From d476519fc3cd4be98ff5807a5df7e5dfc8d8694c Mon Sep 17 00:00:00 2001
From: Robby klein Gunnewiek
Date: Sun, 19 May 2024 12:31:05 +0200
Subject: [PATCH] Guard against configuration mistakes leading to security issues

We should protect a user against config mistakes, where they forget to set auth-type appropriately, while providing authenticator-specific parameters.
---
 src/main.rs | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/main.rs b/src/main.rs
index 16a17b4..3bc58b4 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -99,6 +99,28 @@ fn make_auth(
 Some("json") => make_json_auth(m),
 unknown_type => Err(format!("unknown auth type: {}", unknown_type.unwrap())),
 }?;
+
+ if m.value_of(args::AUTH_TYPE) != Some("pam") {
+ if m.is_present(args::AUTH_PAM_SERVICE) {
+ return Err(format!(
+ "parameter {} set while auth_type is set to {}", args::AUTH_PAM_SERVICE, m.value_of(args::AUTH_TYPE).unwrap()));
+ }
+ }
+
+ if m.value_of(args::AUTH_TYPE) != Some("json") {
+ if m.is_present(args::AUTH_JSON_PATH) {
+ return Err(format!(
+ "parameter {} set while auth_type is set to {}", args::AUTH_JSON_PATH, m.value_of(args::AUTH_TYPE).unwrap()));
+ }
+ }
+
+ if m.value_of(args::AUTH_TYPE) != Some("rest") {
+ if [args::AUTH_REST_URL, args::AUTH_REST_REGEX, args::AUTH_REST_SELECTOR].iter().any(|&arg| m.is_present(arg)) {
+ return Err(format!(
+ "REST auth parameter(s) set while auth_type is set to {}", m.value_of(args::AUTH_TYPE).unwrap()));
+ }
+ }
+
 auth.set_usr_detail(match m.value_of(args::USR_JSON_PATH) {
 Some(path) => {
 let json: String = load_user_file(path)
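Review bot: Each of the three new error paths formats the auth type with `m.value_of(args::AUTH_TYPE).unwrap()`, which panics instead of returning the `Err` if the value is `None`. The match arms above the hunk are not visible, so it should be confirmed whether an unset auth type can reach these guards, since that is the case the commit message describes. Reading the value once with `let auth_type = m.value_of(args::AUTH_TYPE);` and printing `auth_type.unwrap_or("<unset>")` removes the panic path and the repeated lookups. Separately, if `m` is a clap `ArgMatches`, `is_present` also returns true for an argument that only has a default value, so the guards assume none of the listed parameters is declared with one; a comment stating that next to the checks would stop a later default from rejecting every other auth type. `make_auth` begins and ends outside the hunk.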