fix: harden login for MLPS requirements
This commit is contained in:
@@ -28,6 +28,7 @@ type Config struct {
|
||||
RabbitMQ sharedconfig.RabbitMQConfig `mapstructure:"rabbitmq"`
|
||||
Log sharedconfig.LogConfig `mapstructure:"log"`
|
||||
JWT JWTConfig `mapstructure:"jwt"`
|
||||
Auth sharedconfig.AuthConfig `mapstructure:"auth"`
|
||||
DefaultAdmin DefaultAdminConfig `mapstructure:"default_admin"`
|
||||
AdminUsers AdminUsersConfig `mapstructure:"admin_users"`
|
||||
IPRegion IPRegionConfig `mapstructure:"ip_region"`
|
||||
@@ -245,6 +246,9 @@ func Diff(previous, current *Config) []FieldChange {
|
||||
if previous.JWT != current.JWT {
|
||||
add("jwt", true)
|
||||
}
|
||||
if previous.Auth != current.Auth {
|
||||
add("auth", false)
|
||||
}
|
||||
if previous.AdminUsers != current.AdminUsers {
|
||||
add("admin_users", true)
|
||||
}
|
||||
@@ -310,6 +314,11 @@ func load(path string) (*Config, error) {
|
||||
}
|
||||
|
||||
func applySharedDefaults(settings map[string]any) {
|
||||
serverSettings := ensureMapSetting(settings, "server")
|
||||
securityHeadersSettings := ensureMapSetting(serverSettings, "security_headers")
|
||||
if _, ok := securityHeadersSettings["enabled"]; !ok {
|
||||
securityHeadersSettings["enabled"] = true
|
||||
}
|
||||
cacheSettings := ensureMapSetting(settings, "cache")
|
||||
if _, ok := cacheSettings["metrics_enabled"]; !ok {
|
||||
cacheSettings["metrics_enabled"] = true
|
||||
@@ -429,12 +438,46 @@ func applyEnvOverrides(cfg *Config) error {
|
||||
if v := os.Getenv("OPS_SERVER_TRUSTED_PROXIES"); v != "" {
|
||||
cfg.Server.TrustedProxies = strings.Split(v, ",")
|
||||
}
|
||||
if v := os.Getenv("OPS_SERVER_ALLOWED_ORIGINS"); v != "" {
|
||||
cfg.Server.AllowedOrigins = strings.Split(v, ",")
|
||||
}
|
||||
if v := os.Getenv("OPS_SERVER_SECURITY_HEADERS_ENABLED"); v != "" {
|
||||
enabled, err := parseBoolEnv("OPS_SERVER_SECURITY_HEADERS_ENABLED", v)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
cfg.Server.SecurityHeaders.Enabled = enabled
|
||||
}
|
||||
if v := os.Getenv("OPS_AUTH_PASSWORD_CIPHER_ENABLED"); v != "" {
|
||||
enabled, err := parseBoolEnv("OPS_AUTH_PASSWORD_CIPHER_ENABLED", v)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
cfg.Auth.PasswordCipher.Enabled = enabled
|
||||
}
|
||||
if v := os.Getenv("OPS_AUTH_PASSWORD_CIPHER_KEY_ID"); v != "" {
|
||||
cfg.Auth.PasswordCipher.KeyID = v
|
||||
}
|
||||
if v := os.Getenv("OPS_AUTH_PASSWORD_CIPHER_PRIVATE_KEY_PEM"); v != "" {
|
||||
cfg.Auth.PasswordCipher.PrivateKeyPEM = v
|
||||
}
|
||||
if v := os.Getenv("OPS_RABBITMQ_URL"); v != "" {
|
||||
cfg.RabbitMQ.URL = v
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func parseBoolEnv(name, value string) (bool, error) {
|
||||
switch strings.ToLower(strings.TrimSpace(value)) {
|
||||
case "1", "true", "yes", "y", "on":
|
||||
return true, nil
|
||||
case "0", "false", "no", "n", "off":
|
||||
return false, nil
|
||||
default:
|
||||
return false, fmt.Errorf("%s must be a boolean", name)
|
||||
}
|
||||
}
|
||||
|
||||
func normalizeOpsRabbitMQConfig(cfg *sharedconfig.RabbitMQConfig) {
|
||||
if cfg == nil {
|
||||
return
|
||||
|
||||
Reference in New Issue
Block a user