Diffstat (limited to 'internal/configuration/validator/access_control.go')
-rw-r--r--internal/configuration/validator/access_control.go25
1 files changed, 17 insertions, 8 deletions
diff --git a/internal/configuration/validator/access_control.go b/internal/configuration/validator/access_control.go
index 994d7559c..93f1efa4c 100644
--- a/internal/configuration/validator/access_control.go
+++ b/internal/configuration/validator/access_control.go
@@ -59,7 +59,7 @@ func ValidateAccessControl(config *schema.Configuration, validator *schema.Struc
}
if !IsPolicyValid(config.AccessControl.DefaultPolicy) {
- validator.Push(fmt.Errorf(errFmtAccessControlDefaultPolicyValue, strings.Join(validACLRulePolicies, "', '"), config.AccessControl.DefaultPolicy))
+ validator.Push(fmt.Errorf(errFmtAccessControlDefaultPolicyValue, strJoinOr(validACLRulePolicies), config.AccessControl.DefaultPolicy))
}
if config.AccessControl.Networks != nil {
@@ -92,8 +92,13 @@ func ValidateRules(config *schema.Configuration, validator *schema.StructValidat
validateDomains(rulePosition, rule, validator)
- if !IsPolicyValid(rule.Policy) {
- validator.Push(fmt.Errorf(errFmtAccessControlRuleInvalidPolicy, ruleDescriptor(rulePosition, rule), rule.Policy))
+ switch rule.Policy {
+ case "":
+ validator.Push(fmt.Errorf(errFmtAccessControlRuleNoPolicy, ruleDescriptor(rulePosition, rule)))
+ default:
+ if !IsPolicyValid(rule.Policy) {
+ validator.Push(fmt.Errorf(errFmtAccessControlRuleInvalidPolicy, ruleDescriptor(rulePosition, rule), strJoinOr(validACLRulePolicies), rule.Policy))
+ }
}
validateNetworks(rulePosition, rule, config.AccessControl, validator)
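Review bot: The tagged `switch rule.Policy` with a single `case "":` and a `default` that only wraps an `if` adds a nesting level to what is a two-way choice. A tagless switch reads flatter and keeps the empty-policy check first: `switch {`, `case rule.Policy == "":`, `case !IsPolicyValid(rule.Policy):`, with each case pushing its own error. The enclosing loop body in ValidateRules starts and ends outside this hunk.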
@@ -156,10 +161,14 @@ func validateSubjects(rulePosition int, rule schema.ACLRule, validator *schema.S
}
func validateMethods(rulePosition int, rule schema.ACLRule, validator *schema.StructValidator) {
- for _, method := range rule.Methods {
- if !utils.IsStringInSliceFold(method, validACLHTTPMethodVerbs) {
- validator.Push(fmt.Errorf(errFmtAccessControlRuleMethodInvalid, ruleDescriptor(rulePosition, rule), method, strings.Join(validACLHTTPMethodVerbs, "', '")))
- }
+ invalid, duplicates := validateList(rule.Methods, validACLHTTPMethodVerbs, true)
+
+ if len(invalid) != 0 {
+ validator.Push(fmt.Errorf(errFmtAccessControlRuleInvalidEntries, ruleDescriptor(rulePosition, rule), "methods", strJoinOr(validACLHTTPMethodVerbs), strJoinAnd(invalid)))
+ }
+
+ if len(duplicates) != 0 {
+ validator.Push(fmt.Errorf(errFmtAccessControlRuleInvalidDuplicates, ruleDescriptor(rulePosition, rule), "methods", strJoinAnd(duplicates)))
}
}
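Review bot: The bare `true` passed to `validateList` on the first line of validateMethods does not say what it controls. The removed loop used `utils.IsStringInSliceFold`, so it presumably selects case-insensitive comparison, but validateList is defined outside this hunk and that should be confirmed. A comment such as `// true: compare case-insensitively, as the previous IsStringInSliceFold check did` would document it. It is also worth confirming that request-time rule matching folds case the same way, since a method accepted here as `get` but compared case-sensitively later would leave the rule silently not applying.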
@@ -177,7 +186,7 @@ func validateQuery(i int, rule schema.ACLRule, config *schema.Configuration, val
}
}
} else if !utils.IsStringInSliceFold(config.AccessControl.Rules[i].Query[j][k].Operator, validACLRuleOperators) {
- validator.Push(fmt.Errorf(errFmtAccessControlRuleQueryInvalid, ruleDescriptor(i+1, rule), config.AccessControl.Rules[i].Query[j][k].Operator, strings.Join(validACLRuleOperators, "', '")))
+ validator.Push(fmt.Errorf(errFmtAccessControlRuleQueryInvalid, ruleDescriptor(i+1, rule), strJoinOr(validACLRuleOperators), config.AccessControl.Rules[i].Query[j][k].Operator))
}
if config.AccessControl.Rules[i].Query[j][k].Key == "" {
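Review bot: The last two arguments to `fmt.Errorf` are swapped relative to the removed line, so the valid-operator list now comes before the offending operator; this is only correct if `errFmtAccessControlRuleQueryInvalid` was reordered in the same commit, and that constant is defined outside this file. Both arguments are strings, so a mismatch would still compile and pass the vet printf check while producing a misleading message for whoever is fixing their ACL configuration. A validator test that asserts the rendered text for an invalid operator would pin the order. The same check applies to `errFmtAccessControlRuleInvalidPolicy` in the ValidateRules hunk, which gains an argument. validateQuery starts and ends outside this hunk.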