Ensure TLS-only mode in prod when authn is enabled

Also updated configuration template
3 years ago · 3cbe7c981c
parent 426948f8d5
commit 3cbe7c981c
4 changed files with 22 additions and 2 deletions
--- a/examples/config-files/template.toml
+++ b/examples/config-files/template.toml
@ -11,7 +11,12 @@ host = "127.0.0.1" # The IP address to which you want sdb to bind to
 port = 2003        # The port to which you want sdb to bind to
 noart = false      # Set `noart` to true if you want to disable terminal artwork
 maxcon = 50000     # set the maximum number of clients that the server can accept
-mode = "dev"      # Set this to `prod` when you're running in production and `dev` when in development
+mode = "dev"       # Set this to `prod` when you're running in production and `dev` when in development
+
+# This is an optional key
+[auth]
+# the origin key to be used to claim the root account
+origin_key = "4527387f92a381cbe804593f33991d327d456a97"

 # This key is *OPTIONAL*
 [bgsave]
--- a/server/src/config/definitions.rs
+++ b/server/src/config/definitions.rs
@ -199,6 +199,9 @@ impl PortConfig {
    pub const fn insecure_only(&self) -> bool {
        matches!(self, Self::InsecureOnly { .. })
    }
+    pub const fn secure_only(&self) -> bool {
+        matches!(self, Self::SecureOnly { .. })
+    }
 }

 #[derive(Deserialize, Debug, PartialEq)]
@ -392,6 +395,12 @@ impl AuthSettings {
    pub const fn default() -> Self {
        Self { origin_key: None }
    }
+    #[cfg(test)]
+    pub fn new(origin: AuthkeyWrapper) -> Self {
+        Self {
+            origin_key: Some(origin),
+        }
+    }
 }

 struct AuthSettingsVisitor;
--- a/server/src/config/feedback.rs
+++ b/server/src/config/feedback.rs
@ -247,6 +247,9 @@ pub(super) fn evaluate_prod_settings(cfg: &ConfigurationSet) -> Result<(), Confi
    if cfg.ports.insecure_only() {
        estack.push("Either multi-socket (TCP and TLS) or TLS only must be enabled");
    }
+    if cfg.auth.origin_key.is_some() && !cfg.ports.secure_only() {
+        estack.push("When authn+authz is enabled, TLS-only mode must be enabled");
+    }
    check_rlimit_or_err(cfg.maxcon, &mut estack)?;
    if estack.is_empty() {
        Ok(())
--- a/server/src/config/tests.rs
+++ b/server/src/config/tests.rs
@ -349,6 +349,7 @@ fn get_toml_from_examples_dir(filename: &str) -> TResult<String> {

 mod cfg_file_tests {
    use super::get_toml_from_examples_dir;
+    use crate::config::AuthkeyWrapper;
    use crate::config::{
        cfgfile, AuthSettings, BGSave, Configset, ConfigurationSet, Modeset, PortConfig,
        SnapshotConfig, SnapshotPref, SslOpts, DEFAULT_IPV4, DEFAULT_PORT,
@ -380,6 +381,8 @@ mod cfg_file_tests {
                Some("/path/to/cert/passphrase.txt".to_owned()),
            ),
        );
+        expected.auth.origin_key =
+            Some(AuthkeyWrapper::try_new(crate::TEST_AUTH_ORIGIN_KEY).unwrap());
        // check
        assert_eq!(cfg_from_file.cfg, expected);
    }
@ -451,7 +454,7 @@ mod cfg_file_tests {
                ),
                MAXIMUM_CONNECTION_LIMIT,
                Modeset::Dev,
-                AuthSettings::default(),
+                AuthSettings::new(AuthkeyWrapper::try_new(crate::TEST_AUTH_ORIGIN_KEY).unwrap())
            )
        );
    }