2019-04-24 21:52:08 +00:00
|
|
|
package validator
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
2021-01-04 10:28:55 +00:00
|
|
|
"os"
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2019-12-24 02:14:52 +00:00
|
|
|
"github.com/authelia/authelia/internal/configuration/schema"
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
"github.com/authelia/authelia/internal/utils"
|
2019-04-24 21:52:08 +00:00
|
|
|
)
|
|
|
|
|
2021-03-22 09:04:09 +00:00
|
|
|
var defaultPort = 9091
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2020-04-23 01:11:32 +00:00
|
|
|
// ValidateConfiguration and adapt the configuration read from file.
|
2021-01-04 10:28:55 +00:00
|
|
|
//nolint:gocyclo // This function is likely to always have lots of if/else statements, as long as we keep the flow clean it should be understandable.
|
2020-04-23 01:11:32 +00:00
|
|
|
func ValidateConfiguration(configuration *schema.Configuration, validator *schema.StructValidator) {
|
2019-12-06 20:45:59 +00:00
|
|
|
if configuration.Host == "" {
|
|
|
|
configuration.Host = "0.0.0.0"
|
|
|
|
}
|
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
if configuration.Port == 0 {
|
|
|
|
configuration.Port = defaultPort
|
|
|
|
}
|
|
|
|
|
2020-03-03 07:18:25 +00:00
|
|
|
if configuration.TLSKey != "" && configuration.TLSCert == "" {
|
|
|
|
validator.Push(fmt.Errorf("No TLS certificate provided, please check the \"tls_cert\" which has been configured"))
|
|
|
|
} else if configuration.TLSKey == "" && configuration.TLSCert != "" {
|
|
|
|
validator.Push(fmt.Errorf("No TLS key provided, please check the \"tls_key\" which has been configured"))
|
|
|
|
}
|
|
|
|
|
2021-01-04 10:28:55 +00:00
|
|
|
if configuration.CertificatesDirectory != "" {
|
|
|
|
info, err := os.Stat(configuration.CertificatesDirectory)
|
|
|
|
if err != nil {
|
|
|
|
validator.Push(fmt.Errorf("Error checking certificate directory: %v", err))
|
|
|
|
} else if !info.IsDir() {
|
|
|
|
validator.Push(fmt.Errorf("The path %s specified for certificate_directory is not a directory", configuration.CertificatesDirectory))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-04-05 12:37:21 +00:00
|
|
|
if configuration.JWTSecret == "" {
|
|
|
|
validator.Push(fmt.Errorf("Provide a JWT secret using \"jwt_secret\" key"))
|
|
|
|
}
|
|
|
|
|
2020-02-01 12:54:50 +00:00
|
|
|
if configuration.DefaultRedirectionURL != "" {
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
err := utils.IsStringAbsURL(configuration.DefaultRedirectionURL)
|
2020-02-01 12:54:50 +00:00
|
|
|
if err != nil {
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
validator.Push(fmt.Errorf("Value for \"default_redirection_url\" is invalid: %+v", err))
|
2020-02-01 12:54:50 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-01-20 12:07:40 +00:00
|
|
|
ValidateTheme(configuration, validator)
|
|
|
|
|
2020-04-05 12:37:21 +00:00
|
|
|
if configuration.TOTP == nil {
|
2020-04-30 02:03:05 +00:00
|
|
|
configuration.TOTP = &schema.DefaultTOTPConfiguration
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
2020-05-05 19:35:32 +00:00
|
|
|
|
2021-06-01 04:09:50 +00:00
|
|
|
ValidateLogging(configuration, validator)
|
|
|
|
|
2020-04-05 12:37:21 +00:00
|
|
|
ValidateTOTP(configuration.TOTP, validator)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
|
|
|
ValidateAuthenticationBackend(&configuration.AuthenticationBackend, validator)
|
2020-04-05 12:37:21 +00:00
|
|
|
|
2021-06-01 04:09:50 +00:00
|
|
|
ValidateAccessControl(&configuration.AccessControl, validator)
|
2021-01-04 10:55:23 +00:00
|
|
|
|
2021-04-14 10:53:23 +00:00
|
|
|
ValidateRules(configuration.AccessControl, validator)
|
2021-01-04 10:55:23 +00:00
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
ValidateSession(&configuration.Session, validator)
|
|
|
|
|
2020-04-05 12:37:21 +00:00
|
|
|
if configuration.Regulation == nil {
|
2020-04-30 02:03:05 +00:00
|
|
|
configuration.Regulation = &schema.DefaultRegulationConfiguration
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
2020-05-05 19:35:32 +00:00
|
|
|
|
2020-04-05 12:37:21 +00:00
|
|
|
ValidateRegulation(configuration.Regulation, validator)
|
|
|
|
|
2020-04-30 02:03:05 +00:00
|
|
|
ValidateServer(&configuration.Server, validator)
|
|
|
|
|
2020-04-05 12:37:21 +00:00
|
|
|
ValidateStorage(configuration.Storage, validator)
|
2019-11-16 19:50:58 +00:00
|
|
|
|
2020-01-21 20:15:40 +00:00
|
|
|
if configuration.Notifier == nil {
|
|
|
|
validator.Push(fmt.Errorf("A notifier configuration must be provided"))
|
|
|
|
} else {
|
|
|
|
ValidateNotifier(configuration.Notifier, validator)
|
|
|
|
}
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
ValidateIdentityProviders(&configuration.IdentityProviders, validator)
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|