RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/storage/sql_provider.go

1023 lines
45 KiB
Go
Raw Normal View History

Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
package storage
import (
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
"context"
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
"crypto/sha256"
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
"database/sql"
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
"errors"
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
"fmt"
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
"strings"
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
"time"
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
"github.com/google/uuid"
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
"github.com/jmoiron/sqlx"
[MISC] Storage Schema Versioning Model (#1057) * [MISC] Storage Schema Versioning Model * fixup go.sum * remove pq * fix int to text issue * fix incorrect SQL text * use key_name vs key * use transactions for all queries during upgrades * fix missing parenthesis * move upgrades to their own file * add provider name for future usage in upgrades * fix missing create config table values * fix using the const instead of the provider SQL * import logging once and reuse * update docs * remove db at suite teardown * apply suggestions from code review * fix mysql * make errors more uniform * style changes * remove commented code sections * remove commented code sections * add schema version type * add sql mock unit tests * go mod tidy * test blank row situations
2020-07-16 05:56:08 +00:00
"github.com/sirupsen/logrus"
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226.
2021-12-01 12:11:29 +00:00
"github.com/authelia/authelia/v4/internal/configuration/schema"
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/logging"
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
"github.com/authelia/authelia/v4/internal/model"
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
)
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// NewSQLProvider generates a generic SQLProvider to be used with other SQL provider NewUp's.
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226.
2021-12-01 12:11:29 +00:00
func NewSQLProvider(config *schema.Configuration, name, driverName, dataSourceName string) (provider SQLProvider) {
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
db, err := sqlx.Open(driverName, dataSourceName)
[FEATURE] Support MySQL as a storage backend. (#678) * [FEATURE] Support MySQL as a storage backend. Fixes #512. * Fix integration tests and include MySQL in docs.
2020-03-04 23:25:52 +00:00
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
provider = SQLProvider{
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
db: db,
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226.
2021-12-01 12:11:29 +00:00
key: sha256.Sum256([]byte(config.Storage.EncryptionKey)),
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
name: name,
driverName: driverName,
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226.
2021-12-01 12:11:29 +00:00
config: config,
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
errOpen: err,
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
log: logging.Logger(),
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
sqlInsertAuthenticationAttempt: fmt.Sprintf(queryFmtInsertAuthenticationLogEntry, tableAuthenticationLogs),
sqlSelectAuthenticationAttemptsByUsername: fmt.Sprintf(queryFmtSelect1FAAuthenticationLogEntryByUsername, tableAuthenticationLogs),
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
fix(storage): don't check exp against time using sql (#2676) This is already checked by JWT validation. There is no need and it's leading to timezone issues. Fixes #2672
2021-12-04 04:34:20 +00:00
sqlInsertIdentityVerification: fmt.Sprintf(queryFmtInsertIdentityVerification, tableIdentityVerification),
sqlConsumeIdentityVerification: fmt.Sprintf(queryFmtConsumeIdentityVerification, tableIdentityVerification),
sqlSelectIdentityVerification: fmt.Sprintf(queryFmtSelectIdentityVerification, tableIdentityVerification),
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
sqlUpsertTOTPConfig: fmt.Sprintf(queryFmtUpsertTOTPConfiguration, tableTOTPConfigurations),
sqlDeleteTOTPConfig: fmt.Sprintf(queryFmtDeleteTOTPConfiguration, tableTOTPConfigurations),
sqlSelectTOTPConfig: fmt.Sprintf(queryFmtSelectTOTPConfiguration, tableTOTPConfigurations),
sqlSelectTOTPConfigs: fmt.Sprintf(queryFmtSelectTOTPConfigurations, tableTOTPConfigurations),
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
sqlUpdateTOTPConfigSecret: fmt.Sprintf(queryFmtUpdateTOTPConfigurationSecret, tableTOTPConfigurations),
sqlUpdateTOTPConfigSecretByUsername: fmt.Sprintf(queryFmtUpdateTOTPConfigurationSecretByUsername, tableTOTPConfigurations),
sqlUpdateTOTPConfigRecordSignIn: fmt.Sprintf(queryFmtUpdateTOTPConfigRecordSignIn, tableTOTPConfigurations),
sqlUpdateTOTPConfigRecordSignInByUsername: fmt.Sprintf(queryFmtUpdateTOTPConfigRecordSignInByUsername, tableTOTPConfigurations),
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
sqlUpsertWebauthnDevice: fmt.Sprintf(queryFmtUpsertWebauthnDevice, tableWebauthnDevices),
sqlSelectWebauthnDevices: fmt.Sprintf(queryFmtSelectWebauthnDevices, tableWebauthnDevices),
sqlSelectWebauthnDevicesByUsername: fmt.Sprintf(queryFmtSelectWebauthnDevicesByUsername, tableWebauthnDevices),
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
sqlUpdateWebauthnDevicePublicKey: fmt.Sprintf(queryFmtUpdateWebauthnDevicePublicKey, tableWebauthnDevices),
sqlUpdateWebauthnDevicePublicKeyByUsername: fmt.Sprintf(queryFmtUpdateUpdateWebauthnDevicePublicKeyByUsername, tableWebauthnDevices),
sqlUpdateWebauthnDeviceRecordSignIn: fmt.Sprintf(queryFmtUpdateWebauthnDeviceRecordSignIn, tableWebauthnDevices),
sqlUpdateWebauthnDeviceRecordSignInByUsername: fmt.Sprintf(queryFmtUpdateWebauthnDeviceRecordSignInByUsername, tableWebauthnDevices),
[MISC] Storage Schema Versioning Model (#1057) * [MISC] Storage Schema Versioning Model * fixup go.sum * remove pq * fix int to text issue * fix incorrect SQL text * use key_name vs key * use transactions for all queries during upgrades * fix missing parenthesis * move upgrades to their own file * add provider name for future usage in upgrades * fix missing create config table values * fix using the const instead of the provider SQL * import logging once and reuse * update docs * remove db at suite teardown * apply suggestions from code review * fix mysql * make errors more uniform * style changes * remove commented code sections * remove commented code sections * add schema version type * add sql mock unit tests * go mod tidy * test blank row situations
2020-07-16 05:56:08 +00:00
feat(commands): add webauthn device commands (#3671)
2022-10-19 07:17:55 +00:00
sqlDeleteWebauthnDevice: fmt.Sprintf(queryFmtDeleteWebauthnDevice, tableWebauthnDevices),
sqlDeleteWebauthnDeviceByUsername: fmt.Sprintf(queryFmtDeleteWebauthnDeviceByUsername, tableWebauthnDevices),
sqlDeleteWebauthnDeviceByUsernameAndDescription: fmt.Sprintf(queryFmtDeleteWebauthnDeviceByUsernameAndDescription, tableWebauthnDevices),
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
sqlUpsertDuoDevice: fmt.Sprintf(queryFmtUpsertDuoDevice, tableDuoDevices),
sqlDeleteDuoDevice: fmt.Sprintf(queryFmtDeleteDuoDevice, tableDuoDevices),
sqlSelectDuoDevice: fmt.Sprintf(queryFmtSelectDuoDevice, tableDuoDevices),
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
sqlUpsertPreferred2FAMethod: fmt.Sprintf(queryFmtUpsertPreferred2FAMethod, tableUserPreferences),
sqlSelectPreferred2FAMethod: fmt.Sprintf(queryFmtSelectPreferred2FAMethod, tableUserPreferences),
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
sqlSelectUserInfo: fmt.Sprintf(queryFmtSelectUserInfo, tableTOTPConfigurations, tableWebauthnDevices, tableDuoDevices, tableUserPreferences),
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
sqlInsertUserOpaqueIdentifier: fmt.Sprintf(queryFmtInsertUserOpaqueIdentifier, tableUserOpaqueIdentifier),
sqlSelectUserOpaqueIdentifier: fmt.Sprintf(queryFmtSelectUserOpaqueIdentifier, tableUserOpaqueIdentifier),
feat(commands): user opaque identifiers commands (#3144) Add commands for handling user opaque identifiers.
2022-04-09 07:13:19 +00:00
sqlSelectUserOpaqueIdentifiers: fmt.Sprintf(queryFmtSelectUserOpaqueIdentifiers, tableUserOpaqueIdentifier),
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
sqlSelectUserOpaqueIdentifierBySignature: fmt.Sprintf(queryFmtSelectUserOpaqueIdentifierBySignature, tableUserOpaqueIdentifier),
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
sqlInsertOAuth2ConsentPreConfiguration: fmt.Sprintf(queryFmtInsertOAuth2ConsentPreConfiguration, tableOAuth2ConsentPreConfiguration),
sqlSelectOAuth2ConsentPreConfigurations: fmt.Sprintf(queryFmtSelectOAuth2ConsentPreConfigurations, tableOAuth2ConsentPreConfiguration),
sqlInsertOAuth2ConsentSession: fmt.Sprintf(queryFmtInsertOAuth2ConsentSession, tableOAuth2ConsentSession),
sqlUpdateOAuth2ConsentSessionSubject: fmt.Sprintf(queryFmtUpdateOAuth2ConsentSessionSubject, tableOAuth2ConsentSession),
sqlUpdateOAuth2ConsentSessionResponse: fmt.Sprintf(queryFmtUpdateOAuth2ConsentSessionResponse, tableOAuth2ConsentSession),
sqlUpdateOAuth2ConsentSessionGranted: fmt.Sprintf(queryFmtUpdateOAuth2ConsentSessionGranted, tableOAuth2ConsentSession),
sqlSelectOAuth2ConsentSessionByChallengeID: fmt.Sprintf(queryFmtSelectOAuth2ConsentSessionByChallengeID, tableOAuth2ConsentSession),
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
sqlInsertOAuth2AuthorizeCodeSession: fmt.Sprintf(queryFmtInsertOAuth2Session, tableOAuth2AuthorizeCodeSession),
sqlSelectOAuth2AuthorizeCodeSession: fmt.Sprintf(queryFmtSelectOAuth2Session, tableOAuth2AuthorizeCodeSession),
sqlRevokeOAuth2AuthorizeCodeSession: fmt.Sprintf(queryFmtRevokeOAuth2Session, tableOAuth2AuthorizeCodeSession),
sqlRevokeOAuth2AuthorizeCodeSessionByRequestID: fmt.Sprintf(queryFmtRevokeOAuth2SessionByRequestID, tableOAuth2AuthorizeCodeSession),
sqlDeactivateOAuth2AuthorizeCodeSession: fmt.Sprintf(queryFmtDeactivateOAuth2Session, tableOAuth2AuthorizeCodeSession),
sqlDeactivateOAuth2AuthorizeCodeSessionByRequestID: fmt.Sprintf(queryFmtDeactivateOAuth2SessionByRequestID, tableOAuth2AuthorizeCodeSession),
sqlInsertOAuth2AccessTokenSession: fmt.Sprintf(queryFmtInsertOAuth2Session, tableOAuth2AccessTokenSession),
sqlSelectOAuth2AccessTokenSession: fmt.Sprintf(queryFmtSelectOAuth2Session, tableOAuth2AccessTokenSession),
sqlRevokeOAuth2AccessTokenSession: fmt.Sprintf(queryFmtRevokeOAuth2Session, tableOAuth2AccessTokenSession),
sqlRevokeOAuth2AccessTokenSessionByRequestID: fmt.Sprintf(queryFmtRevokeOAuth2SessionByRequestID, tableOAuth2AccessTokenSession),
sqlDeactivateOAuth2AccessTokenSession: fmt.Sprintf(queryFmtDeactivateOAuth2Session, tableOAuth2AccessTokenSession),
sqlDeactivateOAuth2AccessTokenSessionByRequestID: fmt.Sprintf(queryFmtDeactivateOAuth2SessionByRequestID, tableOAuth2AccessTokenSession),
sqlInsertOAuth2RefreshTokenSession: fmt.Sprintf(queryFmtInsertOAuth2Session, tableOAuth2RefreshTokenSession),
sqlSelectOAuth2RefreshTokenSession: fmt.Sprintf(queryFmtSelectOAuth2Session, tableOAuth2RefreshTokenSession),
sqlRevokeOAuth2RefreshTokenSession: fmt.Sprintf(queryFmtRevokeOAuth2Session, tableOAuth2RefreshTokenSession),
sqlRevokeOAuth2RefreshTokenSessionByRequestID: fmt.Sprintf(queryFmtRevokeOAuth2SessionByRequestID, tableOAuth2RefreshTokenSession),
sqlDeactivateOAuth2RefreshTokenSession: fmt.Sprintf(queryFmtDeactivateOAuth2Session, tableOAuth2RefreshTokenSession),
sqlDeactivateOAuth2RefreshTokenSessionByRequestID: fmt.Sprintf(queryFmtDeactivateOAuth2SessionByRequestID, tableOAuth2RefreshTokenSession),
sqlInsertOAuth2PKCERequestSession: fmt.Sprintf(queryFmtInsertOAuth2Session, tableOAuth2PKCERequestSession),
sqlSelectOAuth2PKCERequestSession: fmt.Sprintf(queryFmtSelectOAuth2Session, tableOAuth2PKCERequestSession),
sqlRevokeOAuth2PKCERequestSession: fmt.Sprintf(queryFmtRevokeOAuth2Session, tableOAuth2PKCERequestSession),
sqlRevokeOAuth2PKCERequestSessionByRequestID: fmt.Sprintf(queryFmtRevokeOAuth2SessionByRequestID, tableOAuth2PKCERequestSession),
sqlDeactivateOAuth2PKCERequestSession: fmt.Sprintf(queryFmtDeactivateOAuth2Session, tableOAuth2PKCERequestSession),
sqlDeactivateOAuth2PKCERequestSessionByRequestID: fmt.Sprintf(queryFmtDeactivateOAuth2SessionByRequestID, tableOAuth2PKCERequestSession),
sqlInsertOAuth2OpenIDConnectSession: fmt.Sprintf(queryFmtInsertOAuth2Session, tableOAuth2OpenIDConnectSession),
sqlSelectOAuth2OpenIDConnectSession: fmt.Sprintf(queryFmtSelectOAuth2Session, tableOAuth2OpenIDConnectSession),
sqlRevokeOAuth2OpenIDConnectSession: fmt.Sprintf(queryFmtRevokeOAuth2Session, tableOAuth2OpenIDConnectSession),
sqlRevokeOAuth2OpenIDConnectSessionByRequestID: fmt.Sprintf(queryFmtRevokeOAuth2SessionByRequestID, tableOAuth2OpenIDConnectSession),
sqlDeactivateOAuth2OpenIDConnectSession: fmt.Sprintf(queryFmtDeactivateOAuth2Session, tableOAuth2OpenIDConnectSession),
sqlDeactivateOAuth2OpenIDConnectSessionByRequestID: fmt.Sprintf(queryFmtDeactivateOAuth2SessionByRequestID, tableOAuth2OpenIDConnectSession),
sqlUpsertOAuth2BlacklistedJTI: fmt.Sprintf(queryFmtUpsertOAuth2BlacklistedJTI, tableOAuth2BlacklistedJTI),
sqlSelectOAuth2BlacklistedJTI: fmt.Sprintf(queryFmtSelectOAuth2BlacklistedJTI, tableOAuth2BlacklistedJTI),
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
sqlInsertMigration: fmt.Sprintf(queryFmtInsertMigration, tableMigrations),
sqlSelectMigrations: fmt.Sprintf(queryFmtSelectMigrations, tableMigrations),
sqlSelectLatestMigration: fmt.Sprintf(queryFmtSelectLatestMigration, tableMigrations),
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
sqlUpsertEncryptionValue: fmt.Sprintf(queryFmtUpsertEncryptionValue, tableEncryption),
sqlSelectEncryptionValue: fmt.Sprintf(queryFmtSelectEncryptionValue, tableEncryption),
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
sqlFmtRenameTable: queryFmtRenameTable,
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
return provider
}
[MISC] Storage Schema Versioning Model (#1057) * [MISC] Storage Schema Versioning Model * fixup go.sum * remove pq * fix int to text issue * fix incorrect SQL text * use key_name vs key * use transactions for all queries during upgrades * fix missing parenthesis * move upgrades to their own file * add provider name for future usage in upgrades * fix missing create config table values * fix using the const instead of the provider SQL * import logging once and reuse * update docs * remove db at suite teardown * apply suggestions from code review * fix mysql * make errors more uniform * style changes * remove commented code sections * remove commented code sections * add schema version type * add sql mock unit tests * go mod tidy * test blank row situations
2020-07-16 05:56:08 +00:00
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// SQLProvider is a storage provider persisting data in a SQL database.
type SQLProvider struct {
db *sqlx.DB
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
key [32]byte
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
name string
driverName string
fix(storage): postgres schema hardcoded for tables query (#2667) This removes the hardcoded schema value from the PostgreSQL existing tables query, making it compatible with the new schema config option.
2021-12-03 06:29:55 +00:00
schema string
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226.
2021-12-01 12:11:29 +00:00
config *schema.Configuration
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
errOpen error
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
log *logrus.Logger
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// Table: authentication_logs.
sqlInsertAuthenticationAttempt string
sqlSelectAuthenticationAttemptsByUsername string
feat(storage): only store identity token metadata (#2627) This change makes it so only metadata about tokens is stored. Tokens can still be resigned due to conversion methods that convert from the JWT type to the database type. This should be more efficient and should mean we don't have to encrypt tokens or token info in the database at least for now.
2021-11-30 06:58:21 +00:00
// Table: identity_verification.
fix(storage): don't check exp against time using sql (#2676) This is already checked by JWT validation. There is no need and it's leading to timezone issues. Fixes #2672
2021-12-04 04:34:20 +00:00
sqlInsertIdentityVerification string
sqlConsumeIdentityVerification string
sqlSelectIdentityVerification string
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// Table: totp_configurations.
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
sqlUpsertTOTPConfig string
sqlDeleteTOTPConfig string
sqlSelectTOTPConfig string
sqlSelectTOTPConfigs string
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
sqlUpdateTOTPConfigSecret string
sqlUpdateTOTPConfigSecretByUsername string
sqlUpdateTOTPConfigRecordSignIn string
sqlUpdateTOTPConfigRecordSignInByUsername string
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
// Table: webauthn_devices.
sqlUpsertWebauthnDevice string
sqlSelectWebauthnDevices string
sqlSelectWebauthnDevicesByUsername string
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
sqlUpdateWebauthnDevicePublicKey string
sqlUpdateWebauthnDevicePublicKeyByUsername string
sqlUpdateWebauthnDeviceRecordSignIn string
sqlUpdateWebauthnDeviceRecordSignInByUsername string
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
feat(commands): add webauthn device commands (#3671)
2022-10-19 07:17:55 +00:00
sqlDeleteWebauthnDevice string
sqlDeleteWebauthnDeviceByUsername string
sqlDeleteWebauthnDeviceByUsernameAndDescription string
refactor: apply godot recommendations (#2839)
2022-01-31 05:25:15 +00:00
// Table: duo_devices.
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
sqlUpsertDuoDevice string
sqlDeleteDuoDevice string
sqlSelectDuoDevice string
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// Table: user_preferences.
sqlUpsertPreferred2FAMethod string
sqlSelectPreferred2FAMethod string
sqlSelectUserInfo string
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
// Table: user_opaque_identifier.
sqlInsertUserOpaqueIdentifier string
sqlSelectUserOpaqueIdentifier string
feat(commands): user opaque identifiers commands (#3144) Add commands for handling user opaque identifiers.
2022-04-09 07:13:19 +00:00
sqlSelectUserOpaqueIdentifiers string
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
sqlSelectUserOpaqueIdentifierBySignature string
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// Table: migrations.
sqlInsertMigration string
sqlSelectMigrations string
sqlSelectLatestMigration string
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
// Table: encryption.
sqlUpsertEncryptionValue string
sqlSelectEncryptionValue string
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
// Table: oauth2_consent_preconfiguration.
sqlInsertOAuth2ConsentPreConfiguration string
sqlSelectOAuth2ConsentPreConfigurations string
// Table: oauth2_consent_session.
sqlInsertOAuth2ConsentSession string
sqlUpdateOAuth2ConsentSessionSubject string
sqlUpdateOAuth2ConsentSessionResponse string
sqlUpdateOAuth2ConsentSessionGranted string
sqlSelectOAuth2ConsentSessionByChallengeID string
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
// Table: oauth2_authorization_code_session.
sqlInsertOAuth2AuthorizeCodeSession string
sqlSelectOAuth2AuthorizeCodeSession string
sqlRevokeOAuth2AuthorizeCodeSession string
sqlRevokeOAuth2AuthorizeCodeSessionByRequestID string
sqlDeactivateOAuth2AuthorizeCodeSession string
sqlDeactivateOAuth2AuthorizeCodeSessionByRequestID string
// Table: oauth2_access_token_session.
sqlInsertOAuth2AccessTokenSession string
sqlSelectOAuth2AccessTokenSession string
sqlRevokeOAuth2AccessTokenSession string
sqlRevokeOAuth2AccessTokenSessionByRequestID string
sqlDeactivateOAuth2AccessTokenSession string
sqlDeactivateOAuth2AccessTokenSessionByRequestID string
// Table: oauth2_refresh_token_session.
sqlInsertOAuth2RefreshTokenSession string
sqlSelectOAuth2RefreshTokenSession string
sqlRevokeOAuth2RefreshTokenSession string
sqlRevokeOAuth2RefreshTokenSessionByRequestID string
sqlDeactivateOAuth2RefreshTokenSession string
sqlDeactivateOAuth2RefreshTokenSessionByRequestID string
// Table: oauth2_pkce_request_session.
sqlInsertOAuth2PKCERequestSession string
sqlSelectOAuth2PKCERequestSession string
sqlRevokeOAuth2PKCERequestSession string
sqlRevokeOAuth2PKCERequestSessionByRequestID string
sqlDeactivateOAuth2PKCERequestSession string
sqlDeactivateOAuth2PKCERequestSessionByRequestID string
// Table: oauth2_openid_connect_session.
sqlInsertOAuth2OpenIDConnectSession string
sqlSelectOAuth2OpenIDConnectSession string
sqlRevokeOAuth2OpenIDConnectSession string
sqlRevokeOAuth2OpenIDConnectSessionByRequestID string
sqlDeactivateOAuth2OpenIDConnectSession string
sqlDeactivateOAuth2OpenIDConnectSessionByRequestID string
sqlUpsertOAuth2BlacklistedJTI string
sqlSelectOAuth2BlacklistedJTI string
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// Utility.
sqlSelectExistingTables string
sqlFmtRenameTable string
}
[MISC] Storage Schema Versioning Model (#1057) * [MISC] Storage Schema Versioning Model * fixup go.sum * remove pq * fix int to text issue * fix incorrect SQL text * use key_name vs key * use transactions for all queries during upgrades * fix missing parenthesis * move upgrades to their own file * add provider name for future usage in upgrades * fix missing create config table values * fix using the const instead of the provider SQL * import logging once and reuse * update docs * remove db at suite teardown * apply suggestions from code review * fix mysql * make errors more uniform * style changes * remove commented code sections * remove commented code sections * add schema version type * add sql mock unit tests * go mod tidy * test blank row situations
2020-07-16 05:56:08 +00:00
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
// Close the underlying database connection.
func (p *SQLProvider) Close() (err error) {
return p.db.Close()
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// StartupCheck implements the provider startup check interface.
func (p *SQLProvider) StartupCheck() (err error) {
if p.errOpen != nil {
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
return fmt.Errorf("error opening database: %w", p.errOpen)
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// TODO: Decide if this is needed, or if it should be configurable.
for i := 0; i < 19; i++ {
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
if err = p.db.Ping(); err == nil {
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
break
[MISC] Storage Schema Versioning Model (#1057) * [MISC] Storage Schema Versioning Model * fixup go.sum * remove pq * fix int to text issue * fix incorrect SQL text * use key_name vs key * use transactions for all queries during upgrades * fix missing parenthesis * move upgrades to their own file * add provider name for future usage in upgrades * fix missing create config table values * fix using the const instead of the provider SQL * import logging once and reuse * update docs * remove db at suite teardown * apply suggestions from code review * fix mysql * make errors more uniform * style changes * remove commented code sections * remove commented code sections * add schema version type * add sql mock unit tests * go mod tidy * test blank row situations
2020-07-16 05:56:08 +00:00
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
time.Sleep(time.Millisecond * 500)
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
if err != nil {
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
return fmt.Errorf("error pinging database: %w", err)
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
p.log.Infof("Storage schema is being checked for updates")
[MISC] Storage Schema Versioning Model (#1057) * [MISC] Storage Schema Versioning Model * fixup go.sum * remove pq * fix int to text issue * fix incorrect SQL text * use key_name vs key * use transactions for all queries during upgrades * fix missing parenthesis * move upgrades to their own file * add provider name for future usage in upgrades * fix missing create config table values * fix using the const instead of the provider SQL * import logging once and reuse * update docs * remove db at suite teardown * apply suggestions from code review * fix mysql * make errors more uniform * style changes * remove commented code sections * remove commented code sections * add schema version type * add sql mock unit tests * go mod tidy * test blank row situations
2020-07-16 05:56:08 +00:00
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
ctx := context.Background()
[MISC] Storage Schema Versioning Model (#1057) * [MISC] Storage Schema Versioning Model * fixup go.sum * remove pq * fix int to text issue * fix incorrect SQL text * use key_name vs key * use transactions for all queries during upgrades * fix missing parenthesis * move upgrades to their own file * add provider name for future usage in upgrades * fix missing create config table values * fix using the const instead of the provider SQL * import logging once and reuse * update docs * remove db at suite teardown * apply suggestions from code review * fix mysql * make errors more uniform * style changes * remove commented code sections * remove commented code sections * add schema version type * add sql mock unit tests * go mod tidy * test blank row situations
2020-07-16 05:56:08 +00:00
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
if err = p.SchemaEncryptionCheckKey(ctx, false); err != nil && !errors.Is(err, ErrSchemaEncryptionVersionUnsupported) {
return err
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
err = p.SchemaMigrate(ctx, true, SchemaLatest)
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
switch err {
case ErrSchemaAlreadyUpToDate:
p.log.Infof("Storage schema is already up to date")
return nil
case nil:
return nil
default:
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
return fmt.Errorf("error during schema migrate: %w", err)
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
}
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
// BeginTX begins a transaction.
func (p *SQLProvider) BeginTX(ctx context.Context) (c context.Context, err error) {
var tx *sql.Tx
if tx, err = p.db.Begin(); err != nil {
return nil, err
}
return context.WithValue(ctx, ctxKeyTransaction, tx), nil
}
// Commit performs a database commit.
func (p *SQLProvider) Commit(ctx context.Context) (err error) {
tx, ok := ctx.Value(ctxKeyTransaction).(*sql.Tx)
if !ok {
return errors.New("could not retrieve tx")
}
return tx.Commit()
}
// Rollback performs a database rollback.
func (p *SQLProvider) Rollback(ctx context.Context) (err error) {
tx, ok := ctx.Value(ctxKeyTransaction).(*sql.Tx)
if !ok {
return errors.New("could not retrieve tx")
}
return tx.Rollback()
}
// SaveUserOpaqueIdentifier saves a new opaque user identifier to the database.
func (p *SQLProvider) SaveUserOpaqueIdentifier(ctx context.Context, opaqueID model.UserOpaqueIdentifier) (err error) {
if _, err = p.db.ExecContext(ctx, p.sqlInsertUserOpaqueIdentifier, opaqueID.Service, opaqueID.SectorID, opaqueID.Username, opaqueID.Identifier); err != nil {
return fmt.Errorf("error inserting user opaque id for user '%s' with opaque id '%s': %w", opaqueID.Username, opaqueID.Identifier.String(), err)
}
return nil
}
// LoadUserOpaqueIdentifier selects an opaque user identifier from the database.
func (p *SQLProvider) LoadUserOpaqueIdentifier(ctx context.Context, opaqueUUID uuid.UUID) (opaqueID *model.UserOpaqueIdentifier, err error) {
opaqueID = &model.UserOpaqueIdentifier{}
if err = p.db.GetContext(ctx, opaqueID, p.sqlSelectUserOpaqueIdentifier, opaqueUUID); err != nil {
switch {
case errors.Is(err, sql.ErrNoRows):
return nil, nil
default:
return nil, err
}
}
return opaqueID, nil
}
feat(commands): user opaque identifiers commands (#3144) Add commands for handling user opaque identifiers.
2022-04-09 07:13:19 +00:00
// LoadUserOpaqueIdentifiers selects an opaque user identifiers from the database.
func (p *SQLProvider) LoadUserOpaqueIdentifiers(ctx context.Context) (opaqueIDs []model.UserOpaqueIdentifier, err error) {
var rows *sqlx.Rows
if rows, err = p.db.QueryxContext(ctx, p.sqlSelectUserOpaqueIdentifiers); err != nil {
return nil, fmt.Errorf("error selecting user opaque identifiers: %w", err)
}
var opaqueID *model.UserOpaqueIdentifier
for rows.Next() {
opaqueID = &model.UserOpaqueIdentifier{}
if err = rows.StructScan(opaqueID); err != nil {
return nil, fmt.Errorf("error selecting user opaque identifiers: error scanning row: %w", err)
}
opaqueIDs = append(opaqueIDs, *opaqueID)
}
return opaqueIDs, nil
}
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
// LoadUserOpaqueIdentifierBySignature selects an opaque user identifier from the database given a service name, sector id, and username.
func (p *SQLProvider) LoadUserOpaqueIdentifierBySignature(ctx context.Context, service, sectorID, username string) (opaqueID *model.UserOpaqueIdentifier, err error) {
opaqueID = &model.UserOpaqueIdentifier{}
if err = p.db.GetContext(ctx, opaqueID, p.sqlSelectUserOpaqueIdentifierBySignature, service, sectorID, username); err != nil {
switch {
case errors.Is(err, sql.ErrNoRows):
return nil, nil
default:
return nil, err
}
}
return opaqueID, nil
}
fix(oidc): subject generated for anonymous users (#3238) Fix and issue that would prevent a correct ID Token from being generated for users who start off anonymous. This also avoids generating one in the first place for anonymous users.
2022-04-25 00:31:05 +00:00
// SaveOAuth2ConsentSession inserts an OAuth2.0 consent session.
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
func (p *SQLProvider) SaveOAuth2ConsentSession(ctx context.Context, consent model.OAuth2ConsentSession) (err error) {
if _, err = p.db.ExecContext(ctx, p.sqlInsertOAuth2ConsentSession,
consent.ChallengeID, consent.ClientID, consent.Subject, consent.Authorized, consent.Granted,
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
consent.RequestedAt, consent.RespondedAt, consent.Form,
consent.RequestedScopes, consent.GrantedScopes, consent.RequestedAudience, consent.GrantedAudience, consent.PreConfiguration); err != nil {
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
return fmt.Errorf("error inserting oauth2 consent session with challenge id '%s' for subject '%s': %w", consent.ChallengeID.String(), consent.Subject.UUID.String(), err)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}
return nil
}
fix(oidc): subject generated for anonymous users (#3238) Fix and issue that would prevent a correct ID Token from being generated for users who start off anonymous. This also avoids generating one in the first place for anonymous users.
2022-04-25 00:31:05 +00:00
// SaveOAuth2ConsentSessionSubject updates an OAuth2.0 consent session with the subject.
func (p *SQLProvider) SaveOAuth2ConsentSessionSubject(ctx context.Context, consent model.OAuth2ConsentSession) (err error) {
if _, err = p.db.ExecContext(ctx, p.sqlUpdateOAuth2ConsentSessionSubject, consent.Subject, consent.ID); err != nil {
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
return fmt.Errorf("error updating oauth2 consent session subject with id '%d' and challenge id '%s' for subject '%s': %w", consent.ID, consent.ChallengeID, consent.Subject.UUID, err)
fix(oidc): subject generated for anonymous users (#3238) Fix and issue that would prevent a correct ID Token from being generated for users who start off anonymous. This also avoids generating one in the first place for anonymous users.
2022-04-25 00:31:05 +00:00
}
return nil
}
// SaveOAuth2ConsentSessionResponse updates an OAuth2.0 consent session with the response.
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
func (p *SQLProvider) SaveOAuth2ConsentSessionResponse(ctx context.Context, consent model.OAuth2ConsentSession, authorized bool) (err error) {
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlUpdateOAuth2ConsentSessionResponse, authorized, consent.GrantedScopes, consent.GrantedAudience, consent.PreConfiguration, consent.ID); err != nil {
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
return fmt.Errorf("error updating oauth2 consent session (authorized '%t') with id '%d' and challenge id '%s' for subject '%s': %w", authorized, consent.ID, consent.ChallengeID, consent.Subject.UUID, err)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}
return nil
}
// SaveOAuth2ConsentSessionGranted updates an OAuth2.0 consent recording that it has been granted by the authorization endpoint.
func (p *SQLProvider) SaveOAuth2ConsentSessionGranted(ctx context.Context, id int) (err error) {
if _, err = p.db.ExecContext(ctx, p.sqlUpdateOAuth2ConsentSessionGranted, id); err != nil {
return fmt.Errorf("error updating oauth2 consent session (granted) with id '%d': %w", id, err)
}
return nil
}
// LoadOAuth2ConsentSessionByChallengeID returns an OAuth2.0 consent given the challenge ID.
func (p *SQLProvider) LoadOAuth2ConsentSessionByChallengeID(ctx context.Context, challengeID uuid.UUID) (consent *model.OAuth2ConsentSession, err error) {
consent = &model.OAuth2ConsentSession{}
if err = p.db.GetContext(ctx, consent, p.sqlSelectOAuth2ConsentSessionByChallengeID, challengeID); err != nil {
return nil, fmt.Errorf("error selecting oauth2 consent session with challenge id '%s': %w", challengeID.String(), err)
}
return consent, nil
}
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
// SaveOAuth2ConsentPreConfiguration inserts an OAuth2.0 consent pre-configuration.
func (p *SQLProvider) SaveOAuth2ConsentPreConfiguration(ctx context.Context, config model.OAuth2ConsentPreConfig) (insertedID int64, err error) {
switch p.name {
case providerPostgres:
if err = p.db.GetContext(ctx, &insertedID, p.sqlInsertOAuth2ConsentPreConfiguration,
config.ClientID, config.Subject, config.CreatedAt, config.ExpiresAt,
config.Revoked, config.Scopes, config.Audience); err != nil {
return -1, fmt.Errorf("error inserting oauth2 consent pre-configuration for subject '%s' with client id '%s' and scopes '%s': %w", config.Subject.String(), config.ClientID, strings.Join(config.Scopes, " "), err)
}
return insertedID, nil
default:
var result sql.Result
if result, err = p.db.ExecContext(ctx, p.sqlInsertOAuth2ConsentPreConfiguration,
config.ClientID, config.Subject, config.CreatedAt, config.ExpiresAt,
config.Revoked, config.Scopes, config.Audience); err != nil {
return -1, fmt.Errorf("error inserting oauth2 consent pre-configuration for subject '%s' with client id '%s' and scopes '%s': %w", config.Subject.String(), config.ClientID, strings.Join(config.Scopes, " "), err)
}
return result.LastInsertId()
}
}
// LoadOAuth2ConsentPreConfigurations returns an OAuth2.0 consents pre-configurations given the consent signature.
func (p *SQLProvider) LoadOAuth2ConsentPreConfigurations(ctx context.Context, clientID string, subject uuid.UUID) (rows *ConsentPreConfigRows, err error) {
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
var r *sqlx.Rows
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
if r, err = p.db.QueryxContext(ctx, p.sqlSelectOAuth2ConsentPreConfigurations, clientID, subject); err != nil {
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
if errors.Is(err, sql.ErrNoRows) {
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
return &ConsentPreConfigRows{}, nil
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
return &ConsentPreConfigRows{}, fmt.Errorf("error selecting oauth2 consent pre-configurations by signature with client id '%s' and subject '%s': %w", clientID, subject.String(), err)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
return &ConsentPreConfigRows{rows: r}, nil
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}
// SaveOAuth2Session saves a OAuth2Session to the database.
func (p *SQLProvider) SaveOAuth2Session(ctx context.Context, sessionType OAuth2SessionType, session model.OAuth2Session) (err error) {
var query string
switch sessionType {
case OAuth2SessionTypeAuthorizeCode:
query = p.sqlInsertOAuth2AuthorizeCodeSession
case OAuth2SessionTypeAccessToken:
query = p.sqlInsertOAuth2AccessTokenSession
case OAuth2SessionTypeRefreshToken:
query = p.sqlInsertOAuth2RefreshTokenSession
case OAuth2SessionTypePKCEChallenge:
query = p.sqlInsertOAuth2PKCERequestSession
case OAuth2SessionTypeOpenIDConnect:
query = p.sqlInsertOAuth2OpenIDConnectSession
default:
return fmt.Errorf("error inserting oauth2 session for subject '%s' and request id '%s': unknown oauth2 session type '%s'", session.Subject, session.RequestID, sessionType)
}
if session.Session, err = p.encrypt(session.Session); err != nil {
return fmt.Errorf("error encrypting the oauth2 %s session data for subject '%s' and request id '%s' and challenge id '%s': %w", sessionType, session.Subject, session.RequestID, session.ChallengeID.String(), err)
}
_, err = p.db.ExecContext(ctx, query,
session.ChallengeID, session.RequestID, session.ClientID, session.Signature,
session.Subject, session.RequestedAt, session.RequestedScopes, session.GrantedScopes,
session.RequestedAudience, session.GrantedAudience,
session.Active, session.Revoked, session.Form, session.Session)
if err != nil {
return fmt.Errorf("error inserting oauth2 %s session data for subject '%s' and request id '%s' and challenge id '%s': %w", sessionType, session.Subject, session.RequestID, session.ChallengeID.String(), err)
}
return nil
}
// RevokeOAuth2Session marks a OAuth2Session as revoked in the database.
func (p *SQLProvider) RevokeOAuth2Session(ctx context.Context, sessionType OAuth2SessionType, signature string) (err error) {
var query string
switch sessionType {
case OAuth2SessionTypeAuthorizeCode:
query = p.sqlRevokeOAuth2AuthorizeCodeSession
case OAuth2SessionTypeAccessToken:
query = p.sqlRevokeOAuth2AccessTokenSession
case OAuth2SessionTypeRefreshToken:
query = p.sqlRevokeOAuth2RefreshTokenSession
case OAuth2SessionTypePKCEChallenge:
query = p.sqlRevokeOAuth2PKCERequestSession
case OAuth2SessionTypeOpenIDConnect:
query = p.sqlRevokeOAuth2OpenIDConnectSession
default:
return fmt.Errorf("error revoking oauth2 session with signature '%s': unknown oauth2 session type '%s'", signature, sessionType)
}
if _, err = p.db.ExecContext(ctx, query, signature); err != nil {
return fmt.Errorf("error revoking oauth2 %s session with signature '%s': %w", sessionType, signature, err)
}
return nil
}
// RevokeOAuth2SessionByRequestID marks a OAuth2Session as revoked in the database.
func (p *SQLProvider) RevokeOAuth2SessionByRequestID(ctx context.Context, sessionType OAuth2SessionType, requestID string) (err error) {
var query string
switch sessionType {
case OAuth2SessionTypeAuthorizeCode:
query = p.sqlRevokeOAuth2AuthorizeCodeSessionByRequestID
case OAuth2SessionTypeAccessToken:
query = p.sqlRevokeOAuth2AccessTokenSessionByRequestID
case OAuth2SessionTypeRefreshToken:
query = p.sqlRevokeOAuth2RefreshTokenSessionByRequestID
case OAuth2SessionTypePKCEChallenge:
query = p.sqlRevokeOAuth2PKCERequestSessionByRequestID
case OAuth2SessionTypeOpenIDConnect:
query = p.sqlRevokeOAuth2OpenIDConnectSessionByRequestID
default:
return fmt.Errorf("error revoking oauth2 session with request id '%s': unknown oauth2 session type '%s'", requestID, sessionType)
}
if _, err = p.db.ExecContext(ctx, query, requestID); err != nil {
return fmt.Errorf("error revoking oauth2 %s session with request id '%s': %w", sessionType, requestID, err)
}
return nil
}
// DeactivateOAuth2Session marks a OAuth2Session as inactive in the database.
func (p *SQLProvider) DeactivateOAuth2Session(ctx context.Context, sessionType OAuth2SessionType, signature string) (err error) {
var query string
switch sessionType {
case OAuth2SessionTypeAuthorizeCode:
query = p.sqlDeactivateOAuth2AuthorizeCodeSession
case OAuth2SessionTypeAccessToken:
query = p.sqlDeactivateOAuth2AccessTokenSession
case OAuth2SessionTypeRefreshToken:
query = p.sqlDeactivateOAuth2RefreshTokenSession
case OAuth2SessionTypePKCEChallenge:
query = p.sqlDeactivateOAuth2PKCERequestSession
case OAuth2SessionTypeOpenIDConnect:
query = p.sqlDeactivateOAuth2OpenIDConnectSession
default:
return fmt.Errorf("error deactivating oauth2 session with signature '%s': unknown oauth2 session type '%s'", signature, sessionType)
}
if _, err = p.db.ExecContext(ctx, query, signature); err != nil {
return fmt.Errorf("error deactivating oauth2 %s session with signature '%s': %w", sessionType, signature, err)
}
return nil
}
// DeactivateOAuth2SessionByRequestID marks a OAuth2Session as inactive in the database.
func (p *SQLProvider) DeactivateOAuth2SessionByRequestID(ctx context.Context, sessionType OAuth2SessionType, requestID string) (err error) {
var query string
switch sessionType {
case OAuth2SessionTypeAuthorizeCode:
query = p.sqlDeactivateOAuth2AuthorizeCodeSession
case OAuth2SessionTypeAccessToken:
query = p.sqlDeactivateOAuth2AccessTokenSessionByRequestID
case OAuth2SessionTypeRefreshToken:
query = p.sqlDeactivateOAuth2RefreshTokenSessionByRequestID
case OAuth2SessionTypePKCEChallenge:
query = p.sqlDeactivateOAuth2PKCERequestSessionByRequestID
case OAuth2SessionTypeOpenIDConnect:
query = p.sqlDeactivateOAuth2OpenIDConnectSessionByRequestID
default:
return fmt.Errorf("error deactivating oauth2 session with request id '%s': unknown oauth2 session type '%s'", requestID, sessionType)
}
if _, err = p.db.ExecContext(ctx, query, requestID); err != nil {
return fmt.Errorf("error deactivating oauth2 %s session with request id '%s': %w", sessionType, requestID, err)
}
return nil
}
// LoadOAuth2Session saves a OAuth2Session from the database.
func (p *SQLProvider) LoadOAuth2Session(ctx context.Context, sessionType OAuth2SessionType, signature string) (session *model.OAuth2Session, err error) {
var query string
switch sessionType {
case OAuth2SessionTypeAuthorizeCode:
query = p.sqlSelectOAuth2AuthorizeCodeSession
case OAuth2SessionTypeAccessToken:
query = p.sqlSelectOAuth2AccessTokenSession
case OAuth2SessionTypeRefreshToken:
query = p.sqlSelectOAuth2RefreshTokenSession
case OAuth2SessionTypePKCEChallenge:
query = p.sqlSelectOAuth2PKCERequestSession
case OAuth2SessionTypeOpenIDConnect:
query = p.sqlSelectOAuth2OpenIDConnectSession
default:
return nil, fmt.Errorf("error selecting oauth2 session: unknown oauth2 session type '%s'", sessionType)
}
session = &model.OAuth2Session{}
if err = p.db.GetContext(ctx, session, query, signature); err != nil {
return nil, fmt.Errorf("error selecting oauth2 %s session with signature '%s': %w", sessionType, signature, err)
}
if session.Session, err = p.decrypt(session.Session); err != nil {
return nil, fmt.Errorf("error decrypting the oauth2 %s session data with signature '%s' for subject '%s' and request id '%s': %w", sessionType, signature, session.Subject, session.RequestID, err)
}
return session, nil
}
// SaveOAuth2BlacklistedJTI saves a OAuth2BlacklistedJTI to the database.
func (p *SQLProvider) SaveOAuth2BlacklistedJTI(ctx context.Context, blacklistedJTI model.OAuth2BlacklistedJTI) (err error) {
if _, err = p.db.ExecContext(ctx, p.sqlUpsertOAuth2BlacklistedJTI, blacklistedJTI.Signature, blacklistedJTI.ExpiresAt); err != nil {
return fmt.Errorf("error inserting oauth2 blacklisted JTI with signature '%s': %w", blacklistedJTI.Signature, err)
}
return nil
}
// LoadOAuth2BlacklistedJTI loads a OAuth2BlacklistedJTI from the database.
func (p *SQLProvider) LoadOAuth2BlacklistedJTI(ctx context.Context, signature string) (blacklistedJTI *model.OAuth2BlacklistedJTI, err error) {
blacklistedJTI = &model.OAuth2BlacklistedJTI{}
if err = p.db.GetContext(ctx, blacklistedJTI, p.sqlSelectOAuth2BlacklistedJTI, signature); err != nil {
return nil, fmt.Errorf("error selecting oauth2 blacklisted JTI with signature '%s': %w", blacklistedJTI.Signature, err)
}
return blacklistedJTI, nil
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// SavePreferred2FAMethod save the preferred method for 2FA to the database.
func (p *SQLProvider) SavePreferred2FAMethod(ctx context.Context, username string, method string) (err error) {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlUpsertPreferred2FAMethod, username, method); err != nil {
return fmt.Errorf("error upserting preferred two factor method for user '%s': %w", username, err)
}
[MISC] Storage Schema Versioning Model (#1057) * [MISC] Storage Schema Versioning Model * fixup go.sum * remove pq * fix int to text issue * fix incorrect SQL text * use key_name vs key * use transactions for all queries during upgrades * fix missing parenthesis * move upgrades to their own file * add provider name for future usage in upgrades * fix missing create config table values * fix using the const instead of the provider SQL * import logging once and reuse * update docs * remove db at suite teardown * apply suggestions from code review * fix mysql * make errors more uniform * style changes * remove commented code sections * remove commented code sections * add schema version type * add sql mock unit tests * go mod tidy * test blank row situations
2020-07-16 05:56:08 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return nil
[MISC] Storage Schema Versioning Model (#1057) * [MISC] Storage Schema Versioning Model * fixup go.sum * remove pq * fix int to text issue * fix incorrect SQL text * use key_name vs key * use transactions for all queries during upgrades * fix missing parenthesis * move upgrades to their own file * add provider name for future usage in upgrades * fix missing create config table values * fix using the const instead of the provider SQL * import logging once and reuse * update docs * remove db at suite teardown * apply suggestions from code review * fix mysql * make errors more uniform * style changes * remove commented code sections * remove commented code sections * add schema version type * add sql mock unit tests * go mod tidy * test blank row situations
2020-07-16 05:56:08 +00:00
}
// LoadPreferred2FAMethod load the preferred method for 2FA from the database.
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
func (p *SQLProvider) LoadPreferred2FAMethod(ctx context.Context, username string) (method string, err error) {
err = p.db.GetContext(ctx, &method, p.sqlSelectPreferred2FAMethod, username)
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
switch {
case err == nil:
return method, nil
case errors.Is(err, sql.ErrNoRows):
fix(web): show appropriate default and available methods (#2999) This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 01:26:30 +00:00
return "", sql.ErrNoRows
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
default:
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
return "", fmt.Errorf("error selecting preferred two factor method for user '%s': %w", username, err)
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
// LoadUserInfo loads the model.UserInfo from the database.
func (p *SQLProvider) LoadUserInfo(ctx context.Context, username string) (info model.UserInfo, err error) {
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
err = p.db.GetContext(ctx, &info, p.sqlSelectUserInfo, username, username, username, username)
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
switch {
fix(web): show appropriate default and available methods (#2999) This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 01:26:30 +00:00
case err == nil, errors.Is(err, sql.ErrNoRows):
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
return info, nil
default:
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
return model.UserInfo{}, fmt.Errorf("error selecting user info for user '%s': %w", username, err)
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
}
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// SaveIdentityVerification save an identity verification record to the database.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) SaveIdentityVerification(ctx context.Context, verification model.IdentityVerification) (err error) {
feat(storage): only store identity token metadata (#2627) This change makes it so only metadata about tokens is stored. Tokens can still be resigned due to conversion methods that convert from the JWT type to the database type. This should be more efficient and should mean we don't have to encrypt tokens or token info in the database at least for now.
2021-11-30 06:58:21 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlInsertIdentityVerification,
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
verification.JTI, verification.IssuedAt, verification.IssuedIP, verification.ExpiresAt,
feat(storage): only store identity token metadata (#2627) This change makes it so only metadata about tokens is stored. Tokens can still be resigned due to conversion methods that convert from the JWT type to the database type. This should be more efficient and should mean we don't have to encrypt tokens or token info in the database at least for now.
2021-11-30 06:58:21 +00:00
verification.Username, verification.Action); err != nil {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return fmt.Errorf("error inserting identity verification for user '%s' with uuid '%s': %w", verification.Username, verification.JTI, err)
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
return nil
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
// ConsumeIdentityVerification marks an identity verification record in the database as consumed.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) ConsumeIdentityVerification(ctx context.Context, jti string, ip model.NullIP) (err error) {
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlConsumeIdentityVerification, ip, jti); err != nil {
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
return fmt.Errorf("error updating identity verification: %w", err)
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
return nil
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// FindIdentityVerification checks if an identity verification record is in the database and active.
feat(storage): only store identity token metadata (#2627) This change makes it so only metadata about tokens is stored. Tokens can still be resigned due to conversion methods that convert from the JWT type to the database type. This should be more efficient and should mean we don't have to encrypt tokens or token info in the database at least for now.
2021-11-30 06:58:21 +00:00
func (p *SQLProvider) FindIdentityVerification(ctx context.Context, jti string) (found bool, err error) {
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
verification := model.IdentityVerification{}
fix(storage): don't check exp against time using sql (#2676) This is already checked by JWT validation. There is no need and it's leading to timezone issues. Fixes #2672
2021-12-04 04:34:20 +00:00
if err = p.db.GetContext(ctx, &verification, p.sqlSelectIdentityVerification, jti); err != nil {
if errors.Is(err, sql.ErrNoRows) {
return false, nil
}
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
return false, fmt.Errorf("error selecting identity verification exists: %w", err)
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
fix(storage): don't check exp against time using sql (#2676) This is already checked by JWT validation. There is no need and it's leading to timezone issues. Fixes #2672
2021-12-04 04:34:20 +00:00
switch {
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
case verification.Consumed.Valid:
fix(storage): return reason for identity verification not being found (#2937) This includes the reason a token was not found during the identity verification process.
2022-03-02 05:33:47 +00:00
return false, fmt.Errorf("the token has already been consumed")
case verification.ExpiresAt.Before(time.Now()):
return false, fmt.Errorf("the token expired %s ago", time.Since(verification.ExpiresAt))
fix(storage): don't check exp against time using sql (#2676) This is already checked by JWT validation. There is no need and it's leading to timezone issues. Fixes #2672
2021-12-04 04:34:20 +00:00
default:
return true, nil
}
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
// SaveTOTPConfiguration save a TOTP configuration of a given user in the database.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) SaveTOTPConfiguration(ctx context.Context, config model.TOTPConfiguration) (err error) {
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
if config.Secret, err = p.encrypt(config.Secret); err != nil {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return fmt.Errorf("error encrypting the TOTP configuration secret for user '%s': %w", config.Username, err)
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
}
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlUpsertTOTPConfig,
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
config.CreatedAt, config.LastUsedAt,
config.Username, config.Issuer,
config.Algorithm, config.Digits, config.Period, config.Secret); err != nil {
return fmt.Errorf("error upserting TOTP configuration for user '%s': %w", config.Username, err)
}
return nil
}
// UpdateTOTPConfigurationSignIn updates a registered Webauthn devices sign in information.
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func (p *SQLProvider) UpdateTOTPConfigurationSignIn(ctx context.Context, id int, lastUsedAt sql.NullTime) (err error) {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlUpdateTOTPConfigRecordSignIn, lastUsedAt, id); err != nil {
return fmt.Errorf("error updating TOTP configuration id %d: %w", id, err)
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
}
return nil
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
// DeleteTOTPConfiguration delete a TOTP configuration from the database given a username.
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
func (p *SQLProvider) DeleteTOTPConfiguration(ctx context.Context, username string) (err error) {
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlDeleteTOTPConfig, username); err != nil {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return fmt.Errorf("error deleting TOTP configuration for user '%s': %w", username, err)
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
return nil
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
// LoadTOTPConfiguration load a TOTP configuration given a username from the database.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) LoadTOTPConfiguration(ctx context.Context, username string) (config *model.TOTPConfiguration, err error) {
config = &model.TOTPConfiguration{}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
if err = p.db.QueryRowxContext(ctx, p.sqlSelectTOTPConfig, username).StructScan(config); err != nil {
if errors.Is(err, sql.ErrNoRows) {
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226.
2021-12-01 12:11:29 +00:00
return nil, ErrNoTOTPConfiguration
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return nil, fmt.Errorf("error selecting TOTP configuration for user '%s': %w", username, err)
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
}
if config.Secret, err = p.decrypt(config.Secret); err != nil {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return nil, fmt.Errorf("error decrypting the TOTP secret for user '%s': %w", username, err)
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
return config, nil
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
// LoadTOTPConfigurations load a set of TOTP configurations.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) LoadTOTPConfigurations(ctx context.Context, limit, page int) (configs []model.TOTPConfiguration, err error) {
configs = make([]model.TOTPConfiguration, 0, limit)
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
if err = p.db.SelectContext(ctx, &configs, p.sqlSelectTOTPConfigs, limit, limit*page); err != nil {
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
if errors.Is(err, sql.ErrNoRows) {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return nil, nil
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
}
return nil, fmt.Errorf("error selecting TOTP configurations: %w", err)
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
for i, c := range configs {
if configs[i].Secret, err = p.decrypt(c.Secret); err != nil {
return nil, fmt.Errorf("error decrypting TOTP configuration for user '%s': %w", c.Username, err)
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
}
}
return configs, nil
}
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) updateTOTPConfigurationSecret(ctx context.Context, config model.TOTPConfiguration) (err error) {
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
switch config.ID {
case 0:
_, err = p.db.ExecContext(ctx, p.sqlUpdateTOTPConfigSecretByUsername, config.Secret, config.Username)
default:
_, err = p.db.ExecContext(ctx, p.sqlUpdateTOTPConfigSecret, config.Secret, config.ID)
}
if err != nil {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return fmt.Errorf("error updating TOTP configuration secret for user '%s': %w", config.Username, err)
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
}
return nil
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
// SaveWebauthnDevice saves a registered Webauthn device.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) SaveWebauthnDevice(ctx context.Context, device model.WebauthnDevice) (err error) {
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
if device.PublicKey, err = p.encrypt(device.PublicKey); err != nil {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return fmt.Errorf("error encrypting the Webauthn device public key for user '%s' kid '%x': %w", device.Username, device.KID, err)
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlUpsertWebauthnDevice,
device.CreatedAt, device.LastUsedAt,
device.RPID, device.Username, device.Description,
device.KID, device.PublicKey,
device.AttestationType, device.Transport, device.AAGUID, device.SignCount, device.CloneWarning,
); err != nil {
return fmt.Errorf("error upserting Webauthn device for user '%s' kid '%x': %w", device.Username, device.KID, err)
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
return nil
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
// UpdateWebauthnDeviceSignIn updates a registered Webauthn devices sign in information.
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent.
2022-10-20 02:16:36 +00:00
func (p *SQLProvider) UpdateWebauthnDeviceSignIn(ctx context.Context, id int, rpid string, lastUsedAt sql.NullTime, signCount uint32, cloneWarning bool) (err error) {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlUpdateWebauthnDeviceRecordSignIn, rpid, lastUsedAt, signCount, cloneWarning, id); err != nil {
return fmt.Errorf("error updating Webauthn signin metadata for id '%x': %w", id, err)
}
Provide commands to migrate database from v3 to v4.
2019-11-17 01:05:46 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return nil
}
feat(commands): add webauthn device commands (#3671)
2022-10-19 07:17:55 +00:00
// DeleteWebauthnDevice deletes a registered Webauthn device.
func (p *SQLProvider) DeleteWebauthnDevice(ctx context.Context, kid string) (err error) {
if _, err = p.db.ExecContext(ctx, p.sqlDeleteWebauthnDevice, kid); err != nil {
return fmt.Errorf("error deleting webauthn device with kid '%s': %w", kid, err)
}
return nil
}
// DeleteWebauthnDeviceByUsername deletes registered Webauthn devices by username or username and description.
func (p *SQLProvider) DeleteWebauthnDeviceByUsername(ctx context.Context, username, description string) (err error) {
if len(username) == 0 {
return fmt.Errorf("error deleting webauthn device with username '%s' and description '%s': username must not be empty", username, description)
}
if len(description) == 0 {
if _, err = p.db.ExecContext(ctx, p.sqlDeleteWebauthnDeviceByUsername, username); err != nil {
return fmt.Errorf("error deleting webauthn devices for username '%s': %w", username, err)
}
} else {
if _, err = p.db.ExecContext(ctx, p.sqlDeleteWebauthnDeviceByUsernameAndDescription, username, description); err != nil {
return fmt.Errorf("error deleting webauthn device with username '%s' and description '%s': %w", username, description, err)
}
}
return nil
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
// LoadWebauthnDevices loads Webauthn device registrations.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) LoadWebauthnDevices(ctx context.Context, limit, page int) (devices []model.WebauthnDevice, err error) {
devices = make([]model.WebauthnDevice, 0, limit)
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
if err = p.db.SelectContext(ctx, &devices, p.sqlSelectWebauthnDevices, limit, limit*page); err != nil {
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
if errors.Is(err, sql.ErrNoRows) {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return nil, nil
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
}
Provide commands to migrate database from v3 to v4.
2019-11-17 01:05:46 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return nil, fmt.Errorf("error selecting Webauthn devices: %w", err)
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
Add support for PostgreSQL.
2019-11-16 19:50:58 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
for i, device := range devices {
if devices[i].PublicKey, err = p.decrypt(device.PublicKey); err != nil {
return nil, fmt.Errorf("error decrypting Webauthn public key for user '%s': %w", device.Username, err)
}
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return devices, nil
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
// LoadWebauthnDevicesByUsername loads all webauthn devices registration for a given username.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) LoadWebauthnDevicesByUsername(ctx context.Context, username string) (devices []model.WebauthnDevice, err error) {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
if err = p.db.SelectContext(ctx, &devices, p.sqlSelectWebauthnDevicesByUsername, username); err != nil {
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
if errors.Is(err, sql.ErrNoRows) {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return nil, ErrNoWebauthnDevice
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return nil, fmt.Errorf("error selecting Webauthn devices for user '%s': %w", username, err)
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
for i, device := range devices {
if devices[i].PublicKey, err = p.decrypt(device.PublicKey); err != nil {
return nil, fmt.Errorf("error decrypting Webauthn public key for user '%s': %w", username, err)
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
}
}
return devices, nil
}
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) updateWebauthnDevicePublicKey(ctx context.Context, device model.WebauthnDevice) (err error) {
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
switch device.ID {
case 0:
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
_, err = p.db.ExecContext(ctx, p.sqlUpdateWebauthnDevicePublicKeyByUsername, device.PublicKey, device.Username, device.KID)
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
default:
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
_, err = p.db.ExecContext(ctx, p.sqlUpdateWebauthnDevicePublicKey, device.PublicKey, device.ID)
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
}
if err != nil {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return fmt.Errorf("error updating Webauthn public key for user '%s' kid '%x': %w", device.Username, device.KID, err)
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that.
2021-12-03 00:04:11 +00:00
}
return nil
}
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
// SavePreferredDuoDevice saves a Duo device.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) SavePreferredDuoDevice(ctx context.Context, device model.DuoDevice) (err error) {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlUpsertDuoDevice, device.Username, device.Device, device.Method); err != nil {
return fmt.Errorf("error upserting preferred duo device for user '%s': %w", device.Username, err)
}
return nil
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
}
// DeletePreferredDuoDevice deletes a Duo device of a given user.
func (p *SQLProvider) DeletePreferredDuoDevice(ctx context.Context, username string) (err error) {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlDeleteDuoDevice, username); err != nil {
return fmt.Errorf("error deleting preferred duo device for user '%s': %w", username, err)
}
return nil
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
}
// LoadPreferredDuoDevice loads a Duo device of a given user.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) LoadPreferredDuoDevice(ctx context.Context, username string) (device *model.DuoDevice, err error) {
device = &model.DuoDevice{}
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
if err = p.db.QueryRowxContext(ctx, p.sqlSelectDuoDevice, username).StructScan(device); err != nil {
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
if err == sql.ErrNoRows {
return nil, ErrNoDuoDevice
}
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return nil, fmt.Errorf("error selecting preferred duo device for user '%s': %w", username, err)
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039.
2021-12-01 03:32:58 +00:00
}
return device, nil
}
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
// AppendAuthenticationLog append a mark to the authentication log.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) AppendAuthenticationLog(ctx context.Context, attempt model.AuthenticationAttempt) (err error) {
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293.
2021-11-29 03:09:14 +00:00
if _, err = p.db.ExecContext(ctx, p.sqlInsertAuthenticationAttempt,
attempt.Time, attempt.Successful, attempt.Banned, attempt.Username,
attempt.Type, attempt.RemoteIP, attempt.RequestURI, attempt.RequestMethod); err != nil {
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return fmt.Errorf("error inserting authentication attempt for user '%s': %w", attempt.Username, err)
feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682
2021-11-25 01:56:58 +00:00
}
return nil
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337
2021-11-23 09:45:38 +00:00
// LoadAuthenticationLogs retrieve the latest failed authentications from the authentication log.
refactor(model): rename from models (#2968)
2022-03-06 05:47:40 +00:00
func (p *SQLProvider) LoadAuthenticationLogs(ctx context.Context, username string, fromDate time.Time, limit, page int) (attempts []model.AuthenticationAttempt, err error) {
attempts = make([]model.AuthenticationAttempt, 0, limit)
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
if err = p.db.SelectContext(ctx, &attempts, p.sqlSelectAuthenticationAttemptsByUsername, fromDate, username, limit, limit*page); err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, ErrNoAuthenticationLogs
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 11:20:43 +00:00
return nil, fmt.Errorf("error selecting authentication logs for user '%s': %w", username, err)
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Deprecate mongo and add mariadb as storage backend option.
2019-11-16 10:38:21 +00:00
return attempts, nil
}