mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
143db66445
This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints.
276 lines
11 KiB
Go
276 lines
11 KiB
Go
package validator
|
|
|
|
const (
|
|
errFmtDeprecatedConfigurationKey = "[DEPRECATED] The %s configuration option is deprecated and will be " +
|
|
"removed in %s, please use %s instead"
|
|
errFmtReplacedConfigurationKey = "invalid configuration key '%s' was replaced by '%s'"
|
|
|
|
errFmtLoggingLevelInvalid = "the log level '%s' is invalid, must be one of: %s"
|
|
|
|
errFmtSessionSecretRedisProvider = "The session secret must be set when using the %s session provider"
|
|
errFmtSessionRedisPortRange = "The port must be between 1 and 65535 for the %s session provider"
|
|
errFmtSessionRedisHostRequired = "The host must be provided when using the %s session provider"
|
|
errFmtSessionRedisHostOrNodesRequired = "Either the host or a node must be provided when using the %s session provider"
|
|
|
|
errFmtOIDCServerClientRedirectURI = "OIDC client with ID '%s' redirect URI %s has an invalid scheme '%s', " +
|
|
"should be http or https"
|
|
errFmtOIDCServerClientRedirectURICantBeParsed = "OIDC client with ID '%s' has an invalid redirect URI '%s' " +
|
|
"could not be parsed: %v"
|
|
errFmtOIDCServerClientInvalidPolicy = "OIDC client with ID '%s' has an invalid policy '%s', " +
|
|
"should be either 'one_factor' or 'two_factor'"
|
|
errFmtOIDCServerClientInvalidSecret = "OIDC client with ID '%s' has an empty secret" //nolint:gosec
|
|
errFmtOIDCServerClientInvalidScope = "OIDC client with ID '%s' has an invalid scope '%s', " +
|
|
"must be one of: '%s'"
|
|
errFmtOIDCServerClientInvalidGrantType = "OIDC client with ID '%s' has an invalid grant type '%s', " +
|
|
"must be one of: '%s'"
|
|
errFmtOIDCServerClientInvalidResponseMode = "OIDC client with ID '%s' has an invalid response mode '%s', " +
|
|
"must be one of: '%s'"
|
|
errFmtOIDCServerClientInvalidUserinfoAlgorithm = "OIDC client with ID '%s' has an invalid userinfo signing " +
|
|
"algorithm '%s', must be one of: '%s'"
|
|
errFmtOIDCServerInsecureParameterEntropy = "SECURITY ISSUE: OIDC minimum parameter entropy is configured to an " +
|
|
"unsafe value, it should be above 8 but it's configured to %d."
|
|
|
|
errFileHashing = "config key incorrect: authentication_backend.file.hashing should be " +
|
|
"authentication_backend.file.password"
|
|
errFilePHashing = "config key incorrect: authentication_backend.file.password_hashing should be " +
|
|
"authentication_backend.file.password"
|
|
errFilePOptions = "config key incorrect: authentication_backend.file.password_options should be " +
|
|
"authentication_backend.file.password"
|
|
|
|
bypassPolicy = "bypass"
|
|
oneFactorPolicy = "one_factor"
|
|
twoFactorPolicy = "two_factor"
|
|
denyPolicy = "deny"
|
|
|
|
argon2id = "argon2id"
|
|
sha512 = "sha512"
|
|
|
|
schemeLDAP = "ldap"
|
|
schemeLDAPS = "ldaps"
|
|
schemeHTTP = "http"
|
|
schemeHTTPS = "https"
|
|
|
|
testBadTimer = "-1"
|
|
testInvalidPolicy = "invalid"
|
|
testJWTSecret = "a_secret"
|
|
testLDAPBaseDN = "base_dn"
|
|
testLDAPPassword = "password"
|
|
testLDAPURL = "ldap://ldap"
|
|
testLDAPUser = "user"
|
|
testModeDisabled = "disable"
|
|
testTLSCert = "/tmp/cert.pem"
|
|
testTLSKey = "/tmp/key.pem"
|
|
|
|
errAccessControlInvalidPolicyWithSubjects = "Policy [bypass] for rule #%d domain %s with subjects %s is invalid. " +
|
|
"It is not supported to configure both policy bypass and subjects. For more information see: " +
|
|
"https://www.authelia.com/docs/configuration/access-control.html#combining-subjects-and-the-bypass-policy"
|
|
)
|
|
|
|
var validLoggingLevels = []string{"trace", "debug", "info", "warn", "error"}
|
|
var validHTTPRequestMethods = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"}
|
|
|
|
var validOIDCScopes = []string{"openid", "email", "profile", "groups", "offline_access"}
|
|
var validOIDCGrantTypes = []string{"implicit", "refresh_token", "authorization_code", "password", "client_credentials"}
|
|
var validOIDCResponseModes = []string{"form_post", "query", "fragment"}
|
|
var validOIDCUserinfoAlgorithms = []string{"none", "RS256"}
|
|
|
|
// SecretNames contains a map of secret names.
|
|
var SecretNames = map[string]string{
|
|
"JWTSecret": "jwt_secret",
|
|
"SessionSecret": "session.secret",
|
|
"DUOSecretKey": "duo_api.secret_key",
|
|
"RedisPassword": "session.redis.password",
|
|
"RedisSentinelPassword": "session.redis.high_availability.sentinel_password",
|
|
"LDAPPassword": "authentication_backend.ldap.password",
|
|
"SMTPPassword": "notifier.smtp.password",
|
|
"MySQLPassword": "storage.mysql.password",
|
|
"PostgreSQLPassword": "storage.postgres.password",
|
|
"OpenIDConnectHMACSecret": "identity_providers.oidc.hmac_secret",
|
|
"OpenIDConnectIssuerPrivateKey": "identity_providers.oidc.issuer_private_key",
|
|
}
|
|
|
|
// validKeys is a list of valid keys that are not secret names. For the sake of consistency please place any secret in
|
|
// the secret names map and reuse it in relevant sections.
|
|
var validKeys = []string{
|
|
// Root Keys.
|
|
"host",
|
|
"port",
|
|
"default_redirection_url",
|
|
"theme",
|
|
"tls_key",
|
|
"tls_cert",
|
|
"certificates_directory",
|
|
|
|
// Log keys.
|
|
"log.level",
|
|
"log.format",
|
|
"log.file_path",
|
|
"log.keep_stdout",
|
|
|
|
// TODO: DEPRECATED START. Remove in 4.33.0.
|
|
"log_level",
|
|
"log_format",
|
|
"log_file_path",
|
|
// TODO: DEPRECATED END. Remove in 4.33.0.
|
|
|
|
// Server Keys.
|
|
"server.read_buffer_size",
|
|
"server.write_buffer_size",
|
|
"server.path",
|
|
"server.enable_pprof",
|
|
"server.enable_expvars",
|
|
|
|
// TOTP Keys.
|
|
"totp.issuer",
|
|
"totp.period",
|
|
"totp.skew",
|
|
|
|
// Access Control Keys.
|
|
"access_control.rules",
|
|
"access_control.default_policy",
|
|
"access_control.networks",
|
|
|
|
// Session Keys.
|
|
"session.name",
|
|
"session.domain",
|
|
"session.same_site",
|
|
"session.expiration",
|
|
"session.inactivity",
|
|
"session.remember_me_duration",
|
|
|
|
// Redis Session Keys.
|
|
"session.redis.host",
|
|
"session.redis.port",
|
|
"session.redis.username",
|
|
"session.redis.database_index",
|
|
"session.redis.maximum_active_connections",
|
|
"session.redis.minimum_idle_connections",
|
|
"session.redis.tls.minimum_version",
|
|
"session.redis.tls.skip_verify",
|
|
"session.redis.tls.server_name",
|
|
"session.redis.high_availability.sentinel_name",
|
|
"session.redis.high_availability.nodes",
|
|
"session.redis.high_availability.route_by_latency",
|
|
"session.redis.high_availability.route_randomly",
|
|
"session.redis.timeouts.dial",
|
|
"session.redis.timeouts.idle",
|
|
"session.redis.timeouts.pool",
|
|
"session.redis.timeouts.read",
|
|
"session.redis.timeouts.write",
|
|
|
|
// Local Storage Keys.
|
|
"storage.local.path",
|
|
|
|
// MySQL Storage Keys.
|
|
"storage.mysql.host",
|
|
"storage.mysql.port",
|
|
"storage.mysql.database",
|
|
"storage.mysql.username",
|
|
|
|
// PostgreSQL Storage Keys.
|
|
"storage.postgres.host",
|
|
"storage.postgres.port",
|
|
"storage.postgres.database",
|
|
"storage.postgres.username",
|
|
"storage.postgres.sslmode",
|
|
|
|
// FileSystem Notifier Keys.
|
|
"notifier.filesystem.filename",
|
|
"notifier.disable_startup_check",
|
|
|
|
// SMTP Notifier Keys.
|
|
"notifier.smtp.username",
|
|
"notifier.smtp.host",
|
|
"notifier.smtp.port",
|
|
"notifier.smtp.identifier",
|
|
"notifier.smtp.sender",
|
|
"notifier.smtp.subject",
|
|
"notifier.smtp.startup_check_address",
|
|
"notifier.smtp.disable_require_tls",
|
|
"notifier.smtp.disable_html_emails",
|
|
"notifier.smtp.tls.minimum_version",
|
|
"notifier.smtp.tls.skip_verify",
|
|
"notifier.smtp.tls.server_name",
|
|
|
|
// Regulation Keys.
|
|
"regulation.max_retries",
|
|
"regulation.find_time",
|
|
"regulation.ban_time",
|
|
|
|
// DUO API Keys.
|
|
"duo_api.hostname",
|
|
"duo_api.integration_key",
|
|
|
|
// Authentication Backend Keys.
|
|
"authentication_backend.disable_reset_password",
|
|
"authentication_backend.refresh_interval",
|
|
|
|
// LDAP Authentication Backend Keys.
|
|
"authentication_backend.ldap.implementation",
|
|
"authentication_backend.ldap.url",
|
|
"authentication_backend.ldap.base_dn",
|
|
"authentication_backend.ldap.username_attribute",
|
|
"authentication_backend.ldap.additional_users_dn",
|
|
"authentication_backend.ldap.users_filter",
|
|
"authentication_backend.ldap.additional_groups_dn",
|
|
"authentication_backend.ldap.groups_filter",
|
|
"authentication_backend.ldap.group_name_attribute",
|
|
"authentication_backend.ldap.mail_attribute",
|
|
"authentication_backend.ldap.display_name_attribute",
|
|
"authentication_backend.ldap.user",
|
|
"authentication_backend.ldap.start_tls",
|
|
"authentication_backend.ldap.tls.minimum_version",
|
|
"authentication_backend.ldap.tls.skip_verify",
|
|
"authentication_backend.ldap.tls.server_name",
|
|
|
|
// File Authentication Backend Keys.
|
|
"authentication_backend.file.path",
|
|
"authentication_backend.file.password.algorithm",
|
|
"authentication_backend.file.password.iterations",
|
|
"authentication_backend.file.password.key_length",
|
|
"authentication_backend.file.password.salt_length",
|
|
"authentication_backend.file.password.memory",
|
|
"authentication_backend.file.password.parallelism",
|
|
|
|
// Identity Provider Keys.
|
|
"identity_providers.oidc.clients",
|
|
"identity_providers.oidc.id_token_lifespan",
|
|
"identity_providers.oidc.access_token_lifespan",
|
|
"identity_providers.oidc.refresh_token_lifespan",
|
|
"identity_providers.oidc.authorize_code_lifespan",
|
|
"identity_providers.oidc.enable_client_debug_messages",
|
|
}
|
|
|
|
var replacedKeys = map[string]string{
|
|
"authentication_backend.ldap.skip_verify": "authentication_backend.ldap.tls.skip_verify",
|
|
"authentication_backend.ldap.minimum_tls_version": "authentication_backend.ldap.tls.minimum_version",
|
|
"notifier.smtp.disable_verify_cert": "notifier.smtp.tls.skip_verify",
|
|
"logs_file_path": "log.file_path",
|
|
"logs_level": "log.level",
|
|
}
|
|
|
|
var specificErrorKeys = map[string]string{
|
|
"google_analytics": "config key removed: google_analytics - this functionality has been deprecated",
|
|
"notifier.smtp.trusted_cert": "invalid configuration key `notifier.smtp.trusted_cert` it has been removed, " +
|
|
"option has been replaced by the global option `certificates_directory`",
|
|
|
|
"authentication_backend.file.password_options.algorithm": errFilePOptions,
|
|
"authentication_backend.file.password_options.iterations": errFilePOptions,
|
|
"authentication_backend.file.password_options.key_length": errFilePOptions,
|
|
"authentication_backend.file.password_options.salt_length": errFilePOptions,
|
|
"authentication_backend.file.password_options.memory": errFilePOptions,
|
|
"authentication_backend.file.password_options.parallelism": errFilePOptions,
|
|
"authentication_backend.file.password_hashing.algorithm": errFilePHashing,
|
|
"authentication_backend.file.password_hashing.iterations": errFilePHashing,
|
|
"authentication_backend.file.password_hashing.key_length": errFilePHashing,
|
|
"authentication_backend.file.password_hashing.salt_length": errFilePHashing,
|
|
"authentication_backend.file.password_hashing.memory": errFilePHashing,
|
|
"authentication_backend.file.password_hashing.parallelism": errFilePHashing,
|
|
"authentication_backend.file.hashing.algorithm": errFileHashing,
|
|
"authentication_backend.file.hashing.iterations": errFileHashing,
|
|
"authentication_backend.file.hashing.key_length": errFileHashing,
|
|
"authentication_backend.file.hashing.salt_length": errFileHashing,
|
|
"authentication_backend.file.hashing.memory": errFileHashing,
|
|
"authentication_backend.file.hashing.parallelism": errFileHashing,
|
|
}
|