authelia/internal/configuration/validator/storage.go

package validator

import (
	"errors"
	"fmt"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/utils"
)

// ValidateStorage validates storage configuration.
func ValidateStorage(config schema.StorageConfiguration, validator *schema.StructValidator) {
	if config.Local == nil && config.MySQL == nil && config.PostgreSQL == nil {
		validator.Push(errors.New(errStrStorage))
	}

	switch {
	case config.MySQL != nil:
		validateMySQLConfiguration(config.MySQL, validator)
	case config.PostgreSQL != nil:
		validatePostgreSQLConfiguration(config.PostgreSQL, validator)
	case config.Local != nil:
		validateLocalStorageConfiguration(config.Local, validator)
	}

	if config.EncryptionKey == "" {
		validator.Push(errors.New(errStrStorageEncryptionKeyMustBeProvided))
	} else if len(config.EncryptionKey) < 20 {
		validator.Push(errors.New(errStrStorageEncryptionKeyTooShort))
	}
}

func validateSQLConfiguration(config *schema.SQLStorageConfiguration, validator *schema.StructValidator, provider string) {
	if config.Address == nil {
		if config.Host == "" { //nolint:staticcheck
			validator.Push(fmt.Errorf(errFmtStorageOptionMustBeProvided, provider, "address"))
		} else {
			host := config.Host //nolint:staticcheck
			port := config.Port //nolint:staticcheck

			if address, err := schema.NewAddressFromNetworkValuesDefault(host, port, schema.AddressSchemeTCP, schema.AddressSchemeUnix); err != nil {
				validator.Push(fmt.Errorf(errFmtStorageFailedToConvertHostPortToAddress, provider, err))
			} else {
				config.Address = &schema.AddressTCP{Address: *address}
			}
		}
	} else {
		if config.Host != "" || config.Port != 0 { //nolint:staticcheck
			validator.Push(fmt.Errorf(errFmtStorageOptionAddressConflictWithHostPort, provider))
		}

		var err error

		if err = config.Address.ValidateSQL(); err != nil {
			validator.Push(fmt.Errorf(errFmtServerAddress, config.Address.String(), err))
		}
	}

	if config.Username == "" || config.Password == "" {
		validator.Push(fmt.Errorf(errFmtStorageUserPassMustBeProvided, provider))
	}

	if config.Database == "" {
		validator.Push(fmt.Errorf(errFmtStorageOptionMustBeProvided, provider, "database"))
	}

	if config.Timeout == 0 {
		config.Timeout = schema.DefaultSQLStorageConfiguration.Timeout
	}
}

func validateMySQLConfiguration(config *schema.MySQLStorageConfiguration, validator *schema.StructValidator) {
	validateSQLConfiguration(&config.SQLStorageConfiguration, validator, "mysql")

	if config.TLS != nil {
		configDefaultTLS := &schema.TLSConfig{
			MinimumVersion: schema.DefaultMySQLStorageConfiguration.TLS.MinimumVersion,
			MaximumVersion: schema.DefaultMySQLStorageConfiguration.TLS.MaximumVersion,
		}

		if config.Address != nil {
			configDefaultTLS.ServerName = config.Address.Hostname()
		}

		if err := ValidateTLSConfig(config.TLS, configDefaultTLS); err != nil {
			validator.Push(fmt.Errorf(errFmtStorageTLSConfigInvalid, "mysql", err))
		}
	}
}

func validatePostgreSQLConfiguration(config *schema.PostgreSQLStorageConfiguration, validator *schema.StructValidator) {
	validateSQLConfiguration(&config.SQLStorageConfiguration, validator, "postgres")

	if config.Schema == "" {
		config.Schema = schema.DefaultPostgreSQLStorageConfiguration.Schema
	}

	switch {
	case config.TLS != nil && config.SSL != nil:
		validator.Push(fmt.Errorf(errFmtStoragePostgreSQLInvalidSSLAndTLSConfig))
	case config.TLS != nil:
		configDefaultTLS := &schema.TLSConfig{
			ServerName:     config.Address.Hostname(),
			MinimumVersion: schema.DefaultPostgreSQLStorageConfiguration.TLS.MinimumVersion,
			MaximumVersion: schema.DefaultPostgreSQLStorageConfiguration.TLS.MaximumVersion,
		}

		if err := ValidateTLSConfig(config.TLS, configDefaultTLS); err != nil {
			validator.Push(fmt.Errorf(errFmtStorageTLSConfigInvalid, "postgres", err))
		}
	case config.SSL != nil:
		validator.PushWarning(fmt.Errorf(warnFmtStoragePostgreSQLInvalidSSLDeprecated))

		switch {
		case config.SSL.Mode == "":
			config.SSL.Mode = schema.DefaultPostgreSQLStorageConfiguration.SSL.Mode
		case !utils.IsStringInSlice(config.SSL.Mode, validStoragePostgreSQLSSLModes):
			validator.Push(fmt.Errorf(errFmtStoragePostgreSQLInvalidSSLMode, strJoinOr(validStoragePostgreSQLSSLModes), config.SSL.Mode))
		}
	}
}

func validateLocalStorageConfiguration(config *schema.LocalStorageConfiguration, validator *schema.StructValidator) {
	if config.Path == "" {
		validator.Push(fmt.Errorf(errFmtStorageOptionMustBeProvided, "local", "path"))
	}
}
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`package validator`

			`import (`
			`"errors"`
feat(storage): postgresql schema and ssl options (#2659) Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process. 2021-12-02 05:36:03 +00:00			`"fmt"`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
feat(storage): postgresql schema and ssl options (#2659) Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process. 2021-12-02 05:36:03 +00:00			`"github.com/authelia/authelia/v4/internal/utils"`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`)`

[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// ValidateStorage validates storage configuration.`
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`func ValidateStorage(config schema.StorageConfiguration, validator *schema.StructValidator) {`
			`if config.Local == nil && config.MySQL == nil && config.PostgreSQL == nil {`
feat(storage): postgresql schema and ssl options (#2659) Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process. 2021-12-02 05:36:03 +00:00			`validator.Push(errors.New(errStrStorage))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`

[CI] Add gocritic linter (#977) * [CI] Add gocritic linter * Implement gocritic recommendations The outstanding recommendations are due to be addressed in #959 and #971 respectively. * Fix implementation tests * Fix remaining linting issues. * Fix tests. Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-06 00:52:06 +00:00			`switch {`
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`case config.MySQL != nil:`
feat(storage): tls connection support (#4233) This adds support to PostgreSQL and MySQL to connect via TLS via the standard TLS configuration options. 2022-10-22 08:27:59 +00:00			`validateMySQLConfiguration(config.MySQL, validator)`
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`case config.PostgreSQL != nil:`
			`validatePostgreSQLConfiguration(config.PostgreSQL, validator)`
			`case config.Local != nil:`
			`validateLocalStorageConfiguration(config.Local, validator)`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682 2021-11-25 01:56:58 +00:00
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`if config.EncryptionKey == "" {`
feat(storage): postgresql schema and ssl options (#2659) Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process. 2021-12-02 05:36:03 +00:00			`validator.Push(errors.New(errStrStorageEncryptionKeyMustBeProvided))`
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`} else if len(config.EncryptionKey) < 20 {`
feat(storage): postgresql schema and ssl options (#2659) Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process. 2021-12-02 05:36:03 +00:00			`validator.Push(errors.New(errStrStorageEncryptionKeyTooShort))`
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682 2021-11-25 01:56:58 +00:00			`}`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`

feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`func validateSQLConfiguration(config schema.SQLStorageConfiguration, validator schema.StructValidator, provider string) {`
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:39:17 +00:00			`if config.Address == nil {`
			`if config.Host == "" { //nolint:staticcheck`
			`validator.Push(fmt.Errorf(errFmtStorageOptionMustBeProvided, provider, "address"))`
			`} else {`
			`host := config.Host //nolint:staticcheck`
			`port := config.Port //nolint:staticcheck`

			`if address, err := schema.NewAddressFromNetworkValuesDefault(host, port, schema.AddressSchemeTCP, schema.AddressSchemeUnix); err != nil {`
			`validator.Push(fmt.Errorf(errFmtStorageFailedToConvertHostPortToAddress, provider, err))`
			`} else {`
			`config.Address = &schema.AddressTCP{Address: *address}`
			`}`
			`}`
			`} else {`
			`if config.Host != "" \|\| config.Port != 0 { //nolint:staticcheck`
			`validator.Push(fmt.Errorf(errFmtStorageOptionAddressConflictWithHostPort, provider))`
			`}`

			`var err error`
fix(storage): set sane default connection timeout (#2256) This sets a sane default connection timeout for SQL connections. 2021-08-06 05:35:14 +00:00
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:39:17 +00:00			`if err = config.Address.ValidateSQL(); err != nil {`
			`validator.Push(fmt.Errorf(errFmtServerAddress, config.Address.String(), err))`
			`}`
feat(storage): postgresql schema and ssl options (#2659) Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process. 2021-12-02 05:36:03 +00:00			`}`

feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`if config.Username == "" \|\| config.Password == "" {`
feat(storage): postgresql schema and ssl options (#2659) Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process. 2021-12-02 05:36:03 +00:00			`validator.Push(fmt.Errorf(errFmtStorageUserPassMustBeProvided, provider))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`

feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`if config.Database == "" {`
feat(storage): postgresql schema and ssl options (#2659) Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process. 2021-12-02 05:36:03 +00:00			`validator.Push(fmt.Errorf(errFmtStorageOptionMustBeProvided, provider, "database"))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:39:17 +00:00
			`if config.Timeout == 0 {`
			`config.Timeout = schema.DefaultSQLStorageConfiguration.Timeout`
			`}`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`

feat(storage): tls connection support (#4233) This adds support to PostgreSQL and MySQL to connect via TLS via the standard TLS configuration options. 2022-10-22 08:27:59 +00:00			`func validateMySQLConfiguration(config schema.MySQLStorageConfiguration, validator schema.StructValidator) {`
			`validateSQLConfiguration(&config.SQLStorageConfiguration, validator, "mysql")`

			`if config.TLS != nil {`
			`configDefaultTLS := &schema.TLSConfig{`
			`MinimumVersion: schema.DefaultMySQLStorageConfiguration.TLS.MinimumVersion,`
			`MaximumVersion: schema.DefaultMySQLStorageConfiguration.TLS.MaximumVersion,`
			`}`

feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:39:17 +00:00			`if config.Address != nil {`
			`configDefaultTLS.ServerName = config.Address.Hostname()`
			`}`

feat(storage): tls connection support (#4233) This adds support to PostgreSQL and MySQL to connect via TLS via the standard TLS configuration options. 2022-10-22 08:27:59 +00:00			`if err := ValidateTLSConfig(config.TLS, configDefaultTLS); err != nil {`
			`validator.Push(fmt.Errorf(errFmtStorageTLSConfigInvalid, "mysql", err))`
			`}`
			`}`
			`}`

feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`func validatePostgreSQLConfiguration(config schema.PostgreSQLStorageConfiguration, validator schema.StructValidator) {`
			`validateSQLConfiguration(&config.SQLStorageConfiguration, validator, "postgres")`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`if config.Schema == "" {`
			`config.Schema = schema.DefaultPostgreSQLStorageConfiguration.Schema`
fix(storage): postgres schema hardcoded for tables query (#2667) This removes the hardcoded schema value from the PostgreSQL existing tables query, making it compatible with the new schema config option. 2021-12-03 06:29:55 +00:00			`}`

feat(storage): tls connection support (#4233) This adds support to PostgreSQL and MySQL to connect via TLS via the standard TLS configuration options. 2022-10-22 08:27:59 +00:00			`switch {`
			`case config.TLS != nil && config.SSL != nil:`
			`validator.Push(fmt.Errorf(errFmtStoragePostgreSQLInvalidSSLAndTLSConfig))`
			`case config.TLS != nil:`
			`configDefaultTLS := &schema.TLSConfig{`
feat(authentication): suport ldap over unix socket (#5397) This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly deprecating old options. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-07 06:39:17 +00:00			`ServerName: config.Address.Hostname(),`
feat(storage): tls connection support (#4233) This adds support to PostgreSQL and MySQL to connect via TLS via the standard TLS configuration options. 2022-10-22 08:27:59 +00:00			`MinimumVersion: schema.DefaultPostgreSQLStorageConfiguration.TLS.MinimumVersion,`
			`MaximumVersion: schema.DefaultPostgreSQLStorageConfiguration.TLS.MaximumVersion,`
			`}`

			`if err := ValidateTLSConfig(config.TLS, configDefaultTLS); err != nil {`
			`validator.Push(fmt.Errorf(errFmtStorageTLSConfigInvalid, "postgres", err))`
			`}`
			`case config.SSL != nil:`
			`validator.PushWarning(fmt.Errorf(warnFmtStoragePostgreSQLInvalidSSLDeprecated))`

			`switch {`
			`case config.SSL.Mode == "":`
			`config.SSL.Mode = schema.DefaultPostgreSQLStorageConfiguration.SSL.Mode`
			`case !utils.IsStringInSlice(config.SSL.Mode, validStoragePostgreSQLSSLModes):`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`validator.Push(fmt.Errorf(errFmtStoragePostgreSQLInvalidSSLMode, strJoinOr(validStoragePostgreSQLSSLModes), config.SSL.Mode))`
feat(storage): tls connection support (#4233) This adds support to PostgreSQL and MySQL to connect via TLS via the standard TLS configuration options. 2022-10-22 08:27:59 +00:00			`}`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`}`
			`}`

feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`func validateLocalStorageConfiguration(config schema.LocalStorageConfiguration, validator schema.StructValidator) {`
			`if config.Path == "" {`
feat(storage): postgresql schema and ssl options (#2659) Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process. 2021-12-02 05:36:03 +00:00			`validator.Push(fmt.Errorf(errFmtStorageOptionMustBeProvided, "local", "path"))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`
			`}`