update config for roles and add validator

2026-04-15 11:32:09 +03:00 · 2025-09-09 10:16:51 -05:00 · 2025-09-09 10:16:51 -05:00 · 320165aa3e
commit 320165aa3e
parent fd6e7afea9
2 changed files with 43 additions and 2 deletions
--- a/frigate/config/auth.py
+++ b/frigate/config/auth.py
@ -1,6 +1,6 @@
-from typing import Optional
+from typing import Dict, List, Optional
-from pydantic import Field
+from pydantic import Field, field_validator
 from .base import FrigateBaseModel
@ -34,3 +34,23 @@ class AuthConfig(FrigateBaseModel):
    )
    # As of Feb 2023, OWASP recommends 600000 iterations for PBKDF2-SHA256
    hash_iterations: int = Field(default=600000, title="Password hash iterations")
    roles: Dict[str, List[str]] = Field(
        default_factory=dict,
        title="Role to camera mappings. Empty list grants access to all cameras.",
    )
    @field_validator("roles")
    @classmethod
    def validate_roles(cls, v: Dict[str, List[str]]) -> Dict[str, List[str]]:
        # Ensure role names are valid (alphanumeric with underscores)
        for role in v.keys():
            if not role.replace("_", "").isalnum():
                raise ValueError(
                    f"Invalid role name '{role}'. Must be alphanumeric with underscores."
                )
        # Default admin and viewer to empty lists if not present
        if "admin" not in v:
            v["admin"] = []
        if "viewer" not in v:
            v["viewer"] = []
        return v
--- a/frigate/config/config.py
+++ b/frigate/config/config.py
@ -730,6 +730,27 @@ class FrigateConfig(FrigateBaseModel):
                raise ValueError("Zones cannot share names with cameras")
        return v
    @field_validator("auth")
    @classmethod
    def validate_auth_roles(cls, v: AuthConfig, info: ValidationInfo) -> AuthConfig:
        # Access cameras from the validated model
        frigate_config = info.data.get("cameras", {})
        camera_names = (
            set(frigate_config.keys()) if isinstance(frigate_config, dict) else set()
        )
        for role, allowed_cameras in v.roles.items():
            invalid_cameras = [
                cam for cam in allowed_cameras if cam not in camera_names
            ]
            if invalid_cameras:
                logger.warning(
                    f"Role '{role}' references non-existent cameras: {invalid_cameras}. "
                    f"These will grant no access until cameras are added."
                )
        return v
    @classmethod
    def load(cls, **kwargs):
        """Loads the Frigate config file, runs migrations, and creates the config object."""