mirror of
https://github.com/h44z/wg-portal
synced 2025-02-26 05:49:14 +00:00
193 lines
6.8 KiB
Go
193 lines
6.8 KiB
Go
package config
|
|
|
|
import (
|
|
"regexp"
|
|
"time"
|
|
|
|
"github.com/go-ldap/ldap/v3"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
type Auth struct {
|
|
OpenIDConnect []OpenIDConnectProvider `yaml:"oidc"`
|
|
OAuth []OAuthProvider `yaml:"oauth"`
|
|
Ldap []LdapProvider `yaml:"ldap"`
|
|
}
|
|
|
|
type BaseFields struct {
|
|
UserIdentifier string `yaml:"user_identifier"`
|
|
Email string `yaml:"email"`
|
|
Firstname string `yaml:"firstname"`
|
|
Lastname string `yaml:"lastname"`
|
|
Phone string `yaml:"phone"`
|
|
Department string `yaml:"department"`
|
|
}
|
|
|
|
type OauthFields struct {
|
|
BaseFields `yaml:",inline"`
|
|
IsAdmin string `yaml:"is_admin"` // If the value is "true", the user is an admin.
|
|
UserGroups string `yaml:"user_groups"` // This value specifies the claim name that contains the users groups.
|
|
}
|
|
|
|
// OauthAdminMapping contains all necessary information to extract information about administrative privileges
|
|
// from the user info fields.
|
|
//
|
|
// WgPortal can grant a user admin rights by matching the value of the `is_admin` claim against a regular expression.
|
|
// Alternatively, a regular expression can be used to check if a user is member of a specific group listed in the
|
|
// `user_group` claim.
|
|
// If one of the cases evaluates to true, the user is granted admin rights.
|
|
type OauthAdminMapping struct {
|
|
// If the regex specified in that field matches the contents of the is_admin field, the user is an admin.
|
|
AdminValueRegex string `yaml:"admin_value_regex"`
|
|
|
|
// If any of the groups listed in the groups field matches the group specified in the admin_group_regex field, ]
|
|
// the user is an admin.
|
|
AdminGroupRegex string `yaml:"admin_group_regex"`
|
|
|
|
// internal cache fields
|
|
|
|
adminValueRegex *regexp.Regexp
|
|
adminGroupRegex *regexp.Regexp
|
|
}
|
|
|
|
func (o *OauthAdminMapping) GetAdminValueRegex() *regexp.Regexp {
|
|
if o.adminValueRegex != nil {
|
|
return o.adminValueRegex // return cached value
|
|
}
|
|
|
|
if o.AdminValueRegex == "" {
|
|
o.adminValueRegex = regexp.MustCompile("^true$") // default value is "true"
|
|
return o.adminValueRegex
|
|
}
|
|
|
|
adminRegex, err := regexp.Compile(o.AdminValueRegex)
|
|
if err != nil {
|
|
logrus.Fatalf("failed to compile admin_value_regex: %v", err)
|
|
}
|
|
o.adminValueRegex = adminRegex
|
|
|
|
return o.adminValueRegex
|
|
}
|
|
|
|
func (o *OauthAdminMapping) GetAdminGroupRegex() *regexp.Regexp {
|
|
if o.adminGroupRegex != nil {
|
|
return o.adminGroupRegex // return cached value
|
|
}
|
|
|
|
if o.AdminGroupRegex == "" {
|
|
o.adminGroupRegex = regexp.MustCompile("^wg_portal_default_admin_group$") // default value is "wg_portal_default_admin_group"
|
|
return o.adminGroupRegex
|
|
}
|
|
|
|
groupRegex, err := regexp.Compile(o.AdminGroupRegex)
|
|
if err != nil {
|
|
logrus.Fatalf("failed to compile admin_group_regex: %v", err)
|
|
}
|
|
o.adminGroupRegex = groupRegex
|
|
|
|
return o.adminGroupRegex
|
|
}
|
|
|
|
type LdapFields struct {
|
|
BaseFields `yaml:",inline"`
|
|
GroupMembership string `yaml:"memberof"`
|
|
}
|
|
|
|
type LdapProvider struct {
|
|
// ProviderName is an internal name that is used to distinguish LDAP servers. It must not contain spaces or special characters.
|
|
ProviderName string `yaml:"provider_name"`
|
|
|
|
URL string `yaml:"url"`
|
|
StartTLS bool `yaml:"start_tls"`
|
|
CertValidation bool `yaml:"cert_validation"`
|
|
TlsCertificatePath string `yaml:"tls_certificate_path"`
|
|
TlsKeyPath string `yaml:"tls_key_path"`
|
|
|
|
BaseDN string `yaml:"base_dn"`
|
|
BindUser string `yaml:"bind_user"`
|
|
BindPass string `yaml:"bind_pass"`
|
|
|
|
FieldMap LdapFields `yaml:"field_map"`
|
|
|
|
LoginFilter string `yaml:"login_filter"` // {{login_identifier}} gets replaced with the login email address / username
|
|
AdminGroupDN string `yaml:"admin_group"` // Members of this group receive admin rights in WG-Portal
|
|
ParsedAdminGroupDN *ldap.DN `yaml:"-"`
|
|
|
|
// If DisableMissing is true, missing users will be deactivated
|
|
DisableMissing bool `yaml:"disable_missing"`
|
|
SyncFilter string `yaml:"sync_filter"`
|
|
SyncInterval time.Duration `yaml:"sync_interval"`
|
|
|
|
// If RegistrationEnabled is set to true, wg-portal will create new users that do not exist in the database.
|
|
RegistrationEnabled bool `yaml:"registration_enabled"`
|
|
|
|
// If LogUserInfo is set to true, the user info retrieved from the LDAP provider will be logged in trace level.
|
|
LogUserInfo bool `yaml:"log_user_info"`
|
|
}
|
|
|
|
type OpenIDConnectProvider struct {
|
|
// ProviderName is an internal name that is used to distinguish oauth endpoints. It must not contain spaces or special characters.
|
|
ProviderName string `yaml:"provider_name"`
|
|
|
|
// DisplayName is shown to the user on the login page. If it is empty, ProviderName will be displayed.
|
|
DisplayName string `yaml:"display_name"`
|
|
|
|
BaseUrl string `yaml:"base_url"`
|
|
|
|
// ClientID is the application's ID.
|
|
ClientID string `yaml:"client_id"`
|
|
|
|
// ClientSecret is the application's secret.
|
|
ClientSecret string `yaml:"client_secret"`
|
|
|
|
// ExtraScopes specifies optional requested permissions.
|
|
ExtraScopes []string `yaml:"extra_scopes"`
|
|
|
|
// FieldMap is used to map the names of the user-info endpoint fields to wg-portal fields
|
|
FieldMap OauthFields `yaml:"field_map"`
|
|
|
|
// AdminMapping contains all necessary information to extract information about administrative privileges
|
|
// from the user info fields.
|
|
AdminMapping OauthAdminMapping `yaml:"admin_mapping"`
|
|
|
|
// If RegistrationEnabled is set to true, missing users will be created in the database
|
|
RegistrationEnabled bool `yaml:"registration_enabled"`
|
|
|
|
// If LogUserInfo is set to true, the user info retrieved from the OIDC provider will be logged in trace level.
|
|
LogUserInfo bool `yaml:"log_user_info"`
|
|
}
|
|
|
|
type OAuthProvider struct {
|
|
// ProviderName is an internal name that is used to distinguish oauth endpoints. It must not contain spaces or special characters.
|
|
ProviderName string `yaml:"provider_name"`
|
|
|
|
// DisplayName is shown to the user on the login page. If it is empty, ProviderName will be displayed.
|
|
DisplayName string `yaml:"display_name"`
|
|
|
|
// ClientID is the application's ID.
|
|
ClientID string `yaml:"client_id"`
|
|
|
|
// ClientSecret is the application's secret.
|
|
ClientSecret string `yaml:"client_secret"`
|
|
|
|
AuthURL string `yaml:"auth_url"`
|
|
TokenURL string `yaml:"token_url"`
|
|
UserInfoURL string `yaml:"user_info_url"`
|
|
|
|
// Scope specifies optional requested permissions.
|
|
Scopes []string `yaml:"scopes"`
|
|
|
|
// FieldMap is used to map the names of the user-info endpoint fields to wg-portal fields
|
|
FieldMap OauthFields `yaml:"field_map"`
|
|
|
|
// AdminMapping contains all necessary information to extract information about administrative privileges
|
|
// from the user info fields.
|
|
AdminMapping OauthAdminMapping `yaml:"admin_mapping"`
|
|
|
|
// If RegistrationEnabled is set to true, wg-portal will create new users that do not exist in the database.
|
|
RegistrationEnabled bool `yaml:"registration_enabled"`
|
|
|
|
// If LogUserInfo is set to true, the user info retrieved from the OAuth provider will be logged in trace level.
|
|
LogUserInfo bool `yaml:"log_user_info"`
|
|
}
|