hub / github.com/oauth2-proxy/oauth2-proxy / Validate

Function Validate

pkg/validation/options.go:23–104  ·  view source on GitHub ↗

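Validate checks that required options are set and that the options supplied are in the correct format.

The visible part of the function also changes state rather than only reporting problems. It replaces the TLS client configuration on the package-level requests.DefaultTransport: certificate verification is disabled when SSLInsecureSkipVerify is set, otherwise the CA files of the first provider (Providers[0]) are loaded with a TLS 1.2 minimum. It also registers JWT bearer verifiers for any extra issuers and stores the parsed redirect URL on the options.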

(o *options.Options)


21// Validate checks that required options are set and validates those that they
22// are of the correct format
23func Validate(o *options.Options) error {
24 msgs := validateCookie(o.Cookie)
25 msgs = append(msgs, validateSessionCookieMinimal(o)...)
26 msgs = append(msgs, validateRedisSessionStore(o)...)
27 msgs = append(msgs, prefixValues("injectRequestHeaders: ", validateHeaders(o.InjectRequestHeaders)...)...)
28 msgs = append(msgs, prefixValues("injectResponseHeaders: ", validateHeaders(o.InjectResponseHeaders)...)...)
29 msgs = append(msgs, validateProviders(o)...)
30 msgs = append(msgs, validateAPIRoutes(o)...)
31 msgs = configureLogger(o.Logging, msgs)
32 msgs = parseSignatureKey(o, msgs)
33
34 if o.SSLInsecureSkipVerify {
35 transport := requests.DefaultTransport.(*http.Transport)
36 transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec G402 -- InsecureSkipVerify is a configurable option we allow
37 } else if len(o.Providers[0].CAFiles) > 0 {
38 pool, err := util.GetCertPool(o.Providers[0].CAFiles, ptr.Deref(o.Providers[0].UseSystemTrustStore, options.DefaultUseSystemTrustStore))
39 if err == nil {
40 transport := requests.DefaultTransport.(*http.Transport)
41 transport.TLSClientConfig = &tls.Config{
42 RootCAs: pool,
43 MinVersion: tls.VersionTLS12,
44 }
45 } else {
46 msgs = append(msgs, fmt.Sprintf("unable to load provider CA file(s): %v", err))
47 }
48 }
49
50 if o.AuthenticatedEmailsFile == "" && len(o.EmailDomains) == 0 && o.HtpasswdFile == "" {
51 msgs = append(msgs, "missing setting for email validation: email-domain or authenticated-emails-file required."+
52 "\n use email-domain=* to authorize all email addresses")
53 }
54
55 if o.SkipJwtBearerTokens {
56 // Configure extra issuers
57 if len(o.ExtraJwtIssuers) > 0 {
58 var jwtIssuers []jwtIssuer
59 jwtIssuers, msgs = parseJwtIssuers(o.ExtraJwtIssuers, msgs)
60 for _, jwtIssuer := range jwtIssuers {
61 verifier, err := newVerifierFromJwtIssuer(
62 o.Providers[0].OIDCConfig.AudienceClaims,
63 o.Providers[0].OIDCConfig.ExtraAudiences,
64 jwtIssuer,
65 )
66 if err != nil {
67 msgs = append(msgs, fmt.Sprintf("error building verifiers: %s", err))
68 }
69 o.SetJWTBearerVerifiers(append(o.GetJWTBearerVerifiers(), verifier))
70 }
71 }
72 }
73
74 var redirectURL *url.URL
75 redirectURL, msgs = parseURL(o.RawRedirectURL, "redirect", msgs)
76 o.SetRedirectURL(redirectURL)
77 if o.RawRedirectURL == "" && !o.Cookie.Secure && !o.ReverseProxy {
78 logger.Print("WARNING: no explicit redirect URL: redirects will default to insecure HTTP")
79 }
80

Callers 15

main_test.go · File · 0.92
TestRobotsTxt · Function · 0.92
Test_redeemCode · Function · 0.92
Test_enrichSession · Function · 0.92
TestBasicAuthPassword · Function · 0.92
NewPassAccessTokenTest · Function · 0.92
NewSignInPageTest · Function · 0.92
NewProcessCookieTest · Function · 0.92

Calls 15

GetCertPool · Function · 0.92
Deref · Function · 0.92
Print · Function · 0.92
GetRealClientIPParser · Function · 0.92
SetGetClientFunc · Function · 0.92
GetClientString · Function · 0.92
validateCookie · Function · 0.85
prefixValues · Function · 0.85
validateHeaders · Function · 0.85
validateProviders · Function · 0.85