156 lines
6 KiB
Python
156 lines
6 KiB
Python
import logging
|
|
|
|
import peewee
|
|
|
|
from app import app, get_app_url
|
|
from auth.auth_context import get_authenticated_user
|
|
from data.database import validate_database_url
|
|
from data.users import LDAP_CERT_FILENAME
|
|
from oauth.services.github import GithubOAuthService
|
|
from oauth.services.gitlab import GitLabOAuthService
|
|
|
|
from util.config.validators.validate_database import DatabaseValidator
|
|
from util.config.validators.validate_redis import RedisValidator
|
|
from util.config.validators.validate_storage import StorageValidator
|
|
from util.config.validators.validate_email import EmailValidator
|
|
from util.config.validators.validate_ldap import LDAPValidator
|
|
from util.config.validators.validate_keystone import KeystoneValidator
|
|
from util.config.validators.validate_jwt import JWTAuthValidator
|
|
from util.config.validators.validate_secscan import SecurityScannerValidator
|
|
from util.config.validators.validate_signer import SignerValidator
|
|
from util.config.validators.validate_torrent import BittorrentValidator
|
|
from util.config.validators.validate_ssl import SSLValidator, SSL_FILENAMES
|
|
from util.config.validators.validate_google_login import GoogleLoginValidator
|
|
from util.config.validators.validate_bitbucket_trigger import BitbucketTriggerValidator
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
class ConfigValidationException(Exception):
|
|
""" Exception raised when the configuration fails to validate for a known reason. """
|
|
pass
|
|
|
|
|
|
# Note: Only add files required for HTTPS to the SSL_FILESNAMES list.
|
|
DB_SSL_FILENAMES = ['database.pem']
|
|
JWT_FILENAMES = ['jwt-authn.cert']
|
|
ACI_CERT_FILENAMES = ['signing-public.gpg', 'signing-private.gpg']
|
|
LDAP_FILENAMES = [LDAP_CERT_FILENAME]
|
|
CONFIG_FILENAMES = (SSL_FILENAMES + DB_SSL_FILENAMES + JWT_FILENAMES + ACI_CERT_FILENAMES +
|
|
LDAP_FILENAMES)
|
|
EXTRA_CA_DIRECTORY = 'extra_ca_certs'
|
|
|
|
|
|
def validate_service_for_config(service, config, password=None):
|
|
""" Attempts to validate the configuration for the given service. """
|
|
if not service in VALIDATORS:
|
|
return {
|
|
'status': False
|
|
}
|
|
|
|
try:
|
|
VALIDATORS[service](config, get_authenticated_user(), password)
|
|
return {
|
|
'status': True
|
|
}
|
|
except Exception as ex:
|
|
logger.exception('Validation exception')
|
|
return {
|
|
'status': False,
|
|
'reason': str(ex)
|
|
}
|
|
|
|
|
|
def _validate_database(config, user_obj, _):
|
|
""" Validates connecting to the database. """
|
|
try:
|
|
validate_database_url(config['DB_URI'], config.get('DB_CONNECTION_ARGS', {}))
|
|
except peewee.OperationalError as ex:
|
|
if ex.args and len(ex.args) > 1:
|
|
raise ConfigValidationException(ex.args[1])
|
|
else:
|
|
raise ex
|
|
|
|
|
|
def _validate_gitlab(config, user_obj, _):
|
|
""" Validates the OAuth credentials and API endpoint for a GitLab service. """
|
|
github_config = config.get('GITLAB_TRIGGER_CONFIG')
|
|
if not github_config:
|
|
raise ConfigValidationException('Missing GitLab client id and client secret')
|
|
|
|
endpoint = github_config.get('GITLAB_ENDPOINT')
|
|
if not endpoint:
|
|
raise ConfigValidationException('Missing GitLab Endpoint')
|
|
|
|
if endpoint.find('http://') != 0 and endpoint.find('https://') != 0:
|
|
raise ConfigValidationException('GitLab Endpoint must start with http:// or https://')
|
|
|
|
if not github_config.get('CLIENT_ID'):
|
|
raise ConfigValidationException('Missing Client ID')
|
|
|
|
if not github_config.get('CLIENT_SECRET'):
|
|
raise ConfigValidationException('Missing Client Secret')
|
|
|
|
client = app.config['HTTPCLIENT']
|
|
oauth = GitLabOAuthService(config, 'GITLAB_TRIGGER_CONFIG')
|
|
result = oauth.validate_client_id_and_secret(client, app.config)
|
|
if not result:
|
|
raise ConfigValidationException('Invalid client id or client secret')
|
|
|
|
|
|
def _validate_github(config_key):
|
|
return lambda config, user_obj, _: _validate_github_with_key(config_key, config)
|
|
|
|
|
|
def _validate_github_with_key(config_key, config):
|
|
""" Validates the OAuth credentials and API endpoint for a Github service. """
|
|
github_config = config.get(config_key)
|
|
if not github_config:
|
|
raise ConfigValidationException('Missing GitHub client id and client secret')
|
|
|
|
endpoint = github_config.get('GITHUB_ENDPOINT')
|
|
if not endpoint:
|
|
raise ConfigValidationException('Missing GitHub Endpoint')
|
|
|
|
if endpoint.find('http://') != 0 and endpoint.find('https://') != 0:
|
|
raise ConfigValidationException('Github Endpoint must start with http:// or https://')
|
|
|
|
if not github_config.get('CLIENT_ID'):
|
|
raise ConfigValidationException('Missing Client ID')
|
|
|
|
if not github_config.get('CLIENT_SECRET'):
|
|
raise ConfigValidationException('Missing Client Secret')
|
|
|
|
if github_config.get('ORG_RESTRICT') and not github_config.get('ALLOWED_ORGANIZATIONS'):
|
|
raise ConfigValidationException('Organization restriction must have at least one allowed ' +
|
|
'organization')
|
|
|
|
client = app.config['HTTPCLIENT']
|
|
oauth = GithubOAuthService(config, config_key)
|
|
result = oauth.validate_client_id_and_secret(client, app.config)
|
|
if not result:
|
|
raise ConfigValidationException('Invalid client id or client secret')
|
|
|
|
if github_config.get('ALLOWED_ORGANIZATIONS'):
|
|
for org_id in github_config.get('ALLOWED_ORGANIZATIONS'):
|
|
if not oauth.validate_organization(org_id, client):
|
|
raise ConfigValidationException('Invalid organization: %s' % org_id)
|
|
|
|
|
|
VALIDATORS = {
|
|
DatabaseValidator.name: DatabaseValidator.validate,
|
|
RedisValidator.name: RedisValidator.validate,
|
|
StorageValidator.name: StorageValidator.validate,
|
|
EmailValidator.name: EmailValidator.validate,
|
|
'github-login': _validate_github('GITHUB_LOGIN_CONFIG'),
|
|
'github-trigger': _validate_github('GITHUB_TRIGGER_CONFIG'),
|
|
'gitlab-trigger': _validate_gitlab,
|
|
BitbucketTriggerValidator.name: BittorrentValidator.validate,
|
|
GoogleLoginValidator.name: GoogleLoginValidator.validate,
|
|
SSLValidator.name: SSLValidator.validate,
|
|
LDAPValidator.name: LDAPValidator.validate,
|
|
JWTAuthValidator.name: JWTAuthValidator.validate,
|
|
KeystoneValidator.name: KeystoneValidator.validate,
|
|
SignerValidator.name: SignerValidator.validate,
|
|
SecurityScannerValidator.name: SecurityScannerValidator.validate,
|
|
BittorrentValidator.name: BittorrentValidator.validate,
|
|
}
|