authelia/internal/handlers/const.go

package handlers

// TOTPRegistrationAction is the string representation of the action for which the token has been produced.
const TOTPRegistrationAction = "RegisterTOTPDevice"

// U2FRegistrationAction is the string representation of the action for which the token has been produced.
const U2FRegistrationAction = "RegisterU2FDevice"

// ResetPasswordAction is the string representation of the action for which the token has been produced.
const ResetPasswordAction = "ResetPassword"

const authPrefix = "Basic "

// ProxyAuthorizationHeader is the basic-auth HTTP header Authelia utilises.
const ProxyAuthorizationHeader = "Proxy-Authorization"

// AuthorizationHeader is the basic-auth HTTP header Authelia utilises with "auth=basic" query param.
const AuthorizationHeader = "Authorization"

// SessionUsernameHeader is used as additional protection to validate a user for things like pam_exec.
const SessionUsernameHeader = "Session-Username"

const remoteUserHeader = "Remote-User"
const remoteNameHeader = "Remote-Name"
const remoteEmailHeader = "Remote-Email"
const remoteGroupsHeader = "Remote-Groups"

const (
	// Forbidden means the user is forbidden the access to a resource.
	Forbidden authorizationMatching = iota
	// NotAuthorized means the user can access the resource with more permissions.
	NotAuthorized authorizationMatching = iota
	// Authorized means the user is authorized given her current permissions.
	Authorized authorizationMatching = iota
)

const operationFailedMessage = "Operation failed."
const authenticationFailedMessage = "Authentication failed. Check your credentials."
const userBannedMessage = "Please retry in a few minutes."
const unableToRegisterOneTimePasswordMessage = "Unable to set up one-time passwords." //nolint:gosec
const unableToRegisterSecurityKeyMessage = "Unable to register your security key."
const unableToResetPasswordMessage = "Unable to reset your password."
const mfaValidationFailedMessage = "Authentication failed, please retry later."

const ldapPasswordComplexityCode = "0000052D."

var ldapPasswordComplexityCodes = []string{
	"0000052D", "SynoNumber", "SynoMixedCase", "SynoExcludeNameDesc", "SynoSpecialChar",
}
var ldapPasswordComplexityErrors = []string{
	"LDAP Result Code 19 \"Constraint Violation\": Password fails quality checking policy",
	"LDAP Result Code 19 \"Constraint Violation\": Password is too young to change",
}

const testInactivity = "10"
const testRedirectionURL = "http://redirection.local"
const testResultAllow = "allow"
const testUsername = "john"

const movingAverageWindow = 10
const msMinimumDelay1FA = float64(250)
const msMaximumRandomDelay = int64(85)

// OIDC constants.
const (
	oidcWellKnownPath  = "/.well-known/openid-configuration"
	oidcJWKsPath       = "/api/oidc/jwks"
	oidcAuthorizePath  = "/api/oidc/authorize"
	oidcTokenPath      = "/api/oidc/token" //nolint:gosec // This is not a hard coded credential, it's a path.
	oidcIntrospectPath = "/api/oidc/introspect"
	oidcRevokePath     = "/api/oidc/revoke"

	// Note: If you change this const you must also do so in the frontend at web/src/services/Api.ts.
	oidcConsentPath = "/api/oidc/consent"
)

const (
	accept = "accept"
	reject = "reject"
)

var scopeDescriptions = map[string]string{
	"openid":  "Use OpenID to verify your identity",
	"email":   "Access your email addresses",
	"profile": "Access your username",
	"groups":  "Access your group membership",
}

var audienceDescriptions = map[string]string{}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package handlers`

			`// TOTPRegistrationAction is the string representation of the action for which the token has been produced.`
			`const TOTPRegistrationAction = "RegisterTOTPDevice"`

			`// U2FRegistrationAction is the string representation of the action for which the token has been produced.`
			`const U2FRegistrationAction = "RegisterU2FDevice"`

			`// ResetPasswordAction is the string representation of the action for which the token has been produced.`
			`const ResetPasswordAction = "ResetPassword"`

			`const authPrefix = "Basic "`

feat(handlers): authorization header switch via query param to /api/verify (#1563) * [FEATURE] Add auth query param to /api/verify (#1353) When `/api/verify` is called with `?auth=basic`, use the standard Authorization header instead of Proxy-Authorization. * [FIX] Better basic auth error reporting * [FIX] Return 401 when using basic auth instead of redirecting * [TESTS] Add tests for auth=basic query param * [DOCS] Mention auth=basic argument and provide nginx example * docs: add/adjust basic auth query arg docs for proxies Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2021-02-23 23:35:04 +00:00			`// ProxyAuthorizationHeader is the basic-auth HTTP header Authelia utilises.`
			`const ProxyAuthorizationHeader = "Proxy-Authorization"`

			`// AuthorizationHeader is the basic-auth HTTP header Authelia utilises with "auth=basic" query param.`
			`const AuthorizationHeader = "Authorization"`
[FEATURE] Add Optional Check for Session Username on VerifyGet (#1427) * Adding the Session-Username header to the /api/verify endpoint when using cookie auth will check the value stored in the session store for the username and the header value are the same. * use strings.EqualFold to compare case insensitively * add docs * add unit tests * invalidate session if it is theoretically hijacked and log it as a warning (can only be determined if the header doesn't match the cookie) * add example PAM script * go mod tidy * go mod bump to 1.15 2020-12-01 23:03:44 +00:00
			`// SessionUsernameHeader is used as additional protection to validate a user for things like pam_exec.`
			`const SessionUsernameHeader = "Session-Username"`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`const remoteUserHeader = "Remote-User"`
[FEATURE] Add Remote-Name and Remote-Email headers (#1402) 2020-10-26 11:38:08 +00:00			`const remoteNameHeader = "Remote-Name"`
			`const remoteEmailHeader = "Remote-Email"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`const remoteGroupsHeader = "Remote-Groups"`

			`const (`
[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// Forbidden means the user is forbidden the access to a resource.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`Forbidden authorizationMatching = iota`
			`// NotAuthorized means the user can access the resource with more permissions.`
			`NotAuthorized authorizationMatching = iota`
			`// Authorized means the user is authorized given her current permissions.`
			`Authorized authorizationMatching = iota`
			`)`

			`const operationFailedMessage = "Operation failed."`
			`const authenticationFailedMessage = "Authentication failed. Check your credentials."`
			`const userBannedMessage = "Please retry in a few minutes."`
[BUGFIX] Password hashing schema map mismatch with docs (#852) * add a nolint for gosec 'possibly hardcoded password' that was incorrect * make all parameters consistent * update the docs for the correct key name 'password' instead of 'password_options' or 'password_hashing' * reword some of the docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com> 2020-04-11 03:54:18 +00:00			`const unableToRegisterOneTimePasswordMessage = "Unable to set up one-time passwords." //nolint:gosec`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`const unableToRegisterSecurityKeyMessage = "Unable to register your security key."`
			`const unableToResetPasswordMessage = "Unable to reset your password."`
			`const mfaValidationFailedMessage = "Authentication failed, please retry later."`
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-02 16:20:40 +00:00
[MISC] Catch OpenLDAP ppolicy error (#1508) * [MISC] Catch OpenLDAP ppolicy error Further to the discussion over at #361, this change now ensures that OpenLDAP password complexity errors are caught and appropriately handled. This change also includes the PasswordComplexity test suite in the LDAP integration suite. This is because a ppolicy has been setup and enforced. * Remove password history for integration tests * Adjust max failures due to regulation trigger * Fix error handling for password resets * Refactor and include code suggestions 2020-12-16 01:30:03 +00:00			`const ldapPasswordComplexityCode = "0000052D."`

feat(handlers): synology password complexity err on reset (#2083) This responds to the client with the correct error when used with Synology LDAP servers. 2021-06-16 02:50:14 +00:00			`var ldapPasswordComplexityCodes = []string{`
			`"0000052D", "SynoNumber", "SynoMixedCase", "SynoExcludeNameDesc", "SynoSpecialChar",`
			`}`
			`var ldapPasswordComplexityErrors = []string{`
			`"LDAP Result Code 19 \"Constraint Violation\": Password fails quality checking policy",`
			`"LDAP Result Code 19 \"Constraint Violation\": Password is too young to change",`
			`}`
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460) * Added `ActiveDirectory` suite for integration tests with Samba AD * Updated documentation * Minor styling refactor to suites * Clean up LDAP user provisioning * Fix Authelia home splash to reference correct link for webmail * Add notification message for password complexity errors * Add password complexity integration test * Rename implementation default from rfc to custom * add specific defaults for LDAP (activedirectory implementation) * add docs to show the new defaults * add docs explaining the importance of users filter * add tests * update instances of LDAP implementation names to use the new consts where applicable * made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead * update config examples due to the new defaults * apply changes from code review * replace schema default name from MSAD to ActiveDirectory for consistency * fix missing default for username_attribute * replace test raising on empty username attribute with not raising on empty Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2020-11-27 09:59:22 +00:00
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-02 16:20:40 +00:00			`const testInactivity = "10"`
			`const testRedirectionURL = "http://redirection.local"`
			`const testResultAllow = "allow"`
			`const testUsername = "john"`
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-20 22:03:15 +00:00
			`const movingAverageWindow = 10`
			`const msMinimumDelay1FA = float64(250)`
			`const msMaximumRandomDelay = int64(85)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
			`// OIDC constants.`
			`const (`
			`oidcWellKnownPath = "/.well-known/openid-configuration"`
			`oidcJWKsPath = "/api/oidc/jwks"`
			`oidcAuthorizePath = "/api/oidc/authorize"`
			`oidcTokenPath = "/api/oidc/token" //nolint:gosec // This is not a hard coded credential, it's a path.`
			`oidcIntrospectPath = "/api/oidc/introspect"`
			`oidcRevokePath = "/api/oidc/revoke"`

			`// Note: If you change this const you must also do so in the frontend at web/src/services/Api.ts.`
			`oidcConsentPath = "/api/oidc/consent"`
			`)`

			`const (`
			`accept = "accept"`
			`reject = "reject"`
			`)`

			`var scopeDescriptions = map[string]string{`
			`"openid": "Use OpenID to verify your identity",`
			`"email": "Access your email addresses",`
			`"profile": "Access your username",`
			`"groups": "Access your group membership",`
			`}`

			`var audienceDescriptions = map[string]string{}`