authelia/internal/authentication/types.go

package authentication

import (
	"crypto/tls"
	"net/mail"
	"time"

	"github.com/go-ldap/ldap/v3"
)

// LDAPClientFactory an interface of factory of LDAP clients.
type LDAPClientFactory interface {
	DialURL(addr string, opts ...ldap.DialOpt) (client LDAPClient, err error)
}

// LDAPClient is a cut down version of the ldap.Client interface with just the methods we use.
//
// Methods added to this interface that have a direct correlation with one from ldap.Client should have the same signature.
type LDAPClient interface {
	Close() (err error)
	IsClosing() bool
	SetTimeout(timeout time.Duration)

	TLSConnectionState() (state tls.ConnectionState, ok bool)
	StartTLS(config *tls.Config) (err error)

	Unbind() (err error)
	Bind(username, password string) (err error)
	SimpleBind(request *ldap.SimpleBindRequest) (result *ldap.SimpleBindResult, err error)
	MD5Bind(host string, username string, password string) (err error)
	DigestMD5Bind(request *ldap.DigestMD5BindRequest) (result *ldap.DigestMD5BindResult, err error)
	UnauthenticatedBind(username string) (err error)
	ExternalBind() (err error)
	NTLMBind(domain string, username string, password string) (err error)
	NTLMUnauthenticatedBind(domain string, username string) (err error)
	NTLMBindWithHash(domain string, username string, hash string) (err error)
	NTLMChallengeBind(request *ldap.NTLMBindRequest) (result *ldap.NTLMBindResult, err error)

	Modify(request *ldap.ModifyRequest) (err error)
	ModifyWithResult(request *ldap.ModifyRequest) (result *ldap.ModifyResult, err error)
	ModifyDN(m *ldap.ModifyDNRequest) (err error)
	PasswordModify(request *ldap.PasswordModifyRequest) (result *ldap.PasswordModifyResult, err error)

	Add(request *ldap.AddRequest) (err error)
	Del(request *ldap.DelRequest) (err error)

	Search(request *ldap.SearchRequest) (result *ldap.SearchResult, err error)
	SearchWithPaging(request *ldap.SearchRequest, pagingSize uint32) (result *ldap.SearchResult, err error)
	Compare(dn string, attribute string, value string) (same bool, err error)

	WhoAmI(controls []ldap.Control) (result *ldap.WhoAmIResult, err error)
}

// UserDetails represent the details retrieved for a given user.
type UserDetails struct {
	Username    string
	DisplayName string
	Emails      []string
	Groups      []string
}

// Addresses returns the Emails []string as []mail.Address formatted with DisplayName as the Name attribute.
func (d UserDetails) Addresses() (addresses []mail.Address) {
	if len(d.Emails) == 0 {
		return nil
	}

	addresses = make([]mail.Address, len(d.Emails))

	for i, email := range d.Emails {
		addresses[i] = mail.Address{
			Name:    d.DisplayName,
			Address: email,
		}
	}

	return addresses
}

type ldapUserProfile struct {
	DN          string
	Emails      []string
	DisplayName string
	Username    string
	MemberOf    []string
}

// LDAPSupportedFeatures represents features which a server may support which are implemented in code.
type LDAPSupportedFeatures struct {
	Extensions   LDAPSupportedExtensions
	ControlTypes LDAPSupportedControlTypes
}

// LDAPSupportedExtensions represents extensions which a server may support which are implemented in code.
type LDAPSupportedExtensions struct {
	TLS           bool
	PwdModifyExOp bool
}

// LDAPSupportedControlTypes represents control types which a server may support which are implemented in code.
type LDAPSupportedControlTypes struct {
	MsftPwdPolHints           bool
	MsftPwdPolHintsDeprecated bool
}

// Level is the type representing a level of authentication.
type Level int

const (
	// NotAuthenticated if the user is not authenticated yet.
	NotAuthenticated Level = iota

	// OneFactor if the user has passed first factor only.
	OneFactor

	// TwoFactor if the user has passed two factors.
	TwoFactor
)

// String returns a string representation of an authentication.Level.
func (l Level) String() string {
	switch l {
	case NotAuthenticated:
		return "not_authenticated"
	case OneFactor:
		return "one_factor"
	case TwoFactor:
		return "two_factor"
	default:
		return "invalid"
	}
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package authentication`

fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`import (`
			`"crypto/tls"`
fix(notification): incorrect date header format (#3684) * fix(notification): incorrect date header format The date header in the email envelopes was incorrectly formatted missing a space between the `Date:` header and the value of this header. This also refactors the notification templates system allowing people to manually override the envelope itself. * test: fix tests and linting issues * fix: misc issues * refactor: misc refactoring * docs: add example for envelope with message id * refactor: organize smtp notifier * refactor: move subject interpolation * refactor: include additional placeholders * docs: fix missing link * docs: gravity * fix: rcpt to command * refactor: remove mid * refactor: apply suggestions Co-authored-by: Amir Zarrinkafsh <nightah@me.com> * refactor: include pid Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-07-18 00:56:09 +00:00			`"net/mail"`
refactor: misc out of band changes (#5238) This just implements some changes from feat-settings-ui that are out of scope. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-14 11:42:31 +00:00			`"time"`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00
			`"github.com/go-ldap/ldap/v3"`
			`)`

fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user. 2022-05-10 04:38:36 +00:00			`// LDAPClientFactory an interface of factory of LDAP clients.`
			`type LDAPClientFactory interface {`
			`DialURL(addr string, opts ...ldap.DialOpt) (client LDAPClient, err error)`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`}`

fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user. 2022-05-10 04:38:36 +00:00			`// LDAPClient is a cut down version of the ldap.Client interface with just the methods we use.`
			`//`
			`// Methods added to this interface that have a direct correlation with one from ldap.Client should have the same signature.`
			`type LDAPClient interface {`
build(deps): update module github.com/go-ldap/ldap/v3 to b50d289 (#5396) This fixes various issues. Fixes #4199 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-06 03:02:04 +00:00			`Close() (err error)`
refactor: misc out of band changes (#5238) This just implements some changes from feat-settings-ui that are out of scope. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-14 11:42:31 +00:00			`IsClosing() bool`
			`SetTimeout(timeout time.Duration)`

			`TLSConnectionState() (state tls.ConnectionState, ok bool)`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`StartTLS(config *tls.Config) (err error)`

refactor: misc out of band changes (#5238) This just implements some changes from feat-settings-ui that are out of scope. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-14 11:42:31 +00:00			`Unbind() (err error)`
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user. 2022-05-10 04:38:36 +00:00			`Bind(username, password string) (err error)`
refactor: misc out of band changes (#5238) This just implements some changes from feat-settings-ui that are out of scope. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-14 11:42:31 +00:00			`SimpleBind(request ldap.SimpleBindRequest) (result ldap.SimpleBindResult, err error)`
			`MD5Bind(host string, username string, password string) (err error)`
			`DigestMD5Bind(request ldap.DigestMD5BindRequest) (result ldap.DigestMD5BindResult, err error)`
feat(authentication): unauthenticated ldap bind (#3291) This allows configuring unauthenticated LDAP binding. 2022-06-17 11:03:47 +00:00			`UnauthenticatedBind(username string) (err error)`
refactor: misc out of band changes (#5238) This just implements some changes from feat-settings-ui that are out of scope. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-14 11:42:31 +00:00			`ExternalBind() (err error)`
			`NTLMBind(domain string, username string, password string) (err error)`
			`NTLMUnauthenticatedBind(domain string, username string) (err error)`
			`NTLMBindWithHash(domain string, username string, hash string) (err error)`
			`NTLMChallengeBind(request ldap.NTLMBindRequest) (result ldap.NTLMBindResult, err error)`

			`Modify(request *ldap.ModifyRequest) (err error)`
			`ModifyWithResult(request ldap.ModifyRequest) (result ldap.ModifyResult, err error)`
			`ModifyDN(m *ldap.ModifyDNRequest) (err error)`
			`PasswordModify(request ldap.PasswordModifyRequest) (result ldap.PasswordModifyResult, err error)`

			`Add(request *ldap.AddRequest) (err error)`
			`Del(request *ldap.DelRequest) (err error)`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00
refactor: misc out of band changes (#5238) This just implements some changes from feat-settings-ui that are out of scope. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-14 11:42:31 +00:00			`Search(request ldap.SearchRequest) (result ldap.SearchResult, err error)`
			`SearchWithPaging(request ldap.SearchRequest, pagingSize uint32) (result ldap.SearchResult, err error)`
			`Compare(dn string, attribute string, value string) (same bool, err error)`
fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user. 2022-05-10 04:38:36 +00:00
refactor: misc out of band changes (#5238) This just implements some changes from feat-settings-ui that are out of scope. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-14 11:42:31 +00:00			`WhoAmI(controls []ldap.Control) (result *ldap.WhoAmIResult, err error)`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`}`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`// UserDetails represent the details retrieved for a given user.`
			`type UserDetails struct {`
[FEATURE] Add configurable display name to frontend (#1124) * [FEATURE] Add configurable display name to frontend This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting. Similarly for the file based backend a new required key "name" has been introduced. This can also be used down the line with OIDC as a separate scope. * Update references from Name to DisplayName * Update compose bundles to include displayname refs * Update LDAP automatic profile refresh * Ensure display name is updated * Fix bug which prevented trace logging for profile refresh to not trigger 2020-06-19 10:50:21 +00:00			`Username string`
			`DisplayName string`
			`Emails []string`
			`Groups []string`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00
fix(notification): incorrect date header format (#3684) * fix(notification): incorrect date header format The date header in the email envelopes was incorrectly formatted missing a space between the `Date:` header and the value of this header. This also refactors the notification templates system allowing people to manually override the envelope itself. * test: fix tests and linting issues * fix: misc issues * refactor: misc refactoring * docs: add example for envelope with message id * refactor: organize smtp notifier * refactor: move subject interpolation * refactor: include additional placeholders * docs: fix missing link * docs: gravity * fix: rcpt to command * refactor: remove mid * refactor: apply suggestions Co-authored-by: Amir Zarrinkafsh <nightah@me.com> * refactor: include pid Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-07-18 00:56:09 +00:00			`// Addresses returns the Emails []string as []mail.Address formatted with DisplayName as the Name attribute.`
			`func (d UserDetails) Addresses() (addresses []mail.Address) {`
			`if len(d.Emails) == 0 {`
			`return nil`
			`}`

			`addresses = make([]mail.Address, len(d.Emails))`

			`for i, email := range d.Emails {`
			`addresses[i] = mail.Address{`
			`Name: d.DisplayName,`
			`Address: email,`
			`}`
			`}`

			`return addresses`
			`}`

fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`type ldapUserProfile struct {`
			`DN string`
			`Emails []string`
			`DisplayName string`
			`Username string`
feat(authentication): ldap memberof group search (#5418) Introduces the concept of group search mode into the LDAP configuration. This also adds the filter and memberof search modes. The full description of these is included in the docs but the filter mode is the same mode as previous which is also the default and recommended value. The memberof mode should only be used by users who are aware of how the concept works as per the docs. Closes #2161 Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-06-18 04:40:38 +00:00			`MemberOf []string`
fix(authentication): follow ldap referrals (#3251) This ensures we are able to follow referrals for LDAP password modify operations when permit_referrals is true. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-05-02 01:51:38 +00:00			`}`

fix(authentication): utilize msad password history control (#3256) This fixes an issue where the Microsoft Active Directory Server Policy Hints control was not being used to prevent avoidance of the PSO / FGPP applicable to the user. 2022-05-10 04:38:36 +00:00			`// LDAPSupportedFeatures represents features which a server may support which are implemented in code.`
			`type LDAPSupportedFeatures struct {`
			`Extensions LDAPSupportedExtensions`
			`ControlTypes LDAPSupportedControlTypes`
			`}`

			`// LDAPSupportedExtensions represents extensions which a server may support which are implemented in code.`
			`type LDAPSupportedExtensions struct {`
			`TLS bool`
			`PwdModifyExOp bool`
			`}`

			`// LDAPSupportedControlTypes represents control types which a server may support which are implemented in code.`
			`type LDAPSupportedControlTypes struct {`
			`MsftPwdPolHints bool`
			`MsftPwdPolHintsDeprecated bool`
			`}`

test(authentication): add missing type tests (#5483) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-25 02:26:19 +00:00			`// Level is the type representing a level of authentication.`
			`type Level int`

			`const (`
			`// NotAuthenticated if the user is not authenticated yet.`
			`NotAuthenticated Level = iota`

			`// OneFactor if the user has passed first factor only.`
			`OneFactor`

			`// TwoFactor if the user has passed two factors.`
			`TwoFactor`
			`)`

			`// String returns a string representation of an authentication.Level.`
			`func (l Level) String() string {`
			`switch l {`
			`case NotAuthenticated:`
			`return "not_authenticated"`
			`case OneFactor:`
			`return "one_factor"`
			`case TwoFactor:`
			`return "two_factor"`
			`default:`
			`return "invalid"`
			`}`
			`}`