var info os.FileInfo
if info, err = os.Stat(config.CertificatesDirectory); err != nil {
validator.Push(fmt.Errorf("the location 'certificates_directory' could not be inspected: %w", err))
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
} else if !info.IsDir() {
validator.Push(fmt.Errorf("the location 'certificates_directory' refers to '%s' is not a directory", config.CertificatesDirectory))
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
}
}
if config.JWTSecret == "" {
validator.Push(fmt.Errorf("option 'jwt_secret' is required"))
}
if config.DefaultRedirectionURL != "" {
if err = utils.IsStringAbsURL(config.DefaultRedirectionURL); err != nil {
validator.Push(fmt.Errorf("option 'default_redirection_url' is invalid: %s", strings.ReplaceAll(err.Error(), "like 'http://' or 'https://'", "like 'ldap://' or 'ldaps://'")))
}
}
validateDefault2FAMethod(config, validator)
ValidateTheme(config, validator)
ValidateLog(config, validator)
ValidateDuo(config, validator)
ValidateTOTP(config, validator)
ValidateWebAuthn(config, validator)
ValidateAuthenticationBackend(&config.AuthenticationBackend, validator)
ValidateAccessControl(config, validator)
ValidateRules(config, validator)
ValidateSession(&config.Session, validator)
ValidateRegulation(config, validator)
ValidateServer(config, validator)
ValidateTelemetry(config, validator)
ValidateStorage(config.Storage, validator)
ValidateNotifier(&config.Notifier, validator)
2019-11-16 19:50:58 +00:00
ValidateIdentityProviders(&config.IdentityProviders, validator)
ValidateNTP(config, validator)
ValidatePasswordPolicy(&config.PasswordPolicy, validator)
ValidatePrivacyPolicy(&config.PrivacyPolicy, validator)
}
func validateDefault2FAMethod(config *schema.Configuration, validator *schema.StructValidator) {
if config.Default2FAMethod == "" {
return
}
if !utils.IsStringInSlice(config.Default2FAMethod, validDefault2FAMethods) {
validator.Push(fmt.Errorf(errFmtInvalidDefault2FAMethod, config.Default2FAMethod, strings.Join(validDefault2FAMethods, "', '")))
return
}
var enabledMethods []string
if !config.TOTP.Disable {
enabledMethods = append(enabledMethods, "totp")
}
if !config.WebAuthn.Disable {
enabledMethods = append(enabledMethods, "webauthn")
}
if !config.DuoAPI.Disable {
enabledMethods = append(enabledMethods, "mobile_push")
}
if !utils.IsStringInSlice(config.Default2FAMethod, enabledMethods) {
validator.Push(fmt.Errorf(errFmtInvalidDefault2FAMethodDisabled, config.Default2FAMethod, strings.Join(enabledMethods, "', '")))
}
}