mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
4710de33a4
This adds to the ongoing effort to remove all pointers to structs in the configuration without breaking backwards compatibility.
574 lines
28 KiB
Go
574 lines
28 KiB
Go
package validator
|
|
|
|
import (
|
|
"regexp"
|
|
|
|
"github.com/go-webauthn/webauthn/protocol"
|
|
|
|
"github.com/authelia/authelia/v4/internal/oidc"
|
|
)
|
|
|
|
const (
|
|
loopback = "127.0.0.1"
|
|
oauth2InstalledApp = "urn:ietf:wg:oauth:2.0:oob"
|
|
)
|
|
|
|
// Policy constants.
|
|
const (
|
|
policyBypass = "bypass"
|
|
policyOneFactor = "one_factor"
|
|
policyTwoFactor = "two_factor"
|
|
policyDeny = "deny"
|
|
)
|
|
|
|
// Hashing constants.
|
|
const (
|
|
hashArgon2id = "argon2id"
|
|
hashSHA512 = "sha512"
|
|
)
|
|
|
|
// Scheme constants.
|
|
const (
|
|
schemeLDAP = "ldap"
|
|
schemeLDAPS = "ldaps"
|
|
schemeHTTP = "http"
|
|
schemeHTTPS = "https"
|
|
)
|
|
|
|
// Test constants.
|
|
const (
|
|
testInvalidPolicy = "invalid"
|
|
testJWTSecret = "a_secret"
|
|
testLDAPBaseDN = "base_dn"
|
|
testLDAPPassword = "password"
|
|
testLDAPURL = "ldap://ldap"
|
|
testLDAPUser = "user"
|
|
testModeDisabled = "disable"
|
|
testEncryptionKey = "a_not_so_secure_encryption_key"
|
|
)
|
|
|
|
// Notifier Error constants.
|
|
const (
|
|
errFmtNotifierMultipleConfigured = "notifier: please ensure only one of the 'smtp' or 'filesystem' notifier is configured"
|
|
errFmtNotifierNotConfigured = "notifier: you must ensure either the 'smtp' or 'filesystem' notifier " +
|
|
"is configured"
|
|
errFmtNotifierTemplatePathNotExist = "notifier: option 'template_path' refers to location '%s' which does not exist"
|
|
errFmtNotifierTemplatePathUnknownError = "notifier: option 'template_path' refers to location '%s' which couldn't be opened: %w"
|
|
errFmtNotifierTemplateLoad = "notifier: error loading template '%s': %w"
|
|
errFmtNotifierFileSystemFileNameNotConfigured = "notifier: filesystem: option 'filename' is required "
|
|
errFmtNotifierSMTPNotConfigured = "notifier: smtp: option '%s' is required"
|
|
)
|
|
|
|
// Authentication Backend Error constants.
|
|
const (
|
|
errFmtAuthBackendNotConfigured = "authentication_backend: you must ensure either the 'file' or 'ldap' " +
|
|
"authentication backend is configured"
|
|
errFmtAuthBackendMultipleConfigured = "authentication_backend: please ensure only one of the 'file' or 'ldap' " +
|
|
"backend is configured"
|
|
errFmtAuthBackendRefreshInterval = "authentication_backend: option 'refresh_interval' is configured to '%s' but " +
|
|
"it must be either a duration notation or one of 'disable', or 'always': %w"
|
|
errFmtAuthBackendPasswordResetCustomURLScheme = "authentication_backend: password_reset: option 'custom_url' is" +
|
|
" configured to '%s' which has the scheme '%s' but the scheme must be either 'http' or 'https'"
|
|
|
|
errFmtFileAuthBackendPathNotConfigured = "authentication_backend: file: option 'path' is required"
|
|
errFmtFileAuthBackendPasswordSaltLength = "authentication_backend: file: password: option 'salt_length' " +
|
|
"must be 2 or more but it is configured a '%d'"
|
|
errFmtFileAuthBackendPasswordUnknownAlg = "authentication_backend: file: password: option 'algorithm' " +
|
|
"must be either 'argon2id' or 'sha512' but it is configured as '%s'"
|
|
errFmtFileAuthBackendPasswordInvalidIterations = "authentication_backend: file: password: option " +
|
|
"'iterations' must be 1 or more but it is configured as '%d'"
|
|
errFmtFileAuthBackendPasswordArgon2idInvalidKeyLength = "authentication_backend: file: password: option " +
|
|
"'key_length' must be 16 or more when using algorithm 'argon2id' but it is configured as '%d'"
|
|
errFmtFileAuthBackendPasswordArgon2idInvalidParallelism = "authentication_backend: file: password: option " +
|
|
"'parallelism' must be 1 or more when using algorithm 'argon2id' but it is configured as '%d'"
|
|
errFmtFileAuthBackendPasswordArgon2idInvalidMemory = "authentication_backend: file: password: option 'memory' " +
|
|
"must at least be parallelism multiplied by 8 when using algorithm 'argon2id' " +
|
|
"with parallelism %d it should be at least %d but it is configured as '%d'"
|
|
|
|
errFmtLDAPAuthBackendMissingOption = "authentication_backend: ldap: option '%s' is required"
|
|
errFmtLDAPAuthBackendTLSMinVersion = "authentication_backend: ldap: tls: option " +
|
|
"'minimum_tls_version' is invalid: %s: %w"
|
|
errFmtLDAPAuthBackendImplementation = "authentication_backend: ldap: option 'implementation' " +
|
|
"is configured as '%s' but must be one of the following values: '%s'"
|
|
errFmtLDAPAuthBackendFilterReplacedPlaceholders = "authentication_backend: ldap: option " +
|
|
"'%s' has an invalid placeholder: '%s' has been removed, please use '%s' instead"
|
|
errFmtLDAPAuthBackendURLNotParsable = "authentication_backend: ldap: option " +
|
|
"'url' could not be parsed: %w"
|
|
errFmtLDAPAuthBackendURLInvalidScheme = "authentication_backend: ldap: option " +
|
|
"'url' must have either the 'ldap' or 'ldaps' scheme but it is configured as '%s'"
|
|
errFmtLDAPAuthBackendFilterEnclosingParenthesis = "authentication_backend: ldap: option " +
|
|
"'%s' must contain enclosing parenthesis: '%s' should probably be '(%s)'"
|
|
errFmtLDAPAuthBackendFilterMissingPlaceholder = "authentication_backend: ldap: option " +
|
|
"'%s' must contain the placeholder '{%s}' but it is required"
|
|
)
|
|
|
|
// TOTP Error constants.
|
|
const (
|
|
errFmtTOTPInvalidAlgorithm = "totp: option 'algorithm' must be one of '%s' but it is configured as '%s'"
|
|
errFmtTOTPInvalidPeriod = "totp: option 'period' option must be 15 or more but it is configured as '%d'"
|
|
errFmtTOTPInvalidDigits = "totp: option 'digits' must be 6 or 8 but it is configured as '%d'"
|
|
errFmtTOTPInvalidSecretSize = "totp: option 'secret_size' must be %d or higher but it is configured as '%d'" //nolint:gosec
|
|
)
|
|
|
|
// Storage Error constants.
|
|
const (
|
|
errStrStorage = "storage: configuration for a 'local', 'mysql' or 'postgres' database must be provided"
|
|
errStrStorageEncryptionKeyMustBeProvided = "storage: option 'encryption_key' must is required"
|
|
errStrStorageEncryptionKeyTooShort = "storage: option 'encryption_key' must be 20 characters or longer"
|
|
errFmtStorageUserPassMustBeProvided = "storage: %s: option 'username' and 'password' are required" //nolint:gosec
|
|
errFmtStorageOptionMustBeProvided = "storage: %s: option '%s' is required"
|
|
errFmtStoragePostgreSQLInvalidSSLMode = "storage: postgres: ssl: option 'mode' must be one of '%s' but it is configured as '%s'"
|
|
)
|
|
|
|
// OpenID Error constants.
|
|
const (
|
|
errFmtOIDCNoClientsConfigured = "identity_providers: oidc: option 'clients' must have one or " +
|
|
"more clients configured"
|
|
errFmtOIDCNoPrivateKey = "identity_providers: oidc: option 'issuer_private_key' is required"
|
|
errFmtOIDCEnforcePKCEInvalidValue = "identity_providers: oidc: option 'enforce_pkce' must be 'never', " +
|
|
"'public_clients_only' or 'always', but it is configured as '%s'"
|
|
|
|
errFmtOIDCCORSInvalidOrigin = "identity_providers: oidc: cors: option 'allowed_origins' contains an invalid value '%s' as it has a %s: origins must only be scheme, hostname, and an optional port"
|
|
errFmtOIDCCORSInvalidOriginWildcard = "identity_providers: oidc: cors: option 'allowed_origins' contains the wildcard origin '*' with more than one origin but the wildcard origin must be defined by itself"
|
|
errFmtOIDCCORSInvalidOriginWildcardWithClients = "identity_providers: oidc: cors: option 'allowed_origins' contains the wildcard origin '*' cannot be specified with option 'allowed_origins_from_client_redirect_uris' enabled"
|
|
errFmtOIDCCORSInvalidEndpoint = "identity_providers: oidc: cors: option 'endpoints' contains an invalid value '%s': must be one of '%s'"
|
|
|
|
errFmtOIDCClientsDuplicateID = "identity_providers: oidc: one or more clients have the same id but all client" +
|
|
"id's must be unique"
|
|
errFmtOIDCClientsWithEmptyID = "identity_providers: oidc: one or more clients have been configured with " +
|
|
"an empty id"
|
|
|
|
errFmtOIDCClientInvalidSecret = "identity_providers: oidc: client '%s': option 'secret' is required"
|
|
errFmtOIDCClientPublicInvalidSecret = "identity_providers: oidc: client '%s': option 'secret' is " +
|
|
"required to be empty when option 'public' is true"
|
|
errFmtOIDCClientRedirectURI = "identity_providers: oidc: client '%s': option 'redirect_uris' has an " +
|
|
"invalid value: redirect uri '%s' must have a scheme of 'http' or 'https' but '%s' is configured"
|
|
errFmtOIDCClientRedirectURICantBeParsed = "identity_providers: oidc: client '%s': option 'redirect_uris' has an " +
|
|
"invalid value: redirect uri '%s' could not be parsed: %v"
|
|
errFmtOIDCClientRedirectURIPublic = "identity_providers: oidc: client '%s': option 'redirect_uris' has the" +
|
|
"redirect uri '%s' when option 'public' is false but this is invalid as this uri is not valid " +
|
|
"for the openid connect confidential client type"
|
|
errFmtOIDCClientRedirectURIAbsolute = "identity_providers: oidc: client '%s': option 'redirect_uris' has an " +
|
|
"invalid value: redirect uri '%s' must have the scheme 'http' or 'https' but it has no scheme"
|
|
errFmtOIDCClientInvalidPolicy = "identity_providers: oidc: client '%s': option 'policy' must be 'one_factor' " +
|
|
"or 'two_factor' but it is configured as '%s'"
|
|
errFmtOIDCClientInvalidEntry = "identity_providers: oidc: client '%s': option '%s' must only have the values " +
|
|
"'%s' but one option is configured as '%s'"
|
|
errFmtOIDCClientInvalidUserinfoAlgorithm = "identity_providers: oidc: client '%s': option " +
|
|
"'userinfo_signing_algorithm' must be one of '%s' but it is configured as '%s'"
|
|
errFmtOIDCClientInvalidSectorIdentifier = "identity_providers: oidc: client '%s': option " +
|
|
"'sector_identifier' with value '%s': must be a URL with only the host component for example '%s' but it has a %s with the value '%s'"
|
|
errFmtOIDCClientInvalidSectorIdentifierWithoutValue = "identity_providers: oidc: client '%s': option " +
|
|
"'sector_identifier' with value '%s': must be a URL with only the host component for example '%s' but it has a %s"
|
|
errFmtOIDCClientInvalidSectorIdentifierHost = "identity_providers: oidc: client '%s': option " +
|
|
"'sector_identifier' with value '%s': must be a URL with only the host component but appears to be invalid"
|
|
errFmtOIDCServerInsecureParameterEntropy = "openid connect provider: SECURITY ISSUE - minimum parameter entropy is " +
|
|
"configured to an unsafe value, it should be above 8 but it's configured to %d"
|
|
)
|
|
|
|
// Webauthn Error constants.
|
|
const (
|
|
errFmtWebauthnConveyancePreference = "webauthn: option 'attestation_conveyance_preference' must be one of '%s' but it is configured as '%s'"
|
|
errFmtWebauthnUserVerification = "webauthn: option 'user_verification' must be one of 'discouraged', 'preferred', 'required' but it is configured as '%s'"
|
|
)
|
|
|
|
// Access Control error constants.
|
|
const (
|
|
errFmtAccessControlDefaultPolicyValue = "access control: option 'default_policy' must be one of '%s' but it is " +
|
|
"configured as '%s'"
|
|
errFmtAccessControlDefaultPolicyWithoutRules = "access control: 'default_policy' option '%s' is invalid: when " +
|
|
"no rules are specified it must be 'two_factor' or 'one_factor'"
|
|
errFmtAccessControlNetworkGroupIPCIDRInvalid = "access control: networks: network group '%s' is invalid: the " +
|
|
"network '%s' is not a valid IP or CIDR notation"
|
|
errFmtAccessControlWarnNoRulesDefaultPolicy = "access control: no rules have been specified so the " +
|
|
"'default_policy' of '%s' is going to be applied to all requests"
|
|
errFmtAccessControlRuleNoDomains = "access control: rule %s: rule is invalid: must have the option " +
|
|
"'domain' or 'domain_regex' configured"
|
|
errFmtAccessControlRuleInvalidPolicy = "access control: rule %s: rule 'policy' option '%s' " +
|
|
"is invalid: must be one of 'deny', 'two_factor', 'one_factor' or 'bypass'"
|
|
errAccessControlRuleBypassPolicyInvalidWithSubjects = "access control: rule %s: 'policy' option 'bypass' is " +
|
|
"not supported when 'subject' option is configured: see " +
|
|
"https://www.authelia.com/docs/configuration/access-control.html#bypass"
|
|
errAccessControlRuleBypassPolicyInvalidWithSubjectsWithGroupDomainRegex = "access control: rule %s: 'policy' option 'bypass' is " +
|
|
"not supported when 'domain_regex' option contains the user or group named matches. For more information see: " +
|
|
"https://www.authelia.com/docs/configuration/access-control.html#bypass-and-user-identity"
|
|
errFmtAccessControlRuleNetworksInvalid = "access control: rule %s: the network '%s' is not a " +
|
|
"valid Group Name, IP, or CIDR notation"
|
|
errFmtAccessControlRuleSubjectInvalid = "access control: rule %s: 'subject' option '%s' is " +
|
|
"invalid: must start with 'user:' or 'group:'"
|
|
errFmtAccessControlRuleMethodInvalid = "access control: rule %s: 'methods' option '%s' is " +
|
|
"invalid: must be one of '%s'"
|
|
)
|
|
|
|
// Theme Error constants.
|
|
const (
|
|
errFmtThemeName = "option 'theme' must be one of '%s' but it is configured as '%s'"
|
|
)
|
|
|
|
// NTP Error constants.
|
|
const (
|
|
errFmtNTPVersion = "ntp: option 'version' must be either 3 or 4 but it is configured as '%d'"
|
|
)
|
|
|
|
// Session error constants.
|
|
const (
|
|
errFmtSessionOptionRequired = "session: option '%s' is required"
|
|
errFmtSessionDomainMustBeRoot = "session: option 'domain' must be the domain you wish to protect not a wildcard domain but it is configured as '%s'"
|
|
errFmtSessionSameSite = "session: option 'same_site' must be one of '%s' but is configured as '%s'"
|
|
errFmtSessionSecretRequired = "session: option 'secret' is required when using the '%s' provider"
|
|
errFmtSessionRedisPortRange = "session: redis: option 'port' must be between 1 and 65535 but is configured as '%d'"
|
|
errFmtSessionRedisHostRequired = "session: redis: option 'host' is required"
|
|
errFmtSessionRedisHostOrNodesRequired = "session: redis: option 'host' or the 'high_availability' option 'nodes' is required"
|
|
|
|
errFmtSessionRedisSentinelMissingName = "session: redis: high_availability: option 'sentinel_name' is required"
|
|
errFmtSessionRedisSentinelNodeHostMissing = "session: redis: high_availability: option 'nodes': option 'host' is required for each node but one or more nodes are missing this"
|
|
)
|
|
|
|
// Regulation Error Consts.
|
|
const (
|
|
errFmtRegulationFindTimeGreaterThanBanTime = "regulation: option 'find_time' must be less than or equal to option 'ban_time'"
|
|
)
|
|
|
|
// Server Error constants.
|
|
const (
|
|
errFmtServerTLSCert = "server: tls: option 'key' must also be accompanied by option 'certificate'"
|
|
errFmtServerTLSKey = "server: tls: option 'certificate' must also be accompanied by option 'key'"
|
|
errFmtServerTLSCertFileDoesNotExist = "server: tls: file path %s provided in 'certificate' does not exist"
|
|
errFmtServerTLSKeyFileDoesNotExist = "server: tls: file path %s provided in 'key' does not exist"
|
|
errFmtServerTLSClientAuthCertFileDoesNotExist = "server: tls: client_certificates: certificates: file path %s does not exist"
|
|
errFmtServerTLSClientAuthNoAuth = "server: tls: client authentication cannot be configured if no server certificate and key are provided"
|
|
|
|
errFmtServerPathNoForwardSlashes = "server: option 'path' must not contain any forward slashes"
|
|
errFmtServerPathAlphaNum = "server: option 'path' must only contain alpha numeric characters"
|
|
errFmtServerBufferSize = "server: option '%s_buffer_size' must be above 0 but it is configured as '%d'"
|
|
)
|
|
|
|
const (
|
|
errPasswordPolicyMultipleDefined = "password_policy: only a single password policy mechanism can be specified"
|
|
errFmtPasswordPolicyStandardMinLengthNotGreaterThanZero = "password_policy: standard: option 'min_length' must be greater than 0 but is configured as %d"
|
|
errFmtPasswordPolicyZXCVBNMinScoreInvalid = "password_policy: zxcvbn: option 'min_score' is invalid: must be between 1 and 4 but it's configured as %d"
|
|
)
|
|
|
|
const (
|
|
errFmtDuoMissingOption = "duo_api: option '%s' is required when duo is enabled but it is missing"
|
|
)
|
|
|
|
// Error constants.
|
|
const (
|
|
/*
|
|
errFmtDeprecatedConfigurationKey = "the %s configuration option is deprecated and will be " +
|
|
"removed in %s, please use %s instead"
|
|
|
|
Uncomment for use when deprecating keys.
|
|
|
|
TODO: Create a method from within Koanf to automatically remap deprecated keys and produce warnings.
|
|
TODO (cont): The main consideration is making sure we do not overwrite the destination key name if it already exists.
|
|
*/
|
|
|
|
errFmtReplacedConfigurationKey = "invalid configuration key '%s' was replaced by '%s'"
|
|
|
|
errFmtLoggingLevelInvalid = "log: option 'level' must be one of '%s' but it is configured as '%s'"
|
|
|
|
errFileHashing = "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password"
|
|
errFilePHashing = "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password"
|
|
errFilePOptions = "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password"
|
|
)
|
|
|
|
var validStoragePostgreSQLSSLModes = []string{testModeDisabled, "require", "verify-ca", "verify-full"}
|
|
|
|
var validThemeNames = []string{"light", "dark", "grey", "auto"}
|
|
|
|
var validSessionSameSiteValues = []string{"none", "lax", "strict"}
|
|
|
|
var validLoLevels = []string{"trace", "debug", "info", "warn", "error"}
|
|
|
|
var validWebauthnConveyancePreferences = []string{string(protocol.PreferNoAttestation), string(protocol.PreferIndirectAttestation), string(protocol.PreferDirectAttestation)}
|
|
var validWebauthnUserVerificationRequirement = []string{string(protocol.VerificationDiscouraged), string(protocol.VerificationPreferred), string(protocol.VerificationRequired)}
|
|
|
|
var validRFC7231HTTPMethodVerbs = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"}
|
|
var validRFC4918HTTPMethodVerbs = []string{"COPY", "LOCK", "MKCOL", "MOVE", "PROPFIND", "PROPPATCH", "UNLOCK"}
|
|
|
|
var validACLHTTPMethodVerbs = append(validRFC7231HTTPMethodVerbs, validRFC4918HTTPMethodVerbs...)
|
|
|
|
var validACLRulePolicies = []string{policyBypass, policyOneFactor, policyTwoFactor, policyDeny}
|
|
|
|
var validOIDCScopes = []string{oidc.ScopeOpenID, oidc.ScopeEmail, oidc.ScopeProfile, oidc.ScopeGroups, "offline_access"}
|
|
var validOIDCGrantTypes = []string{"implicit", "refresh_token", "authorization_code", "password", "client_credentials"}
|
|
var validOIDCResponseModes = []string{"form_post", "query", "fragment"}
|
|
var validOIDCUserinfoAlgorithms = []string{"none", "RS256"}
|
|
var validOIDCCORSEndpoints = []string{oidc.AuthorizationEndpoint, oidc.TokenEndpoint, oidc.IntrospectionEndpoint, oidc.RevocationEndpoint, oidc.UserinfoEndpoint}
|
|
|
|
var reKeyReplacer = regexp.MustCompile(`\[\d+]`)
|
|
|
|
// ValidKeys is a list of valid keys that are not secret names. For the sake of consistency please place any secret in
|
|
// the secret names map and reuse it in relevant sections.
|
|
var ValidKeys = []string{
|
|
// Root Keys.
|
|
"certificates_directory",
|
|
"theme",
|
|
"default_redirection_url",
|
|
"jwt_secret",
|
|
|
|
// Log keys.
|
|
"log.level",
|
|
"log.format",
|
|
"log.file_path",
|
|
"log.keep_stdout",
|
|
|
|
// Server Keys.
|
|
"server.host",
|
|
"server.port",
|
|
"server.read_buffer_size",
|
|
"server.write_buffer_size",
|
|
"server.path",
|
|
"server.asset_path",
|
|
"server.enable_pprof",
|
|
"server.enable_expvars",
|
|
"server.disable_healthcheck",
|
|
"server.tls.key",
|
|
"server.tls.certificate",
|
|
"server.headers.csp_template",
|
|
|
|
// TOTP Keys.
|
|
"totp.disable",
|
|
"totp.issuer",
|
|
"totp.algorithm",
|
|
"totp.digits",
|
|
"totp.period",
|
|
"totp.skew",
|
|
"totp.secret_size",
|
|
|
|
// Webauthn Keys.
|
|
"webauthn.disable",
|
|
"webauthn.display_name",
|
|
"webauthn.attestation_conveyance_preference",
|
|
"webauthn.user_verification",
|
|
"webauthn.timeout",
|
|
|
|
// DUO API Keys.
|
|
"duo_api.hostname",
|
|
"duo_api.enable_self_enrollment",
|
|
"duo_api.secret_key",
|
|
"duo_api.integration_key",
|
|
|
|
// Access Control Keys.
|
|
"access_control.default_policy",
|
|
"access_control.networks",
|
|
"access_control.networks[].name",
|
|
"access_control.networks[].networks",
|
|
"access_control.rules",
|
|
"access_control.rules[].domain",
|
|
"access_control.rules[].domain_regex",
|
|
"access_control.rules[].methods",
|
|
"access_control.rules[].networks",
|
|
"access_control.rules[].subject",
|
|
"access_control.rules[].policy",
|
|
"access_control.rules[].resources",
|
|
|
|
// Session Keys.
|
|
"session.name",
|
|
"session.domain",
|
|
"session.secret",
|
|
"session.same_site",
|
|
"session.expiration",
|
|
"session.inactivity",
|
|
"session.remember_me_duration",
|
|
|
|
// Redis Session Keys.
|
|
"session.redis.host",
|
|
"session.redis.port",
|
|
"session.redis.username",
|
|
"session.redis.password",
|
|
"session.redis.database_index",
|
|
"session.redis.maximum_active_connections",
|
|
"session.redis.minimum_idle_connections",
|
|
"session.redis.tls.minimum_version",
|
|
"session.redis.tls.skip_verify",
|
|
"session.redis.tls.server_name",
|
|
"session.redis.high_availability.sentinel_name",
|
|
"session.redis.high_availability.sentinel_username",
|
|
"session.redis.high_availability.sentinel_password",
|
|
"session.redis.high_availability.nodes",
|
|
"session.redis.high_availability.nodes[].host",
|
|
"session.redis.high_availability.nodes[].port",
|
|
"session.redis.high_availability.route_by_latency",
|
|
"session.redis.high_availability.route_randomly",
|
|
|
|
// Storage Keys.
|
|
"storage.encryption_key",
|
|
|
|
// Local Storage Keys.
|
|
"storage.local.path",
|
|
|
|
// MySQL Storage Keys.
|
|
"storage.mysql.host",
|
|
"storage.mysql.port",
|
|
"storage.mysql.database",
|
|
"storage.mysql.username",
|
|
"storage.mysql.password",
|
|
"storage.mysql.timeout",
|
|
|
|
// PostgreSQL Storage Keys.
|
|
"storage.postgres.host",
|
|
"storage.postgres.port",
|
|
"storage.postgres.database",
|
|
"storage.postgres.username",
|
|
"storage.postgres.password",
|
|
"storage.postgres.timeout",
|
|
"storage.postgres.schema",
|
|
"storage.postgres.ssl.mode",
|
|
"storage.postgres.ssl.root_certificate",
|
|
"storage.postgres.ssl.certificate",
|
|
"storage.postgres.ssl.key",
|
|
|
|
"storage.postgres.sslmode", // Deprecated. TODO: Remove in v4.36.0.
|
|
|
|
// FileSystem Notifier Keys.
|
|
"notifier.filesystem.filename",
|
|
"notifier.disable_startup_check",
|
|
|
|
// SMTP Notifier Keys.
|
|
"notifier.smtp.host",
|
|
"notifier.smtp.port",
|
|
"notifier.smtp.timeout",
|
|
"notifier.smtp.username",
|
|
"notifier.smtp.password",
|
|
"notifier.smtp.identifier",
|
|
"notifier.smtp.sender",
|
|
"notifier.smtp.subject",
|
|
"notifier.smtp.startup_check_address",
|
|
"notifier.smtp.disable_require_tls",
|
|
"notifier.smtp.disable_html_emails",
|
|
"notifier.smtp.tls.minimum_version",
|
|
"notifier.smtp.tls.skip_verify",
|
|
"notifier.smtp.tls.server_name",
|
|
"notifier.template_path",
|
|
|
|
// Regulation Keys.
|
|
"regulation.max_retries",
|
|
"regulation.find_time",
|
|
"regulation.ban_time",
|
|
|
|
// Authentication Backend Keys.
|
|
"authentication_backend.disable_reset_password",
|
|
"authentication_backend.password_reset.custom_url",
|
|
"authentication_backend.refresh_interval",
|
|
|
|
// LDAP Authentication Backend Keys.
|
|
"authentication_backend.ldap.implementation",
|
|
"authentication_backend.ldap.url",
|
|
"authentication_backend.ldap.timeout",
|
|
"authentication_backend.ldap.base_dn",
|
|
"authentication_backend.ldap.username_attribute",
|
|
"authentication_backend.ldap.additional_users_dn",
|
|
"authentication_backend.ldap.users_filter",
|
|
"authentication_backend.ldap.additional_groups_dn",
|
|
"authentication_backend.ldap.groups_filter",
|
|
"authentication_backend.ldap.group_name_attribute",
|
|
"authentication_backend.ldap.mail_attribute",
|
|
"authentication_backend.ldap.display_name_attribute",
|
|
"authentication_backend.ldap.user",
|
|
"authentication_backend.ldap.password",
|
|
"authentication_backend.ldap.start_tls",
|
|
"authentication_backend.ldap.tls.minimum_version",
|
|
"authentication_backend.ldap.tls.skip_verify",
|
|
"authentication_backend.ldap.tls.server_name",
|
|
|
|
// File Authentication Backend Keys.
|
|
"authentication_backend.file.path",
|
|
"authentication_backend.file.password.algorithm",
|
|
"authentication_backend.file.password.iterations",
|
|
"authentication_backend.file.password.key_length",
|
|
"authentication_backend.file.password.salt_length",
|
|
"authentication_backend.file.password.memory",
|
|
"authentication_backend.file.password.parallelism",
|
|
|
|
// Identity Provider Keys.
|
|
"identity_providers.oidc.hmac_secret",
|
|
"identity_providers.oidc.issuer_private_key",
|
|
"identity_providers.oidc.id_token_lifespan",
|
|
"identity_providers.oidc.access_token_lifespan",
|
|
"identity_providers.oidc.refresh_token_lifespan",
|
|
"identity_providers.oidc.authorize_code_lifespan",
|
|
"identity_providers.oidc.enforce_pkce",
|
|
"identity_providers.oidc.enable_pkce_plain_challenge",
|
|
"identity_providers.oidc.enable_client_debug_messages",
|
|
"identity_providers.oidc.minimum_parameter_entropy",
|
|
"identity_providers.oidc.cors.endpoints",
|
|
"identity_providers.oidc.cors.allowed_origins",
|
|
"identity_providers.oidc.cors.enable_origins_from_clients",
|
|
"identity_providers.oidc.clients",
|
|
"identity_providers.oidc.clients[].id",
|
|
"identity_providers.oidc.clients[].description",
|
|
"identity_providers.oidc.clients[].secret",
|
|
"identity_providers.oidc.clients[].sector_identifier",
|
|
"identity_providers.oidc.clients[].public",
|
|
"identity_providers.oidc.clients[].redirect_uris",
|
|
"identity_providers.oidc.clients[].authorization_policy",
|
|
"identity_providers.oidc.clients[].pre_configured_consent_duration",
|
|
"identity_providers.oidc.clients[].scopes",
|
|
"identity_providers.oidc.clients[].audience",
|
|
"identity_providers.oidc.clients[].grant_types",
|
|
"identity_providers.oidc.clients[].response_types",
|
|
"identity_providers.oidc.clients[].response_modes",
|
|
"identity_providers.oidc.clients[].userinfo_signing_algorithm",
|
|
|
|
// NTP keys.
|
|
"ntp.address",
|
|
"ntp.version",
|
|
"ntp.max_desync",
|
|
"ntp.disable_startup_check",
|
|
"ntp.disable_failure",
|
|
|
|
// Password Policy keys.
|
|
"password_policy.standard.enabled",
|
|
"password_policy.standard.min_length",
|
|
"password_policy.standard.max_length",
|
|
"password_policy.standard.require_uppercase",
|
|
"password_policy.standard.require_lowercase",
|
|
"password_policy.standard.require_number",
|
|
"password_policy.standard.require_special",
|
|
"password_policy.zxcvbn.enabled",
|
|
"password_policy.zxcvbn.min_score",
|
|
}
|
|
|
|
var replacedKeys = map[string]string{
|
|
"authentication_backend.ldap.skip_verify": "authentication_backend.ldap.tls.skip_verify",
|
|
"authentication_backend.ldap.minimum_tls_version": "authentication_backend.ldap.tls.minimum_version",
|
|
"notifier.smtp.disable_verify_cert": "notifier.smtp.tls.skip_verify",
|
|
"logs_level": "log.level",
|
|
"logs_file_path": "log.file_path",
|
|
"log_level": "log.level",
|
|
"log_file_path": "log.file_path",
|
|
"log_format": "log.format",
|
|
"host": "server.host",
|
|
"port": "server.port",
|
|
"tls_key": "server.tls.key",
|
|
"tls_cert": "server.tls.certificate",
|
|
}
|
|
|
|
var specificErrorKeys = map[string]string{
|
|
"google_analytics": "config key removed: google_analytics - this functionality has been deprecated",
|
|
"notifier.smtp.trusted_cert": "invalid configuration key 'notifier.smtp.trusted_cert' it has been removed, " +
|
|
"option has been replaced by the global option 'certificates_directory'",
|
|
|
|
"authentication_backend.file.password_options.algorithm": errFilePOptions,
|
|
"authentication_backend.file.password_options.iterations": errFilePOptions,
|
|
"authentication_backend.file.password_options.key_length": errFilePOptions,
|
|
"authentication_backend.file.password_options.salt_length": errFilePOptions,
|
|
"authentication_backend.file.password_options.memory": errFilePOptions,
|
|
"authentication_backend.file.password_options.parallelism": errFilePOptions,
|
|
"authentication_backend.file.password_hashing.algorithm": errFilePHashing,
|
|
"authentication_backend.file.password_hashing.iterations": errFilePHashing,
|
|
"authentication_backend.file.password_hashing.key_length": errFilePHashing,
|
|
"authentication_backend.file.password_hashing.salt_length": errFilePHashing,
|
|
"authentication_backend.file.password_hashing.memory": errFilePHashing,
|
|
"authentication_backend.file.password_hashing.parallelism": errFilePHashing,
|
|
"authentication_backend.file.hashing.algorithm": errFileHashing,
|
|
"authentication_backend.file.hashing.iterations": errFileHashing,
|
|
"authentication_backend.file.hashing.key_length": errFileHashing,
|
|
"authentication_backend.file.hashing.salt_length": errFileHashing,
|
|
"authentication_backend.file.hashing.memory": errFileHashing,
|
|
"authentication_backend.file.hashing.parallelism": errFileHashing,
|
|
}
|