RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/middlewares/authelia_context.go

370 lines
10 KiB
Go
Raw Normal View History

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
package middlewares
import (
"encoding/json"
"fmt"
"net"
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
"net/url"
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
"path"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
"strings"
"github.com/asaskevich/govalidator"
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
"github.com/sirupsen/logrus"
"github.com/valyala/fasthttp"
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/configuration/schema"
fix(middlewares): smart delay on reset password (#2767) This adds a smart delay on reset password attempts to prevent username enumeration. Additionally utilizes crypto rand instead of math rand. It also moves the timing delay functionality into its own handler func.
2022-01-20 23:46:13 +00:00
"github.com/authelia/authelia/v4/internal/logging"
fix(web): show appropriate default and available methods (#2999) This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 01:26:30 +00:00
"github.com/authelia/authelia/v4/internal/model"
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/session"
"github.com/authelia/authelia/v4/internal/utils"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
)
Display correct RemoteIP in logs.
2019-12-11 07:52:02 +00:00
// NewRequestLogger create a new request logger for the given request.
func NewRequestLogger(ctx *AutheliaCtx) *logrus.Entry {
fix(middlewares): smart delay on reset password (#2767) This adds a smart delay on reset password attempts to prevent username enumeration. Additionally utilizes crypto rand instead of math rand. It also moves the timing delay functionality into its own handler func.
2022-01-20 23:46:13 +00:00
return logging.Logger().WithFields(logrus.Fields{
Display correct RemoteIP in logs.
2019-12-11 07:52:02 +00:00
"method": string(ctx.Method()),
"path": string(ctx.Path()),
"remote_ip": ctx.RemoteIP().String(),
})
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
// NewAutheliaCtx instantiate an AutheliaCtx out of a RequestCtx.
refactor(middlewares): convert the bridge to a builder (#3338) This adjusts the bridge to be utilized as a builder in order to make it more reusable.
2022-06-10 01:34:43 +00:00
func NewAutheliaCtx(requestCTX *fasthttp.RequestCtx, configuration schema.Configuration, providers Providers) (ctx *AutheliaCtx) {
ctx = new(AutheliaCtx)
ctx.RequestCtx = requestCTX
ctx.Providers = providers
ctx.Configuration = configuration
ctx.Logger = NewRequestLogger(ctx)
ctx.Clock = utils.RealClock{}
return ctx
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
fix(web): show appropriate default and available methods (#2999) This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 01:26:30 +00:00
// AvailableSecondFactorMethods returns the available 2FA methods.
func (ctx *AutheliaCtx) AvailableSecondFactorMethods() (methods []string) {
methods = make([]string, 0, 3)
if !ctx.Configuration.TOTP.Disable {
methods = append(methods, model.SecondFactorMethodTOTP)
}
if !ctx.Configuration.Webauthn.Disable {
methods = append(methods, model.SecondFactorMethodWebauthn)
}
refactor(configuration): remove ptr for duoapi and notifier (#3200) This adds to the ongoing effort to remove all pointers to structs in the configuration without breaking backwards compatibility.
2022-04-15 23:34:26 +00:00
if !ctx.Configuration.DuoAPI.Disable {
fix(web): show appropriate default and available methods (#2999) This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 01:26:30 +00:00
methods = append(methods, model.SecondFactorMethodDuo)
}
return methods
}
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
// Error reply with an error and display the stack trace in the logs.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) Error(err error, message string) {
ctx.SetJSONError(message)
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.Logger.Error(err)
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
}
// SetJSONError sets the body of the response to an JSON error KO message.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) SetJSONError(message string) {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
if replyErr := ctx.ReplyJSON(ErrorResponse{Status: "KO", Message: message}, 0); replyErr != nil {
ctx.Logger.Error(replyErr)
Provide commands to migrate database from v3 to v4.
2019-11-17 01:05:46 +00:00
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// ReplyError reply with an error but does not display any stack trace in the logs.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ReplyError(err error, message string) {
Provide commands to migrate database from v3 to v4.
2019-11-17 01:05:46 +00:00
b, marshalErr := json.Marshal(ErrorResponse{Status: "KO", Message: message})
if marshalErr != nil {
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.Logger.Error(marshalErr)
Provide commands to migrate database from v3 to v4.
2019-11-17 01:05:46 +00:00
}
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.SetContentTypeBytes(contentTypeApplicationJSON)
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.SetBody(b)
ctx.Logger.Debug(err)
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
}
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
// ReplyStatusCode resets a response and replies with the given status code and relevant message.
func (ctx *AutheliaCtx) ReplyStatusCode(statusCode int) {
ctx.Response.Reset()
ctx.SetStatusCode(statusCode)
ctx.SetContentTypeBytes(contentTypeTextPlain)
ctx.SetBodyString(fmt.Sprintf("%d %s", statusCode, fasthttp.StatusMessage(statusCode)))
}
// ReplyJSON writes a JSON response.
func (ctx *AutheliaCtx) ReplyJSON(data interface{}, statusCode int) (err error) {
var (
body []byte
)
if body, err = json.Marshal(data); err != nil {
return fmt.Errorf("unable to marshal JSON body: %w", err)
}
if statusCode > 0 {
ctx.SetStatusCode(statusCode)
}
ctx.SetContentTypeBytes(contentTypeApplicationJSON)
ctx.SetBody(body)
return nil
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// ReplyUnauthorized response sent when user is unauthorized.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ReplyUnauthorized() {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.ReplyStatusCode(fasthttp.StatusUnauthorized)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// ReplyForbidden response sent when access is forbidden to user.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ReplyForbidden() {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.ReplyStatusCode(fasthttp.StatusForbidden)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
// ReplyBadRequest response sent when bad request has been sent.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ReplyBadRequest() {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.ReplyStatusCode(fasthttp.StatusBadRequest)
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
}
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
// XForwardedProto return the content of the X-Forwarded-Proto header.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) XForwardedProto() (proto []byte) {
proto = ctx.RequestCtx.Request.Header.PeekBytes(headerXForwardedProto)
if proto == nil {
if ctx.RequestCtx.IsTLS() {
return protoHTTPS
}
return protoHTTP
}
return proto
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
// XForwardedMethod return the content of the X-Forwarded-Method header.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) XForwardedMethod() (method []byte) {
return ctx.RequestCtx.Request.Header.PeekBytes(headerXForwardedMethod)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}
// XForwardedHost return the content of the X-Forwarded-Host header.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) XForwardedHost() (host []byte) {
host = ctx.RequestCtx.Request.Header.PeekBytes(headerXForwardedHost)
if host == nil {
return ctx.RequestCtx.Host()
}
return host
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
// XForwardedURI return the content of the X-Forwarded-URI header.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) XForwardedURI() (uri []byte) {
uri = ctx.RequestCtx.Request.Header.PeekBytes(headerXForwardedURI)
if len(uri) == 0 {
return ctx.RequestCtx.RequestURI()
}
return uri
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
// BasePath returns the base_url as per the path visited by the client.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) BasePath() (base string) {
if baseURL := ctx.UserValueBytes(UserValueKeyBaseURL); baseURL != nil {
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
return baseURL.(string)
}
return base
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
// ExternalRootURL gets the X-Forwarded-Proto, X-Forwarded-Host headers and the BasePath and forms them into a URL.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ExternalRootURL() (string, error) {
protocol := ctx.XForwardedProto()
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
if protocol == nil {
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
return "", errMissingXForwardedProto
}
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
host := ctx.XForwardedHost()
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
if host == nil {
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
return "", errMissingXForwardedHost
}
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
externalRootURL := fmt.Sprintf("%s://%s", protocol, host)
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
if base := ctx.BasePath(); base != "" {
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 00:31:08 +00:00
externalBaseURL, err := url.Parse(externalRootURL)
if err != nil {
return "", err
}
externalBaseURL.Path = path.Join(externalBaseURL.Path, base)
return externalBaseURL.String(), nil
}
return externalRootURL, nil
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
}
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
// XOriginalURL return the content of the X-Original-URL header.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) XOriginalURL() []byte {
return ctx.RequestCtx.Request.Header.PeekBytes(headerXOriginalURL)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
// GetSession return the user session. Any update will be saved in cache.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) GetSession() session.UserSession {
userSession, err := ctx.Providers.SessionProvider.GetSession(ctx.RequestCtx)
Disable inactivity timeout when user checked remember me. Instead of checking the value of the cookie expiration we rely on the boolean stored in the user session to check whether inactivity timeout should be disabled.
2020-01-17 22:48:48 +00:00
if err != nil {
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.Logger.Error("Unable to retrieve user session")
Disable inactivity timeout when user checked remember me. Instead of checking the value of the cookie expiration we rely on the boolean stored in the user session to check whether inactivity timeout should be disabled.
2020-01-17 22:48:48 +00:00
return session.NewDefaultUserSession()
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Disable inactivity timeout when user checked remember me. Instead of checking the value of the cookie expiration we rely on the boolean stored in the user session to check whether inactivity timeout should be disabled.
2020-01-17 22:48:48 +00:00
return userSession
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
// SaveSession save the content of the session.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) SaveSession(userSession session.UserSession) error {
return ctx.Providers.SessionProvider.SaveSession(ctx.RequestCtx, userSession)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// ReplyOK is a helper method to reply ok.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ReplyOK() {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.SetContentTypeBytes(contentTypeApplicationJSON)
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.SetBody(okMessageBytes)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// ParseBody parse the request body into the type of value.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) ParseBody(value interface{}) error {
err := json.Unmarshal(ctx.PostBody(), &value)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
if err != nil {
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
return fmt.Errorf("unable to parse body: %w", err)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
valid, err := govalidator.ValidateStruct(value)
if err != nil {
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
return fmt.Errorf("unable to validate body: %w", err)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
if !valid {
return fmt.Errorf("Body is not valid")
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return nil
}
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations
2020-05-02 05:06:39 +00:00
// SetJSONBody Set json body.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) SetJSONBody(value interface{}) error {
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
return ctx.ReplyJSON(OKResponse{Status: "OK", Data: value}, 0)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
// RemoteIP return the remote IP taking X-Forwarded-For header into account if provided.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) RemoteIP() net.IP {
XForwardedFor := ctx.Request.Header.PeekBytes(headerXForwardedFor)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
if XForwardedFor != nil {
ips := strings.Split(string(XForwardedFor), ",")
if len(ips) > 0 {
Revert "Read X-Real-Ip as the remote IP provided by the proxy." This reverts commit fccb55f714d0427bc2b3e0d5eb4372b1c32bf246. Avoid exposing Authelia to more attacks by only keeping X-Forwarded-For.
2019-12-11 07:29:32 +00:00
return net.ParseIP(strings.Trim(ips[0], " "))
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
return ctx.RequestCtx.RemoteIP()
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
// GetOriginalURL extract the URL from the request headers (X-Original-URL or X-Forwarded-* headers).
func (ctx *AutheliaCtx) GetOriginalURL() (*url.URL, error) {
originalURL := ctx.XOriginalURL()
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
if originalURL != nil {
parsedURL, err := url.ParseRequestURI(string(originalURL))
if err != nil {
return nil, fmt.Errorf("Unable to parse URL extracted from X-Original-URL header: %v", err)
}
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.Logger.Trace("Using X-Original-URL header content as targeted site URL")
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
return parsedURL, nil
}
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
forwardedProto, forwardedHost, forwardedURI := ctx.XForwardedProto(), ctx.XForwardedHost(), ctx.XForwardedURI()
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
if forwardedProto == nil {
return nil, errMissingXForwardedProto
}
if forwardedHost == nil {
return nil, errMissingXForwardedHost
}
var requestURI string
fix(authorization): object path not normalized (#3661) This fixes an issue where the object path is not normalized.
2022-07-05 01:32:10 +00:00
forwardedProto = append(forwardedProto, protoHostSeparator...)
requestURI = string(append(forwardedProto,
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
append(forwardedHost, forwardedURI...)...))
parsedURL, err := url.ParseRequestURI(requestURI)
if err != nil {
return nil, fmt.Errorf("Unable to parse URL %s: %v", requestURI, err)
}
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.Logger.Tracef("Using X-Fowarded-Proto, X-Forwarded-Host and X-Forwarded-URI headers " +
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
"to construct targeted site URL")
return parsedURL, nil
}
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
// IsXHR returns true if the request is a XMLHttpRequest.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx AutheliaCtx) IsXHR() (xhr bool) {
requestedWith := ctx.Request.Header.PeekBytes(headerXRequestedWith)
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
return requestedWith != nil && strings.EqualFold(string(requestedWith), headerValueXRequestedWithXHR)
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
}
// AcceptsMIME takes a mime type and returns true if the request accepts that type or the wildcard type.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx AutheliaCtx) AcceptsMIME(mime string) (acceptsMime bool) {
accepts := strings.Split(string(ctx.Request.Header.PeekBytes(headerAccept)), ",")
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
for i, accept := range accepts {
mimeType := strings.Trim(strings.SplitN(accept, ";", 2)[0], " ")
if mimeType == mime || (i == 0 && mimeType == "*/*") {
return true
}
}
return false
}
// SpecialRedirect performs a redirect similar to fasthttp.RequestCtx except it allows statusCode 401 and includes body
// content in the form of a link to the location.
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
func (ctx *AutheliaCtx) SpecialRedirect(uri string, statusCode int) {
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
if statusCode < fasthttp.StatusMovedPermanently || (statusCode > fasthttp.StatusSeeOther && statusCode != fasthttp.StatusTemporaryRedirect && statusCode != fasthttp.StatusPermanentRedirect && statusCode != fasthttp.StatusUnauthorized) {
statusCode = fasthttp.StatusFound
}
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.SetContentTypeBytes(contentTypeTextHTML)
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.SetStatusCode(statusCode)
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
u := fasthttp.AcquireURI()
fix(server): use of inconsistent methods for determining origin (#2848) This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler. Fixes #2765
2022-02-06 13:37:28 +00:00
ctx.URI().CopyTo(u)
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
u.Update(uri)
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.Response.Header.SetBytesKV(headerLocation, u.FullURI())
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
refactor(middlewares): factorize responses (#3628)
2022-07-08 12:18:52 +00:00
ctx.SetBodyString(fmt.Sprintf("<a href=\"%s\">%d %s</a>", utils.StringHTMLEscape(string(u.FullURI())), statusCode, fasthttp.StatusMessage(statusCode)))
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 03:52:37 +00:00
fasthttp.ReleaseURI(u)
}
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus.
2022-06-14 07:20:13 +00:00
// RecordAuthentication records authentication metrics.
func (ctx *AutheliaCtx) RecordAuthentication(success, regulated bool, method string) {
if ctx.Providers.Metrics == nil {
return
}
ctx.Providers.Metrics.RecordAuthentication(success, regulated, method)
}