package validator
// Session provider validation messages. Each takes the provider name as its
// single %s argument.
const (
	errFmtSessionSecretRedisProvider      = "The session secret must be set when using the %s session provider"
	errFmtSessionRedisPortRange           = "The port must be between 1 and 65535 for the %s session provider"
	errFmtSessionRedisHostRequired        = "The host must be provided when using the %s session provider"
	errFmtSessionRedisHostOrNodesRequired = "Either the host or a node must be provided when using the %s session provider"
)

// errFmtReplacedConfigurationKey is the message for a configuration key that
// has been renamed (presumably paired with replacedKeys): the first %s is the
// rejected key, the second the key that now carries the setting.
const errFmtReplacedConfigurationKey = "invalid configuration key '%s' was replaced by '%s'"

// OpenID Connect client validation messages. The first is reported for a
// client redirect URI whose scheme is neither http nor https; the check itself
// lives in the consumer of these constants. The naming is inconsistent
// (errOAuth… vs errIdentityProviders…) but the identifiers are referenced
// elsewhere in the package and are kept as-is.
const (
	errOAuthOIDCServerClientRedirectURIFmt               = "OIDC Server Client redirect URI %s has an invalid scheme %s, should be http or https"
	errOAuthOIDCServerClientRedirectURICantBeParsedFmt   = "OIDC Client with ID '%s' has an invalid redirect URI '%s' could not be parsed: %v"
	errIdentityProvidersOIDCServerClientInvalidPolicyFmt = "OIDC Client with ID '%s' has an invalid policy '%s', should be either 'one_factor' or 'two_factor'"
	errIdentityProvidersOIDCServerClientInvalidSecFmt    = "OIDC Client with ID '%s' has an empty secret"
)

// Messages for the superseded authentication_backend.file.* hashing sections;
// each points the operator at the current password section. Reused as the
// values of specificErrorKeys.
const (
	errFileHashing  = "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password"
	errFilePHashing = "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password"
	errFilePOptions = "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password"
)

// Access control policy names as they appear in configuration.
const (
	bypassPolicy    = "bypass"
	oneFactorPolicy = "one_factor"
	twoFactorPolicy = "two_factor"
	denyPolicy      = "deny"
)

// Password hashing algorithm identifiers and LDAP URL schemes.
const (
	argon2id = "argon2id"
	sha512   = "sha512"

	schemeLDAP  = "ldap"
	schemeLDAPS = "ldaps"
)

// Fixture values, presumably shared by this package's tests; nothing in this
// file consumes them. The /tmp paths are placeholders — confirm in the tests
// whether they are ever opened.
const (
	testBadTimer      = "-1"
	testInvalidPolicy = "invalid"
	testJWTSecret     = "a_secret"
	testLDAPBaseDN    = "base_dn"
	testLDAPPassword  = "password"
	testLDAPURL       = "ldap://ldap"
	testLDAPUser      = "user"
	testModeDisabled  = "disable"
	testTLSCert       = "/tmp/cert.pem"
	testTLSKey        = "/tmp/key.pem"
)

// errAccessControlInvalidPolicyWithSubjects is reported for a rule that
// combines the bypass policy with subjects: %d is the rule index, the first %s
// the rule's domain and the second its subjects.
const errAccessControlInvalidPolicyWithSubjects = "Policy [bypass] for rule #%d domain %s with subjects %s is invalid. It is " +
	"not supported to configure both policy bypass and subjects. For more information see: " +
	"https://www.authelia.com/docs/configuration/access-control.html#combining-subjects-and-the-bypass-policy"
// validRequestMethods lists the HTTP request methods the validator accepts:
// the eight methods of RFC 7231 plus PATCH (RFC 5789). Presumably used when
// checking the methods of access control rules — confirm in the consumer.
var validRequestMethods = []string{
	"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS",
}
// SecretNames maps an internal secret identifier to the configuration key path
// that holds the secret's value. A key path listed here is treated as a secret
// and is deliberately absent from validKeys; any new credential-bearing key
// belongs in this map rather than in validKeys.
var SecretNames = map[string]string{
	// Core secrets.
	"JWTSecret":     "jwt_secret",
	"SessionSecret": "session.secret",
	"DUOSecretKey":  "duo_api.secret_key",

	// Session storage credentials.
	"RedisPassword":         "session.redis.password",
	"RedisSentinelPassword": "session.redis.high_availability.sentinel_password",

	// Backend and notifier credentials.
	"LDAPPassword":       "authentication_backend.ldap.password",
	"SMTPPassword":       "notifier.smtp.password",
	"MySQLPassword":      "storage.mysql.password",
	"PostgreSQLPassword": "storage.postgres.password",

	// OpenID Connect provider key material.
	"OpenIDConnectHMACSecret":       "identity_providers.oidc.hmac_secret",
	"OpenIDConnectIssuerPrivateKey": "identity_providers.oidc.issuer_private_key",
}
// validKeys is the list of configuration keys the validator accepts, excluding
// secrets. For the sake of consistency, any secret belongs in SecretNames
// rather than here; reuse that map in the relevant sections.
var validKeys = []string{
	// Root keys.
	"host",
	"port",
	"log_level",
	"log_format",
	"log_file_path",
	"default_redirection_url",
	"theme",
	"tls_key",
	"tls_cert",
	"certificates_directory",

	// Server keys.
	"server.read_buffer_size",
	"server.write_buffer_size",
	"server.path",

	// TOTP keys.
	"totp.issuer",
	"totp.period",
	"totp.skew",

	// Access control keys.
	"access_control.rules",
	"access_control.default_policy",
	"access_control.networks",

	// Session keys.
	"session.name",
	"session.domain",
	"session.same_site",
	"session.expiration",
	"session.inactivity",
	"session.remember_me_duration",

	// Redis session keys. The tls.* keys presumably configure the client-side
	// TLS settings of the Redis connection (skip_verify disabling certificate
	// verification); the consumer of these keys is outside this file — confirm
	// there before relying on that reading.
	"session.redis.host",
	"session.redis.port",
	"session.redis.username",
	"session.redis.database_index",
	"session.redis.maximum_active_connections",
	"session.redis.minimum_idle_connections",
	"session.redis.tls.minimum_version",
	"session.redis.tls.skip_verify",
	"session.redis.tls.server_name",
	"session.redis.high_availability.sentinel_name",
	"session.redis.high_availability.nodes",
	"session.redis.high_availability.route_by_latency",
	"session.redis.high_availability.route_randomly",
	"session.redis.timeouts.dial",
	"session.redis.timeouts.idle",
	"session.redis.timeouts.pool",
	"session.redis.timeouts.read",
	"session.redis.timeouts.write",

	// Local storage keys.
	"storage.local.path",

	// MySQL storage keys.
	"storage.mysql.host",
	"storage.mysql.port",
	"storage.mysql.database",
	"storage.mysql.username",

	// PostgreSQL storage keys.
	"storage.postgres.host",
	"storage.postgres.port",
	"storage.postgres.database",
	"storage.postgres.username",
	"storage.postgres.sslmode",

	// Filesystem notifier keys.
	"notifier.filesystem.filename",
	"notifier.disable_startup_check",

	// SMTP notifier keys (same tls.* caveat as for Redis above).
	"notifier.smtp.username",
	"notifier.smtp.host",
	"notifier.smtp.port",
	"notifier.smtp.identifier",
	"notifier.smtp.sender",
	"notifier.smtp.subject",
	"notifier.smtp.startup_check_address",
	"notifier.smtp.disable_require_tls",
	"notifier.smtp.disable_html_emails",
	"notifier.smtp.tls.minimum_version",
	"notifier.smtp.tls.skip_verify",
	"notifier.smtp.tls.server_name",

	// Regulation keys.
	"regulation.max_retries",
	"regulation.find_time",
	"regulation.ban_time",

	// Duo API keys.
	"duo_api.hostname",
	"duo_api.integration_key",

	// Authentication backend keys.
	"authentication_backend.disable_reset_password",
	"authentication_backend.refresh_interval",

	// LDAP authentication backend keys (same tls.* caveat as for Redis above).
	"authentication_backend.ldap.implementation",
	"authentication_backend.ldap.url",
	"authentication_backend.ldap.base_dn",
	"authentication_backend.ldap.username_attribute",
	"authentication_backend.ldap.additional_users_dn",
	"authentication_backend.ldap.users_filter",
	"authentication_backend.ldap.additional_groups_dn",
	"authentication_backend.ldap.groups_filter",
	"authentication_backend.ldap.group_name_attribute",
	"authentication_backend.ldap.mail_attribute",
	"authentication_backend.ldap.display_name_attribute",
	"authentication_backend.ldap.user",
	"authentication_backend.ldap.start_tls",
	"authentication_backend.ldap.tls.minimum_version",
	"authentication_backend.ldap.tls.skip_verify",
	"authentication_backend.ldap.tls.server_name",

	// File authentication backend keys.
	"authentication_backend.file.path",
	"authentication_backend.file.password.algorithm",
	"authentication_backend.file.password.iterations",
	"authentication_backend.file.password.key_length",
	"authentication_backend.file.password.salt_length",
	"authentication_backend.file.password.memory",
	"authentication_backend.file.password.parallelism",

	// Identity provider keys.
	"identity_providers.oidc.clients",
}
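// replacedKeys maps configuration keys that no longer exist to the key that
// now carries the same setting. A key found here is presumably reported via
// errFmtReplacedConfigurationKey, whose message names the replacement, so every
// value in this map must itself be a key the validator accepts (see validKeys).
var replacedKeys = map[string]string{
	"authentication_backend.ldap.skip_verify":         "authentication_backend.ldap.tls.skip_verify",
	"authentication_backend.ldap.minimum_tls_version": "authentication_backend.ldap.tls.minimum_version",
	"notifier.smtp.disable_verify_cert":               "notifier.smtp.tls.skip_verify",
	// Previously pointed at "log_file", which is not in validKeys; the current
	// root key is "log_file_path", so the error message now names a key that
	// will actually be accepted.
	"logs_file_path": "log_file_path",
	"logs_level":     "log_level",
}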
// specificErrorKeys maps removed or renamed configuration keys to the exact
// error message to report for them, for cases where a plain "replaced by"
// message (see replacedKeys) is not sufficient.
var specificErrorKeys = map[string]string{
	// Removed features.
	"google_analytics": "config key removed: google_analytics - this functionality has been deprecated",

	// Per-connection trusted certificate replaced by the global directory.
	"notifier.smtp.trusted_cert": "invalid configuration key `notifier.smtp.trusted_cert` it has been removed, " +
		"option has been replaced by the global option `certificates_directory`",

	// Superseded file backend hashing sections; every field of each old section
	// resolves to the same message pointing at authentication_backend.file.password.
	"authentication_backend.file.password_options.algorithm":   errFilePOptions,
	"authentication_backend.file.password_options.iterations":  errFilePOptions,
	"authentication_backend.file.password_options.key_length":  errFilePOptions,
	"authentication_backend.file.password_options.salt_length": errFilePOptions,
	"authentication_backend.file.password_options.memory":      errFilePOptions,
	"authentication_backend.file.password_options.parallelism": errFilePOptions,

	"authentication_backend.file.password_hashing.algorithm":   errFilePHashing,
	"authentication_backend.file.password_hashing.iterations":  errFilePHashing,
	"authentication_backend.file.password_hashing.key_length":  errFilePHashing,
	"authentication_backend.file.password_hashing.salt_length": errFilePHashing,
	"authentication_backend.file.password_hashing.memory":      errFilePHashing,
	"authentication_backend.file.password_hashing.parallelism": errFilePHashing,

	"authentication_backend.file.hashing.algorithm":   errFileHashing,
	"authentication_backend.file.hashing.iterations":  errFileHashing,
	"authentication_backend.file.hashing.key_length":  errFileHashing,
	"authentication_backend.file.hashing.salt_length": errFileHashing,
	"authentication_backend.file.hashing.memory":      errFileHashing,
	"authentication_backend.file.hashing.parallelism": errFileHashing,
}