authelia/internal/handlers/const.go

package handlers

import (
	"github.com/valyala/fasthttp"
)

const (
	// ActionTOTPRegistration is the string representation of the action for which the token has been produced.
	ActionTOTPRegistration = "RegisterTOTPDevice"

	// ActionU2FRegistration is the string representation of the action for which the token has been produced.
	ActionU2FRegistration = "RegisterU2FDevice"

	// ActionResetPassword is the string representation of the action for which the token has been produced.
	ActionResetPassword = "ResetPassword"
)

var (
	headerAuthorization      = []byte(fasthttp.HeaderAuthorization)
	headerProxyAuthorization = []byte(fasthttp.HeaderProxyAuthorization)

	headerSessionUsername = []byte("Session-Username")
	headerRemoteUser      = []byte("Remote-User")
	headerRemoteGroups    = []byte("Remote-Groups")
	headerRemoteName      = []byte("Remote-Name")
	headerRemoteEmail     = []byte("Remote-Email")
)

const (
	// Forbidden means the user is forbidden the access to a resource.
	Forbidden authorizationMatching = iota
	// NotAuthorized means the user can access the resource with more permissions.
	NotAuthorized authorizationMatching = iota
	// Authorized means the user is authorized given her current permissions.
	Authorized authorizationMatching = iota
)

const (
	messageOperationFailed                 = "Operation failed."
	messageAuthenticationFailed            = "Authentication failed. Check your credentials."
	messageUnableToRegisterOneTimePassword = "Unable to set up one-time passwords." //nolint:gosec
	messageUnableToRegisterSecurityKey     = "Unable to register your security key."
	messageUnableToResetPassword           = "Unable to reset your password."
	messageMFAValidationFailed             = "Authentication failed, please retry later."
)

const (
	logFmtErrParseRequestBody     = "Failed to parse %s request body: %+v"
	logFmtErrWriteResponseBody    = "Failed to write %s response body for user '%s': %+v"
	logFmtErrRegulationFail       = "Failed to perform %s authentication regulation for user '%s': %+v"
	logFmtErrSessionRegenerate    = "Could not regenerate session during %s authentication for user '%s': %+v"
	logFmtErrSessionReset         = "Could not reset session during %s authentication for user '%s': %+v"
	logFmtErrSessionSave          = "Could not save session with the %s during %s authentication for user '%s': %+v"
	logFmtErrObtainProfileDetails = "Could not obtain profile details during %s authentication for user '%s': %+v"
	logFmtTraceProfileDetails     = "Profile details for user '%s' => groups: %s, emails %s"
)

const (
	testInactivity     = "10"
	testRedirectionURL = "http://redirection.local"
	testUsername       = "john"
)

const (
	loginDelayMovingAverageWindow            = 10
	loginDelayMinimumDelayMilliseconds       = float64(250)
	loginDelayMaximumRandomDelayMilliseconds = int64(85)
)

// Duo constants.
const (
	allow  = "allow"
	deny   = "deny"
	enroll = "enroll"
	auth   = "auth"
)

// OIDC constants.
const (
	pathOpenIDConnectWellKnown = "/.well-known/openid-configuration"

	pathOpenIDConnectJWKs          = "/api/oidc/jwks"
	pathOpenIDConnectAuthorization = "/api/oidc/authorize"
	pathOpenIDConnectToken         = "/api/oidc/token" //nolint:gosec // This is not a hard coded credential, it's a path.
	pathOpenIDConnectIntrospection = "/api/oidc/introspect"
	pathOpenIDConnectRevocation    = "/api/oidc/revoke"
	pathOpenIDConnectUserinfo      = "/api/oidc/userinfo"

	// Note: If you change this const you must also do so in the frontend at web/src/services/Api.ts.
	pathOpenIDConnectConsent = "/api/oidc/consent"
)

const (
	accept = "accept"
	reject = "reject"
)

const authPrefix = "Basic "

const ldapPasswordComplexityCode = "0000052D."

var ldapPasswordComplexityCodes = []string{
	"0000052D", "SynoNumber", "SynoMixedCase", "SynoExcludeNameDesc", "SynoSpecialChar",
}

var ldapPasswordComplexityErrors = []string{
	"LDAP Result Code 19 \"Constraint Violation\": Password fails quality checking policy",
	"LDAP Result Code 19 \"Constraint Violation\": Password is too young to change",
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package handlers`

refactor(handlers): utilize referer for auth logging rm/rd (#2655) This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets. 2021-12-02 02:21:46 +00:00			`import (`
			`"github.com/valyala/fasthttp"`
			`)`

fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`const (`
			`// ActionTOTPRegistration is the string representation of the action for which the token has been produced.`
			`ActionTOTPRegistration = "RegisterTOTPDevice"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`// ActionU2FRegistration is the string representation of the action for which the token has been produced.`
			`ActionU2FRegistration = "RegisterU2FDevice"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`// ActionResetPassword is the string representation of the action for which the token has been produced.`
			`ActionResetPassword = "ResetPassword"`
			`)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
refactor(handlers): utilize referer for auth logging rm/rd (#2655) This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets. 2021-12-02 02:21:46 +00:00			`var (`
			`headerAuthorization = []byte(fasthttp.HeaderAuthorization)`
			`headerProxyAuthorization = []byte(fasthttp.HeaderProxyAuthorization)`
[FEATURE] Add Optional Check for Session Username on VerifyGet (#1427) * Adding the Session-Username header to the /api/verify endpoint when using cookie auth will check the value stored in the session store for the username and the header value are the same. * use strings.EqualFold to compare case insensitively * add docs * add unit tests * invalidate session if it is theoretically hijacked and log it as a warning (can only be determined if the header doesn't match the cookie) * add example PAM script * go mod tidy * go mod bump to 1.15 2020-12-01 23:03:44 +00:00
refactor(handlers): utilize referer for auth logging rm/rd (#2655) This utilizes the referrer query parameters instead of current request query parameters for logging the requested URI and method. Minor performance improvements to header peek/sets. 2021-12-02 02:21:46 +00:00			`headerSessionUsername = []byte("Session-Username")`
			`headerRemoteUser = []byte("Remote-User")`
			`headerRemoteGroups = []byte("Remote-Groups")`
			`headerRemoteName = []byte("Remote-Name")`
			`headerRemoteEmail = []byte("Remote-Email")`
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
			`const (`
[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// Forbidden means the user is forbidden the access to a resource.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`Forbidden authorizationMatching = iota`
			`// NotAuthorized means the user can access the resource with more permissions.`
			`NotAuthorized authorizationMatching = iota`
			`// Authorized means the user is authorized given her current permissions.`
			`Authorized authorizationMatching = iota`
			`)`

fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`const (`
			`messageOperationFailed = "Operation failed."`
			`messageAuthenticationFailed = "Authentication failed. Check your credentials."`
			`messageUnableToRegisterOneTimePassword = "Unable to set up one-time passwords." //nolint:gosec`
			`messageUnableToRegisterSecurityKey = "Unable to register your security key."`
			`messageUnableToResetPassword = "Unable to reset your password."`
			`messageMFAValidationFailed = "Authentication failed, please retry later."`
			`)`
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460) * Added `ActiveDirectory` suite for integration tests with Samba AD * Updated documentation * Minor styling refactor to suites * Clean up LDAP user provisioning * Fix Authelia home splash to reference correct link for webmail * Add notification message for password complexity errors * Add password complexity integration test * Rename implementation default from rfc to custom * add specific defaults for LDAP (activedirectory implementation) * add docs to show the new defaults * add docs explaining the importance of users filter * add tests * update instances of LDAP implementation names to use the new consts where applicable * made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead * update config examples due to the new defaults * apply changes from code review * replace schema default name from MSAD to ActiveDirectory for consistency * fix missing default for username_attribute * replace test raising on empty username attribute with not raising on empty Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2020-11-27 09:59:22 +00:00
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293. 2021-11-29 03:09:14 +00:00			`const (`
			`logFmtErrParseRequestBody = "Failed to parse %s request body: %+v"`
			`logFmtErrWriteResponseBody = "Failed to write %s response body for user '%s': %+v"`
			`logFmtErrRegulationFail = "Failed to perform %s authentication regulation for user '%s': %+v"`
			`logFmtErrSessionRegenerate = "Could not regenerate session during %s authentication for user '%s': %+v"`
			`logFmtErrSessionReset = "Could not reset session during %s authentication for user '%s': %+v"`
			`logFmtErrSessionSave = "Could not save session with the %s during %s authentication for user '%s': %+v"`
			`logFmtErrObtainProfileDetails = "Could not obtain profile details during %s authentication for user '%s': %+v"`
			`logFmtTraceProfileDetails = "Profile details for user '%s' => groups: %s, emails %s"`
			`)`

fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`const (`
			`testInactivity = "10"`
			`testRedirectionURL = "http://redirection.local"`
			`testUsername = "john"`
			`)`
[FEATURE] Delay 1FA Authentication (#993) * adaptively delay 1FA by the actual execution time of authentication * should grow and shrink over time as successful attempts are made * uses the average of the last 10 successful attempts to calculate * starts at an average of 1000ms * minimum is 250ms * a random delay is added to the largest of avg or minimum * the random delay is between 0ms and 85ms * bump LDAP suite to 80s timeout * bump regulation scenario to 45s * add mutex locking * amend logging * add docs * add tests Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-20 22:03:15 +00:00
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`const (`
			`loginDelayMovingAverageWindow = 10`
			`loginDelayMinimumDelayMilliseconds = float64(250)`
			`loginDelayMaximumRandomDelayMilliseconds = int64(85)`
			`)`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
feat(duo): multi device selection (#2137) Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator. Closes #594. Closes #1039. 2021-12-01 03:32:58 +00:00			`// Duo constants.`
			`const (`
			`allow = "allow"`
			`deny = "deny"`
			`enroll = "enroll"`
			`auth = "auth"`
			`)`

feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`// OIDC constants.`
			`const (`
fix: oidc issuer path and strip path middleware (#2272) * fix: oidc issuer path and strip path middleware This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content. * fix: only log the token error and general refactoring * refactor: factorize base_url functions * refactor(server): include all paths in startup logging * refactor: factorize * refactor: GetExternalRootURL -> ExternalRootURL Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2021-08-10 00:31:08 +00:00			`pathOpenIDConnectWellKnown = "/.well-known/openid-configuration"`

fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`pathOpenIDConnectJWKs = "/api/oidc/jwks"`
			`pathOpenIDConnectAuthorization = "/api/oidc/authorize"`
			`pathOpenIDConnectToken = "/api/oidc/token" //nolint:gosec // This is not a hard coded credential, it's a path.`
			`pathOpenIDConnectIntrospection = "/api/oidc/introspect"`
			`pathOpenIDConnectRevocation = "/api/oidc/revoke"`
			`pathOpenIDConnectUserinfo = "/api/oidc/userinfo"`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00
			`// Note: If you change this const you must also do so in the frontend at web/src/services/Api.ts.`
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00			`pathOpenIDConnectConsent = "/api/oidc/consent"`
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com> 2021-05-04 22:06:05 +00:00			`)`

			`const (`
			`accept = "accept"`
			`reject = "reject"`
			`)`
fix(handlers): handle xhr requests to /api/verify with 401 (#2189) This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303. 2021-07-22 03:52:37 +00:00
			`const authPrefix = "Basic "`

			`const ldapPasswordComplexityCode = "0000052D."`

			`var ldapPasswordComplexityCodes = []string{`
			`"0000052D", "SynoNumber", "SynoMixedCase", "SynoExcludeNameDesc", "SynoSpecialChar",`
			`}`

			`var ldapPasswordComplexityErrors = []string{`
			`"LDAP Result Code 19 \"Constraint Violation\": Password fails quality checking policy",`
			`"LDAP Result Code 19 \"Constraint Violation\": Password is too young to change",`
			`}`