fix(security): Do not allow invalid security configs (#1531)

* fix: Do not allow invalid security configs * test: Fix empty security config test * test: Add missing security config test scenarios
2026-03-24 16:20:07 +00:00 · 2026-03-23 22:35:42 +01:00
parent 593826ec5f
commit a2fc5ab9bb
2 changed files with 76 additions and 6 deletions
--- a/security/config.go
+++ b/security/config.go
@@ -28,7 +28,7 @@ type Config struct {

 // ValidateAndSetDefaults returns whether the security configuration is valid or not and sets default values.
 func (c *Config) ValidateAndSetDefaults() bool {
-	return (c.Basic != nil && c.Basic.isValid()) || (c.OIDC != nil && c.OIDC.ValidateAndSetDefaults())
+	return (c.Basic == nil || c.Basic.isValid()) && (c.OIDC == nil || c.OIDC.ValidateAndSetDefaults())
 }

 // RegisterHandlers registers all handlers required based on the security configuration
--- a/security/config_test.go
+++ b/security/config_test.go
@@ -10,12 +10,82 @@ import (
 )

 func TestConfig_ValidateAndSetDefaults(t *testing.T) {
-	c := &Config{
-		Basic: nil,
-		OIDC:  nil,
+	validBasicConfig := &BasicConfig{
+		Username:                        "test",
+		PasswordBcryptHashBase64Encoded: "somevalue",
 	}
-	if c.ValidateAndSetDefaults() {
-		t.Error("expected empty config to be valid")
+	validOIDCConfig := &OIDCConfig{
+		IssuerURL:    "testurl",
+		RedirectURL:  "testredirecturl/authorization-code/callback",
+		ClientID:     "testid",
+		ClientSecret: "testsecret",
+		Scopes:       []string{"testscope"},
+	}
+
+	type Scenario struct {
+		Name        string
+		Config      *Config
+		ExpectValid bool
+	}
+	scenarios := []Scenario{
+		{
+			Name: "empty",
+			Config: &Config{
+				Basic: nil,
+				OIDC:  nil,
+			},
+			ExpectValid: true,
+		},
+		{
+			Name: "empty-basic",
+			Config: &Config{
+				Basic: &BasicConfig{},
+				OIDC:  nil,
+			},
+			ExpectValid: false,
+		},
+		{
+			Name: "empty-oidc",
+			Config: &Config{
+				Basic: nil,
+				OIDC:  &OIDCConfig{},
+			},
+			ExpectValid: false,
+		},
+		{
+			Name: "valid-basic-only",
+			Config: &Config{
+				Basic: validBasicConfig,
+				OIDC:  nil,
+			},
+			ExpectValid: true,
+		},
+		{
+			Name: "valid-oidc-only",
+			Config: &Config{
+				Basic: nil,
+				OIDC:  validOIDCConfig,
+			},
+			ExpectValid: true,
+		},
+		{
+			Name: "valid-basic-and-oidc",
+			Config: &Config{
+				Basic: validBasicConfig,
+				OIDC:  validOIDCConfig,
+			},
+			ExpectValid: true,
+		},
+	}
+	for _, scenario := range scenarios {
+		t.Run(scenario.Name, func(t *testing.T) {
+			isValid := scenario.Config.ValidateAndSetDefaults()
+			if isValid && !scenario.ExpectValid {
+				t.Errorf("scenario %s: expected config to be invalid", scenario.Name)
+			} else if !isValid && scenario.ExpectValid {
+				t.Errorf("scenario %s: expected config to be valid", scenario.Name)
+			}
+		})
 	}
 }