Fix LevelDB yaml unmarshall error and update documentation (cesanta#389)
In order to ensure the project correctly validates authentication
methods in the config file that can use a token db, this commit modifies
the logic to ensure we check if all of the token methods are nil before
outputting an error. Previously, if the local filesystem token db method
was not nil and the other two (redis and google cloud storage) were nil,
we would return an error and the config would be considered invalid.

Additionally, this commit documents the correct LevelDB settings for the
config file. Before the bcrypt hashing cost was added, using `token_db`
with a plain string path was acceptable in the configuration. Since the
setting is now a struct rather than a string, the documentation needs to
be updated accordingly.
endoze authored Jun 6, 2024
1 parent 4922777 commit 82da6e8
Showing 3 changed files with 28 additions and 13 deletions.
12 changes: 6 additions & 6 deletions auth_server/server/config.go
Expand Up @@ -70,7 +70,7 @@ type ServerConfig struct {

publicKey libtrust.PublicKey
privateKey libtrust.PrivateKey
sigAlg string
sigAlg string
}

type LetsEncryptConfig struct {
Expand All @@ -87,7 +87,7 @@ type TokenConfig struct {

publicKey libtrust.PublicKey
privateKey libtrust.PrivateKey
sigAlg string
sigAlg string
}

// TLSCipherSuitesValues maps CipherSuite names as strings to the actual values
Expand Down Expand Up @@ -193,7 +193,7 @@ func validate(c *Config) error {
}
gac.ClientSecret = strings.TrimSpace(string(contents))
}
if gac.ClientId == "" || gac.ClientSecret == "" || (gac.LevelTokenDB != nil && (gac.GCSTokenDB == nil && gac.RedisTokenDB == nil)) {
if gac.ClientId == "" || gac.ClientSecret == "" || (gac.LevelTokenDB == nil && (gac.GCSTokenDB == nil && gac.RedisTokenDB == nil)) {
return errors.New("google_auth.{client_id,client_secret,token_db} are required")
}

Expand All @@ -217,7 +217,7 @@ func validate(c *Config) error {
}
ghac.ClientSecret = strings.TrimSpace(string(contents))
}
if ghac.ClientId == "" || ghac.ClientSecret == "" || (ghac.LevelTokenDB != nil && (ghac.GCSTokenDB == nil && ghac.RedisTokenDB == nil)) {
if ghac.ClientId == "" || ghac.ClientSecret == "" || (ghac.LevelTokenDB == nil && (ghac.GCSTokenDB == nil && ghac.RedisTokenDB == nil)) {
return errors.New("github_auth.{client_id,client_secret,token_db} are required")
}

Expand Down Expand Up @@ -245,7 +245,7 @@ func validate(c *Config) error {
}
oidc.ClientSecret = strings.TrimSpace(string(contents))
}
if oidc.ClientId == "" || oidc.ClientSecret == "" || oidc.Issuer == "" || oidc.RedirectURL == "" || (oidc.LevelTokenDB != nil && (oidc.GCSTokenDB == nil && oidc.RedisTokenDB == nil)) {
if oidc.ClientId == "" || oidc.ClientSecret == "" || oidc.Issuer == "" || oidc.RedirectURL == "" || (oidc.LevelTokenDB == nil && (oidc.GCSTokenDB == nil && oidc.RedisTokenDB == nil)) {
return errors.New("oidc_auth.{issuer,redirect_url,client_id,client_secret,token_db} are required")
}

Expand Down Expand Up @@ -275,7 +275,7 @@ func validate(c *Config) error {
}
glab.ClientSecret = strings.TrimSpace(string(contents))
}
if glab.ClientId == "" || glab.ClientSecret == "" || (glab.LevelTokenDB != nil && (glab.GCSTokenDB == nil && glab.RedisTokenDB == nil)) {
if glab.ClientId == "" || glab.ClientSecret == "" || (glab.LevelTokenDB == nil && (glab.GCSTokenDB == nil && glab.RedisTokenDB == nil)) {
return errors.New("gitlab_auth.{client_id,client_secret,token_db} are required")
}

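Review bot: The error message under the corrected google_auth condition still names `token_db` (`google_auth.{client_id,client_secret,token_db} are required`), although the docs and example config in this same commit replace that key with `level_token_db`, and the condition itself also accepts `gcs_token_db` or `redis_token_db`; an operator who follows the message to repair a config will add a key this version no longer reads. The github_auth, oidc_auth and gitlab_auth messages in the later hunks carry the same stale text. I would change the google_auth line to `return errors.New("google_auth.{client_id,client_secret} and one of {level_token_db,gcs_token_db,redis_token_db} are required")` and mirror that wording in the other three. Separately, the corrected nil-check is repeated four times with only the receiver changed, so a small helper taking the three token-DB config pointers and returning whether at least one is set would keep the four checks from drifting apart again, as they evidently did before this fix. validate begins and ends outside the hunk, and nothing visible here rejects a config that sets more than one token backend, so which one wins in that case is presumably decided elsewhere and worth confirming.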
5 changes: 4 additions & 1 deletion docs/auth-methods.md
Expand Up @@ -13,7 +13,10 @@ github_auth:
organization: "my-org-name"
client_id: "..."
client_secret: "..." # or client_secret_file
token_db: /data/tokens.db
level_token_db:
path: /data/tokens.db
# Optional token hash cost for bcrypt hashing
# token_hash_cost: 5
```

Then specify what teams can do via acls
24 changes: 18 additions & 6 deletions examples/reference.yml
Expand Up @@ -115,7 +115,10 @@ google_auth:
# client_secret: "verysecret"
client_secret_file: "/path/to/client_secret.txt"
# Where to store server tokens. Required.
token_db: "/somewhere/to/put/google_tokens.ldb"
level_token_db:
path: "/somewhere/to/put/google_tokens.ldb"
# Optional token hash cost for bcrypt hashing
# token_hash_cost: 5
# How long to wait when talking to Google servers. Optional.
http_timeout: 10

Expand All @@ -135,8 +138,11 @@ github_auth:
# want to have sensitive information checked in.
# client_secret: "verysecret"
client_secret_file: "/path/to/client_secret.txt"
# Either token_db file for storing of server tokens.
token_db: "/somewhere/to/put/github_tokens.ldb"
# Either level_token_db file for storing of server tokens.
level_token_db:
path: "/somewhere/to/put/github_tokens.ldb"
# Optional token hash cost for bcrypt hashing
# token_hash_cost: 5
# or google cloud storage for storing of the sensitive information,
gcs_token_db:
bucket: "tokenBucket"
Expand Down Expand Up @@ -181,7 +187,10 @@ oidc_auth:
# client_secret_file: "/path/to/client_secret.txt"
#
# a file in which the tokens should be stored. Does not have to exist, it will be generated in this case
token_db: "/path/to/tokens.ldb"
level_token_db:
path: "/path/to/tokens.ldb"
# Optional token hash cost for bcrypt hashing
# token_hash_cost: 5
# --- optional ---
# How long to wait when talking to the OIDC provider.
http_timeout: 10
Expand Down Expand Up @@ -210,8 +219,11 @@ gitlab_auth:
# want to have sensitive information checked in.
# client_secret: "verysecret"
client_secret_file: "/path/to/client_secret.txt"
# Either token_db file for storing of server tokens.
token_db: "/somewhere/to/put/gitlab_tokens.ldb"
# Either level_token_db file for storing of server tokens.
level_token_db:
path: "/somewhere/to/put/gitlab_tokens.ldb"
# Optional token hash cost for bcrypt hashing
# token_hash_cost: 5
# or google cloud storage for storing of the sensitive information,
gcs_token_db:
bucket: "tokenBucket"
