tuwunel_core/config/

check.rs

use std::env::consts::OS;

use either::Either;
use itertools::Itertools;

use super::{DEPRECATED_KEYS, IdentityProvider, IpSource};
use crate::{Config, Err, Result, debug, debug_info, error, warn};

/// Performs check() with additional checks specific to reloading old config
/// with new config.
pub fn reload(old: &Config, new: &Config) -> Result {
	check(new)?;

	if new.server_name != old.server_name {
		return Err!(Config(
			"server_name",
			"You can't change the server's name from {:?}.",
			old.server_name
		));
	}

	if new.ip_source != old.ip_source {
		return Err!(Config(
			"ip_source",
			"ip_source cannot be changed at runtime; restart the server to apply this change."
		));
	}

	Ok(())
}

pub fn check(config: &Config) -> Result {
	#[cfg(debug_assertions)]
	warn!("Note: tuwunel was built without optimisations (i.e. debug build)");

	warn_deprecated(config);
	warn_unknown_key(config)?;

	if config.sentry && config.sentry_endpoint.is_none() {
		return Err!(Config(
			"sentry_endpoint",
			"Sentry cannot be enabled without an endpoint set"
		));
	}

	#[cfg(all(
		feature = "hardened_malloc",
		feature = "jemalloc",
		not(target_env = "msvc")
	))]
	debug_warn!(
		"hardened_malloc and jemalloc compile-time features are both enabled, this causes \
		 jemalloc to be used."
	);

	#[cfg(not(unix))]
	if config.unix_socket_path.is_some() {
		return Err!(Config(
			"unix_socket_path",
			"UNIX socket support is only available on *nix platforms. Please remove \
			 'unix_socket_path' from your config."
		));
	}

	let certs_set = config.tls.certs.is_some();
	let key_set = config.tls.key.is_some();
	if certs_set ^ key_set {
		return Err!(Config("tls", "tls.certs and tls.key must either both be set or unset"));
	}

	if let Some(source) = config.ip_source
		&& !matches!(source, IpSource::ConnectInfo)
	{
		warn!(
			"ip_source is set to {source:?}, a header-based source. Ensure a trusted reverse \
			 proxy populates this header for every request; otherwise clients can spoof their \
			 IP address."
		);
	}

	if !config.listening {
		warn!("Configuration item `listening` is set to `false`. Cannot hear anyone.");
	}

	if config.unix_socket_path.is_none() {
		config.get_bind_addrs().iter().for_each(|addr| {
			use std::path::Path;

			if addr.ip().is_loopback() {
				debug_info!(
					"Found loopback listening address {addr}, running checks if we're in a \
					 container."
				);

				if Path::new("/proc/vz").exists() /* Guest */ && !Path::new("/proc/bz").exists()
				/* Host */
				{
					error!(
						"You are detected using OpenVZ with a loopback/localhost listening \
						 address of {addr}. If you are using OpenVZ for containers and you use \
						 NAT-based networking to communicate with the host and guest, this will \
						 NOT work. Please change this to \"0.0.0.0\". If this is expected, you \
						 can ignore.",
					);
				} else if Path::new("/.dockerenv").exists() {
					error!(
						"You are detected using Docker with a loopback/localhost listening \
						 address of {addr}. If you are using a reverse proxy on the host and \
						 require communication to tuwunel in the Docker container via NAT-based \
						 networking, this will NOT work. Please change this to \"0.0.0.0\". If \
						 this is expected, you can ignore.",
					);
				} else if Path::new("/run/.containerenv").exists() {
					error!(
						"You are detected using Podman with a loopback/localhost listening \
						 address of {addr}. If you are using a reverse proxy on the host and \
						 require communication to tuwunel in the Podman container via NAT-based \
						 networking, this will NOT work. Please change this to \"0.0.0.0\". If \
						 this is expected, you can ignore.",
					);
				}
			}
		});
	}

	// rocksdb does not allow max_log_files to be 0
	if config.rocksdb_max_log_files == 0 {
		return Err!(Config(
			"max_log_files",
			"rocksdb_max_log_files cannot be 0. Please set a value at least 1."
		));
	}

	// yeah, unless the user built a debug build hopefully for local testing only
	#[cfg(not(debug_assertions))]
	if config.server_name == "your.server.name" {
		return Err!(Config(
			"server_name",
			"You must specify a valid server name for production usage of tuwunel."
		));
	}

	if config
		.emergency_password
		.as_ref()
		.is_some_and(|emergency_password| emergency_password == "F670$2CP@Hw8mG7RY1$%!#Ic7YA")
	{
		return Err!(Config(
			"emergency_password",
			"The public example emergency password is being used, this is insecure. Please \
			 change this."
		));
	}

	if config
		.emergency_password
		.as_ref()
		.is_some_and(String::is_empty)
	{
		return Err!(Config(
			"emergency_password",
			"Emergency password was set to an empty string, this is not valid. Unset \
			 emergency_password to disable it or set it to a real password."
		));
	}

	// check if the user specified a registration token as `""`
	if config
		.registration_token
		.as_ref()
		.is_some_and(String::is_empty)
	{
		return Err!(Config(
			"registration_token",
			"Registration token was specified but is empty (\"\")"
		));
	}

	// check if we can read the token file path, and check if the file is empty
	if config
		.registration_token_file
		.as_ref()
		.is_some_and(|path| {
			let Ok(token) = std::fs::read_to_string(path).inspect_err(|e| {
				error!("Failed to read the registration token file: {e}");
			}) else {
				return true;
			};

			token == String::new()
		}) {
		return Err!(Config(
			"registration_token_file",
			"Registration token file was specified but is empty or failed to be read"
		));
	}

	if !config.turn_uris.is_empty()
		&& config.turn_secret.is_none()
		&& config.turn_secret_file.is_none()
		&& config.turn_username.is_empty()
		&& config.turn_password.is_empty()
	{
		warn!(
			"turn_uris is configured but no credential source is set; the endpoint \
			 /_matrix/client/v3/voip/turnServer will return empty username and password. Set \
			 turn_secret, turn_secret_file, or both turn_username and turn_password."
		);
	}

	if config.max_request_size < 10_000_000 {
		return Err!(Config(
			"max_request_size",
			"Max request size is less than 10MB. Please increase it as this is too low for \
			 operable federation."
		));
	}

	// check if user specified valid IP CIDR ranges on startup
	for cidr in &config.ip_range_denylist {
		if let Err(e) = ipaddress::IPAddress::parse(cidr) {
			return Err!(Config(
				"ip_range_denylist",
				"Parsing specified IP CIDR range from string failed: {e}."
			));
		}
	}

	if config.allow_registration
		&& !config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
		&& config.registration_token.is_none()
		&& config.registration_token_file.is_none()
	{
		return Err!(Config(
			"registration_token",
			"!! You have `allow_registration` enabled without a token configured in your config \
			 which means you are allowing ANYONE to register on your tuwunel instance without \
			 any 2nd-step (e.g. registration token). If this is not the intended behaviour, \
			 please set a registration token. For security and safety reasons, tuwunel will \
			 shut down. If you are extra sure this is the desired behaviour you want, please \
			 set the following config option to true:
`yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`"
		));
	}

	if config.allow_registration
		&& config.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
		&& config.registration_token.is_none()
		&& config.registration_token_file.is_none()
	{
		warn!(
			"Open registration is enabled via setting \
			 `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` and \
			 `allow_registration` to true without a registration token configured. You are \
			 expected to be aware of the risks now. If this is not the desired behaviour, \
			 please set a registration token."
		);
	}

	if config.allow_outgoing_presence && !config.allow_local_presence {
		return Err!(Config(
			"allow_local_presence",
			"Outgoing presence requires allowing local presence. Please enable \
			 'allow_local_presence' or disable outgoing presence."
		));
	}

	if config.suppress_push_when_active {
		warn!(
			"Push suppression when active is enabled (EXPERIMENTAL): behavior may change or be \
			 unstable. Disable by removing or setting suppress_push_when_active to false."
		);
	}

	if config
		.url_preview_domain_contains_allowlist
		.contains(&"*".to_owned())
	{
		warn!(
			"All URLs are allowed for URL previews via setting \
			 \"url_preview_domain_contains_allowlist\" to \"*\". This opens up significant \
			 attack surface to your server. You are expected to be aware of the risks by doing \
			 this."
		);
	}
	if config
		.url_preview_domain_explicit_allowlist
		.contains(&"*".to_owned())
	{
		warn!(
			"All URLs are allowed for URL previews via setting \
			 \"url_preview_domain_explicit_allowlist\" to \"*\". This opens up significant \
			 attack surface to your server. You are expected to be aware of the risks by doing \
			 this."
		);
	}
	if config
		.url_preview_url_contains_allowlist
		.contains(&"*".to_owned())
	{
		warn!(
			"All URLs are allowed for URL previews via setting \
			 \"url_preview_url_contains_allowlist\" to \"*\". This opens up significant attack \
			 surface to your server. You are expected to be aware of the risks by doing this."
		);
	}

	if let Some(Either::Right(_)) = config.url_preview_bound_interface.as_ref()
		&& !matches!(OS, "android" | "fuchsia" | "linux")
	{
		return Err!(Config(
			"url_preview_bound_interface",
			"Not a valid IP address. Interface names not supported on {OS}."
		));
	}

	if !config.supported_room_version(&config.default_room_version) {
		return Err!(Config(
			"default_room_version",
			"Room version {:?} is not available",
			config.default_room_version
		));
	}

	for a in config.identity_provider.values() {
		let count = config
			.identity_provider
			.values()
			.filter(|b| a.id().eq(b.id()))
			.count();

		debug_assert_ne!(count, 0, "expected at least one identity_provider");
		if count > 1 {
			return Err!(Config(
				"client_id",
				"Duplicate identity_provider with client_id {}",
				a.client_id
			));
		}
	}

	for (i, provider) in &config.identity_provider {
		if provider.client_secret.is_some() {
			continue;
		}

		let Some(secret_path) = &provider.client_secret_file else {
			return Err!(Config(
				"client_secret",
				"Either client secret or a client secret file must be set on identity provider \
				 №{i}."
			));
		};

		let Ok(secret) = std::fs::read_to_string(secret_path) else {
			return Err!(Config(
				"client_secret_file",
				"Client secret file was specified but failed to be read at identity provider \
				 №{i}"
			));
		};

		if secret.is_empty() {
			return Err!(Config(
				"client_secret_file",
				"Client secret file was specified but is empty on identity provider №{i}"
			));
		}
	}

	if !config.sso_custom_providers_page
		&& config.identity_provider.len() > 1
		&& config
			.identity_provider
			.values()
			.filter(|idp| idp.default)
			.count()
			.eq(&0)
	{
		let default = config
			.identity_provider
			.values()
			.next()
			.map(IdentityProvider::id)
			.expect("Check at least one provider is configured to reach here");

		warn!(
			"More than one identity_provider has been configured without any default selected. \
			 To prevent this warning set `default = true` for one provider. Considering \
			 {default} the default for now..."
		);
	}

	for provider in &config.store_media_on_providers {
		if !config.media_storage_providers.contains(provider) {
			return Err!(Config(
				"store_media_on_providers",
				"Providers must be listed in 'media_storage_providers'"
			));
		}
	}

	if config
		.media_storage_providers
		.iter()
		.filter(|&provider| {
			if config.storage_provider.contains_key(provider) || provider == "media" {
				return false;
			}

			error!("`media_storage_providers` references non-existent provider {provider:?}");
			true
		})
		.count()
		.gt(&0)
	{
		return Err!(Config(
			"media_storage_providers",
			"Contains missing or unconfigured storage providers."
		));
	}

	if config.media_storage_providers.len() > 1 && config.store_media_on_providers.is_empty() {
		warn!(
			"Media will be duplicated to multiple providers {:?} until \
			 `store_media_on_providers` is configured. This warning can be suppressed by \
			 explicitly configuring `store_media_on_providers`",
			config.media_storage_providers
		);
	}

	Ok(())
}

/// Iterates over all the keys in the config file and warns if there is a
/// deprecated key specified
fn warn_deprecated(config: &Config) {
	debug!("Checking for deprecated config keys");
	let found_deprecated_keys = config
		.catchall
		.keys()
		.filter(|key| DEPRECATED_KEYS.iter().any(|s| s == key))
		.inspect(|key| warn!("Config parameter \"{key}\" is deprecated, ignoring."))
		.next()
		.is_some();

	if found_deprecated_keys {
		warn!(
			"Deprecated config keys were found. Read tuwunel config documentation at https://tuwunel.chat/configuration.html and \
			 check your configuration if any new configuration parameters should be adjusted"
		);
	}
}

/// iterates over all the catchall keys (unknown config options) and warns or
/// errors if there are any.
fn warn_unknown_key(config: &Config) -> Result {
	debug!("Checking for unknown config keys");
	let unknown_keys = config
		.catchall
		.keys()
		.filter_map(|key| {
			if key == "config" {
				None
			} else {
				if config.error_on_unknown_config_opts {
					error!("Config parameter \"{key}\" is unknown to tuwunel");
				} else {
					warn!("Config parameter \"{key}\" is unknown to tuwunel, ignoring.");
				}
				Some(key.as_str())
			}
		})
		.collect_vec();

	if !unknown_keys.is_empty() && config.error_on_unknown_config_opts {
		Err!("Unknown config options were found: {unknown_keys:?}")
	} else {
		Ok(())
	}
}