authelia/internal/storage/const.go

package storage

import (
	"regexp"
)

const (
	tableAuthenticationLogs   = "authentication_logs"
	tableDuoDevices           = "duo_devices"
	tableIdentityVerification = "identity_verification"
	tableTOTPConfigurations   = "totp_configurations"
	tableUserOpaqueIdentifier = "user_opaque_identifier"
	tableUserPreferences      = "user_preferences"
	tableWebAuthnDevices      = "webauthn_devices"

	tableOAuth2BlacklistedJTI          = "oauth2_blacklisted_jti"
	tableOAuth2ConsentSession          = "oauth2_consent_session"
	tableOAuth2ConsentPreConfiguration = "oauth2_consent_preconfiguration"

	tableOAuth2AccessTokenSession   = "oauth2_access_token_session" //nolint:gosec // This is not a hardcoded credential.
	tableOAuth2AuthorizeCodeSession = "oauth2_authorization_code_session"
	tableOAuth2OpenIDConnectSession = "oauth2_openid_connect_session"
	tableOAuth2PARContext           = "oauth2_par_context"
	tableOAuth2PKCERequestSession   = "oauth2_pkce_request_session"
	tableOAuth2RefreshTokenSession  = "oauth2_refresh_token_session" //nolint:gosec // This is not a hardcoded credential.

	tableMigrations = "migrations"
	tableEncryption = "encryption"
)

// OAuth2SessionType represents the potential OAuth 2.0 session types.
type OAuth2SessionType int

// Representation of specific OAuth 2.0 session types.
const (
	OAuth2SessionTypeAccessToken OAuth2SessionType = iota
	OAuth2SessionTypeAuthorizeCode
	OAuth2SessionTypeOpenIDConnect
	OAuth2SessionTypePAR
	OAuth2SessionTypePKCEChallenge
	OAuth2SessionTypeRefreshToken
)

// String returns a string representation of this OAuth2SessionType.
func (s OAuth2SessionType) String() string {
	switch s {
	case OAuth2SessionTypeAccessToken:
		return "access token"
	case OAuth2SessionTypeAuthorizeCode:
		return "authorization code"
	case OAuth2SessionTypeOpenIDConnect:
		return "openid connect"
	case OAuth2SessionTypePAR:
		return "pushed authorization request context"
	case OAuth2SessionTypePKCEChallenge:
		return "pkce challenge"
	case OAuth2SessionTypeRefreshToken:
		return "refresh token"
	default:
		return "invalid"
	}
}

// Table returns the table name for this session type.
func (s OAuth2SessionType) Table() string {
	switch s {
	case OAuth2SessionTypeAccessToken:
		return tableOAuth2AccessTokenSession
	case OAuth2SessionTypeAuthorizeCode:
		return tableOAuth2AuthorizeCodeSession
	case OAuth2SessionTypeOpenIDConnect:
		return tableOAuth2OpenIDConnectSession
	case OAuth2SessionTypePAR:
		return tableOAuth2PARContext
	case OAuth2SessionTypePKCEChallenge:
		return tableOAuth2PKCERequestSession
	case OAuth2SessionTypeRefreshToken:
		return tableOAuth2RefreshTokenSession
	default:
		return ""
	}
}

const (
	sqlNetworkTypeTCP        = "tcp"
	sqlNetworkTypeUnixSocket = "unix"
)

const (
	encryptionNameCheck = "check"
)

// WARNING: Do not change/remove these consts. They are used for Pre1 migrations.
const (
	tablePre1TOTPSecrets                = "totp_secrets"
	tablePre1IdentityVerificationTokens = "identity_verification_tokens"
	tablePre1U2FDevices                 = "u2f_devices"
)

var tablesPre1 = []string{
	tablePre1TOTPSecrets,
	tablePre1IdentityVerificationTokens,
	tablePre1U2FDevices,

	tableUserPreferences,
	tableAuthenticationLogs,
}

const (
	providerAll      = "all"
	providerMySQL    = "mysql"
	providerPostgres = "postgres"
	providerSQLite   = "sqlite"
)

const (
	// SchemaLatest represents the value expected for a "migrate to latest" migration. It's the maximum 32bit signed integer.
	SchemaLatest = 2147483647
)

type ctxKey int

const (
	ctxKeyTransaction ctxKey = iota
)

var (
	reMigration = regexp.MustCompile(`^V(?P<Version>\d{4})\.(?P<Name>[^.]+)\.(?P<Provider>(all|sqlite|postgres|mysql))\.(?P<Direction>(up|down))\.sql$`)
)

const (
	na      = "N/A"
	invalid = "invalid"
)
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`package storage`

[MISC] Storage Schema Versioning Model (#1057) * [MISC] Storage Schema Versioning Model * fixup go.sum * remove pq * fix int to text issue * fix incorrect SQL text * use key_name vs key * use transactions for all queries during upgrades * fix missing parenthesis * move upgrades to their own file * add provider name for future usage in upgrades * fix missing create config table values * fix using the const instead of the provider SQL * import logging once and reuse * update docs * remove db at suite teardown * apply suggestions from code review * fix mysql * make errors more uniform * style changes * remove commented code sections * remove commented code sections * add schema version type * add sql mock unit tests * go mod tidy * test blank row situations 2020-07-16 05:56:08 +00:00			`import (`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`"regexp"`
[MISC] Storage Schema Versioning Model (#1057) * [MISC] Storage Schema Versioning Model * fixup go.sum * remove pq * fix int to text issue * fix incorrect SQL text * use key_name vs key * use transactions for all queries during upgrades * fix missing parenthesis * move upgrades to their own file * add provider name for future usage in upgrades * fix missing create config table values * fix using the const instead of the provider SQL * import logging once and reuse * update docs * remove db at suite teardown * apply suggestions from code review * fix mysql * make errors more uniform * style changes * remove commented code sections * remove commented code sections * add schema version type * add sql mock unit tests * go mod tidy * test blank row situations 2020-07-16 05:56:08 +00:00			`)`

feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`const (`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`tableAuthenticationLogs = "authentication_logs"`
			`tableDuoDevices = "duo_devices"`
feat(storage): only store identity token metadata (#2627) This change makes it so only metadata about tokens is stored. Tokens can still be resigned due to conversion methods that convert from the JWT type to the database type. This should be more efficient and should mean we don't have to encrypt tokens or token info in the database at least for now. 2021-11-30 06:58:21 +00:00			`tableIdentityVerification = "identity_verification"`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`tableTOTPConfigurations = "totp_configurations"`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`tableUserOpaqueIdentifier = "user_opaque_identifier"`
			`tableUserPreferences = "user_preferences"`
refactor: webauthn naming (#5243) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-14 16:04:42 +00:00			`tableWebAuthnDevices = "webauthn_devices"`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`tableOAuth2BlacklistedJTI = "oauth2_blacklisted_jti"`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`tableOAuth2ConsentSession = "oauth2_consent_session"`
			`tableOAuth2ConsentPreConfiguration = "oauth2_consent_preconfiguration"`
refactor: remove pre1 migration path (#4356) This removes pre1 migrations and improves a lot of tooling. 2022-11-25 12:44:55 +00:00
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`tableOAuth2AccessTokenSession = "oauth2_access_token_session" //nolint:gosec // This is not a hardcoded credential.`
refactor: remove pre1 migration path (#4356) This removes pre1 migrations and improves a lot of tooling. 2022-11-25 12:44:55 +00:00			`tableOAuth2AuthorizeCodeSession = "oauth2_authorization_code_session"`
			`tableOAuth2OpenIDConnectSession = "oauth2_openid_connect_session"`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`tableOAuth2PARContext = "oauth2_par_context"`
			`tableOAuth2PKCERequestSession = "oauth2_pkce_request_session"`
			`tableOAuth2RefreshTokenSession = "oauth2_refresh_token_session" //nolint:gosec // This is not a hardcoded credential.`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00
			`tableMigrations = "migrations"`
			`tableEncryption = "encryption"`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`)`

feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`// OAuth2SessionType represents the potential OAuth 2.0 session types.`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`type OAuth2SessionType int`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00
			`// Representation of specific OAuth 2.0 session types.`
			`const (`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`OAuth2SessionTypeAccessToken OAuth2SessionType = iota`
			`OAuth2SessionTypeAuthorizeCode`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`OAuth2SessionTypeOpenIDConnect`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`OAuth2SessionTypePAR`
			`OAuth2SessionTypePKCEChallenge`
			`OAuth2SessionTypeRefreshToken`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`)`

build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`// String returns a string representation of this OAuth2SessionType.`
			`func (s OAuth2SessionType) String() string {`
			`switch s {`
			`case OAuth2SessionTypeAccessToken:`
			`return "access token"`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`case OAuth2SessionTypeAuthorizeCode:`
			`return "authorization code"`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`case OAuth2SessionTypeOpenIDConnect:`
			`return "openid connect"`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`case OAuth2SessionTypePAR:`
			`return "pushed authorization request context"`
			`case OAuth2SessionTypePKCEChallenge:`
			`return "pkce challenge"`
			`case OAuth2SessionTypeRefreshToken:`
			`return "refresh token"`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`default:`
			`return "invalid"`
			`}`
			`}`

refactor: remove pre1 migration path (#4356) This removes pre1 migrations and improves a lot of tooling. 2022-11-25 12:44:55 +00:00			`// Table returns the table name for this session type.`
			`func (s OAuth2SessionType) Table() string {`
			`switch s {`
			`case OAuth2SessionTypeAccessToken:`
			`return tableOAuth2AccessTokenSession`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`case OAuth2SessionTypeAuthorizeCode:`
			`return tableOAuth2AuthorizeCodeSession`
refactor: remove pre1 migration path (#4356) This removes pre1 migrations and improves a lot of tooling. 2022-11-25 12:44:55 +00:00			`case OAuth2SessionTypeOpenIDConnect:`
			`return tableOAuth2OpenIDConnectSession`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`case OAuth2SessionTypePAR:`
			`return tableOAuth2PARContext`
			`case OAuth2SessionTypePKCEChallenge:`
			`return tableOAuth2PKCERequestSession`
			`case OAuth2SessionTypeRefreshToken:`
			`return tableOAuth2RefreshTokenSession`
refactor: remove pre1 migration path (#4356) This removes pre1 migrations and improves a lot of tooling. 2022-11-25 12:44:55 +00:00			`default:`
			`return ""`
			`}`
			`}`

fix(storage): mysql timestamp parsed incorrectly (#4230) The timestamps in MySQL were not being parsed correctly. The driver treats all timestamp and datetime objects the same which is not correct. 2022-10-22 04:25:12 +00:00			`const (`
feat(storage): unix socket support (#4231) Support for unix sockets for MySQL and PostgreSQL. 2022-10-22 05:41:27 +00:00			`sqlNetworkTypeTCP = "tcp"`
			`sqlNetworkTypeUnixSocket = "unix"`
fix(storage): mysql timestamp parsed incorrectly (#4230) The timestamps in MySQL were not being parsed correctly. The driver treats all timestamp and datetime objects the same which is not correct. 2022-10-22 04:25:12 +00:00			`)`

feat(storage): encrypted secret values (#2588) This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330. Closes #682 2021-11-25 01:56:58 +00:00			`const (`
			`encryptionNameCheck = "check"`
			`)`

feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`// WARNING: Do not change/remove these consts. They are used for Pre1 migrations.`
			`const (`
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that. 2021-12-03 00:04:11 +00:00			`tablePre1TOTPSecrets = "totp_secrets"`
			`tablePre1IdentityVerificationTokens = "identity_verification_tokens"`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`tablePre1U2FDevices = "u2f_devices"`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`)`

feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that. 2021-12-03 00:04:11 +00:00			`var tablesPre1 = []string{`
			`tablePre1TOTPSecrets,`
			`tablePre1IdentityVerificationTokens,`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`tablePre1U2FDevices,`
feat(storage): encrypt u2f key (#2664) Adds encryption to the U2F public keys. While the public keys cannot be used to authenticate, only to validate someone is authenticated, if a rogue operator changed these in the database they may be able to bypass 2FA. This prevents that. 2021-12-03 00:04:11 +00:00
			`tableUserPreferences,`
			`tableAuthenticationLogs,`
			`}`

feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`const (`
			`providerAll = "all"`
			`providerMySQL = "mysql"`
			`providerPostgres = "postgres"`
			`providerSQLite = "sqlite"`
			`)`

			`const (`
			`// SchemaLatest represents the value expected for a "migrate to latest" migration. It's the maximum 32bit signed integer.`
			`SchemaLatest = 2147483647`
			`)`

feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`type ctxKey int`

			`const (`
			`ctxKeyTransaction ctxKey = iota`
			`)`

feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`var (`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			reMigration = regexp.MustCompile(`^V(?P<Version>\d{4})\.(?P<Name>[^.]+)\.(?P<Provider>(all\|sqlite\|postgres\|mysql))\.(?P<Direction>(up\|down))\.sql$`)
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`)`
refactor: remove pre1 migration path (#4356) This removes pre1 migrations and improves a lot of tooling. 2022-11-25 12:44:55 +00:00
			`const (`
			`na = "N/A"`
			`invalid = "invalid"`
			`)`