diff --git a/examples/config-files/template.toml b/examples/config-files/template.toml index 0da1f975..bc21d894 100644 --- a/examples/config-files/template.toml +++ b/examples/config-files/template.toml @@ -11,7 +11,12 @@ host = "127.0.0.1" # The IP address to which you want sdb to bind to port = 2003 # The port to which you want sdb to bind to noart = false # Set `noart` to true if you want to disable terminal artwork maxcon = 50000 # set the maximum number of clients that the server can accept -mode = "dev" # Set this to `prod` when you're running in production and `dev` when in development +mode = "dev" # Set this to `prod` when you're running in production and `dev` when in development + +# This is an optional key +[auth] +# the origin key to be used to claim the root account +origin_key = "4527387f92a381cbe804593f33991d327d456a97" # This key is *OPTIONAL* [bgsave] diff --git a/server/src/config/definitions.rs b/server/src/config/definitions.rs index 60841676..b00121f5 100644 --- a/server/src/config/definitions.rs +++ b/server/src/config/definitions.rs @@ -199,6 +199,9 @@ impl PortConfig { pub const fn insecure_only(&self) -> bool { matches!(self, Self::InsecureOnly { .. }) } + pub const fn secure_only(&self) -> bool { + matches!(self, Self::SecureOnly { .. }) + } } #[derive(Deserialize, Debug, PartialEq)] @@ -392,6 +395,12 @@ impl AuthSettings { pub const fn default() -> Self { Self { origin_key: None } } + #[cfg(test)] + pub fn new(origin: AuthkeyWrapper) -> Self { + Self { + origin_key: Some(origin), + } + } } struct AuthSettingsVisitor; diff --git a/server/src/config/feedback.rs b/server/src/config/feedback.rs index d35e5f59..3793dd17 100644 --- a/server/src/config/feedback.rs +++ b/server/src/config/feedback.rs @@ -247,6 +247,9 @@ pub(super) fn evaluate_prod_settings(cfg: &ConfigurationSet) -> Result<(), Confi if cfg.ports.insecure_only() { estack.push("Either multi-socket (TCP and TLS) or TLS only must be enabled"); } + if cfg.auth.origin_key.is_some() && !cfg.ports.secure_only() { + estack.push("When authn+authz is enabled, TLS-only mode must be enabled"); + } check_rlimit_or_err(cfg.maxcon, &mut estack)?; if estack.is_empty() { Ok(()) diff --git a/server/src/config/tests.rs b/server/src/config/tests.rs index 3db75066..5976dcfe 100644 --- a/server/src/config/tests.rs +++ b/server/src/config/tests.rs @@ -349,6 +349,7 @@ fn get_toml_from_examples_dir(filename: &str) -> TResult { mod cfg_file_tests { use super::get_toml_from_examples_dir; + use crate::config::AuthkeyWrapper; use crate::config::{ cfgfile, AuthSettings, BGSave, Configset, ConfigurationSet, Modeset, PortConfig, SnapshotConfig, SnapshotPref, SslOpts, DEFAULT_IPV4, DEFAULT_PORT, @@ -380,6 +381,8 @@ mod cfg_file_tests { Some("/path/to/cert/passphrase.txt".to_owned()), ), ); + expected.auth.origin_key = + Some(AuthkeyWrapper::try_new(crate::TEST_AUTH_ORIGIN_KEY).unwrap()); // check assert_eq!(cfg_from_file.cfg, expected); } @@ -451,7 +454,7 @@ mod cfg_file_tests { ), MAXIMUM_CONNECTION_LIMIT, Modeset::Dev, - AuthSettings::default(), + AuthSettings::new(AuthkeyWrapper::try_new(crate::TEST_AUTH_ORIGIN_KEY).unwrap()) ) ); }