authelia/internal/handlers/const.go

package handlers

// TOTPRegistrationAction is the string representation of the action for which the token has been produced.
const TOTPRegistrationAction = "RegisterTOTPDevice"

// U2FRegistrationAction is the string representation of the action for which the token has been produced.
const U2FRegistrationAction = "RegisterU2FDevice"

// ResetPasswordAction is the string representation of the action for which the token has been produced.
const ResetPasswordAction = "ResetPassword"

const authPrefix = "Basic "

// ProxyAuthorizationHeader is the basic-auth HTTP header Authelia utilises.
const ProxyAuthorizationHeader = "Proxy-Authorization"

// AuthorizationHeader is the basic-auth HTTP header Authelia utilises with "auth=basic" query param.
const AuthorizationHeader = "Authorization"

// SessionUsernameHeader is used as additional protection to validate a user for things like pam_exec.
const SessionUsernameHeader = "Session-Username"

const remoteUserHeader = "Remote-User"
const remoteNameHeader = "Remote-Name"
const remoteEmailHeader = "Remote-Email"
const remoteGroupsHeader = "Remote-Groups"

var protoHostSeparator = []byte("://")

const (
	// Forbidden means the user is forbidden the access to a resource.
	Forbidden authorizationMatching = iota
	// NotAuthorized means the user can access the resource with more permissions.
	NotAuthorized authorizationMatching = iota
	// Authorized means the user is authorized given her current permissions.
	Authorized authorizationMatching = iota
)

const operationFailedMessage = "Operation failed."
const authenticationFailedMessage = "Authentication failed. Check your credentials."
const userBannedMessage = "Please retry in a few minutes."
const unableToRegisterOneTimePasswordMessage = "Unable to set up one-time passwords." //nolint:gosec
const unableToRegisterSecurityKeyMessage = "Unable to register your security key."
const unableToResetPasswordMessage = "Unable to reset your password."
const mfaValidationFailedMessage = "Authentication failed, please retry later."

const ldapPasswordComplexityCode = "0000052D."

var ldapPasswordComplexityCodes = []string{"0000052D"}
var ldapPasswordComplexityErrors = []string{"LDAP Result Code 19 \"Constraint Violation\": Password fails quality checking policy"}

const testInactivity = "10"
const testRedirectionURL = "http://redirection.local"
const testResultAllow = "allow"
const testUsername = "john"

const movingAverageWindow = 10
const msMinimumDelay1FA = float64(250)
const msMaximumRandomDelay = int64(85)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package handlers`

			`// TOTPRegistrationAction is the string representation of the action for which the token has been produced.`
			`const TOTPRegistrationAction = "RegisterTOTPDevice"`

			`// U2FRegistrationAction is the string representation of the action for which the token has been produced.`
			`const U2FRegistrationAction = "RegisterU2FDevice"`

			`// ResetPasswordAction is the string representation of the action for which the token has been produced.`
			`const ResetPasswordAction = "ResetPassword"`

			`const authPrefix = "Basic "`

feat(handlers): authorization header switch via query param to /api/verify (#1563) * [FEATURE] Add auth query param to /api/verify (#1353) When `/api/verify` is called with `?auth=basic`, use the standard Authorization header instead of Proxy-Authorization. * [FIX] Better basic auth error reporting * [FIX] Return 401 when using basic auth instead of redirecting * [TESTS] Add tests for auth=basic query param * [DOCS] Mention auth=basic argument and provide nginx example * docs: add/adjust basic auth query arg docs for proxies Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2021-02-23 23:35:04 +00:00			`// ProxyAuthorizationHeader is the basic-auth HTTP header Authelia utilises.`
			`const ProxyAuthorizationHeader = "Proxy-Authorization"`

			`// AuthorizationHeader is the basic-auth HTTP header Authelia utilises with "auth=basic" query param.`
			`const AuthorizationHeader = "Authorization"`
[FEATURE] Add Optional Check for Session Username on VerifyGet (#1427) * Adding the Session-Username header to the /api/verify endpoint when using cookie auth will check the value stored in the session store for the username and the header value are the same. * use strings.EqualFold to compare case insensitively * add docs * add unit tests * invalidate session if it is theoretically hijacked and log it as a warning (can only be determined if the header doesn't match the cookie) * add example PAM script * go mod tidy * go mod bump to 1.15 2020-12-01 23:03:44 +00:00
			`// SessionUsernameHeader is used as additional protection to validate a user for things like pam_exec.`
			`const SessionUsernameHeader = "Session-Username"`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`const remoteUserHeader = "Remote-User"`
[FEATURE] Add Remote-Name and Remote-Email headers (#1402) 2020-10-26 11:38:08 +00:00			`const remoteNameHeader = "Remote-Name"`
			`const remoteEmailHeader = "Remote-Email"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`const remoteGroupsHeader = "Remote-Groups"`

			`var protoHostSeparator = []byte("://")`

			`const (`
[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// Forbidden means the user is forbidden the access to a resource.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`Forbidden authorizationMatching = iota`
			`// NotAuthorized means the user can access the resource with more permissions.`
			`NotAuthorized authorizationMatching = iota`
			`// Authorized means the user is authorized given her current permissions.`
			`Authorized authorizationMatching = iota`
			`)`

			`const operationFailedMessage = "Operation failed."`
			`const authenticationFailedMessage = "Authentication failed. Check your credentials."`
			`const userBannedMessage = "Please retry in a few minutes."`
[BUGFIX] Password hashing schema map mismatch with docs (#852) * add a nolint for gosec 'possibly hardcoded password' that was incorrect * make all parameters consistent * update the docs for the correct key name 'password' instead of 'password_options' or 'password_hashing' * reword some of the docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> 2020-04-11 03:54:18 +00:00			`const unableToRegisterOneTimePasswordMessage = "Unable to set up one-time passwords." //nolint:gosec`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`const unableToRegisterSecurityKeyMessage = "Unable to register your security key."`
			`const unableToResetPasswordMessage = "Unable to reset your password."`
			`const mfaValidationFailedMessage = "Authentication failed, please retry later."`
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-02 16:20:40 +00:00
[MISC] Catch OpenLDAP ppolicy error (#1508) * [MISC] Catch OpenLDAP ppolicy error Further to the discussion over at #361, this change now ensures that OpenLDAP password complexity errors are caught and appropriately handled. This change also includes the PasswordComplexity test suite in the LDAP integration suite. This is because a ppolicy has been setup and enforced. * Remove password history for integration tests * Adjust max failures due to regulation trigger * Fix error handling for password resets * Refactor and include code suggestions 2020-12-16 01:30:03 +00:00			`const ldapPasswordComplexityCode = "0000052D."`

			`var ldapPasswordComplexityCodes = []string{"0000052D"}`
			`var ldapPasswordComplexityErrors = []string{"LDAP Result Code 19 \"Constraint Violation\": Password fails quality checking policy"}`
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460) * Added `ActiveDirectory` suite for integration tests with Samba AD * Updated documentation * Minor styling refactor to suites * Clean up LDAP user provisioning * Fix Authelia home splash to reference correct link for webmail * Add notification message for password complexity errors * Add password complexity integration test * Rename implementation default from rfc to custom * add specific defaults for LDAP (activedirectory implementation) * add docs to show the new defaults * add docs explaining the importance of users filter * add tests * update instances of LDAP implementation names to use the new consts where applicable * made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead * update config examples due to the new defaults * apply changes from code review * replace schema default name from MSAD to ActiveDirectory for consistency * fix missing default for username_attribute * replace test raising on empty username attribute with not raising on empty Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2020-11-27 09:59:22 +00:00
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-02 16:20:40 +00:00			`const testInactivity = "10"`
			`const testRedirectionURL = "http://redirection.local"`
			`const testResultAllow = "allow"`
			`const testUsername = "john"`
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-20 22:03:15 +00:00
			`const movingAverageWindow = 10`
			`const msMinimumDelay1FA = float64(250)`
			`const msMaximumRandomDelay = int64(85)`