Guard against configuration mistakes leading to security issues

We should protect a user against config mistakes, where they forget to set auth-type appropriately, while providing authenticator-specific parameters.
bolcom · May 19, 2024 · 62221d3 · 62221d3
1 parent b76ec5e
commit 62221d3
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/src/main.rs b/src/main.rs
@@ -99,6 +99,36 @@ fn make_auth(
         Some("json") => make_json_auth(m),
         unknown_type => Err(format!("unknown auth type: {}", unknown_type.unwrap())),
     }?;
+
+    let auth_type = m.value_of(args::AUTH_TYPE);
+
+    if auth_type != Some("pam") && m.is_present(args::AUTH_PAM_SERVICE) {
+        return Err(format!(
+            "parameter {} set while auth_type is set to {}",
+            args::AUTH_PAM_SERVICE,
+            m.value_of(args::AUTH_TYPE).unwrap()
+        ));
+    } else if auth_type != Some("json") && m.is_present(args::AUTH_JSON_PATH) {
+        return Err(format!(
+            "parameter {} set while auth_type is set to {}",
+            args::AUTH_JSON_PATH,
+            m.value_of(args::AUTH_TYPE).unwrap()
+        ));
+    } else if auth_type != Some("rest")
+        && [
+            args::AUTH_REST_URL,
+            args::AUTH_REST_REGEX,
+            args::AUTH_REST_SELECTOR,
+        ]
+        .iter()
+        .any(|&arg| m.is_present(arg))
+    {
+        return Err(format!(
+            "REST auth parameter(s) set while auth_type is set to {}",
+            m.value_of(args::AUTH_TYPE).unwrap()
+        ));
+    }
+
     auth.set_usr_detail(match m.value_of(args::USR_JSON_PATH) {
         Some(path) => {
             let json: String = load_user_file(path)