Validate checks that required options are set and that those provided are of the correct format
(o *options.Options)
| 21 | // Validate checks that required options are set and validates those that they |
| 22 | // are of the correct format |
| 23 | func Validate(o *options.Options) error { |
| 24 | msgs := validateCookie(o.Cookie) |
| 25 | msgs = append(msgs, validateSessionCookieMinimal(o)...) |
| 26 | msgs = append(msgs, validateRedisSessionStore(o)...) |
| 27 | msgs = append(msgs, prefixValues("injectRequestHeaders: ", validateHeaders(o.InjectRequestHeaders)...)...) |
| 28 | msgs = append(msgs, prefixValues("injectResponseHeaders: ", validateHeaders(o.InjectResponseHeaders)...)...) |
| 29 | msgs = append(msgs, validateProviders(o)...) |
| 30 | msgs = append(msgs, validateAPIRoutes(o)...) |
| 31 | msgs = configureLogger(o.Logging, msgs) |
| 32 | msgs = parseSignatureKey(o, msgs) |
| 33 | |
| 34 | if o.SSLInsecureSkipVerify { |
| 35 | transport := requests.DefaultTransport.(*http.Transport) |
| 36 | transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec G402 -- InsecureSkipVerify is a configurable option we allow |
| 37 | } else if len(o.Providers[0].CAFiles) > 0 { |
| 38 | pool, err := util.GetCertPool(o.Providers[0].CAFiles, ptr.Deref(o.Providers[0].UseSystemTrustStore, options.DefaultUseSystemTrustStore)) |
| 39 | if err == nil { |
| 40 | transport := requests.DefaultTransport.(*http.Transport) |
| 41 | transport.TLSClientConfig = &tls.Config{ |
| 42 | RootCAs: pool, |
| 43 | MinVersion: tls.VersionTLS12, |
| 44 | } |
| 45 | } else { |
| 46 | msgs = append(msgs, fmt.Sprintf("unable to load provider CA file(s): %v", err)) |
| 47 | } |
| 48 | } |
| 49 | |
| 50 | if o.AuthenticatedEmailsFile == "" && len(o.EmailDomains) == 0 && o.HtpasswdFile == "" { |
| 51 | msgs = append(msgs, "missing setting for email validation: email-domain or authenticated-emails-file required."+ |
| 52 | "\n use email-domain=* to authorize all email addresses") |
| 53 | } |
| 54 | |
| 55 | if o.SkipJwtBearerTokens { |
| 56 | // Configure extra issuers |
| 57 | if len(o.ExtraJwtIssuers) > 0 { |
| 58 | var jwtIssuers []jwtIssuer |
| 59 | jwtIssuers, msgs = parseJwtIssuers(o.ExtraJwtIssuers, msgs) |
| 60 | for _, jwtIssuer := range jwtIssuers { |
| 61 | verifier, err := newVerifierFromJwtIssuer( |
| 62 | o.Providers[0].OIDCConfig.AudienceClaims, |
| 63 | o.Providers[0].OIDCConfig.ExtraAudiences, |
| 64 | jwtIssuer, |
| 65 | ) |
| 66 | if err != nil { |
| 67 | msgs = append(msgs, fmt.Sprintf("error building verifiers: %s", err)) |
| 68 | } |
| 69 | o.SetJWTBearerVerifiers(append(o.GetJWTBearerVerifiers(), verifier)) |
| 70 | } |
| 71 | } |
| 72 | } |
| 73 | |
| 74 | var redirectURL *url.URL |
| 75 | redirectURL, msgs = parseURL(o.RawRedirectURL, "redirect", msgs) |
| 76 | o.SetRedirectURL(redirectURL) |
| 77 | if o.RawRedirectURL == "" && !o.Cookie.Secure && !o.ReverseProxy { |
| 78 | logger.Print("WARNING: no explicit redirect URL: redirects will default to insecure HTTP") |
| 79 | } |
| 80 |