2019-04-24 21:52:08 +00:00
|
|
|
package validator
|
|
|
|
|
|
|
|
import (
|
|
|
|
"errors"
|
2019-12-06 08:15:54 +00:00
|
|
|
"fmt"
|
|
|
|
"net/url"
|
2019-12-08 22:21:55 +00:00
|
|
|
"strings"
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2019-11-17 10:47:07 +00:00
|
|
|
"github.com/clems4ever/authelia/internal/configuration/schema"
|
2019-04-24 21:52:08 +00:00
|
|
|
)
|
|
|
|
|
2019-10-29 20:16:38 +00:00
|
|
|
var ldapProtocolPrefix = "ldap://"
|
2019-12-06 08:15:54 +00:00
|
|
|
var ldapsProtocolPrefix = "ldaps://"
|
2019-10-29 20:16:38 +00:00
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
func validateFileAuthenticationBackend(configuration *schema.FileAuthenticationBackendConfiguration, validator *schema.StructValidator) {
|
|
|
|
if configuration.Path == "" {
|
|
|
|
validator.Push(errors.New("Please provide a `path` for the users database in `authentication_backend`"))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-12-06 08:15:54 +00:00
|
|
|
func validateLdapURL(ldapURL string, validator *schema.StructValidator) string {
|
|
|
|
u, err := url.Parse(ldapURL)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
validator.Push(errors.New("Unable to parse URL to ldap server. The scheme is probably missing: ldap:// or ldaps://"))
|
|
|
|
return ""
|
2019-10-29 20:16:38 +00:00
|
|
|
}
|
|
|
|
|
2019-12-06 08:15:54 +00:00
|
|
|
if !(u.Scheme == "ldap" || u.Scheme == "ldaps") {
|
|
|
|
validator.Push(errors.New("Unknown scheme for ldap url, should be ldap:// or ldaps://"))
|
|
|
|
return ""
|
|
|
|
}
|
2019-10-29 20:16:38 +00:00
|
|
|
|
2019-12-06 08:15:54 +00:00
|
|
|
if u.Scheme == "ldap" && u.Port() == "" {
|
|
|
|
u.Host += ":389"
|
|
|
|
} else if u.Scheme == "ldaps" && u.Port() == "" {
|
|
|
|
u.Host += ":636"
|
2019-10-29 20:16:38 +00:00
|
|
|
}
|
2019-12-06 08:15:54 +00:00
|
|
|
|
|
|
|
if !u.IsAbs() {
|
|
|
|
validator.Push(fmt.Errorf("URL to LDAP %s is still not absolute, it should be something like ldap://127.0.0.1:389", u.String()))
|
|
|
|
}
|
|
|
|
|
|
|
|
return u.String()
|
2019-10-29 20:16:38 +00:00
|
|
|
}
|
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
func validateLdapAuthenticationBackend(configuration *schema.LDAPAuthenticationBackendConfiguration, validator *schema.StructValidator) {
|
|
|
|
if configuration.URL == "" {
|
|
|
|
validator.Push(errors.New("Please provide a URL to the LDAP server"))
|
2019-10-29 20:16:38 +00:00
|
|
|
} else {
|
|
|
|
configuration.URL = validateLdapURL(configuration.URL, validator)
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if configuration.User == "" {
|
|
|
|
validator.Push(errors.New("Please provide a user name to connect to the LDAP server"))
|
|
|
|
}
|
|
|
|
|
|
|
|
if configuration.Password == "" {
|
|
|
|
validator.Push(errors.New("Please provide a password to connect to the LDAP server"))
|
|
|
|
}
|
|
|
|
|
|
|
|
if configuration.BaseDN == "" {
|
|
|
|
validator.Push(errors.New("Please provide a base DN to connect to the LDAP server"))
|
|
|
|
}
|
|
|
|
|
|
|
|
if configuration.UsersFilter == "" {
|
2019-10-29 20:16:38 +00:00
|
|
|
configuration.UsersFilter = "(cn={0})"
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
|
|
|
|
2019-12-08 22:21:55 +00:00
|
|
|
if !strings.HasPrefix(configuration.UsersFilter, "(") || !strings.HasSuffix(configuration.UsersFilter, ")") {
|
|
|
|
validator.Push(errors.New("The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})"))
|
|
|
|
}
|
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
if configuration.GroupsFilter == "" {
|
2019-10-29 20:16:38 +00:00
|
|
|
configuration.GroupsFilter = "(member={dn})"
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
|
|
|
|
2019-12-08 22:21:55 +00:00
|
|
|
if !strings.HasPrefix(configuration.GroupsFilter, "(") || !strings.HasSuffix(configuration.GroupsFilter, ")") {
|
|
|
|
validator.Push(errors.New("The groups filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})"))
|
|
|
|
}
|
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
if configuration.GroupNameAttribute == "" {
|
|
|
|
configuration.GroupNameAttribute = "cn"
|
|
|
|
}
|
|
|
|
|
|
|
|
if configuration.MailAttribute == "" {
|
|
|
|
configuration.MailAttribute = "mail"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// ValidateAuthenticationBackend validates and update authentication backend configuration.
|
|
|
|
func ValidateAuthenticationBackend(configuration *schema.AuthenticationBackendConfiguration, validator *schema.StructValidator) {
|
|
|
|
if configuration.Ldap == nil && configuration.File == nil {
|
|
|
|
validator.Push(errors.New("Please provide `ldap` or `file` object in `authentication_backend`"))
|
|
|
|
}
|
|
|
|
|
|
|
|
if configuration.Ldap != nil && configuration.File != nil {
|
|
|
|
validator.Push(errors.New("You cannot provide both `ldap` and `file` objects in `authentication_backend`"))
|
|
|
|
}
|
|
|
|
|
|
|
|
if configuration.File != nil {
|
|
|
|
validateFileAuthenticationBackend(configuration.File, validator)
|
|
|
|
} else if configuration.Ldap != nil {
|
|
|
|
validateLdapAuthenticationBackend(configuration.Ldap, validator)
|
|
|
|
}
|
|
|
|
}
|