
<!-- Please inform yourself about the contribution guidelines on submitting a PR here: https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr. Take note of how PR/commit titles should be written and replace the template texts in the sections below. Don't remove any of the sections. It is important that the commit history clearly shows what is changed and why. Important: By submitting a contribution you agree to the terms from our Licensing Policy as described here: https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions. --> # Which Problems Are Solved A customer reached out that after an upgrade, actions would always fail with the error "host is denied" when calling an external API. This is due to a security fix (https://github.com/zitadel/zitadel/security/advisories/GHSA-6cf5-w9h3-4rqv), where a DNS lookup was added to check whether the host name resolves to a denied IP or subnet. If the lookup fails due to the internal DNS setup, the action fails as well. Additionally, the lookup was also performed when the deny list was empty. # How the Problems Are Solved - Skip the DNS lookup when the deny list is empty - Properly initialize the deny list and prevent empty entries # Additional Changes - Log the reason an address was blocked (domain, IP or subnet) # Additional Context - reported by a customer - needs backport to 2.70.x, 2.71.x and 3.0.0 rc
package start
import (
"time"
"github.com/mitchellh/mapstructure"
"github.com/spf13/viper"
"github.com/zitadel/logging"
"github.com/zitadel/zitadel/cmd/encryption"
"github.com/zitadel/zitadel/cmd/hooks"
"github.com/zitadel/zitadel/internal/actions"
admin_es "github.com/zitadel/zitadel/internal/admin/repository/eventsourcing"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/api/http/middleware"
"github.com/zitadel/zitadel/internal/api/oidc"
"github.com/zitadel/zitadel/internal/api/saml"
scim_config "github.com/zitadel/zitadel/internal/api/scim/config"
"github.com/zitadel/zitadel/internal/api/ui/console"
"github.com/zitadel/zitadel/internal/api/ui/login"
auth_es "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing"
"github.com/zitadel/zitadel/internal/cache/connector"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/config/hook"
"github.com/zitadel/zitadel/internal/config/network"
"github.com/zitadel/zitadel/internal/config/systemdefaults"
"github.com/zitadel/zitadel/internal/database"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
"github.com/zitadel/zitadel/internal/execution"
"github.com/zitadel/zitadel/internal/id"
"github.com/zitadel/zitadel/internal/logstore"
"github.com/zitadel/zitadel/internal/notification/handlers"
"github.com/zitadel/zitadel/internal/query/projection"
static_config "github.com/zitadel/zitadel/internal/static/config"
metrics "github.com/zitadel/zitadel/internal/telemetry/metrics/config"
profiler "github.com/zitadel/zitadel/internal/telemetry/profiler/config"
tracing "github.com/zitadel/zitadel/internal/telemetry/tracing/config"
)
// Config holds the settings of the start command as decoded by MustNewConfig
// from a viper instance. Pointer-typed sections are left nil when they are
// absent from the input (standard mapstructure behaviour, presumably relied
// upon here); MustNewConfig only nil-checks Actions, so the remaining pointer
// sections appear to be required by their consumers — verify at the call sites.
type Config struct {
	// Log is installed as the process logger by MustNewConfig (SetLogger).
	Log *logging.Config

	// Listener and externally visible address. What ExternalSecure toggles is
	// not visible in this file; presumably whether external URLs use https.
	Port           uint16
	ExternalPort   uint16
	ExternalDomain string
	ExternalSecure bool
	TLS            network.TLS

	// Request headers consulted when deriving the instance / public host.
	// The slice fields also accept a comma-separated string through the
	// StringToSliceHookFunc(",") decode hook. Which headers are listed is
	// trust-sensitive (a client-controlled header would let a request choose
	// its host), so presumably only headers set by a trusted proxy belong
	// here — confirm against the middleware that reads them.
	InstanceHostHeaders []string
	PublicHostHeaders   []string
	HTTP2HostHeader     string
	HTTP1HostHeader     string

	WebAuthNName string

	Database database.Config
	Caches   *connector.CachesConfig

	// Initialised by MustNewConfig right after decoding (NewTracer, NewMeter,
	// NewProfiler); any failure is fatal.
	Tracing  tracing.Config
	Metrics  metrics.Config
	Profiler profiler.Config

	Projections   projection.Config
	Notifications handlers.WorkerConfig
	Executions    execution.WorkerConfig

	Auth  auth_es.Config
	Admin admin_es.Config

	UserAgentCookie *middleware.UserAgentCookieConfig

	OIDC    oidc.Config
	SAML    saml.Config
	SCIM    scim_config.Config
	Login   login.Config
	Console console.Config

	AssetStorage static_config.AssetStorageConfig

	// InternalAuthZ.RolePermissionMappings is copied onto
	// DefaultInstance.RolePermissionMappings by MustNewConfig.
	InternalAuthZ authz.Config
	SystemAuthZ   authz.Config

	SystemDefaults systemdefaults.SystemDefaults
	EncryptionKeys *encryption.EncryptionKeyConfig

	// DefaultInstance.RolePermissionMappings is overwritten from InternalAuthZ
	// in MustNewConfig, so supplying it in the input has no effect.
	DefaultInstance command.InstanceSetup

	// AuditLogRetention is decoded from a duration string (e.g. "720h") via
	// StringToTimeDurationHookFunc.
	AuditLogRetention time.Duration

	// SystemAPIUsers is decoded through MapTypeStringDecode[string,
	// *authz.SystemAPIUser]; the map key is presumably the user name — check
	// authz.SystemAPIUser.
	SystemAPIUsers map[string]*authz.SystemAPIUser

	CustomerPortal string

	// Machine is handed to id.Configure by MustNewConfig.
	Machine *id.Config

	// Actions is optional; when non-nil, MustNewConfig installs its HTTP
	// section process-wide via actions.SetHTTPConfig.
	Actions *actions.Config

	Eventstore *eventstore.Config
	LogStore   *logstore.Configs
	Quotas     *QuotasConfig
	Telemetry  *handlers.TelemetryPusherConfig
}
// QuotasConfig groups the quota-related settings referenced from Config.Quotas.
type QuotasConfig struct {
	// Access merges two configuration sections into a single mapstructure
	// level (",squash"), so the keys of both embedded structs are read
	// directly under "Access".
	Access struct {
		logstore.EmitterConfig  `mapstructure:",squash"`
		middleware.AccessConfig `mapstructure:",squash"`
	}
	// Execution is a pointer and therefore stays nil when the section is
	// absent — presumably meaning "no execution quota emitter"; confirm with
	// the consumer.
	Execution *logstore.EmitterConfig
}
// MustNewConfig decodes the start command configuration from v and wires up
// the process-wide subsystems it describes, in this order: logger, tracer,
// meter, profiler, id generator and, if an Actions section is present, the
// global HTTP settings used by actions.
//
// It never returns an error: every failure goes through
// logging.OnError(...).Fatal, which terminates the process, so callers may
// rely on the returned *Config being fully decoded and initialised.
func MustNewConfig(v *viper.Viper) *Config {
	// fatalOn aborts the process with msg when err is non-nil and is a no-op
	// otherwise.
	fatalOn := func(err error, msg string) {
		logging.OnError(err).Fatal(msg)
	}

	cfg := new(Config)
	fatalOn(v.Unmarshal(cfg, viper.DecodeHook(configDecodeHook())), "unable to read config")

	fatalOn(cfg.Log.SetLogger(), "unable to set logger")
	fatalOn(cfg.Tracing.NewTracer(), "unable to set tracer")
	fatalOn(cfg.Metrics.NewMeter(), "unable to set meter")
	fatalOn(cfg.Profiler.NewProfiler(), "unable to set profiler")

	id.Configure(cfg.Machine)

	// The Actions section is optional. When present, its HTTP settings
	// (presumably including the outbound host deny list described in the
	// commit message — verify in internal/actions) are installed globally;
	// when absent, whatever defaults the actions package ships stay in effect.
	if cfg.Actions != nil {
		actions.SetHTTPConfig(&cfg.Actions.HTTP)
	}

	// Until instance-level configuration is possible over the API, the
	// global role permission mappings are mirrored onto the default instance.
	cfg.DefaultInstance.RolePermissionMappings = cfg.InternalAuthZ.RolePermissionMappings

	return cfg
}

// configDecodeHook returns the mapstructure decode hook chain used to read
// the start configuration. The hooks are applied in the order listed.
func configDecodeHook() mapstructure.DecodeHookFunc {
	return mapstructure.ComposeDecodeHookFunc(
		hooks.SliceTypeStringDecode[*domain.CustomMessageText],
		hooks.SliceTypeStringDecode[authz.RoleMapping],
		hooks.MapTypeStringDecode[string, *authz.SystemAPIUser],
		hooks.MapHTTPHeaderStringDecode,
		database.DecodeHook(false),
		actions.HTTPConfigDecodeHook,
		hook.EnumHookFunc(authz.MemberTypeString),
		hooks.MapTypeStringDecode[domain.Feature, any],
		hooks.SliceTypeStringDecode[*command.SetQuota],
		hook.Base64ToBytesHookFunc(),
		hook.TagToLanguageHookFunc(),
		mapstructure.StringToTimeDurationHookFunc(),
		mapstructure.StringToTimeHookFunc(time.RFC3339),
		mapstructure.StringToSliceHookFunc(","),
		mapstructure.TextUnmarshallerHookFunc(),
	)
}