From b0e74d348a97ec6e7aec9104f986c231e9ab6ec2 Mon Sep 17 00:00:00 2001
From: Marc 'risson' Schmitt
Date: Wed, 10 Jan 2024 23:39:27 +0100
Subject: [PATCH] root: fix listen trusted_proxy_cidrs config loading from environment (#8075)
Co-authored-by: Jens Langhammer
---
 go.mod | 2 +-
 go.sum | 4 +-
 internal/config/config.go | 9 ++-
 internal/config/struct.go | 60 ++++++++++----------
 website/docs/installation/configuration.mdx | 4 +-
 5 files changed, 41 insertions(+), 38 deletions(-)
diff --git a/go.mod b/go.mod
index d6caaad34..2c10844e8 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,6 @@ go 1.21
 
 require (
 	beryju.io/ldap v0.1.0
-	github.com/Netflix/go-env v0.0.0-20210215222557-e437a7e7f9fb
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/getsentry/sentry-go v0.25.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
@@ -24,6 +23,7 @@ require (
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/prometheus/client_golang v1.18.0
 	github.com/redis/go-redis/v9 v9.4.0
+	github.com/sethvargo/go-envconfig v0.9.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.8.4
diff --git a/go.sum b/go.sum
index 75c2a077e..e444286a4 100644
--- a/go.sum
+++ b/go.sum
@@ -37,8 +37,6 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/Netflix/go-env v0.0.0-20210215222557-e437a7e7f9fb h1:w9IDEB7P1VzNcBpOG7kMpFkZp2DkyJIUt0gDx5MBhRU= -github.com/Netflix/go-env v0.0.0-20210215222557-e437a7e7f9fb/go.mod h1:9XMFaCeRyW7fC9XJOWQ+NdAv8VLG7ys7l3x4ozEGLUQ= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= @@ -264,6 +262,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sethvargo/go-envconfig v0.9.0 h1:Q6FQ6hVEeTECULvkJZakq3dZMeBQ3JUpcKMfPQbKMDE= +github.com/sethvargo/go-envconfig v0.9.0/go.mod h1:Iz1Gy1Sf3T64TQlJSvee81qDhf7YIlt8GMUX6yyNFs0= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= diff --git a/internal/config/config.go b/internal/config/config.go index ac37d277e..a7d3eeb5d 100644 --- a/internal/config/config.go +++ b/internal/config/config.go 
@@ -1,6 +1,7 @@
 package config
 
 import (
+	"context"
 	_ "embed"
 	"errors"
 	"fmt"
@@ -10,10 +11,11 @@ import (
 	"reflect"
 	"strings"
 
-	env "github.com/Netflix/go-env"
+	env "github.com/sethvargo/go-envconfig"
 	log "github.com/sirupsen/logrus"
-	"goauthentik.io/authentik/lib"
 	"gopkg.in/yaml.v2"
+
+	"goauthentik.io/authentik/lib"
 )
 
 var cfg *Config
@@ -113,7 +115,8 @@ func (c *Config) LoadConfigFromFile(path string) error {
 }
 
 func (c *Config) fromEnv() error {
-	_, err := env.UnmarshalFromEnviron(c)
+	ctx := context.Background()
+	err := env.Process(ctx, c)
 	if err != nil {
 		return fmt.Errorf("failed to load environment variables: %w", err)
 	}
diff --git a/internal/config/struct.go b/internal/config/struct.go
index e7be9733e..3ceb775e5 100644
--- a/internal/config/struct.go
+++ b/internal/config/struct.go
@@ -3,17 +3,17 @@ package config
 type Config struct {
 	// Core specific config
 	Paths PathsConfig `yaml:"paths"`
-	LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL"`
-	ErrorReporting ErrorReportingConfig `yaml:"error_reporting"`
-	Redis RedisConfig `yaml:"redis"`
-	Outposts OutpostConfig `yaml:"outposts"`
+	LogLevel string `yaml:"log_level" env:"AUTHENTIK_LOG_LEVEL, overwrite"`
+	ErrorReporting ErrorReportingConfig `yaml:"error_reporting" env:", prefix=AUTHENTIK_ERROR_REPORTING__"`
+	Redis RedisConfig `yaml:"redis" env:", prefix=AUTHENTIK_REDIS__"`
+	Outposts OutpostConfig `yaml:"outposts" env:", prefix=AUTHENTIK_OUTPOSTS__"`
 
 	// Config for core and embedded outpost
-	SecretKey string `yaml:"secret_key" env:"AUTHENTIK_SECRET_KEY"`
+	SecretKey string `yaml:"secret_key" env:"AUTHENTIK_SECRET_KEY, overwrite"`
 
 	// Config for both core and outposts
-	Debug bool `yaml:"debug" env:"AUTHENTIK_DEBUG"`
-	Listen ListenConfig `yaml:"listen"`
+	Debug bool `yaml:"debug" env:"AUTHENTIK_DEBUG, overwrite"`
+	Listen ListenConfig `yaml:"listen" env:", prefix=AUTHENTIK_LISTEN__"`
 
 	// Outpost specific config
 	// These are only relevant for proxy/ldap outposts, and cannot be set via YAML
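Review bot: `ctx := context.Background()` on the added line in fromEnv is used exactly once and can be folded into the call, `if err := env.Process(context.Background(), c); err != nil {`, which keeps the happy path left-aligned and scopes err to the check. The removed go-env call returned the unconsumed environment entries and discarded them with `_`; `env.Process` reports only an error, so a mistyped `AUTHENTIK_*` name (a missing `__` in one of the new prefixed names, for instance) is silently ignored rather than surfaced, which is the same failure mode the commit title is fixing — a debug-level log of the tagged fields that were populated would make that diagnosable. fromEnv's body continues outside the hunk.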
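Review bot: `Paths PathsConfig `yaml:"paths"`` is the only nested struct field in this hunk left without an `env:", prefix=..."` tag while every sibling received one. If PathsConfig (outside this hunk) carries `env` tags on its fields, go-envconfig would presumably read them unprefixed rather than under an `AUTHENTIK_PATHS__` name; if it carries none, a one-line comment such as `// Paths is YAML-only; no environment override` would record that the omission is deliberate. A doc comment on Config should also spell out the precedence the tags now encode — `overwrite` means a set environment variable replaces the value already loaded from YAML — since a reader cannot infer that from the tag syntax alone.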
@@ -25,24 +25,24 @@ type Config struct {
 }
 
 type RedisConfig struct {
-	Host string `yaml:"host" env:"AUTHENTIK_REDIS__HOST"`
-	Port int `yaml:"port" env:"AUTHENTIK_REDIS__PORT"`
-	DB int `yaml:"db" env:"AUTHENTIK_REDIS__DB"`
-	Username string `yaml:"username" env:"AUTHENTIK_REDIS__USERNAME"`
-	Password string `yaml:"password" env:"AUTHENTIK_REDIS__PASSWORD"`
-	TLS bool `yaml:"tls" env:"AUTHENTIK_REDIS__TLS"`
-	TLSReqs string `yaml:"tls_reqs" env:"AUTHENTIK_REDIS__TLS_REQS"`
+	Host string `yaml:"host" env:"HOST, overwrite"`
+	Port int `yaml:"port" env:"PORT, overwrite"`
+	DB int `yaml:"db" env:"DB, overwrite"`
+	Username string `yaml:"username" env:"USERNAME, overwrite"`
+	Password string `yaml:"password" env:"PASSWORD, overwrite"`
+	TLS bool `yaml:"tls" env:"TLS, overwrite"`
+	TLSReqs string `yaml:"tls_reqs" env:"TLS_REQS, overwrite"`
 }
 
 type ListenConfig struct {
-	HTTP string `yaml:"listen_http" env:"AUTHENTIK_LISTEN__HTTP"`
-	HTTPS string `yaml:"listen_https" env:"AUTHENTIK_LISTEN__HTTPS"`
-	LDAP string `yaml:"listen_ldap" env:"AUTHENTIK_LISTEN__LDAP"`
-	LDAPS string `yaml:"listen_ldaps" env:"AUTHENTIK_LISTEN__LDAPS"`
-	Radius string `yaml:"listen_radius" env:"AUTHENTIK_LISTEN__RADIUS"`
-	Metrics string `yaml:"listen_metrics" env:"AUTHENTIK_LISTEN__METRICS"`
-	Debug string `yaml:"listen_debug" env:"AUTHENTIK_LISTEN__DEBUG"`
-	TrustedProxyCIDRs []string `yaml:"trusted_proxy_cidrs" env:"AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS"`
+	HTTP string `yaml:"listen_http" env:"HTTP, overwrite"`
+	HTTPS string `yaml:"listen_https" env:"HTTPS, overwrite"`
+	LDAP string `yaml:"listen_ldap" env:"LDAP, overwrite"`
+	LDAPS string `yaml:"listen_ldaps" env:"LDAPS, overwrite"`
+	Radius string `yaml:"listen_radius" env:"RADIUS, overwrite"`
+	Metrics string `yaml:"listen_metrics" env:"METRICS, overwrite"`
+	Debug string `yaml:"listen_debug" env:"DEBUG, overwrite"`
+	TrustedProxyCIDRs []string `yaml:"trusted_proxy_cidrs" env:"TRUSTED_PROXY_CIDRS, overwrite"`
 }
 
 type PathsConfig struct {
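Review bot: `TrustedProxyCIDRs []string ... env:"TRUSTED_PROXY_CIDRS, overwrite"` now relies on go-envconfig's default list delimiter, which the docs hunk in this commit describes as comma-separated; nothing in the hunk trims whitespace around entries, so a value written as `10.0.0.0/8, 192.168.0.0/16` may produce an element with a leading space depending on how v0.9.0 splits (not confirmed here), and this list is what decides whose proxy headers are trusted. A unit test that sets `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS` to two entries and asserts the resulting slice, plus one confirming that an unset variable keeps the YAML-loaded value under `overwrite`, would pin the behaviour the commit title promises. The same applies to the secret in this hunk (`PASSWORD`) and to the ErrorReportingConfig/OutpostConfig hunk that follows: the composed names (`AUTHENTIK_REDIS__PASSWORD`, `AUTHENTIK_ERROR_REPORTING__SENTRY_DSN`) exist only by concatenation with the parent's `prefix=` tag, so one read-back test per nested struct would catch a dropped `__` that would otherwise leave a secret silently unset.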
@@ -50,15 +50,15 @@ type PathsConfig struct {
 }
 
 type ErrorReportingConfig struct {
-	Enabled bool `yaml:"enabled" env:"AUTHENTIK_ERROR_REPORTING__ENABLED"`
-	SentryDSN string `yaml:"sentry_dsn" env:"AUTHENTIK_ERROR_REPORTING__SENTRY_DSN"`
-	Environment string `yaml:"environment" env:"AUTHENTIK_ERROR_REPORTING__ENVIRONMENT"`
-	SendPII bool `yaml:"send_pii" env:"AUTHENTIK_ERROR_REPORTING__SEND_PII"`
-	SampleRate float64 `yaml:"sample_rate" env:"AUTHENTIK_ERROR_REPORTING__SAMPLE_RATE"`
+	Enabled bool `yaml:"enabled" env:"ENABLED, overwrite"`
+	SentryDSN string `yaml:"sentry_dsn" env:"SENTRY_DSN, overwrite"`
+	Environment string `yaml:"environment" env:"ENVIRONMENT, overwrite"`
+	SendPII bool `yaml:"send_pii" env:"SEND_PII, overwrite"`
+	SampleRate float64 `yaml:"sample_rate" env:"SAMPLE_RATE, overwrite"`
 }
 
 type OutpostConfig struct {
-	ContainerImageBase string `yaml:"container_image_base" env:"AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE"`
-	Discover bool `yaml:"discover" env:"AUTHENTIK_OUTPOSTS__DISCOVER"`
-	DisableEmbeddedOutpost bool `yaml:"disable_embedded_outpost" env:"AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST"`
+	ContainerImageBase string `yaml:"container_image_base" env:"CONTAINER_IMAGE_BASE, overwrite"`
+	Discover bool `yaml:"discover" env:"DISCOVER, overwrite"`
+	DisableEmbeddedOutpost bool `yaml:"disable_embedded_outpost" env:"DISABLE_EMBEDDED_OUTPOST, overwrite"`
 }
diff --git a/website/docs/installation/configuration.mdx b/website/docs/installation/configuration.mdx
index 6201467f1..8bb787d6c 100644
--- a/website/docs/installation/configuration.mdx
+++ b/website/docs/installation/configuration.mdx
@@ -116,7 +116,7 @@ To check if your config has been applied correctly, you can run the following co
 `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION` only applies to the cache expiry, see [`AUTHENTIK_REPUTATION__EXPIRY`](#authentik_reputation__expiry) to control how long reputation is persisted for.
 :::
 
-## Listen Setting
+## Listen Settings
 
 - `AUTHENTIK_LISTEN__HTTP`: Listening address:port (e.g. `0.0.0.0:9000`) for HTTP (Applies to Server and Proxy outpost)
 - `AUTHENTIK_LISTEN__HTTPS`: Listening address:port (e.g. `0.0.0.0:9443`) for HTTPS (Applies to Server and Proxy outpost)
@@ -124,7 +124,7 @@ To check if your config has been applied correctly, you can run the following co
 - `AUTHENTIK_LISTEN__LDAPS`: Listening address:port (e.g. `0.0.0.0:6636`) for LDAPS (Applies to LDAP outpost)
 - `AUTHENTIK_LISTEN__METRICS`: Listening address:port (e.g. `0.0.0.0:9300`) for Prometheus metrics (Applies to All)
 - `AUTHENTIK_LISTEN__DEBUG`: Listening address:port (e.g. `0.0.0.0:9900`) for Go Debugging metrics (Applies to All)
-- `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS`: List of CIDRs that proxy headers should be accepted from (Applies to Server)
+- `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS`: List of comma-separated CIDRs that proxy headers should be accepted from (Applies to Server) Defaults to `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `fe80::/10`, `::1/128`.