Add config validation with captcha type & alias checking
pkong-ds committed Jun 18, 2024
1 parent 5ae8e6b commit 59aface
Showing 2 changed files with 57 additions and 1 deletion.
24 changes: 24 additions & 0 deletions pkg/lib/config/secret.go
@@ -201,6 +201,29 @@ func (c *SecretConfig) validateConfidentialClients(ctx *validation.Context, conf
}
}

func (c *SecretConfig) validateCaptchaSecrets(ctx *validation.Context, captchaProviders []*CaptchaProvider) {
c.validateRequire(ctx, CaptchaProvidersCredentialsKey, "captcha provider credentials")
_, data, _ := c.LookupDataWithIndex(CaptchaProvidersCredentialsKey)
captcha, ok := data.(*CaptchaProvidersCredentials)
if ok {
for _, p := range captchaProviders {
matched := false
for index := range captcha.Items {
item := captcha.Items[index]
if p.Alias == item.Alias && string(p.Type) == string(item.Type) {
matched = true
break
}
}
if !matched {
ctx.EmitErrorMessage(fmt.Sprintf("captcha provider credentials (type='%s',alias='%s') is required", p.Type, p.Alias))
} else {
// keys are validated by the jsonschema
}
}
}
}

func (c *SecretConfig) Validate(appConfig *AppConfig) error {
ctx := &validation.Context{}

@@ -232,6 +255,7 @@ func (c *SecretConfig) Validate(appConfig *AppConfig) error {
}
if appConfig.Captcha.Enabled || len(appConfig.Captcha.Providers) > 0 {
c.validateRequire(ctx, CaptchaProvidersCredentialsKey, "captcha key materials")
c.validateCaptchaSecrets(ctx, appConfig.Captcha.Providers)
}

return ctx.Error("invalid secrets")
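Review bot: In validateCaptchaSecrets the alias/type comparison runs only inside `if ok {`, so when the type assertion on `data` fails the function returns without checking any provider, and the third return value of `LookupDataWithIndex` is discarded. A missing secret is still reported by `validateRequire`, but a secret that is present with an unexpected data type would, as far as the visible lines show, pass validation silently; consider reporting that case explicitly, e.g. `if !ok { ctx.EmitErrorMessage("captcha provider credentials has unexpected type"); return }`, taken only when the lookup says the key was found (presumably what the discarded return value indicates). The same key is also required twice, once in Validate on the line before the new call and again at the top of validateCaptchaSecrets, which is why the test data now expects two messages for one missing secret; one of the two calls can be dropped. The empty `else` that holds only `// keys are validated by the jsonschema` reads better as a plain comment after the `if !matched` block. Validate's body extends beyond the visible hunks.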
34 changes: 33 additions & 1 deletion pkg/lib/config/testdata/secret_config_validate_tests.yaml
@@ -270,6 +270,7 @@ error: |-
<root>: OAuth key materials (secret 'oauth') is required
<root>: CSRF key materials (secret 'csrf') is required
<root>: captcha key materials (secret 'captcha.providers') is required
<root>: captcha provider credentials (secret 'captcha.providers') is required
app_config:
id: app
http:
@@ -337,4 +338,35 @@ secret_config:
secrets:
- key: captcha.cloudflare
data:
secret: some secret
secret: some secret
---
name: captcha_secrets/mismatching-secret
error: |-
invalid secrets:
<root>: database credentials (secret 'db') is required
<root>: redis credentials (secret 'redis') is required
<root>: admin API auth key materials (secret 'admin-api.auth') is required
<root>: OAuth key materials (secret 'oauth') is required
<root>: CSRF key materials (secret 'csrf') is required
<root>: captcha provider credentials (type='recaptchav2',alias='recaptchav2-alias-abc') is required
app_config:
id: app
http:
public_origin: "http://test"
captcha:
enabled: true
providers:
- type: recaptchav2
alias: recaptchav2-alias-abc
site_key: blahblahblah
secret_config:
secrets:
- key: captcha.providers
data:
items:
- type: recaptchav2
alias: recaptchav2-alias-xyz # mismatch with above
secret_key: very_secret
- type: cloudflare
alias: recaptchav2-alias-abc # match alias, but mismatch type
secret_key: very_secret
