def check_config_values(config, toolbox):
"""
Validates the values for provided config in the [cloud] section
Args:
config (ConfigDict): The config object to check the optional config for
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
list of BaseResult
"""
config_test_resolver = base.get_basic_config_resolver(toolbox)
config_test_resolver.update({
'ikey': toolbox.test_is_ikey,
'skey': toolbox.test_is_skey,
'skey_protected': toolbox.test_is_string,
'api_host': toolbox.test_is_string,
'service_account_username': toolbox.test_is_string,
'service_account_password': toolbox.test_is_string,
'service_account_password_protected': toolbox.test_is_string,
'http_proxy_host': toolbox.test_is_string,
'http_proxy_port': toolbox.test_valid_port,
})
return (
base.run_config_value_checks(config, config_test_resolver) +
base.check_for_unexpected_keys(config, toolbox, config_test_resolver) +
base.check_protected_usage(config, toolbox, ['skey_protected', 'service_account_password_protected'])
)
def check_config_values(config, toolbox):
"""
Validates the values for provided config in the [http_proxy]
section
Args:
config (ConfigDict): The config object to check the optional config for
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
list of ConfigResult
"""
problems = []
config_test_resolver = base.get_basic_config_resolver(toolbox)
# Add http proxy specific keys
config_test_resolver.update({
"api_host": toolbox.test_is_string,
"port": toolbox.test_valid_port,
"client_ip": toolbox.test_ip_range,
"interface": toolbox.test_is_valid_single_ip,
})
problems += base.run_config_value_checks(config, config_test_resolver)
problems += base.check_for_unexpected_keys(config, toolbox,
config_test_resolver)
return problems
def check_config_values(config, toolbox):
config_test_resolver = base.get_basic_config_resolver(toolbox)
config_test_resolver.update({
'rikey': toolbox.test_is_rikey,
'service_account_username': toolbox.test_is_string,
'service_account_password': toolbox.test_is_string,
'service_account_password_protected': toolbox.test_is_string,
'http_proxy_host': toolbox.test_is_string,
'http_proxy_port': toolbox.test_valid_port,
})
return (
base.run_config_value_checks(config, config_test_resolver) +
base.check_for_unexpected_keys(config, toolbox, config_test_resolver) +
base.check_protected_usage(config, toolbox,
['service_account_password_protected']))
def check_duo_only_client(config, toolbox=STANDARD_CONFIG_TOOLBOX):
"""Validates a [duo_only_client] section of an authproxy config.
It should have no key-value pairs, other than possibly anything
passed down from [main].
Args:
config (ConfigDict): The ad_client section config to check
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
ConfigCheckResult
"""
problems = []
config_test_resolver = base.get_basic_config_resolver(toolbox)
problems += base.check_for_unexpected_keys(config, toolbox, config_test_resolver)
problems += base.run_config_value_checks(config, config_test_resolver)
return ConfigCheckResult(problems)
def _check_config_values(config, toolbox):
config_value_tests = base.get_basic_config_resolver(toolbox)
config_value_tests.update({
'ikey': toolbox.test_is_ikey,
'skey': toolbox.test_is_skey,
'skey_protected': toolbox.test_is_string,
'api_host': toolbox.test_is_string,
'api_timeout': toolbox.test_is_positive_int,
'client': toolbox.test_is_string,
'factors': functools.partial(toolbox.test_valid_permutation,
enum=['auto', 'push', 'phone', 'passcode'], separator=',', repeats=False),
'failmode': functools.partial(toolbox.test_valid_enum,
enum=['safe', 'secure'], transform=str.lower),
'port': toolbox.test_valid_port,
'interface': toolbox.test_is_valid_single_ip,
'ssl_port': toolbox.test_valid_port,
'ssl_key_path': toolbox.test_file_readable,
'ssl_cert_path': toolbox.test_file_readable,
'exempt_primary_bind': toolbox.test_is_bool,
'delimiter': toolbox.test_is_string,
'allow_concat': toolbox.test_is_bool,
'allow_searches_after_bind': toolbox.test_is_bool,
'allow_unlimited_binds': toolbox.test_is_bool,
'minimum_tls_version': toolbox.test_is_tls_version,
'cipher_list': toolbox.test_is_cipher_list,
'network_timeout': toolbox.test_is_positive_int,
'idle_timeout': toolbox.test_is_positive_int,
'api_port': toolbox.test_valid_port,
'http_proxy_host': toolbox.test_is_string,
'http_proxy_port': toolbox.test_valid_port,
'delimited_password_length': toolbox.test_is_positive_int,
})
dynamic_key_tests = {
'exempt_ou': toolbox.test_dn,
}
base.add_dynamic_keys_to_test_resolver(config, config_value_tests, dynamic_key_tests)
problems = base.run_config_value_checks(config, config_value_tests)
problems += base.check_for_unexpected_keys(config, toolbox, config_value_tests)
problems += base.check_protected_usage(config, toolbox, ['skey_protected'])
return problems
def check_config_values(config, toolbox):
""" Validates the values for provided config in the [radius_client] section
Args:
config (ConfigDict): The config object to check the optional config for
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
list of BaseResult
"""
problems = []
config_test_resolver = base.get_basic_config_resolver(toolbox)
config_test_resolver.update({
"secret": toolbox.test_is_string,
"secret_protected": toolbox.test_is_string,
"retries": toolbox.test_is_positive_int,
"retry_wait": toolbox.test_is_positive_int,
"nas_ip": toolbox.test_is_valid_single_ip,
"pass_through_attr_names": toolbox.test_is_string,
"pass_through_all": toolbox.test_is_bool,
"pw_codec": toolbox.test_is_codec,
})
dynamic_test_resolver = {
"host": toolbox.test_is_valid_single_ip,
"port": toolbox.test_valid_port,
}
base.add_dynamic_keys_to_test_resolver(config, config_test_resolver,
dynamic_test_resolver)
problems += base.run_config_value_checks(config, config_test_resolver)
problems += base.check_for_unexpected_keys(config, toolbox,
config_test_resolver)
possible_protected_keys = ["secret_protected"]
problems += base.check_protected_usage(config, toolbox,
possible_protected_keys)
return problems
def check_config_values(config, toolbox):
"""
Validates the values for provided config in the [ad_client] section
Args:
config (ConfigDict): The config object to check the optional config for
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
list of BaseResult
"""
problems = []
config_test_resolver = base.get_basic_config_resolver(toolbox)
config_dict = {
"service_account_username":
toolbox.test_is_string,
"service_account_password":
toolbox.test_is_string,
"service_account_password_protected":
toolbox.test_is_string,
"search_dn":
toolbox.test_dn,
"security_group_dn":
toolbox.test_dn,
"ldap_filter":
toolbox.test_ldap_filter,
"timeout":
toolbox.test_is_int,
"ssl_ca_certs_file":
toolbox.test_file_readable,
"ssl_verify_hostname":
toolbox.test_is_bool,
"bind_dn":
toolbox.test_dn,
"ntlm_domain":
toolbox.test_is_string,
"ntlm_workstation":
toolbox.test_is_string,
"port":
toolbox.test_valid_port,
"transport":
functools.partial(toolbox.test_valid_enum,
enum=const.AD_TRANSPORTS,
transform=str.lower),
"username_attribute":
toolbox.test_is_string,
"at_attribute":
toolbox.test_is_string,
}
if util.is_windows_os():
config_dict["auth_type"] = functools.partial(
toolbox.test_valid_enum,
enum=const.AD_AUTH_TYPES_WIN,
transform=str.lower)
config_test_resolver.update(config_dict)
else:
config_dict["auth_type"] = functools.partial(
toolbox.test_valid_enum,
enum=const.AD_AUTH_TYPES_NIX,
transform=str.lower)
config_test_resolver.update(config_dict)
dynamic_test_resolver = {
"host": toolbox.test_is_string,
}
base.add_dynamic_keys_to_test_resolver(config, config_test_resolver,
dynamic_test_resolver)
problems += base.run_config_value_checks(config, config_test_resolver)
problems += base.check_for_unexpected_keys(config, toolbox,
config_test_resolver)
possible_protected_keys = ["service_account_password_protected"]
problems += base.check_protected_usage(config, toolbox,
possible_protected_keys)
return problems
def check_config_values(config, toolbox):
"""
Validates the values for provided config in the [ad_client] section
Args:
config (ConfigDict): The config object to check the optional config for
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
list of BaseResult
"""
problems = []
config_test_resolver = base.get_basic_config_resolver(toolbox)
config_test_resolver.update({
'service_account_username':
toolbox.test_is_string,
'service_account_password':
toolbox.test_is_string,
'service_account_password_protected':
toolbox.test_is_string,
'search_dn':
toolbox.test_dn,
'security_group_dn':
toolbox.test_dn,
'ldap_filter':
toolbox.test_ldap_filter,
'timeout':
toolbox.test_is_int,
'ssl_ca_certs_file':
toolbox.test_file_readable,
'ssl_verify_hostname':
toolbox.test_is_bool,
'bind_dn':
toolbox.test_dn,
'ntlm_domain':
toolbox.test_is_string,
'ntlm_workstation':
toolbox.test_is_string,
'port':
toolbox.test_valid_port,
'transport':
functools.partial(toolbox.test_valid_enum,
enum=const.AD_TRANSPORTS,
transform=str.lower),
'auth_type':
functools.partial(toolbox.test_valid_enum,
enum=const.AD_AUTH_TYPES,
transform=str.lower),
'username_attribute':
toolbox.test_is_string,
'at_attribute':
toolbox.test_is_string,
'domain_discovery':
toolbox.test_is_bool,
})
dynamic_test_resolver = {
'host': toolbox.test_is_string,
}
base.add_dynamic_keys_to_test_resolver(config, config_test_resolver,
dynamic_test_resolver)
problems += base.run_config_value_checks(config, config_test_resolver)
problems += base.check_for_unexpected_keys(config, toolbox,
config_test_resolver)
possible_protected_keys = ['service_account_password_protected']
problems += base.check_protected_usage(config, toolbox,
possible_protected_keys)
return problems
def check_config_values(config, toolbox):
"""
Validates the values for provided config in the [radius_server_eap]
section
Args:
config (ConfigDict): The config object to check the optional config for
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
list of ConfigResult
"""
problems = []
config_test_resolver = base.get_basic_config_resolver(toolbox)
# Add radius server eap specific keys
config_test_resolver.update({
'ikey':
toolbox.test_is_ikey,
'skey':
toolbox.test_is_skey,
'skey_protected':
toolbox.test_is_string,
'api_host':
toolbox.test_is_string,
'client':
toolbox.test_is_string,
'certs':
toolbox.test_file_readable,
'pkey':
toolbox.test_file_readable,
'port':
toolbox.test_valid_port,
'interface':
toolbox.test_is_valid_single_ip,
'factors':
functools.partial(toolbox.test_valid_permutation,
enum=['auto', 'push', 'phone', 'passcode'],
separator=',',
repeats=False),
'failmode':
functools.partial(toolbox.test_valid_enum,
enum=['safe', 'secure'],
transform=str.lower),
'minimum_tls_version':
toolbox.test_is_tls_version,
'cipher_list':
toolbox.test_is_cipher_list,
'prompt':
toolbox.test_is_string,
'allow_concat':
toolbox.test_is_bool,
'delimiter':
toolbox.test_is_string,
'delimited_password_length':
toolbox.test_is_positive_int,
'pass_through_attr_names':
toolbox.test_is_string,
'pw_codec':
toolbox.test_is_codec,
'client_ip_attr':
toolbox.test_is_string,
'http_proxy_host':
toolbox.test_is_string,
'http_proxy_port':
toolbox.test_valid_port,
'pass_through_all':
toolbox.test_is_bool,
})
dynamic_test_resolver = {
'radius_ip': toolbox.test_is_valid_ip,
'radius_secret': toolbox.test_is_string,
'radius_secret_protected': toolbox.test_is_string,
}
base.add_dynamic_keys_to_test_resolver(config, config_test_resolver,
dynamic_test_resolver)
problems += base.run_config_value_checks(config, config_test_resolver)
problems += base.check_for_unexpected_keys(config, toolbox,
config_test_resolver)
problems += base.check_basic_radius_server_protected_usage(config, toolbox)
return problems
def _check_config_values(config, toolbox):
config_value_tests = base.get_basic_config_resolver(toolbox)
config_value_tests.update({
"ikey":
toolbox.test_is_ikey,
"skey":
toolbox.test_is_skey,
"skey_protected":
toolbox.test_is_string,
"api_host":
toolbox.test_is_string,
"api_timeout":
toolbox.test_is_positive_int,
"client":
toolbox.test_is_string,
"factors":
functools.partial(
toolbox.test_valid_permutation,
enum=["auto", "push", "phone", "passcode"],
separator=",",
repeats=False,
),
"failmode":
functools.partial(toolbox.test_valid_enum,
enum=["safe", "secure"],
transform=str.lower),
"port":
toolbox.test_valid_port,
"interface":
toolbox.test_is_valid_single_ip,
"ssl_port":
toolbox.test_valid_port,
"ssl_key_path":
toolbox.test_file_readable,
"ssl_cert_path":
toolbox.test_file_readable,
"exempt_primary_bind":
toolbox.test_is_bool,
"delimiter":
toolbox.test_is_string,
"allow_concat":
toolbox.test_is_bool,
"allow_searches_after_bind":
toolbox.test_is_bool,
"allow_unlimited_binds":
toolbox.test_is_bool,
"minimum_tls_version":
toolbox.test_is_tls_version,
"cipher_list":
toolbox.test_is_cipher_list,
"network_timeout":
toolbox.test_is_positive_int,
"idle_timeout":
toolbox.test_is_positive_int,
"api_port":
toolbox.test_valid_port,
"http_proxy_host":
toolbox.test_is_string,
"http_proxy_port":
toolbox.test_valid_port,
"delimited_password_length":
toolbox.test_is_positive_int,
})
dynamic_key_tests = {
"exempt_ou": toolbox.test_dn,
}
base.add_dynamic_keys_to_test_resolver(config, config_value_tests,
dynamic_key_tests)
problems = base.run_config_value_checks(config, config_value_tests)
problems += base.check_for_unexpected_keys(config, toolbox,
config_value_tests)
problems += base.check_protected_usage(config, toolbox, ["skey_protected"])
return problems