mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
347bd1be77
This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
293 lines
14 KiB
Go
293 lines
14 KiB
Go
package configuration
|
|
|
|
import (
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"path/filepath"
|
|
"runtime"
|
|
"sort"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
|
"github.com/authelia/authelia/v4/internal/configuration/validator"
|
|
"github.com/authelia/authelia/v4/internal/utils"
|
|
)
|
|
|
|
func TestShouldErrorSecretNotExist(t *testing.T) {
|
|
testReset()
|
|
|
|
dir, err := ioutil.TempDir("", "authelia-test-secret-not-exist")
|
|
assert.NoError(t, err)
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET_FILE", filepath.Join(dir, "jwt")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"DUO_API_SECRET_KEY_FILE", filepath.Join(dir, "duo")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET_FILE", filepath.Join(dir, "session")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE", filepath.Join(dir, "authentication")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"NOTIFIER_SMTP_PASSWORD_FILE", filepath.Join(dir, "notifier")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_REDIS_PASSWORD_FILE", filepath.Join(dir, "redis")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE", filepath.Join(dir, "redis-sentinel")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD_FILE", filepath.Join(dir, "mysql")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_POSTGRES_PASSWORD_FILE", filepath.Join(dir, "postgres")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"TLS_KEY_FILE", filepath.Join(dir, "tls")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE", filepath.Join(dir, "oidc-key")))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE", filepath.Join(dir, "oidc-hmac")))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, _, err = Load(val, NewEnvironmentSource(DefaultEnvPrefix, DefaultEnvDelimiter), NewSecretsSource(DefaultEnvPrefix, DefaultEnvDelimiter))
|
|
|
|
assert.NoError(t, err)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
|
|
errs := val.Errors()
|
|
require.Len(t, errs, 12)
|
|
|
|
sort.Sort(utils.ErrSliceSortAlphabetical(errs))
|
|
|
|
errFmt := utils.GetExpectedErrTxt("filenotfound")
|
|
|
|
// ignore the errors before this as they are checked by the valdator.
|
|
assert.EqualError(t, errs[0], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "authentication"), "authentication_backend.ldap.password", fmt.Sprintf(errFmt, filepath.Join(dir, "authentication"))))
|
|
assert.EqualError(t, errs[1], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "duo"), "duo_api.secret_key", fmt.Sprintf(errFmt, filepath.Join(dir, "duo"))))
|
|
assert.EqualError(t, errs[2], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "jwt"), "jwt_secret", fmt.Sprintf(errFmt, filepath.Join(dir, "jwt"))))
|
|
assert.EqualError(t, errs[3], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "mysql"), "storage.mysql.password", fmt.Sprintf(errFmt, filepath.Join(dir, "mysql"))))
|
|
assert.EqualError(t, errs[4], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "notifier"), "notifier.smtp.password", fmt.Sprintf(errFmt, filepath.Join(dir, "notifier"))))
|
|
assert.EqualError(t, errs[5], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "oidc-hmac"), "identity_providers.oidc.hmac_secret", fmt.Sprintf(errFmt, filepath.Join(dir, "oidc-hmac"))))
|
|
assert.EqualError(t, errs[6], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "oidc-key"), "identity_providers.oidc.issuer_private_key", fmt.Sprintf(errFmt, filepath.Join(dir, "oidc-key"))))
|
|
assert.EqualError(t, errs[7], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "postgres"), "storage.postgres.password", fmt.Sprintf(errFmt, filepath.Join(dir, "postgres"))))
|
|
assert.EqualError(t, errs[8], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "redis"), "session.redis.password", fmt.Sprintf(errFmt, filepath.Join(dir, "redis"))))
|
|
assert.EqualError(t, errs[9], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "redis-sentinel"), "session.redis.high_availability.sentinel_password", fmt.Sprintf(errFmt, filepath.Join(dir, "redis-sentinel"))))
|
|
assert.EqualError(t, errs[10], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "session"), "session.secret", fmt.Sprintf(errFmt, filepath.Join(dir, "session"))))
|
|
assert.EqualError(t, errs[11], fmt.Sprintf(errFmtSecretIOIssue, filepath.Join(dir, "tls"), "tls_key", fmt.Sprintf(errFmt, filepath.Join(dir, "tls"))))
|
|
}
|
|
|
|
func TestLoadShouldReturnErrWithoutValidator(t *testing.T) {
|
|
_, _, err := Load(nil, NewEnvironmentSource(DefaultEnvPrefix, DefaultEnvDelimiter))
|
|
assert.EqualError(t, err, "no validator provided")
|
|
}
|
|
|
|
func TestLoadShouldReturnErrWithoutSources(t *testing.T) {
|
|
_, _, err := Load(schema.NewStructValidator())
|
|
assert.EqualError(t, err, "no sources provided")
|
|
}
|
|
|
|
func TestShouldHaveNotifier(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD", "abc"))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, config, err := Load(val, NewDefaultSources([]string{"./test_resources/config.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
assert.Len(t, val.Errors(), 0)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
assert.NotNil(t, config.Notifier)
|
|
}
|
|
|
|
func TestShouldValidateConfigurationWithEnv(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD", "abc"))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, _, err := Load(val, NewDefaultSources([]string{"./test_resources/config.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
assert.Len(t, val.Errors(), 0)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
}
|
|
|
|
func TestShouldNotIgnoreInvalidEnvs(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET", "an env session secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD", "an env storage mysql password"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL", "a bad env"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET", "an env jwt secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD", "an env authentication backend ldap password"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_URL", "an env authentication backend ldap password"))
|
|
|
|
val := schema.NewStructValidator()
|
|
keys, _, err := Load(val, NewDefaultSources([]string{"./test_resources/config.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
validator.ValidateKeys(keys, DefaultEnvPrefix, val)
|
|
|
|
require.Len(t, val.Warnings(), 1)
|
|
assert.Len(t, val.Errors(), 0)
|
|
|
|
assert.EqualError(t, val.Warnings()[0], fmt.Sprintf("configuration environment variable not expected: %sSTORAGE_MYSQL", DefaultEnvPrefix))
|
|
}
|
|
|
|
func TestShouldValidateAndRaiseErrorsOnNormalConfigurationAndSecret(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET", "an env session secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET_FILE", "./test_resources/example_secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD", "an env storage mysql password"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET_FILE", "./test_resources/example_secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD", "an env authentication backend ldap password"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_ENCRYPTION_KEY", "a_very_bad_encryption_key"))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, config, err := Load(val, NewDefaultSources([]string{"./test_resources/config.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
require.Len(t, val.Errors(), 1)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
|
|
assert.EqualError(t, val.Errors()[0], "secrets: error loading secret into key 'session.secret': it's already defined in other configuration sources")
|
|
|
|
assert.Equal(t, "example_secret value", config.JWTSecret)
|
|
assert.Equal(t, "example_secret value", config.Session.Secret)
|
|
assert.Equal(t, "an env storage mysql password", config.Storage.MySQL.Password)
|
|
assert.Equal(t, "an env authentication backend ldap password", config.AuthenticationBackend.LDAP.Password)
|
|
assert.Equal(t, "a_very_bad_encryption_key", config.Storage.EncryptionKey)
|
|
}
|
|
|
|
func TestShouldRaiseIOErrOnUnreadableFile(t *testing.T) {
|
|
if runtime.GOOS == constWindows {
|
|
t.Skip("skipping test due to being on windows")
|
|
}
|
|
|
|
testReset()
|
|
|
|
dir, err := ioutil.TempDir("", "authelia-conf")
|
|
assert.NoError(t, err)
|
|
|
|
assert.NoError(t, os.WriteFile(filepath.Join(dir, "myconf.yml"), []byte("server:\n port: 9091\n"), 0000))
|
|
|
|
cfg := filepath.Join(dir, "myconf.yml")
|
|
|
|
val := schema.NewStructValidator()
|
|
_, _, err = Load(val, NewYAMLFileSource(cfg))
|
|
|
|
assert.NoError(t, err)
|
|
require.Len(t, val.Errors(), 1)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
assert.EqualError(t, val.Errors()[0], fmt.Sprintf("failed to load configuration from yaml file(%s) source: open %s: permission denied", cfg, cfg))
|
|
}
|
|
|
|
func TestShouldValidateConfigurationWithEnvSecrets(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET_FILE", "./test_resources/example_secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD_FILE", "./test_resources/example_secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET_FILE", "./test_resources/example_secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE", "./test_resources/example_secret"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_ENCRYPTION_KEY_FILE", "./test_resources/example_secret"))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, config, err := Load(val, NewDefaultSources([]string{"./test_resources/config.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
assert.Len(t, val.Errors(), 0)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
|
|
assert.Equal(t, "example_secret value", config.JWTSecret)
|
|
assert.Equal(t, "example_secret value", config.Session.Secret)
|
|
assert.Equal(t, "example_secret value", config.AuthenticationBackend.LDAP.Password)
|
|
assert.Equal(t, "example_secret value", config.Storage.MySQL.Password)
|
|
assert.Equal(t, "example_secret value", config.Storage.EncryptionKey)
|
|
}
|
|
|
|
func TestShouldValidateAndRaiseErrorsOnBadConfiguration(t *testing.T) {
|
|
testReset()
|
|
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"SESSION_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"STORAGE_MYSQL_PASSWORD", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"JWT_SECRET", "abc"))
|
|
assert.NoError(t, os.Setenv(DefaultEnvPrefix+"AUTHENTICATION_BACKEND_LDAP_PASSWORD", "abc"))
|
|
|
|
val := schema.NewStructValidator()
|
|
keys, _, err := Load(val, NewDefaultSources([]string{"./test_resources/config_bad_keys.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
validator.ValidateKeys(keys, DefaultEnvPrefix, val)
|
|
|
|
require.Len(t, val.Errors(), 2)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
|
|
assert.EqualError(t, val.Errors()[0], "configuration key not expected: loggy_file")
|
|
assert.EqualError(t, val.Errors()[1], "invalid configuration key 'logs_level' was replaced by 'log.level'")
|
|
}
|
|
|
|
func TestShouldNotReadConfigurationOnFSAccessDenied(t *testing.T) {
|
|
if runtime.GOOS == constWindows {
|
|
t.Skip("skipping test due to being on windows")
|
|
}
|
|
|
|
testReset()
|
|
|
|
dir, err := ioutil.TempDir("", "authelia-config")
|
|
assert.NoError(t, err)
|
|
|
|
cfg := filepath.Join(dir, "config.yml")
|
|
assert.NoError(t, testCreateFile(filepath.Join(dir, "config.yml"), "port: 9091\n", 0000))
|
|
|
|
val := schema.NewStructValidator()
|
|
_, _, err = Load(val, NewYAMLFileSource(cfg))
|
|
|
|
assert.NoError(t, err)
|
|
require.Len(t, val.Errors(), 1)
|
|
|
|
assert.EqualError(t, val.Errors()[0], fmt.Sprintf("failed to load configuration from yaml file(%s) source: open %s: permission denied", cfg, cfg))
|
|
}
|
|
|
|
func TestShouldNotLoadDirectoryConfiguration(t *testing.T) {
|
|
testReset()
|
|
|
|
dir, err := ioutil.TempDir("", "authelia-config")
|
|
assert.NoError(t, err)
|
|
|
|
val := schema.NewStructValidator()
|
|
_, _, err = Load(val, NewYAMLFileSource(dir))
|
|
|
|
assert.NoError(t, err)
|
|
require.Len(t, val.Errors(), 1)
|
|
assert.Len(t, val.Warnings(), 0)
|
|
|
|
expectedErr := fmt.Sprintf(utils.GetExpectedErrTxt("yamlisdir"), dir)
|
|
assert.EqualError(t, val.Errors()[0], fmt.Sprintf("failed to load configuration from yaml file(%s) source: %s", dir, expectedErr))
|
|
}
|
|
|
|
func testReset() {
|
|
testUnsetEnvName("STORAGE_MYSQL")
|
|
testUnsetEnvName("JWT_SECRET")
|
|
testUnsetEnvName("DUO_API_SECRET_KEY")
|
|
testUnsetEnvName("SESSION_SECRET")
|
|
testUnsetEnvName("AUTHENTICATION_BACKEND_LDAP_PASSWORD")
|
|
testUnsetEnvName("AUTHENTICATION_BACKEND_LDAP_URL")
|
|
testUnsetEnvName("NOTIFIER_SMTP_PASSWORD")
|
|
testUnsetEnvName("SESSION_REDIS_PASSWORD")
|
|
testUnsetEnvName("SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD")
|
|
testUnsetEnvName("STORAGE_MYSQL_PASSWORD")
|
|
testUnsetEnvName("STORAGE_POSTGRES_PASSWORD")
|
|
testUnsetEnvName("TLS_KEY")
|
|
testUnsetEnvName("PORT")
|
|
testUnsetEnvName("IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY")
|
|
testUnsetEnvName("IDENTITY_PROVIDERS_OIDC_HMAC_SECRET")
|
|
testUnsetEnvName("STORAGE_ENCRYPTION_KEY")
|
|
}
|
|
|
|
func testUnsetEnvName(name string) {
|
|
_ = os.Unsetenv(DefaultEnvPrefix + name)
|
|
_ = os.Unsetenv(DefaultEnvPrefix + name + constSecretSuffix)
|
|
}
|
|
|
|
func testCreateFile(path, value string, perm os.FileMode) (err error) {
|
|
return os.WriteFile(path, []byte(value), perm)
|
|
}
|