Guard against configuration mistakes leading to security issues

We should protect a user against config mistakes, where they forget to set auth-type appropriately, while providing authenticator-specific parameters.
bolcom · May 19, 2024 · d476519 · d476519
1 parent b76ec5e
commit d476519
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/src/main.rs b/src/main.rs
@@ -99,6 +99,28 @@ fn make_auth(
         Some("json") => make_json_auth(m),
         unknown_type => Err(format!("unknown auth type: {}", unknown_type.unwrap())),
     }?;
+
+    if m.value_of(args::AUTH_TYPE) != Some("pam") {
+        if m.is_present(args::AUTH_PAM_SERVICE) {
+                return Err(format!(
+                    "parameter {} set while auth_type is set to {}", args::AUTH_PAM_SERVICE, m.value_of(args::AUTH_TYPE).unwrap()));
+        }
+    }
+
+    if m.value_of(args::AUTH_TYPE) != Some("json") {
+        if m.is_present(args::AUTH_JSON_PATH) {
+                return Err(format!(
+                    "parameter {} set while auth_type is set to {}", args::AUTH_JSON_PATH, m.value_of(args::AUTH_TYPE).unwrap()));
+        }
+    }
+
+    if m.value_of(args::AUTH_TYPE) != Some("rest") {
+        if [args::AUTH_REST_URL, args::AUTH_REST_REGEX, args::AUTH_REST_SELECTOR].iter().any(|&arg| m.is_present(arg)) {
+                return Err(format!(
+                    "REST auth parameter(s) set while auth_type is set to {}", m.value_of(args::AUTH_TYPE).unwrap()));
+        }
+    }
+
     auth.set_usr_detail(match m.value_of(args::USR_JSON_PATH) {
         Some(path) => {
             let json: String = load_user_file(path)