| author | James Elliott <james-d-elliott@users.noreply.github.com> | 2021-03-22 20:04:09 +1100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-03-22 20:04:09 +1100 |
| commit | a44f0cf959bfb2c20a3defe7c92f8018799ead86 (patch) | |
| tree | 14486e0df62df1a74ee55f34c0cb71832af5b268 /internal/configuration/validator/const.go | |
| parent | 7ccbaaffe39aa26dd60e7ae99998fd795b2d80cc (diff) | |
fix: redis sentinel secret missing (#1839)
* fix: redis sentinel secret missing
* refactor: use consts for authentication_backend.file.password errs
* fix: unit test for new default port
* test: cover additional misses
* test: fix windows/linux specific test error
* test: more windows specific tests
* test: remove superfluous url.IsAbs
* test: validator 100% coverage
Diffstat (limited to 'internal/configuration/validator/const.go')
| -rw-r--r-- | internal/configuration/validator/const.go | 140 |
1 files changed, 68 insertions, 72 deletions
diff --git a/internal/configuration/validator/const.go b/internal/configuration/validator/const.go
index fbd0af721..c06484c8d 100644
--- a/internal/configuration/validator/const.go
+++ b/internal/configuration/validator/const.go
@@ -1,7 +1,57 @@
 package validator
 
+const (
+ errFmtSessionSecretRedisProvider = "The session secret must be set when using the %s session provider"
+ errFmtSessionRedisPortRange = "The port must be between 1 and 65535 for the %s session provider"
+ errFmtSessionRedisHostRequired = "The host must be provided when using the %s session provider"
+ errFmtSessionRedisHostOrNodesRequired = "Either the host or a node must be provided when using the %s session provider"
+
+ errFileHashing = "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password"
+ errFilePHashing = "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password"
+ errFilePOptions = "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password"
+
+ denyPolicy = "deny"
+ bypassPolicy = "bypass"
+
+ argon2id = "argon2id"
+ sha512 = "sha512"
+
+ schemeLDAP = "ldap"
+ schemeLDAPS = "ldaps"
+
+ testBadTimer = "-1"
+ testInvalidPolicy = "invalid"
+ testJWTSecret = "a_secret"
+ testLDAPBaseDN = "base_dn"
+ testLDAPPassword = "password"
+ testLDAPURL = "ldap://ldap"
+ testLDAPUser = "user"
+ testModeDisabled = "disable"
+ testTLSCert = "/tmp/cert.pem"
+ testTLSKey = "/tmp/key.pem"
+
+ errAccessControlInvalidPolicyWithSubjects = "Policy [bypass] for domain %s with subjects %s is invalid. It is " +
+ "not supported to configure both policy bypass and subjects. For more information see: " +
+ "https://www.authelia.com/docs/configuration/access-control.html#combining-subjects-and-the-bypass-policy"
+)
+
 var validRequestMethods = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"}
 
+// SecretNames contains a map of secret names.
+var SecretNames = map[string]string{
+ "JWTSecret": "jwt_secret",
+ "SessionSecret": "session.secret",
+ "DUOSecretKey": "duo_api.secret_key",
+ "RedisPassword": "session.redis.password",
+ "RedisSentinelPassword": "session.redis.high_availability.sentinel_password",
+ "LDAPPassword": "authentication_backend.ldap.password",
+ "SMTPPassword": "notifier.smtp.password",
+ "MySQLPassword": "storage.mysql.password",
+ "PostgreSQLPassword": "storage.postgres.password",
+}
+
+// validKeys is a list of valid keys that are not secret names. For the sake of consistency please place any secret in
+// the secret names map and reuse it in relevant sections.
 var validKeys = []string{
 // Root Keys.
 "host",
@@ -10,7 +60,6 @@ var validKeys = []string{
 "log_format",
 "log_file_path",
 "default_redirection_url",
- "jwt_secret",
 "theme",
 "tls_key",
 "tls_cert",
@@ -33,7 +82,6 @@ var validKeys = []string{
 
 // Session Keys.
 "session.name",
- "session.secret",
 "session.expiration",
 "session.inactivity",
 "session.remember_me_duration",
@@ -43,7 +91,6 @@ var validKeys = []string{
 "session.redis.host",
 "session.redis.port",
 "session.redis.username",
- "session.redis.password",
 "session.redis.database_index",
 "session.redis.maximum_active_connections",
 "session.redis.minimum_idle_connections",
@@ -51,7 +98,6 @@ var validKeys = []string{
 "session.redis.tls.skip_verify",
 "session.redis.tls.server_name",
 "session.redis.high_availability.sentinel_name",
- "session.redis.high_availability.sentinel_password",
 "session.redis.high_availability.nodes",
 "session.redis.high_availability.route_by_latency",
 "session.redis.high_availability.route_randomly",
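Review bot: The doc comment on the new `SecretNames` map says only that it "contains a map of secret names", which leaves the roles of key and value to the reader; the values are the configuration key paths this commit drops from `validKeys`, while what the keys such as "JWTSecret" are matched against is not visible in this file, so a comment along the lines of `// SecretNames maps an internal secret identifier to the configuration key path that secret populates; keys listed here must not also appear in validKeys.` would record the invariant the validKeys comment asks contributors to keep. The `test*` constants (`testJWTSecret`, `testLDAPPassword`, `testTLSCert`, …) are regrouped in this hunk but remain in a non-test file, so they are compiled into the production binary; a `_test.go` file in the same package would keep them test-only, which is a style point rather than a regression introduced here. `SecretNames` is also an exported, mutable package-level map, so any caller in another package can alter which keys are treated as secrets; if nothing outside the package needs to write to it, a package-private map with an exported read accessor would be safer.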
@@ -69,14 +115,12 @@ var validKeys = []string{
 "storage.mysql.port",
 "storage.mysql.database",
 "storage.mysql.username",
- "storage.mysql.password",
 
 // PostgreSQL Storage Keys.
 "storage.postgres.host",
 "storage.postgres.port",
 "storage.postgres.database",
 "storage.postgres.username",
- "storage.postgres.password",
 "storage.postgres.sslmode",
 
 // FileSystem Notifier Keys.
@@ -85,7 +129,6 @@ var validKeys = []string{
 
 // SMTP Notifier Keys.
 "notifier.smtp.username",
- "notifier.smtp.password",
 "notifier.smtp.host",
 "notifier.smtp.port",
 "notifier.smtp.identifier",
@@ -108,7 +151,6 @@ var validKeys = []string{
 // DUO API Keys.
 "duo_api.hostname",
 "duo_api.integration_key",
- "duo_api.secret_key",
 
 // Authentication Backend Keys.
 "authentication_backend.disable_reset_password",
@@ -127,7 +169,6 @@ var validKeys = []string{
 "authentication_backend.ldap.mail_attribute",
 "authentication_backend.ldap.display_name_attribute",
 "authentication_backend.ldap.user",
- "authentication_backend.ldap.password",
 "authentication_backend.ldap.start_tls",
 "authentication_backend.ldap.tls.minimum_version",
 "authentication_backend.ldap.tls.skip_verify",
@@ -143,73 +184,28 @@ var validKeys = []string{
 "authentication_backend.file.password.salt_length",
 "authentication_backend.file.password.memory",
 "authentication_backend.file.password.parallelism",
-
- // Secret Keys.
- "authelia.jwt_secret",
- "authelia.duo_api.secret_key",
- "authelia.session.secret",
- "authelia.authentication_backend.ldap.password",
- "authelia.notifier.smtp.password",
- "authelia.session.redis.password",
- "authelia.storage.mysql.password",
- "authelia.storage.postgres.password",
- "authelia.jwt_secret.file",
- "authelia.duo_api.secret_key.file",
- "authelia.session.secret.file",
- "authelia.authentication_backend.ldap.password.file",
- "authelia.notifier.smtp.password.file",
- "authelia.session.redis.password.file",
- "authelia.storage.mysql.password.file",
- "authelia.storage.postgres.password.file",
 }
 
 var specificErrorKeys = map[string]string{
 "logs_file_path": "config key replaced: logs_file is now log_file",
 "logs_level": "config key replaced: logs_level is now log_level",
 "google_analytics": "config key removed: google_analytics - this functionality has been deprecated",
- "authentication_backend.file.password_options.algorithm": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
- "authentication_backend.file.password_options.iterations": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
- "authentication_backend.file.password_options.key_length": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
- "authentication_backend.file.password_options.salt_length": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
- "authentication_backend.file.password_options.memory": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
- "authentication_backend.file.password_options.parallelism": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
- "authentication_backend.file.password_hashing.algorithm": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
- "authentication_backend.file.password_hashing.iterations": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
- "authentication_backend.file.password_hashing.key_length": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
- "authentication_backend.file.password_hashing.salt_length": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
- "authentication_backend.file.password_hashing.memory": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
- "authentication_backend.file.password_hashing.parallelism": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
- "authentication_backend.file.hashing.algorithm": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
- "authentication_backend.file.hashing.iterations": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
- "authentication_backend.file.hashing.key_length": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
- "authentication_backend.file.hashing.salt_length": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
- "authentication_backend.file.hashing.memory": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
- "authentication_backend.file.hashing.parallelism": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
+ "authentication_backend.file.password_options.algorithm": errFilePOptions,
+ "authentication_backend.file.password_options.iterations": errFilePOptions,
+ "authentication_backend.file.password_options.key_length": errFilePOptions,
+ "authentication_backend.file.password_options.salt_length": errFilePOptions,
+ "authentication_backend.file.password_options.memory": errFilePOptions,
+ "authentication_backend.file.password_options.parallelism": errFilePOptions,
+ "authentication_backend.file.password_hashing.algorithm": errFilePHashing,
+ "authentication_backend.file.password_hashing.iterations": errFilePHashing,
+ "authentication_backend.file.password_hashing.key_length": errFilePHashing,
+ "authentication_backend.file.password_hashing.salt_length": errFilePHashing,
+ "authentication_backend.file.password_hashing.memory": errFilePHashing,
+ "authentication_backend.file.password_hashing.parallelism": errFilePHashing,
+ "authentication_backend.file.hashing.algorithm": errFileHashing,
+ "authentication_backend.file.hashing.iterations": errFileHashing,
+ "authentication_backend.file.hashing.key_length": errFileHashing,
+ "authentication_backend.file.hashing.salt_length": errFileHashing,
+ "authentication_backend.file.hashing.memory": errFileHashing,
+ "authentication_backend.file.hashing.parallelism": errFileHashing,
 }
-
-const errFmtSessionSecretRedisProvider = "The session secret must be set when using the %s session provider"
-const errFmtSessionRedisPortRange = "The port must be between 1 and 65535 for the %s session provider"
-const errFmtSessionRedisHostRequired = "The host must be provided when using the %s session provider"
-const errFmtSessionRedisHostOrNodesRequired = "Either the host or a node must be provided when using the %s session provider"
-
-const denyPolicy = "deny"
-const bypassPolicy = "bypass"
-
-const argon2id = "argon2id"
-const sha512 = "sha512"
-
-const schemeLDAP = "ldap"
-const schemeLDAPS = "ldaps"
-
-const testBadTimer = "-1"
-const testInvalidPolicy = "invalid"
-const testJWTSecret = "a_secret"
-const testLDAPBaseDN = "base_dn"
-const testLDAPPassword = "password"
-const testLDAPURL = "ldap://ldap"
-const testLDAPUser = "user"
-const testModeDisabled = "disable"
-const testTLSCert = "/tmp/cert.pem"
-const testTLSKey = "/tmp/key.pem"
-
-const errAccessControlInvalidPolicyWithSubjects = "Policy [bypass] for domain %s with subjects %s is invalid. It is not supported to configure both policy bypass and subjects. For more information see: https://www.authelia.com/docs/configuration/access-control.html#combining-subjects-and-the-bypass-policy"
