RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/configuration/validator/const.go

216 lines
9.4 KiB
Go
Raw Normal View History

[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
package validator
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
var validRequestMethods = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"}
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
var validKeys = []string{
// Root Keys.
"host",
"port",
"log_level",
[FEATURE] Add JSON log formatting option (#1488) This change adds the ability to format Authelia's log output as JSON. Example below: ``` {"level":"info","msg":"Logging severity set to info","time":"2020-01-01T00:00:00+11:00"} {"level":"info","msg":"Authelia is listening for non-TLS connections on 0.0.0.0:9091","time":"2020-01-01T00:00:00+11:00"} ```
2020-11-24 23:46:41 +00:00
"log_format",
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
"log_file_path",
"default_redirection_url",
"jwt_secret",
[FEATURE] Add theme support (#1584) * [FEATURE] Add theme support This change allows users to select a theme for Authelia on start-up. The default will continue to be the existing theme which is known as `light`. Three new options are now also provided: * `dark` * `grey` * `custom` The `custom` theme allows users to specify a primary and secondary hex color code to be utilised to style the portal. Co-authored-by: BankaiNoJutsu <lbegert@gmail.com> * Add themes to integration tests * Remove custom theme * Fix linting issue in access_control_test.go Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>
2021-01-20 12:07:40 +00:00
"theme",
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
"tls_key",
"tls_cert",
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
"certificates_directory",
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
[FEATURE] Buffer size configuration and additional http error handling (#944) * implement read buffer size config option * implement write buffer size config option * implement fasthttp ErrorHandler so we can log errors to Authelia as well * add struct/schema validation * add default value * add docs * add config key to validator * refactoring * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 02:03:05 +00:00
// Server Keys.
"server.read_buffer_size",
"server.write_buffer_size",
[FEATURE] Allow Authelia to listen on a specified path (#1027) * [FEATURE] Allow Authelia to listen on a specified path * Fix linting and add a couple typescript types * Template index.html to support base_url * Update docs and configuration template * Access base path from body attribute. * Update CSP * Fix unit test Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful. * Template index.html with ${PUBLIC_URL} * Define PUBLIC_URL in .env(s) * Add docs clarification Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 02:20:55 +00:00
"server.path",
[FEATURE] Buffer size configuration and additional http error handling (#944) * implement read buffer size config option * implement write buffer size config option * implement fasthttp ErrorHandler so we can log errors to Authelia as well * add struct/schema validation * add default value * add docs * add config key to validator * refactoring * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 02:03:05 +00:00
[DEPRECATE] Remove Google Analytics (#1021) * it doesn't work with our current CSP * it's probably not used by anyone * it isn't in harmony with our security purposes * literally removes all use of it * suggestions from code review * remove useless test. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-15 23:41:42 +00:00
// TOTP Keys.
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
"totp.issuer",
"totp.period",
"totp.skew",
[DEPRECATE] Remove Google Analytics (#1021) * it doesn't work with our current CSP * it's probably not used by anyone * it isn't in harmony with our security purposes * literally removes all use of it * suggestions from code review * remove useless test. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-15 23:41:42 +00:00
// Access Control Keys.
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
"access_control.rules",
"access_control.default_policy",
[FEATURE] Validate ACLs and add network groups (#1568) * adds validation to ACL's * adds a new networks section that can be used as aliases in other sections (currently access_control)
2021-01-04 10:55:23 +00:00
"access_control.networks",
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
// Session Keys.
"session.name",
"session.secret",
"session.expiration",
"session.inactivity",
"session.remember_me_duration",
"session.domain",
// Redis Session Keys.
"session.redis.host",
"session.redis.port",
feat(session): add redis sentinel provider (#1768) * feat(session): add redis sentinel provider * refactor(session): use int for ports as per go standards * refactor(configuration): adjust tests and validation * refactor(configuration): add err format consts * refactor(configuration): explicitly map redis structs * refactor(session): merge redis/redis sentinel providers * refactor(session): add additional checks to redis providers * feat(session): add redis cluster provider * fix: update config for new values * fix: provide nil certpool to affected tests/mocks * test: add additional tests to cover uncovered code * docs: expand explanation of host and nodes relation for redis * ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum * fix(session): sentinel password * test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config * test: make entrypoint.sh executable, fix entrypoint.sh if/elif * test: add redis failover tests * test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging * test: add sentinel integration test * test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep * feat: use sentinel failover cluster * fix: renamed addrs to sentineladdrs upstream * test(session): sentinel failover * test: add redis standard back into testing * test: move redis standalone test to traefik2 * fix/docs: apply suggestions from code review
2021-03-09 23:03:05 +00:00
"session.redis.username",
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
"session.redis.password",
"session.redis.database_index",
feat(session): add redis sentinel provider (#1768) * feat(session): add redis sentinel provider * refactor(session): use int for ports as per go standards * refactor(configuration): adjust tests and validation * refactor(configuration): add err format consts * refactor(configuration): explicitly map redis structs * refactor(session): merge redis/redis sentinel providers * refactor(session): add additional checks to redis providers * feat(session): add redis cluster provider * fix: update config for new values * fix: provide nil certpool to affected tests/mocks * test: add additional tests to cover uncovered code * docs: expand explanation of host and nodes relation for redis * ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum * fix(session): sentinel password * test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config * test: make entrypoint.sh executable, fix entrypoint.sh if/elif * test: add redis failover tests * test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging * test: add sentinel integration test * test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep * feat: use sentinel failover cluster * fix: renamed addrs to sentineladdrs upstream * test(session): sentinel failover * test: add redis standard back into testing * test: move redis standalone test to traefik2 * fix/docs: apply suggestions from code review
2021-03-09 23:03:05 +00:00
"session.redis.maximum_active_connections",
"session.redis.minimum_idle_connections",
"session.redis.tls.minimum_version",
"session.redis.tls.skip_verify",
"session.redis.tls.server_name",
"session.redis.high_availability.sentinel_name",
"session.redis.high_availability.sentinel_password",
"session.redis.high_availability.nodes",
"session.redis.high_availability.route_by_latency",
"session.redis.high_availability.route_randomly",
"session.redis.timeouts.dial",
"session.redis.timeouts.idle",
"session.redis.timeouts.pool",
"session.redis.timeouts.read",
"session.redis.timeouts.write",
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
// Local Storage Keys.
"storage.local.path",
// MySQL Storage Keys.
"storage.mysql.host",
"storage.mysql.port",
"storage.mysql.database",
"storage.mysql.username",
"storage.mysql.password",
// PostgreSQL Storage Keys.
"storage.postgres.host",
"storage.postgres.port",
"storage.postgres.database",
"storage.postgres.username",
"storage.postgres.password",
"storage.postgres.sslmode",
// FileSystem Notifier Keys.
"notifier.filesystem.filename",
"notifier.disable_startup_check",
// SMTP Notifier Keys.
"notifier.smtp.username",
"notifier.smtp.password",
"notifier.smtp.host",
"notifier.smtp.port",
[BUGFIX] Add ability to specify SMTP HELO/EHLO identifier (#1416) * add docs * add configuration option for SMTP called `identifier` * default should act the same as before
2020-11-04 23:22:10 +00:00
"notifier.smtp.identifier",
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
"notifier.smtp.sender",
"notifier.smtp.subject",
"notifier.smtp.startup_check_address",
"notifier.smtp.disable_require_tls",
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
"notifier.smtp.trusted_cert", // TODO: Deprecated: Remove in 4.28.
[FEATURE] Plain Text Email Notifications (#1238) * add a plain text email template * use plain text email template for file based emails * add config option to SMTP emails named disable_html_emails * config option is a boolean that when set to true will only send plain text emails * add docs for more complex SMTP notifier options * update template * add rfc1341 multipart logic to notifier * check for errors after identity_verification * * fix nil ptr * go mod tidy * remove needless checks * * use multipart/atlernative instead * * add rfc5322 compliant date header * * fix linting issues
2020-08-21 02:16:23 +00:00
"notifier.smtp.disable_html_emails",
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
"notifier.smtp.tls.minimum_version",
"notifier.smtp.tls.skip_verify",
"notifier.smtp.tls.server_name",
"notifier.smtp.disable_verify_cert", // TODO: Deprecated: Remove in 4.28.
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
// Regulation Keys.
"regulation.max_retries",
"regulation.find_time",
"regulation.ban_time",
// DUO API Keys.
"duo_api.hostname",
"duo_api.integration_key",
"duo_api.secret_key",
// Authentication Backend Keys.
"authentication_backend.disable_reset_password",
[FEATURE] Automatic Profile Refresh - LDAP (#912) * [FIX] LDAP Not Checking for Updated Groups * refactor handlers verifyFromSessionCookie * refactor authorizer selectMatchingObjectRules * refactor authorizer isDomainMatching * add authorizer URLHasGroupSubjects method * add user provider ProviderType method * update tests * check for new LDAP groups and update session when: * user provider type is LDAP * authorization is forbidden * URL has rule with group subjects * Implement Refresh Interval * add default values for LDAP user provider * add default for refresh interval * add schema validator for refresh interval * add various tests * rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong * use Authelia ctx clock * add check to determine if user is deleted, if so destroy the * make ldap user not found error a const * implement GetRefreshSettings in mock * Use user not found const with FileProvider * comment exports * use ctx.Clock instead of time pkg * add debug logging * use ptr to reference userSession so we don't have to retrieve it again * add documenation * add check for 0 refresh interval to reduce CPU cost * remove badly copied debug msg * add group change delta message * add SliceStringDelta * refactor ldap refresh to use the new func * improve delta add/remove log message * fix incorrect logic in SliceStringDelta * add tests to SliceStringDelta * add always config option * add tests for always config option * update docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> * complete mocks and fix an old one * show warning when LDAP details failed to update for an unknown reason * golint fix * actually fix existing mocks * use mocks for LDAP refresh testing * use mocks for LDAP refresh testing for both added and removed groups * use test mock to verify disabled refresh behaviour * add information to threat model * add time const for default Unix() value * misc adjustments to mocks * Suggestions from code review * requested changes * update emails * docs updates * test updates * misc * golint fix * set debug for dev testing * misc docs and logging updates * misc grammar/spelling * use built function for VerifyGet * fix reviewdog suggestions * requested changes * Apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-04 19:39:25 +00:00
"authentication_backend.refresh_interval",
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
// LDAP Authentication Backend Keys.
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460) * Added `ActiveDirectory` suite for integration tests with Samba AD * Updated documentation * Minor styling refactor to suites * Clean up LDAP user provisioning * Fix Authelia home splash to reference correct link for webmail * Add notification message for password complexity errors * Add password complexity integration test * Rename implementation default from rfc to custom * add specific defaults for LDAP (activedirectory implementation) * add docs to show the new defaults * add docs explaining the importance of users filter * add tests * update instances of LDAP implementation names to use the new consts where applicable * made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead * update config examples due to the new defaults * apply changes from code review * replace schema default name from MSAD to ActiveDirectory for consistency * fix missing default for username_attribute * replace test raising on empty username attribute with not raising on empty Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-27 09:59:22 +00:00
"authentication_backend.ldap.implementation",
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
"authentication_backend.ldap.url",
"authentication_backend.ldap.base_dn",
"authentication_backend.ldap.username_attribute",
"authentication_backend.ldap.additional_users_dn",
"authentication_backend.ldap.users_filter",
"authentication_backend.ldap.additional_groups_dn",
"authentication_backend.ldap.groups_filter",
"authentication_backend.ldap.group_name_attribute",
"authentication_backend.ldap.mail_attribute",
[FEATURE] Add configurable display name to frontend (#1124) * [FEATURE] Add configurable display name to frontend This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting. Similarly for the file based backend a new required key "name" has been introduced. This can also be used down the line with OIDC as a separate scope. * Update references from Name to DisplayName * Update compose bundles to include displayname refs * Update LDAP automatic profile refresh * Ensure display name is updated * Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 10:50:21 +00:00
"authentication_backend.ldap.display_name_attribute",
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
"authentication_backend.ldap.user",
"authentication_backend.ldap.password",
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557) * add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia * this is in ADDITION to system certs and are trusted by both LDAP and SMTP * added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS * remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use * use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section * added temporary translations from the old names to the new ones for all deprecated options * added docs * updated example configuration * final deprecations to be done in 4.28.0 * doc updates * fix misc linting issues * uniform deprecation notices for ease of final removal * added additional tests covering previously uncovered areas and the new configuration options * add non-fatal to certificate loading when system certs could not be loaded * adjust timeout of Suite ShortTimeouts * add warnings pusher for the StructValidator * make the schema suites uninform * utilize the warnings in the StructValidator * fix test suite usage for skip_verify * extract LDAP filter parsing into it's own function to make it possible to test * test LDAP filter parsing * update ErrorContainer interface * add tests to the StructValidator * add NewTLSConfig test * move baseDN for users/groups into parsed values * add tests to cover many of the outstanding areas in LDAP * add explicit deferred LDAP conn close to UpdatePassword * add some basic testing to SMTP notifier * suggestions from code review
2021-01-04 10:28:55 +00:00
"authentication_backend.ldap.start_tls",
"authentication_backend.ldap.tls.minimum_version",
"authentication_backend.ldap.tls.skip_verify",
"authentication_backend.ldap.tls.server_name",
"authentication_backend.ldap.skip_verify", // TODO: Deprecated: Remove in 4.28.
"authentication_backend.ldap.minimum_tls_version", // TODO: Deprecated: Remove in 4.28.
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
// File Authentication Backend Keys.
"authentication_backend.file.path",
"authentication_backend.file.password.algorithm",
"authentication_backend.file.password.iterations",
"authentication_backend.file.password.key_length",
"authentication_backend.file.password.salt_length",
"authentication_backend.file.password.memory",
"authentication_backend.file.password.parallelism",
// Secret Keys.
"authelia.jwt_secret",
"authelia.duo_api.secret_key",
"authelia.session.secret",
"authelia.authentication_backend.ldap.password",
"authelia.notifier.smtp.password",
"authelia.session.redis.password",
"authelia.storage.mysql.password",
"authelia.storage.postgres.password",
"authelia.jwt_secret.file",
"authelia.duo_api.secret_key.file",
"authelia.session.secret.file",
"authelia.authentication_backend.ldap.password.file",
"authelia.notifier.smtp.password.file",
"authelia.session.redis.password.file",
"authelia.storage.mysql.password.file",
"authelia.storage.postgres.password.file",
}
var specificErrorKeys = map[string]string{
[DEPRECATE] Remove Google Analytics (#1021) * it doesn't work with our current CSP * it's probably not used by anyone * it isn't in harmony with our security purposes * literally removes all use of it * suggestions from code review * remove useless test. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-15 23:41:42 +00:00
"logs_file_path": "config key replaced: logs_file is now log_file",
"logs_level": "config key replaced: logs_level is now log_level",
"google_analytics": "config key removed: google_analytics - this functionality has been deprecated",
[FEATURE] Config Validation (#901) * [FEATURE] Config Validation * check configuration for invalid keys on startup * allow users to manually trigger all configuration validation on a file using a cmd * setup all defaults in config template and run tests against it to prevent accidents * use tests to check bad configuration values are caught * use tests to check old configuration values are caught * add tests for specific key errors * resolve merge conflicts * nolint prealloc for test
2020-04-23 01:47:27 +00:00
"authentication_backend.file.password_options.algorithm": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
"authentication_backend.file.password_options.iterations": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
"authentication_backend.file.password_options.key_length": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
"authentication_backend.file.password_options.salt_length": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
"authentication_backend.file.password_options.memory": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
"authentication_backend.file.password_options.parallelism": "config key incorrect: authentication_backend.file.password_options should be authentication_backend.file.password",
"authentication_backend.file.password_hashing.algorithm": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
"authentication_backend.file.password_hashing.iterations": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
"authentication_backend.file.password_hashing.key_length": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
"authentication_backend.file.password_hashing.salt_length": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
"authentication_backend.file.password_hashing.memory": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
"authentication_backend.file.password_hashing.parallelism": "config key incorrect: authentication_backend.file.password_hashing should be authentication_backend.file.password",
"authentication_backend.file.hashing.algorithm": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
"authentication_backend.file.hashing.iterations": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
"authentication_backend.file.hashing.key_length": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
"authentication_backend.file.hashing.salt_length": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
"authentication_backend.file.hashing.memory": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
"authentication_backend.file.hashing.parallelism": "config key incorrect: authentication_backend.file.hashing should be authentication_backend.file.password",
}
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-02 16:20:40 +00:00
feat(session): add redis sentinel provider (#1768) * feat(session): add redis sentinel provider * refactor(session): use int for ports as per go standards * refactor(configuration): adjust tests and validation * refactor(configuration): add err format consts * refactor(configuration): explicitly map redis structs * refactor(session): merge redis/redis sentinel providers * refactor(session): add additional checks to redis providers * feat(session): add redis cluster provider * fix: update config for new values * fix: provide nil certpool to affected tests/mocks * test: add additional tests to cover uncovered code * docs: expand explanation of host and nodes relation for redis * ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum * fix(session): sentinel password * test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config * test: make entrypoint.sh executable, fix entrypoint.sh if/elif * test: add redis failover tests * test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging * test: add sentinel integration test * test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep * feat: use sentinel failover cluster * fix: renamed addrs to sentineladdrs upstream * test(session): sentinel failover * test: add redis standard back into testing * test: move redis standalone test to traefik2 * fix/docs: apply suggestions from code review
2021-03-09 23:03:05 +00:00
const errFmtSessionSecretRedisProvider = "The session secret must be set when using the %s session provider"
const errFmtSessionRedisPortRange = "The port must be between 1 and 65535 for the %s session provider"
const errFmtSessionRedisHostRequired = "The host must be provided when using the %s session provider"
const errFmtSessionRedisHostOrNodesRequired = "Either the host or a node must be provided when using the %s session provider"
[FEATURE] Validate ACLs and add network groups (#1568) * adds validation to ACL's * adds a new networks section that can be used as aliases in other sections (currently access_control)
2021-01-04 10:55:23 +00:00
const denyPolicy = "deny"
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
const bypassPolicy = "bypass"
[FEATURE] Validate ACLs and add network groups (#1568) * adds validation to ACL's * adds a new networks section that can be used as aliases in other sections (currently access_control)
2021-01-04 10:55:23 +00:00
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-02 16:20:40 +00:00
const argon2id = "argon2id"
const sha512 = "sha512"
const schemeLDAP = "ldap"
const schemeLDAPS = "ldaps"
const testBadTimer = "-1"
[FEATURE] Add theme support (#1584) * [FEATURE] Add theme support This change allows users to select a theme for Authelia on start-up. The default will continue to be the existing theme which is known as `light`. Three new options are now also provided: * `dark` * `grey` * `custom` The `custom` theme allows users to specify a primary and secondary hex color code to be utilised to style the portal. Co-authored-by: BankaiNoJutsu <lbegert@gmail.com> * Add themes to integration tests * Remove custom theme * Fix linting issue in access_control_test.go Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>
2021-01-20 12:07:40 +00:00
const testInvalidPolicy = "invalid"
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-02 16:20:40 +00:00
const testJWTSecret = "a_secret"
[CI] Adjust reviewdog filtermode for linting (#1506) This will ensure that linter errors are picked up for the entire codebase instead of just against the default of [added/modified lines](https://github.com/reviewdog/reviewdog#added-default).
2020-12-03 07:06:42 +00:00
const testLDAPBaseDN = "base_dn"
const testLDAPPassword = "password"
const testLDAPURL = "ldap://ldap"
const testLDAPUser = "user"
const testModeDisabled = "disable"
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-02 16:20:40 +00:00
const testTLSCert = "/tmp/cert.pem"
const testTLSKey = "/tmp/key.pem"
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
const errAccessControlInvalidPolicyWithSubjects = "Policy [bypass] for domain %s with subjects %s is invalid. It is not supported to configure both policy bypass and subjects. For more information see: https://www.authelia.com/docs/configuration/access-control.html#combining-subjects-and-the-bypass-policy"