def validate_radius_client_config(config):
"""Validate radius client config by ensuring that
a host ip is provided and valid. A radius secret is given.
Args:
config: ConfigDict
Returns:
ConfigCheckResult with any config problems
"""
problems = []
try:
config.get_protected_str('secret_protected', 'secret')
except ConfigError:
problems.append(MissingConfigKeyProblem('secret / secret_protected'))
try:
addrs = util.get_addr_port_pairs(config)
except ConfigError:
problems.append(MissingConfigKeyProblem('host'))
return ConfigCheckResult(problems)
for host, port in addrs:
valid_ip = ip_util.is_valid_single_ip(host)
if not valid_ip:
problems.append(InvalidConfigKeyProblem('radius_ip', host))
return ConfigCheckResult(problems)
def _log_section_summaries(self, config_results, connectivity_results,
logger, filtering_predicate):
"""
Logs the summaries for each config section that has warnings or errors.
Args:
config_results (dict): map of section name to section result for the config validation
connectivity_results (dict): map of section name to section result for the connectivity validation
logger (Logger): the Twisted logger to write to
filtering_predicate (ILogFilterPredicate): Predicate used to filter
the output to only include warnings and errors
"""
config_sections = list(config_results.keys())
# If the config was validated, remove the cross-config key from the
# set of keys to iterate. This method prints out the results for real
# config sections. Cross-config results are logged in _log_summary_for_results.
if self.validate_config:
config_sections.remove(self.CROSS_CONFIG_KEY)
tested_sections = set().union(config_sections,
connectivity_results.keys())
for section in tested_sections:
# Default to empty successful result objects so we can unconditionally
# call to_log_output on config_result and connectivity_result
config_result = config_results.get(section, ConfigCheckResult([]))
connectivity_result = connectivity_results.get(
section, SkippedSectionResult())
if self._has_summary_to_print(config_result) \
or self._has_summary_to_print(connectivity_result):
header = "Section [{section}]".format(section=section)
section_results = [config_result, connectivity_result]
self._log_section_summary(section_results, logger,
filtering_predicate, header)
def validate_radius_server_config(config):
"""
Check the configuration of a radius_server module:
Make sure required keys are present (ikey, skey or skey_protected, api_host, radius_ip_1, radius_secret_1)
All radius_ip entries are valid IPs.
Args:
config: the ConfigDict for the module
Returns:
ConfigCheckResult with any config problems
"""
problems = []
for required_key in ['ikey', 'api_host']:
if required_key not in config:
problems.append(MissingConfigKeyProblem(required_key))
if not ('skey' in config or 'skey_protected' in config):
problems.append(MissingConfigKeyProblem('skey / skey_protected'))
for radius_ip_key in [x for x in config.keys() if x.lower().startswith('radius_ip')]:
radius_ip_value = config[radius_ip_key]
if not ip_util.is_valid_ip(radius_ip_value):
problems.append(InvalidConfigKeyProblem(radius_ip_key, radius_ip_value))
return ConfigCheckResult(problems)
def check_main(config, toolbox=STANDARD_CONFIG_TOOLBOX):
"""
Validates the [main] section of the auth proxy config.
Args:
config (ConfigDict): The radius server auto config to check
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
ConfigCheckResult containing any configuration errors
"""
problems = check_config_values(config, toolbox)
problems += check_config_dependencies(config)
return ConfigCheckResult(problems)
def check_cloud(config, toolbox=STANDARD_CONFIG_TOOLBOX):
"""
Validates the [cloud] section of the auth proxy config.
Args:
config (ConfigDict): The cloud config to check
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
ConfigCheckResult containing any configuration errors
"""
problems = (check_required_keys(config, toolbox) +
check_optional_keys(config, toolbox) +
check_config_values(config, toolbox))
return ConfigCheckResult(problems)
def check_ad_client(config, toolbox=STANDARD_CONFIG_TOOLBOX):
"""
Validates the [ad_client] section of the auth proxy config.
Args:
config (ConfigDict): The ad_client section config to check
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
ConfigCheckResult containing any configuration errors
"""
problems = check_required_keys(config, toolbox)
problems += check_config_values(config, toolbox)
problems += check_config_dependencies(config, toolbox)
return ConfigCheckResult(problems)
def check_duo_only_client(config, toolbox=STANDARD_CONFIG_TOOLBOX):
"""Validates a [duo_only_client] section of an authproxy config.
It should have no key-value pairs, other than possibly anything
passed down from [main].
Args:
config (ConfigDict): The ad_client section config to check
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
ConfigCheckResult
"""
problems = []
config_test_resolver = base.get_basic_config_resolver(toolbox)
problems += base.check_for_unexpected_keys(config, toolbox, config_test_resolver)
problems += base.run_config_value_checks(config, config_test_resolver)
return ConfigCheckResult(problems)
def check_cross_config(config):
"""
Validates across sections of the auth proxy config.
Args:
config (ConfigDict): The full config
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
ConfigCheckResult containing any configuration errors
"""
problems = (check_http_proxy_cross_config(config) +
check_network_contention(config) +
check_server_client_mapping(config) +
check_port_contention_for_ldap(config) +
check_pass_through_attrs(config) +
check_minimum_tls_version_with_fips_mode(config))
return ConfigCheckResult(problems)
def check_ldap_server_auto(config, toolbox=STANDARD_CONFIG_TOOLBOX):
"""
Validates an [ldap_server_auto] section config
Args:
config (ConfigDict): The section config
toolbox (ConfigTestToolbox): the toolbox of tester methods
Returns:
ConfigCheckResult with all config problems
"""
problems = []
problems += _check_required_keys(config, toolbox)
problems += _check_config_values(config, toolbox)
problems += _check_config_dependencies(config, toolbox)
return ConfigCheckResult(problems)
def check_sso(config, toolbox=STANDARD_CONFIG_TOOLBOX):
"""
Validates the [sso] section of the auth proxy config.
Args:
config (ConfigDict): The cloud config to check
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
ConfigCheckResult containing any configuration errors
"""
problems = (check_required_keys(config, toolbox) +
check_optional_keys(config, toolbox) +
check_config_values(config, toolbox))
if not toolbox.test_secrets_file():
problems.append(
ConfigErrorProblem(
'The authproxy_update_sso_enrollment_code script does not appear to have been run.'
))
return ConfigCheckResult(problems)
def validate_http_proxy_config(config):
"""
Validate an 'http_proxy' configuration, checking that
1) All required values are present (currently only 'api_host' is required)
2) Any IPs provided in 'client_ip' are valid
Args:
config: A ConfigDict for an http_proxy module
Returns:
ConfigCheckResult with any config problems
"""
problems = []
if "api_host" not in config:
problems.append(MissingConfigKeyProblem("api_host"))
for client_ip in util.parse_delimited_set(config.get_str("client_ip", "")):
is_valid = ip_util.is_valid_ip(client_ip)
if not is_valid:
problems.append(InvalidConfigKeyProblem("client_ip", client_ip))
return ConfigCheckResult(problems)
