def validate_radius_client_config(config): """Validate radius client config by ensuring that a host ip is provided and valid. A radius secret is given. Args: config: ConfigDict Returns: ConfigCheckResult with any config problems """ problems = [] try: config.get_protected_str('secret_protected', 'secret') except ConfigError: problems.append(MissingConfigKeyProblem('secret / secret_protected')) try: addrs = util.get_addr_port_pairs(config) except ConfigError: problems.append(MissingConfigKeyProblem('host')) return ConfigCheckResult(problems) for host, port in addrs: valid_ip = ip_util.is_valid_single_ip(host) if not valid_ip: problems.append(InvalidConfigKeyProblem('radius_ip', host)) return ConfigCheckResult(problems)
def _log_section_summaries(self, config_results, connectivity_results, logger, filtering_predicate): """ Logs the summaries for each config section that has warnings or errors. Args: config_results (dict): map of section name to section result for the config validation connectivity_results (dict): map of section name to section result for the connectivity validation logger (Logger): the Twisted logger to write to filtering_predicate (ILogFilterPredicate): Predicate used to filter the output to only include warnings and errors """ config_sections = list(config_results.keys()) # If the config was validated, remove the cross-config key from the # set of keys to iterate. This method prints out the results for real # config sections. Cross-config results are logged in _log_summary_for_results. if self.validate_config: config_sections.remove(self.CROSS_CONFIG_KEY) tested_sections = set().union(config_sections, connectivity_results.keys()) for section in tested_sections: # Default to empty successful result objects so we can unconditionally # call to_log_output on config_result and connectivity_result config_result = config_results.get(section, ConfigCheckResult([])) connectivity_result = connectivity_results.get( section, SkippedSectionResult()) if self._has_summary_to_print(config_result) \ or self._has_summary_to_print(connectivity_result): header = "Section [{section}]".format(section=section) section_results = [config_result, connectivity_result] self._log_section_summary(section_results, logger, filtering_predicate, header)
def validate_radius_server_config(config): """ Check the configuration of a radius_server module: Make sure required keys are present (ikey, skey or skey_protected, api_host, radius_ip_1, radius_secret_1) All radius_ip entries are valid IPs. Args: config: the ConfigDict for the module Returns: ConfigCheckResult with any config problems """ problems = [] for required_key in ['ikey', 'api_host']: if required_key not in config: problems.append(MissingConfigKeyProblem(required_key)) if not ('skey' in config or 'skey_protected' in config): problems.append(MissingConfigKeyProblem('skey / skey_protected')) for radius_ip_key in [x for x in config.keys() if x.lower().startswith('radius_ip')]: radius_ip_value = config[radius_ip_key] if not ip_util.is_valid_ip(radius_ip_value): problems.append(InvalidConfigKeyProblem(radius_ip_key, radius_ip_value)) return ConfigCheckResult(problems)
def check_main(config, toolbox=STANDARD_CONFIG_TOOLBOX): """ Validates the [main] section of the auth proxy config. Args: config (ConfigDict): The radius server auto config to check toolbox (ConfigTestToolbox): Toolbox used to execute the tests Returns: ConfigCheckResult containing any configuration errors """ problems = check_config_values(config, toolbox) problems += check_config_dependencies(config) return ConfigCheckResult(problems)
def check_cloud(config, toolbox=STANDARD_CONFIG_TOOLBOX): """ Validates the [cloud] section of the auth proxy config. Args: config (ConfigDict): The cloud config to check toolbox (ConfigTestToolbox): Toolbox used to execute the tests Returns: ConfigCheckResult containing any configuration errors """ problems = (check_required_keys(config, toolbox) + check_optional_keys(config, toolbox) + check_config_values(config, toolbox)) return ConfigCheckResult(problems)
def check_ad_client(config, toolbox=STANDARD_CONFIG_TOOLBOX): """ Validates the [ad_client] section of the auth proxy config. Args: config (ConfigDict): The ad_client section config to check toolbox (ConfigTestToolbox): Toolbox used to execute the tests Returns: ConfigCheckResult containing any configuration errors """ problems = check_required_keys(config, toolbox) problems += check_config_values(config, toolbox) problems += check_config_dependencies(config, toolbox) return ConfigCheckResult(problems)
def check_duo_only_client(config, toolbox=STANDARD_CONFIG_TOOLBOX): """Validates a [duo_only_client] section of an authproxy config. It should have no key-value pairs, other than possibly anything passed down from [main]. Args: config (ConfigDict): The ad_client section config to check toolbox (ConfigTestToolbox): Toolbox used to execute the tests Returns: ConfigCheckResult """ problems = [] config_test_resolver = base.get_basic_config_resolver(toolbox) problems += base.check_for_unexpected_keys(config, toolbox, config_test_resolver) problems += base.run_config_value_checks(config, config_test_resolver) return ConfigCheckResult(problems)
def check_cross_config(config): """ Validates across sections of the auth proxy config. Args: config (ConfigDict): The full config toolbox (ConfigTestToolbox): Toolbox used to execute the tests Returns: ConfigCheckResult containing any configuration errors """ problems = (check_http_proxy_cross_config(config) + check_network_contention(config) + check_server_client_mapping(config) + check_port_contention_for_ldap(config) + check_pass_through_attrs(config) + check_minimum_tls_version_with_fips_mode(config)) return ConfigCheckResult(problems)
def check_ldap_server_auto(config, toolbox=STANDARD_CONFIG_TOOLBOX): """ Validates an [ldap_server_auto] section config Args: config (ConfigDict): The section config toolbox (ConfigTestToolbox): the toolbox of tester methods Returns: ConfigCheckResult with all config problems """ problems = [] problems += _check_required_keys(config, toolbox) problems += _check_config_values(config, toolbox) problems += _check_config_dependencies(config, toolbox) return ConfigCheckResult(problems)
def check_sso(config, toolbox=STANDARD_CONFIG_TOOLBOX): """ Validates the [sso] section of the auth proxy config. Args: config (ConfigDict): The cloud config to check toolbox (ConfigTestToolbox): Toolbox used to execute the tests Returns: ConfigCheckResult containing any configuration errors """ problems = (check_required_keys(config, toolbox) + check_optional_keys(config, toolbox) + check_config_values(config, toolbox)) if not toolbox.test_secrets_file(): problems.append( ConfigErrorProblem( 'The authproxy_update_sso_enrollment_code script does not appear to have been run.' )) return ConfigCheckResult(problems)
def validate_http_proxy_config(config): """ Validate an 'http_proxy' configuration, checking that 1) All required values are present (currently only 'api_host' is required) 2) Any IPs provided in 'client_ip' are valid Args: config: A ConfigDict for an http_proxy module Returns: ConfigCheckResult with any config problems """ problems = [] if "api_host" not in config: problems.append(MissingConfigKeyProblem("api_host")) for client_ip in util.parse_delimited_set(config.get_str("client_ip", "")): is_valid = ip_util.is_valid_ip(client_ip) if not is_valid: problems.append(InvalidConfigKeyProblem("client_ip", client_ip)) return ConfigCheckResult(problems)