// Copyright 2021 Zenauth Ltd.
// SPDX-License-Identifier: Apache-2.0
package server
import (
"encoding/base64"
"errors"
"fmt"
"time"
"go.uber.org/multierr"
"github.com/cerbos/cerbos/internal/util"
)
const (
	// confKey is the value returned by Conf.Key; presumably the name of the
	// configuration section this struct is loaded from.
	confKey = "server"
	// defaultHTTPListenAddr and defaultGRPCListenAddr are applied unconditionally
	// by SetDefaults.
	defaultHTTPListenAddr = ":3592"
	defaultGRPCListenAddr = ":3593"
	// defaultAdminUsername is the built-in admin username installed by SetDefaults
	// when no credentials are configured; isUnsafe reports true for a config that
	// still uses it.
	defaultAdminUsername = "cerbos"
	// defaultRawAdminPasswordHash is the built-in bcrypt hash ("$2y$10$" marks a
	// bcrypt hash with cost 10). It is part of the source and therefore public, so
	// a deployment that keeps it is flagged by isUnsafe.
	defaultRawAdminPasswordHash = "$2y$10$VlPwcwpgcGZ5KjTaN1Pzk.vpFiQVG6F2cSWzQa9RtrNo3IacbzsEi" //nolint:gosec
)
var (
	// defaultAdminPasswordHash is defaultRawAdminPasswordHash in the base64 form
	// that AdminCredentialsConf.PasswordHash carries, so it can be compared against
	// and decoded from the configured value directly.
	defaultAdminPasswordHash = base64.StdEncoding.EncodeToString([]byte(defaultRawAdminPasswordHash))
	// errAdminCredsUndefined is returned by usernameAndPasswordHash when the
	// credentials block is nil.
	errAdminCredsUndefined = errors.New("admin credentials not defined")
)
// Conf holds configuration pertaining to the server.
type Conf struct {
	// HTTPListenAddr is the dedicated HTTP address. Validate checks it with util.ParseListenAddress.
	HTTPListenAddr string `yaml:"httpListenAddr"`
	// GRPCListenAddr is the dedicated GRPC address. Validate checks it with util.ParseListenAddress.
	GRPCListenAddr string `yaml:"grpcListenAddr"`
	// TLS defines the TLS configuration for the server.
	// NOTE(review): nil presumably means the listeners run without TLS — confirm where the listener is built.
	TLS *TLSConf `yaml:"tls"`
	// CORS defines the CORS configuration for the server.
	CORS CORSConf `yaml:"cors"`
	// MetricsEnabled defines whether the metrics endpoint is enabled. SetDefaults sets it to true.
	MetricsEnabled bool `yaml:"metricsEnabled"`
	// LogRequestPayloads defines whether the request payloads should be logged.
	// Payloads may contain sensitive data; keep this off unless the logs are handled accordingly.
	LogRequestPayloads bool `yaml:"logRequestPayloads"`
	// PlaygroundEnabled defines whether the playground API is enabled.
	PlaygroundEnabled bool `yaml:"playgroundEnabled"`
	// AdminAPI defines the admin API configuration.
	AdminAPI AdminAPIConf `yaml:"adminAPI"`
}
// TLSConf holds TLS configuration. Validate does not check these paths; any
// error surfaces wherever the files are loaded.
type TLSConf struct {
	// Cert is the path to the TLS certificate file.
	Cert string `yaml:"cert"`
	// Key is the path to the TLS private key file.
	Key string `yaml:"key"`
	// CACert is the path to the optional CA certificate for verifying client requests.
	CACert string `yaml:"caCert"`
}
// CORSConf holds CORS configuration.
type CORSConf struct {
	// Disabled sets whether CORS is disabled.
	Disabled bool `yaml:"disabled"`
	// AllowedOrigins is the contents of the allowed-origins header.
	AllowedOrigins []string `yaml:"allowedOrigins"`
	// AllowedHeaders is the contents of the allowed-headers header.
	AllowedHeaders []string `yaml:"allowedHeaders"`
	// MaxAge is the max age of the CORS preflight check.
	MaxAge time.Duration `yaml:"maxAge"`
}
// AdminAPIConf holds the admin API configuration.
type AdminAPIConf struct {
	// Enabled defines whether the admin API is enabled.
	Enabled bool `yaml:"enabled"`
	// AdminCredentials defines the admin user credentials. When nil, SetDefaults
	// installs the built-in default credentials, which isUnsafe flags.
	AdminCredentials *AdminCredentialsConf `yaml:"adminCredentials"`
}
// AdminCredentialsConf holds the static credentials accepted by the admin API.
type AdminCredentialsConf struct {
	// Username is the hardcoded username to use for authentication.
	Username string `yaml:"username"`
	// PasswordHash is the base64-encoded bcrypt hash of the password to use for authentication.
	// usernameAndPasswordHash base64-decodes it; the bcrypt format itself is not checked here.
	PasswordHash string `yaml:"passwordHash"`
}
// isUnsafe reports whether the credentials still use the built-in default
// username or the built-in default password hash. Either match is enough.
// A nil receiver yields false: there are no credentials to compare.
func (a *AdminCredentialsConf) isUnsafe() bool {
	if a == nil {
		return false
	}
	switch {
	case a.Username == defaultAdminUsername:
		return true
	case a.PasswordHash == defaultAdminPasswordHash:
		return true
	default:
		return false
	}
}
// usernameAndPasswordHash returns the configured username together with the
// base64-decoded PasswordHash bytes (documented as a bcrypt hash; the format
// is not verified here). It returns errAdminCredsUndefined for a nil receiver
// and wraps any base64 decoding error.
func (a *AdminCredentialsConf) usernameAndPasswordHash() (string, []byte, error) {
	if a == nil {
		return "", nil, errAdminCredsUndefined
	}

	decoded, decodeErr := base64.StdEncoding.DecodeString(a.PasswordHash)
	if decodeErr != nil {
		return "", nil, fmt.Errorf("failed to base64 decode admin passwordHash: %w", decodeErr)
	}

	return a.Username, decoded, nil
}
// Key returns confKey, the identifier under which this configuration is registered.
func (c *Conf) Key() (key string) {
	key = confKey
	return key
}
// SetDefaults fills in the built-in defaults. The listen addresses and
// MetricsEnabled are overwritten unconditionally; AdminCredentials is only
// populated when it is nil, with the well-known default username and password
// hash that isUnsafe reports on.
func (c *Conf) SetDefaults() {
	c.HTTPListenAddr, c.GRPCListenAddr = defaultHTTPListenAddr, defaultGRPCListenAddr
	c.MetricsEnabled = true

	if c.AdminAPI.AdminCredentials != nil {
		return
	}

	defaults := &AdminCredentialsConf{
		Username:     defaultAdminUsername,
		PasswordHash: defaultAdminPasswordHash,
	}
	c.AdminAPI.AdminCredentials = defaults
}
// Validate checks that both listen addresses parse with util.ParseListenAddress
// and returns the accumulated errors (nil when both are valid). TLS, CORS and
// admin credential settings are not inspected here.
func (c *Conf) Validate() (errs error) {
	_, _, httpErr := util.ParseListenAddress(c.HTTPListenAddr)
	if httpErr != nil {
		errs = multierr.Append(errs, fmt.Errorf("invalid httpListenAddr '%s': %w", c.HTTPListenAddr, httpErr))
	}

	_, _, grpcErr := util.ParseListenAddress(c.GRPCListenAddr)
	if grpcErr != nil {
		errs = multierr.Append(errs, fmt.Errorf("invalid grpcListenAddr '%s': %w", c.GRPCListenAddr, grpcErr))
	}

	return errs
}