[FIX] File Notifier Default Permissions (#902)

* [FIX] File Notifier Default Permissions

* set to 0600 for security
* recreate file if it exists with correct perms
* remove named return vars from notifier
pull/904/head
James Elliott 2020-04-23 12:01:24 +10:00 committed by GitHub
parent c1ac25a15b
commit e89e040949
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 56 deletions


@ -1,3 +1,3 @@
package notification package notification
const fileNotifierMode = 0755 const fileNotifierMode = 0600
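Review bot: Lowering `fileNotifierMode` to 0600 also changes the mode of the directory, because `StartupCheck` in the file notifier passes the same constant to `os.MkdirAll(dir, fileNotifierMode)`. A directory created without the search (x) bit cannot be entered by a non-root process, so the `ioutil.WriteFile` that follows would be expected to fail with a permission error whenever the directory had to be created. A separate constant for the directory keeps the file private without breaking that path, for example `const fileNotifierDirMode = 0700` passed to the `MkdirAll` call.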


@ -23,36 +23,29 @@ func NewFileNotifier(configuration schema.FileSystemNotifierConfiguration) *File
} }
// StartupCheck checks the file provider can write to the specified file // StartupCheck checks the file provider can write to the specified file
func (n *FileNotifier) StartupCheck() (ok bool, err error) { func (n *FileNotifier) StartupCheck() (bool, error) {
ok = true
dir := filepath.Dir(n.path) dir := filepath.Dir(n.path)
if _, err = os.Stat(dir); err != nil { if _, err := os.Stat(dir); err != nil {
if os.IsNotExist(err) { if os.IsNotExist(err) {
if err = os.MkdirAll(dir, fileNotifierMode); err != nil { if err = os.MkdirAll(dir, fileNotifierMode); err != nil {
ok = false return false, err
return
}
if err = ioutil.WriteFile(n.path, []byte(""), fileNotifierMode); err != nil {
ok = false
return
} }
} else { } else {
ok = false return false, err
return
} }
} else if _, err = os.Stat(n.path); err != nil { } else if _, err = os.Stat(n.path); err != nil {
if os.IsNotExist(err) { if !os.IsNotExist(err) {
if err = ioutil.WriteFile(n.path, []byte(""), fileNotifierMode); err != nil { return false, err
ok = false }
return } else {
} if err = os.Remove(n.path); err != nil {
} else { return false, err
ok = false
return
} }
} }
err = nil if err := ioutil.WriteFile(n.path, []byte(""), fileNotifierMode); err != nil {
return return false, err
}
return true, nil
} }
// Send send a identity verification link to a user. // Send send a identity verification link to a user.
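Review bot: The remove-then-write sequence at the end of `StartupCheck` leaves a window between `os.Remove(n.path)` and `ioutil.WriteFile(n.path, ...)` in which the path can reappear, and `WriteFile` opens without `O_EXCL`, so it would follow a symlink or reuse a file that another process created with different permissions. Whether that matters depends on who can write to the directory, which is not visible here. Creating the file with `os.OpenFile(n.path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, fileNotifierMode)` and closing it makes the check fail instead of silently accepting a file it did not create. The doc comment should also say that the check now discards prior contents, for example `// StartupCheck deletes any existing file at the configured path and recreates it empty with mode 0600.`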


@ -91,20 +91,19 @@ func (n *SMTPNotifier) initializeTLSConfig() {
} }
// Do startTLS if available (some servers only provide the auth extension after, and encryption is preferred). // Do startTLS if available (some servers only provide the auth extension after, and encryption is preferred).
func (n *SMTPNotifier) startTLS() (err error) { func (n *SMTPNotifier) startTLS() error {
// Only start if not already encrypted // Only start if not already encrypted
if _, ok := n.client.TLSConnectionState(); ok { if _, ok := n.client.TLSConnectionState(); ok {
log.Debugf("Notifier SMTP connection is already encrypted, skipping STARTTLS") log.Debugf("Notifier SMTP connection is already encrypted, skipping STARTTLS")
return return nil
} }
ok, _ := n.client.Extension("STARTTLS") ok, _ := n.client.Extension("STARTTLS")
if ok { if ok {
log.Debugf("Notifier SMTP server supports STARTTLS (disableVerifyCert: %t, ServerName: %s), attempting", n.tlsConfig.InsecureSkipVerify, n.tlsConfig.ServerName) log.Debugf("Notifier SMTP server supports STARTTLS (disableVerifyCert: %t, ServerName: %s), attempting", n.tlsConfig.InsecureSkipVerify, n.tlsConfig.ServerName)
err = n.client.StartTLS(n.tlsConfig) if err := n.client.StartTLS(n.tlsConfig); err != nil {
if err != nil { return err
return
} }
log.Debug("Notifier SMTP STARTTLS completed without error") log.Debug("Notifier SMTP STARTTLS completed without error")
} else if n.disableRequireTLS { } else if n.disableRequireTLS {
@ -112,11 +111,11 @@ func (n *SMTPNotifier) startTLS() (err error) {
} else { } else {
return errors.New("Notifier SMTP server does not support TLS and it is required by default (see documentation if you want to disable this highly recommended requirement)") return errors.New("Notifier SMTP server does not support TLS and it is required by default (see documentation if you want to disable this highly recommended requirement)")
} }
return return nil
} }
// Attempt Authentication. // Attempt Authentication.
func (n *SMTPNotifier) auth() (err error) { func (n *SMTPNotifier) auth() error {
// Attempt AUTH if password is specified only. // Attempt AUTH if password is specified only.
if n.password != "" { if n.password != "" {
_, ok := n.client.TLSConnectionState() _, ok := n.client.TLSConnectionState()
@ -146,9 +145,8 @@ func (n *SMTPNotifier) auth() (err error) {
} }
// Authenticate. // Authenticate.
err = n.client.Auth(auth) if err := n.client.Auth(auth); err != nil {
if err != nil { return err
return
} }
log.Debug("Notifier SMTP client authenticated successfully with the server") log.Debug("Notifier SMTP client authenticated successfully with the server")
return nil return nil
@ -159,7 +157,7 @@ func (n *SMTPNotifier) auth() (err error) {
return nil return nil
} }
func (n *SMTPNotifier) compose(recipient, subject, body string) (err error) { func (n *SMTPNotifier) compose(recipient, subject, body string) error {
log.Debugf("Notifier SMTP client attempting to send email body to %s", recipient) log.Debugf("Notifier SMTP client attempting to send email body to %s", recipient)
if !n.disableRequireTLS { if !n.disableRequireTLS {
_, ok := n.client.TLSConnectionState() _, ok := n.client.TLSConnectionState()
@ -194,7 +192,7 @@ func (n *SMTPNotifier) compose(recipient, subject, body string) (err error) {
} }
// Dial the SMTP server with the SMTPNotifier config. // Dial the SMTP server with the SMTPNotifier config.
func (n *SMTPNotifier) dial() (err error) { func (n *SMTPNotifier) dial() error {
log.Debugf("Notifier SMTP client attempting connection to %s", n.address) log.Debugf("Notifier SMTP client attempting connection to %s", n.address)
if n.port == 465 { if n.port == 465 {
log.Warnf("Notifier SMTP client configured to connect to a SMTPS server. It's highly recommended you use a non SMTPS port and STARTTLS instead of SMTPS, as the protocol is long deprecated.") log.Warnf("Notifier SMTP client configured to connect to a SMTPS server. It's highly recommended you use a non SMTPS port and STARTTLS instead of SMTPS, as the protocol is long deprecated.")
@ -227,42 +225,34 @@ func (n *SMTPNotifier) cleanup() {
} }
// StartupCheck checks the server is functioning correctly and the configuration is correct. // StartupCheck checks the server is functioning correctly and the configuration is correct.
func (n *SMTPNotifier) StartupCheck() (ok bool, err error) { func (n *SMTPNotifier) StartupCheck() (bool, error) {
ok = true if err := n.dial(); err != nil {
return false, err
if err = n.dial(); err != nil {
ok = false
return
} }
defer n.cleanup() defer n.cleanup()
if err = n.startTLS(); err != nil { if err := n.startTLS(); err != nil {
ok = false return false, err
return
} }
if err = n.auth(); err != nil { if err := n.auth(); err != nil {
ok = false return false, err
return
} }
if err = n.client.Mail(n.sender); err != nil { if err := n.client.Mail(n.sender); err != nil {
ok = false return false, err
return
} }
if err = n.client.Rcpt(n.startupCheckAddress); err != nil { if err := n.client.Rcpt(n.startupCheckAddress); err != nil {
ok = false return false, err
return
} }
if err = n.client.Reset(); err != nil { if err := n.client.Reset(); err != nil {
ok = false return false, err
return
} }
return return true, nil
} }
// Send is used to send an email to a recipient. // Send is used to send an email to a recipient.