update config for roles and add validator

2026-04-15 19:42:08 +03:00 · 2025-09-09 10:16:51 -05:00 · 2025-09-09 10:16:51 -05:00 · 320165aa3e
commit 320165aa3e
parent fd6e7afea9
2 changed files with 43 additions and 2 deletions
--- a/frigate/config/auth.py
+++ b/frigate/config/auth.py
@ -1,6 +1,6 @@
-from typing import Optional
+from typing import Dict, List, Optional

-from pydantic import Field
+from pydantic import Field, field_validator

 from .base import FrigateBaseModel

@ -34,3 +34,23 @@ class AuthConfig(FrigateBaseModel):
    )
    # As of Feb 2023, OWASP recommends 600000 iterations for PBKDF2-SHA256
    hash_iterations: int = Field(default=600000, title="Password hash iterations")
+    roles: Dict[str, List[str]] = Field(
+        default_factory=dict,
+        title="Role to camera mappings. Empty list grants access to all cameras.",
+    )
+
+    @field_validator("roles")
+    @classmethod
+    def validate_roles(cls, v: Dict[str, List[str]]) -> Dict[str, List[str]]:
+        # Ensure role names are valid (alphanumeric with underscores)
+        for role in v.keys():
+            if not role.replace("_", "").isalnum():
+                raise ValueError(
+                    f"Invalid role name '{role}'. Must be alphanumeric with underscores."
+                )
+        # Default admin and viewer to empty lists if not present
+        if "admin" not in v:
+            v["admin"] = []
+        if "viewer" not in v:
+            v["viewer"] = []
+        return v
--- a/frigate/config/config.py
+++ b/frigate/config/config.py
@ -730,6 +730,27 @@ class FrigateConfig(FrigateBaseModel):
                raise ValueError("Zones cannot share names with cameras")
        return v

+    @field_validator("auth")
+    @classmethod
+    def validate_auth_roles(cls, v: AuthConfig, info: ValidationInfo) -> AuthConfig:
+        # Access cameras from the validated model
+        frigate_config = info.data.get("cameras", {})
+        camera_names = (
+            set(frigate_config.keys()) if isinstance(frigate_config, dict) else set()
+        )
+
+        for role, allowed_cameras in v.roles.items():
+            invalid_cameras = [
+                cam for cam in allowed_cameras if cam not in camera_names
+            ]
+            if invalid_cameras:
+                logger.warning(
+                    f"Role '{role}' references non-existent cameras: {invalid_cameras}. "
+                    f"These will grant no access until cameras are added."
+                )
+
+        return v
+
    @classmethod
    def load(cls, **kwargs):
        """Loads the Frigate config file, runs migrations, and creates the config object."""