RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/authentication/file_user_provider.go

234 lines
6.2 KiB
Go
Raw Normal View History

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
package authentication
import (
"fmt"
"io/ioutil"
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 06:25:35 +00:00
"os"
Improve logs of password hashing to help troubleshoot issues.
2019-12-27 16:55:00 +00:00
"strings"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
"sync"
"github.com/asaskevich/govalidator"
[HOTFIX] Prevent Username Enumeration (#950) * [HOTFIX] Prevent Username Enumeration * thanks to TheHllm for identifying the bug: https://github.com/TheHllm * temporarily prevents username enumeration with file auth * proper calculated and very slightly random fix to come * closely replicate behaviour * allow error to bubble up * Synchronize security documentation. Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-01 22:32:09 +00:00
"github.com/simia-tech/crypt"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
"gopkg.in/yaml.v2"
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 12:37:21 +00:00
"github.com/authelia/authelia/internal/configuration/schema"
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 06:25:35 +00:00
"github.com/authelia/authelia/internal/logging"
[HOTFIX] Prevent Username Enumeration (#950) * [HOTFIX] Prevent Username Enumeration * thanks to TheHllm for identifying the bug: https://github.com/TheHllm * temporarily prevents username enumeration with file auth * proper calculated and very slightly random fix to come * closely replicate behaviour * allow error to bubble up * Synchronize security documentation. Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-01 22:32:09 +00:00
"github.com/authelia/authelia/internal/utils"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
)
// FileUserProvider is a provider reading details from a file.
type FileUserProvider struct {
[FEATURE] Support Argon2id password hasing and improved entropy (#679) * [FEATURE] Support Argon2id Passwords - Updated go module github.com/simia-tech/crypt - Added Argon2id support for file based authentication backend - Made it the default method - Made it so backwards compatibility with SHA512 exists - Force seeding of the random string generator used for salts to ensure they are all different - Added command params to the authelia hash-password command - Automatically remove {CRYPT} from hashes as they are updated - Automatically change hashes when they are updated to the configured algorithm - Made the hashing algorithm parameters completely configurable - Added reasonably comprehensive test suites - Updated docs - Updated config template * Adjust error output * Fix unit test * Add unit tests and argon2 version check * Fix new unit tests * Update docs, added tests * Implement configurable values and more comprehensive testing * Added cmd params to hash_password, updated docs, misc fixes * More detailed error for cmd, fixed a typo * Fixed cmd flag error, minor refactoring * Requested Changes and Minor refactoring * Increase entropy * Update docs for entropy changes * Refactor to reduce nesting and easier code maintenance * Cleanup Errors (uniformity for the function call) * Check salt length, fix docs * Add Base64 string validation for argon2id * Cleanup and Finalization - Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go - Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len - Fixed an error in validator that would allow a zero salt length - Added a test to verify the upstream crypt module supports our defined random salt chars - Updated docs - Removed unused "HashingAlgorithm" string type * Update crypt go mod, support argon2id key length and major refactor * Config Template Update, Final Tests * Use schema defaults for hash-password cmd * Iterations check * Docs requested changes * Test Coverage, suggested edits * Wording edit * Doc changes * Default sanity changes * Default sanity changes - docs * CI Sanity changes * Memory in MB
2020-03-06 01:38:02 +00:00
configuration *schema.FileAuthenticationBackendConfiguration
database *DatabaseModel
lock *sync.Mutex
[HOTFIX] Prevent Username Enumeration (#950) * [HOTFIX] Prevent Username Enumeration * thanks to TheHllm for identifying the bug: https://github.com/TheHllm * temporarily prevents username enumeration with file auth * proper calculated and very slightly random fix to come * closely replicate behaviour * allow error to bubble up * Synchronize security documentation. Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-01 22:32:09 +00:00
// TODO: Remove this. This is only here to temporarily fix the username enumeration security flaw in #949.
fakeHash string
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
// UserDetailsModel is the model of user details in the file database.
type UserDetailsModel struct {
HashedPassword string `yaml:"password" valid:"required"`
[FEATURE] Add configurable display name to frontend (#1124) * [FEATURE] Add configurable display name to frontend This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting. Similarly for the file based backend a new required key "name" has been introduced. This can also be used down the line with OIDC as a separate scope. * Update references from Name to DisplayName * Update compose bundles to include displayname refs * Update LDAP automatic profile refresh * Ensure display name is updated * Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 10:50:21 +00:00
DisplayName string `yaml:"displayname" valid:"required"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
Email string `yaml:"email"`
Groups []string `yaml:"groups"`
}
// DatabaseModel is the model of users file database.
type DatabaseModel struct {
Users map[string]UserDetailsModel `yaml:"users" valid:"required"`
}
// NewFileUserProvider creates a new instance of FileUserProvider.
[FEATURE] Support Argon2id password hasing and improved entropy (#679) * [FEATURE] Support Argon2id Passwords - Updated go module github.com/simia-tech/crypt - Added Argon2id support for file based authentication backend - Made it the default method - Made it so backwards compatibility with SHA512 exists - Force seeding of the random string generator used for salts to ensure they are all different - Added command params to the authelia hash-password command - Automatically remove {CRYPT} from hashes as they are updated - Automatically change hashes when they are updated to the configured algorithm - Made the hashing algorithm parameters completely configurable - Added reasonably comprehensive test suites - Updated docs - Updated config template * Adjust error output * Fix unit test * Add unit tests and argon2 version check * Fix new unit tests * Update docs, added tests * Implement configurable values and more comprehensive testing * Added cmd params to hash_password, updated docs, misc fixes * More detailed error for cmd, fixed a typo * Fixed cmd flag error, minor refactoring * Requested Changes and Minor refactoring * Increase entropy * Update docs for entropy changes * Refactor to reduce nesting and easier code maintenance * Cleanup Errors (uniformity for the function call) * Check salt length, fix docs * Add Base64 string validation for argon2id * Cleanup and Finalization - Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go - Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len - Fixed an error in validator that would allow a zero salt length - Added a test to verify the upstream crypt module supports our defined random salt chars - Updated docs - Removed unused "HashingAlgorithm" string type * Update crypt go mod, support argon2id key length and major refactor * Config Template Update, Final Tests * Use schema defaults for hash-password cmd * Iterations check * Docs requested changes * Test Coverage, suggested edits * Wording edit * Doc changes * Default sanity changes * Default sanity changes - docs * CI Sanity changes * Memory in MB
2020-03-06 01:38:02 +00:00
func NewFileUserProvider(configuration *schema.FileAuthenticationBackendConfiguration) *FileUserProvider {
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 06:25:35 +00:00
errs := checkDatabase(configuration.Path)
if errs != nil {
for _, err := range errs {
logging.Logger().Error(err)
}
os.Exit(1)
}
[FEATURE] Support Argon2id password hasing and improved entropy (#679) * [FEATURE] Support Argon2id Passwords - Updated go module github.com/simia-tech/crypt - Added Argon2id support for file based authentication backend - Made it the default method - Made it so backwards compatibility with SHA512 exists - Force seeding of the random string generator used for salts to ensure they are all different - Added command params to the authelia hash-password command - Automatically remove {CRYPT} from hashes as they are updated - Automatically change hashes when they are updated to the configured algorithm - Made the hashing algorithm parameters completely configurable - Added reasonably comprehensive test suites - Updated docs - Updated config template * Adjust error output * Fix unit test * Add unit tests and argon2 version check * Fix new unit tests * Update docs, added tests * Implement configurable values and more comprehensive testing * Added cmd params to hash_password, updated docs, misc fixes * More detailed error for cmd, fixed a typo * Fixed cmd flag error, minor refactoring * Requested Changes and Minor refactoring * Increase entropy * Update docs for entropy changes * Refactor to reduce nesting and easier code maintenance * Cleanup Errors (uniformity for the function call) * Check salt length, fix docs * Add Base64 string validation for argon2id * Cleanup and Finalization - Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go - Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len - Fixed an error in validator that would allow a zero salt length - Added a test to verify the upstream crypt module supports our defined random salt chars - Updated docs - Removed unused "HashingAlgorithm" string type * Update crypt go mod, support argon2id key length and major refactor * Config Template Update, Final Tests * Use schema defaults for hash-password cmd * Iterations check * Docs requested changes * Test Coverage, suggested edits * Wording edit * Doc changes * Default sanity changes * Default sanity changes - docs * CI Sanity changes * Memory in MB
2020-03-06 01:38:02 +00:00
database, err := readDatabase(configuration.Path)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
if err != nil {
// Panic since the file does not exist when Authelia is starting.
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
panic(err)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
Add early checks for user hashes.
2019-12-27 17:09:57 +00:00
// Early check whether hashed passwords are correct for all users
err = checkPasswordHashes(database)
if err != nil {
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
panic(err)
Add early checks for user hashes.
2019-12-27 17:09:57 +00:00
}
[MISC] Introduce CryptAlgo type. (#960) * [MISC] Introduce CryptAlgo type. It helps distinguish between the configuration representation of an algorithm and the crypt representation (6 and argon2id vs sha512 vs argon2id). * Add a description to CryptAlgo. * use const Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-05-03 04:06:09 +00:00
var cryptAlgo CryptAlgo = HashingAlgorithmArgon2id
[HOTFIX] Prevent Username Enumeration (#950) * [HOTFIX] Prevent Username Enumeration * thanks to TheHllm for identifying the bug: https://github.com/TheHllm * temporarily prevents username enumeration with file auth * proper calculated and very slightly random fix to come * closely replicate behaviour * allow error to bubble up * Synchronize security documentation. Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-01 22:32:09 +00:00
// TODO: Remove this. This is only here to temporarily fix the username enumeration security flaw in #949.
// This generates a hash that should be usable to do a fake CheckUserPassword
[CI] Add goconst linter (#961) * [CI] Add goconst linter * Implement goconst recommendations * Rename defaultPolicy to denyPolicy * Change order for test constants Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-02 16:20:40 +00:00
if configuration.Password.Algorithm == sha512 {
[MISC] Introduce CryptAlgo type. (#960) * [MISC] Introduce CryptAlgo type. It helps distinguish between the configuration representation of an algorithm and the crypt representation (6 and argon2id vs sha512 vs argon2id). * Add a description to CryptAlgo. * use const Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-05-03 04:06:09 +00:00
cryptAlgo = HashingAlgorithmSHA512
[HOTFIX] Prevent Username Enumeration (#950) * [HOTFIX] Prevent Username Enumeration * thanks to TheHllm for identifying the bug: https://github.com/TheHllm * temporarily prevents username enumeration with file auth * proper calculated and very slightly random fix to come * closely replicate behaviour * allow error to bubble up * Synchronize security documentation. Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-01 22:32:09 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
[HOTFIX] Prevent Username Enumeration (#950) * [HOTFIX] Prevent Username Enumeration * thanks to TheHllm for identifying the bug: https://github.com/TheHllm * temporarily prevents username enumeration with file auth * proper calculated and very slightly random fix to come * closely replicate behaviour * allow error to bubble up * Synchronize security documentation. Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-01 22:32:09 +00:00
settings := getCryptSettings(utils.RandomString(configuration.Password.SaltLength, HashingPossibleSaltCharacters),
[MISC] Introduce CryptAlgo type. (#960) * [MISC] Introduce CryptAlgo type. It helps distinguish between the configuration representation of an algorithm and the crypt representation (6 and argon2id vs sha512 vs argon2id). * Add a description to CryptAlgo. * use const Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-05-03 04:06:09 +00:00
cryptAlgo, configuration.Password.Iterations, configuration.Password.Memory*1024, configuration.Password.Parallelism,
[HOTFIX] Prevent Username Enumeration (#950) * [HOTFIX] Prevent Username Enumeration * thanks to TheHllm for identifying the bug: https://github.com/TheHllm * temporarily prevents username enumeration with file auth * proper calculated and very slightly random fix to come * closely replicate behaviour * allow error to bubble up * Synchronize security documentation. Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-01 22:32:09 +00:00
configuration.Password.KeyLength)
data := crypt.Base64Encoding.EncodeToString([]byte(utils.RandomString(configuration.Password.KeyLength, HashingPossibleSaltCharacters)))
fakeHash := fmt.Sprintf("%s$%s", settings, data)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return &FileUserProvider{
[FEATURE] Support Argon2id password hasing and improved entropy (#679) * [FEATURE] Support Argon2id Passwords - Updated go module github.com/simia-tech/crypt - Added Argon2id support for file based authentication backend - Made it the default method - Made it so backwards compatibility with SHA512 exists - Force seeding of the random string generator used for salts to ensure they are all different - Added command params to the authelia hash-password command - Automatically remove {CRYPT} from hashes as they are updated - Automatically change hashes when they are updated to the configured algorithm - Made the hashing algorithm parameters completely configurable - Added reasonably comprehensive test suites - Updated docs - Updated config template * Adjust error output * Fix unit test * Add unit tests and argon2 version check * Fix new unit tests * Update docs, added tests * Implement configurable values and more comprehensive testing * Added cmd params to hash_password, updated docs, misc fixes * More detailed error for cmd, fixed a typo * Fixed cmd flag error, minor refactoring * Requested Changes and Minor refactoring * Increase entropy * Update docs for entropy changes * Refactor to reduce nesting and easier code maintenance * Cleanup Errors (uniformity for the function call) * Check salt length, fix docs * Add Base64 string validation for argon2id * Cleanup and Finalization - Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go - Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len - Fixed an error in validator that would allow a zero salt length - Added a test to verify the upstream crypt module supports our defined random salt chars - Updated docs - Removed unused "HashingAlgorithm" string type * Update crypt go mod, support argon2id key length and major refactor * Config Template Update, Final Tests * Use schema defaults for hash-password cmd * Iterations check * Docs requested changes * Test Coverage, suggested edits * Wording edit * Doc changes * Default sanity changes * Default sanity changes - docs * CI Sanity changes * Memory in MB
2020-03-06 01:38:02 +00:00
configuration: configuration,
database: database,
lock: &sync.Mutex{},
[HOTFIX] Prevent Username Enumeration (#950) * [HOTFIX] Prevent Username Enumeration * thanks to TheHllm for identifying the bug: https://github.com/TheHllm * temporarily prevents username enumeration with file auth * proper calculated and very slightly random fix to come * closely replicate behaviour * allow error to bubble up * Synchronize security documentation. Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-01 22:32:09 +00:00
fakeHash: fakeHash,
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
}
Add early checks for user hashes.
2019-12-27 17:09:57 +00:00
func checkPasswordHashes(database *DatabaseModel) error {
for u, v := range database.Users {
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
v.HashedPassword = strings.ReplaceAll(v.HashedPassword, "{CRYPT}", "")
Add early checks for user hashes.
2019-12-27 17:09:57 +00:00
_, err := ParseHash(v.HashedPassword)
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
Add early checks for user hashes.
2019-12-27 17:09:57 +00:00
if err != nil {
return fmt.Errorf("Unable to parse hash of user %s: %s", u, err)
}
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
database.Users[u] = v
Add early checks for user hashes.
2019-12-27 17:09:57 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Add early checks for user hashes.
2019-12-27 17:09:57 +00:00
return nil
}
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 06:25:35 +00:00
func checkDatabase(path string) []error {
_, err := os.Stat(path)
if err != nil {
errs := []error{
fmt.Errorf("Unable to find database file: %v", path),
fmt.Errorf("Generating database file: %v", path),
}
err := generateDatabaseFromTemplate(path)
if err != nil {
errs = append(errs, err)
} else {
errs = append(errs, fmt.Errorf("Generated database at: %v", path))
}
return errs
}
return nil
}
func generateDatabaseFromTemplate(path string) error {
f, err := cfg.Open("users_database.template.yml")
if err != nil {
return fmt.Errorf("Unable to open users_database.template.yml: %v", err)
}
b, err := ioutil.ReadAll(f)
if err != nil {
return fmt.Errorf("Unable to read users_database.template.yml: %v", err)
}
err = ioutil.WriteFile(path, b, 0600)
if err != nil {
return fmt.Errorf("Unable to generate %v: %v", path, err)
}
return nil
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
func readDatabase(path string) (*DatabaseModel, error) {
content, err := ioutil.ReadFile(path)
if err != nil {
Add early checks for user hashes.
2019-12-27 17:09:57 +00:00
return nil, fmt.Errorf("Unable to read database from file %s: %s", path, err)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
db := DatabaseModel{}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
err = yaml.Unmarshal(content, &db)
if err != nil {
Add early checks for user hashes.
2019-12-27 17:09:57 +00:00
return nil, fmt.Errorf("Unable to parse database: %s", err)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
ok, err := govalidator.ValidateStruct(db)
if err != nil {
Add early checks for user hashes.
2019-12-27 17:09:57 +00:00
return nil, fmt.Errorf("Invalid schema of database: %s", err)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
if !ok {
Add early checks for user hashes.
2019-12-27 17:09:57 +00:00
return nil, fmt.Errorf("The database format is invalid: %s", err)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return &db, nil
}
// CheckUserPassword checks if provided password matches for the given user.
func (p *FileUserProvider) CheckUserPassword(username string, password string) (bool, error) {
if details, ok := p.database.Users[username]; ok {
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
ok, err := CheckPassword(password, details.HashedPassword)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
if err != nil {
return false, err
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return ok, nil
}
[HOTFIX] Prevent Username Enumeration (#950) * [HOTFIX] Prevent Username Enumeration * thanks to TheHllm for identifying the bug: https://github.com/TheHllm * temporarily prevents username enumeration with file auth * proper calculated and very slightly random fix to come * closely replicate behaviour * allow error to bubble up * Synchronize security documentation. Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-01 22:32:09 +00:00
// TODO: Remove this. This is only here to temporarily fix the username enumeration security flaw in #949.
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
_, _ = CheckPassword(password, p.fakeHash)
[HOTFIX] Prevent Username Enumeration (#950) * [HOTFIX] Prevent Username Enumeration * thanks to TheHllm for identifying the bug: https://github.com/TheHllm * temporarily prevents username enumeration with file auth * proper calculated and very slightly random fix to come * closely replicate behaviour * allow error to bubble up * Synchronize security documentation. Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-01 22:32:09 +00:00
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
return false, ErrUserNotFound
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
// GetDetails retrieve the groups a user belongs to.
func (p *FileUserProvider) GetDetails(username string) (*UserDetails, error) {
if details, ok := p.database.Users[username]; ok {
return &UserDetails{
[FEATURE] Add configurable display name to frontend (#1124) * [FEATURE] Add configurable display name to frontend This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting. Similarly for the file based backend a new required key "name" has been introduced. This can also be used down the line with OIDC as a separate scope. * Update references from Name to DisplayName * Update compose bundles to include displayname refs * Update LDAP automatic profile refresh * Ensure display name is updated * Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 10:50:21 +00:00
Username: username,
DisplayName: details.DisplayName,
Groups: details.Groups,
Emails: []string{details.Email},
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}, nil
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return nil, fmt.Errorf("User '%s' does not exist in database", username)
}
// UpdatePassword update the password of the given user.
func (p *FileUserProvider) UpdatePassword(username string, newPassword string) error {
details, ok := p.database.Users[username]
if !ok {
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
return ErrUserNotFound
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
algorithm, err := ConfigAlgoToCryptoAlgo(p.configuration.Password.Algorithm)
if err != nil {
return err
[FEATURE] Support Argon2id password hasing and improved entropy (#679) * [FEATURE] Support Argon2id Passwords - Updated go module github.com/simia-tech/crypt - Added Argon2id support for file based authentication backend - Made it the default method - Made it so backwards compatibility with SHA512 exists - Force seeding of the random string generator used for salts to ensure they are all different - Added command params to the authelia hash-password command - Automatically remove {CRYPT} from hashes as they are updated - Automatically change hashes when they are updated to the configured algorithm - Made the hashing algorithm parameters completely configurable - Added reasonably comprehensive test suites - Updated docs - Updated config template * Adjust error output * Fix unit test * Add unit tests and argon2 version check * Fix new unit tests * Update docs, added tests * Implement configurable values and more comprehensive testing * Added cmd params to hash_password, updated docs, misc fixes * More detailed error for cmd, fixed a typo * Fixed cmd flag error, minor refactoring * Requested Changes and Minor refactoring * Increase entropy * Update docs for entropy changes * Refactor to reduce nesting and easier code maintenance * Cleanup Errors (uniformity for the function call) * Check salt length, fix docs * Add Base64 string validation for argon2id * Cleanup and Finalization - Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go - Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len - Fixed an error in validator that would allow a zero salt length - Added a test to verify the upstream crypt module supports our defined random salt chars - Updated docs - Removed unused "HashingAlgorithm" string type * Update crypt go mod, support argon2id key length and major refactor * Config Template Update, Final Tests * Use schema defaults for hash-password cmd * Iterations check * Docs requested changes * Test Coverage, suggested edits * Wording edit * Doc changes * Default sanity changes * Default sanity changes - docs * CI Sanity changes * Memory in MB
2020-03-06 01:38:02 +00:00
}
hash, err := HashPassword(
[BUGFIX] Password hashing schema map mismatch with docs (#852) * add a nolint for gosec 'possibly hardcoded password' that was incorrect * make all parameters consistent * update the docs for the correct key name 'password' instead of 'password_options' or 'password_hashing' * reword some of the docs * apply suggestions from code review Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-11 03:54:18 +00:00
newPassword, "", algorithm, p.configuration.Password.Iterations,
p.configuration.Password.Memory*1024, p.configuration.Password.Parallelism,
p.configuration.Password.KeyLength, p.configuration.Password.SaltLength)
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
[FEATURE] Support Argon2id password hasing and improved entropy (#679) * [FEATURE] Support Argon2id Passwords - Updated go module github.com/simia-tech/crypt - Added Argon2id support for file based authentication backend - Made it the default method - Made it so backwards compatibility with SHA512 exists - Force seeding of the random string generator used for salts to ensure they are all different - Added command params to the authelia hash-password command - Automatically remove {CRYPT} from hashes as they are updated - Automatically change hashes when they are updated to the configured algorithm - Made the hashing algorithm parameters completely configurable - Added reasonably comprehensive test suites - Updated docs - Updated config template * Adjust error output * Fix unit test * Add unit tests and argon2 version check * Fix new unit tests * Update docs, added tests * Implement configurable values and more comprehensive testing * Added cmd params to hash_password, updated docs, misc fixes * More detailed error for cmd, fixed a typo * Fixed cmd flag error, minor refactoring * Requested Changes and Minor refactoring * Increase entropy * Update docs for entropy changes * Refactor to reduce nesting and easier code maintenance * Cleanup Errors (uniformity for the function call) * Check salt length, fix docs * Add Base64 string validation for argon2id * Cleanup and Finalization - Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go - Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len - Fixed an error in validator that would allow a zero salt length - Added a test to verify the upstream crypt module supports our defined random salt chars - Updated docs - Removed unused "HashingAlgorithm" string type * Update crypt go mod, support argon2id key length and major refactor * Config Template Update, Final Tests * Use schema defaults for hash-password cmd * Iterations check * Docs requested changes * Test Coverage, suggested edits * Wording edit * Doc changes * Default sanity changes * Default sanity changes - docs * CI Sanity changes * Memory in MB
2020-03-06 01:38:02 +00:00
if err != nil {
return err
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
[FEATURE] Support Argon2id password hasing and improved entropy (#679) * [FEATURE] Support Argon2id Passwords - Updated go module github.com/simia-tech/crypt - Added Argon2id support for file based authentication backend - Made it the default method - Made it so backwards compatibility with SHA512 exists - Force seeding of the random string generator used for salts to ensure they are all different - Added command params to the authelia hash-password command - Automatically remove {CRYPT} from hashes as they are updated - Automatically change hashes when they are updated to the configured algorithm - Made the hashing algorithm parameters completely configurable - Added reasonably comprehensive test suites - Updated docs - Updated config template * Adjust error output * Fix unit test * Add unit tests and argon2 version check * Fix new unit tests * Update docs, added tests * Implement configurable values and more comprehensive testing * Added cmd params to hash_password, updated docs, misc fixes * More detailed error for cmd, fixed a typo * Fixed cmd flag error, minor refactoring * Requested Changes and Minor refactoring * Increase entropy * Update docs for entropy changes * Refactor to reduce nesting and easier code maintenance * Cleanup Errors (uniformity for the function call) * Check salt length, fix docs * Add Base64 string validation for argon2id * Cleanup and Finalization - Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go - Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len - Fixed an error in validator that would allow a zero salt length - Added a test to verify the upstream crypt module supports our defined random salt chars - Updated docs - Removed unused "HashingAlgorithm" string type * Update crypt go mod, support argon2id key length and major refactor * Config Template Update, Final Tests * Use schema defaults for hash-password cmd * Iterations check * Docs requested changes * Test Coverage, suggested edits * Wording edit * Doc changes * Default sanity changes * Default sanity changes - docs * CI Sanity changes * Memory in MB
2020-03-06 01:38:02 +00:00
details.HashedPassword = hash
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
p.lock.Lock()
p.database.Users[username] = details
b, err := yaml.Marshal(p.database)
if err != nil {
p.lock.Unlock()
return err
}
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
[MISC] Refactor Authentication (#987) * only do salt validation in validate salt * fix tests * remove panic(err.Error()) * use file mode const * do hash cleanup on file read instead of check password * design ConfigAlgoToCryptoAlgo and implement it * split HashPassword func into functional chunks that could theoretically be reused
2020-05-08 03:38:22 +00:00
err = ioutil.WriteFile(p.configuration.Path, b, fileAuthenticationMode)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
p.lock.Unlock()
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return err
}