mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2026-05-10 06:18:11 +00:00
Scott McKendry
ef8bbd8c9f
removes the sqlite dependency for tests, also brings back the option for users to run zero persistence instances of tinyauth. adds new mapErr fn for sqlc wrapper gen to prevent sql errors from leaking out of the store implementation.
281 lines
14 KiB
Go
281 lines
14 KiB
Go
package model
|
|
|
|
// Default configuration
|
|
func NewDefaultConfiguration() *Config {
|
|
return &Config{
|
|
Database: DatabaseConfig{
|
|
Driver: "sqlite",
|
|
Path: "./tinyauth.db",
|
|
},
|
|
Analytics: AnalyticsConfig{
|
|
Enabled: true,
|
|
},
|
|
Resources: ResourcesConfig{
|
|
Enabled: true,
|
|
Path: "./resources",
|
|
},
|
|
Server: ServerConfig{
|
|
Port: 3000,
|
|
Address: "0.0.0.0",
|
|
},
|
|
Auth: AuthConfig{
|
|
SubdomainsEnabled: true,
|
|
SessionExpiry: 86400, // 1 day
|
|
SessionMaxLifetime: 0, // disabled
|
|
LoginTimeout: 300, // 5 minutes
|
|
LoginMaxRetries: 3,
|
|
},
|
|
UI: UIConfig{
|
|
Title: "Tinyauth",
|
|
ForgotPasswordMessage: "You can change your password by changing the configuration.",
|
|
BackgroundImage: "/background.jpg",
|
|
WarningsEnabled: true,
|
|
},
|
|
LDAP: LDAPConfig{
|
|
Insecure: false,
|
|
SearchFilter: "(uid=%s)",
|
|
GroupCacheTTL: 900, // 15 minutes
|
|
},
|
|
Log: LogConfig{
|
|
Level: "info",
|
|
Json: false,
|
|
Streams: LogStreams{
|
|
HTTP: LogStreamConfig{
|
|
Enabled: true,
|
|
Level: "",
|
|
},
|
|
App: LogStreamConfig{
|
|
Enabled: true,
|
|
Level: "",
|
|
},
|
|
Audit: LogStreamConfig{
|
|
Enabled: false,
|
|
Level: "",
|
|
},
|
|
},
|
|
},
|
|
OIDC: OIDCConfig{
|
|
PrivateKeyPath: "./tinyauth_oidc_key",
|
|
PublicKeyPath: "./tinyauth_oidc_key.pub",
|
|
},
|
|
Experimental: ExperimentalConfig{
|
|
ConfigFile: "",
|
|
},
|
|
LabelProvider: "auto",
|
|
}
|
|
}
|
|
|
|
type Config struct {
|
|
AppURL string `description:"The base URL where the app is hosted." yaml:"appUrl"`
|
|
Database DatabaseConfig `description:"Database configuration." yaml:"database"`
|
|
Analytics AnalyticsConfig `description:"Analytics configuration." yaml:"analytics"`
|
|
Resources ResourcesConfig `description:"Resources configuration." yaml:"resources"`
|
|
Server ServerConfig `description:"Server configuration." yaml:"server"`
|
|
Auth AuthConfig `description:"Authentication configuration." yaml:"auth"`
|
|
Apps map[string]App `description:"Application ACLs configuration." yaml:"apps"`
|
|
OAuth OAuthConfig `description:"OAuth configuration." yaml:"oauth"`
|
|
OIDC OIDCConfig `description:"OIDC configuration." yaml:"oidc"`
|
|
UI UIConfig `description:"UI customization." yaml:"ui"`
|
|
LDAP LDAPConfig `description:"LDAP configuration." yaml:"ldap"`
|
|
Experimental ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
|
|
LabelProvider string `description:"Label provider to use for ACLs (auto, docker, or kubernetes). auto detects the environment." yaml:"labelProvider"`
|
|
Log LogConfig `description:"Logging configuration." yaml:"log"`
|
|
}
|
|
|
|
type DatabaseConfig struct {
|
|
Driver string `description:"The database driver to use. Valid values: sqlite, memory." yaml:"driver"`
|
|
Path string `description:"The path to the SQLite database, including file name. Only used when driver is sqlite." yaml:"path"`
|
|
}
|
|
|
|
type AnalyticsConfig struct {
|
|
Enabled bool `description:"Enable periodic version information collection." yaml:"enabled"`
|
|
}
|
|
|
|
type ResourcesConfig struct {
|
|
Enabled bool `description:"Enable the resources server." yaml:"enabled"`
|
|
Path string `description:"The directory where resources are stored." yaml:"path"`
|
|
}
|
|
|
|
type ServerConfig struct {
|
|
Port int `description:"The port on which the server listens." yaml:"port"`
|
|
Address string `description:"The address on which the server listens." yaml:"address"`
|
|
SocketPath string `description:"The path to the Unix socket." yaml:"socketPath"`
|
|
}
|
|
|
|
type AuthConfig struct {
|
|
IP IPConfig `description:"IP whitelisting config options." yaml:"ip"`
|
|
Users []string `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
|
|
SubdomainsEnabled bool `description:"Enable subdomains support." yaml:"subdomainsEnabled"`
|
|
UserAttributes map[string]UserAttributes `description:"Map of per-user OIDC attributes (username -> attributes)." yaml:"userAttributes"`
|
|
UsersFile string `description:"Path to the users file." yaml:"usersFile"`
|
|
SecureCookie bool `description:"Enable secure cookies." yaml:"secureCookie"`
|
|
SessionExpiry int `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
|
|
SessionMaxLifetime int `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
|
|
LoginTimeout int `description:"Login timeout in seconds." yaml:"loginTimeout"`
|
|
LoginMaxRetries int `description:"Maximum login retries." yaml:"loginMaxRetries"`
|
|
TrustedProxies []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
|
|
}
|
|
|
|
type UserAttributes struct {
|
|
Name string `description:"Full name of the user." yaml:"name"`
|
|
GivenName string `description:"Given (first) name of the user." yaml:"givenName"`
|
|
FamilyName string `description:"Family (last) name of the user." yaml:"familyName"`
|
|
MiddleName string `description:"Middle name of the user." yaml:"middleName"`
|
|
Nickname string `description:"Nickname of the user." yaml:"nickname"`
|
|
Profile string `description:"URL of the user's profile page." yaml:"profile"`
|
|
Picture string `description:"URL of the user's profile picture." yaml:"picture"`
|
|
Website string `description:"URL of the user's website." yaml:"website"`
|
|
Email string `description:"Email address of the user." yaml:"email"`
|
|
Gender string `description:"Gender of the user." yaml:"gender"`
|
|
Birthdate string `description:"Birthdate of the user (YYYY-MM-DD)." yaml:"birthdate"`
|
|
Zoneinfo string `description:"Time zone of the user (e.g. Europe/Athens)." yaml:"zoneinfo"`
|
|
Locale string `description:"Locale of the user (e.g. en-US)." yaml:"locale"`
|
|
PhoneNumber string `description:"Phone number of the user." yaml:"phoneNumber"`
|
|
Address AddressClaim `description:"Address of the user." yaml:"address"`
|
|
}
|
|
|
|
type AddressClaim struct {
|
|
Formatted string `description:"Full mailing address, formatted for display." yaml:"formatted" json:"formatted,omitempty"`
|
|
StreetAddress string `description:"Street address." yaml:"streetAddress" json:"street_address,omitempty"`
|
|
Locality string `description:"City or locality." yaml:"locality" json:"locality,omitempty"`
|
|
Region string `description:"State, province, or region." yaml:"region" json:"region,omitempty"`
|
|
PostalCode string `description:"Zip or postal code." yaml:"postalCode" json:"postal_code,omitempty"`
|
|
Country string `description:"Country." yaml:"country" json:"country,omitempty"`
|
|
}
|
|
|
|
type IPConfig struct {
|
|
Allow []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
|
|
Block []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
|
|
}
|
|
|
|
type OAuthConfig struct {
|
|
Whitelist []string `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
|
|
WhitelistFile string `description:"Path to the OAuth whitelist file." yaml:"whitelistFile"`
|
|
AutoRedirect string `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`
|
|
Providers map[string]OAuthServiceConfig `description:"OAuth providers configuration." yaml:"providers"`
|
|
}
|
|
|
|
type OIDCConfig struct {
|
|
PrivateKeyPath string `description:"Path to the private key file, including file name." yaml:"privateKeyPath"`
|
|
PublicKeyPath string `description:"Path to the public key file, including file name." yaml:"publicKeyPath"`
|
|
Clients map[string]OIDCClientConfig `description:"OIDC clients configuration." yaml:"clients"`
|
|
}
|
|
|
|
type UIConfig struct {
|
|
Title string `description:"The title of the UI." yaml:"title"`
|
|
ForgotPasswordMessage string `description:"Message displayed on the forgot password page." yaml:"forgotPasswordMessage"`
|
|
BackgroundImage string `description:"Path to the background image." yaml:"backgroundImage"`
|
|
WarningsEnabled bool `description:"Enable UI warnings." yaml:"warningsEnabled"`
|
|
}
|
|
|
|
type LDAPConfig struct {
|
|
Address string `description:"LDAP server address." yaml:"address"`
|
|
BindDN string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
|
|
BindPassword string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
|
|
BaseDN string `description:"Base DN for LDAP searches." yaml:"baseDn"`
|
|
Insecure bool `description:"Allow insecure LDAP connections." yaml:"insecure"`
|
|
SearchFilter string `description:"LDAP search filter." yaml:"searchFilter"`
|
|
AuthCert string `description:"Certificate for mTLS authentication." yaml:"authCert"`
|
|
AuthKey string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
|
|
GroupCacheTTL int `description:"Cache duration for LDAP group membership in seconds." yaml:"groupCacheTTL"`
|
|
}
|
|
|
|
type LogConfig struct {
|
|
Level string `description:"Log level (trace, debug, info, warn, error)." yaml:"level"`
|
|
Json bool `description:"Enable JSON formatted logs." yaml:"json"`
|
|
Streams LogStreams `description:"Configuration for specific log streams." yaml:"streams"`
|
|
}
|
|
|
|
type LogStreams struct {
|
|
HTTP LogStreamConfig `description:"HTTP request logging." yaml:"http"`
|
|
App LogStreamConfig `description:"Application logging." yaml:"app"`
|
|
Audit LogStreamConfig `description:"Audit logging." yaml:"audit"`
|
|
}
|
|
|
|
type LogStreamConfig struct {
|
|
Enabled bool `description:"Enable this log stream." yaml:"enabled"`
|
|
Level string `description:"Log level for this stream. Use global if empty." yaml:"level"`
|
|
}
|
|
|
|
type ExperimentalConfig struct {
|
|
ConfigFile string `description:"Path to config file." yaml:"-"`
|
|
}
|
|
|
|
type OAuthServiceConfig struct {
|
|
ClientID string `description:"OAuth client ID." yaml:"clientId"`
|
|
ClientSecret string `description:"OAuth client secret." yaml:"clientSecret"`
|
|
ClientSecretFile string `description:"Path to the file containing the OAuth client secret." yaml:"clientSecretFile"`
|
|
Scopes []string `description:"OAuth scopes." yaml:"scopes"`
|
|
RedirectURL string `description:"OAuth redirect URL." yaml:"redirectUrl"`
|
|
AuthURL string `description:"OAuth authorization URL." yaml:"authUrl"`
|
|
TokenURL string `description:"OAuth token URL." yaml:"tokenUrl"`
|
|
UserinfoURL string `description:"OAuth userinfo URL." yaml:"userinfoUrl"`
|
|
Insecure bool `description:"Allow insecure OAuth connections." yaml:"insecure"`
|
|
Name string `description:"Provider name in UI." yaml:"name"`
|
|
}
|
|
|
|
type OIDCClientConfig struct {
|
|
ID string `description:"OIDC client ID." yaml:"-"`
|
|
ClientID string `description:"OIDC client ID." yaml:"clientId"`
|
|
ClientSecret string `description:"OIDC client secret." yaml:"clientSecret"`
|
|
ClientSecretFile string `description:"Path to the file containing the OIDC client secret." yaml:"clientSecretFile"`
|
|
TrustedRedirectURIs []string `description:"List of trusted redirect URIs." yaml:"trustedRedirectUris"`
|
|
Name string `description:"Client name in UI." yaml:"name"`
|
|
}
|
|
|
|
// ACLs
|
|
|
|
type Apps struct {
|
|
Apps map[string]App `description:"App ACLs configuration." yaml:"apps"`
|
|
}
|
|
|
|
type App struct {
|
|
Config AppConfig `description:"App configuration." yaml:"config"`
|
|
Users AppUsers `description:"User access configuration." yaml:"users"`
|
|
OAuth AppOAuth `description:"OAuth access configuration." yaml:"oauth"`
|
|
IP AppIP `description:"IP access configuration." yaml:"ip"`
|
|
Response AppResponse `description:"Response customization." yaml:"response"`
|
|
Path AppPath `description:"Path access configuration." yaml:"path"`
|
|
LDAP AppLDAP `description:"LDAP access configuration." yaml:"ldap"`
|
|
}
|
|
|
|
type AppConfig struct {
|
|
Domain string `description:"The domain of the app." yaml:"domain"`
|
|
}
|
|
|
|
type AppUsers struct {
|
|
Allow string `description:"Comma-separated list of allowed users." yaml:"allow"`
|
|
Block string `description:"Comma-separated list of blocked users." yaml:"block"`
|
|
}
|
|
|
|
type AppOAuth struct {
|
|
Whitelist string `description:"Comma-separated list of allowed OAuth groups." yaml:"whitelist"`
|
|
Groups string `description:"Comma-separated list of required OAuth groups." yaml:"groups"`
|
|
}
|
|
|
|
type AppLDAP struct {
|
|
Groups string `description:"Comma-separated list of required LDAP groups." yaml:"groups"`
|
|
}
|
|
|
|
type AppIP struct {
|
|
Allow []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
|
|
Block []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
|
|
Bypass []string `description:"List of IPs or CIDR ranges that bypass authentication." yaml:"bypass"`
|
|
}
|
|
|
|
type AppResponse struct {
|
|
Headers []string `description:"Custom headers to add to the response." yaml:"headers"`
|
|
BasicAuth AppBasicAuth `description:"Basic authentication for the app." yaml:"basicAuth"`
|
|
}
|
|
|
|
type AppBasicAuth struct {
|
|
Username string `description:"Basic auth username." yaml:"username"`
|
|
Password string `description:"Basic auth password." yaml:"password"`
|
|
PasswordFile string `description:"Path to the file containing the basic auth password." yaml:"passwordFile"`
|
|
}
|
|
|
|
type AppPath struct {
|
|
Allow string `description:"Comma-separated list of allowed paths." yaml:"allow"`
|
|
Block string `description:"Comma-separated list of blocked paths." yaml:"block"`
|
|
}
|