package validator
// validRequestMethods is the allow-list of HTTP request method names the
// configuration validator accepts. Only the spelling is checked here;
// NOTE(review): presumably consulted when validating access-control rule
// method filters — confirm against the caller.
var validRequestMethods = []string{
	"GET",
	"HEAD",
	"POST",
	"PUT",
	"PATCH",
	"DELETE",
	"TRACE",
	"CONNECT",
	"OPTIONS",
}
// validKeys is the allow-list of recognised configuration keys, written in
// dotted path form. This file only declares the names; which values are
// acceptable for each key is decided by the individual validators.
// Entries marked "Deprecated" are kept so that old configurations still
// parse while their replacement key (the tls.* form) is adopted.
var validKeys = []string{
	// Root Keys.
	"host",
	"port",
	"log_level",
	"log_format",
	"log_file_path",
	"default_redirection_url",
	"jwt_secret",
	"theme",
	"tls_key",
	"tls_cert",
	"certificates_directory",

	// Server Keys.
	"server.read_buffer_size",
	"server.write_buffer_size",
	"server.path",

	// TOTP Keys.
	"totp.issuer",
	"totp.period",
	"totp.skew",

	// Access Control Keys.
	"access_control.rules",
	"access_control.default_policy",
	"access_control.networks",

	// Session Keys.
	"session.name",
	"session.secret",
	"session.expiration",
	"session.inactivity",
	"session.remember_me_duration",
	"session.domain",

	// Redis Session Keys.
	"session.redis.host",
	"session.redis.port",
	"session.redis.username",
	"session.redis.password",
	"session.redis.database_index",
	"session.redis.maximum_active_connections",
	"session.redis.minimum_idle_connections",
	"session.redis.tls.minimum_version",
	// NOTE(review): skip_verify disables certificate verification for the
	// redis connection; only the key name is accepted here — confirm the
	// session validator warns when it is enabled.
	"session.redis.tls.skip_verify",
	"session.redis.tls.server_name",
	"session.redis.high_availability.sentinel_name",
	"session.redis.high_availability.sentinel_password",
	"session.redis.high_availability.nodes",
	"session.redis.high_availability.route_by_latency",
	"session.redis.high_availability.route_randomly",
	"session.redis.timeouts.dial",
	"session.redis.timeouts.idle",
	"session.redis.timeouts.pool",
	"session.redis.timeouts.read",
	"session.redis.timeouts.write",

	// Local Storage Keys.
	"storage.local.path",

	// MySQL Storage Keys.
	"storage.mysql.host",
	"storage.mysql.port",
	"storage.mysql.database",
	"storage.mysql.username",
	"storage.mysql.password",

	// PostgreSQL Storage Keys.
	"storage.postgres.host",
	"storage.postgres.port",
	"storage.postgres.database",
	"storage.postgres.username",
	"storage.postgres.password",
	"storage.postgres.sslmode",

	// FileSystem Notifier Keys.
	"notifier.filesystem.filename",
	// Sits at the notifier root (not under notifier.filesystem), so it
	// applies regardless of which notifier is configured.
	"notifier.disable_startup_check",

	// SMTP Notifier Keys.
	"notifier.smtp.username",
	"notifier.smtp.password",
	"notifier.smtp.host",
	"notifier.smtp.port",
	"notifier.smtp.identifier",
	"notifier.smtp.sender",
	"notifier.smtp.subject",
	"notifier.smtp.startup_check_address",
	// NOTE(review): the disable_* and tls.skip_verify keys below relax
	// transport security for outgoing mail; confirm the notifier validator
	// surfaces a warning when they are set.
	"notifier.smtp.disable_require_tls",
	"notifier.smtp.trusted_cert", // TODO: Deprecated: Remove in 4.28.
	"notifier.smtp.disable_html_emails",
	"notifier.smtp.tls.minimum_version",
	"notifier.smtp.tls.skip_verify",
	"notifier.smtp.tls.server_name",
	"notifier.smtp.disable_verify_cert", // TODO: Deprecated: Remove in 4.28.

	// Regulation Keys.
	"regulation.max_retries",
	"regulation.find_time",
	"regulation.ban_time",

	// DUO API Keys.
	"duo_api.hostname",
	"duo_api.integration_key",
	"duo_api.secret_key",

	// Authentication Backend Keys.
	"authentication_backend.disable_reset_password",
	"authentication_backend.refresh_interval",

	// LDAP Authentication Backend Keys.
	"authentication_backend.ldap.implementation",
	"authentication_backend.ldap.url",
	"authentication_backend.ldap.base_dn",
	"authentication_backend.ldap.username_attribute",
	"authentication_backend.ldap.additional_users_dn",
	"authentication_backend.ldap.users_filter",
	"authentication_backend.ldap.additional_groups_dn",
	"authentication_backend.ldap.groups_filter",
	"authentication_backend.ldap.group_name_attribute",
	"authentication_backend.ldap.mail_attribute",
	"authentication_backend.ldap.display_name_attribute",
	"authentication_backend.ldap.user",
	"authentication_backend.ldap.password",
	"authentication_backend.ldap.start_tls",
	"authentication_backend.ldap.tls.minimum_version",
	"authentication_backend.ldap.tls.skip_verify",
	"authentication_backend.ldap.tls.server_name",
	// The two deprecated keys below are the pre-tls.* spellings of
	// tls.skip_verify and tls.minimum_version.
	"authentication_backend.ldap.skip_verify",         // TODO: Deprecated: Remove in 4.28.
	"authentication_backend.ldap.minimum_tls_version", // TODO: Deprecated: Remove in 4.28.

	// File Authentication Backend Keys.
	"authentication_backend.file.path",
	"authentication_backend.file.password.algorithm",
	"authentication_backend.file.password.iterations",
	"authentication_backend.file.password.key_length",
	"authentication_backend.file.password.salt_length",
	"authentication_backend.file.password.memory",
	"authentication_backend.file.password.parallelism",

	// Secret Keys.
	// Each entry is the "authelia." prefixed form of a secret-bearing key,
	// plus a ".file" variant. NOTE(review): presumably the environment /
	// secret-file sources of those values — confirm against the loader.
	"authelia.jwt_secret",
	"authelia.duo_api.secret_key",
	"authelia.session.secret",
	"authelia.authentication_backend.ldap.password",
	"authelia.notifier.smtp.password",
	"authelia.session.redis.password",
	"authelia.storage.mysql.password",
	"authelia.storage.postgres.password",
	"authelia.jwt_secret.file",
	"authelia.duo_api.secret_key.file",
	"authelia.session.secret.file",
	"authelia.authentication_backend.ldap.password.file",
	"authelia.notifier.smtp.password.file",
	"authelia.session.redis.password.file",
	"authelia.storage.mysql.password.file",
	"authelia.storage.postgres.password.file",
}
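// specificErrorKeys maps configuration keys that are no longer valid to the
// message reported when one of them is encountered. The messages are shown
// to operators, so each one names the old key and its replacement exactly
// as they appear in a configuration file.
var specificErrorKeys = map[string]string{
	// Renamed root keys. The message for logs_file_path names the full
	// old and new keys (log_file_path is the entry in validKeys) rather
	// than the abbreviated logs_file / log_file, which were never keys.
	"logs_file_path": "config key replaced: logs_file_path is now log_file_path",
	"logs_level":     "config key replaced: logs_level is now log_level",

	// Removed keys.
	"google_analytics": "config key removed: google_analytics - this functionality has been deprecated",

	// Former spellings of the file backend password section; every option
	// now lives under authentication_backend.file.password.
	"authentication_backend.file.password_options.algorithm":   "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
	"authentication_backend.file.password_options.iterations":  "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
	"authentication_backend.file.password_options.key_length":  "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
	"authentication_backend.file.password_options.salt_length": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
	"authentication_backend.file.password_options.memory":      "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
	"authentication_backend.file.password_options.parallelism": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
	"authentication_backend.file.password_hashing.algorithm":   "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
	"authentication_backend.file.password_hashing.iterations":  "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
	"authentication_backend.file.password_hashing.key_length":  "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
	"authentication_backend.file.password_hashing.salt_length": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
	"authentication_backend.file.password_hashing.memory":      "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
	"authentication_backend.file.password_hashing.parallelism": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
	"authentication_backend.file.hashing.algorithm":            "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
	"authentication_backend.file.hashing.iterations":           "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
	"authentication_backend.file.hashing.key_length":           "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
	"authentication_backend.file.hashing.salt_length":          "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
	"authentication_backend.file.hashing.memory":               "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
	"authentication_backend.file.hashing.parallelism":          "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
}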
// Message formats for the redis session provider checks; the single %s
// verb receives the provider name.
const (
	errFmtSessionSecretRedisProvider      = "The session secret must be set when using the %s session provider"
	errFmtSessionRedisPortRange           = "The port must be between 1 and 65535 for the %s session provider"
	errFmtSessionRedisHostRequired        = "The host must be provided when using the %s session provider"
	errFmtSessionRedisHostOrNodesRequired = "Either the host or a node must be provided when using the %s session provider"
)

// Access control policy names referenced by the validator.
const (
	denyPolicy   = "deny"
	bypassPolicy = "bypass"
)

// Password hashing algorithm identifiers.
const (
	argon2id = "argon2id"
	sha512   = "sha512"
)

// URL schemes accepted for the LDAP backend.
const (
	schemeLDAP  = "ldap"
	schemeLDAPS = "ldaps"
)

// Values with the test prefix; NOTE(review): presumably fixtures shared by
// this package's tests rather than runtime defaults — confirm.
const (
	testBadTimer      = "-1"
	testInvalidPolicy = "invalid"
	testJWTSecret     = "a_secret"
	testLDAPBaseDN    = "base_dn"
	testLDAPPassword  = "password"
	testLDAPURL       = "ldap://ldap"
	testLDAPUser      = "user"
	testModeDisabled  = "disable"
	testTLSCert       = "/tmp/cert.pem"
	testTLSKey        = "/tmp/key.pem"
)

// errAccessControlInvalidPolicyWithSubjects is reported when a rule combines
// the bypass policy with subjects; the two %s verbs receive the domain and
// the subjects. NOTE(review): the combination is rejected because bypass
// rules are matched before a user is known — confirm against the docs link.
const errAccessControlInvalidPolicyWithSubjects = "Policy [bypass] for domain %s with subjects %s is invalid. It is not supported to configure both policy bypass and subjects. For more information see: https://www.authelia.com/docs/configuration/access-control.html#combining-subjects-and-the-bypass-policy"