From 1404d46bdb8c0833f531d47ddffa99cda241b73f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 19 Nov 2022 22:11:40 +0000 Subject: [PATCH 01/32] build(deps): update dependency vite-tsconfig-paths to v3.6.0 (#4408) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 2 +- web/pnpm-lock.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/web/package.json b/web/package.json index 02c8bc8c7..e7b3fb652 100644 --- a/web/package.json +++ b/web/package.json @@ -180,6 +180,6 @@ "vite-plugin-eslint": "1.8.1", "vite-plugin-istanbul": "3.0.2", "vite-plugin-svgr": "2.2.2", - "vite-tsconfig-paths": "3.5.2" + "vite-tsconfig-paths": "3.6.0" } } diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index 9427b3951..60e00fe7e 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -62,7 +62,7 @@ specifiers: vite-plugin-eslint: 1.8.1 vite-plugin-istanbul: 3.0.2 vite-plugin-svgr: 2.2.2 - vite-tsconfig-paths: 3.5.2 + vite-tsconfig-paths: 3.6.0 zxcvbn: 4.4.2 dependencies: @@ -130,7 +130,7 @@ devDependencies: vite-plugin-eslint: 1.8.1_eslint@8.28.0+vite@3.2.4 vite-plugin-istanbul: 3.0.2 vite-plugin-svgr: 2.2.2_vite@3.2.4 - vite-tsconfig-paths: 3.5.2_vite@3.2.4 + vite-tsconfig-paths: 3.6.0_vite@3.2.4 packages: @@ -9396,8 +9396,8 @@ packages: - supports-color dev: true - /vite-tsconfig-paths/3.5.2_vite@3.2.4: - resolution: {integrity: sha512-xJMgHA2oJ28QCG2f+hXrcqzo7IttrSRK4A//Tp94CfuX5eetOx33qiwXHUdi3FwkHP2ocpxHuvE45Ix67gwEmQ==} + /vite-tsconfig-paths/3.6.0_vite@3.2.4: + resolution: {integrity: sha512-UfsPYonxLqPD633X8cWcPFVuYzx/CMNHAjZTasYwX69sXpa4gNmQkR0XCjj82h7zhLGdTWagMjC1qfb9S+zv0A==} peerDependencies: vite: '>2.0.0-0' dependencies: From ef28345f05f0b11ccba11bd35c1eb9c8e0d7b1e5 Mon Sep 17 00:00:00 2001 
From: Jacob Gee-Clarke Date: Sun, 20 Nov 2022 19:27:43 +0000 Subject: [PATCH 02/32] docs: fix grammar (#4334) A fixed grammatical issue with the docker deployment page. --- docs/content/en/integration/deployment/docker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/integration/deployment/docker.md b/docs/content/en/integration/deployment/docker.md index 42109751f..58177b2be 100644 --- a/docs/content/en/integration/deployment/docker.md +++ b/docs/content/en/integration/deployment/docker.md @@ -35,7 +35,7 @@ bootstrapping *Authelia*. ### Standalone Example -The following is an examples are [Docker Compose] deployments with just *Authelia* and no bundled applications or +The following examples are [Docker Compose] deployments with just *Authelia* and no bundled applications or proxies. It expects the following: From c481ac86bbcf91cd551fb3c50c776d4bbb6872ed Mon Sep 17 00:00:00 2001 From: James Elliott Date: Mon, 21 Nov 2022 11:52:27 +1100 Subject: [PATCH 03/32] fix(configuration): valid oidc redirect uris not accepted (#4410) This fixes an issue where redirect URIs which may be valid are rejected by the configuration validator. This will instead allow the OpenID Connect 1.0 flows to validate them individually. --- internal/configuration/validator/const.go | 6 ++---- internal/configuration/validator/identity_providers.go | 6 +----- .../configuration/validator/identity_providers_test.go | 9 ++++----- 3 files changed, 7 insertions(+), 14 deletions(-) diff --git a/internal/configuration/validator/const.go b/internal/configuration/validator/const.go index a8b102ac7..63e618bc0 100644 --- a/internal/configuration/validator/const.go +++ b/internal/configuration/validator/const.go 
@@ -161,15 +161,13 @@ const ( errFmtOIDCClientInvalidSecret = "identity_providers: oidc: client '%s': option 'secret' is required" errFmtOIDCClientPublicInvalidSecret = "identity_providers: oidc: client '%s': option 'secret' is " + "required to be empty when option 'public' is true" - errFmtOIDCClientRedirectURI = "identity_providers: oidc: client '%s': option 'redirect_uris' has an " + - "invalid value: redirect uri '%s' must have a scheme of 'http' or 'https' but '%s' is configured" errFmtOIDCClientRedirectURICantBeParsed = "identity_providers: oidc: client '%s': option 'redirect_uris' has an " + "invalid value: redirect uri '%s' could not be parsed: %v" - errFmtOIDCClientRedirectURIPublic = "identity_providers: oidc: client '%s': option 'redirect_uris' has the" + + errFmtOIDCClientRedirectURIPublic = "identity_providers: oidc: client '%s': option 'redirect_uris' has the " + "redirect uri '%s' when option 'public' is false but this is invalid as this uri is not valid " + "for the openid connect confidential client type" errFmtOIDCClientRedirectURIAbsolute = "identity_providers: oidc: client '%s': option 'redirect_uris' has an " + - "invalid value: redirect uri '%s' must have the scheme 'http' or 'https' but it has no scheme" + "invalid value: redirect uri '%s' must have the scheme but it is absent" errFmtOIDCClientInvalidPolicy = "identity_providers: oidc: client '%s': option 'policy' must be 'one_factor' " + "or 'two_factor' but it is configured as '%s'" errFmtOIDCClientInvalidConsentMode = "identity_providers: oidc: client '%s': consent: option 'mode' must be one of " + diff --git a/internal/configuration/validator/identity_providers.go b/internal/configuration/validator/identity_providers.go index a2ee5a549..3bea1c63b 100644 --- a/internal/configuration/validator/identity_providers.go +++ b/internal/configuration/validator/identity_providers.go 
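Review bot: The reworded `errFmtOIDCClientRedirectURIAbsolute` message in this hunk reads awkwardly: "must have the scheme but it is absent" no longer names a particular scheme, so "a scheme" is presumably what is meant. Operators read this string when their configuration is rejected, so I would change the second line of the constant to `"invalid value: redirect uri '%s' must have a scheme but it is absent"`. Any test that asserts the current wording (none is visible in this patch) would need the same change. The `const (` block starts and ends outside the hunk.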
@@ -330,13 +330,9 @@ func validateOIDCClientRedirectURIs(client schema.OpenIDConnectClientConfigurati continue } - if !parsedURL.IsAbs() { + if !parsedURL.IsAbs() || (!client.Public && parsedURL.Scheme == "") { validator.Push(fmt.Errorf(errFmtOIDCClientRedirectURIAbsolute, client.ID, redirectURI)) return } - - if !client.Public && parsedURL.Scheme != schemeHTTPS && parsedURL.Scheme != schemeHTTP { - validator.Push(fmt.Errorf(errFmtOIDCClientRedirectURI, client.ID, redirectURI, parsedURL.Scheme)) - } } } diff --git a/internal/configuration/validator/identity_providers_test.go b/internal/configuration/validator/identity_providers_test.go index 727676bb4..b07f9f29f 100644 --- a/internal/configuration/validator/identity_providers_test.go +++ b/internal/configuration/validator/identity_providers_test.go 
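Review bot: The second clause of the new `if` condition is redundant: `url.URL.IsAbs()` reports whether the scheme is non-empty, so `!parsedURL.IsAbs()` already covers `parsedURL.Scheme == ""` for public and confidential clients alike, and the check reduces to `if !parsedURL.IsAbs() {`. With the `http`/`https` restriction removed, this validator now accepts any scheme for confidential clients (the updated test no longer expects an error for `file://a/file`), so restricting redirect targets rests entirely on the OpenID Connect flows named in the commit message, which are not visible here. I would record that dependency above the check, e.g. `// Only the presence of a scheme is checked here; the scheme itself is validated per request by the OIDC flows.`, and confirm those flows reject schemes that must never be a redirect target. The retained `return` also stops validation at the first scheme-less URI, so later entries in `redirect_uris` go unreported, whereas the earlier branch uses `continue`. validateOIDCClientRedirectURIs starts above the hunk.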
@@ -124,13 +124,12 @@ func TestShouldRaiseErrorWhenOIDCCORSOriginsHasInvalidValues(t *testing.T) { ValidateIdentityProviders(config, validator) - require.Len(t, validator.Errors(), 6) + require.Len(t, validator.Errors(), 5) assert.EqualError(t, validator.Errors()[0], "identity_providers: oidc: cors: option 'allowed_origins' contains an invalid value 'https://example.com/' as it has a path: origins must only be scheme, hostname, and an optional port") assert.EqualError(t, validator.Errors()[1], "identity_providers: oidc: cors: option 'allowed_origins' contains an invalid value 'https://site.example.com/subpath' as it has a path: origins must only be scheme, hostname, and an optional port") assert.EqualError(t, validator.Errors()[2], "identity_providers: oidc: cors: option 'allowed_origins' contains an invalid value 'https://site.example.com?example=true' as it has a query string: origins must only be scheme, hostname, and an optional port") assert.EqualError(t, validator.Errors()[3], "identity_providers: oidc: cors: option 'allowed_origins' contains the wildcard origin '*' with more than one origin but the wildcard origin must be defined by itself") assert.EqualError(t, validator.Errors()[4], "identity_providers: oidc: cors: option 'allowed_origins' contains the wildcard origin '*' cannot be specified with option 'allowed_origins_from_client_redirect_uris' enabled") - assert.EqualError(t, validator.Errors()[5], "identity_providers: oidc: client 'myclient': option 'redirect_uris' has an invalid value: redirect uri 'file://a/file' must have a scheme of 'http' or 'https' but 'file' is configured") require.Len(t, config.OIDC.CORS.AllowedOrigins, 6) assert.Equal(t, "*", config.OIDC.CORS.AllowedOrigins[3].String()) 
@@ -749,6 +748,7 @@ func TestValidateOIDCClientRedirectURIsSupportingPrivateUseURISchemes(t *testing "oc://ios.owncloud.com", // example given in the RFC https://datatracker.ietf.org/doc/html/rfc8252#section-7.1 "com.example.app:/oauth2redirect/example-provider", + oauth2InstalledApp, }, } @@ -767,10 +767,9 @@ func TestValidateOIDCClientRedirectURIsSupportingPrivateUseURISchemes(t *testing validateOIDCClientRedirectURIs(conf, validator) assert.Len(t, validator.Warnings(), 0) - assert.Len(t, validator.Errors(), 2) + assert.Len(t, validator.Errors(), 1) assert.ElementsMatch(t, validator.Errors(), []error{ - errors.New("identity_providers: oidc: client 'owncloud': option 'redirect_uris' has an invalid value: redirect uri 'oc://ios.owncloud.com' must have a scheme of 'http' or 'https' but 'oc' is configured"), - errors.New("identity_providers: oidc: client 'owncloud': option 'redirect_uris' has an invalid value: redirect uri 'com.example.app:/oauth2redirect/example-provider' must have a scheme of 'http' or 'https' but 'com.example.app' is configured"), + errors.New("identity_providers: oidc: client 'owncloud': option 'redirect_uris' has the redirect uri 'urn:ietf:wg:oauth:2.0:oob' when option 'public' is false but this is invalid as this uri is not valid for the openid connect confidential client type"), }) }) } From 1f57d83873f0704a18b35f8277b75bf6f38287ea Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 22 Nov 2022 12:05:03 +1100 Subject: [PATCH 04/32] build(deps): update dependency esbuild to v0.15.15 (#4411) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 2 +- web/pnpm-lock.yaml | 148 ++++++++++++++++++++++----------------------- 2 files changed, 75 insertions(+), 75 deletions(-) diff --git a/web/package.json b/web/package.json index e7b3fb652..bd21bb84e 100644 --- a/web/package.json +++ b/web/package.json 
@@ -156,7 +156,7 @@ "@typescript-eslint/eslint-plugin": "5.43.0", "@typescript-eslint/parser": "5.43.0", "@vitejs/plugin-react": "2.2.0", - "esbuild": "0.15.14", + "esbuild": "0.15.15", "esbuild-jest": "0.5.0", "eslint": "8.28.0", "eslint-config-prettier": "8.5.0", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index 60e00fe7e..735f0320d 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -27,7 +27,7 @@ specifiers: axios: 1.1.3 broadcast-channel: 4.18.1 classnames: 2.3.2 - esbuild: 0.15.14 + esbuild: 0.15.15 esbuild-jest: 0.5.0 eslint: 8.28.0 eslint-config-prettier: 8.5.0 @@ -106,8 +106,8 @@ devDependencies: '@typescript-eslint/eslint-plugin': 5.43.0_nqj4bdx4ekws7aecttskpih4py '@typescript-eslint/parser': 5.43.0_hsf322ms6xhhd4b5ne6lb74y4a '@vitejs/plugin-react': 2.2.0_vite@3.2.4 - esbuild: 0.15.14 - esbuild-jest: 0.5.0_esbuild@0.15.14 + esbuild: 0.15.15 + esbuild-jest: 0.5.0_esbuild@0.15.15 eslint: 8.28.0 eslint-config-prettier: 8.5.0_eslint@8.28.0 eslint-config-react-app: 7.0.1_ffu622cxxp5swe5tqcog7svb5i @@ -2443,8 +2443,8 @@ packages: resolution: {integrity: sha512-AHPmaAx+RYfZz0eYu6Gviiagpmiyw98ySSlQvCUhVGDRtDFe4DBS0x1bSjdF3gqUDYOczB+yYvBTtEylYSdRhg==} dev: false - /@esbuild/android-arm/0.15.14: - resolution: {integrity: sha512-+Rb20XXxRGisNu2WmNKk+scpanb7nL5yhuI1KR9wQFiC43ddPj/V1fmNyzlFC9bKiG4mYzxW7egtoHVcynr+OA==} + /@esbuild/android-arm/0.15.15: + resolution: {integrity: sha512-JJjZjJi2eBL01QJuWjfCdZxcIgot+VoK6Fq7eKF9w4YHm9hwl7nhBR1o2Wnt/WcANk5l9SkpvrldW1PLuXxcbw==} engines: {node: '>=12'} cpu: [arm] os: [android] @@ -2452,8 +2452,8 @@ packages: dev: true optional: true - /@esbuild/linux-loong64/0.15.14: - resolution: {integrity: sha512-eQi9rosGNVQFJyJWV0HCA5WZae/qWIQME7s8/j8DMvnylfBv62Pbu+zJ2eUDqNf2O4u3WB+OEXyfkpBoe194sg==} + /@esbuild/linux-loong64/0.15.15: + resolution: {integrity: sha512-lhz6UNPMDXUhtXSulw8XlFAtSYO26WmHQnCi2Lg2p+/TMiJKNLtZCYUxV4wG6rZMzXmr8InGpNwk+DLT2Hm0PA==} engines: {node: '>=12'} cpu: [loong64] os: [linux] 
@@ -5089,8 +5089,8 @@ packages: is-symbol: 1.0.4 dev: true - /esbuild-android-64/0.15.14: - resolution: {integrity: sha512-HuilVIb4rk9abT4U6bcFdU35UHOzcWVGLSjEmC58OVr96q5UiRqzDtWjPlCMugjhgUGKEs8Zf4ueIvYbOStbIg==} + /esbuild-android-64/0.15.15: + resolution: {integrity: sha512-F+WjjQxO+JQOva3tJWNdVjouFMLK6R6i5gjDvgUthLYJnIZJsp1HlF523k73hELY20WPyEO8xcz7aaYBVkeg5Q==} engines: {node: '>=12'} cpu: [x64] os: [android] @@ -5098,8 +5098,8 @@ packages: dev: true optional: true - /esbuild-android-arm64/0.15.14: - resolution: {integrity: sha512-/QnxRVxsR2Vtf3XottAHj7hENAMW2wCs6S+OZcAbc/8nlhbAL/bCQRCVD78VtI5mdwqWkVi3wMqM94kScQCgqg==} + /esbuild-android-arm64/0.15.15: + resolution: {integrity: sha512-attlyhD6Y22jNyQ0fIIQ7mnPvDWKw7k6FKnsXlBvQE6s3z6s6cuEHcSgoirquQc7TmZgVCK5fD/2uxmRN+ZpcQ==} engines: {node: '>=12'} cpu: [arm64] os: [android] @@ -5107,8 +5107,8 @@ packages: dev: true optional: true - /esbuild-darwin-64/0.15.14: - resolution: {integrity: sha512-ToNuf1uifu8hhwWvoZJGCdLIX/1zpo8cOGnT0XAhDQXiKOKYaotVNx7pOVB1f+wHoWwTLInrOmh3EmA7Fd+8Vg==} + /esbuild-darwin-64/0.15.15: + resolution: {integrity: sha512-ohZtF8W1SHJ4JWldsPVdk8st0r9ExbAOSrBOh5L+Mq47i696GVwv1ab/KlmbUoikSTNoXEhDzVpxUR/WIO19FQ==} engines: {node: '>=12'} cpu: [x64] os: [darwin] @@ -5116,8 +5116,8 @@ packages: dev: true optional: true - /esbuild-darwin-arm64/0.15.14: - resolution: {integrity: sha512-KgGP+y77GszfYJgceO0Wi/PiRtYo5y2Xo9rhBUpxTPaBgWDJ14gqYN0+NMbu+qC2fykxXaipHxN4Scaj9tUS1A==} + /esbuild-darwin-arm64/0.15.15: + resolution: {integrity: sha512-P8jOZ5zshCNIuGn+9KehKs/cq5uIniC+BeCykvdVhx/rBXSxmtj3CUIKZz4sDCuESMbitK54drf/2QX9QHG5Ag==} engines: {node: '>=12'} cpu: [arm64] os: [darwin] 
@@ -5125,8 +5125,8 @@ packages: dev: true optional: true - /esbuild-freebsd-64/0.15.14: - resolution: {integrity: sha512-xr0E2n5lyWw3uFSwwUXHc0EcaBDtsal/iIfLioflHdhAe10KSctV978Te7YsfnsMKzcoGeS366+tqbCXdqDHQA==} + /esbuild-freebsd-64/0.15.15: + resolution: {integrity: sha512-KkTg+AmDXz1IvA9S1gt8dE24C8Thx0X5oM0KGF322DuP+P3evwTL9YyusHAWNsh4qLsR80nvBr/EIYs29VSwuA==} engines: {node: '>=12'} cpu: [x64] os: [freebsd] @@ -5134,8 +5134,8 @@ packages: dev: true optional: true - /esbuild-freebsd-arm64/0.15.14: - resolution: {integrity: sha512-8XH96sOQ4b1LhMlO10eEWOjEngmZ2oyw3pW4o8kvBcpF6pULr56eeYVP5radtgw54g3T8nKHDHYEI5AItvskZg==} + /esbuild-freebsd-arm64/0.15.15: + resolution: {integrity: sha512-FUcML0DRsuyqCMfAC+HoeAqvWxMeq0qXvclZZ/lt2kLU6XBnDA5uKTLUd379WYEyVD4KKFctqWd9tTuk8C/96g==} engines: {node: '>=12'} cpu: [arm64] os: [freebsd] @@ -5143,7 +5143,7 @@ packages: dev: true optional: true - /esbuild-jest/0.5.0_esbuild@0.15.14: + /esbuild-jest/0.5.0_esbuild@0.15.15: resolution: {integrity: sha512-AMZZCdEpXfNVOIDvURlqYyHwC8qC1/BFjgsrOiSL1eyiIArVtHL8YAC83Shhn16cYYoAWEW17yZn0W/RJKJKHQ==} peerDependencies: esbuild: '>=0.8.50' @@ -5151,13 +5151,13 @@ packages: '@babel/core': 7.18.6 '@babel/plugin-transform-modules-commonjs': 7.18.6_@babel+core@7.18.6 babel-jest: 26.6.3_@babel+core@7.18.6 - esbuild: 0.15.14 + esbuild: 0.15.15 transitivePeerDependencies: - supports-color dev: true - /esbuild-linux-32/0.15.14: - resolution: {integrity: sha512-6ssnvwaTAi8AzKN8By2V0nS+WF5jTP7SfuK6sStGnDP7MCJo/4zHgM9oE1eQTS2jPmo3D673rckuCzRlig+HMA==} + /esbuild-linux-32/0.15.15: + resolution: {integrity: sha512-q28Qn5pZgHNqug02aTkzw5sW9OklSo96b5nm17Mq0pDXrdTBcQ+M6Q9A1B+dalFeynunwh/pvfrNucjzwDXj+Q==} engines: {node: '>=12'} cpu: [ia32] os: [linux] 
@@ -5165,8 +5165,8 @@ packages: dev: true optional: true - /esbuild-linux-64/0.15.14: - resolution: {integrity: sha512-ONySx3U0wAJOJuxGUlXBWxVKFVpWv88JEv0NZ6NlHknmDd1yCbf4AEdClSgLrqKQDXYywmw4gYDvdLsS6z0hcw==} + /esbuild-linux-64/0.15.15: + resolution: {integrity: sha512-217KPmWMirkf8liO+fj2qrPwbIbhNTGNVtvqI1TnOWJgcMjUWvd677Gq3fTzXEjilkx2yWypVnTswM2KbXgoAg==} engines: {node: '>=12'} cpu: [x64] os: [linux] @@ -5174,8 +5174,8 @@ packages: dev: true optional: true - /esbuild-linux-arm/0.15.14: - resolution: {integrity: sha512-D2LImAIV3QzL7lHURyCHBkycVFbKwkDb1XEUWan+2fb4qfW7qAeUtul7ZIcIwFKZgPcl+6gKZmvLgPSj26RQ2Q==} + /esbuild-linux-arm/0.15.15: + resolution: {integrity: sha512-RYVW9o2yN8yM7SB1yaWr378CwrjvGCyGybX3SdzPHpikUHkME2AP55Ma20uNwkNyY2eSYFX9D55kDrfQmQBR4w==} engines: {node: '>=12'} cpu: [arm] os: [linux] @@ -5183,8 +5183,8 @@ packages: dev: true optional: true - /esbuild-linux-arm64/0.15.14: - resolution: {integrity: sha512-kle2Ov6a1e5AjlHlMQl1e+c4myGTeggrRzArQFmWp6O6JoqqB9hT+B28EW4tjFWgV/NxUq46pWYpgaWXsXRPAg==} + /esbuild-linux-arm64/0.15.15: + resolution: {integrity: sha512-/ltmNFs0FivZkYsTzAsXIfLQX38lFnwJTWCJts0IbCqWZQe+jjj0vYBNbI0kmXLb3y5NljiM5USVAO1NVkdh2g==} engines: {node: '>=12'} cpu: [arm64] os: [linux] @@ -5192,8 +5192,8 @@ packages: dev: true optional: true - /esbuild-linux-mips64le/0.15.14: - resolution: {integrity: sha512-FVdMYIzOLXUq+OE7XYKesuEAqZhmAIV6qOoYahvUp93oXy0MOVTP370ECbPfGXXUdlvc0TNgkJa3YhEwyZ6MRA==} + /esbuild-linux-mips64le/0.15.15: + resolution: {integrity: sha512-PksEPb321/28GFFxtvL33yVPfnMZihxkEv5zME2zapXGp7fA1X2jYeiTUK+9tJ/EGgcNWuwvtawPxJG7Mmn86A==} engines: {node: '>=12'} cpu: [mips64el] os: [linux] 
@@ -5201,8 +5201,8 @@ packages: dev: true optional: true - /esbuild-linux-ppc64le/0.15.14: - resolution: {integrity: sha512-2NzH+iuzMDA+jjtPjuIz/OhRDf8tzbQ1tRZJI//aT25o1HKc0reMMXxKIYq/8nSHXiJSnYV4ODzTiv45s+h73w==} + /esbuild-linux-ppc64le/0.15.15: + resolution: {integrity: sha512-ek8gJBEIhcpGI327eAZigBOHl58QqrJrYYIZBWQCnH3UnXoeWMrMZLeeZL8BI2XMBhP+sQ6ERctD5X+ajL/AIA==} engines: {node: '>=12'} cpu: [ppc64] os: [linux] @@ -5210,8 +5210,8 @@ packages: dev: true optional: true - /esbuild-linux-riscv64/0.15.14: - resolution: {integrity: sha512-VqxvutZNlQxmUNS7Ac+aczttLEoHBJ9e3OYGqnULrfipRvG97qLrAv9EUY9iSrRKBqeEbSvS9bSfstZqwz0T4Q==} + /esbuild-linux-riscv64/0.15.15: + resolution: {integrity: sha512-H5ilTZb33/GnUBrZMNJtBk7/OXzDHDXjIzoLXHSutwwsLxSNaLxzAaMoDGDd/keZoS+GDBqNVxdCkpuiRW4OSw==} engines: {node: '>=12'} cpu: [riscv64] os: [linux] @@ -5219,8 +5219,8 @@ packages: dev: true optional: true - /esbuild-linux-s390x/0.15.14: - resolution: {integrity: sha512-+KVHEUshX5n6VP6Vp/AKv9fZIl5kr2ph8EUFmQUJnDpHwcfTSn2AQgYYm0HTBR2Mr4d0Wlr0FxF/Cs5pbFgiOw==} + /esbuild-linux-s390x/0.15.15: + resolution: {integrity: sha512-jKaLUg78mua3rrtrkpv4Or2dNTJU7bgHN4bEjT4OX4GR7nLBSA9dfJezQouTxMmIW7opwEC5/iR9mpC18utnxQ==} engines: {node: '>=12'} cpu: [s390x] os: [linux] @@ -5228,8 +5228,8 @@ packages: dev: true optional: true - /esbuild-netbsd-64/0.15.14: - resolution: {integrity: sha512-6D/dr17piEgevIm1xJfZP2SjB9Z+g8ERhNnBdlZPBWZl+KSPUKLGF13AbvC+nzGh8IxOH2TyTIdRMvKMP0nEzQ==} + /esbuild-netbsd-64/0.15.15: + resolution: {integrity: sha512-aOvmF/UkjFuW6F36HbIlImJTTx45KUCHJndtKo+KdP8Dhq3mgLRKW9+6Ircpm8bX/RcS3zZMMmaBLkvGY06Gvw==} engines: {node: '>=12'} cpu: [x64] os: [netbsd] 
@@ -5237,8 +5237,8 @@ packages: dev: true optional: true - /esbuild-openbsd-64/0.15.14: - resolution: {integrity: sha512-rREQBIlMibBetgr2E9Lywt2Qxv2ZdpmYahR4IUlAQ1Efv/A5gYdO0/VIN3iowDbCNTLxp0bb57Vf0LFcffD6kA==} + /esbuild-openbsd-64/0.15.15: + resolution: {integrity: sha512-HFFX+WYedx1w2yJ1VyR1Dfo8zyYGQZf1cA69bLdrHzu9svj6KH6ZLK0k3A1/LFPhcEY9idSOhsB2UyU0tHPxgQ==} engines: {node: '>=12'} cpu: [x64] os: [openbsd] @@ -5246,8 +5246,8 @@ packages: dev: true optional: true - /esbuild-sunos-64/0.15.14: - resolution: {integrity: sha512-DNVjSp/BY4IfwtdUAvWGIDaIjJXY5KI4uD82+15v6k/w7px9dnaDaJJ2R6Mu+KCgr5oklmFc0KjBjh311Gxl9Q==} + /esbuild-sunos-64/0.15.15: + resolution: {integrity: sha512-jOPBudffG4HN8yJXcK9rib/ZTFoTA5pvIKbRrt3IKAGMq1EpBi4xoVoSRrq/0d4OgZLaQbmkHp8RO9eZIn5atA==} engines: {node: '>=12'} cpu: [x64] os: [sunos] @@ -5255,8 +5255,8 @@ packages: dev: true optional: true - /esbuild-windows-32/0.15.14: - resolution: {integrity: sha512-pHBWrcA+/oLgvViuG9FO3kNPO635gkoVrRQwe6ZY1S0jdET07xe2toUvQoJQ8KT3/OkxqUasIty5hpuKFLD+eg==} + /esbuild-windows-32/0.15.15: + resolution: {integrity: sha512-MDkJ3QkjnCetKF0fKxCyYNBnOq6dmidcwstBVeMtXSgGYTy8XSwBeIE4+HuKiSsG6I/mXEb++px3IGSmTN0XiA==} engines: {node: '>=12'} cpu: [ia32] os: [win32] @@ -5264,8 +5264,8 @@ packages: dev: true optional: true - /esbuild-windows-64/0.15.14: - resolution: {integrity: sha512-CszIGQVk/P8FOS5UgAH4hKc9zOaFo69fe+k1rqgBHx3CSK3Opyk5lwYriIamaWOVjBt7IwEP6NALz+tkVWdFog==} + /esbuild-windows-64/0.15.15: + resolution: {integrity: sha512-xaAUIB2qllE888SsMU3j9nrqyLbkqqkpQyWVkfwSil6BBPgcPk3zOFitTTncEKCLTQy3XV9RuH7PDj3aJDljWA==} engines: {node: '>=12'} cpu: [x64] os: [win32] 
@@ -5273,8 +5273,8 @@ packages: dev: true optional: true - /esbuild-windows-arm64/0.15.14: - resolution: {integrity: sha512-KW9W4psdZceaS9A7Jsgl4WialOznSURvqX/oHZk3gOP7KbjtHLSsnmSvNdzagGJfxbAe30UVGXRe8q8nDsOSQw==} + /esbuild-windows-arm64/0.15.15: + resolution: {integrity: sha512-ttuoCYCIJAFx4UUKKWYnFdrVpoXa3+3WWkXVI6s09U+YjhnyM5h96ewTq/WgQj9LFSIlABQvadHSOQyAVjW5xQ==} engines: {node: '>=12'} cpu: [arm64] os: [win32] 
@@ -5282,34 +5282,34 @@ packages: dev: true optional: true - /esbuild/0.15.14: - resolution: {integrity: sha512-pJN8j42fvWLFWwSMG4luuupl2Me7mxciUOsMegKvwCmhEbJ2covUdFnihxm0FMIBV+cbwbtMoHgMCCI+pj1btQ==} + /esbuild/0.15.15: + resolution: {integrity: sha512-TEw/lwK4Zzld9x3FedV6jy8onOUHqcEX3ADFk4k+gzPUwrxn8nWV62tH0udo8jOtjFodlEfc4ypsqX3e+WWO6w==} engines: {node: '>=12'} hasBin: true requiresBuild: true optionalDependencies: - '@esbuild/android-arm': 0.15.14 - '@esbuild/linux-loong64': 0.15.14 - esbuild-android-64: 0.15.14 - esbuild-android-arm64: 0.15.14 - esbuild-darwin-64: 0.15.14 - esbuild-darwin-arm64: 0.15.14 - esbuild-freebsd-64: 0.15.14 - esbuild-freebsd-arm64: 0.15.14 - esbuild-linux-32: 0.15.14 - esbuild-linux-64: 0.15.14 - esbuild-linux-arm: 0.15.14 - esbuild-linux-arm64: 0.15.14 - esbuild-linux-mips64le: 0.15.14 - esbuild-linux-ppc64le: 0.15.14 - esbuild-linux-riscv64: 0.15.14 - esbuild-linux-s390x: 0.15.14 - esbuild-netbsd-64: 0.15.14 - esbuild-openbsd-64: 0.15.14 - esbuild-sunos-64: 0.15.14 - esbuild-windows-32: 0.15.14 - esbuild-windows-64: 0.15.14 - esbuild-windows-arm64: 0.15.14 + '@esbuild/android-arm': 0.15.15 + '@esbuild/linux-loong64': 0.15.15 + esbuild-android-64: 0.15.15 + esbuild-android-arm64: 0.15.15 + esbuild-darwin-64: 0.15.15 + esbuild-darwin-arm64: 0.15.15 + esbuild-freebsd-64: 0.15.15 + esbuild-freebsd-arm64: 0.15.15 + esbuild-linux-32: 0.15.15 + esbuild-linux-64: 0.15.15 + esbuild-linux-arm: 0.15.15 + esbuild-linux-arm64: 0.15.15 + esbuild-linux-mips64le: 0.15.15 + esbuild-linux-ppc64le: 0.15.15 + esbuild-linux-riscv64: 0.15.15 + esbuild-linux-s390x: 0.15.15 + esbuild-netbsd-64: 0.15.15 + esbuild-openbsd-64: 0.15.15 + esbuild-sunos-64: 0.15.15 + esbuild-windows-32: 0.15.15 + esbuild-windows-64: 0.15.15 + esbuild-windows-arm64: 0.15.15 dev: true /escalade/3.1.1: @@ -9436,7 +9436,7 @@ packages: optional: true dependencies: '@types/node': 18.11.9 - esbuild: 0.15.14 + esbuild: 0.15.15 postcss: 8.4.18 resolve: 1.22.1 rollup: 2.79.1 
From 3481f89e2322ec7fa9028991c7cb2bc3d4578298 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 22 Nov 2022 03:20:30 +0000 Subject: [PATCH 05/32] build(deps): update typescript-eslint monorepo to v5.44.0 (#4415) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 4 +- web/pnpm-lock.yaml | 102 ++++++++++++++++++++++----------------------- 2 files changed, 53 insertions(+), 53 deletions(-) diff --git a/web/package.json b/web/package.json index bd21bb84e..99c34890c 100644 --- a/web/package.json +++ b/web/package.json @@ -153,8 +153,8 @@ "@types/react": "18.0.25", "@types/react-dom": "18.0.9", "@types/zxcvbn": "4.4.1", - "@typescript-eslint/eslint-plugin": "5.43.0", - "@typescript-eslint/parser": "5.43.0", + "@typescript-eslint/eslint-plugin": "5.44.0", + "@typescript-eslint/parser": "5.44.0", "@vitejs/plugin-react": "2.2.0", "esbuild": "0.15.15", "esbuild-jest": "0.5.0", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index 735f0320d..e7af1647b 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -21,8 +21,8 @@ specifiers: '@types/react': 18.0.25 '@types/react-dom': 18.0.9 '@types/zxcvbn': 4.4.1 - '@typescript-eslint/eslint-plugin': 5.43.0 - '@typescript-eslint/parser': 5.43.0 + '@typescript-eslint/eslint-plugin': 5.44.0 + '@typescript-eslint/parser': 5.44.0 '@vitejs/plugin-react': 2.2.0 axios: 1.1.3 broadcast-channel: 4.18.1 @@ -103,8 +103,8 @@ devDependencies: '@types/react': 18.0.25 '@types/react-dom': 18.0.9 '@types/zxcvbn': 4.4.1 - '@typescript-eslint/eslint-plugin': 5.43.0_nqj4bdx4ekws7aecttskpih4py - '@typescript-eslint/parser': 5.43.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/eslint-plugin': 5.44.0_fnsv2sbzcckq65bwfk7a5xwslu + '@typescript-eslint/parser': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a '@vitejs/plugin-react': 2.2.0_vite@3.2.4 esbuild: 0.15.15 esbuild-jest: 0.5.0_esbuild@0.15.15 
@@ -113,7 +113,7 @@ devDependencies: eslint-config-react-app: 7.0.1_ffu622cxxp5swe5tqcog7svb5i eslint-formatter-rdjson: 1.0.5 eslint-import-resolver-typescript: 3.5.2_ktrec6dplf4now6nlbc6d67jee - eslint-plugin-import: 2.26.0_d5vn4nsvkp5ugznurcfxmdkaeu + eslint-plugin-import: 2.26.0_vc54pluhgv7booofyyjouvuf74 eslint-plugin-jsx-a11y: 6.6.1_eslint@8.28.0 eslint-plugin-prettier: 4.2.1_pgxuib4rd7wiymfktharf5ydt4 eslint-plugin-react: 7.31.11_eslint@8.28.0 @@ -3639,8 +3639,8 @@ packages: resolution: {integrity: sha512-3NoqvZC2W5gAC5DZbTpCeJ251vGQmgcWIHQJGq2J240HY6ErQ9aWKkwfoKJlHLx+A83WPNTZ9+3cd2ILxbvr1w==} dev: true - /@typescript-eslint/eslint-plugin/5.43.0_nqj4bdx4ekws7aecttskpih4py: - resolution: {integrity: sha512-wNPzG+eDR6+hhW4yobEmpR36jrqqQv1vxBq5LJO3fBAktjkvekfr4BRl+3Fn1CM/A+s8/EiGUbOMDoYqWdbtXA==} + /@typescript-eslint/eslint-plugin/5.44.0_fnsv2sbzcckq65bwfk7a5xwslu: + resolution: {integrity: sha512-j5ULd7FmmekcyWeArx+i8x7sdRHzAtXTkmDPthE4amxZOWKFK7bomoJ4r7PJ8K7PoMzD16U8MmuZFAonr1ERvw==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} peerDependencies: '@typescript-eslint/parser': ^5.0.0 @@ -3650,10 +3650,10 @@ packages: typescript: optional: true dependencies: - '@typescript-eslint/parser': 5.43.0_hsf322ms6xhhd4b5ne6lb74y4a - '@typescript-eslint/scope-manager': 5.43.0 - '@typescript-eslint/type-utils': 5.43.0_hsf322ms6xhhd4b5ne6lb74y4a - '@typescript-eslint/utils': 5.43.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/parser': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/scope-manager': 5.44.0 + '@typescript-eslint/type-utils': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/utils': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a debug: 4.3.4 eslint: 8.28.0 ignore: 5.2.0 
@@ -3679,8 +3679,8 @@ packages: - typescript dev: true - /@typescript-eslint/parser/5.43.0_hsf322ms6xhhd4b5ne6lb74y4a: - resolution: {integrity: sha512-2iHUK2Lh7PwNUlhFxxLI2haSDNyXvebBO9izhjhMoDC+S3XI9qt2DGFUsiJ89m2k7gGYch2aEpYqV5F/+nwZug==} + /@typescript-eslint/parser/5.44.0_hsf322ms6xhhd4b5ne6lb74y4a: + resolution: {integrity: sha512-H7LCqbZnKqkkgQHaKLGC6KUjt3pjJDx8ETDqmwncyb6PuoigYajyAwBGz08VU/l86dZWZgI4zm5k2VaKqayYyA==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} peerDependencies: eslint: ^6.0.0 || ^7.0.0 || ^8.0.0 @@ -3689,9 +3689,9 @@ packages: typescript: optional: true dependencies: - '@typescript-eslint/scope-manager': 5.43.0 - '@typescript-eslint/types': 5.43.0 - '@typescript-eslint/typescript-estree': 5.43.0_typescript@4.9.3 + '@typescript-eslint/scope-manager': 5.44.0 + '@typescript-eslint/types': 5.44.0 + '@typescript-eslint/typescript-estree': 5.44.0_typescript@4.9.3 debug: 4.3.4 eslint: 8.28.0 typescript: 4.9.3 
@@ -3707,16 +3707,16 @@ packages: '@typescript-eslint/visitor-keys': 5.30.6 dev: true - /@typescript-eslint/scope-manager/5.43.0: - resolution: {integrity: sha512-XNWnGaqAtTJsUiZaoiGIrdJYHsUOd3BZ3Qj5zKp9w6km6HsrjPk/TGZv0qMTWyWj0+1QOqpHQ2gZOLXaGA9Ekw==} + /@typescript-eslint/scope-manager/5.44.0: + resolution: {integrity: sha512-2pKml57KusI0LAhgLKae9kwWeITZ7IsZs77YxyNyIVOwQ1kToyXRaJLl+uDEXzMN5hnobKUOo2gKntK9H1YL8g==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} dependencies: - '@typescript-eslint/types': 5.43.0 - '@typescript-eslint/visitor-keys': 5.43.0 + '@typescript-eslint/types': 5.44.0 + '@typescript-eslint/visitor-keys': 5.44.0 dev: true - /@typescript-eslint/type-utils/5.43.0_hsf322ms6xhhd4b5ne6lb74y4a: - resolution: {integrity: sha512-K21f+KY2/VvYggLf5Pk4tgBOPs2otTaIHy2zjclo7UZGLyFH86VfUOm5iq+OtDtxq/Zwu2I3ujDBykVW4Xtmtg==} + /@typescript-eslint/type-utils/5.44.0_hsf322ms6xhhd4b5ne6lb74y4a: + resolution: {integrity: sha512-A1u0Yo5wZxkXPQ7/noGkRhV4J9opcymcr31XQtOzcc5nO/IHN2E2TPMECKWYpM3e6olWEM63fq/BaL1wEYnt/w==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} peerDependencies: eslint: '*' @@ -3725,8 +3725,8 @@ packages: typescript: optional: true dependencies: - '@typescript-eslint/typescript-estree': 5.43.0_typescript@4.9.3 - '@typescript-eslint/utils': 5.43.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/typescript-estree': 5.44.0_typescript@4.9.3 + '@typescript-eslint/utils': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a debug: 4.3.4 eslint: 8.28.0 tsutils: 3.21.0_typescript@4.9.3 @@ -3740,8 +3740,8 @@ packages: engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} dev: true - /@typescript-eslint/types/5.43.0: - resolution: {integrity: sha512-jpsbcD0x6AUvV7tyOlyvon0aUsQpF8W+7TpJntfCUWU1qaIKu2K34pMwQKSzQH8ORgUrGYY6pVIh1Pi8TNeteg==} + /@typescript-eslint/types/5.44.0: + resolution: {integrity: sha512-Tp+zDnHmGk4qKR1l+Y1rBvpjpm5tGXX339eAlRBDg+kgZkz9Bw+pqi4dyseOZMsGuSH69fYfPJCBKBrbPCxYFQ==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} dev: true 
@@ -3766,8 +3766,8 @@ packages: - supports-color dev: true - /@typescript-eslint/typescript-estree/5.43.0_typescript@4.9.3: - resolution: {integrity: sha512-BZ1WVe+QQ+igWal2tDbNg1j2HWUkAa+CVqdU79L4HP9izQY6CNhXfkNwd1SS4+sSZAP/EthI1uiCSY/+H0pROg==} + /@typescript-eslint/typescript-estree/5.44.0_typescript@4.9.3: + resolution: {integrity: sha512-M6Jr+RM7M5zeRj2maSfsZK2660HKAJawv4Ud0xT+yauyvgrsHu276VtXlKDFnEmhG+nVEd0fYZNXGoAgxwDWJw==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} peerDependencies: typescript: '*' @@ -3775,8 +3775,8 @@ packages: typescript: optional: true dependencies: - '@typescript-eslint/types': 5.43.0 - '@typescript-eslint/visitor-keys': 5.43.0 + '@typescript-eslint/types': 5.44.0 + '@typescript-eslint/visitor-keys': 5.44.0 debug: 4.3.4 globby: 11.1.0 is-glob: 4.0.3 @@ -3805,17 +3805,17 @@ packages: - typescript dev: true - /@typescript-eslint/utils/5.43.0_hsf322ms6xhhd4b5ne6lb74y4a: - resolution: {integrity: sha512-8nVpA6yX0sCjf7v/NDfeaOlyaIIqL7OaIGOWSPFqUKK59Gnumd3Wa+2l8oAaYO2lk0sO+SbWFWRSvhu8gLGv4A==} + /@typescript-eslint/utils/5.44.0_hsf322ms6xhhd4b5ne6lb74y4a: + resolution: {integrity: sha512-fMzA8LLQ189gaBjS0MZszw5HBdZgVwxVFShCO3QN+ws3GlPkcy9YuS3U4wkT6su0w+Byjq3mS3uamy9HE4Yfjw==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} peerDependencies: eslint: ^6.0.0 || ^7.0.0 || ^8.0.0 dependencies: '@types/json-schema': 7.0.11 '@types/semver': 7.3.12 - '@typescript-eslint/scope-manager': 5.43.0 - '@typescript-eslint/types': 5.43.0 - '@typescript-eslint/typescript-estree': 5.43.0_typescript@4.9.3 + '@typescript-eslint/scope-manager': 5.44.0 + '@typescript-eslint/types': 5.44.0 + '@typescript-eslint/typescript-estree': 5.44.0_typescript@4.9.3 eslint: 8.28.0 eslint-scope: 5.1.1 eslint-utils: 3.0.0_eslint@8.28.0 
@@ -3833,11 +3833,11 @@ packages: eslint-visitor-keys: 3.3.0 dev: true - /@typescript-eslint/visitor-keys/5.43.0: - resolution: {integrity: sha512-icl1jNH/d18OVHLfcwdL3bWUKsBeIiKYTGxMJCoGe7xFht+E4QgzOqoWYrU8XSLJWhVw8nTacbm03v23J/hFTg==} + /@typescript-eslint/visitor-keys/5.44.0: + resolution: {integrity: sha512-a48tLG8/4m62gPFbJ27FxwCOqPKxsb8KC3HkmYoq2As/4YyjQl1jDbRr1s63+g4FS/iIehjmN3L5UjmKva1HzQ==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} dependencies: - '@typescript-eslint/types': 5.43.0 + '@typescript-eslint/types': 5.44.0 eslint-visitor-keys: 3.3.0 dev: true @@ -5365,14 +5365,14 @@ packages: '@babel/core': 7.18.6 '@babel/eslint-parser': 7.18.2_e6dejpcwcc66ssvjscxl7tagl4 '@rushstack/eslint-patch': 1.1.4 - '@typescript-eslint/eslint-plugin': 5.43.0_nqj4bdx4ekws7aecttskpih4py - '@typescript-eslint/parser': 5.43.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/eslint-plugin': 5.44.0_fnsv2sbzcckq65bwfk7a5xwslu + '@typescript-eslint/parser': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a babel-preset-react-app: 10.0.1 confusing-browser-globals: 1.0.11 eslint: 8.28.0 eslint-plugin-flowtype: 8.0.3_eslint@8.28.0 - eslint-plugin-import: 2.26.0_d5vn4nsvkp5ugznurcfxmdkaeu - eslint-plugin-jest: 25.7.0_nlk4gf27wwh5udaenqwmulwkme + eslint-plugin-import: 2.26.0_vc54pluhgv7booofyyjouvuf74 + eslint-plugin-jest: 25.7.0_bifecjdquhom2xjmkl7gfpj6ma eslint-plugin-jsx-a11y: 6.6.1_eslint@8.28.0 eslint-plugin-react: 7.31.11_eslint@8.28.0 eslint-plugin-react-hooks: 4.6.0_eslint@8.28.0 @@ -5410,7 +5410,7 @@ packages: debug: 4.3.4 enhanced-resolve: 5.10.0 eslint: 8.28.0 - eslint-plugin-import: 2.26.0_d5vn4nsvkp5ugznurcfxmdkaeu + eslint-plugin-import: 2.26.0_vc54pluhgv7booofyyjouvuf74 get-tsconfig: 4.2.0 globby: 13.1.2 is-core-module: 2.10.0 
@@ -5420,7 +5420,7 @@ packages: - supports-color dev: true - /eslint-module-utils/2.7.3_clahhyedowhj7lywpxe6ohktxi: + /eslint-module-utils/2.7.3_nkdimya4zmerbrybxnwpev2imm: resolution: {integrity: sha512-088JEC7O3lDZM9xGe0RerkOMd0EjFl+Yvd1jPWIkMT5u3H9+HC34mWWPnqPrN13gieT9pBOO+Qt07Nb/6TresQ==} engines: {node: '>=4'} peerDependencies: @@ -5438,7 +5438,7 @@ packages: eslint-import-resolver-webpack: optional: true dependencies: - '@typescript-eslint/parser': 5.43.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/parser': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a debug: 3.2.7 eslint-import-resolver-node: 0.3.6 eslint-import-resolver-typescript: 3.5.2_ktrec6dplf4now6nlbc6d67jee @@ -5465,7 +5465,7 @@ packages: string-natural-compare: 3.0.1 dev: true - /eslint-plugin-import/2.26.0_d5vn4nsvkp5ugznurcfxmdkaeu: + /eslint-plugin-import/2.26.0_vc54pluhgv7booofyyjouvuf74: resolution: {integrity: sha512-hYfi3FXaM8WPLf4S1cikh/r4IxnO6zrhZbEGz2b660EJRbuxgpDS5gkCuYgGWg2xxh2rBuIr4Pvhve/7c31koA==} engines: {node: '>=4'} peerDependencies: @@ -5475,14 +5475,14 @@ packages: '@typescript-eslint/parser': optional: true dependencies: - '@typescript-eslint/parser': 5.43.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/parser': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a array-includes: 3.1.5 array.prototype.flat: 1.3.0 debug: 2.6.9 doctrine: 2.1.0 eslint: 8.28.0 eslint-import-resolver-node: 0.3.6 - eslint-module-utils: 2.7.3_clahhyedowhj7lywpxe6ohktxi + eslint-module-utils: 2.7.3_nkdimya4zmerbrybxnwpev2imm has: 1.0.3 is-core-module: 2.9.0 is-glob: 4.0.3 @@ -5496,7 +5496,7 @@ packages: - supports-color dev: true - /eslint-plugin-jest/25.7.0_nlk4gf27wwh5udaenqwmulwkme: + /eslint-plugin-jest/25.7.0_bifecjdquhom2xjmkl7gfpj6ma: resolution: {integrity: sha512-PWLUEXeeF7C9QGKqvdSbzLOiLTx+bno7/HC9eefePfEb257QFHg7ye3dh80AZVkaa/RQsBB1Q/ORQvg2X7F0NQ==} engines: {node: ^12.13.0 || ^14.15.0 || >=16.0.0} peerDependencies: 
@@ -5509,7 +5509,7 @@ packages: jest: optional: true dependencies: - '@typescript-eslint/eslint-plugin': 5.43.0_nqj4bdx4ekws7aecttskpih4py + '@typescript-eslint/eslint-plugin': 5.44.0_fnsv2sbzcckq65bwfk7a5xwslu '@typescript-eslint/experimental-utils': 5.30.6_hsf322ms6xhhd4b5ne6lb74y4a eslint: 8.28.0 jest: 29.3.1_@types+node@18.11.9 @@ -5596,7 +5596,7 @@ packages: peerDependencies: eslint: ^7.5.0 || ^8.0.0 dependencies: - '@typescript-eslint/utils': 5.43.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/utils': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a eslint: 8.28.0 transitivePeerDependencies: - supports-color From 76474f0e5574e40396633dda4449ffb5c8d6b3a5 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 22 Nov 2022 06:16:12 +0000 Subject: [PATCH 06/32] build(deps): update module github.com/go-rod/rod to v0.112.1 (#4416) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index b9f3ecd3c..b92f60a6d 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/go-asn1-ber/asn1-ber v1.5.4 github.com/go-crypt/crypt v0.1.14 github.com/go-ldap/ldap/v3 v3.4.4 - github.com/go-rod/rod v0.112.0 + github.com/go-rod/rod v0.112.1 github.com/go-sql-driver/mysql v1.6.0 github.com/go-webauthn/webauthn v0.5.0 github.com/golang-jwt/jwt/v4 v4.4.2 diff --git a/go.sum b/go.sum index d4dbd1d6f..0a2f9b9bd 100644 --- a/go.sum +++ b/go.sum 
@@ -182,8 +182,8 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI= github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo= -github.com/go-rod/rod v0.112.0 h1:U9Yc+quw4hxZ6GrdbWFBeylvaYElEKM9ijFW2LYkGlA= -github.com/go-rod/rod v0.112.0/go.mod h1:GZDtmEs6RpF6kBRYpGCZXxXlKNneKVPiKOjaMbmVVjE= +github.com/go-rod/rod v0.112.1 h1:FuItvJ4ysJjKR2JA5UDlyLJwWZpWwA4jcNd3BoU+ioQ= +github.com/go-rod/rod v0.112.1/go.mod h1:fwfpjm+CpFaGn50i+l/ieqATte/FY1cvi8nsrq8DJjA= github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= @@ -613,8 +613,8 @@ github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ= github.com/ysmood/goob v0.4.0/go.mod h1:u6yx7ZhS4Exf2MwciFr6nIM8knHQIE22lFpWHnfql18= -github.com/ysmood/got v0.31.3 h1:UvvF+TDVsZLO7MSzm/Bd/H4HVp+7S5YwsxgdwaKq8uA= -github.com/ysmood/got v0.31.3/go.mod h1:pE1l4LOwOBhQg6A/8IAatkGp7uZjnalzrZolnlhhMgY= +github.com/ysmood/got v0.32.0 h1:aAHdQgfgMb/lo4v+OekM+SSqEJYFI035h5YYvLXsVyU= +github.com/ysmood/got v0.32.0/go.mod h1:pE1l4LOwOBhQg6A/8IAatkGp7uZjnalzrZolnlhhMgY= github.com/ysmood/gotrace v0.6.0 h1:SyI1d4jclswLhg7SWTL6os3L1WOKeNn/ZtzVQF8QmdY= github.com/ysmood/gotrace v0.6.0/go.mod h1:TzhIG7nHDry5//eYZDYcTzuJLYQIkykJzCRIo4/dzQM= github.com/ysmood/gson v0.7.1 h1:zKL2MTGtynxdBdlZjyGsvEOZ7dkxaY5TH6QhAbTgz0Q= 
From fd3dd4db51cd3b326d0cf118e8de35a6d18846e2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 22 Nov 2022 09:54:15 +0000 Subject: [PATCH 07/32] build(deps): update module github.com/ory/x to v0.0.515 (#4413) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index b92f60a6d..cb9f282bd 100644 --- a/go.mod +++ b/go.mod @@ -28,7 +28,7 @@ require ( github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 github.com/ory/fosite v0.43.0 github.com/ory/herodot v0.9.13 - github.com/ory/x v0.0.514 + github.com/ory/x v0.0.515 github.com/otiai10/copy v1.9.0 github.com/pkg/errors v0.9.1 github.com/pquerna/otp v1.3.0 diff --git a/go.sum b/go.sum index 0a2f9b9bd..934923cb1 100644 --- a/go.sum +++ b/go.sum @@ -460,8 +460,8 @@ github.com/ory/herodot v0.9.13 h1:cN/Z4eOkErl/9W7hDIDLb79IO/bfsH+8yscBjRpB4IU= github.com/ory/herodot v0.9.13/go.mod h1:IWDs9kSvFQqw/cQ8zi5ksyYvITiUU4dI7glUrhZcJYo= github.com/ory/viper v1.7.5 h1:+xVdq7SU3e1vNaCsk/ixsfxE4zylk1TJUiJrY647jUE= github.com/ory/viper v1.7.5/go.mod h1:ypOuyJmEUb3oENywQZRgeAMwqgOyDqwboO1tj3DjTaM= -github.com/ory/x v0.0.514 h1:QCRqmZbsqRTMIMA+mR1qjjpStdEeVGTXI0jMO0iTfVw= -github.com/ory/x v0.0.514/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY= +github.com/ory/x v0.0.515 h1:Z4/zdA4yFaq+x46b/kdlE41fpyF2yHycmxkpzKWj/UA= +github.com/ory/x v0.0.515/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY= github.com/otiai10/copy v1.9.0 h1:7KFNiCgZ91Ru4qW4CWPf/7jqtxLagGRmIxWldPP9VY4= github.com/otiai10/copy v1.9.0/go.mod h1:hsfX19wcn0UWIHUQ3/4fHuehhk2UyArQ9dVFAn3FczI= github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= From 4e1eb45cc52de5cfd7d1a2b84bc8e9b9e0e4cc8e Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 22 Nov 2022 13:18:39 +0000 Subject: [PATCH 08/32] build(deps): update commitlint monorepo to v17.3.0 (#4414) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 4 +- web/pnpm-lock.yaml | 96 +++++++++++++++++++++++++++++++++------------- 2 files changed, 71 insertions(+), 29 deletions(-) diff --git a/web/package.json b/web/package.json index 99c34890c..954b63782 100644 --- a/web/package.json +++ b/web/package.json @@ -143,8 +143,8 @@ ] }, "devDependencies": { - "@commitlint/cli": "17.2.0", - "@commitlint/config-conventional": "17.2.0", + "@commitlint/cli": "17.3.0", + "@commitlint/config-conventional": "17.3.0", "@testing-library/jest-dom": "5.16.5", "@testing-library/react": "13.4.0", "@types/jest": "29.2.3", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index e7af1647b..91eabdf5e 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -1,8 +1,8 @@ lockfileVersion: 5.4 specifiers: - '@commitlint/cli': 17.2.0 - '@commitlint/config-conventional': 17.2.0 + '@commitlint/cli': 17.3.0 + '@commitlint/config-conventional': 17.3.0 '@emotion/cache': 11.10.5 '@emotion/react': 11.10.5 '@emotion/styled': 11.10.5 @@ -93,8 +93,8 @@ dependencies: zxcvbn: 4.4.2 devDependencies: - '@commitlint/cli': 17.2.0 - '@commitlint/config-conventional': 17.2.0 + '@commitlint/cli': 17.3.0 + '@commitlint/config-conventional': 17.3.0 '@testing-library/jest-dom': 5.16.5 '@testing-library/react': 13.4.0_biqbaboplfbrettd7655fr4n2y '@types/jest': 29.2.3 
@@ -2142,18 +2142,18 @@ packages: minimist: 1.2.6 dev: true - /@commitlint/cli/17.2.0: - resolution: {integrity: sha512-kd1zykcrjIKyDRftWW1E1TJqkgzeosEkv1BiYPCdzkb/g/3BrfgwZUHR1vg+HO3qKUb/0dN+jNXArhGGAHpmaQ==} + /@commitlint/cli/17.3.0: + resolution: {integrity: sha512-/H0md7TsKflKzVPz226VfXzVafJFO1f9+r2KcFvmBu08V0T56lZU1s8WL7/xlxqLMqBTVaBf7Ixtc4bskdEEZg==} engines: {node: '>=v14'} hasBin: true dependencies: '@commitlint/format': 17.0.0 - '@commitlint/lint': 17.2.0 - '@commitlint/load': 17.2.0 + '@commitlint/lint': 17.3.0 + '@commitlint/load': 17.3.0 '@commitlint/read': 17.2.0 '@commitlint/types': 17.0.0 execa: 5.1.1 - lodash: 4.17.21 + lodash.isfunction: 3.0.9 resolve-from: 5.0.0 resolve-global: 1.0.0 yargs: 17.5.1 @@ -2162,8 +2162,8 @@ packages: - '@swc/wasm' dev: true - /@commitlint/config-conventional/17.2.0: - resolution: {integrity: sha512-g5hQqRa80f++SYS233dbDSg16YdyounMTAhVcmqtInNeY/GF3aA4st9SVtJxpeGrGmueMrU4L+BBb+6Vs5wrcg==} + /@commitlint/config-conventional/17.3.0: + resolution: {integrity: sha512-hgI+fN5xF8nhS9uG/V06xyT0nlcyvHHMkq0kwRSr96vl5BFlRGaL2C0/YY4kQagfU087tmj01bJkG9Ek98Wllw==} engines: {node: '>=v14'} dependencies: conventional-changelog-conventionalcommits: 5.0.0 @@ -2177,12 +2177,16 @@ packages: ajv: 8.11.0 dev: true - /@commitlint/ensure/17.0.0: - resolution: {integrity: sha512-M2hkJnNXvEni59S0QPOnqCKIK52G1XyXBGw51mvh7OXDudCmZ9tZiIPpU882p475Mhx48Ien1MbWjCP1zlyC0A==} + /@commitlint/ensure/17.3.0: + resolution: {integrity: sha512-kWbrQHDoW5veIUQx30gXoLOCjWvwC6OOEofhPCLl5ytRPBDAQObMbxTha1Bt2aSyNE/IrJ0s0xkdZ1Gi3wJwQg==} engines: {node: '>=v14'} dependencies: '@commitlint/types': 17.0.0 - lodash: 4.17.21 + lodash.camelcase: 4.3.0 + lodash.kebabcase: 4.1.1 + lodash.snakecase: 4.1.1 + lodash.startcase: 4.4.0 + lodash.upperfirst: 4.3.1 dev: true /@commitlint/execute-rule/17.0.0: 
@@ -2206,29 +2210,31 @@ packages: semver: 7.3.7 dev: true - /@commitlint/lint/17.2.0: - resolution: {integrity: sha512-N2oLn4Dj672wKH5qJ4LGO+73UkYXGHO+NTVUusGw83SjEv7GjpqPGKU6KALW2kFQ/GsDefSvOjpSi3CzWHQBDg==} + /@commitlint/lint/17.3.0: + resolution: {integrity: sha512-VilOTPg0i9A7CCWM49E9bl5jytfTvfTxf9iwbWAWNjxJ/A5mhPKbm3sHuAdwJ87tDk1k4j8vomYfH23iaY+1Rw==} engines: {node: '>=v14'} dependencies: '@commitlint/is-ignored': 17.2.0 '@commitlint/parse': 17.2.0 - '@commitlint/rules': 17.2.0 + '@commitlint/rules': 17.3.0 '@commitlint/types': 17.0.0 dev: true - /@commitlint/load/17.2.0: - resolution: {integrity: sha512-HDD57qSqNrk399R4TIjw31AWBG8dBjNj1MrDKZKmC/wvimtnIFlqzcu1+sxfXIOHj/+M6tcMWDtvknGUd7SU+g==} + /@commitlint/load/17.3.0: + resolution: {integrity: sha512-u/pV6rCAJrCUN+HylBHLzZ4qj1Ew3+eN9GBPhNi9otGxtOfA8b+8nJSxaNbcC23Ins/kcpjGf9zPSVW7628Umw==} engines: {node: '>=v14'} dependencies: '@commitlint/config-validator': 17.1.0 '@commitlint/execute-rule': 17.0.0 - '@commitlint/resolve-extends': 17.1.0 + '@commitlint/resolve-extends': 17.3.0 '@commitlint/types': 17.0.0 '@types/node': 14.18.26 chalk: 4.1.2 cosmiconfig: 7.0.1 cosmiconfig-typescript-loader: 4.0.0_cs4q7g5uavsvvdjjkl2t6wi57a - lodash: 4.17.21 + lodash.isplainobject: 4.0.6 + lodash.merge: 4.6.2 + lodash.uniq: 4.5.0 resolve-from: 5.0.0 ts-node: 10.9.0_omfyfib2yqj7pu7wtuw6wjyhwa typescript: 4.9.3 
@@ -2262,23 +2268,23 @@ packages: minimist: 1.2.6 dev: true - /@commitlint/resolve-extends/17.1.0: - resolution: {integrity: sha512-jqKm00LJ59T0O8O4bH4oMa4XyJVEOK4GzH8Qye9XKji+Q1FxhZznxMV/bDLyYkzbTodBt9sL0WLql8wMtRTbqQ==} + /@commitlint/resolve-extends/17.3.0: + resolution: {integrity: sha512-Lf3JufJlc5yVEtJWC8o4IAZaB8FQAUaVlhlAHRACd0TTFizV2Lk2VH70et23KgvbQNf7kQzHs/2B4QZalBv6Cg==} engines: {node: '>=v14'} dependencies: '@commitlint/config-validator': 17.1.0 '@commitlint/types': 17.0.0 import-fresh: 3.3.0 - lodash: 4.17.21 + lodash.mergewith: 4.6.2 resolve-from: 5.0.0 resolve-global: 1.0.0 dev: true - /@commitlint/rules/17.2.0: - resolution: {integrity: sha512-1YynwD4Eh7HXZNpqG8mtUlL2pSX2jBy61EejYJv4ooZPcg50Ak7LPOyD3a9UZnsE76AXWFBz+yo9Hv4MIpAa0Q==} + /@commitlint/rules/17.3.0: + resolution: {integrity: sha512-s2UhDjC5yP2utx3WWqsnZRzjgzAX8BMwr1nltC0u0p8T/nzpkx4TojEfhlsOUj1t7efxzZRjUAV0NxNwdJyk+g==} engines: {node: '>=v14'} dependencies: - '@commitlint/ensure': 17.0.0 + '@commitlint/ensure': 17.3.0 '@commitlint/message': 17.2.0 '@commitlint/to-lines': 17.0.0 '@commitlint/types': 17.0.0 
@@ -7484,14 +7490,50 @@ packages: p-locate: 5.0.0 dev: true + /lodash.camelcase/4.3.0: + resolution: {integrity: sha512-TwuEnCnxbc3rAvhf/LbG7tJUDzhqXyFnv3dtzLOPgCG/hODL7WFnsbwktkD7yUV0RrreP/l1PALq/YSg6VvjlA==} + dev: true + /lodash.debounce/4.0.8: resolution: {integrity: sha512-FT1yDzDYEoYWhnSGnpE/4Kj1fLZkDFyqRb7fNt6FdYOSxlUWAtp42Eh6Wb0rGIv/m9Bgo7x4GhQbm5Ys4SG5ow==} dev: true + /lodash.isfunction/3.0.9: + resolution: {integrity: sha512-AirXNj15uRIMMPihnkInB4i3NHeb4iBtNg9WRWuK2o31S+ePwwNmDPaTL3o7dTJ+VXNZim7rFs4rxN4YU1oUJw==} + dev: true + + /lodash.isplainobject/4.0.6: + resolution: {integrity: sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==} + dev: true + + /lodash.kebabcase/4.1.1: + resolution: {integrity: sha512-N8XRTIMMqqDgSy4VLKPnJ/+hpGZN+PHQiJnSenYqPaVV/NCqEogTnAdZLQiGKhxX+JCs8waWq2t1XHWKOmlY8g==} + dev: true + /lodash.merge/4.6.2: resolution: {integrity: sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==} dev: true + /lodash.mergewith/4.6.2: + resolution: {integrity: sha512-GK3g5RPZWTRSeLSpgP8Xhra+pnjBC56q9FZYe1d5RN3TJ35dbkGy3YqBSMbyCrlbi+CM9Z3Jk5yTL7RCsqboyQ==} + dev: true + + /lodash.snakecase/4.1.1: + resolution: {integrity: sha512-QZ1d4xoBHYUeuouhEq3lk3Uq7ldgyFXGBhg04+oRLnIz8o9T65Eh+8YdroUwn846zchkA9yDsDl5CVVaV2nqYw==} + dev: true + + /lodash.startcase/4.4.0: + resolution: {integrity: sha512-+WKqsK294HMSc2jEbNgpHpd0JfIBhp7rEV4aqXWqFr6AlXov+SlcgB1Fv01y2kGe3Gc8nMW7VA0SrGuSkRfIEg==} + dev: true + + /lodash.uniq/4.5.0: + resolution: {integrity: sha512-xfBaXQd9ryd9dlSDvnvI0lvxfLJlYAZzXomUYzLKtUeOQvOP5piqAWuGtrhWeqaXK9hhoM/iyJc5AV+XfsX3HQ==} + dev: true + + /lodash.upperfirst/4.3.1: + resolution: {integrity: sha512-sReKOYJIJf74dhJONhU4e0/shzi1trVbSWDOhKYE5XV2O+H7Sb2Dihwuc7xWxVl+DgFPyTqIN3zMfT9cq5iWDg==} + dev: true + /lodash/4.17.21: resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==} dev: true 
From c6d3ce4d29a5f2290d7a643576d75515e1c7661f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 22 Nov 2022 17:03:04 +0000 Subject: [PATCH 09/32] build(deps): update material-ui monorepo to v5.10.15 (#4418) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 6 ++--- web/pnpm-lock.yaml | 66 +++++++++++++++++++++++----------------------- 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/web/package.json b/web/package.json index 954b63782..8741cdb4e 100644 --- a/web/package.json +++ b/web/package.json @@ -25,9 +25,9 @@ "@fortawesome/free-regular-svg-icons": "6.2.1", "@fortawesome/free-solid-svg-icons": "6.2.1", "@fortawesome/react-fontawesome": "0.2.0", - "@mui/icons-material": "5.10.14", - "@mui/material": "5.10.14", - "@mui/styles": "5.10.14", + "@mui/icons-material": "5.10.15", + "@mui/material": "5.10.15", + "@mui/styles": "5.10.15", "axios": "1.1.3", "broadcast-channel": "4.18.1", "classnames": "2.3.2", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index 91eabdf5e..181385d6f 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -10,9 +10,9 @@ specifiers: '@fortawesome/free-regular-svg-icons': 6.2.1 '@fortawesome/free-solid-svg-icons': 6.2.1 '@fortawesome/react-fontawesome': 0.2.0 - '@mui/icons-material': 5.10.14 - '@mui/material': 5.10.14 - '@mui/styles': 5.10.14 + '@mui/icons-material': 5.10.15 + '@mui/material': 5.10.15 + '@mui/styles': 5.10.15 '@testing-library/jest-dom': 5.16.5 '@testing-library/react': 13.4.0 '@types/jest': 29.2.3 
@@ -73,9 +73,9 @@ dependencies: '@fortawesome/free-regular-svg-icons': 6.2.1 '@fortawesome/free-solid-svg-icons': 6.2.1 '@fortawesome/react-fontawesome': 0.2.0_z27bm67dtmuyyvss23ckjdrcuy - '@mui/icons-material': 5.10.14_edp4dc7hnxdrqofuyrrjp2id7y - '@mui/material': 5.10.14_thp4wrxo45nyllusrnt46mid4u - '@mui/styles': 5.10.14_fan5qbzahqtxlm5dzefqlqx5ia + '@mui/icons-material': 5.10.15_oev7u2jo7ua7d3mgxqd6sscfw4 + '@mui/material': 5.10.15_thp4wrxo45nyllusrnt46mid4u + '@mui/styles': 5.10.15_fan5qbzahqtxlm5dzefqlqx5ia axios: 1.1.3 broadcast-channel: 4.18.1 classnames: 2.3.2 @@ -2853,8 +2853,8 @@ packages: '@jridgewell/sourcemap-codec': 1.4.14 dev: true - /@mui/base/5.0.0-alpha.106_2zx2umvpluuhvlq44va5bta2da: - resolution: {integrity: sha512-xJQQtwPCPwr6hGWTBdvDwHYwExn3Bw7nPQkN8Fuz8kHpZqoMVWQvvaFS557AIkkI2AFLV3DxVIMjbCvrIntBWg==} + /@mui/base/5.0.0-alpha.107_2zx2umvpluuhvlq44va5bta2da: + resolution: {integrity: sha512-HX/BD8CSe+Y/dpbZ5aKJScJhKQ/Hw6du2yd68Upv2cO67bwixyZ64h3aNcdDu7RQzI7nrZQm0JykffP1Orgq0g==} engines: {node: '>=12.0.0'} peerDependencies: '@types/react': ^17.0.0 || ^18.0.0 || 18 @@ -2867,7 +2867,7 @@ packages: '@babel/runtime': 7.20.1 '@emotion/is-prop-valid': 1.2.0 '@mui/types': 7.2.1_@types+react@18.0.25 - '@mui/utils': 5.10.14_react@18.2.0 + '@mui/utils': 5.10.15_react@18.2.0 '@popperjs/core': 2.11.6 '@types/react': 18.0.25 clsx: 1.2.1 
@@ -2877,12 +2877,12 @@ packages: react-is: 18.2.0 dev: false - /@mui/core-downloads-tracker/5.10.14: - resolution: {integrity: sha512-qLgIJNOR9Dre8JiZ/neVzOf4jf88J6YtOkQqugtMrleLjbfRVUSS4LWl9CSOjNq76quYdmYWnSDgfQqOooT2cQ==} + /@mui/core-downloads-tracker/5.10.15: + resolution: {integrity: sha512-xFcS0LpdF0Q1qJrrNsYUv9PU+ovvhCEPTOMw2jcpEFtl3CA87dLpvztORR5oE2UBFjWF7qLQLOwboQU1+xC7Cw==} dev: false - /@mui/icons-material/5.10.14_edp4dc7hnxdrqofuyrrjp2id7y: - resolution: {integrity: sha512-qtH60slQa+7MZRn6kyui8rKuoGDglPqaHX+pzBKNvd8JCOlrnfY5DmGGDdToTXyXl8xJ8nhANZbrbpg7UVKq/Q==} + /@mui/icons-material/5.10.15_oev7u2jo7ua7d3mgxqd6sscfw4: + resolution: {integrity: sha512-fXkz7CtYTt4AH4YYT67VFhM/A3YCUqZGGLp/3BlzRPQRNEfFKknw3MgG1S5UYrY5weti8jxMx3mwwfhVP8OMhQ==} engines: {node: '>=12.0.0'} peerDependencies: '@mui/material': ^5.0.0 @@ -2893,13 +2893,13 @@ packages: optional: true dependencies: '@babel/runtime': 7.20.1 - '@mui/material': 5.10.14_thp4wrxo45nyllusrnt46mid4u + '@mui/material': 5.10.15_thp4wrxo45nyllusrnt46mid4u '@types/react': 18.0.25 react: 18.2.0 dev: false - /@mui/material/5.10.14_thp4wrxo45nyllusrnt46mid4u: - resolution: {integrity: sha512-HWzKVAykePMx54WtxVwZyL1W4k3xlHYIqwMw0CaXAvgB3UE9yjABZuuGr8vG5Z6CSNWamzd+s1x8u7pQPFl9og==} + /@mui/material/5.10.15_thp4wrxo45nyllusrnt46mid4u: + resolution: {integrity: sha512-OqoHfUtVMppFHgk2M95j+pR8MWfLKhzSdz4aKEfIpFrHIHbYang+oY7Iy/exX+vqpZSEGHgHQ0cGX0hGTGx9cg==} engines: {node: '>=12.0.0'} peerDependencies: '@emotion/react': ^11.5.0 
@@ -2918,11 +2918,11 @@ packages: '@babel/runtime': 7.20.1 '@emotion/react': 11.10.5_fan5qbzahqtxlm5dzefqlqx5ia '@emotion/styled': 11.10.5_otcjdfkheatawhug6fwk7ldzni - '@mui/base': 5.0.0-alpha.106_2zx2umvpluuhvlq44va5bta2da - '@mui/core-downloads-tracker': 5.10.14 - '@mui/system': 5.10.14_v64nlmo6pkqfmpmxge6otzlg54 + '@mui/base': 5.0.0-alpha.107_2zx2umvpluuhvlq44va5bta2da + '@mui/core-downloads-tracker': 5.10.15 + '@mui/system': 5.10.15_v64nlmo6pkqfmpmxge6otzlg54 '@mui/types': 7.2.1_@types+react@18.0.25 - '@mui/utils': 5.10.14_react@18.2.0 + '@mui/utils': 5.10.15_react@18.2.0 '@types/react': 18.0.25 '@types/react-transition-group': 4.4.5 clsx: 1.2.1 @@ -2934,8 +2934,8 @@ packages: react-transition-group: 4.4.5_biqbaboplfbrettd7655fr4n2y dev: false - /@mui/private-theming/5.10.14_fan5qbzahqtxlm5dzefqlqx5ia: - resolution: {integrity: sha512-3aIBe8WK65CwAPDY8nB11hYnzE1CZMymi76UnaFrA/DdGDwl5Y8F6uB+StKrkVmsqF1po7Mp2odqVkHj320gXw==} + /@mui/private-theming/5.10.15_fan5qbzahqtxlm5dzefqlqx5ia: + resolution: {integrity: sha512-l7CsUj5kYdYz118/JHSvZZTYE9WnIWwln0td5jYATnYw9cNX4ygD6AkKOUYZ1Jitp1YLJqcO8jCP9E5/Nql9IQ==} engines: {node: '>=12.0.0'} peerDependencies: '@types/react': ^17.0.0 || ^18.0.0 || 18 @@ -2945,7 +2945,7 @@ packages: optional: true dependencies: '@babel/runtime': 7.20.1 - '@mui/utils': 5.10.14_react@18.2.0 + '@mui/utils': 5.10.15_react@18.2.0 '@types/react': 18.0.25 prop-types: 15.8.1 react: 18.2.0 @@ -2973,8 +2973,8 @@ packages: react: 18.2.0 dev: false - /@mui/styles/5.10.14_fan5qbzahqtxlm5dzefqlqx5ia: - resolution: {integrity: sha512-efmROE5O+9qV1Wj7Q/Cz3ZplsuqSwqWRFTUWwTuTedoLetAO6ExgV4vGD1bkFsr9+VkAfJV/Zy4KPM0ouok7aA==} + /@mui/styles/5.10.15_fan5qbzahqtxlm5dzefqlqx5ia: + resolution: {integrity: sha512-q8OW8Cyq2C9wGJMcDWXYtFa7qgIIZPAZ15JShDQXBLvyib4qDop5wV3+olQoJdwU5ARjmfPd67IsbORWxG3abQ==} engines: {node: '>=12.0.0'} peerDependencies: '@types/react': ^17.0.0 || 18 
@@ -2985,9 +2985,9 @@ packages: dependencies: '@babel/runtime': 7.20.1 '@emotion/hash': 0.9.0 - '@mui/private-theming': 5.10.14_fan5qbzahqtxlm5dzefqlqx5ia + '@mui/private-theming': 5.10.15_fan5qbzahqtxlm5dzefqlqx5ia '@mui/types': 7.2.1_@types+react@18.0.25 - '@mui/utils': 5.10.14_react@18.2.0 + '@mui/utils': 5.10.15_react@18.2.0 '@types/react': 18.0.25 clsx: 1.2.1 csstype: 3.1.1 @@ -3004,8 +3004,8 @@ packages: react: 18.2.0 dev: false - /@mui/system/5.10.14_v64nlmo6pkqfmpmxge6otzlg54: - resolution: {integrity: sha512-2de7XCjRb1j8Od0Stmo0LwFMLpOMNT4wzfINuExXI1TVSuyxXIXUxiC5FEgJW3GMvf/a7SUR8VOiMoKlKWzukw==} + /@mui/system/5.10.15_v64nlmo6pkqfmpmxge6otzlg54: + resolution: {integrity: sha512-WZmgmpYTMXAaD++QetaaM/miwhNh1JJY1dH7MJH/3Fuv3r3gnhfzE6A55lDqWxkQmlWUO2DCn/cnNZ0FkSdZUg==} engines: {node: '>=12.0.0'} peerDependencies: '@emotion/react': ^11.5.0 @@ -3023,10 +3023,10 @@ packages: '@babel/runtime': 7.20.1 '@emotion/react': 11.10.5_fan5qbzahqtxlm5dzefqlqx5ia '@emotion/styled': 11.10.5_otcjdfkheatawhug6fwk7ldzni - '@mui/private-theming': 5.10.14_fan5qbzahqtxlm5dzefqlqx5ia + '@mui/private-theming': 5.10.15_fan5qbzahqtxlm5dzefqlqx5ia '@mui/styled-engine': 5.10.14_dovxhg2tvkkxkdnqyoum6wzcxm '@mui/types': 7.2.1_@types+react@18.0.25 - '@mui/utils': 5.10.14_react@18.2.0 + '@mui/utils': 5.10.15_react@18.2.0 '@types/react': 18.0.25 clsx: 1.2.1 csstype: 3.1.1 @@ -3045,8 +3045,8 @@ packages: '@types/react': 18.0.25 dev: false - /@mui/utils/5.10.14_react@18.2.0: - resolution: {integrity: sha512-12p59+wDZpA++XVJmKwqsZmrA1nmUQ5d0a1yQWtcDjxNyER1EDzozYN/db+FY2i5ceQh2TynPTEwGms2mXDwFg==} + /@mui/utils/5.10.15_react@18.2.0: + resolution: {integrity: sha512-6AW4MLBUijJi31hxx+6utTJM2q/4hbO+QiMdtwM+f4Iy+BfFnh/elhb08apxNYLfuugPnXXpkDmzEjg+8uDU9g==} engines: {node: '>=12.0.0'} peerDependencies: react: ^17.0.0 || ^18.0.0 || 18 From 1c39512928a88d71b76121017add400e56a55ab7 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 22 Nov 2022 22:49:19 +0000 Subject: [PATCH 10/32] build(deps): update dependency axios to v1.2.0 (#4420) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 2 +- web/pnpm-lock.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/web/package.json b/web/package.json index 8741cdb4e..c56131766 100644 --- a/web/package.json +++ b/web/package.json @@ -28,7 +28,7 @@ "@mui/icons-material": "5.10.15", "@mui/material": "5.10.15", "@mui/styles": "5.10.15", - "axios": "1.1.3", + "axios": "1.2.0", "broadcast-channel": "4.18.1", "classnames": "2.3.2", "i18next": "22.0.6", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index 181385d6f..1d7de905e 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -24,7 +24,7 @@ specifiers: '@typescript-eslint/eslint-plugin': 5.44.0 '@typescript-eslint/parser': 5.44.0 '@vitejs/plugin-react': 2.2.0 - axios: 1.1.3 + axios: 1.2.0 broadcast-channel: 4.18.1 classnames: 2.3.2 esbuild: 0.15.15 @@ -76,7 +76,7 @@ dependencies: '@mui/icons-material': 5.10.15_oev7u2jo7ua7d3mgxqd6sscfw4 '@mui/material': 5.10.15_thp4wrxo45nyllusrnt46mid4u '@mui/styles': 5.10.15_fan5qbzahqtxlm5dzefqlqx5ia - axios: 1.1.3 + axios: 1.2.0 broadcast-channel: 4.18.1 classnames: 2.3.2 i18next: 22.0.6 @@ -4136,8 +4136,8 @@ packages: engines: {node: '>=4'} dev: true - /axios/1.1.3: - resolution: {integrity: sha512-00tXVRwKx/FZr/IDVFt4C+f9FYairX517WoGCL6dpOntqLkZofjhu43F/Xl44UOpqa+9sLFDrG/XAnFsUYgkDA==} + /axios/1.2.0: + resolution: {integrity: sha512-zT7wZyNYu3N5Bu0wuZ6QccIf93Qk1eV8LOewxgjOZFd2DenOs98cJ7+Y6703d0wkaXGY6/nZd4EweJaHz9uzQw==} dependencies: follow-redirects: 1.15.1 form-data: 4.0.0 From 66807b5a8c74df9e9063b7aaf01a7304a9e6c83f Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 23 Nov 2022 00:58:19 +0000 Subject: [PATCH 11/32] build(deps): update alpine docker tag to v3.17.0 (#4422) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.coverage | 2 +- Dockerfile.dev | 2 +- internal/suites/example/compose/kind/Dockerfile | 2 +- internal/suites/example/compose/samba/Dockerfile | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index a67b3bf24..7bb7a5497 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # =================================== # ===== Authelia official image ===== # =================================== -FROM alpine:3.16.3 +FROM alpine:3.17.0 ARG TARGETOS ARG TARGETARCH diff --git a/Dockerfile.coverage b/Dockerfile.coverage index 6bbf18aa3..ee1c9b0b6 100644 --- a/Dockerfile.coverage +++ b/Dockerfile.coverage @@ -46,7 +46,7 @@ CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LD # =================================== # ===== Authelia official image ===== # =================================== -FROM alpine:3.16.3 +FROM alpine:3.17.0 RUN apk --no-cache add ca-certificates tzdata diff --git a/Dockerfile.dev b/Dockerfile.dev index c144b90fe..90988e0c5 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -43,7 +43,7 @@ CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LD # =================================== # ===== Authelia official image ===== # =================================== -FROM alpine:3.16.3 +FROM alpine:3.17.0 WORKDIR /app diff --git a/internal/suites/example/compose/kind/Dockerfile b/internal/suites/example/compose/kind/Dockerfile index 21b9689a0..5051892d2 100644 --- a/internal/suites/example/compose/kind/Dockerfile +++ b/internal/suites/example/compose/kind/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.16.3 +FROM alpine:3.17.0 WORKDIR /kind 
diff --git a/internal/suites/example/compose/samba/Dockerfile b/internal/suites/example/compose/samba/Dockerfile index e193cf410..a70b05d15 100644 --- a/internal/suites/example/compose/samba/Dockerfile +++ b/internal/suites/example/compose/samba/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.16.3 +FROM alpine:3.17.0 RUN \ apk add --no-cache \ From b295bf55a9f2f3b7858fd9c25bfb61cf0c8aa3b2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 23 Nov 2022 09:45:12 +0000 Subject: [PATCH 12/32] build(deps): update dependency prettier to v2.8.0 (#4423) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 2 +- web/pnpm-lock.yaml | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/web/package.json b/web/package.json index c56131766..05b90d7fc 100644 --- a/web/package.json +++ b/web/package.json @@ -173,7 +173,7 @@ "jest-environment-jsdom": "29.3.1", "jest-transform-stub": "2.0.0", "jest-watch-typeahead": "2.2.1", - "prettier": "2.7.1", + "prettier": "2.8.0", "react-test-renderer": "18.2.0", "typescript": "4.9.3", "vite": "3.2.4", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index 1d7de905e..a4e016c90 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -47,7 +47,7 @@ specifiers: jest-environment-jsdom: 29.3.1 jest-transform-stub: 2.0.0 jest-watch-typeahead: 2.2.1 - prettier: 2.7.1 + prettier: 2.8.0 qrcode.react: 3.1.0 query-string: 7.1.1 react: 18.2.0 @@ -115,7 +115,7 @@ devDependencies: eslint-import-resolver-typescript: 3.5.2_ktrec6dplf4now6nlbc6d67jee eslint-plugin-import: 2.26.0_vc54pluhgv7booofyyjouvuf74 eslint-plugin-jsx-a11y: 6.6.1_eslint@8.28.0 - eslint-plugin-prettier: 4.2.1_pgxuib4rd7wiymfktharf5ydt4 + eslint-plugin-prettier: 4.2.1_cwlo2dingkvfydnaculr42urve eslint-plugin-react: 7.31.11_eslint@8.28.0 eslint-plugin-react-hooks: 4.6.0_eslint@8.28.0 husky: 8.0.2 
@@ -123,7 +123,7 @@ devDependencies: jest-environment-jsdom: 29.3.1 jest-transform-stub: 2.0.0 jest-watch-typeahead: 2.2.1_jest@29.3.1 - prettier: 2.7.1 + prettier: 2.8.0 react-test-renderer: 18.2.0_react@18.2.0 typescript: 4.9.3 vite: 3.2.4_@types+node@18.11.9 @@ -5546,7 +5546,7 @@ packages: semver: 6.3.0 dev: true - /eslint-plugin-prettier/4.2.1_pgxuib4rd7wiymfktharf5ydt4: + /eslint-plugin-prettier/4.2.1_cwlo2dingkvfydnaculr42urve: resolution: {integrity: sha512-f/0rXLXUt0oFYs8ra4w49wYZBG5GKZpAYsJSm6rnYL5uVDjd+zowwMwVZHnAjf4edNrKpCDYfXDgmRE/Ak7QyQ==} engines: {node: '>=12.0.0'} peerDependencies: @@ -5559,7 +5559,7 @@ packages: dependencies: eslint: 8.28.0 eslint-config-prettier: 8.5.0_eslint@8.28.0 - prettier: 2.7.1 + prettier: 2.8.0 prettier-linter-helpers: 1.0.0 dev: true @@ -8149,8 +8149,8 @@ packages: fast-diff: 1.2.0 dev: true - /prettier/2.7.1: - resolution: {integrity: sha512-ujppO+MkdPqoVINuDFDRLClm7D78qbDt0/NR+wp5FqEZOoTNAjPHWj17QRhu7geIHJfcNhRk1XVQmF8Bp3ye+g==} + /prettier/2.8.0: + resolution: {integrity: sha512-9Lmg8hTFZKG0Asr/kW9Bp8tJjRVluO8EJQVfY2T7FMw9T5jy4I/Uvx0Rca/XWf50QQ1/SS48+6IJWnrb+2yemA==} engines: {node: '>=10.13.0'} hasBin: true dev: true From 203cb19c2f2da02eb1fdfcd1ead13f10f5f05e8f Mon Sep 17 00:00:00 2001 From: James Elliott Date: Thu, 24 Nov 2022 10:16:23 +1100 Subject: [PATCH 13/32] fix(configuration): missing warning about session domain (#4417) This adds some helpful configuration warnings and fixes a few misconfiguration issues. --- .../configuration/security/access-control.md | 4 +- .../configuration/validator/access_control.go | 16 +- .../validator/access_control_test.go | 16 ++ .../validator/identity_providers.go | 182 +++++++++--------- .../validator/identity_providers_test.go | 63 ++++++ internal/configuration/validator/session.go | 2 + .../configuration/validator/session_test.go | 14 ++ 7 files changed, 202 insertions(+), 95 deletions(-) 
diff --git a/docs/content/en/configuration/security/access-control.md b/docs/content/en/configuration/security/access-control.md index 4be5546a2..011cec776 100644 --- a/docs/content/en/configuration/security/access-control.md +++ b/docs/content/en/configuration/security/access-control.md @@ -542,14 +542,14 @@ if they have a path of exactly `/api` or if they start with `/api/`. This means a match for that request. ```yaml -- domains: +- domain: - 'example.com' - '*.example.com' policy: bypass resources: - '^/api$' - '^/api/' -- domains: +- domain: - 'app.example.com' policy: two_factor ``` diff --git a/internal/configuration/validator/access_control.go b/internal/configuration/validator/access_control.go index 9509c4cab..994d7559c 100644 --- a/internal/configuration/validator/access_control.go +++ b/internal/configuration/validator/access_control.go @@ -90,9 +90,7 @@ func ValidateRules(config *schema.Configuration, validator *schema.StructValidat for i, rule := range config.AccessControl.Rules { rulePosition := i + 1 - if len(rule.Domains)+len(rule.DomainsRegex) == 0 { - validator.Push(fmt.Errorf(errFmtAccessControlRuleNoDomains, ruleDescriptor(rulePosition, rule))) - } + validateDomains(rulePosition, rule, validator) if !IsPolicyValid(rule.Policy) { validator.Push(fmt.Errorf(errFmtAccessControlRuleInvalidPolicy, ruleDescriptor(rulePosition, rule), rule.Policy)) 
@@ -125,6 +123,18 @@ func validateBypass(rulePosition int, rule schema.ACLRule, validator *schema.Str } } +func validateDomains(rulePosition int, rule schema.ACLRule, validator *schema.StructValidator) { + if len(rule.Domains)+len(rule.DomainsRegex) == 0 { + validator.Push(fmt.Errorf(errFmtAccessControlRuleNoDomains, ruleDescriptor(rulePosition, rule))) + } + + for i, domain := range rule.Domains { + if len(domain) > 1 && domain[0] == '*' && domain[1] != '.' { + validator.PushWarning(fmt.Errorf("access control: rule #%d: domain #%d: domain '%s' is ineffective and should probably be '%s' instead", rulePosition, i+1, domain, fmt.Sprintf("*.%s", domain[1:]))) + } + } +} + func validateNetworks(rulePosition int, rule schema.ACLRule, config schema.AccessControlConfiguration, validator *schema.StructValidator) { for _, network := range rule.Networks { if !IsNetworkValid(network) { diff --git a/internal/configuration/validator/access_control_test.go b/internal/configuration/validator/access_control_test.go index ae7dabb18..0671455a1 100644 --- a/internal/configuration/validator/access_control_test.go +++ b/internal/configuration/validator/access_control_test.go 
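Review bot: The warning text in the new `validateDomains` is an inline literal, while the error directly above it uses the `errFmtAccessControlRuleNoDomains` constant together with `ruleDescriptor(rulePosition, rule)`; the session.go hunk of this commit adds its warning string inline in the same way. Moving both strings into constants beside the existing `errFmt…` ones would keep the validator's messages in one place and let the tests reference them instead of repeating the text. The nested `fmt.Sprintf("*.%s", domain[1:])` can go as well, by putting `'*.%s'` in the format and passing `domain[1:]` directly. Since the message calls such a rule ineffective, a doc comment would help the next reader, for example `// validateDomains requires at least one domain or domain regex and warns when a wildcard domain lacks the '.' after '*'.`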
@@ -88,6 +88,22 @@ func (suite *AccessControl) TestShouldRaiseErrorInvalidNetworkGroupNetwork() { suite.Assert().EqualError(suite.validator.Errors()[0], "access control: networks: network group 'internal' is invalid: the network 'abc.def.ghi.jkl' is not a valid IP or CIDR notation") } +func (suite *AccessControl) TestShouldRaiseWarningOnBadDomain() { + suite.config.AccessControl.Rules = []schema.ACLRule{ + { + Domains: []string{"*example.com"}, + Policy: "one_factor", + }, + } + + ValidateRules(suite.config, suite.validator) + + suite.Assert().Len(suite.validator.Warnings(), 1) + suite.Require().Len(suite.validator.Errors(), 0) + + suite.Assert().EqualError(suite.validator.Warnings()[0], "access control: rule #1: domain #1: domain '*example.com' is ineffective and should probably be '*.example.com' instead") +} + func (suite *AccessControl) TestShouldRaiseErrorWithNoRulesDefined() { suite.config.AccessControl.Rules = []schema.ACLRule{} diff --git a/internal/configuration/validator/identity_providers.go b/internal/configuration/validator/identity_providers.go index 3bea1c63b..23a797153 100644 --- a/internal/configuration/validator/identity_providers.go +++ b/internal/configuration/validator/identity_providers.go @@ -12,11 +12,11 @@ import ( ) // ValidateIdentityProviders validates and updates the IdentityProviders configuration. -func ValidateIdentityProviders(config *schema.IdentityProvidersConfiguration, validator *schema.StructValidator) { - validateOIDC(config.OIDC, validator) +func ValidateIdentityProviders(config *schema.IdentityProvidersConfiguration, val *schema.StructValidator) { + validateOIDC(config.OIDC, val) } -func validateOIDC(config *schema.OpenIDConnectConfiguration, validator *schema.StructValidator) { +func validateOIDC(config *schema.OpenIDConnectConfiguration, val *schema.StructValidator) { if config == nil { return } 
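Review bot: In `TestShouldRaiseWarningOnBadDomain` the length of `Warnings()` is checked with `Assert()`, but the slice is then indexed with `Warnings()[0]`, so a regression that produces no warning would panic on the index instead of failing cleanly. Swap the two checks: `suite.Require().Len(suite.validator.Warnings(), 1)` and `suite.Assert().Len(suite.validator.Errors(), 0)`. The new session test in this commit already orders its `require`/`assert` calls that way.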
@@ -25,37 +25,37 @@ func validateOIDC(config *schema.OpenIDConnectConfiguration, validator *schema.S switch { case config.IssuerPrivateKey == nil: - validator.Push(fmt.Errorf(errFmtOIDCNoPrivateKey)) + val.Push(fmt.Errorf(errFmtOIDCNoPrivateKey)) default: if config.IssuerCertificateChain.HasCertificates() { if !config.IssuerCertificateChain.EqualKey(config.IssuerPrivateKey) { - validator.Push(fmt.Errorf(errFmtOIDCCertificateMismatch)) + val.Push(fmt.Errorf(errFmtOIDCCertificateMismatch)) } if err := config.IssuerCertificateChain.Validate(); err != nil { - validator.Push(fmt.Errorf(errFmtOIDCCertificateChain, err)) + val.Push(fmt.Errorf(errFmtOIDCCertificateChain, err)) } } if config.IssuerPrivateKey.Size()*8 < 2048 { - validator.Push(fmt.Errorf(errFmtOIDCInvalidPrivateKeyBitSize, 2048, config.IssuerPrivateKey.Size()*8)) + val.Push(fmt.Errorf(errFmtOIDCInvalidPrivateKeyBitSize, 2048, config.IssuerPrivateKey.Size()*8)) } } if config.MinimumParameterEntropy != 0 && config.MinimumParameterEntropy < 8 { - validator.PushWarning(fmt.Errorf(errFmtOIDCServerInsecureParameterEntropy, config.MinimumParameterEntropy)) + val.PushWarning(fmt.Errorf(errFmtOIDCServerInsecureParameterEntropy, config.MinimumParameterEntropy)) } if config.EnforcePKCE != "never" && config.EnforcePKCE != "public_clients_only" && config.EnforcePKCE != "always" { - validator.Push(fmt.Errorf(errFmtOIDCEnforcePKCEInvalidValue, config.EnforcePKCE)) + val.Push(fmt.Errorf(errFmtOIDCEnforcePKCEInvalidValue, config.EnforcePKCE)) } - validateOIDCOptionsCORS(config, validator) + validateOIDCOptionsCORS(config, val) if len(config.Clients) == 0 { - validator.Push(fmt.Errorf(errFmtOIDCNoClientsConfigured)) + val.Push(fmt.Errorf(errFmtOIDCNoClientsConfigured)) } else { - validateOIDCClients(config, validator) + validateOIDCClients(config, val) } } 
@@ -91,26 +91,26 @@ func validateOIDCOptionsCORS(config *schema.OpenIDConnectConfiguration, validato validateOIDCOptionsCORSEndpoints(config, validator) } -func validateOIDCOptionsCORSAllowedOrigins(config *schema.OpenIDConnectConfiguration, validator *schema.StructValidator) { +func validateOIDCOptionsCORSAllowedOrigins(config *schema.OpenIDConnectConfiguration, val *schema.StructValidator) { for _, origin := range config.CORS.AllowedOrigins { if origin.String() == "*" { if len(config.CORS.AllowedOrigins) != 1 { - validator.Push(fmt.Errorf(errFmtOIDCCORSInvalidOriginWildcard)) + val.Push(fmt.Errorf(errFmtOIDCCORSInvalidOriginWildcard)) } if config.CORS.AllowedOriginsFromClientRedirectURIs { - validator.Push(fmt.Errorf(errFmtOIDCCORSInvalidOriginWildcardWithClients)) + val.Push(fmt.Errorf(errFmtOIDCCORSInvalidOriginWildcardWithClients)) } continue } if origin.Path != "" { - validator.Push(fmt.Errorf(errFmtOIDCCORSInvalidOrigin, origin.String(), "path")) + val.Push(fmt.Errorf(errFmtOIDCCORSInvalidOrigin, origin.String(), "path")) } if origin.RawQuery != "" { - validator.Push(fmt.Errorf(errFmtOIDCCORSInvalidOrigin, origin.String(), "query string")) + val.Push(fmt.Errorf(errFmtOIDCCORSInvalidOrigin, origin.String(), "query string")) } } } 
@@ -132,16 +132,15 @@ func validateOIDCOptionsCORSAllowedOriginsFromClientRedirectURIs(config *schema. } } -func validateOIDCOptionsCORSEndpoints(config *schema.OpenIDConnectConfiguration, validator *schema.StructValidator) { +func validateOIDCOptionsCORSEndpoints(config *schema.OpenIDConnectConfiguration, val *schema.StructValidator) { for _, endpoint := range config.CORS.Endpoints { if !utils.IsStringInSlice(endpoint, validOIDCCORSEndpoints) { - validator.Push(fmt.Errorf(errFmtOIDCCORSInvalidEndpoint, endpoint, strings.Join(validOIDCCORSEndpoints, "', '"))) + val.Push(fmt.Errorf(errFmtOIDCCORSInvalidEndpoint, endpoint, strings.Join(validOIDCCORSEndpoints, "', '"))) } } } -//nolint:gocyclo // TODO: Refactor. -func validateOIDCClients(config *schema.OpenIDConnectConfiguration, validator *schema.StructValidator) { +func validateOIDCClients(config *schema.OpenIDConnectConfiguration, val *schema.StructValidator) { invalidID, duplicateIDs := false, false var ids []string 
@@ -162,176 +161,179 @@ func validateOIDCClients(config *schema.OpenIDConnectConfiguration, validator *s if client.Public { if client.Secret != nil { - validator.Push(fmt.Errorf(errFmtOIDCClientPublicInvalidSecret, client.ID)) + val.Push(fmt.Errorf(errFmtOIDCClientPublicInvalidSecret, client.ID)) } } else { if client.Secret == nil { - validator.Push(fmt.Errorf(errFmtOIDCClientInvalidSecret, client.ID)) + val.Push(fmt.Errorf(errFmtOIDCClientInvalidSecret, client.ID)) } } if client.Policy == "" { config.Clients[c].Policy = schema.DefaultOpenIDConnectClientConfiguration.Policy } else if client.Policy != policyOneFactor && client.Policy != policyTwoFactor { - validator.Push(fmt.Errorf(errFmtOIDCClientInvalidPolicy, client.ID, client.Policy)) + val.Push(fmt.Errorf(errFmtOIDCClientInvalidPolicy, client.ID, client.Policy)) } - switch { - case utils.IsStringInSlice(client.ConsentMode, []string{"", "auto"}): - if client.ConsentPreConfiguredDuration != nil { - config.Clients[c].ConsentMode = oidc.ClientConsentModePreConfigured.String() - } else { - config.Clients[c].ConsentMode = oidc.ClientConsentModeExplicit.String() - } - case utils.IsStringInSlice(client.ConsentMode, validOIDCClientConsentModes): - break - default: - validator.Push(fmt.Errorf(errFmtOIDCClientInvalidConsentMode, client.ID, strings.Join(append(validOIDCClientConsentModes, "auto"), "', '"), client.ConsentMode)) - } - - if client.ConsentPreConfiguredDuration == nil { - config.Clients[c].ConsentPreConfiguredDuration = schema.DefaultOpenIDConnectClientConfiguration.ConsentPreConfiguredDuration - } - - validateOIDCClientSectorIdentifier(client, validator) - validateOIDCClientScopes(c, config, validator) - validateOIDCClientGrantTypes(c, config, validator) - validateOIDCClientResponseTypes(c, config, validator) - validateOIDCClientResponseModes(c, config, validator) - validateOIDDClientUserinfoAlgorithm(c, config, validator) - validateOIDCClientRedirectURIs(client, validator) + validateOIDCClientConsentMode(c, 
config, val) + validateOIDCClientSectorIdentifier(client, val) + validateOIDCClientScopes(c, config, val) + validateOIDCClientGrantTypes(c, config, val) + validateOIDCClientResponseTypes(c, config, val) + validateOIDCClientResponseModes(c, config, val) + validateOIDDClientUserinfoAlgorithm(c, config, val) + validateOIDCClientRedirectURIs(client, val) } if invalidID { - validator.Push(fmt.Errorf(errFmtOIDCClientsWithEmptyID)) + val.Push(fmt.Errorf(errFmtOIDCClientsWithEmptyID)) } if duplicateIDs { - validator.Push(fmt.Errorf(errFmtOIDCClientsDuplicateID)) + val.Push(fmt.Errorf(errFmtOIDCClientsDuplicateID)) } } -func validateOIDCClientSectorIdentifier(client schema.OpenIDConnectClientConfiguration, validator *schema.StructValidator) { +func validateOIDCClientSectorIdentifier(client schema.OpenIDConnectClientConfiguration, val *schema.StructValidator) { if client.SectorIdentifier.String() != "" { if utils.IsURLHostComponent(client.SectorIdentifier) || utils.IsURLHostComponentWithPort(client.SectorIdentifier) { return } if client.SectorIdentifier.Scheme != "" { - validator.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "scheme", client.SectorIdentifier.Scheme)) + val.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "scheme", client.SectorIdentifier.Scheme)) if client.SectorIdentifier.Path != "" { - validator.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "path", client.SectorIdentifier.Path)) + val.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "path", client.SectorIdentifier.Path)) } if client.SectorIdentifier.RawQuery != "" { - validator.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, 
client.SectorIdentifier.String(), client.SectorIdentifier.Host, "query", client.SectorIdentifier.RawQuery)) + val.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "query", client.SectorIdentifier.RawQuery)) } if client.SectorIdentifier.Fragment != "" { - validator.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "fragment", client.SectorIdentifier.Fragment)) + val.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "fragment", client.SectorIdentifier.Fragment)) } if client.SectorIdentifier.User != nil { if client.SectorIdentifier.User.Username() != "" { - validator.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "username", client.SectorIdentifier.User.Username())) + val.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "username", client.SectorIdentifier.User.Username())) } if _, set := client.SectorIdentifier.User.Password(); set { - validator.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifierWithoutValue, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "password")) + val.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifierWithoutValue, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "password")) } } } else if client.SectorIdentifier.Host == "" { - validator.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifierHost, client.ID, client.SectorIdentifier.String())) + val.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifierHost, client.ID, client.SectorIdentifier.String())) } } } -func validateOIDCClientScopes(c int, configuration *schema.OpenIDConnectConfiguration, validator 
*schema.StructValidator) { - if len(configuration.Clients[c].Scopes) == 0 { - configuration.Clients[c].Scopes = schema.DefaultOpenIDConnectClientConfiguration.Scopes +func validateOIDCClientConsentMode(c int, config *schema.OpenIDConnectConfiguration, val *schema.StructValidator) { + switch { + case utils.IsStringInSlice(config.Clients[c].ConsentMode, []string{"", "auto"}): + if config.Clients[c].ConsentPreConfiguredDuration != nil { + config.Clients[c].ConsentMode = oidc.ClientConsentModePreConfigured.String() + } else { + config.Clients[c].ConsentMode = oidc.ClientConsentModeExplicit.String() + } + case utils.IsStringInSlice(config.Clients[c].ConsentMode, validOIDCClientConsentModes): + break + default: + val.Push(fmt.Errorf(errFmtOIDCClientInvalidConsentMode, config.Clients[c].ID, strings.Join(append(validOIDCClientConsentModes, "auto"), "', '"), config.Clients[c].ConsentMode)) + } + + if config.Clients[c].ConsentMode == oidc.ClientConsentModePreConfigured.String() && config.Clients[c].ConsentPreConfiguredDuration == nil { + config.Clients[c].ConsentPreConfiguredDuration = schema.DefaultOpenIDConnectClientConfiguration.ConsentPreConfiguredDuration + } +} + +func validateOIDCClientScopes(c int, config *schema.OpenIDConnectConfiguration, val *schema.StructValidator) { + if len(config.Clients[c].Scopes) == 0 { + config.Clients[c].Scopes = schema.DefaultOpenIDConnectClientConfiguration.Scopes return } - if !utils.IsStringInSlice(oidc.ScopeOpenID, configuration.Clients[c].Scopes) { - configuration.Clients[c].Scopes = append(configuration.Clients[c].Scopes, oidc.ScopeOpenID) + if !utils.IsStringInSlice(oidc.ScopeOpenID, config.Clients[c].Scopes) { + config.Clients[c].Scopes = append(config.Clients[c].Scopes, oidc.ScopeOpenID) } - for _, scope := range configuration.Clients[c].Scopes { + for _, scope := range config.Clients[c].Scopes { if !utils.IsStringInSlice(scope, validOIDCScopes) { - validator.Push(fmt.Errorf( + val.Push(fmt.Errorf( errFmtOIDCClientInvalidEntry, - 
configuration.Clients[c].ID, "scopes", strings.Join(validOIDCScopes, "', '"), scope)) + config.Clients[c].ID, "scopes", strings.Join(validOIDCScopes, "', '"), scope)) } } } -func validateOIDCClientGrantTypes(c int, configuration *schema.OpenIDConnectConfiguration, validator *schema.StructValidator) { - if len(configuration.Clients[c].GrantTypes) == 0 { - configuration.Clients[c].GrantTypes = schema.DefaultOpenIDConnectClientConfiguration.GrantTypes +func validateOIDCClientGrantTypes(c int, config *schema.OpenIDConnectConfiguration, val *schema.StructValidator) { + if len(config.Clients[c].GrantTypes) == 0 { + config.Clients[c].GrantTypes = schema.DefaultOpenIDConnectClientConfiguration.GrantTypes return } - for _, grantType := range configuration.Clients[c].GrantTypes { + for _, grantType := range config.Clients[c].GrantTypes { if !utils.IsStringInSlice(grantType, validOIDCGrantTypes) { - validator.Push(fmt.Errorf( + val.Push(fmt.Errorf( errFmtOIDCClientInvalidEntry, - configuration.Clients[c].ID, "grant_types", strings.Join(validOIDCGrantTypes, "', '"), grantType)) + config.Clients[c].ID, "grant_types", strings.Join(validOIDCGrantTypes, "', '"), grantType)) } } } -func validateOIDCClientResponseTypes(c int, configuration *schema.OpenIDConnectConfiguration, _ *schema.StructValidator) { - if len(configuration.Clients[c].ResponseTypes) == 0 { - configuration.Clients[c].ResponseTypes = schema.DefaultOpenIDConnectClientConfiguration.ResponseTypes +func validateOIDCClientResponseTypes(c int, config *schema.OpenIDConnectConfiguration, _ *schema.StructValidator) { + if len(config.Clients[c].ResponseTypes) == 0 { + config.Clients[c].ResponseTypes = schema.DefaultOpenIDConnectClientConfiguration.ResponseTypes return } } -func validateOIDCClientResponseModes(c int, configuration *schema.OpenIDConnectConfiguration, validator *schema.StructValidator) { - if len(configuration.Clients[c].ResponseModes) == 0 { - configuration.Clients[c].ResponseModes = 
schema.DefaultOpenIDConnectClientConfiguration.ResponseModes +func validateOIDCClientResponseModes(c int, config *schema.OpenIDConnectConfiguration, validator *schema.StructValidator) { + if len(config.Clients[c].ResponseModes) == 0 { + config.Clients[c].ResponseModes = schema.DefaultOpenIDConnectClientConfiguration.ResponseModes return } - for _, responseMode := range configuration.Clients[c].ResponseModes { + for _, responseMode := range config.Clients[c].ResponseModes { if !utils.IsStringInSlice(responseMode, validOIDCResponseModes) { validator.Push(fmt.Errorf( errFmtOIDCClientInvalidEntry, - configuration.Clients[c].ID, "response_modes", strings.Join(validOIDCResponseModes, "', '"), responseMode)) + config.Clients[c].ID, "response_modes", strings.Join(validOIDCResponseModes, "', '"), responseMode)) } } } -func validateOIDDClientUserinfoAlgorithm(c int, configuration *schema.OpenIDConnectConfiguration, validator *schema.StructValidator) { - if configuration.Clients[c].UserinfoSigningAlgorithm == "" { - configuration.Clients[c].UserinfoSigningAlgorithm = schema.DefaultOpenIDConnectClientConfiguration.UserinfoSigningAlgorithm - } else if !utils.IsStringInSlice(configuration.Clients[c].UserinfoSigningAlgorithm, validOIDCUserinfoAlgorithms) { - validator.Push(fmt.Errorf(errFmtOIDCClientInvalidUserinfoAlgorithm, - configuration.Clients[c].ID, strings.Join(validOIDCUserinfoAlgorithms, ", "), configuration.Clients[c].UserinfoSigningAlgorithm)) +func validateOIDDClientUserinfoAlgorithm(c int, config *schema.OpenIDConnectConfiguration, val *schema.StructValidator) { + if config.Clients[c].UserinfoSigningAlgorithm == "" { + config.Clients[c].UserinfoSigningAlgorithm = schema.DefaultOpenIDConnectClientConfiguration.UserinfoSigningAlgorithm + } else if !utils.IsStringInSlice(config.Clients[c].UserinfoSigningAlgorithm, validOIDCUserinfoAlgorithms) { + val.Push(fmt.Errorf(errFmtOIDCClientInvalidUserinfoAlgorithm, + config.Clients[c].ID, 
strings.Join(validOIDCUserinfoAlgorithms, ", "), config.Clients[c].UserinfoSigningAlgorithm)) } } -func validateOIDCClientRedirectURIs(client schema.OpenIDConnectClientConfiguration, validator *schema.StructValidator) { +func validateOIDCClientRedirectURIs(client schema.OpenIDConnectClientConfiguration, val *schema.StructValidator) { for _, redirectURI := range client.RedirectURIs { if redirectURI == oauth2InstalledApp { if client.Public { continue } - validator.Push(fmt.Errorf(errFmtOIDCClientRedirectURIPublic, client.ID, oauth2InstalledApp)) + val.Push(fmt.Errorf(errFmtOIDCClientRedirectURIPublic, client.ID, oauth2InstalledApp)) continue } parsedURL, err := url.Parse(redirectURI) if err != nil { - validator.Push(fmt.Errorf(errFmtOIDCClientRedirectURICantBeParsed, client.ID, redirectURI, err)) + val.Push(fmt.Errorf(errFmtOIDCClientRedirectURICantBeParsed, client.ID, redirectURI, err)) continue } if !parsedURL.IsAbs() || (!client.Public && parsedURL.Scheme == "") { - validator.Push(fmt.Errorf(errFmtOIDCClientRedirectURIAbsolute, client.ID, redirectURI)) + val.Push(fmt.Errorf(errFmtOIDCClientRedirectURIAbsolute, client.ID, redirectURI)) return } } diff --git a/internal/configuration/validator/identity_providers_test.go b/internal/configuration/validator/identity_providers_test.go index b07f9f29f..fad289432 100644 --- a/internal/configuration/validator/identity_providers_test.go +++ b/internal/configuration/validator/identity_providers_test.go @@ -7,6 +7,7 @@ import ( "errors" "fmt" "net/url" + "strings" "testing" "time" 
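Review bot: At the end of `validateOIDCClientRedirectURIs` the non-absolute branch still ends with `return`, whereas the two branches before it use `continue`, so the first redirect URI that fails the `IsAbs()` check stops validation of every remaining URI for that client. Unless that is intended, change it to `continue` so each entry in `client.RedirectURIs` is checked and reported in a single run. Separately, `validateOIDCClientResponseModes` keeps the parameter name `validator` while its siblings in this hunk were renamed to `val`.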
@@ -313,6 +314,23 @@ func TestShouldRaiseErrorWhenOIDCServerClientBadValues(t *testing.T) { fmt.Sprintf(errFmtOIDCClientInvalidSectorIdentifierHost, "client-invalid-sector", "example.com/path?query=abc#fragment"), }, }, + { + Name: "InvalidConsentMode", + Clients: []schema.OpenIDConnectClientConfiguration{ + { + ID: "client-bad-consent-mode", + Secret: MustDecodeSecret("$plaintext$a-secret"), + Policy: policyTwoFactor, + RedirectURIs: []string{ + "https://google.com", + }, + ConsentMode: "cap", + }, + }, + Errors: []string{ + fmt.Sprintf(errFmtOIDCClientInvalidConsentMode, "client-bad-consent-mode", strings.Join(append(validOIDCClientConsentModes, "auto"), "', '"), "cap"), + }, + }, } for _, tc := range testCases { @@ -633,6 +651,8 @@ func TestValidateIdentityProvidersShouldNotRaiseErrorsOnValidPublicClients(t *te } func TestValidateIdentityProvidersShouldSetDefaultValues(t *testing.T) { + timeDay := time.Hour * 24 + validator := schema.NewStructValidator() config := &schema.IdentityProvidersConfiguration{ OIDC: &schema.OpenIDConnectConfiguration{ @@ -645,6 +665,7 @@ func TestValidateIdentityProvidersShouldSetDefaultValues(t *testing.T) { RedirectURIs: []string{ "https://google.com", }, + ConsentPreConfiguredDuration: &timeDay, }, { ID: "b-client", @@ -670,6 +691,30 @@ func TestValidateIdentityProvidersShouldSetDefaultValues(t *testing.T) { "fragment", }, }, + { + ID: "c-client", + Secret: MustDecodeSecret("$plaintext$a-client-secret"), + RedirectURIs: []string{ + "https://google.com", + }, + ConsentMode: "implicit", + }, + { + ID: "d-client", + Secret: MustDecodeSecret("$plaintext$a-client-secret"), + RedirectURIs: []string{ + "https://google.com", + }, + ConsentMode: "explicit", + }, + { + ID: "e-client", + Secret: MustDecodeSecret("$plaintext$a-client-secret"), + RedirectURIs: []string{ + "https://google.com", + }, + ConsentMode: "pre-configured", + }, }, }, } 
@@ -702,6 +747,15 @@ func TestValidateIdentityProvidersShouldSetDefaultValues(t *testing.T) { assert.Equal(t, "groups", config.OIDC.Clients[1].Scopes[0]) assert.Equal(t, "openid", config.OIDC.Clients[1].Scopes[1]) + // Assert Clients[0] ends up configured with the correct consent mode. + require.NotNil(t, config.OIDC.Clients[0].ConsentPreConfiguredDuration) + assert.Equal(t, time.Hour*24, *config.OIDC.Clients[0].ConsentPreConfiguredDuration) + assert.Equal(t, "pre-configured", config.OIDC.Clients[0].ConsentMode) + + // Assert Clients[1] ends up configured with the correct consent mode. + assert.Nil(t, config.OIDC.Clients[1].ConsentPreConfiguredDuration) + assert.Equal(t, "explicit", config.OIDC.Clients[1].ConsentMode) + // Assert Clients[0] ends up configured with the default GrantTypes. require.Len(t, config.OIDC.Clients[0].GrantTypes, 2) assert.Equal(t, "refresh_token", config.OIDC.Clients[0].GrantTypes[0]) @@ -736,6 +790,15 @@ func TestValidateIdentityProvidersShouldSetDefaultValues(t *testing.T) { assert.Equal(t, time.Minute, config.OIDC.AuthorizeCodeLifespan) assert.Equal(t, time.Hour, config.OIDC.IDTokenLifespan) assert.Equal(t, time.Minute*90, config.OIDC.RefreshTokenLifespan) + + assert.Equal(t, "implicit", config.OIDC.Clients[2].ConsentMode) + assert.Nil(t, config.OIDC.Clients[2].ConsentPreConfiguredDuration) + + assert.Equal(t, "explicit", config.OIDC.Clients[3].ConsentMode) + assert.Nil(t, config.OIDC.Clients[3].ConsentPreConfiguredDuration) + + assert.Equal(t, "pre-configured", config.OIDC.Clients[4].ConsentMode) + assert.Equal(t, schema.DefaultOpenIDConnectClientConfiguration.ConsentPreConfiguredDuration, config.OIDC.Clients[4].ConsentPreConfiguredDuration) } // All valid schemes are supported as defined in https://datatracker.ietf.org/doc/html/rfc8252#section-7.1 diff --git a/internal/configuration/validator/session.go b/internal/configuration/validator/session.go index 7cf7a84b0..17917661d 100644 --- a/internal/configuration/validator/session.go 
+++ b/internal/configuration/validator/session.go @@ -41,6 +41,8 @@ func validateSession(config *schema.SessionConfiguration, validator *schema.Stru if config.Domain == "" { validator.Push(fmt.Errorf(errFmtSessionOptionRequired, "domain")) + } else if strings.HasPrefix(config.Domain, ".") { + validator.PushWarning(fmt.Errorf("session: option 'domain' has a prefix of '.' which is not supported or intended behaviour: you can use this at your own risk but we recommend removing it")) } if strings.HasPrefix(config.Domain, "*.") { diff --git a/internal/configuration/validator/session_test.go b/internal/configuration/validator/session_test.go index 29ef3d91f..5a08f988a 100644 --- a/internal/configuration/validator/session_test.go +++ b/internal/configuration/validator/session_test.go @@ -49,6 +49,20 @@ func TestShouldSetDefaultSessionValuesWhenNegative(t *testing.T) { assert.Equal(t, schema.DefaultSessionConfiguration.RememberMeDuration, config.RememberMeDuration) } +func TestShouldWarnSessionValuesWhenPotentiallyInvalid(t *testing.T) { + validator := schema.NewStructValidator() + config := newDefaultSessionConfig() + + config.Domain = ".example.com" + + ValidateSession(&config, validator) + + require.Len(t, validator.Warnings(), 1) + assert.Len(t, validator.Errors(), 0) + + assert.EqualError(t, validator.Warnings()[0], "session: option 'domain' has a prefix of '.' which is not supported or intended behaviour: you can use this at your own risk but we recommend removing it") +} + func TestShouldHandleRedisConfigSuccessfully(t *testing.T) { validator := schema.NewStructValidator() config := newDefaultSessionConfig() From 8a0bd6fedfcb3fff996b604966e4d75cd3e4a456 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 24 Nov 2022 15:03:45 +1100
Subject: [PATCH 14/32] build(deps): update module github.com/go-rod/rod to v0.112.2 (#4424)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index cb9f282bd..90c0783e3 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/go-asn1-ber/asn1-ber v1.5.4
 github.com/go-crypt/crypt v0.1.14
 github.com/go-ldap/ldap/v3 v3.4.4
- github.com/go-rod/rod v0.112.1
+ github.com/go-rod/rod v0.112.2
 github.com/go-sql-driver/mysql v1.6.0
 github.com/go-webauthn/webauthn v0.5.0
 github.com/golang-jwt/jwt/v4 v4.4.2
@@ -104,7 +104,7 @@ require (
 github.com/valyala/bytebufferpool v1.0.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
 github.com/ysmood/goob v0.4.0 // indirect
- github.com/ysmood/gson v0.7.1 // indirect
+ github.com/ysmood/gson v0.7.3 // indirect
 github.com/ysmood/leakless v0.8.0 // indirect
 golang.org/x/crypto v0.1.0 // indirect
 golang.org/x/mod v0.6.0 // indirect
diff --git a/go.sum b/go.sum
index 934923cb1..7d32ce10b 100644
--- a/go.sum
+++ b/go.sum
@@ -182,8 +182,8 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG
 github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
 github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
-github.com/go-rod/rod v0.112.1 h1:FuItvJ4ysJjKR2JA5UDlyLJwWZpWwA4jcNd3BoU+ioQ=
-github.com/go-rod/rod v0.112.1/go.mod h1:fwfpjm+CpFaGn50i+l/ieqATte/FY1cvi8nsrq8DJjA=
+github.com/go-rod/rod v0.112.2 h1:dwauKYC/H2em8/BcGk3gC0LTzZHf5MIDKf2DVM4z9gU=
+github.com/go-rod/rod v0.112.2/go.mod h1:ElViL9ABbcshNQw93+11FrYRH92RRhMKleuILo6+5V0=
 github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
@@ -617,8 +617,8 @@ github.com/ysmood/got v0.32.0 h1:aAHdQgfgMb/lo4v+OekM+SSqEJYFI035h5YYvLXsVyU=
 github.com/ysmood/got v0.32.0/go.mod h1:pE1l4LOwOBhQg6A/8IAatkGp7uZjnalzrZolnlhhMgY=
 github.com/ysmood/gotrace v0.6.0 h1:SyI1d4jclswLhg7SWTL6os3L1WOKeNn/ZtzVQF8QmdY=
 github.com/ysmood/gotrace v0.6.0/go.mod h1:TzhIG7nHDry5//eYZDYcTzuJLYQIkykJzCRIo4/dzQM=
-github.com/ysmood/gson v0.7.1 h1:zKL2MTGtynxdBdlZjyGsvEOZ7dkxaY5TH6QhAbTgz0Q=
-github.com/ysmood/gson v0.7.1/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg=
+github.com/ysmood/gson v0.7.3 h1:QFkWbTH8MxyUTKPkVWAENJhxqdBa4lYTQWqZCiLG6kE=
+github.com/ysmood/gson v0.7.3/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg=
 github.com/ysmood/leakless v0.8.0 h1:BzLrVoiwxikpgEQR0Lk8NyBN5Cit2b1z+u0mgL4ZJak=
 github.com/ysmood/leakless v0.8.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY8q0JvMQ=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
From e1f9718e173d3ab77822889c4861b0a1f63f0830 Mon Sep 17 00:00:00 2001
From: James Elliott Date: Thu, 24 Nov 2022 20:32:57 +1100 Subject: [PATCH 15/32] fix(configuration): max tls ver not correctly derived (#4428) This fixes an issue where the maximum version if unset is derived from the minimum version erroneously. Fixes #4425 --- internal/utils/crypto.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/utils/crypto.go b/internal/utils/crypto.go index 2e2dbab2d..6d74fc8ea 100644 --- a/internal/utils/crypto.go +++ b/internal/utils/crypto.go @@ -235,10 +235,10 @@ func IsX509PrivateKey(i any) bool { } // NewTLSConfig generates a tls.Config from a schema.TLSConfig and a x509.CertPool. -func NewTLSConfig(config *schema.TLSConfig, caCertPool *x509.CertPool) (tlsConfig *tls.Config) { +func NewTLSConfig(config *schema.TLSConfig, rootCAs *x509.CertPool) (tlsConfig *tls.Config) { var certificates []tls.Certificate - if config.CertificateChain.HasCertificates() && config.PrivateKey != nil { + if config.PrivateKey != nil && config.CertificateChain.HasCertificates() { certificates = []tls.Certificate{ { Certificate: config.CertificateChain.CertificatesRaw(), @@ -252,8 +252,8 @@ func NewTLSConfig(config *schema.TLSConfig, caCertPool *x509.CertPool) (tlsConfi ServerName: config.ServerName, InsecureSkipVerify: config.SkipVerify, //nolint:gosec // Informed choice by user. Off by default. MinVersion: config.MinimumVersion.MinVersion(), - MaxVersion: config.MinimumVersion.MaxVersion(), - RootCAs: caCertPool, + MaxVersion: config.MaximumVersion.MaxVersion(), + RootCAs: rootCAs, Certificates: certificates, } } From a572063bfbe532df54a22a8721ea9b93e4a139da Mon Sep 17 00:00:00 2001 
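Review bot: The `MaxVersion: config.MaximumVersion.MaxVersion()` fix lands without a test; the diffstat shows only crypto.go changed, so the same one-word slip could return unnoticed. A small table test for `NewTLSConfig` that sets different minimum and maximum versions and asserts both `tlsConfig.MinVersion` and `tlsConfig.MaxVersion` would pin it. It is also worth confirming, since it is not visible here, that the configuration validator rejects a maximum version below the minimum before this function is reached. `NewTLSConfig` spans both hunks of this file, and its closing lines are in the second.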
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 24 Nov 2022 18:51:15 +0000
Subject: [PATCH 16/32] build(deps): update module github.com/valyala/fasthttp to v1.42.0 (#4431)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index 90c0783e3..d873b9773 100644
--- a/go.mod
+++ b/go.mod
@@ -38,7 +38,7 @@ require (
 github.com/spf13/pflag v1.0.5
 github.com/stretchr/testify v1.8.1
 github.com/trustelem/zxcvbn v1.0.1
- github.com/valyala/fasthttp v1.41.0
+ github.com/valyala/fasthttp v1.42.0
 golang.org/x/sync v0.1.0
 golang.org/x/term v0.2.0
 golang.org/x/text v0.4.0
diff --git a/go.sum b/go.sum
index 7d32ce10b..945a6e97f 100644
--- a/go.sum
+++ b/go.sum
@@ -604,8 +604,9 @@ github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljT
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasthttp v1.40.0/go.mod h1:t/G+3rLek+CyY9bnIE+YlMRddxVAAGjhxndDB4i4C0I=
-github.com/valyala/fasthttp v1.41.0 h1:zeR0Z1my1wDHTRiamBCXVglQdbUwgb9uWG3k1HQz6jY=
 github.com/valyala/fasthttp v1.41.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seBFc2uWtgiY=
+github.com/valyala/fasthttp v1.42.0 h1:LBMyqvJR8DEBgN79oI8dGbkuj5Lm9jbHESxH131TTN8=
+github.com/valyala/fasthttp v1.42.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seBFc2uWtgiY=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
From d29210ff37f618ceda57ac1320aa1e642ada8b94 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 24 Nov 2022 21:44:42 +0000
Subject: [PATCH 17/32] build(deps): update module github.com/ory/x to v0.0.516 (#4430)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index d873b9773..c3b10fa07 100644
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
 github.com/ory/fosite v0.43.0
 github.com/ory/herodot v0.9.13
- github.com/ory/x v0.0.515
+ github.com/ory/x v0.0.516
 github.com/otiai10/copy v1.9.0
 github.com/pkg/errors v0.9.1
 github.com/pquerna/otp v1.3.0
diff --git a/go.sum b/go.sum
index 945a6e97f..23f5bb9ea 100644
--- a/go.sum
+++ b/go.sum
@@ -460,8 +460,8 @@ github.com/ory/herodot v0.9.13 h1:cN/Z4eOkErl/9W7hDIDLb79IO/bfsH+8yscBjRpB4IU=
 github.com/ory/herodot v0.9.13/go.mod h1:IWDs9kSvFQqw/cQ8zi5ksyYvITiUU4dI7glUrhZcJYo=
 github.com/ory/viper v1.7.5 h1:+xVdq7SU3e1vNaCsk/ixsfxE4zylk1TJUiJrY647jUE=
 github.com/ory/viper v1.7.5/go.mod h1:ypOuyJmEUb3oENywQZRgeAMwqgOyDqwboO1tj3DjTaM=
-github.com/ory/x v0.0.515 h1:Z4/zdA4yFaq+x46b/kdlE41fpyF2yHycmxkpzKWj/UA=
-github.com/ory/x v0.0.515/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY=
+github.com/ory/x v0.0.516 h1:haNWvY0HU8mDXzWVXgAxkWIxbB9H3G/934udclempV0=
+github.com/ory/x v0.0.516/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY=
 github.com/otiai10/copy v1.9.0 h1:7KFNiCgZ91Ru4qW4CWPf/7jqtxLagGRmIxWldPP9VY4=
 github.com/otiai10/copy v1.9.0/go.mod h1:hsfX19wcn0UWIHUQ3/4fHuehhk2UyArQ9dVFAn3FczI=
 github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
From 3c291b5685212813f98f365c8d963e0f107860cb Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 25 Nov 2022 02:04:18 +0000
Subject: [PATCH 18/32] build(deps): update module github.com/fasthttp/router to v1.4.14 (#4432)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/go.mod b/go.mod
index c3b10fa07..0cd7e9f38 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 github.com/deckarep/golang-set v1.8.0
 github.com/duosecurity/duo_api_golang v0.0.0-20221117185402-091daa09e19d
- github.com/fasthttp/router v1.4.13
+ github.com/fasthttp/router v1.4.14
 github.com/fasthttp/session/v2 v2.4.13
 github.com/fsnotify/fsnotify v1.6.0
 github.com/go-asn1-ber/asn1-ber v1.5.4
diff --git a/go.sum b/go.sum
index 23f5bb9ea..79798f010 100644
--- a/go.sum
+++ b/go.sum
@@ -144,8 +144,8 @@ github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 h1:JWuenKqqX8nojtoVVWjGfOF9635RETekkoH6Cc9SX0A=
 github.com/facebookgo/stack v0.0.0-20160209184415-751773369052/go.mod h1:UbMTZqLaRiH3MsBH8va0n7s1pQYcu3uTb8G4tygF4Zg=
-github.com/fasthttp/router v1.4.13 h1:42M7+7tNO6clb5seb4HhXlBIX1lnNv8DLhiT6jUv75A=
-github.com/fasthttp/router v1.4.13/go.mod h1:mVhHMaSQA2Hi1HeuL/ZMuZpsZWk5bya75EpaDr3fO7E=
+github.com/fasthttp/router v1.4.14 h1:+W65VCKgyI4BZszhDiCRfONoFieePZIoQ7D8vGhiuzM=
+github.com/fasthttp/router v1.4.14/go.mod h1:+svLaOvqF9Lc0yjX9aHAD4NUMf+mggLPOT4UMdS6fjM=
 github.com/fasthttp/session/v2 v2.4.13 h1:I/j3w8UrXX1haXE+iraAbQuGihNVeTq6b8sp6L3ZJ6Q=
 github.com/fasthttp/session/v2 v2.4.13/go.mod h1:bAE6Bjl6ofQbkOpqcSuOVt/1R1LnbNLnFMHjGQcYP5M=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
@@ -604,7 +604,6 @@ github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljT github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= github.com/valyala/fasthttp v1.40.0/go.mod h1:t/G+3rLek+CyY9bnIE+YlMRddxVAAGjhxndDB4i4C0I= -github.com/valyala/fasthttp v1.41.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seBFc2uWtgiY= github.com/valyala/fasthttp v1.42.0 h1:LBMyqvJR8DEBgN79oI8dGbkuj5Lm9jbHESxH131TTN8= github.com/valyala/fasthttp v1.42.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seBFc2uWtgiY= github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc= From 3e4ac7821d51ac447bb39e7e1ea3c385dc3084d9 Mon Sep 17 00:00:00 2001 
From: James Elliott Date: Fri, 25 Nov 2022 23:44:55 +1100 Subject: [PATCH 19/32] refactor: remove pre1 migration path (#4356) This removes pre1 migrations and improves a lot of tooling. --- config.template.yml | 3 +- .../guidelines/database-schema.md | 2 +- .../authelia/authelia_storage_migrate_down.md | 1 - .../integrations/database-integrations.md | 2 +- .../en/reference/integrations/introduction.md | 2 +- internal/commands/const.go | 40 ++ internal/commands/crypto_hash.go | 23 +- internal/commands/errors.go | 8 + internal/commands/storage.go | 77 ++- internal/commands/storage_run.go | 160 +++--- internal/commands/util.go | 37 ++ internal/configuration/config.template.yml | 3 +- internal/mocks/storage.go | 7 +- internal/storage/const.go | 48 +- internal/storage/errors.go | 8 +- internal/storage/migrations.go | 36 -- .../V0005.ConsentSubjectNULL.sqlite.down.sql | 4 - .../V0005.ConsentSubjectNULL.sqlite.up.sql | 4 - .../V0007.ConsistencyFixes.sqlite.down.sql | 4 - .../V0007.ConsistencyFixes.sqlite.up.sql | 4 - internal/storage/provider.go | 4 +- internal/storage/sql_provider.go | 48 +- .../storage/sql_provider_backend_postgres.go | 4 - internal/storage/sql_provider_encryption.go | 437 +++++++++------- internal/storage/sql_provider_queries.go | 28 +- .../storage/sql_provider_queries_special.go | 108 +--- internal/storage/sql_provider_schema.go | 393 ++++++++------- internal/storage/sql_provider_schema_pre1.go | 470 ------------------ internal/storage/sql_provider_schema_test.go | 15 +- internal/storage/types.go | 95 ++++ internal/suites/suite_cli_test.go | 12 +- 31 files changed, 871 insertions(+), 1216 deletions(-) create mode 100644 internal/commands/errors.go delete mode 100644 internal/storage/sql_provider_schema_pre1.go create mode 100644 internal/storage/types.go diff --git a/config.template.yml b/config.template.yml index 4940b3f33..3cb29ac83 100644 --- a/config.template.yml +++ b/config.template.yml 
@@ -863,7 +863,8 @@ regulation: ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. # storage: ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum - ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it. + ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use + ## the CLI to change this in the database if you want to change it from a previously configured value. # encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this ## diff --git a/docs/content/en/contributing/guidelines/database-schema.md b/docs/content/en/contributing/guidelines/database-schema.md index bf8ea664b..fa2109a7d 100644 --- a/docs/content/en/contributing/guidelines/database-schema.md +++ b/docs/content/en/contributing/guidelines/database-schema.md @@ -2,7 +2,7 @@ title: "Database Schema" description: "Authelia Development Database Schema Guidelines" lead: "This section covers the database schema guidelines we use for development." -date: 2022-11-09T09:20:18+11:00 +date: 2022-11-19T16:47:09+11:00 draft: false images: [] menu: diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md index 373e76886..fa2e602fe 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md @@ -40,7 +40,6 @@ authelia storage migrate down --target 20 --encryption-key b3453fde-ecc2-4a1f-94 ``` --destroy-data confirms you want to destroy data with this migration -h, --help help for down - --pre1 sets pre1 as the version to migrate to -t, --target int sets the version to migrate to ``` 
diff --git a/docs/content/en/reference/integrations/database-integrations.md b/docs/content/en/reference/integrations/database-integrations.md index 67de3b070..d3f11103e 100644 --- a/docs/content/en/reference/integrations/database-integrations.md +++ b/docs/content/en/reference/integrations/database-integrations.md @@ -2,7 +2,7 @@ title: "Database Integrations" description: "A database integration reference guide" lead: "This section contains a database integration reference guide for Authelia." -date: 2022-11-10T11:03:47+11:00 +date: 2022-11-19T16:47:09+11:00 draft: false images: [] menu: diff --git a/docs/content/en/reference/integrations/introduction.md b/docs/content/en/reference/integrations/introduction.md index 42f0a7e4c..6fa51a4d9 100644 --- a/docs/content/en/reference/integrations/introduction.md +++ b/docs/content/en/reference/integrations/introduction.md @@ -2,7 +2,7 @@ title: "Integrations" description: "A collection of integration reference guides" lead: "This section contains integration reference guides for Authelia." -date: 2022-11-10T11:03:47+11:00 +date: 2022-11-19T16:47:09+11:00 draft: false images: [] menu: diff --git a/internal/commands/const.go b/internal/commands/const.go index fad673679..107843555 100644 --- a/internal/commands/const.go +++ b/internal/commands/const.go 
@@ -554,6 +554,45 @@ const ( cmdFlagUsageCharacters = "sets the explicit characters for the random string" cmdFlagNameLength = "length" cmdFlagUsageLength = "sets the character length for the random string" + + cmdFlagNameNewEncryptionKey = "new-encryption-key" + + cmdFlagNameFile = "file" + cmdFlagNameUsers = "users" + cmdFlagNameServices = "services" + cmdFlagNameSectors = "sectors" + cmdFlagNameIdentifier = "identifier" + cmdFlagNameService = "service" + cmdFlagNameSector = "sector" + cmdFlagNameDescription = "description" + cmdFlagNameAll = "all" + cmdFlagNameKeyID = "kid" + cmdFlagNameVerbose = "verbose" + cmdFlagNameSecret = "secret" + cmdFlagNameSecretSize = "secret-size" + cmdFlagNamePeriod = "period" + cmdFlagNameDigits = "digits" + cmdFlagNameAlgorithm = "algorithm" + cmdFlagNameIssuer = "issuer" + cmdFlagNameForce = "force" + cmdFlagNameFormat = "format" + cmdFlagNamePath = "path" + cmdFlagNameTarget = "target" + cmdFlagNameDestroyData = "destroy-data" + + cmdFlagNameEncryptionKey = "encryption-key" + cmdFlagNameSQLite3Path = "sqlite.path" + cmdFlagNameMySQLHost = "mysql.host" + cmdFlagNameMySQLPort = "mysql.port" + cmdFlagNameMySQLDatabase = "mysql.database" + cmdFlagNameMySQLUsername = "mysql.username" + cmdFlagNameMySQLPassword = "mysql.password" + cmdFlagNamePostgreSQLHost = "postgres.host" + cmdFlagNamePostgreSQLPort = "postgres.port" + cmdFlagNamePostgreSQLDatabase = "postgres.database" + cmdFlagNamePostgreSQLSchema = "postgres.schema" + cmdFlagNamePostgreSQLUsername = "postgres.username" + cmdFlagNamePostgreSQLPassword = "postgres.password" ) const ( @@ -591,6 +630,7 @@ var ( const ( identifierServiceOpenIDConnect = "openid" + invalid = "invalid" ) var ( diff --git a/internal/commands/crypto_hash.go b/internal/commands/crypto_hash.go index ec5ce26eb..282abbd45 100644 --- a/internal/commands/crypto_hash.go +++ b/internal/commands/crypto_hash.go 
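Review bot: The new flag-name constants stop short of the PostgreSQL SSL flags and the TOTP export `dir` flag, which storage.go (hunks `@@ -23,22` and `@@ -333,7`) and the mapping in storage_run.go (`@@ -48,31`) still spell as string literals next to the converted ones. Adding, for example, `cmdFlagNamePostgreSQLSSLMode = "postgres.ssl.mode"` with its three siblings and `cmdFlagNameDirectory = "dir"`, and using them at those call sites, would finish the conversion so a flag name cannot drift from the configuration key it maps to. The generic `invalid` constant added to the identifier-services block in the second hunk would read better beside the schema-info code that prints it, with a comment saying what it labels.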
@@ -3,12 +3,10 @@ package commands import ( "fmt" "strings" - "syscall" "github.com/go-crypt/crypt" "github.com/spf13/cobra" "github.com/spf13/pflag" - "golang.org/x/term" "github.com/authelia/authelia/v4/internal/authentication" "github.com/authelia/authelia/v4/internal/configuration" @@ -433,7 +431,7 @@ func cmdCryptoHashGetPassword(cmd *cobra.Command, args []string, useArgs, useRan noConfirm bool ) - if data, err = hashReadPasswordWithPrompt("Enter Password: "); err != nil { + if data, err = termReadPasswordWithPrompt("Enter Password: ", "password"); err != nil { err = fmt.Errorf("failed to read the password from the terminal: %w", err) return @@ -448,8 +446,7 @@ func cmdCryptoHashGetPassword(cmd *cobra.Command, args []string, useArgs, useRan } if noConfirm, err = cmd.Flags().GetBool(cmdFlagNameNoConfirm); err == nil && !noConfirm { - if data, err = hashReadPasswordWithPrompt("Confirm Password: "); err != nil { - err = fmt.Errorf("failed to read the password from the terminal: %w", err) + if data, err = termReadPasswordWithPrompt("Confirm Password: ", ""); err != nil { return } @@ -467,22 +464,6 @@ func cmdCryptoHashGetPassword(cmd *cobra.Command, args []string, useArgs, useRan return } -func hashReadPasswordWithPrompt(prompt string) (data []byte, err error) { - fmt.Print(prompt) - - if data, err = term.ReadPassword(int(syscall.Stdin)); err != nil { //nolint:unconvert,nolintlint - if err.Error() == "inappropriate ioctl for device" { - return nil, fmt.Errorf("the terminal doesn't appear to be interactive either use the '--password' flag or use an interactive terminal: %w", err) - } - - return nil, err - } - - fmt.Println("") - - return data, nil -} - func cmdFlagConfig(cmd *cobra.Command) { cmd.PersistentFlags().StringSliceP(cmdFlagNameConfig, "c", []string{"configuration.yml"}, "configuration files to load") } diff --git a/internal/commands/errors.go b/internal/commands/errors.go new file mode 100644 index 000000000..481053c33 --- /dev/null 
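Review bot: The two prompts in cmdCryptoHashGetPassword now treat a read failure differently: the first still wraps it with `failed to read the password from the terminal: %w`, while the confirm prompt returns the error bare after this change. termReadPasswordWithPrompt is defined outside this view, so either the helper already adds context and the first wrap is redundant, or the confirm path lost its context; one of the two call sites should change so both match. The flag hint is also passed as the literal `"password"` here while the rest of the commit moves flag names to `cmdFlagName…` constants. The function body starts outside these hunks.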
+++ b/internal/commands/errors.go @@ -0,0 +1,8 @@ +package commands + +import ( + "errors" +) + +// ErrStdinIsNotTerminal is returned when Stdin is not an interactive terminal. +var ErrStdinIsNotTerminal = errors.New("stdin is not a terminal") diff --git a/internal/commands/storage.go b/internal/commands/storage.go index 92190149a..41ca5f227 100644 --- a/internal/commands/storage.go +++ b/internal/commands/storage.go 
@@ -23,22 +23,22 @@ func newStorageCmd() (cmd *cobra.Command) { cmdWithConfigFlags(cmd, true, []string{"configuration.yml"}) - cmd.PersistentFlags().String("encryption-key", "", "the storage encryption key to use") + cmd.PersistentFlags().String(cmdFlagNameEncryptionKey, "", "the storage encryption key to use") - cmd.PersistentFlags().String("sqlite.path", "", "the SQLite database path") + cmd.PersistentFlags().String(cmdFlagNameSQLite3Path, "", "the SQLite database path") - cmd.PersistentFlags().String("mysql.host", "", "the MySQL hostname") - cmd.PersistentFlags().Int("mysql.port", 3306, "the MySQL port") - cmd.PersistentFlags().String("mysql.database", "authelia", "the MySQL database name") - cmd.PersistentFlags().String("mysql.username", "authelia", "the MySQL username") - cmd.PersistentFlags().String("mysql.password", "", "the MySQL password") + cmd.PersistentFlags().String(cmdFlagNameMySQLHost, "", "the MySQL hostname") + cmd.PersistentFlags().Int(cmdFlagNameMySQLPort, 3306, "the MySQL port") + cmd.PersistentFlags().String(cmdFlagNameMySQLDatabase, "authelia", "the MySQL database name") + cmd.PersistentFlags().String(cmdFlagNameMySQLUsername, "authelia", "the MySQL username") + cmd.PersistentFlags().String(cmdFlagNameMySQLPassword, "", "the MySQL password") - cmd.PersistentFlags().String("postgres.host", "", "the PostgreSQL hostname") - cmd.PersistentFlags().Int("postgres.port", 5432, "the PostgreSQL port") - cmd.PersistentFlags().String("postgres.database", "authelia", "the PostgreSQL database name") - cmd.PersistentFlags().String("postgres.schema", "public", "the PostgreSQL schema name") - cmd.PersistentFlags().String("postgres.username", "authelia", "the PostgreSQL username") - cmd.PersistentFlags().String("postgres.password", "", "the PostgreSQL password") + cmd.PersistentFlags().String(cmdFlagNamePostgreSQLHost, "", "the PostgreSQL hostname") + cmd.PersistentFlags().Int(cmdFlagNamePostgreSQLPort, 5432, "the PostgreSQL port") + 
cmd.PersistentFlags().String(cmdFlagNamePostgreSQLDatabase, "authelia", "the PostgreSQL database name") + cmd.PersistentFlags().String(cmdFlagNamePostgreSQLSchema, "public", "the PostgreSQL schema name") + cmd.PersistentFlags().String(cmdFlagNamePostgreSQLUsername, "authelia", "the PostgreSQL username") + cmd.PersistentFlags().String(cmdFlagNamePostgreSQLPassword, "", "the PostgreSQL password") cmd.PersistentFlags().String("postgres.ssl.mode", "disable", "the PostgreSQL ssl mode") cmd.PersistentFlags().String("postgres.ssl.root_certificate", "", "the PostgreSQL ssl root certificate file location") cmd.PersistentFlags().String("postgres.ssl.certificate", "", "the PostgreSQL ssl certificate file location") @@ -83,7 +83,7 @@ func newStorageEncryptionCheckCmd() (cmd *cobra.Command) { DisableAutoGenTag: true, } - cmd.Flags().Bool("verbose", false, "enables verbose checking of every row of encrypted data") + cmd.Flags().Bool(cmdFlagNameVerbose, false, "enables verbose checking of every row of encrypted data") return cmd } @@ -99,7 +99,7 @@ func newStorageEncryptionChangeKeyCmd() (cmd *cobra.Command) { DisableAutoGenTag: true, } - cmd.Flags().String("new-encryption-key", "", "the new key to encrypt the data with") + cmd.Flags().String(cmdFlagNameNewEncryptionKey, "", "the new key to encrypt the data with") return cmd } @@ -154,7 +154,7 @@ func newStorageUserIdentifiersExportCmd() (cmd *cobra.Command) { DisableAutoGenTag: true, } - cmd.Flags().StringP("file", "f", "user-opaque-identifiers.yml", "The file name for the YAML export") + cmd.Flags().StringP(cmdFlagNameFile, "f", "user-opaque-identifiers.yml", "The file name for the YAML export") return cmd } 
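Review bot: The usage string for `--new-encryption-key` in newStorageEncryptionChangeKeyCmd (hunk `@@ -99,7`) still reads as if the flag were the only way to supply the key, while the storage_run.go change in this commit prompts on the terminal when the flag is omitted or empty. Documenting that in the help steers operators away from putting the key on the command line, where it can end up in shell history and process listings: `"the new key to encrypt the data with, prompted for on the terminal when not set"`. The function body starts outside the hunk.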
@@ -170,7 +170,7 @@ func newStorageUserIdentifiersImportCmd() (cmd *cobra.Command) { DisableAutoGenTag: true, } - cmd.Flags().StringP("file", "f", "user-opaque-identifiers.yml", "The file name for the YAML import") + cmd.Flags().StringP(cmdFlagNameFile, "f", "user-opaque-identifiers.yml", "The file name for the YAML import") return cmd } @@ -186,9 +186,9 @@ func newStorageUserIdentifiersGenerateCmd() (cmd *cobra.Command) { DisableAutoGenTag: true, } - cmd.Flags().StringSlice("users", nil, "The list of users to generate the opaque identifiers for") - cmd.Flags().StringSlice("services", []string{identifierServiceOpenIDConnect}, fmt.Sprintf("The list of services to generate the opaque identifiers for, valid values are: %s", strings.Join(validIdentifierServices, ", "))) - cmd.Flags().StringSlice("sectors", []string{""}, "The list of sectors to generate identifiers for") + cmd.Flags().StringSlice(cmdFlagNameUsers, nil, "The list of users to generate the opaque identifiers for") + cmd.Flags().StringSlice(cmdFlagNameServices, []string{identifierServiceOpenIDConnect}, fmt.Sprintf("The list of services to generate the opaque identifiers for, valid values are: %s", strings.Join(validIdentifierServices, ", "))) + cmd.Flags().StringSlice(cmdFlagNameSectors, []string{""}, "The list of sectors to generate identifiers for") return cmd } 
@@ -205,9 +205,9 @@ func newStorageUserIdentifiersAddCmd() (cmd *cobra.Command) { DisableAutoGenTag: true, } - cmd.Flags().String("identifier", "", "The optional version 4 UUID to use, if not set a random one will be used") - cmd.Flags().String("service", identifierServiceOpenIDConnect, fmt.Sprintf("The service to add the identifier for, valid values are: %s", strings.Join(validIdentifierServices, ", "))) - cmd.Flags().String("sector", "", "The sector identifier to use (should usually be blank)") + cmd.Flags().String(cmdFlagNameIdentifier, "", "The optional version 4 UUID to use, if not set a random one will be used") + cmd.Flags().String(cmdFlagNameService, identifierServiceOpenIDConnect, fmt.Sprintf("The service to add the identifier for, valid values are: %s", strings.Join(validIdentifierServices, ", "))) + cmd.Flags().String(cmdFlagNameSector, "", "The sector identifier to use (should usually be blank)") return cmd } @@ -257,9 +257,9 @@ func newStorageUserWebAuthnDeleteCmd() (cmd *cobra.Command) { DisableAutoGenTag: true, } - cmd.Flags().Bool("all", false, "delete all of the users webauthn devices") - cmd.Flags().String("description", "", "delete a users webauthn device by description") - cmd.Flags().String("kid", "", "delete a users webauthn device by key id") + cmd.Flags().Bool(cmdFlagNameAll, false, "delete all of the users webauthn devices") + cmd.Flags().String(cmdFlagNameDescription, "", "delete a users webauthn device by description") + cmd.Flags().String(cmdFlagNameKeyID, "", "delete a users webauthn device by key id") return cmd } 
@@ -295,14 +295,14 @@ func newStorageUserTOTPGenerateCmd() (cmd *cobra.Command) { DisableAutoGenTag: true, } - cmd.Flags().String("secret", "", "Optionally set the TOTP shared secret as base32 encoded bytes (no padding), it's recommended to not set this option unless you're restoring an TOTP config") - cmd.Flags().Uint("secret-size", schema.TOTPSecretSizeDefault, "set the TOTP secret size") - cmd.Flags().Uint("period", 30, "set the TOTP period") - cmd.Flags().Uint("digits", 6, "set the TOTP digits") - cmd.Flags().String("algorithm", "SHA1", "set the TOTP algorithm") - cmd.Flags().String("issuer", "Authelia", "set the TOTP issuer") - cmd.Flags().BoolP("force", "f", false, "forces the TOTP configuration to be generated regardless if it exists or not") - cmd.Flags().StringP("path", "p", "", "path to a file to create a PNG file with the QR code (optional)") + cmd.Flags().String(cmdFlagNameSecret, "", "set the shared secret as base32 encoded bytes (no padding), it's recommended that you do not use this option unless you're restoring a configuration") + cmd.Flags().Uint(cmdFlagNameSecretSize, schema.TOTPSecretSizeDefault, "set the secret size") + cmd.Flags().Uint(cmdFlagNamePeriod, 30, "set the period between rotations") + cmd.Flags().Uint(cmdFlagNameDigits, 6, "set the number of digits") + cmd.Flags().String(cmdFlagNameAlgorithm, "SHA1", "set the algorithm to either SHA1 (supported by most applications), SHA256, or SHA512") + cmd.Flags().String(cmdFlagNameIssuer, "Authelia", "set the issuer description") + cmd.Flags().BoolP(cmdFlagNameForce, "f", false, "forces the configuration to be generated regardless if it exists or not") + cmd.Flags().StringP(cmdFlagNamePath, "p", "", "path to a file to create a PNG file with the QR code (optional)") return cmd } 
@@ -333,7 +333,7 @@ func newStorageUserTOTPExportCmd() (cmd *cobra.Command) { DisableAutoGenTag: true, } - cmd.Flags().String("format", storageTOTPExportFormatURI, fmt.Sprintf("sets the output format, valid values are: %s", strings.Join(validStorageTOTPExportFormats, ", "))) + cmd.Flags().String(cmdFlagNameFormat, storageTOTPExportFormatURI, fmt.Sprintf("sets the output format, valid values are: %s", strings.Join(validStorageTOTPExportFormats, ", "))) cmd.Flags().String("dir", "", "used with the png output format to specify which new directory to save the files in") return cmd @@ -431,7 +431,7 @@ func newStorageMigrateUpCmd() (cmd *cobra.Command) { DisableAutoGenTag: true, } - cmd.Flags().IntP("target", "t", 0, "sets the version to migrate to, by default this is the latest version") + cmd.Flags().IntP(cmdFlagNameTarget, "t", 0, "sets the version to migrate to, by default this is the latest version") return cmd } @@ -448,9 +448,8 @@ func newStorageMigrateDownCmd() (cmd *cobra.Command) { DisableAutoGenTag: true, } - cmd.Flags().IntP("target", "t", 0, "sets the version to migrate to") - cmd.Flags().Bool("pre1", false, "sets pre1 as the version to migrate to") - cmd.Flags().Bool("destroy-data", false, "confirms you want to destroy data with this migration") + cmd.Flags().IntP(cmdFlagNameTarget, "t", 0, "sets the version to migrate to") + cmd.Flags().Bool(cmdFlagNameDestroyData, false, "confirms you want to destroy data with this migration") return cmd } diff --git a/internal/commands/storage_run.go b/internal/commands/storage_run.go index 4b11c5e72..6c0c89c5f 100644 --- a/internal/commands/storage_run.go +++ b/internal/commands/storage_run.go @@ -10,6 +10,7 @@ import ( "image/png" "os" "path/filepath" + "sort" "strings" "github.com/google/uuid" 
@@ -48,31 +49,32 @@ func storagePersistentPreRunE(cmd *cobra.Command, _ []string) (err error) { } mapping := map[string]string{ - "encryption-key": "storage.encryption_key", - "sqlite.path": "storage.local.path", + cmdFlagNameEncryptionKey: "storage.encryption_key", - "mysql.host": "storage.mysql.host", - "mysql.port": "storage.mysql.port", - "mysql.database": "storage.mysql.database", - "mysql.username": "storage.mysql.username", - "mysql.password": "storage.mysql.password", + cmdFlagNameSQLite3Path: "storage.local.path", - "postgres.host": "storage.postgres.host", - "postgres.port": "storage.postgres.port", - "postgres.database": "storage.postgres.database", - "postgres.schema": "storage.postgres.schema", - "postgres.username": "storage.postgres.username", - "postgres.password": "storage.postgres.password", + cmdFlagNameMySQLHost: "storage.mysql.host", + cmdFlagNameMySQLPort: "storage.mysql.port", + cmdFlagNameMySQLDatabase: "storage.mysql.database", + cmdFlagNameMySQLUsername: "storage.mysql.username", + cmdFlagNameMySQLPassword: "storage.mysql.password", + + cmdFlagNamePostgreSQLHost: "storage.postgres.host", + cmdFlagNamePostgreSQLPort: "storage.postgres.port", + cmdFlagNamePostgreSQLDatabase: "storage.postgres.database", + cmdFlagNamePostgreSQLSchema: "storage.postgres.schema", + cmdFlagNamePostgreSQLUsername: "storage.postgres.username", + cmdFlagNamePostgreSQLPassword: "storage.postgres.password", "postgres.ssl.mode": "storage.postgres.ssl.mode", "postgres.ssl.root_certificate": "storage.postgres.ssl.root_certificate", "postgres.ssl.certificate": "storage.postgres.ssl.certificate", "postgres.ssl.key": "storage.postgres.ssl.key", - "period": "totp.period", - "digits": "totp.digits", - "algorithm": "totp.algorithm", - "issuer": "totp.issuer", - "secret-size": "totp.secret_size", + cmdFlagNamePeriod: "totp.period", + cmdFlagNameDigits: "totp.digits", + cmdFlagNameAlgorithm: "totp.algorithm", + cmdFlagNameIssuer: "totp.issuer", + cmdFlagNameSecretSize: 
"totp.secret_size", } sources = append(sources, configuration.NewEnvironmentSource(configuration.DefaultEnvPrefix, configuration.DefaultEnvDelimiter)) @@ -128,6 +130,7 @@ func storageSchemaEncryptionCheckRunE(cmd *cobra.Command, args []string) (err er var ( provider storage.Provider verbose bool + result storage.EncryptionValidationResult ctx = context.Background() ) 
@@ -138,21 +141,43 @@ func storageSchemaEncryptionCheckRunE(cmd *cobra.Command, args []string) (err er _ = provider.Close() }() - if verbose, err = cmd.Flags().GetBool("verbose"); err != nil { + if verbose, err = cmd.Flags().GetBool(cmdFlagNameVerbose); err != nil { return err } - if err = provider.SchemaEncryptionCheckKey(ctx, verbose); err != nil { + if result, err = provider.SchemaEncryptionCheckKey(ctx, verbose); err != nil { switch { case errors.Is(err, storage.ErrSchemaEncryptionVersionUnsupported): - fmt.Printf("Could not check encryption key for validity. The schema version doesn't support encryption.\n") - case errors.Is(err, storage.ErrSchemaEncryptionInvalidKey): - fmt.Printf("Encryption key validation: failed.\n\nError: %v.\n", err) + fmt.Printf("Storage Encryption Key Validation: FAILURE\n\n\tCause: The schema version doesn't support encryption.\n") default: - fmt.Printf("Could not check encryption key for validity.\n\nError: %v.\n", err) + fmt.Printf("Storage Encryption Key Validation: UNKNOWN\n\n\tCause: %v.\n", err) } } else { - fmt.Println("Encryption key validation: success.") + if result.Success() { + fmt.Println("Storage Encryption Key Validation: SUCCESS") + } else { + fmt.Printf("Storage Encryption Key Validation: FAILURE\n\n\tCause: %v.\n", storage.ErrSchemaEncryptionInvalidKey) + } + + if verbose { + fmt.Printf("\nTables:") + + tables := make([]string, 0, len(result.Tables)) + + for name := range result.Tables { + tables = append(tables, name) + } + + sort.Strings(tables) + + for _, name := range tables { + table := result.Tables[name] + + fmt.Printf("\n\n\tTable (%s): %s\n\t\tInvalid Rows: %d\n\t\tTotal Rows: %d", name, table.ResultDescriptor(), table.Invalid, table.Total) + } + + fmt.Printf("\n") + } } return nil 
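Review bot: storageSchemaEncryptionCheckRunE prints FAILURE or UNKNOWN to stdout and then falls through to the unchanged `return nil`, so the process exits successfully whatever the validation result was. If this check is meant to be usable from scripts or monitoring, the failing paths need a non-nil return, for example `return storage.ErrSchemaEncryptionInvalidKey` once the verbose table has been printed in the `!result.Success()` case, and the original `err` in the UNKNOWN case. Whether the command framework would then print the error a second time is not visible here and should be checked. The function starts outside the hunk.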
@@ -185,13 +210,22 @@ func storageSchemaEncryptionChangeKeyRunE(cmd *cobra.Command, args []string) (er return errors.New("schema version must be at least version 1 to change the encryption key") } - key, err = cmd.Flags().GetString("new-encryption-key") + useFlag := cmd.Flags().Changed(cmdFlagNameNewEncryptionKey) + if useFlag { + if key, err = cmd.Flags().GetString(cmdFlagNameNewEncryptionKey); err != nil { + return err + } + } + + if !useFlag || key == "" { + if key, err = termReadPasswordStrWithPrompt("Enter New Storage Encryption Key: ", cmdFlagNameNewEncryptionKey); err != nil { + return err + } + } switch { - case err != nil: - return err case key == "": - return errors.New("you must set the --new-encryption-key flag") + return errors.New("the new encryption key must not be blank") case len(key) < 20: return errors.New("the new encryption key must be at least 20 characters") } @@ -341,24 +375,24 @@ func storageWebAuthnDeleteGetAndValidateConfig(cmd *cobra.Command, args []string flags := 0 - if cmd.Flags().Changed("all") { - if all, err = cmd.Flags().GetBool("all"); err != nil { + if cmd.Flags().Changed(cmdFlagNameAll) { + if all, err = cmd.Flags().GetBool(cmdFlagNameAll); err != nil { return } flags++ } - if cmd.Flags().Changed("description") { - if description, err = cmd.Flags().GetString("description"); err != nil { + if cmd.Flags().Changed(cmdFlagNameDescription) { + if description, err = cmd.Flags().GetString(cmdFlagNameDescription); err != nil { return } flags++ } - if byKID = cmd.Flags().Changed("kid"); byKID { - if kid, err = cmd.Flags().GetString("kid"); err != nil { + if byKID = cmd.Flags().Changed(cmdFlagNameKeyID); byKID { + if kid, err = cmd.Flags().GetString(cmdFlagNameKeyID); err != nil { return } 
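Review bot: The interactive path added in hunk `@@ -185,13` reads the new storage encryption key a single time, presumably with echo disabled, so a typo would re-encrypt the data under a key the operator cannot reproduce. The password flow in crypto_hash.go in this same commit asks for the value twice; the key prompt should do the same and refuse to continue on a mismatch. The sketch below assumes termReadPasswordStrWithPrompt accepts an empty flag name the way the confirm call in crypto_hash.go does; the helper is defined outside this view, and the function body starts and ends outside the hunk.

```go
	if !useFlag || key == "" {
		// … unchanged: first termReadPasswordStrWithPrompt call storing into key …

		// Hidden input cannot be proofread, so read it twice before re-encrypting.
		var confirm string

		if confirm, err = termReadPasswordStrWithPrompt("Confirm New Storage Encryption Key: ", ""); err != nil {
			return err
		}

		if confirm != key {
			return errors.New("the new encryption key and its confirmation do not match")
		}
	}
```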
@@ -574,7 +608,7 @@ func storageTOTPExportRunE(cmd *cobra.Command, args []string) (err error) { } func storageTOTPExportGetConfigFromFlags(cmd *cobra.Command) (format, dir string, err error) { - if format, err = cmd.Flags().GetString("format"); err != nil { + if format, err = cmd.Flags().GetString(cmdFlagNameFormat); err != nil { return "", "", err } @@ -694,7 +728,6 @@ func newStorageMigrationRunE(up bool) func(cmd *cobra.Command, args []string) (e var ( provider storage.Provider target int - pre1 bool ctx = context.Background() ) @@ -705,37 +738,28 @@ func newStorageMigrationRunE(up bool) func(cmd *cobra.Command, args []string) (e _ = provider.Close() }() - if target, err = cmd.Flags().GetInt("target"); err != nil { + if target, err = cmd.Flags().GetInt(cmdFlagNameTarget); err != nil { return err } switch { case up: - switch cmd.Flags().Changed("target") { + switch cmd.Flags().Changed(cmdFlagNameTarget) { case true: return provider.SchemaMigrate(ctx, true, target) default: return provider.SchemaMigrate(ctx, true, storage.SchemaLatest) } default: - if pre1, err = cmd.Flags().GetBool("pre1"); err != nil { - return err - } - - if !cmd.Flags().Changed("target") && !pre1 { - return errors.New("must set target") + if !cmd.Flags().Changed(cmdFlagNameTarget) { + return errors.New("you must set a target version") } if err = storageMigrateDownConfirmDestroy(cmd); err != nil { return err } - switch { - case pre1: - return provider.SchemaMigrate(ctx, false, -1) - default: - return provider.SchemaMigrate(ctx, false, target) - } + return provider.SchemaMigrate(ctx, false, target) } } } @@ -743,7 +767,7 @@ func newStorageMigrationRunE(up bool) func(cmd *cobra.Command, args []string) (e func storageMigrateDownConfirmDestroy(cmd *cobra.Command) (err error) { var destroy bool - if destroy, err = cmd.Flags().GetBool("destroy-data"); err != nil { + if destroy, err = cmd.Flags().GetBool(cmdFlagNameDestroyData); err != nil { return err } 
@@ -803,15 +827,21 @@ func storageSchemaInfoRunE(_ *cobra.Command, _ []string) (err error) { upgradeStr = "no" } - var encryption string + var ( + encryption string + result storage.EncryptionValidationResult + ) - if err = provider.SchemaEncryptionCheckKey(ctx, false); err != nil { + switch result, err = provider.SchemaEncryptionCheckKey(ctx, false); { + case err != nil: if errors.Is(err, storage.ErrSchemaEncryptionVersionUnsupported) { encryption = "unsupported (schema version)" } else { - encryption = "invalid" + encryption = invalid } - } else { + case !result.Success(): + encryption = invalid + default: encryption = "valid" } @@ -847,7 +877,7 @@ func storageUserIdentifiersExport(cmd *cobra.Command, _ []string) (err error) { file string ) - if file, err = cmd.Flags().GetString("file"); err != nil { + if file, err = cmd.Flags().GetString(cmdFlagNameFile); err != nil { return err } @@ -899,7 +929,7 @@ func storageUserIdentifiersImport(cmd *cobra.Command, _ []string) (err error) { stat os.FileInfo ) - if file, err = cmd.Flags().GetString("file"); err != nil { + if file, err = cmd.Flags().GetString(cmdFlagNameFile); err != nil { return err } @@ -967,15 +997,15 @@ func storageUserIdentifiersGenerate(cmd *cobra.Command, _ []string) (err error) return fmt.Errorf("can't load the existing identifiers: %w", err) } - if users, err = cmd.Flags().GetStringSlice("users"); err != nil { + if users, err = cmd.Flags().GetStringSlice(cmdFlagNameUsers); err != nil { return err } - if services, err = cmd.Flags().GetStringSlice("services"); err != nil { + if services, err = cmd.Flags().GetStringSlice(cmdFlagNameServices); err != nil { return err } - if sectors, err = cmd.Flags().GetStringSlice("sectors"); err != nil { + if sectors, err = cmd.Flags().GetStringSlice(cmdFlagNameSectors); err != nil { return err } 
@@ -1036,7 +1066,7 @@ func storageUserIdentifiersAdd(cmd *cobra.Command, args []string) (err error) { service, sector string ) - if service, err = cmd.Flags().GetString("service"); err != nil { + if service, err = cmd.Flags().GetString(cmdFlagNameService); err != nil { return err } @@ -1046,7 +1076,7 @@ func storageUserIdentifiersAdd(cmd *cobra.Command, args []string) (err error) { return fmt.Errorf("the service name '%s' is invalid, the valid values are: '%s'", service, strings.Join(validIdentifierServices, "', '")) } - if sector, err = cmd.Flags().GetString("sector"); err != nil { + if sector, err = cmd.Flags().GetString(cmdFlagNameSector); err != nil { return err } @@ -1056,10 +1086,10 @@ func storageUserIdentifiersAdd(cmd *cobra.Command, args []string) (err error) { SectorID: sector, } - if cmd.Flags().Changed("identifier") { + if cmd.Flags().Changed(cmdFlagNameIdentifier) { var identifierStr string - if identifierStr, err = cmd.Flags().GetString("identifier"); err != nil { + if identifierStr, err = cmd.Flags().GetString(cmdFlagNameIdentifier); err != nil { return err } diff --git a/internal/commands/util.go b/internal/commands/util.go index e4af026b4..1534b4bb3 100644 --- a/internal/commands/util.go +++ b/internal/commands/util.go @@ -3,8 +3,10 @@ package commands import ( "fmt" "os" + "syscall" "github.com/spf13/pflag" + "golang.org/x/term" "github.com/authelia/authelia/v4/internal/utils" ) 
@@ -99,3 +101,38 @@ func flagsGetRandomCharacters(flags *pflag.FlagSet, flagNameLength, flagNameChar return utils.RandomString(n, charset, true), nil } + +func termReadPasswordStrWithPrompt(prompt, flag string) (data string, err error) { + var d []byte + + if d, err = termReadPasswordWithPrompt(prompt, flag); err != nil { + return "", err + } + + return string(d), nil +} + +func termReadPasswordWithPrompt(prompt, flag string) (data []byte, err error) { + fd := int(syscall.Stdin) //nolint:unconvert,nolintlint + + if isTerm := term.IsTerminal(fd); !isTerm { + switch len(flag) { + case 0: + return nil, ErrStdinIsNotTerminal + case 1: + return nil, fmt.Errorf("you must either use an interactive terminal or use the -%s flag", flag) + default: + return nil, fmt.Errorf("you must either use an interactive terminal or use the --%s flag", flag) + } + } + + fmt.Print(prompt) + + if data, err = term.ReadPassword(fd); err != nil { + return nil, fmt.Errorf("failed to read the input from the terminal: %w", err) + } + + fmt.Println("") + + return data, nil +} diff --git a/internal/configuration/config.template.yml b/internal/configuration/config.template.yml index 4940b3f33..3cb29ac83 100644 --- a/internal/configuration/config.template.yml +++ b/internal/configuration/config.template.yml @@ -863,7 +863,8 @@ regulation: ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. # storage: ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum - ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it. + ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use + ## the CLI to change this in the database if you want to change it from a previously configured value. # encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this ## 
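Review bot: termReadPasswordWithPrompt in the util.go hunk returns an error whenever stdin is not a terminal and the message directs the caller to the flag, so any scripted use has to pass the secret as a command-line argument, where other local processes and shell history can see it. Accepting piped stdin or a file path as an alternative would give automation a way to keep the key out of the arguments. Both helpers are also undocumented; a comment such as `// termReadPasswordWithPrompt prints prompt and reads input from stdin without echo; it fails when stdin is not a terminal and names flag as the alternative.` would record the contract. Separately, `fmt.Print(prompt)` writes to stdout, and `fmt.Fprint(os.Stderr, prompt)` would keep the prompt out of redirected command output.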
diff --git a/internal/mocks/storage.go b/internal/mocks/storage.go index 2a20f8acc..11c5aea49 100644 --- a/internal/mocks/storage.go +++ b/internal/mocks/storage.go @@ -675,11 +675,12 @@ func (mr *MockStorageMockRecorder) SchemaEncryptionChangeKey(arg0, arg1 interfac } // SchemaEncryptionCheckKey mocks base method. -func (m *MockStorage) SchemaEncryptionCheckKey(arg0 context.Context, arg1 bool) error { +func (m *MockStorage) SchemaEncryptionCheckKey(arg0 context.Context, arg1 bool) (storage.EncryptionValidationResult, error) { m.ctrl.T.Helper() ret := m.ctrl.Call(m, "SchemaEncryptionCheckKey", arg0, arg1) - ret0, _ := ret[0].(error) - return ret0 + ret0, _ := ret[0].(storage.EncryptionValidationResult) + ret1, _ := ret[1].(error) + return ret0, ret1 } // SchemaEncryptionCheckKey indicates an expected call of SchemaEncryptionCheckKey. diff --git a/internal/storage/const.go b/internal/storage/const.go index d899c82f9..5ca7a644f 100644 --- a/internal/storage/const.go +++ b/internal/storage/const.go 
@@ -15,17 +15,16 @@ const ( tableOAuth2ConsentSession = "oauth2_consent_session" tableOAuth2ConsentPreConfiguration = "oauth2_consent_preconfiguration" - tableOAuth2AuthorizeCodeSession = "oauth2_authorization_code_session" - tableOAuth2AccessTokenSession = "oauth2_access_token_session" //nolint:gosec // This is not a hardcoded credential. - tableOAuth2RefreshTokenSession = "oauth2_refresh_token_session" //nolint:gosec // This is not a hardcoded credential. - tableOAuth2PKCERequestSession = "oauth2_pkce_request_session" - tableOAuth2OpenIDConnectSession = "oauth2_openid_connect_session" - tableOAuth2BlacklistedJTI = "oauth2_blacklisted_jti" + + tableOAuth2AuthorizeCodeSession = "oauth2_authorization_code_session" + tableOAuth2AccessTokenSession = "oauth2_access_token_session" //nolint:gosec // This is not a hardcoded credential. + tableOAuth2RefreshTokenSession = "oauth2_refresh_token_session" //nolint:gosec // This is not a hardcoded credential. + tableOAuth2PKCERequestSession = "oauth2_pkce_request_session" + tableOAuth2OpenIDConnectSession = "oauth2_openid_connect_session" + tableOAuth2BlacklistedJTI = "oauth2_blacklisted_jti" tableMigrations = "migrations" tableEncryption = "encryption" - - tablePrefixBackup = "_bkp_" ) // OAuth2SessionType represents the potential OAuth 2.0 session types. @@ -58,6 +57,24 @@ func (s OAuth2SessionType) String() string { } } +// Table returns the table name for this session type. +func (s OAuth2SessionType) Table() string { + switch s { + case OAuth2SessionTypeAuthorizeCode: + return tableOAuth2AuthorizeCodeSession + case OAuth2SessionTypeAccessToken: + return tableOAuth2AccessTokenSession + case OAuth2SessionTypeRefreshToken: + return tableOAuth2RefreshTokenSession + case OAuth2SessionTypePKCEChallenge: + return tableOAuth2PKCERequestSession + case OAuth2SessionTypeOpenIDConnect: + return tableOAuth2OpenIDConnectSession + default: + return "" + } +} + const ( sqlNetworkTypeTCP = "tcp" sqlNetworkTypeUnixSocket = "unix" 
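Review bot: `Table()` returns `""` for an unknown session type, and the key-change and key-check loops added in sql_provider_encryption.go (`for i := 0; true; i++ { ... if typeOAuth2Session.Table() == "" { break }`) use that empty string as their stop condition. That covers every OAuth 2.0 session table only if the OAuth2SessionType constants are contiguous from zero and each one has a case here; the constant block is outside this hunk, so this is an assumption. A session type added later without a case would end the loop early and leave its rows, and those of any later type, encrypted under the old key after a key change. A doc comment recording the dependency, e.g. `// Table returns the table name for this session type, or "" for an unknown type; the encryption key loops stop at the first "".`, or an explicit slice of session types to iterate would make this harder to break.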
@@ -72,16 +89,6 @@ const ( tablePre1TOTPSecrets = "totp_secrets" tablePre1IdentityVerificationTokens = "identity_verification_tokens" tablePre1U2FDevices = "u2f_devices" - - tablePre1Config = "config" - - tableAlphaAuthenticationLogs = "AuthenticationLogs" - tableAlphaIdentityVerificationTokens = "IdentityVerificationTokens" - tableAlphaPreferences = "Preferences" - tableAlphaPreferencesTableName = "PreferencesTableName" - tableAlphaSecondFactorPreferences = "SecondFactorPreferences" - tableAlphaTOTPSecrets = "TOTPSecrets" - tableAlphaU2FDeviceHandles = "U2FDeviceHandles" ) var tablesPre1 = []string{ @@ -114,3 +121,8 @@ const ( var ( reMigration = regexp.MustCompile(`^V(\d{4})\.([^.]+)\.(all|sqlite|postgres|mysql)\.(up|down)\.sql$`) ) + +const ( + na = "N/A" + invalid = "invalid" +) diff --git a/internal/storage/errors.go b/internal/storage/errors.go index 388b69130..f3098f643 100644 --- a/internal/storage/errors.go +++ b/internal/storage/errors.go @@ -35,7 +35,7 @@ var ( // ErrSchemaEncryptionInvalidKey is returned when the schema is checked if the encryption key is valid for // the database but the key doesn't appear to be valid. - ErrSchemaEncryptionInvalidKey = errors.New("the encryption key is not valid against the schema check value") + ErrSchemaEncryptionInvalidKey = errors.New("the configured encryption key does not appear to be valid for this database which may occur if the encryption key was changed in the configuration without using the cli to change it in the database") ) // Error formats for the storage provider. @@ -49,7 +49,6 @@ const ( const ( errFmtFailedMigration = "schema migration %d (%s) failed: %w" - errFmtFailedMigrationPre1 = "schema migration pre1 failed: %w" errFmtSchemaCurrentGreaterThanLatestKnown = "current schema version is greater than the latest known schema " + "version, you must downgrade to schema version %d before you can use this version of Authelia" ) 
@@ -59,3 +58,8 @@ const ( logFmtMigrationComplete = "Storage schema migration from %s to %s is complete" logFmtErrClosingConn = "Error occurred closing SQL connection: %v" ) + +const ( + errFmtMigrationPre1 = "schema migration %s pre1 is no longer supported: you must use an older version of authelia to perform this migration: %s" + errFmtMigrationPre1SuggestedVersion = "the suggested authelia version is 4.37.2" +) diff --git a/internal/storage/migrations.go b/internal/storage/migrations.go index bb527c942..f634bccdd 100644 --- a/internal/storage/migrations.go +++ b/internal/storage/migrations.go @@ -46,42 +46,6 @@ func latestMigrationVersion(providerName string) (version int, err error) { return version, nil } -func loadMigration(providerName string, version int, up bool) (migration *model.SchemaMigration, err error) { - entries, err := migrationsFS.ReadDir("migrations") - if err != nil { - return nil, err - } - - for _, entry := range entries { - if entry.IsDir() { - continue - } - - m, err := scanMigration(entry.Name()) - if err != nil { - return nil, err - } - - migration = &m - - if up != migration.Up { - continue - } - - if migration.Provider != providerAll && migration.Provider != providerName { - continue - } - - if version != migration.Version { - continue - } - - return migration, nil - } - - return nil, errors.New("migration not found") -} - // loadMigrations scans the migrations fs and loads the appropriate migrations for a given providerName, prior and // target versions. If the target version is -1 this indicates the latest version. If the target version is 0 // this indicates the database zero state. diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.down.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.down.sql index c736d6b87..fac319005 100644 --- a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.down.sql +++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.down.sql 
@@ -1,7 +1,5 @@ PRAGMA foreign_keys=off; -BEGIN TRANSACTION; - DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect')); @@ -261,6 +259,4 @@ ORDER BY id; DROP TABLE IF EXISTS _bkp_DOWN_V0005_oauth2_openid_connect_session; -COMMIT; - PRAGMA foreign_keys=on; diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql index c9347cb4d..8f35ee6ca 100644 --- a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql +++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql @@ -1,7 +1,5 @@ PRAGMA foreign_keys=off; -BEGIN TRANSACTION; - DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect')); @@ -255,6 +253,4 @@ ORDER BY id; DROP TABLE IF EXISTS _bkp_UP_V0005_oauth2_openid_connect_session; -COMMIT; - PRAGMA foreign_keys=on; diff --git a/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.down.sql b/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.down.sql index b5a31858d..76f7d68e8 100644 --- a/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.down.sql +++ b/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.down.sql @@ -1,7 +1,5 @@ PRAGMA foreign_keys=off; -BEGIN TRANSACTION; - ALTER TABLE webauthn_devices RENAME TO _bkp_DOWN_V0007_webauthn_devices; @@ -612,6 +610,4 @@ ORDER BY id; DROP TABLE IF EXISTS _bkp_DOWN_V0007_oauth2_openid_connect_session; -COMMIT; - PRAGMA foreign_keys=on; diff --git a/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.up.sql b/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.up.sql index 80847f593..1af55ed6b 100644 --- a/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.up.sql +++ b/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.up.sql 
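Review bot: With `BEGIN TRANSACTION;` and `COMMIT;` removed, V0005.ConsentSubjectNULL.sqlite.down.sql still opens with `PRAGMA foreign_keys=off;`, and SQLite treats that pragma as a no-op while a transaction is open. If the migration runner now executes the file inside its own transaction (that code is not part of these hunks), foreign key enforcement stays on during the table renames and drops; if it does not, a failure part-way through leaves the schema half migrated with `_bkp_` tables behind. A header comment stating which case applies would help, e.g. `-- Runs inside the migration runner's transaction; foreign key enforcement must be disabled on the connection beforehand.` if that is the design. The same point applies to V0005 up and to V0007 up and down, which are changed the same way.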
@@ -1,7 +1,5 @@ PRAGMA foreign_keys=off; -BEGIN TRANSACTION; - DROP TABLE IF EXISTS _bkp_UP_V0002_totp_configurations; DROP TABLE IF EXISTS _bkp_UP_V0002_u2f_devices; DROP TABLE IF EXISTS totp_secrets; @@ -662,6 +660,4 @@ ORDER BY id; DROP TABLE IF EXISTS _bkp_UP_V0007_oauth2_openid_connect_session; -COMMIT; - PRAGMA foreign_keys=on; diff --git a/internal/storage/provider.go b/internal/storage/provider.go index ecfe104b0..d3c9f3b5a 100644 --- a/internal/storage/provider.go +++ b/internal/storage/provider.go @@ -77,8 +77,8 @@ type Provider interface { SchemaMigrationsUp(ctx context.Context, version int) (migrations []model.SchemaMigration, err error) SchemaMigrationsDown(ctx context.Context, version int) (migrations []model.SchemaMigration, err error) - SchemaEncryptionChangeKey(ctx context.Context, encryptionKey string) (err error) - SchemaEncryptionCheckKey(ctx context.Context, verbose bool) (err error) + SchemaEncryptionChangeKey(ctx context.Context, key string) (err error) + SchemaEncryptionCheckKey(ctx context.Context, verbose bool) (result EncryptionValidationResult, err error) Close() (err error) } diff --git a/internal/storage/sql_provider.go b/internal/storage/sql_provider.go index fd6943e1a..a55a41cea 100644 --- a/internal/storage/sql_provider.go +++ b/internal/storage/sql_provider.go 
@@ -43,8 +43,6 @@ func NewSQLProvider(config *schema.Configuration, name, driverName, dataSourceNa sqlSelectTOTPConfig: fmt.Sprintf(queryFmtSelectTOTPConfiguration, tableTOTPConfigurations), sqlSelectTOTPConfigs: fmt.Sprintf(queryFmtSelectTOTPConfigurations, tableTOTPConfigurations), - sqlUpdateTOTPConfigSecret: fmt.Sprintf(queryFmtUpdateTOTPConfigurationSecret, tableTOTPConfigurations), - sqlUpdateTOTPConfigSecretByUsername: fmt.Sprintf(queryFmtUpdateTOTPConfigurationSecretByUsername, tableTOTPConfigurations), sqlUpdateTOTPConfigRecordSignIn: fmt.Sprintf(queryFmtUpdateTOTPConfigRecordSignIn, tableTOTPConfigurations), sqlUpdateTOTPConfigRecordSignInByUsername: fmt.Sprintf(queryFmtUpdateTOTPConfigRecordSignInByUsername, tableTOTPConfigurations), @@ -52,8 +50,6 @@ func NewSQLProvider(config *schema.Configuration, name, driverName, dataSourceNa sqlSelectWebauthnDevices: fmt.Sprintf(queryFmtSelectWebauthnDevices, tableWebauthnDevices), sqlSelectWebauthnDevicesByUsername: fmt.Sprintf(queryFmtSelectWebauthnDevicesByUsername, tableWebauthnDevices), - sqlUpdateWebauthnDevicePublicKey: fmt.Sprintf(queryFmtUpdateWebauthnDevicePublicKey, tableWebauthnDevices), - sqlUpdateWebauthnDevicePublicKeyByUsername: fmt.Sprintf(queryFmtUpdateUpdateWebauthnDevicePublicKeyByUsername, tableWebauthnDevices), sqlUpdateWebauthnDeviceRecordSignIn: fmt.Sprintf(queryFmtUpdateWebauthnDeviceRecordSignIn, tableWebauthnDevices), sqlUpdateWebauthnDeviceRecordSignInByUsername: fmt.Sprintf(queryFmtUpdateWebauthnDeviceRecordSignInByUsername, tableWebauthnDevices), @@ -161,8 +157,6 @@ type SQLProvider struct { sqlSelectTOTPConfig string sqlSelectTOTPConfigs string - sqlUpdateTOTPConfigSecret string - sqlUpdateTOTPConfigSecretByUsername string sqlUpdateTOTPConfigRecordSignIn string sqlUpdateTOTPConfigRecordSignInByUsername string 
@@ -171,8 +165,6 @@ type SQLProvider struct { sqlSelectWebauthnDevices string sqlSelectWebauthnDevicesByUsername string - sqlUpdateWebauthnDevicePublicKey string - sqlUpdateWebauthnDevicePublicKeyByUsername string sqlUpdateWebauthnDeviceRecordSignIn string sqlUpdateWebauthnDeviceRecordSignInByUsername string @@ -292,13 +284,17 @@ func (p *SQLProvider) StartupCheck() (err error) { ctx := context.Background() - if err = p.SchemaEncryptionCheckKey(ctx, false); err != nil && !errors.Is(err, ErrSchemaEncryptionVersionUnsupported) { + var result EncryptionValidationResult + + if result, err = p.SchemaEncryptionCheckKey(ctx, false); err != nil && !errors.Is(err, ErrSchemaEncryptionVersionUnsupported) { return err } - err = p.SchemaMigrate(ctx, true, SchemaLatest) + if !result.Success() { + return ErrSchemaEncryptionInvalidKey + } - switch err { + switch err = p.SchemaMigrate(ctx, true, SchemaLatest); err { case ErrSchemaAlreadyUpToDate: p.log.Infof("Storage schema is already up to date") return nil @@ -837,21 +833,6 @@ func (p *SQLProvider) LoadTOTPConfigurations(ctx context.Context, limit, page in return configs, nil } -func (p *SQLProvider) updateTOTPConfigurationSecret(ctx context.Context, config model.TOTPConfiguration) (err error) { - switch config.ID { - case 0: - _, err = p.db.ExecContext(ctx, p.sqlUpdateTOTPConfigSecretByUsername, config.Secret, config.Username) - default: - _, err = p.db.ExecContext(ctx, p.sqlUpdateTOTPConfigSecret, config.Secret, config.ID) - } - - if err != nil { - return fmt.Errorf("error updating TOTP configuration secret for user '%s': %w", config.Username, err) - } - - return nil -} - // SaveWebauthnDevice saves a registered Webauthn device. func (p *SQLProvider) SaveWebauthnDevice(ctx context.Context, device model.WebauthnDevice) (err error) { if device.PublicKey, err = p.encrypt(device.PublicKey); err != nil { 
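Review bot: In the StartupCheck hunk, `result.Success()` is evaluated even when SchemaEncryptionCheckKey returned ErrSchemaEncryptionVersionUnsupported, and in that case `result` is the zero value. Startup against a schema below version 1 therefore depends on a zero-value EncryptionValidationResult reporting success, and that type is not defined in this hunk. Guarding the check makes the intent explicit and removes the dependency: `if err == nil && !result.Success() { return ErrSchemaEncryptionInvalidKey }`. StartupCheck's body starts and ends outside the hunk.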
@@ -947,21 +928,6 @@ func (p *SQLProvider) LoadWebauthnDevicesByUsername(ctx context.Context, usernam return devices, nil } -func (p *SQLProvider) updateWebauthnDevicePublicKey(ctx context.Context, device model.WebauthnDevice) (err error) { - switch device.ID { - case 0: - _, err = p.db.ExecContext(ctx, p.sqlUpdateWebauthnDevicePublicKeyByUsername, device.PublicKey, device.Username, device.KID) - default: - _, err = p.db.ExecContext(ctx, p.sqlUpdateWebauthnDevicePublicKey, device.PublicKey, device.ID) - } - - if err != nil { - return fmt.Errorf("error updating Webauthn public key for user '%s' kid '%x': %w", device.Username, device.KID, err) - } - - return nil -} - // SavePreferredDuoDevice saves a Duo device. func (p *SQLProvider) SavePreferredDuoDevice(ctx context.Context, device model.DuoDevice) (err error) { if _, err = p.db.ExecContext(ctx, p.sqlUpsertDuoDevice, device.Username, device.Device, device.Method); err != nil { diff --git a/internal/storage/sql_provider_backend_postgres.go b/internal/storage/sql_provider_backend_postgres.go index e8834db44..9e0c127a1 100644 --- a/internal/storage/sql_provider_backend_postgres.go +++ b/internal/storage/sql_provider_backend_postgres.go 
@@ -58,13 +58,9 @@ func NewPostgreSQLProvider(config *schema.Configuration, caCertPool *x509.CertPo provider.sqlUpdateTOTPConfigRecordSignInByUsername = provider.db.Rebind(provider.sqlUpdateTOTPConfigRecordSignInByUsername) provider.sqlDeleteTOTPConfig = provider.db.Rebind(provider.sqlDeleteTOTPConfig) provider.sqlSelectTOTPConfigs = provider.db.Rebind(provider.sqlSelectTOTPConfigs) - provider.sqlUpdateTOTPConfigSecret = provider.db.Rebind(provider.sqlUpdateTOTPConfigSecret) - provider.sqlUpdateTOTPConfigSecretByUsername = provider.db.Rebind(provider.sqlUpdateTOTPConfigSecretByUsername) provider.sqlSelectWebauthnDevices = provider.db.Rebind(provider.sqlSelectWebauthnDevices) provider.sqlSelectWebauthnDevicesByUsername = provider.db.Rebind(provider.sqlSelectWebauthnDevicesByUsername) - provider.sqlUpdateWebauthnDevicePublicKey = provider.db.Rebind(provider.sqlUpdateWebauthnDevicePublicKey) - provider.sqlUpdateWebauthnDevicePublicKeyByUsername = provider.db.Rebind(provider.sqlUpdateWebauthnDevicePublicKeyByUsername) provider.sqlUpdateWebauthnDeviceRecordSignIn = provider.db.Rebind(provider.sqlUpdateWebauthnDeviceRecordSignIn) provider.sqlUpdateWebauthnDeviceRecordSignInByUsername = provider.db.Rebind(provider.sqlUpdateWebauthnDeviceRecordSignInByUsername) provider.sqlDeleteWebauthnDevice = provider.db.Rebind(provider.sqlDeleteWebauthnDevice) diff --git a/internal/storage/sql_provider_encryption.go b/internal/storage/sql_provider_encryption.go index 338bb27bf..29d334510 100644 --- a/internal/storage/sql_provider_encryption.go +++ b/internal/storage/sql_provider_encryption.go 
@@ -1,38 +1,65 @@ package storage import ( + "bytes" "context" "crypto/sha256" + "database/sql" + "errors" "fmt" "github.com/google/uuid" "github.com/jmoiron/sqlx" - "github.com/authelia/authelia/v4/internal/model" "github.com/authelia/authelia/v4/internal/utils" ) // SchemaEncryptionChangeKey uses the currently configured key to decrypt values in the database and the key provided // by this command to encrypt the values again and update them using a transaction. -func (p *SQLProvider) SchemaEncryptionChangeKey(ctx context.Context, encryptionKey string) (err error) { +func (p *SQLProvider) SchemaEncryptionChangeKey(ctx context.Context, key string) (err error) { + skey := sha256.Sum256([]byte(key)) + + if bytes.Equal(skey[:], p.key[:]) { + return fmt.Errorf("error changing the storage encryption key: the old key and the new key are the same") + } + + if _, err = p.SchemaEncryptionCheckKey(ctx, false); err != nil { + return fmt.Errorf("error changing the storage encryption key: %w", err) + } + tx, err := p.db.Beginx() if err != nil { return fmt.Errorf("error beginning transaction to change encryption key: %w", err) } - key := sha256.Sum256([]byte(encryptionKey)) - - if err = p.schemaEncryptionChangeKeyTOTP(ctx, tx, key); err != nil { - return err + encChangeFuncs := []EncryptionChangeKeyFunc{ + schemaEncryptionChangeKeyTOTP, + schemaEncryptionChangeKeyWebauthn, } - if err = p.schemaEncryptionChangeKeyWebauthn(ctx, tx, key); err != nil { - return err + for i := 0; true; i++ { + typeOAuth2Session := OAuth2SessionType(i) + + if typeOAuth2Session.Table() == "" { + break + } + + encChangeFuncs = append(encChangeFuncs, schemaEncryptionChangeKeyOpenIDConnect(typeOAuth2Session)) } - if err = p.setNewEncryptionCheckValue(ctx, &key, tx); err != nil { - if rollbackErr := tx.Rollback(); rollbackErr != nil { - return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err) + for _, encChangeFunc := range encChangeFuncs { + if err = encChangeFunc(ctx, p, tx, 
skey); err != nil { + if rerr := tx.Rollback(); rerr != nil { + return fmt.Errorf("rollback error %v: rollback due to error: %w", rerr, err) + } + + return fmt.Errorf("rollback due to error: %w", err) + } + } + + if err = p.setNewEncryptionCheckValue(ctx, tx, &skey); err != nil { + if rerr := tx.Rollback(); rerr != nil { + return fmt.Errorf("rollback error %v: rollback due to error: %w", rerr, err) } return fmt.Errorf("rollback due to error: %w", err) 
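Review bot: The pre-check in SchemaEncryptionChangeKey, `if _, err = p.SchemaEncryptionCheckKey(ctx, false); err != nil`, discards the result, yet the reworked SchemaEncryptionCheckKey in the next hunk reports a wrong key through `result.InvalidCheckValue` with a nil error. A key change started with the wrong current key is therefore not stopped here; it fails later only if some table holds a row that does not decrypt, and with empty tables the check value is simply rewritten under the new key. Checking the result the way StartupCheck does closes the gap: keep the result and add `if !result.Success() { return ErrSchemaEncryptionInvalidKey }` after the error check. `p.db.Beginx()` could also become `p.db.BeginTxx(ctx, nil)` so the transaction is tied to the context.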
@@ -41,222 +68,262 @@ func (p *SQLProvider) SchemaEncryptionChangeKey(ctx context.Context, encryptionK return tx.Commit() } -func (p *SQLProvider) schemaEncryptionChangeKeyTOTP(ctx context.Context, tx *sqlx.Tx, key [32]byte) (err error) { - var configs []model.TOTPConfiguration - - for page := 0; true; page++ { - if configs, err = p.LoadTOTPConfigurations(ctx, 10, page); err != nil { - if rollbackErr := tx.Rollback(); rollbackErr != nil { - return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err) - } - - return fmt.Errorf("rollback due to error: %w", err) - } - - for _, config := range configs { - if config.Secret, err = utils.Encrypt(config.Secret, &key); err != nil { - if rollbackErr := tx.Rollback(); rollbackErr != nil { - return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err) - } - - return fmt.Errorf("rollback due to error: %w", err) - } - - if err = p.updateTOTPConfigurationSecret(ctx, config); err != nil { - if rollbackErr := tx.Rollback(); rollbackErr != nil { - return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err) - } - - return fmt.Errorf("rollback due to error: %w", err) - } - } - - if len(configs) != 10 { - break - } - } - - return nil -} - -func (p *SQLProvider) schemaEncryptionChangeKeyWebauthn(ctx context.Context, tx *sqlx.Tx, key [32]byte) (err error) { - var devices []model.WebauthnDevice - - for page := 0; true; page++ { - if devices, err = p.LoadWebauthnDevices(ctx, 10, page); err != nil { - if rollbackErr := tx.Rollback(); rollbackErr != nil { - return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err) - } - - return fmt.Errorf("rollback due to error: %w", err) - } - - for _, device := range devices { - if device.PublicKey, err = utils.Encrypt(device.PublicKey, &key); err != nil { - if rollbackErr := tx.Rollback(); rollbackErr != nil { - return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err) - } - - return 
fmt.Errorf("rollback due to error: %w", err) - } - - if err = p.updateWebauthnDevicePublicKey(ctx, device); err != nil { - if rollbackErr := tx.Rollback(); rollbackErr != nil { - return fmt.Errorf("rollback error %v: rollback due to error: %w", rollbackErr, err) - } - - return fmt.Errorf("rollback due to error: %w", err) - } - } - - if len(devices) != 10 { - break - } - } - - return nil -} - // SchemaEncryptionCheckKey checks the encryption key configured is valid for the database. -func (p *SQLProvider) SchemaEncryptionCheckKey(ctx context.Context, verbose bool) (err error) { +func (p *SQLProvider) SchemaEncryptionCheckKey(ctx context.Context, verbose bool) (result EncryptionValidationResult, err error) { version, err := p.SchemaVersion(ctx) if err != nil { - return err + return result, err } if version < 1 { - return ErrSchemaEncryptionVersionUnsupported + return result, ErrSchemaEncryptionVersionUnsupported } - var errs []error + result = EncryptionValidationResult{ + Tables: map[string]EncryptionValidationTableResult{}, + } if _, err = p.getEncryptionValue(ctx, encryptionNameCheck); err != nil { - errs = append(errs, ErrSchemaEncryptionInvalidKey) + result.InvalidCheckValue = true } if verbose { - if err = p.schemaEncryptionCheckTOTP(ctx); err != nil { - errs = append(errs, err) + encCheckFuncs := []EncryptionCheckKeyFunc{ + schemaEncryptionCheckKeyTOTP, + schemaEncryptionCheckKeyWebauthn, } - if err = p.schemaEncryptionCheckWebauthn(ctx); err != nil { - errs = append(errs, err) + for i := 0; true; i++ { + typeOAuth2Session := OAuth2SessionType(i) + + if typeOAuth2Session.Table() == "" { + break + } + + encCheckFuncs = append(encCheckFuncs, schemaEncryptionCheckKeyOpenIDConnect(typeOAuth2Session)) + } + + for _, encCheckFunc := range encCheckFuncs { + table, tableResult := encCheckFunc(ctx, p) + + result.Tables[table] = tableResult } } - if len(errs) != 0 { - for i, e := range errs { - if i == 0 { - err = e + return result, nil +} - continue - } - - err = 
fmt.Errorf("%w, %v", err, e) - } +func schemaEncryptionChangeKeyTOTP(ctx context.Context, provider *SQLProvider, tx *sqlx.Tx, key [32]byte) (err error) { + var count int + if err = tx.GetContext(ctx, &count, fmt.Sprintf(queryFmtSelectRowCount, tableTOTPConfigurations)); err != nil { return err } - return nil -} - -func (p *SQLProvider) schemaEncryptionCheckTOTP(ctx context.Context) (err error) { - var ( - config model.TOTPConfiguration - row int - invalid int - total int - ) - - pageSize := 10 - - var rows *sqlx.Rows - - for page := 0; true; page++ { - if rows, err = p.db.QueryxContext(ctx, p.sqlSelectTOTPConfigs, pageSize, pageSize*page); err != nil { - _ = rows.Close() - - return fmt.Errorf("error selecting TOTP configurations: %w", err) - } - - row = 0 - - for rows.Next() { - total++ - row++ - - if err = rows.StructScan(&config); err != nil { - _ = rows.Close() - return fmt.Errorf("error scanning TOTP configuration to struct: %w", err) - } - - if _, err = p.decrypt(config.Secret); err != nil { - invalid++ - } - } - - _ = rows.Close() - - if row < pageSize { - break - } + if count == 0 { + return nil } - if invalid != 0 { - return fmt.Errorf("%d of %d total TOTP secrets were invalid", invalid, total) + configs := make([]encTOTPConfiguration, 0, count) + + if err = tx.SelectContext(ctx, &configs, fmt.Sprintf(queryFmtSelectTOTPConfigurationsEncryptedData, tableTOTPConfigurations)); err != nil { + if errors.Is(err, sql.ErrNoRows) { + return nil + } + + return fmt.Errorf("error selecting TOTP configurations: %w", err) + } + + query := provider.db.Rebind(fmt.Sprintf(queryFmtUpdateTOTPConfigurationSecret, tableTOTPConfigurations)) + + for _, c := range configs { + if c.Secret, err = provider.decrypt(c.Secret); err != nil { + return fmt.Errorf("error decrypting TOTP configuration secret with id '%d': %w", c.ID, err) + } + + if c.Secret, err = utils.Encrypt(c.Secret, &key); err != nil { + return fmt.Errorf("error encrypting TOTP configuration secret with id '%d': %w", 
c.ID, err) + } + + if _, err = tx.ExecContext(ctx, query, c.Secret, c.ID); err != nil { + return fmt.Errorf("error updating TOTP configuration secret with id '%d': %w", c.ID, err) + } } return nil } -func (p *SQLProvider) schemaEncryptionCheckWebauthn(ctx context.Context) (err error) { - var ( - device model.WebauthnDevice - row int - invalid int - total int - ) +func schemaEncryptionChangeKeyWebauthn(ctx context.Context, provider *SQLProvider, tx *sqlx.Tx, key [32]byte) (err error) { + var count int - pageSize := 10 + if err = tx.GetContext(ctx, &count, fmt.Sprintf(queryFmtSelectRowCount, tableWebauthnDevices)); err != nil { + return err + } - var rows *sqlx.Rows + if count == 0 { + return nil + } - for page := 0; true; page++ { - if rows, err = p.db.QueryxContext(ctx, p.sqlSelectWebauthnDevices, pageSize, pageSize*page); err != nil { - _ = rows.Close() + devices := make([]encWebauthnDevice, 0, count) - return fmt.Errorf("error selecting Webauthn devices: %w", err) + if err = tx.SelectContext(ctx, &devices, fmt.Sprintf(queryFmtSelectWebauthnDevicesEncryptedData, tableWebauthnDevices)); err != nil { + if errors.Is(err, sql.ErrNoRows) { + return nil } - row = 0 + return fmt.Errorf("error selecting Webauthn devices: %w", err) + } - for rows.Next() { - total++ - row++ + query := provider.db.Rebind(fmt.Sprintf(queryFmtUpdateWebauthnDevicePublicKey, tableWebauthnDevices)) - if err = rows.StructScan(&device); err != nil { - _ = rows.Close() - return fmt.Errorf("error scanning Webauthn device to struct: %w", err) + for _, d := range devices { + if d.PublicKey, err = provider.decrypt(d.PublicKey); err != nil { + return fmt.Errorf("error decrypting Webauthn device public key with id '%d': %w", d.ID, err) + } + + if d.PublicKey, err = utils.Encrypt(d.PublicKey, &key); err != nil { + return fmt.Errorf("error encrypting Webauthn device public key with id '%d': %w", d.ID, err) + } + + if _, err = tx.ExecContext(ctx, query, d.PublicKey, d.ID); err != nil { + return 
fmt.Errorf("error updating Webauthn device public key with id '%d': %w", d.ID, err) + } + } + + return nil +} + +func schemaEncryptionChangeKeyOpenIDConnect(typeOAuth2Session OAuth2SessionType) EncryptionChangeKeyFunc { + return func(ctx context.Context, provider *SQLProvider, tx *sqlx.Tx, key [32]byte) (err error) { + var count int + + if err = tx.GetContext(ctx, &count, fmt.Sprintf(queryFmtSelectRowCount, typeOAuth2Session.Table())); err != nil { + return err + } + + if count == 0 { + return nil + } + + sessions := make([]encOAuth2Session, 0, count) + + if err = tx.SelectContext(ctx, &sessions, fmt.Sprintf(queryFmtSelectOAuth2SessionEncryptedData, typeOAuth2Session.Table())); err != nil { + return fmt.Errorf("error selecting oauth2 %s sessions: %w", typeOAuth2Session.String(), err) + } + + query := provider.db.Rebind(fmt.Sprintf(queryFmtUpdateOAuth2ConsentSessionSessionData, typeOAuth2Session.Table())) + + for _, s := range sessions { + if s.Session, err = provider.decrypt(s.Session); err != nil { + return fmt.Errorf("error decrypting oauth2 %s session data with id '%d': %w", typeOAuth2Session.String(), s.ID, err) } - if _, err = p.decrypt(device.PublicKey); err != nil { - invalid++ + if s.Session, err = utils.Encrypt(s.Session, &key); err != nil { + return fmt.Errorf("error encrypting oauth2 %s session data with id '%d': %w", typeOAuth2Session.String(), s.ID, err) + } + + if _, err = tx.ExecContext(ctx, query, s.Session, s.ID); err != nil { + return fmt.Errorf("error updating oauth2 %s session data with id '%d': %w", typeOAuth2Session.String(), s.ID, err) + } + } + + return nil + } +} + +func schemaEncryptionCheckKeyTOTP(ctx context.Context, provider *SQLProvider) (table string, result EncryptionValidationTableResult) { + var ( + rows *sqlx.Rows + err error + ) + + if rows, err = provider.db.QueryxContext(ctx, fmt.Sprintf(queryFmtSelectTOTPConfigurationsEncryptedData, tableTOTPConfigurations)); err != nil { + return tableTOTPConfigurations, 
EncryptionValidationTableResult{Error: fmt.Errorf("error selecting TOTP configurations: %w", err)} + } + + var config encTOTPConfiguration + + for rows.Next() { + result.Total++ + + if err = rows.StructScan(&config); err != nil { + _ = rows.Close() + + return tableTOTPConfigurations, EncryptionValidationTableResult{Error: fmt.Errorf("error scanning TOTP configuration to struct: %w", err)} + } + + if _, err = provider.decrypt(config.Secret); err != nil { + result.Invalid++ + } + } + + _ = rows.Close() + + return tableTOTPConfigurations, result +} + +func schemaEncryptionCheckKeyWebauthn(ctx context.Context, provider *SQLProvider) (table string, result EncryptionValidationTableResult) { + var ( + rows *sqlx.Rows + err error + ) + + if rows, err = provider.db.QueryxContext(ctx, fmt.Sprintf(queryFmtSelectWebauthnDevicesEncryptedData, tableWebauthnDevices)); err != nil { + return tableWebauthnDevices, EncryptionValidationTableResult{Error: fmt.Errorf("error selecting Webauthn devices: %w", err)} + } + + var device encWebauthnDevice + + for rows.Next() { + result.Total++ + + if err = rows.StructScan(&device); err != nil { + _ = rows.Close() + + return tableWebauthnDevices, EncryptionValidationTableResult{Error: fmt.Errorf("error scanning Webauthn device to struct: %w", err)} + } + + if _, err = provider.decrypt(device.PublicKey); err != nil { + result.Invalid++ + } + } + + _ = rows.Close() + + return tableWebauthnDevices, result +} + +func schemaEncryptionCheckKeyOpenIDConnect(typeOAuth2Session OAuth2SessionType) EncryptionCheckKeyFunc { + return func(ctx context.Context, provider *SQLProvider) (table string, result EncryptionValidationTableResult) { + var ( + rows *sqlx.Rows + err error + ) + + if rows, err = provider.db.QueryxContext(ctx, fmt.Sprintf(queryFmtSelectOAuth2SessionEncryptedData, typeOAuth2Session.Table())); err != nil { + return typeOAuth2Session.Table(), EncryptionValidationTableResult{Error: fmt.Errorf("error selecting oauth2 %s sessions: %w", 
typeOAuth2Session.String(), err)} + } + + var session encOAuth2Session + + for rows.Next() { + result.Total++ + + if err = rows.StructScan(&session); err != nil { + _ = rows.Close() + + return typeOAuth2Session.Table(), EncryptionValidationTableResult{Error: fmt.Errorf("error scanning oauth2 %s session to struct: %w", typeOAuth2Session.String(), err)} + } + + if _, err = provider.decrypt(session.Session); err != nil { + result.Invalid++ } } _ = rows.Close() - if row < pageSize { - break - } + return typeOAuth2Session.Table(), result } - - if invalid != 0 { - return fmt.Errorf("%d of %d total Webauthn devices were invalid", invalid, total) - } - - return nil } func (p *SQLProvider) encrypt(clearText []byte) (cipherText []byte, err error) { @@ -278,7 +345,7 @@ func (p *SQLProvider) getEncryptionValue(ctx context.Context, name string) (valu return p.decrypt(encryptedValue) } -func (p *SQLProvider) setNewEncryptionCheckValue(ctx context.Context, key *[32]byte, e sqlx.ExecerContext) (err error) { +func (p *SQLProvider) setNewEncryptionCheckValue(ctx context.Context, conn SQLXConnection, key *[32]byte) (err error) { valueClearText, err := uuid.NewRandom() if err != nil { return err @@ -289,11 +356,7 @@ func (p *SQLProvider) setNewEncryptionCheckValue(ctx context.Context, key *[32]b return err } - if e != nil { - _, err = e.ExecContext(ctx, p.sqlUpsertEncryptionValue, encryptionNameCheck, value) - } else { - _, err = p.db.ExecContext(ctx, p.sqlUpsertEncryptionValue, encryptionNameCheck, value) - } + _, err = conn.ExecContext(ctx, p.sqlUpsertEncryptionValue, encryptionNameCheck, value) return err } diff --git a/internal/storage/sql_provider_queries.go b/internal/storage/sql_provider_queries.go index 327ab546f..f062f8afb 100644 --- a/internal/storage/sql_provider_queries.go +++ b/internal/storage/sql_provider_queries.go 
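Review bot: `setNewEncryptionCheckValue` now calls `conn.ExecContext` unconditionally, so the requirement that `conn` is non-nil should be documented on the function; the removed branch fell back to `p.db` when `e` was nil, and a nil interface here would panic. I would add `// setNewEncryptionCheckValue upserts a new random encryption check value through conn, which must not be nil.` above the signature. Callers presumably pass the same transaction that runs the migration or re-encryption, so that the check value and the data commit or roll back together; if that is the intent, the comment should say so. The function is split across the `@@ -278` and `@@ -289` hunks, with lines between them not shown.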
@@ -83,18 +83,16 @@ const ( LIMIT ? OFFSET ?;` + queryFmtSelectTOTPConfigurationsEncryptedData = ` + SELECT id, secret + FROM %s;` + //nolint:gosec // These are not hardcoded credentials it's a query to obtain credentials. queryFmtUpdateTOTPConfigurationSecret = ` UPDATE %s SET secret = ? WHERE id = ?;` - //nolint:gosec // These are not hardcoded credentials it's a query to obtain credentials. - queryFmtUpdateTOTPConfigurationSecretByUsername = ` - UPDATE %s - SET secret = ? - WHERE username = ?;` - queryFmtUpsertTOTPConfiguration = ` REPLACE INTO %s (created_at, last_used_at, username, issuer, algorithm, digits, period, secret) VALUES (?, ?, ?, ?, ?, ?, ?, ?);` @@ -127,6 +125,10 @@ const ( LIMIT ? OFFSET ?;` + queryFmtSelectWebauthnDevicesEncryptedData = ` + SELECT id, public_key + FROM %s;` + queryFmtSelectWebauthnDevicesByUsername = ` SELECT id, created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning FROM %s @@ -137,11 +139,6 @@ const ( SET public_key = ? WHERE id = ?;` - queryFmtUpdateUpdateWebauthnDevicePublicKeyByUsername = ` - UPDATE %s - SET public_key = ? - WHERE username = ? AND kid = ?;` - queryFmtUpdateWebauthnDeviceRecordSignIn = ` UPDATE %s SET @@ -265,6 +262,11 @@ const ( SET subject = ? WHERE id = ?;` + queryFmtUpdateOAuth2ConsentSessionSessionData = ` + UPDATE %s + SET session_data = ? + WHERE id = ?;` + queryFmtUpdateOAuth2ConsentSessionResponse = ` UPDATE %s SET authorized = ?, responded_at = CURRENT_TIMESTAMP, granted_scopes = ?, granted_audience = ?, preconfiguration = ? @@ -282,6 +284,10 @@ const ( FROM %s WHERE signature = ? AND revoked = FALSE;` + queryFmtSelectOAuth2SessionEncryptedData = ` + SELECT id, session_data + FROM %s;` + queryFmtInsertOAuth2Session = ` INSERT INTO %s (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, 
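Review bot: The three new `…EncryptedData` selects have no `ORDER BY` or `LIMIT`, whereas the check code this commit removes read 10 rows per page: `queryFmtSelectTOTPConfigurationsEncryptedData` here, `queryFmtSelectWebauthnDevicesEncryptedData` in the `@@ -127` hunk and `queryFmtSelectOAuth2SessionEncryptedData` in the `@@ -282` hunk. The key-change functions in sql_provider_encryption.go pass them to `tx.SelectContext`, so every encrypted value of a table is held in memory while the transaction is open, which may be a lot of rows for the OAuth2 session tables. If that is acceptable for a one-off operation, a comment such as `// Full-table read; intended only for encryption key validation and rotation.` on each constant would discourage reuse elsewhere; otherwise add `ORDER BY id` and page the reads.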
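Review bot: `queryFmtUpdateOAuth2ConsentSessionSessionData` in the `@@ -265` hunk is named after the consent session, but the key-change code formats it with `typeOAuth2Session.Table()`, the same tables that `queryFmtSelectOAuth2SessionEncryptedData` reads. It is also declared directly above `queryFmtUpdateOAuth2ConsentSessionResponse`, which makes it easy to mistake for a consent-session query. I would rename it to `queryFmtUpdateOAuth2SessionSessionData` and declare it next to the select, so the pair used for re-encryption is found together.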
diff --git a/internal/storage/sql_provider_queries_special.go b/internal/storage/sql_provider_queries_special.go index 3023191ad..9b85e9150 100644 --- a/internal/storage/sql_provider_queries_special.go +++ b/internal/storage/sql_provider_queries_special.go @@ -1,8 +1,6 @@ package storage const ( - queryFmtDropTableIfExists = `DROP TABLE IF EXISTS %s;` - queryFmtRenameTable = ` ALTER TABLE %s RENAME TO %s;` 
@@ -10,104 +8,10 @@ const ( queryFmtMySQLRenameTable = ` ALTER TABLE %s RENAME %s;` -) - -// Pre1 migration constants. -const ( - queryFmtPre1To1SelectAuthenticationLogs = ` - SELECT username, successful, time - FROM %s - ORDER BY time ASC - LIMIT 100 OFFSET ?;` - - queryFmtPre1To1InsertAuthenticationLogs = ` - INSERT INTO %s (username, successful, time, request_uri) - VALUES (?, ?, ?, '');` - - queryFmtPre1InsertUserPreferencesFromSelect = ` - INSERT INTO %s (username, second_factor_method) - SELECT username, second_factor_method - FROM %s - ORDER BY username ASC;` - - queryFmtPre1SelectTOTPConfigurations = ` - SELECT username, secret - FROM %s - ORDER BY username ASC;` - - queryFmtPre1To1InsertTOTPConfiguration = ` - INSERT INTO %s (username, issuer, period, secret) - VALUES (?, ?, ?, ?);` - - queryFmt1ToPre1InsertTOTPConfiguration = ` - INSERT INTO %s (username, secret) - VALUES (?, ?);` - - queryFmtPre1To1SelectU2FDevices = ` - SELECT username, keyHandle, publicKey - FROM %s - ORDER BY username ASC;` - - queryFmtPre1To1InsertU2FDevice = ` - INSERT INTO %s (username, key_handle, public_key) - VALUES (?, ?, ?);` - - queryFmt1ToPre1InsertAuthenticationLogs = ` - INSERT INTO %s (username, successful, time) - VALUES (?, ?, ?);` - - queryFmt1ToPre1SelectAuthenticationLogs = ` - SELECT username, successful, time - FROM %s - ORDER BY id ASC - LIMIT 100 OFFSET ?;` - - queryFmt1ToPre1SelectU2FDevices = ` - SELECT username, key_handle, public_key - FROM %s - ORDER BY username ASC;` - - queryFmt1ToPre1InsertU2FDevice = ` - INSERT INTO %s (username, keyHandle, publicKey) - VALUES (?, ?, ?);` - - queryCreatePre1 = ` - CREATE TABLE user_preferences ( - username VARCHAR(100), - second_factor_method VARCHAR(11), - PRIMARY KEY (username) - ); - - CREATE TABLE identity_verification_tokens ( - token VARCHAR(512) - ); - - CREATE TABLE totp_secrets ( - username VARCHAR(100), - secret VARCHAR(64), - PRIMARY KEY (username) - ); - - CREATE TABLE u2f_devices ( - username VARCHAR(100), - 
keyHandle TEXT, - publicKey TEXT, - PRIMARY KEY (username) - ); - - CREATE TABLE authentication_logs ( - username VARCHAR(100), - successful BOOL, - time INTEGER - ); - - CREATE TABLE config ( - category VARCHAR(32) NOT NULL, - key_name VARCHAR(32) NOT NULL, - value TEXT, - PRIMARY KEY (category, key_name) - ); - - INSERT INTO config (category, key_name, value) - VALUES ('schema', 'version', '1');` + + queryFmtPostgreSQLLockTable = `LOCK TABLE %s IN %s MODE;` + + queryFmtSelectRowCount = ` + SELECT COUNT(id) + FROM %s;` ) diff --git a/internal/storage/sql_provider_schema.go b/internal/storage/sql_provider_schema.go index e01aee1ad..8c015e963 100644 --- a/internal/storage/sql_provider_schema.go +++ b/internal/storage/sql_provider_schema.go 
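Review bot: `queryFmtPostgreSQLLockTable` interpolates both the table name and the lock mode with `%s`, and `queryFmtSelectRowCount` does the same with the table name, so bind parameters cannot protect these statements and the constants should say what may be passed to them. The callers visible in this commit pass package constants (`tableMigrations`, `"ACCESS EXCLUSIVE"`) or the `Table()` of a session type, which is fine. I would add `// The %s arguments are SQL identifiers/keywords interpolated into the statement; pass only package-level constants, never request or configuration data.` above the two constants.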
@@ -81,184 +81,9 @@ func (p *SQLProvider) SchemaVersion(ctx context.Context) (version int, err error return 0, nil } -func (p *SQLProvider) schemaLatestMigration(ctx context.Context) (migration *model.Migration, err error) { - migration = &model.Migration{} - - err = p.db.QueryRowxContext(ctx, p.sqlSelectLatestMigration).StructScan(migration) - if err != nil { - return nil, err - } - - return migration, nil -} - -// SchemaMigrationHistory returns migration history rows. -func (p *SQLProvider) SchemaMigrationHistory(ctx context.Context) (migrations []model.Migration, err error) { - rows, err := p.db.QueryxContext(ctx, p.sqlSelectMigrations) - if err != nil { - return nil, err - } - - defer func() { - if err := rows.Close(); err != nil { - p.log.Errorf(logFmtErrClosingConn, err) - } - }() - - var migration model.Migration - - for rows.Next() { - err = rows.StructScan(&migration) - if err != nil { - return nil, err - } - - migrations = append(migrations, migration) - } - - return migrations, nil -} - -// SchemaMigrate migrates from the current version to the provided version. -func (p *SQLProvider) SchemaMigrate(ctx context.Context, up bool, version int) (err error) { - currentVersion, err := p.SchemaVersion(ctx) - if err != nil { - return err - } - - if err = schemaMigrateChecks(p.name, up, version, currentVersion); err != nil { - return err - } - - return p.schemaMigrate(ctx, currentVersion, version) -} - -//nolint:gocyclo // TODO: Consider refactoring time permitting. 
-func (p *SQLProvider) schemaMigrate(ctx context.Context, prior, target int) (err error) { - migrations, err := loadMigrations(p.name, prior, target) - if err != nil { - return err - } - - if len(migrations) == 0 && (prior != 1 || target != -1) { - return ErrNoMigrationsFound - } - - switch { - case prior == -1: - p.log.Infof(logFmtMigrationFromTo, "pre1", strconv.Itoa(migrations[len(migrations)-1].After())) - - err = p.schemaMigratePre1To1(ctx) - if err != nil { - if errRollback := p.schemaMigratePre1To1Rollback(ctx, true); errRollback != nil { - return fmt.Errorf(errFmtFailedMigrationPre1, err) - } - - return fmt.Errorf(errFmtFailedMigrationPre1, err) - } - case target == -1: - p.log.Infof(logFmtMigrationFromTo, strconv.Itoa(prior), "pre1") - default: - p.log.Infof(logFmtMigrationFromTo, strconv.Itoa(prior), strconv.Itoa(migrations[len(migrations)-1].After())) - } - - for _, migration := range migrations { - if prior == -1 && migration.Version == 1 { - // Skip migration version 1 when upgrading from pre1 as it's applied as part of the pre1 upgrade. 
- continue - } - - err = p.schemaMigrateApply(ctx, migration) - if err != nil { - return p.schemaMigrateRollback(ctx, prior, migration.After(), err) - } - } - - switch { - case prior == -1: - p.log.Infof(logFmtMigrationComplete, "pre1", strconv.Itoa(migrations[len(migrations)-1].After())) - case target == -1: - err = p.schemaMigrate1ToPre1(ctx) - if err != nil { - if errRollback := p.schemaMigratePre1To1Rollback(ctx, false); errRollback != nil { - return fmt.Errorf(errFmtFailedMigrationPre1, err) - } - - return fmt.Errorf(errFmtFailedMigrationPre1, err) - } - - p.log.Infof(logFmtMigrationComplete, strconv.Itoa(prior), "pre1") - default: - p.log.Infof(logFmtMigrationComplete, strconv.Itoa(prior), strconv.Itoa(migrations[len(migrations)-1].After())) - } - - return nil -} - -func (p *SQLProvider) schemaMigrateRollback(ctx context.Context, prior, after int, migrateErr error) (err error) { - migrations, err := loadMigrations(p.name, after, prior) - if err != nil { - return fmt.Errorf("error loading migrations from version %d to version %d for rollback: %+v. rollback caused by: %+v", prior, after, err, migrateErr) - } - - for _, migration := range migrations { - if prior == -1 && !migration.Up && migration.Version == 1 { - continue - } - - err = p.schemaMigrateApply(ctx, migration) - if err != nil { - return fmt.Errorf("error applying migration version %d to version %d for rollback: %+v. rollback caused by: %+v", migration.Before(), migration.After(), err, migrateErr) - } - } - - if prior == -1 { - if err = p.schemaMigrate1ToPre1(ctx); err != nil { - return fmt.Errorf("error applying migration version 1 to version pre1 for rollback: %+v. rollback caused by: %+v", err, migrateErr) - } - } - - return fmt.Errorf("migration rollback complete. 
rollback caused by: %+v", migrateErr) -} - -func (p *SQLProvider) schemaMigrateApply(ctx context.Context, migration model.SchemaMigration) (err error) { - _, err = p.db.ExecContext(ctx, migration.Query) - if err != nil { - return fmt.Errorf(errFmtFailedMigration, migration.Version, migration.Name, err) - } - - if migration.Version == 1 { - // Skip the migration history insertion in a migration to v0. - if !migration.Up { - return nil - } - - // Add the schema encryption value if upgrading to v1. - if err = p.setNewEncryptionCheckValue(ctx, &p.key, nil); err != nil { - return err - } - } - - if migration.Version == 1 && !migration.Up { - return nil - } - - return p.schemaMigrateFinalize(ctx, migration) -} - -func (p *SQLProvider) schemaMigrateFinalize(ctx context.Context, migration model.SchemaMigration) (err error) { - return p.schemaMigrateFinalizeAdvanced(ctx, migration.Before(), migration.After()) -} - -func (p *SQLProvider) schemaMigrateFinalizeAdvanced(ctx context.Context, before, after int) (err error) { - _, err = p.db.ExecContext(ctx, p.sqlInsertMigration, time.Now(), before, after, utils.Version()) - if err != nil { - return err - } - - p.log.Debugf("Storage schema migrated from version %d to %d", before, after) - - return nil +// SchemaLatestVersion returns the latest version available for migration. +func (p *SQLProvider) SchemaLatestVersion() (version int, err error) { + return latestMigrationVersion(p.name) } // SchemaMigrationsUp returns a list of migrations up available between the current version and the provided version. 
@@ -293,12 +118,214 @@ func (p *SQLProvider) SchemaMigrationsDown(ctx context.Context, version int) (mi return loadMigrations(p.name, current, version) } -// SchemaLatestVersion returns the latest version available for migration. -func (p *SQLProvider) SchemaLatestVersion() (version int, err error) { - return latestMigrationVersion(p.name) +// SchemaMigrationHistory returns migration history rows. +func (p *SQLProvider) SchemaMigrationHistory(ctx context.Context) (migrations []model.Migration, err error) { + rows, err := p.db.QueryxContext(ctx, p.sqlSelectMigrations) + if err != nil { + return nil, err + } + + defer func() { + if err := rows.Close(); err != nil { + p.log.Errorf(logFmtErrClosingConn, err) + } + }() + + var migration model.Migration + + for rows.Next() { + err = rows.StructScan(&migration) + if err != nil { + return nil, err + } + + migrations = append(migrations, migration) + } + + return migrations, nil +} + +// SchemaMigrate migrates from the current version to the provided version. 
+func (p *SQLProvider) SchemaMigrate(ctx context.Context, up bool, version int) (err error) { + var ( + tx *sqlx.Tx + conn SQLXConnection + ) + + if p.name != providerMySQL { + if tx, err = p.db.BeginTxx(ctx, nil); err != nil { + return fmt.Errorf("failed to begin transaction: %w", err) + } + + conn = tx + } else { + conn = p.db + } + + currentVersion, err := p.SchemaVersion(ctx) + if err != nil { + return err + } + + if currentVersion != 0 { + if err = p.schemaMigrateLock(ctx, conn); err != nil { + return err + } + } + + if err = schemaMigrateChecks(p.name, up, version, currentVersion); err != nil { + if tx != nil { + _ = tx.Rollback() + } + + return err + } + + if err = p.schemaMigrate(ctx, conn, currentVersion, version); err != nil { + if tx != nil && err == ErrNoMigrationsFound { + _ = tx.Rollback() + } + + return err + } + + if tx != nil { + if err = tx.Commit(); err != nil { + if rerr := tx.Rollback(); rerr != nil { + return fmt.Errorf("failed to commit the transaction with: commit error: %w, rollback error: %+v", err, rerr) + } + + return fmt.Errorf("failed to commit the transaction but it has been rolled back: commit error: %w", err) + } + } + + return nil +} + +func (p *SQLProvider) schemaMigrate(ctx context.Context, conn SQLXConnection, prior, target int) (err error) { + migrations, err := loadMigrations(p.name, prior, target) + if err != nil { + return err + } + + if len(migrations) == 0 { + return ErrNoMigrationsFound + } + + p.log.Infof(logFmtMigrationFromTo, strconv.Itoa(prior), strconv.Itoa(migrations[len(migrations)-1].After())) + + for i, migration := range migrations { + if migration.Up && prior == 0 && i == 1 { + if err = p.schemaMigrateLock(ctx, conn); err != nil { + return err + } + } + + if err = p.schemaMigrateApply(ctx, conn, migration); err != nil { + return p.schemaMigrateRollback(ctx, conn, prior, migration.After(), err) + } + } + + p.log.Infof(logFmtMigrationComplete, strconv.Itoa(prior), 
strconv.Itoa(migrations[len(migrations)-1].After())) + + return nil +} + +func (p *SQLProvider) schemaMigrateLock(ctx context.Context, conn SQLXConnection) (err error) { + if p.name != providerPostgres { + return nil + } + + if _, err = conn.ExecContext(ctx, fmt.Sprintf(queryFmtPostgreSQLLockTable, tableMigrations, "ACCESS EXCLUSIVE")); err != nil { + return fmt.Errorf("failed to lock tables: %w", err) + } + + return nil +} + +func (p *SQLProvider) schemaMigrateApply(ctx context.Context, conn SQLXConnection, migration model.SchemaMigration) (err error) { + if _, err = conn.ExecContext(ctx, migration.Query); err != nil { + return fmt.Errorf(errFmtFailedMigration, migration.Version, migration.Name, err) + } + + if migration.Version == 1 && migration.Up { + // Add the schema encryption value if upgrading to v1. + if err = p.setNewEncryptionCheckValue(ctx, conn, &p.key); err != nil { + return err + } + } + + if err = p.schemaMigrateFinalize(ctx, conn, migration); err != nil { + return err + } + + return nil +} + +func (p *SQLProvider) schemaMigrateFinalize(ctx context.Context, conn SQLXConnection, migration model.SchemaMigration) (err error) { + if migration.Version == 1 && !migration.Up { + return nil + } + + if _, err = conn.ExecContext(ctx, p.sqlInsertMigration, time.Now(), migration.Before(), migration.After(), utils.Version()); err != nil { + return fmt.Errorf("failed inserting migration record: %w", err) + } + + p.log.Debugf("Storage schema migrated from version %d to %d", migration.Before(), migration.After()) + + return nil +} + +func (p *SQLProvider) schemaMigrateRollback(ctx context.Context, conn SQLXConnection, prior, after int, merr error) (err error) { + switch tx := conn.(type) { + case *sqlx.Tx: + return p.schemaMigrateRollbackWithTx(ctx, tx, merr) + default: + return p.schemaMigrateRollbackWithoutTx(ctx, prior, after, merr) + } +} + +func (p *SQLProvider) schemaMigrateRollbackWithTx(_ context.Context, tx *sqlx.Tx, merr error) (err error) { + if err = 
tx.Rollback(); err != nil { + return fmt.Errorf("error applying rollback %+v. rollback caused by: %w", err, merr) + } + + return fmt.Errorf("migration rollback complete. rollback caused by: %w", merr) +} + +func (p *SQLProvider) schemaMigrateRollbackWithoutTx(ctx context.Context, prior, after int, merr error) (err error) { + migrations, err := loadMigrations(p.name, after, prior) + if err != nil { + return fmt.Errorf("error loading migrations from version %d to version %d for rollback: %+v. rollback caused by: %w", prior, after, err, merr) + } + + for _, migration := range migrations { + if err = p.schemaMigrateApply(ctx, p.db, migration); err != nil { + return fmt.Errorf("error applying migration version %d to version %d for rollback: %+v. rollback caused by: %w", migration.Before(), migration.After(), err, merr) + } + } + + return fmt.Errorf("migration rollback complete. rollback caused by: %w", merr) +} + +func (p *SQLProvider) schemaLatestMigration(ctx context.Context) (migration *model.Migration, err error) { + migration = &model.Migration{} + + if err = p.db.QueryRowxContext(ctx, p.sqlSelectLatestMigration).StructScan(migration); err != nil { + return nil, err + } + + return migration, nil } func schemaMigrateChecks(providerName string, up bool, targetVersion, currentVersion int) (err error) { + switch { + case currentVersion == -1: + return fmt.Errorf(errFmtMigrationPre1, "up from", errFmtMigrationPre1SuggestedVersion) + case targetVersion == -1: + return fmt.Errorf(errFmtMigrationPre1, "down to", fmt.Sprintf("you should downgrade to schema version 1 using the current authelia version then use the suggested authelia version to downgrade to pre1: %s", errFmtMigrationPre1SuggestedVersion)) + } + if targetVersion == currentVersion { return fmt.Errorf(ErrFmtMigrateAlreadyOnTargetVersion, targetVersion, currentVersion) } 
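Review bot: In `SchemaMigrate` the transaction opened by `p.db.BeginTxx` is not rolled back on several error returns: a `p.SchemaVersion` failure, a `p.schemaMigrateLock` failure, and any `p.schemaMigrate` error that is neither `ErrNoMigrationsFound` nor routed through `schemaMigrateRollback` (a `loadMigrations` error, or the lock call inside the loop). On those paths the transaction stays open on its connection, and on PostgreSQL it may still hold the `ACCESS EXCLUSIVE` lock on the migrations table. A single deferred rollback keyed on the named `err` result, as sketched below, covers every path and makes the scattered `_ = tx.Rollback()` calls unnecessary. Separately, `p.SchemaVersion(ctx)` takes no connection and so appears to read through `p.db` before the lock is held; the version it returns could be stale once the lock is acquired, which is worth confirming.

```go
	// … unchanged: p.db.BeginTxx and its error return …

		// Undo the transaction on any error return below. After a completed
		// Commit or an earlier Rollback this only returns an error, which is ignored.
		defer func() {
			if err != nil {
				_ = tx.Rollback()
			}
		}()

		conn = tx
	// … unchanged: MySQL branch, version lookup, lock, checks, migrate and commit …
```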
@@ -325,7 +352,7 @@ func schemaMigrateChecks(providerName string, up bool, targetVersion, currentVer return fmt.Errorf(ErrFmtMigrateUpTargetGreaterThanLatest, targetVersion, latest) } } else { - if targetVersion < -1 { + if targetVersion < 0 { return fmt.Errorf(ErrFmtMigrateDownTargetLessThanMinimum, targetVersion) } @@ -345,7 +372,7 @@ func SchemaVersionToString(version int) (versionStr string) { case -1: return "pre1" case 0: - return "N/A" + return na default: return strconv.Itoa(version) } diff --git a/internal/storage/sql_provider_schema_pre1.go b/internal/storage/sql_provider_schema_pre1.go deleted file mode 100644 index 04587bfb7..000000000 --- a/internal/storage/sql_provider_schema_pre1.go +++ /dev/null 
@@ -1,470 +0,0 @@ -package storage - -import ( - "context" - "database/sql" - "encoding/base64" - "fmt" - "strings" - "time" - - "github.com/authelia/authelia/v4/internal/model" - "github.com/authelia/authelia/v4/internal/utils" -) - -// schemaMigratePre1To1 takes the v1 migration and migrates to this version. -func (p *SQLProvider) schemaMigratePre1To1(ctx context.Context) (err error) { - migration, err := loadMigration(p.name, 1, true) - if err != nil { - return err - } - - // Get Tables list. - tables, err := p.SchemaTables(ctx) - if err != nil { - return err - } - - tablesRename := []string{ - tablePre1Config, - tablePre1TOTPSecrets, - tablePre1IdentityVerificationTokens, - tablePre1U2FDevices, - tableUserPreferences, - tableAuthenticationLogs, - tableAlphaPreferences, - tableAlphaIdentityVerificationTokens, - tableAlphaAuthenticationLogs, - tableAlphaPreferencesTableName, - tableAlphaSecondFactorPreferences, - tableAlphaTOTPSecrets, - tableAlphaU2FDeviceHandles, - } - - if err = p.schemaMigratePre1Rename(ctx, tables, tablesRename); err != nil { - return err - } - - if _, err = p.db.ExecContext(ctx, migration.Query); err != nil { - return fmt.Errorf(errFmtFailedMigration, migration.Version, migration.Name, err) - } - - if err = p.setNewEncryptionCheckValue(ctx, &p.key, nil); err != nil { - return err - } - - if _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1InsertUserPreferencesFromSelect), - tableUserPreferences, tablePrefixBackup+tableUserPreferences)); err != nil { - return err - } - - if err = p.schemaMigratePre1To1AuthenticationLogs(ctx); err != nil { - return err - } - - if err = p.schemaMigratePre1To1U2F(ctx); err != nil { - return err - } - - if err = p.schemaMigratePre1To1TOTP(ctx); err != nil { - return err - } - - for _, table := range tablesRename { - if _, err = p.db.Exec(fmt.Sprintf(p.db.Rebind(queryFmtDropTableIfExists), tablePrefixBackup+table)); err != nil { - return err - } - } - - return 
p.schemaMigrateFinalizeAdvanced(ctx, -1, 1) -} - -func (p *SQLProvider) schemaMigratePre1Rename(ctx context.Context, tables, tablesRename []string) (err error) { - // Rename Tables and Indexes. - for _, table := range tables { - if !utils.IsStringInSlice(table, tablesRename) { - continue - } - - tableNew := tablePrefixBackup + table - - if _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.sqlFmtRenameTable, table, tableNew)); err != nil { - return err - } - - if p.name == providerPostgres { - if table == tablePre1U2FDevices || table == tableUserPreferences { - if _, err = p.db.ExecContext(ctx, fmt.Sprintf(`ALTER TABLE %s RENAME CONSTRAINT %s_pkey TO %s_pkey;`, - tableNew, table, tableNew)); err != nil { - continue - } - } - } - } - - return nil -} - -func (p *SQLProvider) schemaMigratePre1To1Rollback(ctx context.Context, up bool) (err error) { - if up { - migration, err := loadMigration(p.name, 1, false) - if err != nil { - return err - } - - if _, err = p.db.ExecContext(ctx, migration.Query); err != nil { - return fmt.Errorf(errFmtFailedMigration, migration.Version, migration.Name, err) - } - } - - tables, err := p.SchemaTables(ctx) - if err != nil { - return err - } - - for _, table := range tables { - if !strings.HasPrefix(table, tablePrefixBackup) { - continue - } - - tableNew := strings.Replace(table, tablePrefixBackup, "", 1) - if _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.sqlFmtRenameTable, table, tableNew)); err != nil { - return err - } - - if p.name == providerPostgres && (tableNew == tablePre1U2FDevices || tableNew == tableUserPreferences) { - if _, err = p.db.ExecContext(ctx, fmt.Sprintf(`ALTER TABLE %s RENAME CONSTRAINT %s_pkey TO %s_pkey;`, - tableNew, table, tableNew)); err != nil { - continue - } - } - } - - return nil -} - -func (p *SQLProvider) schemaMigratePre1To1AuthenticationLogs(ctx context.Context) (err error) { - for page := 0; true; page++ { - attempts, err := p.schemaMigratePre1To1AuthenticationLogsGetRows(ctx, page) - if err != nil { - if 
err == sql.ErrNoRows { - break - } - - return err - } - - for _, attempt := range attempts { - _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1To1InsertAuthenticationLogs), tableAuthenticationLogs), attempt.Username, attempt.Successful, attempt.Time) - if err != nil { - return err - } - } - - if len(attempts) != 100 { - break - } - } - - return nil -} - -func (p *SQLProvider) schemaMigratePre1To1AuthenticationLogsGetRows(ctx context.Context, page int) (attempts []model.AuthenticationAttempt, err error) { - rows, err := p.db.QueryxContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1To1SelectAuthenticationLogs), tablePrefixBackup+tableAuthenticationLogs), page*100) - if err != nil { - return nil, err - } - - attempts = make([]model.AuthenticationAttempt, 0, 100) - - for rows.Next() { - var ( - username string - successful bool - timestamp int64 - ) - - err = rows.Scan(&username, &successful, ×tamp) - if err != nil { - return nil, err - } - - attempts = append(attempts, model.AuthenticationAttempt{Username: username, Successful: successful, Time: time.Unix(timestamp, 0)}) - } - - return attempts, nil -} - -func (p *SQLProvider) schemaMigratePre1To1TOTP(ctx context.Context) (err error) { - rows, err := p.db.QueryxContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1SelectTOTPConfigurations), tablePrefixBackup+tablePre1TOTPSecrets)) - if err != nil { - return err - } - - var totpConfigs []model.TOTPConfiguration - - defer func() { - if err := rows.Close(); err != nil { - p.log.Errorf(logFmtErrClosingConn, err) - } - }() - - for rows.Next() { - var username, secret string - - err = rows.Scan(&username, &secret) - if err != nil { - return err - } - - encryptedSecret, err := p.encrypt([]byte(secret)) - if err != nil { - return err - } - - totpConfigs = append(totpConfigs, model.TOTPConfiguration{Username: username, Secret: encryptedSecret}) - } - - for _, config := range totpConfigs { - _, err = p.db.ExecContext(ctx, 
fmt.Sprintf(p.db.Rebind(queryFmtPre1To1InsertTOTPConfiguration), tableTOTPConfigurations), config.Username, p.config.TOTP.Issuer, p.config.TOTP.Period, config.Secret) - if err != nil { - return err - } - } - - return nil -} - -func (p *SQLProvider) schemaMigratePre1To1U2F(ctx context.Context) (err error) { - rows, err := p.db.Queryx(fmt.Sprintf(p.db.Rebind(queryFmtPre1To1SelectU2FDevices), tablePrefixBackup+tablePre1U2FDevices)) - if err != nil { - return err - } - - defer func() { - if err := rows.Close(); err != nil { - p.log.Errorf(logFmtErrClosingConn, err) - } - }() - - var devices []model.U2FDevice - - for rows.Next() { - var username, keyHandleBase64, publicKeyBase64 string - - err = rows.Scan(&username, &keyHandleBase64, &publicKeyBase64) - if err != nil { - return err - } - - keyHandle, err := base64.StdEncoding.DecodeString(keyHandleBase64) - if err != nil { - return err - } - - publicKey, err := base64.StdEncoding.DecodeString(publicKeyBase64) - if err != nil { - return err - } - - encryptedPublicKey, err := p.encrypt(publicKey) - if err != nil { - return err - } - - devices = append(devices, model.U2FDevice{Username: username, KeyHandle: keyHandle, PublicKey: encryptedPublicKey}) - } - - for _, device := range devices { - _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1To1InsertU2FDevice), tablePre1U2FDevices), device.Username, device.KeyHandle, device.PublicKey) - if err != nil { - return err - } - } - - return nil -} - -func (p *SQLProvider) schemaMigrate1ToPre1(ctx context.Context) (err error) { - tables, err := p.SchemaTables(ctx) - if err != nil { - return err - } - - tablesRename := []string{ - tableMigrations, - tableTOTPConfigurations, - tableIdentityVerification, - tablePre1U2FDevices, - tableDuoDevices, - tableUserPreferences, - tableAuthenticationLogs, - tableEncryption, - } - - if err = p.schemaMigratePre1Rename(ctx, tables, tablesRename); err != nil { - return err - } - - if _, err := p.db.ExecContext(ctx, 
queryCreatePre1); err != nil { - return err - } - - if _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1InsertUserPreferencesFromSelect), - tableUserPreferences, tablePrefixBackup+tableUserPreferences)); err != nil { - return err - } - - if err = p.schemaMigrate1ToPre1AuthenticationLogs(ctx); err != nil { - return err - } - - if err = p.schemaMigrate1ToPre1U2F(ctx); err != nil { - return err - } - - if err = p.schemaMigrate1ToPre1TOTP(ctx); err != nil { - return err - } - - queryFmtDropTableRebound := p.db.Rebind(queryFmtDropTableIfExists) - - for _, table := range tablesRename { - if _, err = p.db.Exec(fmt.Sprintf(queryFmtDropTableRebound, tablePrefixBackup+table)); err != nil { - return err - } - } - - return nil -} - -func (p *SQLProvider) schemaMigrate1ToPre1AuthenticationLogs(ctx context.Context) (err error) { - for page := 0; true; page++ { - attempts, err := p.schemaMigrate1ToPre1AuthenticationLogsGetRows(ctx, page) - if err != nil { - if err == sql.ErrNoRows { - break - } - - return err - } - - for _, attempt := range attempts { - _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmt1ToPre1InsertAuthenticationLogs), tableAuthenticationLogs), attempt.Username, attempt.Successful, attempt.Time.Unix()) - if err != nil { - return err - } - } - - if len(attempts) != 100 { - break - } - } - - return nil -} - -func (p *SQLProvider) schemaMigrate1ToPre1AuthenticationLogsGetRows(ctx context.Context, page int) (attempts []model.AuthenticationAttempt, err error) { - rows, err := p.db.QueryxContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmt1ToPre1SelectAuthenticationLogs), tablePrefixBackup+tableAuthenticationLogs), page*100) - if err != nil { - return nil, err - } - - attempts = make([]model.AuthenticationAttempt, 0, 100) - - var attempt model.AuthenticationAttempt - for rows.Next() { - err = rows.StructScan(&attempt) - if err != nil { - return nil, err - } - - attempts = append(attempts, attempt) - } - - return attempts, nil -} - -func (p 
*SQLProvider) schemaMigrate1ToPre1TOTP(ctx context.Context) (err error) { - rows, err := p.db.QueryxContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmtPre1SelectTOTPConfigurations), tablePrefixBackup+tableTOTPConfigurations)) - if err != nil { - return err - } - - var totpConfigs []model.TOTPConfiguration - - defer func() { - if err := rows.Close(); err != nil { - p.log.Errorf(logFmtErrClosingConn, err) - } - }() - - for rows.Next() { - var ( - username string - secretCipherText []byte - ) - - err = rows.Scan(&username, &secretCipherText) - if err != nil { - return err - } - - secretClearText, err := p.decrypt(secretCipherText) - if err != nil { - return err - } - - totpConfigs = append(totpConfigs, model.TOTPConfiguration{Username: username, Secret: secretClearText}) - } - - for _, config := range totpConfigs { - _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmt1ToPre1InsertTOTPConfiguration), tablePre1TOTPSecrets), config.Username, config.Secret) - if err != nil { - return err - } - } - - return nil -} - -func (p *SQLProvider) schemaMigrate1ToPre1U2F(ctx context.Context) (err error) { - rows, err := p.db.QueryxContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmt1ToPre1SelectU2FDevices), tablePrefixBackup+tablePre1U2FDevices)) - if err != nil { - return err - } - - defer func() { - if err := rows.Close(); err != nil { - p.log.Errorf(logFmtErrClosingConn, err) - } - }() - - var ( - devices []model.U2FDevice - device model.U2FDevice - ) - - for rows.Next() { - err = rows.StructScan(&device) - if err != nil { - return err - } - - device.PublicKey, err = p.decrypt(device.PublicKey) - if err != nil { - return err - } - - devices = append(devices, device) - } - - for _, device := range devices { - _, err = p.db.ExecContext(ctx, fmt.Sprintf(p.db.Rebind(queryFmt1ToPre1InsertU2FDevice), tablePre1U2FDevices), device.Username, base64.StdEncoding.EncodeToString(device.KeyHandle), base64.StdEncoding.EncodeToString(device.PublicKey)) - if err != nil { - return err - } - } - - 
return nil -} diff --git a/internal/storage/sql_provider_schema_test.go b/internal/storage/sql_provider_schema_test.go index 16352e451..c4e9868be 100644 --- a/internal/storage/sql_provider_schema_test.go +++ b/internal/storage/sql_provider_schema_test.go @@ -29,7 +29,7 @@ func TestShouldReturnErrOnTargetSameAsCurrent(t *testing.T) { fmt.Sprintf(ErrFmtMigrateAlreadyOnTargetVersion, 1, 1)) } -func TestShouldReturnErrOnUpMigrationTargetVersionLessTHanCurrent(t *testing.T) { +func TestShouldReturnErrOnUpMigrationTargetVersionLessThanCurrent(t *testing.T) { assert.EqualError(t, schemaMigrateChecks(providerPostgres, true, 0, LatestVersion), fmt.Sprintf(ErrFmtMigrateUpTargetLessThanCurrent, 0, LatestVersion)) @@ -80,7 +80,7 @@ func TestShouldReturnErrOnVersionDoesntExits(t *testing.T) { fmt.Sprintf(ErrFmtMigrateUpTargetGreaterThanLatest, SchemaLatest-1, LatestVersion)) } -func TestMigrationDownShouldReturnErrOnTargetLessThanPre1(t *testing.T) { +func TestMigrationDownShouldReturnErrOnTargetLessThan1(t *testing.T) { assert.EqualError(t, schemaMigrateChecks(providerSQLite, false, -4, LatestVersion), fmt.Sprintf(ErrFmtMigrateDownTargetLessThanMinimum, -4)) 
@@ -93,8 +93,15 @@ func TestMigrationDownShouldReturnErrOnTargetLessThanPre1(t *testing.T) {
 schemaMigrateChecks(providerPostgres, false, -2, LatestVersion),
 fmt.Sprintf(ErrFmtMigrateDownTargetLessThanMinimum, -2))
- assert.NoError(t,
- schemaMigrateChecks(providerPostgres, false, -1, LatestVersion))
+ assert.EqualError(t,
+ schemaMigrateChecks(providerPostgres, false, -1, LatestVersion),
+ "schema migration down to pre1 is no longer supported: you must use an older version of authelia to perform this migration: you should downgrade to schema version 1 using the current authelia version then use the suggested authelia version to downgrade to pre1: the suggested authelia version is 4.37.2")
+}
+
+func TestMigrationDownShouldReturnErrOnCurrentLessThan0(t *testing.T) {
+ assert.EqualError(t,
+ schemaMigrateChecks(providerPostgres, true, LatestVersion, -1),
+ "schema migration up from pre1 is no longer supported: you must use an older version of authelia to perform this migration: the suggested authelia version is 4.37.2")
 }
 func TestMigrationDownShouldReturnErrOnTargetVersionGreaterThanCurrent(t *testing.T) {
diff --git a/internal/storage/types.go b/internal/storage/types.go
new file mode 100644
index 000000000..327f52c4d
--- /dev/null
+++ b/internal/storage/types.go
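Review bot: The added test `TestMigrationDownShouldReturnErrOnCurrentLessThan0` is named for a down migration, but it calls `schemaMigrateChecks(providerPostgres, true, LatestVersion, -1)` and expects the "schema migration up from pre1 is no longer supported" message, so it covers the up path from a pre1 schema. Renaming it to `TestMigrationUpShouldReturnErrOnCurrentLessThan0` would make the name match the assertion. Both new assertions also spell out the whole error text as a literal, while the neighbouring tests format `ErrFmt…` constants; if these two messages exist as constants in the package (not visible from this hunk), asserting against them avoids a silent mismatch when the suggested version in the text changes. The first changed assertion sits in a test function that starts above the hunk.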
@@ -0,0 +1,95 @@
+package storage
+
+import (
+ "context"
+
+ "github.com/jmoiron/sqlx"
+)
+
+// SQLXConnection is a *sqlx.DB or *sqlx.Tx.
+type SQLXConnection interface {
+ sqlx.Execer
+ sqlx.ExecerContext
+
+ sqlx.Preparer
+ sqlx.PreparerContext
+
+ sqlx.Queryer
+ sqlx.QueryerContext
+
+ sqlx.Ext
+ sqlx.ExtContext
+}
+
+// EncryptionChangeKeyFunc handles encryption key changes for a specific table or tables.
+type EncryptionChangeKeyFunc func(ctx context.Context, provider *SQLProvider, tx *sqlx.Tx, key [32]byte) (err error)
+
+// EncryptionCheckKeyFunc handles encryption key checking for a specific table or tables.
+type EncryptionCheckKeyFunc func(ctx context.Context, provider *SQLProvider) (table string, result EncryptionValidationTableResult)
+
+type encOAuth2Session struct {
+ ID int `db:"id"`
+ Session []byte `db:"session_data"`
+}
+
+type encWebauthnDevice struct {
+ ID int `db:"id"`
+ PublicKey []byte `db:"public_key"`
+}
+
+type encTOTPConfiguration struct {
+ ID int `db:"id" json:"-"`
+ Secret []byte `db:"secret" json:"-"`
+}
+
+// EncryptionValidationResult contains information about the success of a schema encryption validation.
+type EncryptionValidationResult struct {
+ InvalidCheckValue bool
+ Tables map[string]EncryptionValidationTableResult
+}
+
+// Success returns true if no validation errors occurred.
+func (r EncryptionValidationResult) Success() bool {
+ if r.InvalidCheckValue {
+ return false
+ }
+
+ for _, table := range r.Tables {
+ if table.Invalid != 0 || table.Error != nil {
+ return false
+ }
+ }
+
+ return true
+}
+
+// Checked returns true the validation completed all phases even if there were errors.
+func (r EncryptionValidationResult) Checked() bool {
+ for _, table := range r.Tables {
+ if table.Error != nil {
+ return false
+ }
+ }
+
+ return true
+}
+
+// EncryptionValidationTableResult contains information about the success of a table schema encryption validation.
+type EncryptionValidationTableResult struct {
+ Error error
+ Total int
+ Invalid int
+}
+
+// ResultDescriptor returns a string representing the result.
+func (r EncryptionValidationTableResult) ResultDescriptor() string {
+ if r.Total == 0 {
+ return na
+ }
+
+ if r.Error != nil || r.Invalid != 0 {
+ return "FAILURE"
+ }
+
+ return "SUCCESS"
+}
diff --git a/internal/suites/suite_cli_test.go b/internal/suites/suite_cli_test.go
index 0357b89b1..93e65d0a0 100644
--- a/internal/suites/suite_cli_test.go
+++ b/internal/suites/suite_cli_test.go
@@ -816,7 +816,7 @@ func (s *CLISuite) TestStorage00ShouldShowCorrectPreInitInformation() {
 output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--config=/config/configuration.storage.yml"})
 s.Assert().NoError(err)
- s.Assert().Contains(output, "Could not check encryption key for validity. The schema version doesn't support encryption.")
+ s.Assert().Contains(output, "Storage Encryption Key Validation: FAILURE\n\n\tCause: The schema version doesn't support encryption.\n")
 output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "migrate", "down", "--target=0", "--destroy-data", "--config=/config/configuration.storage.yml"})
 s.Assert().EqualError(err, "exit status 1")
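Review bot: `ResultDescriptor` in the new `types.go` tests `r.Total == 0` before it looks at `r.Error`, so a table whose check failed before any row was counted would be printed as `na` rather than "FAILURE"; whether `Total` really stays 0 on such an error depends on the check functions, which are not in this hunk. In an encryption-key validation report that would hide the tables that could not be checked at all. Putting `if r.Error != nil || r.Invalid != 0 { return "FAILURE" }` ahead of the `r.Total == 0` branch keeps the per-table text in line with `Success()`, which already counts a non-nil `Error` as a failure. The comment on `Checked` also says "returns true the validation completed all phases even if there were errors" while the body returns false as soon as any table has a non-nil `Error`; `// Checked returns true if every table could be checked, even when invalid rows were found.` would match the code.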
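Review bot: A failed key validation is still asserted to exit successfully in `TestStorage00ShouldShowCorrectPreInitInformation`: the updated expectation is "Storage Encryption Key Validation: FAILURE", yet the preceding context line remains `s.Assert().NoError(err)`, and the same pairing appears in the `@@ -1136,27 +1136,27 @@` hunk of `TestStorage05ShouldChangeEncryptionKey`. If `storage encryption check` is meant to report only through its output, a comment such as `// check reports FAILURE in its output only; the exit status stays 0` would stop a reader from suspecting a missing assertion. If not, a non-zero exit status on FAILURE would let deployment scripts and monitoring detect a wrong or unrotated key without parsing text, and these assertions would become `s.Assert().EqualError(err, "exit status 1")`. The test function starts above and continues below this hunk.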
@@ -1136,27 +1136,27 @@ func (s *CLISuite) TestStorage05ShouldChangeEncryptionKey() { output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--config=/config/configuration.storage.yml"}) s.Assert().NoError(err) - s.Assert().Contains(output, "Encryption key validation: failed.\n\nError: the encryption key is not valid against the schema check value.\n") + s.Assert().Contains(output, "Storage Encryption Key Validation: FAILURE\n\n\tCause: the configured encryption key does not appear to be valid for this database which may occur if the encryption key was changed in the configuration without using the cli to change it in the database.\n") output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--verbose", "--config=/config/configuration.storage.yml"}) s.Assert().NoError(err) - s.Assert().Contains(output, "Encryption key validation: failed.\n\nError: the encryption key is not valid against the schema check value, 4 of 4 total TOTP secrets were invalid.\n") + s.Assert().Contains(output, "Storage Encryption Key Validation: FAILURE\n\n\tCause: the configured encryption key does not appear to be valid for this database which may occur if the encryption key was changed in the configuration without using the cli to change it in the database.\n\nTables:\n\n\tTable (oauth2_access_token_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_authorization_code_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_openid_connect_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_pkce_request_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_refresh_token_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (totp_configurations): FAILURE\n\t\tInvalid Rows: 4\n\t\tTotal Rows: 4\n\n\tTable (webauthn_devices): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n") 
output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--encryption-key=apple-apple-apple-apple", "--config=/config/configuration.storage.yml"}) s.Assert().NoError(err) - s.Assert().Contains(output, "Encryption key validation: success.\n") + s.Assert().Contains(output, "Storage Encryption Key Validation: SUCCESS\n") output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "check", "--verbose", "--encryption-key=apple-apple-apple-apple", "--config=/config/configuration.storage.yml"}) s.Assert().NoError(err) - s.Assert().Contains(output, "Encryption key validation: success.\n") + s.Assert().Contains(output, "Storage Encryption Key Validation: SUCCESS\n\nTables:\n\n\tTable (oauth2_access_token_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_authorization_code_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_openid_connect_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_pkce_request_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (oauth2_refresh_token_session): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n\n\tTable (totp_configurations): SUCCESS\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 4\n\n\tTable (webauthn_devices): N/A\n\t\tInvalid Rows: 0\n\t\tTotal Rows: 0\n") output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "change-key", "--encryption-key=apple-apple-apple-apple", "--config=/config/configuration.storage.yml"}) s.Assert().EqualError(err, "exit status 1") - s.Assert().Contains(output, "Error: you must set the --new-encryption-key flag\n") + s.Assert().Contains(output, "Error: you must either use an interactive terminal or use the --new-encryption-key flag\n") output, err = s.Exec("authelia-backend", []string{"authelia", s.testArg, s.coverageArg, "storage", "encryption", "change-key", 
"--encryption-key=apple-apple-apple-apple", "--new-encryption-key=abc", "--config=/config/configuration.storage.yml"}) s.Assert().EqualError(err, "exit status 1") From 1bab80f6b6500fc6839c4fa0023ab54e6e7d13d1 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Fri, 25 Nov 2022 23:55:25 +1100 Subject: [PATCH 20/32] docs: update (#4433) --- .../content/en/configuration/storage/migrations.md | 2 +- .../authelia_storage_user_totp_generate.md | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/content/en/configuration/storage/migrations.md b/docs/content/en/configuration/storage/migrations.md index 308976472..4d987ce92 100644 --- a/docs/content/en/configuration/storage/migrations.md +++ b/docs/content/en/configuration/storage/migrations.md @@ -28,7 +28,7 @@ this instance if you wanted to downgrade to pre1 you would need to use an Authel | Schema Version | Authelia Version | Notes | |:--------------:|:----------------:|:--------------------------------------------------------------------------------------------------:| -| pre1 | 4.0.0 | Downgrading to this version requires you use the --pre1 flag | +| pre1 | 4.0.0 | Downgrading to this version requires you use the --pre1 flag on Authelia 4.37.2 | | 1 | 4.33.0 | Initial migration managed version | | 2 | 4.34.0 | WebAuthn - added webauthn_devices table, altered totp_config to include device created/used dates | | 3 | 4.34.2 | WebAuthn - fix V2 migration kid column length and provide migration path for anyone on V2 | diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_generate.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_generate.md index cbbafea4d..3d00321e2 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_generate.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_generate.md 
@@ -41,15 +41,15 @@ authelia storage user totp generate john --algorithm SHA512 --config config.yml ### Options ``` - --algorithm string set the TOTP algorithm (default "SHA1") - --digits uint set the TOTP digits (default 6) - -f, --force forces the TOTP configuration to be generated regardless if it exists or not + --algorithm string set the algorithm to either SHA1 (supported by most applications), SHA256, or SHA512 (default "SHA1") + --digits uint set the number of digits (default 6) + -f, --force forces the configuration to be generated regardless if it exists or not -h, --help help for generate - --issuer string set the TOTP issuer (default "Authelia") + --issuer string set the issuer description (default "Authelia") -p, --path string path to a file to create a PNG file with the QR code (optional) - --period uint set the TOTP period (default 30) - --secret string Optionally set the TOTP shared secret as base32 encoded bytes (no padding), it's recommended to not set this option unless you're restoring an TOTP config - --secret-size uint set the TOTP secret size (default 32) + --period uint set the period between rotations (default 30) + --secret string set the shared secret as base32 encoded bytes (no padding), it's recommended that you do not use this option unless you're restoring a configuration + --secret-size uint set the secret size (default 32) ``` ### Options inherited from parent commands From 2c21ad9e5f6991c25f9b36733ad7f15410918560 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 25 Nov 2022 23:16:06 +0000 Subject: [PATCH 21/32] build(deps): update dependency i18next-http-backend to v2.0.2 (#4434) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 2 +- web/pnpm-lock.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/web/package.json b/web/package.json index 05b90d7fc..c8e34dd64 100644 --- a/web/package.json 
+++ b/web/package.json @@ -33,7 +33,7 @@ "classnames": "2.3.2", "i18next": "22.0.6", "i18next-browser-languagedetector": "7.0.1", - "i18next-http-backend": "2.0.1", + "i18next-http-backend": "2.0.2", "qrcode.react": "3.1.0", "query-string": "7.1.1", "react": "18.2.0", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index a4e016c90..1da2b735d 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -42,7 +42,7 @@ specifiers: husky: 8.0.2 i18next: 22.0.6 i18next-browser-languagedetector: 7.0.1 - i18next-http-backend: 2.0.1 + i18next-http-backend: 2.0.2 jest: 29.3.1 jest-environment-jsdom: 29.3.1 jest-transform-stub: 2.0.0 @@ -81,7 +81,7 @@ dependencies: classnames: 2.3.2 i18next: 22.0.6 i18next-browser-languagedetector: 7.0.1 - i18next-http-backend: 2.0.1 + i18next-http-backend: 2.0.2 qrcode.react: 3.1.0_react@18.2.0 query-string: 7.1.1 react: 18.2.0 @@ -6312,8 +6312,8 @@ packages: '@babel/runtime': 7.19.4 dev: false - /i18next-http-backend/2.0.1: - resolution: {integrity: sha512-kzvSkOT3yhVijumDlp8/TgD1v07lYdFXsf5YYbB7Yu+K2S6PO0lKgZ4c/fyFcAKWiAiTjt9uVecBAbnJjKzhOw==} + /i18next-http-backend/2.0.2: + resolution: {integrity: sha512-TFiIqitZEc8+jyca31EW5ef5PjUYtUGGfL8c8FJwiiHguq5OQTqoR3mxpKqaCPiikg+cxSgXtNA2gZPCu0aryQ==} dependencies: cross-fetch: 3.1.5 transitivePeerDependencies: From eba63f1359642d1c352121e0ba05b8de23f1d05e Mon Sep 17 00:00:00 2001 From: James Elliott Date: Sun, 27 Nov 2022 16:07:08 +1100 Subject: [PATCH 22/32] docs: update index (#4437) --- .../authorization/openid-connect-1.0.md | 21 +++++++++++++++++++ .../overview/authorization/trusted-headers.md | 20 ++++++++++++++++++ docs/layouts/index.html | 2 +- 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 docs/content/en/overview/authorization/openid-connect-1.0.md create mode 100644 docs/content/en/overview/authorization/trusted-headers.md 
diff --git a/docs/content/en/overview/authorization/openid-connect-1.0.md b/docs/content/en/overview/authorization/openid-connect-1.0.md new file mode 100644 index 000000000..53f7637c0 --- /dev/null +++ b/docs/content/en/overview/authorization/openid-connect-1.0.md @@ -0,0 +1,21 @@ +--- +title: "OpenID Connect 1.0" +description: "OpenID Connect 1.0 is a authorization identity framework supported by Authelia." +date: 2022-06-15T17:51:47+10:00 +draft: false +images: [] +menu: + overview: + parent: "authorization" +weight: 330 +toc: false +--- + +[OpenID Connect 1.0](https://openid.net/connect/) is a authorization identity framework supported by Authelia. You can +configure your applications to use Authelia as an [OpenID Connect 1.0 Provider](https://openid.net/connect/). We do not +currently operate as an [OpenID Connect 1.0 Relying Party](https://openid.net/connect/). This like all single-sign on +technologies requires support by the protected application. + +See the [OpenID Connect 1.0 Configuration Guide](../../configuration/identity-providers/open-id-connect.md) and the +[OpenID Connect 1.0 Integration Guide](../../integration/openid-connect/introduction.md) for more information. + diff --git a/docs/content/en/overview/authorization/trusted-headers.md b/docs/content/en/overview/authorization/trusted-headers.md new file mode 100644 index 000000000..c99122f9b --- /dev/null +++ b/docs/content/en/overview/authorization/trusted-headers.md 
@@ -0,0 +1,20 @@ +--- +title: "Trusted Headers SSO" +description: "Trusted Headers SSO is a simple header authorization framework supported by Authelia." +lead: "Trusted Headers is a simple header authorization framework supported by Authelia." +date: 2022-06-15T17:51:47+10:00 +draft: false +images: [] +menu: + overview: + parent: "authorization" +weight: 340 +toc: false +--- + +This mechanism is supported by proxies which inject certain response headers from Authelia into the protected +application. This is a very basic means that allows the target application to identify the user who is logged in +to Authelia. This like all single-sign on technologies requires support by the protected application. + +You can read more about this in the [Trusted Header SSO Integration Guide](../../integration/trusted-header-sso/introduction.md). + diff --git a/docs/layouts/index.html b/docs/layouts/index.html index d300e2493..94f91eef6 100644 --- a/docs/layouts/index.html +++ b/docs/layouts/index.html @@ -52,7 +52,7 @@

Single Sign-On 🎟️

-

Allow your users the convenience of just being required to login once to a wide range of web applications.

+

Allow your users the convenience of just being required to login once to a wide range of web applications via OpenID Connect 1.0 or Trusted Headers

Authorization Policies 👮

From 6f21a0d1cdfd984679e2f33dcb43cb4a1b516551 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Sun, 27 Nov 2022 16:19:47 +1100 Subject: [PATCH 23/32] docs: update index (#4438) --- docs/layouts/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/layouts/index.html b/docs/layouts/index.html index 94f91eef6..ae4c6247d 100644 --- a/docs/layouts/index.html +++ b/docs/layouts/index.html @@ -52,7 +52,7 @@

Single Sign-On 🎟️

-

Allow your users the convenience of just being required to login once to a wide range of web applications via OpenID Connect 1.0 or Trusted Headers

+

Allow your users the convenience of just being required to login once to a wide range of web applications via a session cookie, OpenID Connect 1.0, or Trusted Headers.

Authorization Policies 👮

From 01422b0f4312c600cd2d3133c74d21bc3d2f8a4b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 28 Nov 2022 08:00:12 +1100 Subject: [PATCH 24/32] build(deps): update dependency esbuild to v0.15.16 (#4439) --- web/package.json | 2 +- web/pnpm-lock.yaml | 148 ++++++++++++++++++++++----------------------- 2 files changed, 75 insertions(+), 75 deletions(-) diff --git a/web/package.json b/web/package.json index c8e34dd64..84806709d 100644 --- a/web/package.json +++ b/web/package.json @@ -156,7 +156,7 @@ "@typescript-eslint/eslint-plugin": "5.44.0", "@typescript-eslint/parser": "5.44.0", "@vitejs/plugin-react": "2.2.0", - "esbuild": "0.15.15", + "esbuild": "0.15.16", "esbuild-jest": "0.5.0", "eslint": "8.28.0", "eslint-config-prettier": "8.5.0", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index 1da2b735d..ce1a8ae16 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -27,7 +27,7 @@ specifiers: axios: 1.2.0 broadcast-channel: 4.18.1 classnames: 2.3.2 - esbuild: 0.15.15 + esbuild: 0.15.16 esbuild-jest: 0.5.0 eslint: 8.28.0 eslint-config-prettier: 8.5.0 @@ -106,8 +106,8 @@ devDependencies: '@typescript-eslint/eslint-plugin': 5.44.0_fnsv2sbzcckq65bwfk7a5xwslu '@typescript-eslint/parser': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a '@vitejs/plugin-react': 2.2.0_vite@3.2.4 - esbuild: 0.15.15 - esbuild-jest: 0.5.0_esbuild@0.15.15 + esbuild: 0.15.16 + esbuild-jest: 0.5.0_esbuild@0.15.16 eslint: 8.28.0 eslint-config-prettier: 8.5.0_eslint@8.28.0 eslint-config-react-app: 7.0.1_ffu622cxxp5swe5tqcog7svb5i 
@@ -2449,8 +2449,8 @@ packages: resolution: {integrity: sha512-AHPmaAx+RYfZz0eYu6Gviiagpmiyw98ySSlQvCUhVGDRtDFe4DBS0x1bSjdF3gqUDYOczB+yYvBTtEylYSdRhg==} dev: false - /@esbuild/android-arm/0.15.15: - resolution: {integrity: sha512-JJjZjJi2eBL01QJuWjfCdZxcIgot+VoK6Fq7eKF9w4YHm9hwl7nhBR1o2Wnt/WcANk5l9SkpvrldW1PLuXxcbw==} + /@esbuild/android-arm/0.15.16: + resolution: {integrity: sha512-nyB6CH++2mSgx3GbnrJsZSxzne5K0HMyNIWafDHqYy7IwxFc4fd/CgHVZXr8Eh+Q3KbIAcAe3vGyqIPhGblvMQ==} engines: {node: '>=12'} cpu: [arm] os: [android] @@ -2458,8 +2458,8 @@ packages: dev: true optional: true - /@esbuild/linux-loong64/0.15.15: - resolution: {integrity: sha512-lhz6UNPMDXUhtXSulw8XlFAtSYO26WmHQnCi2Lg2p+/TMiJKNLtZCYUxV4wG6rZMzXmr8InGpNwk+DLT2Hm0PA==} + /@esbuild/linux-loong64/0.15.16: + resolution: {integrity: sha512-SDLfP1uoB0HZ14CdVYgagllgrG7Mdxhkt4jDJOKl/MldKrkQ6vDJMZKl2+5XsEY/Lzz37fjgLQoJBGuAw/x8kQ==} engines: {node: '>=12'} cpu: [loong64] os: [linux] @@ -5095,8 +5095,8 @@ packages: is-symbol: 1.0.4 dev: true - /esbuild-android-64/0.15.15: - resolution: {integrity: sha512-F+WjjQxO+JQOva3tJWNdVjouFMLK6R6i5gjDvgUthLYJnIZJsp1HlF523k73hELY20WPyEO8xcz7aaYBVkeg5Q==} + /esbuild-android-64/0.15.16: + resolution: {integrity: sha512-Vwkv/sT0zMSgPSVO3Jlt1pUbnZuOgtOQJkJkyyJFAlLe7BiT8e9ESzo0zQSx4c3wW4T6kGChmKDPMbWTgtliQA==} engines: {node: '>=12'} cpu: [x64] os: [android] @@ -5104,8 +5104,8 @@ packages: dev: true optional: true - /esbuild-android-arm64/0.15.15: - resolution: {integrity: sha512-attlyhD6Y22jNyQ0fIIQ7mnPvDWKw7k6FKnsXlBvQE6s3z6s6cuEHcSgoirquQc7TmZgVCK5fD/2uxmRN+ZpcQ==} + /esbuild-android-arm64/0.15.16: + resolution: {integrity: sha512-lqfKuofMExL5niNV3gnhMUYacSXfsvzTa/58sDlBET/hCOG99Zmeh+lz6kvdgvGOsImeo6J9SW21rFCogNPLxg==} engines: {node: '>=12'} cpu: [arm64] os: [android] 
@@ -5113,8 +5113,8 @@ packages: dev: true optional: true - /esbuild-darwin-64/0.15.15: - resolution: {integrity: sha512-ohZtF8W1SHJ4JWldsPVdk8st0r9ExbAOSrBOh5L+Mq47i696GVwv1ab/KlmbUoikSTNoXEhDzVpxUR/WIO19FQ==} + /esbuild-darwin-64/0.15.16: + resolution: {integrity: sha512-wo2VWk/n/9V2TmqUZ/KpzRjCEcr00n7yahEdmtzlrfQ3lfMCf3Wa+0sqHAbjk3C6CKkR3WKK/whkMq5Gj4Da9g==} engines: {node: '>=12'} cpu: [x64] os: [darwin] @@ -5122,8 +5122,8 @@ packages: dev: true optional: true - /esbuild-darwin-arm64/0.15.15: - resolution: {integrity: sha512-P8jOZ5zshCNIuGn+9KehKs/cq5uIniC+BeCykvdVhx/rBXSxmtj3CUIKZz4sDCuESMbitK54drf/2QX9QHG5Ag==} + /esbuild-darwin-arm64/0.15.16: + resolution: {integrity: sha512-fMXaUr5ou0M4WnewBKsspMtX++C1yIa3nJ5R2LSbLCfJT3uFdcRoU/NZjoM4kOMKyOD9Sa/2vlgN8G07K3SJnw==} engines: {node: '>=12'} cpu: [arm64] os: [darwin] @@ -5131,8 +5131,8 @@ packages: dev: true optional: true - /esbuild-freebsd-64/0.15.15: - resolution: {integrity: sha512-KkTg+AmDXz1IvA9S1gt8dE24C8Thx0X5oM0KGF322DuP+P3evwTL9YyusHAWNsh4qLsR80nvBr/EIYs29VSwuA==} + /esbuild-freebsd-64/0.15.16: + resolution: {integrity: sha512-UzIc0xlRx5x9kRuMr+E3+hlSOxa/aRqfuMfiYBXu2jJ8Mzej4lGL7+o6F5hzhLqWfWm1GWHNakIdlqg1ayaTNQ==} engines: {node: '>=12'} cpu: [x64] os: [freebsd] @@ -5140,8 +5140,8 @@ packages: dev: true optional: true - /esbuild-freebsd-arm64/0.15.15: - resolution: {integrity: sha512-FUcML0DRsuyqCMfAC+HoeAqvWxMeq0qXvclZZ/lt2kLU6XBnDA5uKTLUd379WYEyVD4KKFctqWd9tTuk8C/96g==} + /esbuild-freebsd-arm64/0.15.16: + resolution: {integrity: sha512-8xyiYuGc0DLZphFQIiYaLHlfoP+hAN9RHbE+Ibh8EUcDNHAqbQgUrQg7pE7Bo00rXmQ5Ap6KFgcR0b4ALZls1g==} engines: {node: '>=12'} cpu: [arm64] os: [freebsd] @@ -5149,7 +5149,7 @@ packages: dev: true optional: true - /esbuild-jest/0.5.0_esbuild@0.15.15: + /esbuild-jest/0.5.0_esbuild@0.15.16: resolution: {integrity: sha512-AMZZCdEpXfNVOIDvURlqYyHwC8qC1/BFjgsrOiSL1eyiIArVtHL8YAC83Shhn16cYYoAWEW17yZn0W/RJKJKHQ==} peerDependencies: esbuild: '>=0.8.50' 
@@ -5157,13 +5157,13 @@ packages: '@babel/core': 7.18.6 '@babel/plugin-transform-modules-commonjs': 7.18.6_@babel+core@7.18.6 babel-jest: 26.6.3_@babel+core@7.18.6 - esbuild: 0.15.15 + esbuild: 0.15.16 transitivePeerDependencies: - supports-color dev: true - /esbuild-linux-32/0.15.15: - resolution: {integrity: sha512-q28Qn5pZgHNqug02aTkzw5sW9OklSo96b5nm17Mq0pDXrdTBcQ+M6Q9A1B+dalFeynunwh/pvfrNucjzwDXj+Q==} + /esbuild-linux-32/0.15.16: + resolution: {integrity: sha512-iGijUTV+0kIMyUVoynK0v+32Oi8yyp0xwMzX69GX+5+AniNy/C/AL1MjFTsozRp/3xQPl7jVux/PLe2ds10/2w==} engines: {node: '>=12'} cpu: [ia32] os: [linux] @@ -5171,8 +5171,8 @@ packages: dev: true optional: true - /esbuild-linux-64/0.15.15: - resolution: {integrity: sha512-217KPmWMirkf8liO+fj2qrPwbIbhNTGNVtvqI1TnOWJgcMjUWvd677Gq3fTzXEjilkx2yWypVnTswM2KbXgoAg==} + /esbuild-linux-64/0.15.16: + resolution: {integrity: sha512-tuSOjXdLw7VzaUj89fIdAaQT7zFGbKBcz4YxbWrOiXkwscYgE7HtTxUavreBbnRkGxKwr9iT/gmeJWNm4djy/g==} engines: {node: '>=12'} cpu: [x64] os: [linux] @@ -5180,8 +5180,8 @@ packages: dev: true optional: true - /esbuild-linux-arm/0.15.15: - resolution: {integrity: sha512-RYVW9o2yN8yM7SB1yaWr378CwrjvGCyGybX3SdzPHpikUHkME2AP55Ma20uNwkNyY2eSYFX9D55kDrfQmQBR4w==} + /esbuild-linux-arm/0.15.16: + resolution: {integrity: sha512-XKcrxCEXDTOuoRj5l12tJnkvuxXBMKwEC5j0JISw3ziLf0j4zIwXbKbTmUrKFWbo6ZgvNpa7Y5dnbsjVvH39bQ==} engines: {node: '>=12'} cpu: [arm] os: [linux] @@ -5189,8 +5189,8 @@ packages: dev: true optional: true - /esbuild-linux-arm64/0.15.15: - resolution: {integrity: sha512-/ltmNFs0FivZkYsTzAsXIfLQX38lFnwJTWCJts0IbCqWZQe+jjj0vYBNbI0kmXLb3y5NljiM5USVAO1NVkdh2g==} + /esbuild-linux-arm64/0.15.16: + resolution: {integrity: sha512-mPYksnfHnemNrvjrDhZyixL/AfbJN0Xn9S34ZOHYdh6/jJcNd8iTsv3JwJoEvTJqjMggjMhGUPJAdjnFBHoH8A==} engines: {node: '>=12'} cpu: [arm64] os: [linux] 
@@ -5198,8 +5198,8 @@ packages: dev: true optional: true - /esbuild-linux-mips64le/0.15.15: - resolution: {integrity: sha512-PksEPb321/28GFFxtvL33yVPfnMZihxkEv5zME2zapXGp7fA1X2jYeiTUK+9tJ/EGgcNWuwvtawPxJG7Mmn86A==} + /esbuild-linux-mips64le/0.15.16: + resolution: {integrity: sha512-kSJO2PXaxfm0pWY39+YX+QtpFqyyrcp0ZeI8QPTrcFVQoWEPiPVtOfTZeS3ZKedfH+Ga38c4DSzmKMQJocQv6A==} engines: {node: '>=12'} cpu: [mips64el] os: [linux] @@ -5207,8 +5207,8 @@ packages: dev: true optional: true - /esbuild-linux-ppc64le/0.15.15: - resolution: {integrity: sha512-ek8gJBEIhcpGI327eAZigBOHl58QqrJrYYIZBWQCnH3UnXoeWMrMZLeeZL8BI2XMBhP+sQ6ERctD5X+ajL/AIA==} + /esbuild-linux-ppc64le/0.15.16: + resolution: {integrity: sha512-NimPikwkBY0yGABw6SlhKrtT35sU4O23xkhlrTT/O6lSxv3Pm5iSc6OYaqVAHWkLdVf31bF4UDVFO+D990WpAA==} engines: {node: '>=12'} cpu: [ppc64] os: [linux] @@ -5216,8 +5216,8 @@ packages: dev: true optional: true - /esbuild-linux-riscv64/0.15.15: - resolution: {integrity: sha512-H5ilTZb33/GnUBrZMNJtBk7/OXzDHDXjIzoLXHSutwwsLxSNaLxzAaMoDGDd/keZoS+GDBqNVxdCkpuiRW4OSw==} + /esbuild-linux-riscv64/0.15.16: + resolution: {integrity: sha512-ty2YUHZlwFOwp7pR+J87M4CVrXJIf5ZZtU/umpxgVJBXvWjhziSLEQxvl30SYfUPq0nzeWKBGw5i/DieiHeKfw==} engines: {node: '>=12'} cpu: [riscv64] os: [linux] @@ -5225,8 +5225,8 @@ packages: dev: true optional: true - /esbuild-linux-s390x/0.15.15: - resolution: {integrity: sha512-jKaLUg78mua3rrtrkpv4Or2dNTJU7bgHN4bEjT4OX4GR7nLBSA9dfJezQouTxMmIW7opwEC5/iR9mpC18utnxQ==} + /esbuild-linux-s390x/0.15.16: + resolution: {integrity: sha512-VkZaGssvPDQtx4fvVdZ9czezmyWyzpQhEbSNsHZZN0BHvxRLOYAQ7sjay8nMQwYswP6O2KlZluRMNPYefFRs+w==} engines: {node: '>=12'} cpu: [s390x] os: [linux] 
@@ -5234,8 +5234,8 @@ packages: dev: true optional: true - /esbuild-netbsd-64/0.15.15: - resolution: {integrity: sha512-aOvmF/UkjFuW6F36HbIlImJTTx45KUCHJndtKo+KdP8Dhq3mgLRKW9+6Ircpm8bX/RcS3zZMMmaBLkvGY06Gvw==} + /esbuild-netbsd-64/0.15.16: + resolution: {integrity: sha512-ElQ9rhdY51et6MJTWrCPbqOd/YuPowD7Cxx3ee8wlmXQQVW7UvQI6nSprJ9uVFQISqSF5e5EWpwWqXZsECLvXg==} engines: {node: '>=12'} cpu: [x64] os: [netbsd] @@ -5243,8 +5243,8 @@ packages: dev: true optional: true - /esbuild-openbsd-64/0.15.15: - resolution: {integrity: sha512-HFFX+WYedx1w2yJ1VyR1Dfo8zyYGQZf1cA69bLdrHzu9svj6KH6ZLK0k3A1/LFPhcEY9idSOhsB2UyU0tHPxgQ==} + /esbuild-openbsd-64/0.15.16: + resolution: {integrity: sha512-KgxMHyxMCT+NdLQE1zVJEsLSt2QQBAvJfmUGDmgEq8Fvjrf6vSKB00dVHUEDKcJwMID6CdgCpvYNt999tIYhqA==} engines: {node: '>=12'} cpu: [x64] os: [openbsd] @@ -5252,8 +5252,8 @@ packages: dev: true optional: true - /esbuild-sunos-64/0.15.15: - resolution: {integrity: sha512-jOPBudffG4HN8yJXcK9rib/ZTFoTA5pvIKbRrt3IKAGMq1EpBi4xoVoSRrq/0d4OgZLaQbmkHp8RO9eZIn5atA==} + /esbuild-sunos-64/0.15.16: + resolution: {integrity: sha512-exSAx8Phj7QylXHlMfIyEfNrmqnLxFqLxdQF6MBHPdHAjT7fsKaX6XIJn+aQEFiOcE4X8e7VvdMCJ+WDZxjSRQ==} engines: {node: '>=12'} cpu: [x64] os: [sunos] @@ -5261,8 +5261,8 @@ packages: dev: true optional: true - /esbuild-windows-32/0.15.15: - resolution: {integrity: sha512-MDkJ3QkjnCetKF0fKxCyYNBnOq6dmidcwstBVeMtXSgGYTy8XSwBeIE4+HuKiSsG6I/mXEb++px3IGSmTN0XiA==} + /esbuild-windows-32/0.15.16: + resolution: {integrity: sha512-zQgWpY5pUCSTOwqKQ6/vOCJfRssTvxFuEkpB4f2VUGPBpdddZfdj8hbZuFRdZRPIVHvN7juGcpgCA/XCF37mAQ==} engines: {node: '>=12'} cpu: [ia32] os: [win32] 
@@ -5270,8 +5270,8 @@ packages: dev: true optional: true - /esbuild-windows-64/0.15.15: - resolution: {integrity: sha512-xaAUIB2qllE888SsMU3j9nrqyLbkqqkpQyWVkfwSil6BBPgcPk3zOFitTTncEKCLTQy3XV9RuH7PDj3aJDljWA==} + /esbuild-windows-64/0.15.16: + resolution: {integrity: sha512-HjW1hHRLSncnM3MBCP7iquatHVJq9l0S2xxsHHj4yzf4nm9TU4Z7k4NkeMlD/dHQ4jPlQQhwcMvwbJiOefSuZw==} engines: {node: '>=12'} cpu: [x64] os: [win32] @@ -5279,8 +5279,8 @@ packages: dev: true optional: true - /esbuild-windows-arm64/0.15.15: - resolution: {integrity: sha512-ttuoCYCIJAFx4UUKKWYnFdrVpoXa3+3WWkXVI6s09U+YjhnyM5h96ewTq/WgQj9LFSIlABQvadHSOQyAVjW5xQ==} + /esbuild-windows-arm64/0.15.16: + resolution: {integrity: sha512-oCcUKrJaMn04Vxy9Ekd8x23O8LoU01+4NOkQ2iBToKgnGj5eo1vU9i27NQZ9qC8NFZgnQQZg5oZWAejmbsppNA==} engines: {node: '>=12'} cpu: [arm64] os: [win32] 
@@ -5288,34 +5288,34 @@ packages: dev: true optional: true - /esbuild/0.15.15: - resolution: {integrity: sha512-TEw/lwK4Zzld9x3FedV6jy8onOUHqcEX3ADFk4k+gzPUwrxn8nWV62tH0udo8jOtjFodlEfc4ypsqX3e+WWO6w==} + /esbuild/0.15.16: + resolution: {integrity: sha512-o6iS9zxdHrrojjlj6pNGC2NAg86ECZqIETswTM5KmJitq+R1YmahhWtMumeQp9lHqJaROGnsBi2RLawGnfo5ZQ==} engines: {node: '>=12'} hasBin: true requiresBuild: true optionalDependencies: - '@esbuild/android-arm': 0.15.15 - '@esbuild/linux-loong64': 0.15.15 - esbuild-android-64: 0.15.15 - esbuild-android-arm64: 0.15.15 - esbuild-darwin-64: 0.15.15 - esbuild-darwin-arm64: 0.15.15 - esbuild-freebsd-64: 0.15.15 - esbuild-freebsd-arm64: 0.15.15 - esbuild-linux-32: 0.15.15 - esbuild-linux-64: 0.15.15 - esbuild-linux-arm: 0.15.15 - esbuild-linux-arm64: 0.15.15 - esbuild-linux-mips64le: 0.15.15 - esbuild-linux-ppc64le: 0.15.15 - esbuild-linux-riscv64: 0.15.15 - esbuild-linux-s390x: 0.15.15 - esbuild-netbsd-64: 0.15.15 - esbuild-openbsd-64: 0.15.15 - esbuild-sunos-64: 0.15.15 - esbuild-windows-32: 0.15.15 - esbuild-windows-64: 0.15.15 - esbuild-windows-arm64: 0.15.15 + '@esbuild/android-arm': 0.15.16 + '@esbuild/linux-loong64': 0.15.16 + esbuild-android-64: 0.15.16 + esbuild-android-arm64: 0.15.16 + esbuild-darwin-64: 0.15.16 + esbuild-darwin-arm64: 0.15.16 + esbuild-freebsd-64: 0.15.16 + esbuild-freebsd-arm64: 0.15.16 + esbuild-linux-32: 0.15.16 + esbuild-linux-64: 0.15.16 + esbuild-linux-arm: 0.15.16 + esbuild-linux-arm64: 0.15.16 + esbuild-linux-mips64le: 0.15.16 + esbuild-linux-ppc64le: 0.15.16 + esbuild-linux-riscv64: 0.15.16 + esbuild-linux-s390x: 0.15.16 + esbuild-netbsd-64: 0.15.16 + esbuild-openbsd-64: 0.15.16 + esbuild-sunos-64: 0.15.16 + esbuild-windows-32: 0.15.16 + esbuild-windows-64: 0.15.16 + esbuild-windows-arm64: 0.15.16 dev: true /escalade/3.1.1: @@ -9478,7 +9478,7 @@ packages: optional: true dependencies: '@types/node': 18.11.9 - esbuild: 0.15.15 + esbuild: 0.15.16 postcss: 8.4.18 resolve: 1.22.1 rollup: 2.79.1 
From 4cfa3cf5a635ab404ffb1c34e3e6d1d16c46eb61 Mon Sep 17 00:00:00 2001 From: Amir Zarrinkafsh Date: Mon, 28 Nov 2022 14:22:06 +1100 Subject: [PATCH 25/32] ci(web): add eslint alias linter (#4440) This linter utilises alias/path configuration specified in the `tsconfig.json` for imports, this allows us to enforce consistency within the frontend codebase. --- web/.eslintrc.js | 2 ++ web/package.json | 1 + web/pnpm-lock.yaml | 15 +++++++++++++++ 3 files changed, 18 insertions(+) diff --git a/web/.eslintrc.js b/web/.eslintrc.js index 6686baf50..1bd05c74f 100644 --- a/web/.eslintrc.js +++ b/web/.eslintrc.js @@ -9,8 +9,10 @@ module.exports = { typescript: {}, }, }, + plugins: ["@limegrass/import-alias"], extends: ["react-app", "plugin:import/errors", "plugin:import/warnings", "plugin:prettier/recommended", "prettier"], rules: { + "@limegrass/import-alias/import-alias": "error", "import/order": [ "error", { diff --git a/web/package.json b/web/package.json index 84806709d..e393a8e93 100644 --- a/web/package.json +++ b/web/package.json @@ -145,6 +145,7 @@ "devDependencies": { "@commitlint/cli": "17.3.0", "@commitlint/config-conventional": "17.3.0", + "@limegrass/eslint-plugin-import-alias": "1.0.6", "@testing-library/jest-dom": "5.16.5", "@testing-library/react": "13.4.0", "@types/jest": "29.2.3", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index ce1a8ae16..0716e12d6 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -10,6 +10,7 @@ specifiers: '@fortawesome/free-regular-svg-icons': 6.2.1 '@fortawesome/free-solid-svg-icons': 6.2.1 '@fortawesome/react-fontawesome': 0.2.0 + '@limegrass/eslint-plugin-import-alias': 1.0.6 '@mui/icons-material': 5.10.15 '@mui/material': 5.10.15 '@mui/styles': 5.10.15 
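Review bot: The `"@limegrass/import-alias/import-alias": "error"` rule added to `rules` in `web/.eslintrc.js` carries no comment, so someone whose import starts failing lint has to find this commit message to learn that the aliases come from `tsconfig.json`. A one-line comment above the rule would cover it, for example `// Imports must use the path aliases configured in tsconfig.json.`. Because the plugin is a new third-party devDependency that presumably executes inside ESLint on developer machines and in CI, it is worth confirming in review that the exact pin `1.0.6` in `web/package.json` and the integrity hash in `web/pnpm-lock.yaml` match the published package, and noting that its lock entry pulls in `fs-extra`, `find-up`, `micromatch`, `slash` and `tsconfig-paths`. The `module.exports` object begins and ends outside this hunk.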
@@ -95,6 +96,7 @@ dependencies: devDependencies: '@commitlint/cli': 17.3.0 '@commitlint/config-conventional': 17.3.0 + '@limegrass/eslint-plugin-import-alias': 1.0.6_eslint@8.28.0 '@testing-library/jest-dom': 5.16.5 '@testing-library/react': 13.4.0_biqbaboplfbrettd7655fr4n2y '@types/jest': 29.2.3 @@ -2853,6 +2855,19 @@ packages: '@jridgewell/sourcemap-codec': 1.4.14 dev: true + /@limegrass/eslint-plugin-import-alias/1.0.6_eslint@8.28.0: + resolution: {integrity: sha512-BtPmdHbL4NmkVh2wMnOboyOCrdLOpBqwwtBIsB0/giTiALw/UTHD9TyH4vVnbDOuWPZQgE6kKloJ9G77FApt7w==} + peerDependencies: + eslint: ^2 || ^3 || ^4 || ^5 || ^6 || ^7.2.0 || ^8 + dependencies: + eslint: 8.28.0 + find-up: 5.0.0 + fs-extra: 10.1.0 + micromatch: 4.0.5 + slash: 3.0.0 + tsconfig-paths: 3.14.1 + dev: true + /@mui/base/5.0.0-alpha.107_2zx2umvpluuhvlq44va5bta2da: resolution: {integrity: sha512-HX/BD8CSe+Y/dpbZ5aKJScJhKQ/Hw6du2yd68Upv2cO67bwixyZ64h3aNcdDu7RQzI7nrZQm0JykffP1Orgq0g==} engines: {node: '>=12.0.0'} From fbe42a91c3fc5eb1637abef5f3724dc47c6824cb Mon Sep 17 00:00:00 2001 From: James Elliott Date: Mon, 28 Nov 2022 16:02:40 +1100 Subject: [PATCH 26/32] docs: bump dependencies (#4441) --- docs/package.json | 12 +++---- docs/pnpm-lock.yaml | 84 ++++++++++++++++++++++----------------------- 2 files changed, 48 insertions(+), 48 deletions(-) diff --git a/docs/package.json b/docs/package.json index 1e9c47f9d..5b0c3df18 100644 --- a/docs/package.json +++ b/docs/package.json @@ -46,13 +46,13 @@ "@popperjs/core": "2.11.6", "auto-changelog": "2.4.0", "autoprefixer": "10.4.13", - "bootstrap": "5.2.2", - "bootstrap-icons": "1.10.0", + "bootstrap": "5.2.3", + "bootstrap-icons": "1.10.2", "clipboard": "2.0.11", - "eslint": "8.27.0", + "eslint": "8.28.0", "exec-bin": "1.0.0", "flexsearch": "0.7.31", - "highlight.js": "11.6.0", + "highlight.js": "11.7.0", "hugo-installer": "4.0.1", "instant.page": "5.1.1", "katex": "0.16.3", 
@@ -64,10 +64,10 @@ "postcss-cli": "10.0.0", "purgecss-whitelister": "2.4.0", "shx": "0.3.4", - "stylelint": "14.14.1", + "stylelint": "14.15.0", "stylelint-config-standard-scss": "6.1.0" }, "otherDependencies": { - "hugo": "0.105.0" + "hugo": "0.107.0" } } diff --git a/docs/pnpm-lock.yaml b/docs/pnpm-lock.yaml index acc309003..29f43ea9c 100644 --- a/docs/pnpm-lock.yaml +++ b/docs/pnpm-lock.yaml @@ -9,13 +9,13 @@ specifiers: '@popperjs/core': 2.11.6 auto-changelog: 2.4.0 autoprefixer: 10.4.13 - bootstrap: 5.2.2 - bootstrap-icons: 1.10.0 + bootstrap: 5.2.3 + bootstrap-icons: 1.10.2 clipboard: 2.0.11 - eslint: 8.27.0 + eslint: 8.28.0 exec-bin: 1.0.0 flexsearch: 0.7.31 - highlight.js: 11.6.0 + highlight.js: 11.7.0 hugo-installer: 4.0.1 instant.page: 5.1.1 katex: 0.16.3 @@ -27,7 +27,7 @@ specifiers: postcss-cli: 10.0.0 purgecss-whitelister: 2.4.0 shx: 0.3.4 - stylelint: 14.14.1 + stylelint: 14.15.0 stylelint-config-standard-scss: 6.1.0 devDependencies: @@ -39,13 +39,13 @@ devDependencies: '@popperjs/core': 2.11.6 auto-changelog: 2.4.0 autoprefixer: 10.4.13_postcss@8.4.19 - bootstrap: 5.2.2_@popperjs+core@2.11.6 - bootstrap-icons: 1.10.0 + bootstrap: 5.2.3_@popperjs+core@2.11.6 + bootstrap-icons: 1.10.2 clipboard: 2.0.11 - eslint: 8.27.0 + eslint: 8.28.0 exec-bin: 1.0.0 flexsearch: 0.7.31 - highlight.js: 11.6.0 + highlight.js: 11.7.0 hugo-installer: 4.0.1 instant.page: 5.1.1 katex: 0.16.3 @@ -57,8 +57,8 @@ devDependencies: postcss-cli: 10.0.0_postcss@8.4.19 purgecss-whitelister: 2.4.0 shx: 0.3.4 - stylelint: 14.14.1 - stylelint-config-standard-scss: 6.1.0_ave2i6l4ingtbwj4aquhd5witq + stylelint: 14.15.0 + stylelint-config-standard-scss: 6.1.0_a37symlv4urgexnspmy4gyeh7i packages: 
@@ -1603,12 +1603,12 @@ packages: safe-buffer: 5.2.1 dev: true - /bootstrap-icons/1.10.0: - resolution: {integrity: sha512-SNQ3EUv5cKuoqkS6tebZztusF1P8hKyCVVSlYjm6d5H2fa1v32w72oPjujrTlGy2g9LiZ0tR/uFMEZwO71GHPQ==} + /bootstrap-icons/1.10.2: + resolution: {integrity: sha512-PTPYadRn1AMGr+QTSxe4ZCc+Wzv9DGZxbi3lNse/dajqV31n2/wl/7NX78ZpkvFgRNmH4ogdIQPQmxAfhEV6nA==} dev: true - /bootstrap/5.2.2_@popperjs+core@2.11.6: - resolution: {integrity: sha512-dEtzMTV71n6Fhmbg4fYJzQsw1N29hJKO1js5ackCgIpDcGid2ETMGC6zwSYw09v05Y+oRdQ9loC54zB1La3hHQ==} + /bootstrap/5.2.3_@popperjs+core@2.11.6: + resolution: {integrity: sha512-cEKPM+fwb3cT8NzQZYEu4HilJ3anCrWqh3CHAok1p9jXqMPsPTBhU25fBckEJHJ/p+tTxTFTsFQGM+gaHpi3QQ==} peerDependencies: '@popperjs/core': ^2.11.6 dependencies: @@ -1859,8 +1859,8 @@ packages: resolution: {integrity: sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==} dev: true - /cosmiconfig/7.0.1: - resolution: {integrity: sha512-a1YWNUV2HwGimB7dU2s1wUMurNKjpx60HxBB6xUM8Re+2s1g1IIfJvFR0/iCF+XHdE0GMTKTuLR32UQff4TEyQ==} + /cosmiconfig/7.1.0: + resolution: {integrity: sha512-AdmX6xUzdNASswsFtmwSt7Vj8po9IuqXm0UXz7QKPuEUmPB4XyjGfaAr2PSuELMwkRMVH1EpIkX5bTZGRB3eCA==} engines: {node: '>=10'} dependencies: '@types/parse-json': 4.0.0 @@ -2079,13 +2079,13 @@ packages: estraverse: 5.3.0 dev: true - /eslint-utils/3.0.0_eslint@8.27.0: + /eslint-utils/3.0.0_eslint@8.28.0: resolution: {integrity: sha512-uuQC43IGctw68pJA1RgbQS8/NP7rch6Cwd4j3ZBtgo4/8Flj4eGE7ZYSZRN3iq5pVUv6GPdW5Z1RFleo84uLDA==} engines: {node: ^10.0.0 || ^12.0.0 || >= 14.0.0} peerDependencies: eslint: '>=5' dependencies: - eslint: 8.27.0 + eslint: 8.28.0 eslint-visitor-keys: 2.1.0 dev: true 
@@ -2099,8 +2099,8 @@ packages: engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} dev: true - /eslint/8.27.0: - resolution: {integrity: sha512-0y1bfG2ho7mty+SiILVf9PfuRA49ek4Nc60Wmmu62QlobNR+CeXa4xXIJgcuwSQgZiWaPH+5BDsctpIW0PR/wQ==} + /eslint/8.28.0: + resolution: {integrity: sha512-S27Di+EVyMxcHiwDrFzk8dJYAaD+/5SoWKxL1ri/71CRHsnJnRDPNt2Kzj24+MT9FDupf4aqqyqPrvI8MvQ4VQ==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} hasBin: true dependencies: @@ -2115,7 +2115,7 @@ packages: doctrine: 3.0.0 escape-string-regexp: 4.0.0 eslint-scope: 7.1.1 - eslint-utils: 3.0.0_eslint@8.27.0 + eslint-utils: 3.0.0_eslint@8.28.0 eslint-visitor-keys: 3.3.0 espree: 9.4.0 esquery: 1.4.0 @@ -2552,8 +2552,8 @@ packages: function-bind: 1.1.1 dev: true - /highlight.js/11.6.0: - resolution: {integrity: sha512-ig1eqDzJaB0pqEvlPVIpSSyMaO92bH1N2rJpLMN/nX396wTpDA4Eq0uK+7I/2XG17pFaaKE0kjV/XPeGt7Evjw==} + /highlight.js/11.7.0: + resolution: {integrity: sha512-1rRqesRFhMO/PRF+G86evnyJkCgaZFOI+Z6kdj15TA18funfoqJXvgPCLSf0SWq3SRfg1j3HlDs8o4s3EGq1oQ==} engines: {node: '>=12.0.0'} dev: true @@ -3829,7 +3829,7 @@ packages: resolution: {integrity: sha512-Dj1Okke1C3uKKwQcetra4jSuk0DqbzbYtXipzFlFMZtowbF1x7BKJwB9AayVMyFARvU8EDrZdcax4At/452cAg==} dev: true - /stylelint-config-recommended-scss/8.0.0_ave2i6l4ingtbwj4aquhd5witq: + /stylelint-config-recommended-scss/8.0.0_a37symlv4urgexnspmy4gyeh7i: resolution: {integrity: sha512-BxjxEzRaZoQb7Iinc3p92GS6zRdRAkIuEu2ZFLTxJK2e1AIcCb5B5MXY9KOXdGTnYFZ+KKx6R4Fv9zU6CtMYPQ==} peerDependencies: postcss: ^8.3.3 
@@ -3840,20 +3840,20 @@ packages: dependencies: postcss: 8.4.19 postcss-scss: 4.0.4_postcss@8.4.19 - stylelint: 14.14.1 - stylelint-config-recommended: 9.0.0_stylelint@14.14.1 - stylelint-scss: 4.2.0_stylelint@14.14.1 + stylelint: 14.15.0 + stylelint-config-recommended: 9.0.0_stylelint@14.15.0 + stylelint-scss: 4.2.0_stylelint@14.15.0 dev: true - /stylelint-config-recommended/9.0.0_stylelint@14.14.1: + /stylelint-config-recommended/9.0.0_stylelint@14.15.0: resolution: {integrity: sha512-9YQSrJq4NvvRuTbzDsWX3rrFOzOlYBmZP+o513BJN/yfEmGSr0AxdvrWs0P/ilSpVV/wisamAHu5XSk8Rcf4CQ==} peerDependencies: stylelint: ^14.10.0 dependencies: - stylelint: 14.14.1 + stylelint: 14.15.0 dev: true - /stylelint-config-standard-scss/6.1.0_ave2i6l4ingtbwj4aquhd5witq: + /stylelint-config-standard-scss/6.1.0_a37symlv4urgexnspmy4gyeh7i: resolution: {integrity: sha512-iZ2B5kQT2G3rUzx+437cEpdcnFOQkwnwqXuY8Z0QUwIHQVE8mnYChGAquyKFUKZRZ0pRnrciARlPaR1RBtPb0Q==} peerDependencies: postcss: ^8.3.3 
@@ -3863,21 +3863,21 @@ packages: optional: true dependencies: postcss: 8.4.19 - stylelint: 14.14.1 - stylelint-config-recommended-scss: 8.0.0_ave2i6l4ingtbwj4aquhd5witq - stylelint-config-standard: 29.0.0_stylelint@14.14.1 + stylelint: 14.15.0 + stylelint-config-recommended-scss: 8.0.0_a37symlv4urgexnspmy4gyeh7i + stylelint-config-standard: 29.0.0_stylelint@14.15.0 dev: true - /stylelint-config-standard/29.0.0_stylelint@14.14.1: + /stylelint-config-standard/29.0.0_stylelint@14.15.0: resolution: {integrity: sha512-uy8tZLbfq6ZrXy4JKu3W+7lYLgRQBxYTUUB88vPgQ+ZzAxdrvcaSUW9hOMNLYBnwH+9Kkj19M2DHdZ4gKwI7tg==} peerDependencies: stylelint: ^14.14.0 dependencies: - stylelint: 14.14.1 - stylelint-config-recommended: 9.0.0_stylelint@14.14.1 + stylelint: 14.15.0 + stylelint-config-recommended: 9.0.0_stylelint@14.15.0 dev: true - /stylelint-scss/4.2.0_stylelint@14.14.1: + /stylelint-scss/4.2.0_stylelint@14.15.0: resolution: {integrity: sha512-HHHMVKJJ5RM9pPIbgJ/XA67h9H0407G68Rm69H4fzFbFkyDMcTV1Byep3qdze5+fJ3c0U7mJrbj6S0Fg072uZA==} peerDependencies: stylelint: ^14.5.1 @@ -3887,18 +3887,18 @@ packages: postcss-resolve-nested-selector: 0.1.1 postcss-selector-parser: 6.0.10 postcss-value-parser: 4.2.0 - stylelint: 14.14.1 + stylelint: 14.15.0 dev: true - /stylelint/14.14.1: - resolution: {integrity: sha512-Jnftu+lSD8cSpcV/+Z2nfgfgFpTIS1FcujezXPngtoIQ6wtwutL22MsNE0dJuMiM1h1790g2qIjAyUZCMrX4sw==} + /stylelint/14.15.0: + resolution: {integrity: sha512-JOgDAo5QRsqiOZPZO+B9rKJvBm64S0xasbuRPAbPs6/vQDgDCnZLIiw6XcAS6GQKk9k1sBWR6rmH3Mfj8OknKg==} engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0} hasBin: true dependencies: '@csstools/selector-specificity': 2.0.2_45y636a2vqremknoajyxd5nkzy balanced-match: 2.0.0 colord: 2.9.3 - cosmiconfig: 7.0.1 + cosmiconfig: 7.1.0 css-functions-list: 3.1.0 debug: 4.3.4 fast-glob: 3.2.12 From fcf31a370ff308695bb84179a6d868ec6d417bf8 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 28 Nov 2022 18:50:20 +0000 Subject: [PATCH 27/32] build(deps): update module github.com/valyala/fasthttp to v1.43.0 (#4443) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 0cd7e9f38..b5242e074 100644 --- a/go.mod +++ b/go.mod @@ -38,7 +38,7 @@ require ( github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.8.1 github.com/trustelem/zxcvbn v1.0.1 - github.com/valyala/fasthttp v1.42.0 + github.com/valyala/fasthttp v1.43.0 golang.org/x/sync v0.1.0 golang.org/x/term v0.2.0 golang.org/x/text v0.4.0 diff --git a/go.sum b/go.sum index 79798f010..053f96c70 100644 --- a/go.sum +++ b/go.sum @@ -604,8 +604,9 @@ github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljT github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw= github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= github.com/valyala/fasthttp v1.40.0/go.mod h1:t/G+3rLek+CyY9bnIE+YlMRddxVAAGjhxndDB4i4C0I= -github.com/valyala/fasthttp v1.42.0 h1:LBMyqvJR8DEBgN79oI8dGbkuj5Lm9jbHESxH131TTN8= github.com/valyala/fasthttp v1.42.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seBFc2uWtgiY= +github.com/valyala/fasthttp v1.43.0 h1:Gy4sb32C98fbzVWZlTM1oTMdLWGyvxR03VhM6cBIU4g= +github.com/valyala/fasthttp v1.43.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seBFc2uWtgiY= github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= From d7638d6ca9b0ab6203affdf83f0ba5ae23ab0eee Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 29 Nov 2022 10:36:01 +1100 Subject: [PATCH 28/32] build(deps): update material-ui monorepo to v5.10.16 (#4445) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 6 ++-- web/pnpm-lock.yaml | 84 +++++++++++++++++++++++----------------------- 2 files changed, 45 insertions(+), 45 deletions(-) diff --git a/web/package.json b/web/package.json index e393a8e93..370bb829f 100644 --- a/web/package.json +++ b/web/package.json @@ -25,9 +25,9 @@ "@fortawesome/free-regular-svg-icons": "6.2.1", "@fortawesome/free-solid-svg-icons": "6.2.1", "@fortawesome/react-fontawesome": "0.2.0", - "@mui/icons-material": "5.10.15", - "@mui/material": "5.10.15", - "@mui/styles": "5.10.15", + "@mui/icons-material": "5.10.16", + "@mui/material": "5.10.16", + "@mui/styles": "5.10.16", "axios": "1.2.0", "broadcast-channel": "4.18.1", "classnames": "2.3.2", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index 0716e12d6..1f6a17b01 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -11,9 +11,9 @@ specifiers: '@fortawesome/free-solid-svg-icons': 6.2.1 '@fortawesome/react-fontawesome': 0.2.0 '@limegrass/eslint-plugin-import-alias': 1.0.6 - '@mui/icons-material': 5.10.15 - '@mui/material': 5.10.15 - '@mui/styles': 5.10.15 + '@mui/icons-material': 5.10.16 + '@mui/material': 5.10.16 + '@mui/styles': 5.10.16 '@testing-library/jest-dom': 5.16.5 '@testing-library/react': 13.4.0 '@types/jest': 29.2.3 
@@ -74,9 +74,9 @@ dependencies: '@fortawesome/free-regular-svg-icons': 6.2.1 '@fortawesome/free-solid-svg-icons': 6.2.1 '@fortawesome/react-fontawesome': 0.2.0_z27bm67dtmuyyvss23ckjdrcuy - '@mui/icons-material': 5.10.15_oev7u2jo7ua7d3mgxqd6sscfw4 - '@mui/material': 5.10.15_thp4wrxo45nyllusrnt46mid4u - '@mui/styles': 5.10.15_fan5qbzahqtxlm5dzefqlqx5ia + '@mui/icons-material': 5.10.16_ge2ne5gh5gcqikeclw577gsblu + '@mui/material': 5.10.16_thp4wrxo45nyllusrnt46mid4u + '@mui/styles': 5.10.16_fan5qbzahqtxlm5dzefqlqx5ia axios: 1.2.0 broadcast-channel: 4.18.1 classnames: 2.3.2 @@ -2868,8 +2868,8 @@ packages: tsconfig-paths: 3.14.1 dev: true - /@mui/base/5.0.0-alpha.107_2zx2umvpluuhvlq44va5bta2da: - resolution: {integrity: sha512-HX/BD8CSe+Y/dpbZ5aKJScJhKQ/Hw6du2yd68Upv2cO67bwixyZ64h3aNcdDu7RQzI7nrZQm0JykffP1Orgq0g==} + /@mui/base/5.0.0-alpha.108_2zx2umvpluuhvlq44va5bta2da: + resolution: {integrity: sha512-KjzRUts2i/ODlMfywhFTqTzQl+Cr9nlDSZxJcnYjrbOV/iRyQNBTDoiFJt+XEdRi0fZBHnk74AFbnP56ehybsA==} engines: {node: '>=12.0.0'} peerDependencies: '@types/react': ^17.0.0 || ^18.0.0 || 18 @@ -2881,8 +2881,8 @@ packages: dependencies: '@babel/runtime': 7.20.1 '@emotion/is-prop-valid': 1.2.0 - '@mui/types': 7.2.1_@types+react@18.0.25 - '@mui/utils': 5.10.15_react@18.2.0 + '@mui/types': 7.2.2_@types+react@18.0.25 + '@mui/utils': 5.10.16_react@18.2.0 '@popperjs/core': 2.11.6 '@types/react': 18.0.25 clsx: 1.2.1 
@@ -2892,12 +2892,12 @@ packages: react-is: 18.2.0 dev: false - /@mui/core-downloads-tracker/5.10.15: - resolution: {integrity: sha512-xFcS0LpdF0Q1qJrrNsYUv9PU+ovvhCEPTOMw2jcpEFtl3CA87dLpvztORR5oE2UBFjWF7qLQLOwboQU1+xC7Cw==} + /@mui/core-downloads-tracker/5.10.16: + resolution: {integrity: sha512-eK9+olw2ZbXX+vGrtKnN01/vLP1aX0Lq0xok35bqWM1aB93Dcmky/xPNf8h31oJ/C+IzJBjZaZMEDzVZg4Qc0A==} dev: false - /@mui/icons-material/5.10.15_oev7u2jo7ua7d3mgxqd6sscfw4: - resolution: {integrity: sha512-fXkz7CtYTt4AH4YYT67VFhM/A3YCUqZGGLp/3BlzRPQRNEfFKknw3MgG1S5UYrY5weti8jxMx3mwwfhVP8OMhQ==} + /@mui/icons-material/5.10.16_ge2ne5gh5gcqikeclw577gsblu: + resolution: {integrity: sha512-jjCc0IF6iyLiucQCu5igg3fOscSqbbvRCmyRxXgzOcLR56B0sg2L8o+ZfJ0dAg59+wvgtXaxvjze/mJg0B4iWA==} engines: {node: '>=12.0.0'} peerDependencies: '@mui/material': ^5.0.0 @@ -2908,13 +2908,13 @@ packages: optional: true dependencies: '@babel/runtime': 7.20.1 - '@mui/material': 5.10.15_thp4wrxo45nyllusrnt46mid4u + '@mui/material': 5.10.16_thp4wrxo45nyllusrnt46mid4u '@types/react': 18.0.25 react: 18.2.0 dev: false - /@mui/material/5.10.15_thp4wrxo45nyllusrnt46mid4u: - resolution: {integrity: sha512-OqoHfUtVMppFHgk2M95j+pR8MWfLKhzSdz4aKEfIpFrHIHbYang+oY7Iy/exX+vqpZSEGHgHQ0cGX0hGTGx9cg==} + /@mui/material/5.10.16_thp4wrxo45nyllusrnt46mid4u: + resolution: {integrity: sha512-JSHcDQQ+k30NKkCM/0KX6jq4F5LOrbFKZpS+cEl7scZWOCJpUPH5ccAT5a7O8wzrgNZ8Y9PnwzNvWBrfShpJFw==} engines: {node: '>=12.0.0'} peerDependencies: '@emotion/react': ^11.5.0 
@@ -2933,11 +2933,11 @@ packages: '@babel/runtime': 7.20.1 '@emotion/react': 11.10.5_fan5qbzahqtxlm5dzefqlqx5ia '@emotion/styled': 11.10.5_otcjdfkheatawhug6fwk7ldzni - '@mui/base': 5.0.0-alpha.107_2zx2umvpluuhvlq44va5bta2da - '@mui/core-downloads-tracker': 5.10.15 - '@mui/system': 5.10.15_v64nlmo6pkqfmpmxge6otzlg54 - '@mui/types': 7.2.1_@types+react@18.0.25 - '@mui/utils': 5.10.15_react@18.2.0 + '@mui/base': 5.0.0-alpha.108_2zx2umvpluuhvlq44va5bta2da + '@mui/core-downloads-tracker': 5.10.16 + '@mui/system': 5.10.16_v64nlmo6pkqfmpmxge6otzlg54 + '@mui/types': 7.2.2_@types+react@18.0.25 + '@mui/utils': 5.10.16_react@18.2.0 '@types/react': 18.0.25 '@types/react-transition-group': 4.4.5 clsx: 1.2.1 @@ -2949,8 +2949,8 @@ packages: react-transition-group: 4.4.5_biqbaboplfbrettd7655fr4n2y dev: false - /@mui/private-theming/5.10.15_fan5qbzahqtxlm5dzefqlqx5ia: - resolution: {integrity: sha512-l7CsUj5kYdYz118/JHSvZZTYE9WnIWwln0td5jYATnYw9cNX4ygD6AkKOUYZ1Jitp1YLJqcO8jCP9E5/Nql9IQ==} + /@mui/private-theming/5.10.16_fan5qbzahqtxlm5dzefqlqx5ia: + resolution: {integrity: sha512-0MArkJaOHRCKqL/GWjngGZmyOeRz+uxffhx82bKcewr8swqV7xx7EFP02pk0L/gLdfcvYdqwH4YTVjG/+TaKrg==} engines: {node: '>=12.0.0'} peerDependencies: '@types/react': ^17.0.0 || ^18.0.0 || 18 @@ -2960,14 +2960,14 @@ packages: optional: true dependencies: '@babel/runtime': 7.20.1 - '@mui/utils': 5.10.15_react@18.2.0 + '@mui/utils': 5.10.16_react@18.2.0 '@types/react': 18.0.25 prop-types: 15.8.1 react: 18.2.0 dev: false - /@mui/styled-engine/5.10.14_dovxhg2tvkkxkdnqyoum6wzcxm: - resolution: {integrity: sha512-bgKdM57ExogWpIfhL/ngSlzF4FhbH00vYF+Y5VALTob4uslFqje0xzoWmbfcCn4cZt2NXxZJIwhsq4vzo5itlw==} + /@mui/styled-engine/5.10.16_dovxhg2tvkkxkdnqyoum6wzcxm: + resolution: {integrity: sha512-ZMSjXvtiGwGDKqrSlXhpxK2voUaF2/lpC/pSTfFmZvKH9j9a9h1/iwo3ybgjFVYGgbfNeW4h0xEchiRohu9xsw==} engines: {node: '>=12.0.0'} peerDependencies: '@emotion/react': ^11.4.1 
@@ -2988,8 +2988,8 @@ packages: react: 18.2.0 dev: false - /@mui/styles/5.10.15_fan5qbzahqtxlm5dzefqlqx5ia: - resolution: {integrity: sha512-q8OW8Cyq2C9wGJMcDWXYtFa7qgIIZPAZ15JShDQXBLvyib4qDop5wV3+olQoJdwU5ARjmfPd67IsbORWxG3abQ==} + /@mui/styles/5.10.16_fan5qbzahqtxlm5dzefqlqx5ia: + resolution: {integrity: sha512-GYxY9pAx/mIAF3l9QJhTfWyUdT18UyjXHRmfPFgDupphTyHumrVE4rgYoTFordmzMWr+1kaS0mAUvDfziGncGA==} engines: {node: '>=12.0.0'} peerDependencies: '@types/react': ^17.0.0 || 18 @@ -3000,9 +3000,9 @@ packages: dependencies: '@babel/runtime': 7.20.1 '@emotion/hash': 0.9.0 - '@mui/private-theming': 5.10.15_fan5qbzahqtxlm5dzefqlqx5ia - '@mui/types': 7.2.1_@types+react@18.0.25 - '@mui/utils': 5.10.15_react@18.2.0 + '@mui/private-theming': 5.10.16_fan5qbzahqtxlm5dzefqlqx5ia + '@mui/types': 7.2.2_@types+react@18.0.25 + '@mui/utils': 5.10.16_react@18.2.0 '@types/react': 18.0.25 clsx: 1.2.1 csstype: 3.1.1 @@ -3019,8 +3019,8 @@ packages: react: 18.2.0 dev: false - /@mui/system/5.10.15_v64nlmo6pkqfmpmxge6otzlg54: - resolution: {integrity: sha512-WZmgmpYTMXAaD++QetaaM/miwhNh1JJY1dH7MJH/3Fuv3r3gnhfzE6A55lDqWxkQmlWUO2DCn/cnNZ0FkSdZUg==} + /@mui/system/5.10.16_v64nlmo6pkqfmpmxge6otzlg54: + resolution: {integrity: sha512-OqI9B1jZ9zQ/dmoqseku4CzdEs9DbLiiMOaWxC3WeAJxM1UavlCgXz0encqm93LIlmSL7TjuHN1/rW8BJCnU8A==} engines: {node: '>=12.0.0'} peerDependencies: '@emotion/react': ^11.5.0 
@@ -3038,10 +3038,10 @@ packages: '@babel/runtime': 7.20.1 '@emotion/react': 11.10.5_fan5qbzahqtxlm5dzefqlqx5ia '@emotion/styled': 11.10.5_otcjdfkheatawhug6fwk7ldzni - '@mui/private-theming': 5.10.15_fan5qbzahqtxlm5dzefqlqx5ia - '@mui/styled-engine': 5.10.14_dovxhg2tvkkxkdnqyoum6wzcxm - '@mui/types': 7.2.1_@types+react@18.0.25 - '@mui/utils': 5.10.15_react@18.2.0 + '@mui/private-theming': 5.10.16_fan5qbzahqtxlm5dzefqlqx5ia + '@mui/styled-engine': 5.10.16_dovxhg2tvkkxkdnqyoum6wzcxm + '@mui/types': 7.2.2_@types+react@18.0.25 + '@mui/utils': 5.10.16_react@18.2.0 '@types/react': 18.0.25 clsx: 1.2.1 csstype: 3.1.1 @@ -3049,8 +3049,8 @@ packages: react: 18.2.0 dev: false - /@mui/types/7.2.1_@types+react@18.0.25: - resolution: {integrity: sha512-c5mSM7ivD8EsqK6HUi9hQPr5V7TJ/IRThUQ9nWNYPdhCGriTSQV4vL6DflT99LkM+wLiIS1rVjphpEWxERep7A==} + /@mui/types/7.2.2_@types+react@18.0.25: + resolution: {integrity: sha512-siex8cZDtWeC916cXOoUOnEQQejuMYmHtc4hM6VkKVYaBICz3VIiqyiAomRboTQHt2jchxQ5Q5ATlbcDekTxDA==} peerDependencies: '@types/react': '*' peerDependenciesMeta: @@ -3060,8 +3060,8 @@ packages: '@types/react': 18.0.25 dev: false - /@mui/utils/5.10.15_react@18.2.0: - resolution: {integrity: sha512-6AW4MLBUijJi31hxx+6utTJM2q/4hbO+QiMdtwM+f4Iy+BfFnh/elhb08apxNYLfuugPnXXpkDmzEjg+8uDU9g==} + /@mui/utils/5.10.16_react@18.2.0: + resolution: {integrity: sha512-3MB/SGsgiiu9Z55CFmAfiONUoR7AAue/H4F6w3mc2LnhFQCsoVvXhioDPcsiRpUMIQr34jDPzGXdCuqWooPCXQ==} engines: {node: '>=12.0.0'} peerDependencies: react: ^17.0.0 || ^18.0.0 || 18 From 340dded65639a354edf5bfbcc94f439db8af903e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 29 Nov 2022 02:45:55 +0000 Subject: [PATCH 29/32] build(deps): update module github.com/ory/x to v0.0.517 (#4447) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/go.mod b/go.mod index b5242e074..2fb34a6f9 100644 --- a/go.mod +++ b/go.mod @@ -28,7 +28,7 @@ require ( github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 github.com/ory/fosite v0.43.0 github.com/ory/herodot v0.9.13 - github.com/ory/x v0.0.516 + github.com/ory/x v0.0.517 github.com/otiai10/copy v1.9.0 github.com/pkg/errors v0.9.1 github.com/pquerna/otp v1.3.0 diff --git a/go.sum b/go.sum index 053f96c70..6b77f5c18 100644 --- a/go.sum +++ b/go.sum @@ -460,8 +460,8 @@ github.com/ory/herodot v0.9.13 h1:cN/Z4eOkErl/9W7hDIDLb79IO/bfsH+8yscBjRpB4IU= github.com/ory/herodot v0.9.13/go.mod h1:IWDs9kSvFQqw/cQ8zi5ksyYvITiUU4dI7glUrhZcJYo= github.com/ory/viper v1.7.5 h1:+xVdq7SU3e1vNaCsk/ixsfxE4zylk1TJUiJrY647jUE= github.com/ory/viper v1.7.5/go.mod h1:ypOuyJmEUb3oENywQZRgeAMwqgOyDqwboO1tj3DjTaM= -github.com/ory/x v0.0.516 h1:haNWvY0HU8mDXzWVXgAxkWIxbB9H3G/934udclempV0= -github.com/ory/x v0.0.516/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY= +github.com/ory/x v0.0.517 h1:20FrwHie18q78WGaHcaH0+XoPNdE88zqSXCQNPNlYUs= +github.com/ory/x v0.0.517/go.mod h1:xUtRpoiRARyJNPVk/fcCNKzyp25Foxt9GPlj8pd7egY= github.com/otiai10/copy v1.9.0 h1:7KFNiCgZ91Ru4qW4CWPf/7jqtxLagGRmIxWldPP9VY4= github.com/otiai10/copy v1.9.0/go.mod h1:hsfX19wcn0UWIHUQ3/4fHuehhk2UyArQ9dVFAn3FczI= github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= From eeae98a50e93af7b6ed62a1f3b5ea582feb76067 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 29 Nov 2022 05:48:53 +0000 Subject: [PATCH 30/32] build(deps): update typescript-eslint monorepo to v5.45.0 (#4446) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- web/package.json | 4 +- web/pnpm-lock.yaml | 102 ++++++++++++++++++++++----------------------- 2 files changed, 53 insertions(+), 53 deletions(-) diff --git a/web/package.json b/web/package.json index 370bb829f..a4f3db8a6 100644 
--- a/web/package.json +++ b/web/package.json @@ -154,8 +154,8 @@ "@types/react": "18.0.25", "@types/react-dom": "18.0.9", "@types/zxcvbn": "4.4.1", - "@typescript-eslint/eslint-plugin": "5.44.0", - "@typescript-eslint/parser": "5.44.0", + "@typescript-eslint/eslint-plugin": "5.45.0", + "@typescript-eslint/parser": "5.45.0", "@vitejs/plugin-react": "2.2.0", "esbuild": "0.15.16", "esbuild-jest": "0.5.0", diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index 1f6a17b01..4f98c710d 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -22,8 +22,8 @@ specifiers: '@types/react': 18.0.25 '@types/react-dom': 18.0.9 '@types/zxcvbn': 4.4.1 - '@typescript-eslint/eslint-plugin': 5.44.0 - '@typescript-eslint/parser': 5.44.0 + '@typescript-eslint/eslint-plugin': 5.45.0 + '@typescript-eslint/parser': 5.45.0 '@vitejs/plugin-react': 2.2.0 axios: 1.2.0 broadcast-channel: 4.18.1 @@ -105,8 +105,8 @@ devDependencies: '@types/react': 18.0.25 '@types/react-dom': 18.0.9 '@types/zxcvbn': 4.4.1 - '@typescript-eslint/eslint-plugin': 5.44.0_fnsv2sbzcckq65bwfk7a5xwslu - '@typescript-eslint/parser': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/eslint-plugin': 5.45.0_czs5uoqkd3podpy6vgtsxfc7au + '@typescript-eslint/parser': 5.45.0_hsf322ms6xhhd4b5ne6lb74y4a '@vitejs/plugin-react': 2.2.0_vite@3.2.4 esbuild: 0.15.16 esbuild-jest: 0.5.0_esbuild@0.15.16 @@ -115,7 +115,7 @@ devDependencies: eslint-config-react-app: 7.0.1_ffu622cxxp5swe5tqcog7svb5i eslint-formatter-rdjson: 1.0.5 eslint-import-resolver-typescript: 3.5.2_ktrec6dplf4now6nlbc6d67jee - eslint-plugin-import: 2.26.0_vc54pluhgv7booofyyjouvuf74 + eslint-plugin-import: 2.26.0_xmouedd5rhgbah4737x2hltudq eslint-plugin-jsx-a11y: 6.6.1_eslint@8.28.0 eslint-plugin-prettier: 4.2.1_cwlo2dingkvfydnaculr42urve eslint-plugin-react: 7.31.11_eslint@8.28.0 
@@ -3660,8 +3660,8 @@ packages: resolution: {integrity: sha512-3NoqvZC2W5gAC5DZbTpCeJ251vGQmgcWIHQJGq2J240HY6ErQ9aWKkwfoKJlHLx+A83WPNTZ9+3cd2ILxbvr1w==} dev: true - /@typescript-eslint/eslint-plugin/5.44.0_fnsv2sbzcckq65bwfk7a5xwslu: - resolution: {integrity: sha512-j5ULd7FmmekcyWeArx+i8x7sdRHzAtXTkmDPthE4amxZOWKFK7bomoJ4r7PJ8K7PoMzD16U8MmuZFAonr1ERvw==} + /@typescript-eslint/eslint-plugin/5.45.0_czs5uoqkd3podpy6vgtsxfc7au: + resolution: {integrity: sha512-CXXHNlf0oL+Yg021cxgOdMHNTXD17rHkq7iW6RFHoybdFgQBjU3yIXhhcPpGwr1CjZlo6ET8C6tzX5juQoXeGA==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} peerDependencies: '@typescript-eslint/parser': ^5.0.0 @@ -3671,10 +3671,10 @@ packages: typescript: optional: true dependencies: - '@typescript-eslint/parser': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a - '@typescript-eslint/scope-manager': 5.44.0 - '@typescript-eslint/type-utils': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a - '@typescript-eslint/utils': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/parser': 5.45.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/scope-manager': 5.45.0 + '@typescript-eslint/type-utils': 5.45.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/utils': 5.45.0_hsf322ms6xhhd4b5ne6lb74y4a debug: 4.3.4 eslint: 8.28.0 ignore: 5.2.0 @@ -3700,8 +3700,8 @@ packages: - typescript dev: true - /@typescript-eslint/parser/5.44.0_hsf322ms6xhhd4b5ne6lb74y4a: - resolution: {integrity: sha512-H7LCqbZnKqkkgQHaKLGC6KUjt3pjJDx8ETDqmwncyb6PuoigYajyAwBGz08VU/l86dZWZgI4zm5k2VaKqayYyA==} + /@typescript-eslint/parser/5.45.0_hsf322ms6xhhd4b5ne6lb74y4a: + resolution: {integrity: sha512-brvs/WSM4fKUmF5Ot/gEve6qYiCMjm6w4HkHPfS6ZNmxTS0m0iNN4yOChImaCkqc1hRwFGqUyanMXuGal6oyyQ==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} peerDependencies: eslint: ^6.0.0 || ^7.0.0 || ^8.0.0 
@@ -3710,9 +3710,9 @@ packages: typescript: optional: true dependencies: - '@typescript-eslint/scope-manager': 5.44.0 - '@typescript-eslint/types': 5.44.0 - '@typescript-eslint/typescript-estree': 5.44.0_typescript@4.9.3 + '@typescript-eslint/scope-manager': 5.45.0 + '@typescript-eslint/types': 5.45.0 + '@typescript-eslint/typescript-estree': 5.45.0_typescript@4.9.3 debug: 4.3.4 eslint: 8.28.0 typescript: 4.9.3 @@ -3728,16 +3728,16 @@ packages: '@typescript-eslint/visitor-keys': 5.30.6 dev: true - /@typescript-eslint/scope-manager/5.44.0: - resolution: {integrity: sha512-2pKml57KusI0LAhgLKae9kwWeITZ7IsZs77YxyNyIVOwQ1kToyXRaJLl+uDEXzMN5hnobKUOo2gKntK9H1YL8g==} + /@typescript-eslint/scope-manager/5.45.0: + resolution: {integrity: sha512-noDMjr87Arp/PuVrtvN3dXiJstQR1+XlQ4R1EvzG+NMgXi8CuMCXpb8JqNtFHKceVSQ985BZhfRdowJzbv4yKw==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} dependencies: - '@typescript-eslint/types': 5.44.0 - '@typescript-eslint/visitor-keys': 5.44.0 + '@typescript-eslint/types': 5.45.0 + '@typescript-eslint/visitor-keys': 5.45.0 dev: true - /@typescript-eslint/type-utils/5.44.0_hsf322ms6xhhd4b5ne6lb74y4a: - resolution: {integrity: sha512-A1u0Yo5wZxkXPQ7/noGkRhV4J9opcymcr31XQtOzcc5nO/IHN2E2TPMECKWYpM3e6olWEM63fq/BaL1wEYnt/w==} + /@typescript-eslint/type-utils/5.45.0_hsf322ms6xhhd4b5ne6lb74y4a: + resolution: {integrity: sha512-DY7BXVFSIGRGFZ574hTEyLPRiQIvI/9oGcN8t1A7f6zIs6ftbrU0nhyV26ZW//6f85avkwrLag424n+fkuoJ1Q==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} peerDependencies: eslint: '*' @@ -3746,8 +3746,8 @@ packages: typescript: optional: true dependencies: - '@typescript-eslint/typescript-estree': 5.44.0_typescript@4.9.3 - '@typescript-eslint/utils': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/typescript-estree': 5.45.0_typescript@4.9.3 + '@typescript-eslint/utils': 5.45.0_hsf322ms6xhhd4b5ne6lb74y4a debug: 4.3.4 eslint: 8.28.0 tsutils: 3.21.0_typescript@4.9.3 
@@ -3761,8 +3761,8 @@ packages: engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} dev: true - /@typescript-eslint/types/5.44.0: - resolution: {integrity: sha512-Tp+zDnHmGk4qKR1l+Y1rBvpjpm5tGXX339eAlRBDg+kgZkz9Bw+pqi4dyseOZMsGuSH69fYfPJCBKBrbPCxYFQ==} + /@typescript-eslint/types/5.45.0: + resolution: {integrity: sha512-QQij+u/vgskA66azc9dCmx+rev79PzX8uDHpsqSjEFtfF2gBUTRCpvYMh2gw2ghkJabNkPlSUCimsyBEQZd1DA==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} dev: true @@ -3787,8 +3787,8 @@ packages: - supports-color dev: true - /@typescript-eslint/typescript-estree/5.44.0_typescript@4.9.3: - resolution: {integrity: sha512-M6Jr+RM7M5zeRj2maSfsZK2660HKAJawv4Ud0xT+yauyvgrsHu276VtXlKDFnEmhG+nVEd0fYZNXGoAgxwDWJw==} + /@typescript-eslint/typescript-estree/5.45.0_typescript@4.9.3: + resolution: {integrity: sha512-maRhLGSzqUpFcZgXxg1qc/+H0bT36lHK4APhp0AEUVrpSwXiRAomm/JGjSG+kNUio5kAa3uekCYu/47cnGn5EQ==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} peerDependencies: typescript: '*' @@ -3796,8 +3796,8 @@ packages: typescript: optional: true dependencies: - '@typescript-eslint/types': 5.44.0 - '@typescript-eslint/visitor-keys': 5.44.0 + '@typescript-eslint/types': 5.45.0 + '@typescript-eslint/visitor-keys': 5.45.0 debug: 4.3.4 globby: 11.1.0 is-glob: 4.0.3 
@@ -3826,17 +3826,17 @@ packages: - typescript dev: true - /@typescript-eslint/utils/5.44.0_hsf322ms6xhhd4b5ne6lb74y4a: - resolution: {integrity: sha512-fMzA8LLQ189gaBjS0MZszw5HBdZgVwxVFShCO3QN+ws3GlPkcy9YuS3U4wkT6su0w+Byjq3mS3uamy9HE4Yfjw==} + /@typescript-eslint/utils/5.45.0_hsf322ms6xhhd4b5ne6lb74y4a: + resolution: {integrity: sha512-OUg2JvsVI1oIee/SwiejTot2OxwU8a7UfTFMOdlhD2y+Hl6memUSL4s98bpUTo8EpVEr0lmwlU7JSu/p2QpSvA==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} peerDependencies: eslint: ^6.0.0 || ^7.0.0 || ^8.0.0 dependencies: '@types/json-schema': 7.0.11 '@types/semver': 7.3.12 - '@typescript-eslint/scope-manager': 5.44.0 - '@typescript-eslint/types': 5.44.0 - '@typescript-eslint/typescript-estree': 5.44.0_typescript@4.9.3 + '@typescript-eslint/scope-manager': 5.45.0 + '@typescript-eslint/types': 5.45.0 + '@typescript-eslint/typescript-estree': 5.45.0_typescript@4.9.3 eslint: 8.28.0 eslint-scope: 5.1.1 eslint-utils: 3.0.0_eslint@8.28.0 @@ -3854,11 +3854,11 @@ packages: eslint-visitor-keys: 3.3.0 dev: true - /@typescript-eslint/visitor-keys/5.44.0: - resolution: {integrity: sha512-a48tLG8/4m62gPFbJ27FxwCOqPKxsb8KC3HkmYoq2As/4YyjQl1jDbRr1s63+g4FS/iIehjmN3L5UjmKva1HzQ==} + /@typescript-eslint/visitor-keys/5.45.0: + resolution: {integrity: sha512-jc6Eccbn2RtQPr1s7th6jJWQHBHI6GBVQkCHoJFQ5UreaKm59Vxw+ynQUPPY2u2Amquc+7tmEoC2G52ApsGNNg==} engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0} dependencies: - '@typescript-eslint/types': 5.44.0 + '@typescript-eslint/types': 5.45.0 eslint-visitor-keys: 3.3.0 dev: true 
@@ -5386,14 +5386,14 @@ packages: '@babel/core': 7.18.6 '@babel/eslint-parser': 7.18.2_e6dejpcwcc66ssvjscxl7tagl4 '@rushstack/eslint-patch': 1.1.4 - '@typescript-eslint/eslint-plugin': 5.44.0_fnsv2sbzcckq65bwfk7a5xwslu - '@typescript-eslint/parser': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/eslint-plugin': 5.45.0_czs5uoqkd3podpy6vgtsxfc7au + '@typescript-eslint/parser': 5.45.0_hsf322ms6xhhd4b5ne6lb74y4a babel-preset-react-app: 10.0.1 confusing-browser-globals: 1.0.11 eslint: 8.28.0 eslint-plugin-flowtype: 8.0.3_eslint@8.28.0 - eslint-plugin-import: 2.26.0_vc54pluhgv7booofyyjouvuf74 - eslint-plugin-jest: 25.7.0_bifecjdquhom2xjmkl7gfpj6ma + eslint-plugin-import: 2.26.0_xmouedd5rhgbah4737x2hltudq + eslint-plugin-jest: 25.7.0_g4s445ihmht4kpk3znm26xsocm eslint-plugin-jsx-a11y: 6.6.1_eslint@8.28.0 eslint-plugin-react: 7.31.11_eslint@8.28.0 eslint-plugin-react-hooks: 4.6.0_eslint@8.28.0 @@ -5431,7 +5431,7 @@ packages: debug: 4.3.4 enhanced-resolve: 5.10.0 eslint: 8.28.0 - eslint-plugin-import: 2.26.0_vc54pluhgv7booofyyjouvuf74 + eslint-plugin-import: 2.26.0_xmouedd5rhgbah4737x2hltudq get-tsconfig: 4.2.0 globby: 13.1.2 is-core-module: 2.10.0 @@ -5441,7 +5441,7 @@ packages: - supports-color dev: true - /eslint-module-utils/2.7.3_nkdimya4zmerbrybxnwpev2imm: + /eslint-module-utils/2.7.3_qlteae5dad2nfnhgbnb4x6nyxy: resolution: {integrity: sha512-088JEC7O3lDZM9xGe0RerkOMd0EjFl+Yvd1jPWIkMT5u3H9+HC34mWWPnqPrN13gieT9pBOO+Qt07Nb/6TresQ==} engines: {node: '>=4'} peerDependencies: @@ -5459,7 +5459,7 @@ packages: eslint-import-resolver-webpack: optional: true dependencies: - '@typescript-eslint/parser': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/parser': 5.45.0_hsf322ms6xhhd4b5ne6lb74y4a debug: 3.2.7 eslint-import-resolver-node: 0.3.6 eslint-import-resolver-typescript: 3.5.2_ktrec6dplf4now6nlbc6d67jee 
@@ -5486,7 +5486,7 @@ packages: string-natural-compare: 3.0.1 dev: true - /eslint-plugin-import/2.26.0_vc54pluhgv7booofyyjouvuf74: + /eslint-plugin-import/2.26.0_xmouedd5rhgbah4737x2hltudq: resolution: {integrity: sha512-hYfi3FXaM8WPLf4S1cikh/r4IxnO6zrhZbEGz2b660EJRbuxgpDS5gkCuYgGWg2xxh2rBuIr4Pvhve/7c31koA==} engines: {node: '>=4'} peerDependencies: @@ -5496,14 +5496,14 @@ packages: '@typescript-eslint/parser': optional: true dependencies: - '@typescript-eslint/parser': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/parser': 5.45.0_hsf322ms6xhhd4b5ne6lb74y4a array-includes: 3.1.5 array.prototype.flat: 1.3.0 debug: 2.6.9 doctrine: 2.1.0 eslint: 8.28.0 eslint-import-resolver-node: 0.3.6 - eslint-module-utils: 2.7.3_nkdimya4zmerbrybxnwpev2imm + eslint-module-utils: 2.7.3_qlteae5dad2nfnhgbnb4x6nyxy has: 1.0.3 is-core-module: 2.9.0 is-glob: 4.0.3 @@ -5517,7 +5517,7 @@ packages: - supports-color dev: true - /eslint-plugin-jest/25.7.0_bifecjdquhom2xjmkl7gfpj6ma: + /eslint-plugin-jest/25.7.0_g4s445ihmht4kpk3znm26xsocm: resolution: {integrity: sha512-PWLUEXeeF7C9QGKqvdSbzLOiLTx+bno7/HC9eefePfEb257QFHg7ye3dh80AZVkaa/RQsBB1Q/ORQvg2X7F0NQ==} engines: {node: ^12.13.0 || ^14.15.0 || >=16.0.0} peerDependencies: @@ -5530,7 +5530,7 @@ packages: jest: optional: true dependencies: - '@typescript-eslint/eslint-plugin': 5.44.0_fnsv2sbzcckq65bwfk7a5xwslu + '@typescript-eslint/eslint-plugin': 5.45.0_czs5uoqkd3podpy6vgtsxfc7au '@typescript-eslint/experimental-utils': 5.30.6_hsf322ms6xhhd4b5ne6lb74y4a eslint: 8.28.0 jest: 29.3.1_@types+node@18.11.9 @@ -5617,7 +5617,7 @@ packages: peerDependencies: eslint: ^7.5.0 || ^8.0.0 dependencies: - '@typescript-eslint/utils': 5.44.0_hsf322ms6xhhd4b5ne6lb74y4a + '@typescript-eslint/utils': 5.45.0_hsf322ms6xhhd4b5ne6lb74y4a eslint: 8.28.0 transitivePeerDependencies: - supports-color From 85a579ca5a9dff18e6cfa21b6e5cf7eda0bc895d Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 29 Nov 2022 20:00:20 +0000 Subject: [PATCH 31/32] build(deps): update module github.com/golang-jwt/jwt/v4 to v4.4.3 (#4448) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2fb34a6f9..c3aabac45 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( github.com/go-rod/rod v0.112.2 github.com/go-sql-driver/mysql v1.6.0 github.com/go-webauthn/webauthn v0.5.0 - github.com/golang-jwt/jwt/v4 v4.4.2 + github.com/golang-jwt/jwt/v4 v4.4.3 github.com/golang/mock v1.6.0 github.com/google/uuid v1.3.0 github.com/hashicorp/go-retryablehttp v0.7.1 diff --git a/go.sum b/go.sum index 6b77f5c18..add7ef375 100644 --- a/go.sum +++ b/go.sum @@ -197,8 +197,8 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= -github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU= +github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= From 442cb272d9d07bea9d76934b17593806e608d3f5 Mon Sep 17 00:00:00 2001 
From: James Elliott Date: Wed, 30 Nov 2022 09:12:50 +1100 Subject: [PATCH 32/32] docs: update proxy docs (#4449) --- docs/content/en/integration/proxies/nginx.md | 2 + .../content/en/integration/proxies/support.md | 38 ++-- docs/content/en/integration/proxies/swag.md | 165 +++++++++++++----- .../en/overview/prologue/supported-proxies.md | 38 ++-- .../en/roadmap/active/openid-connect.md | 9 +- docs/layouts/shortcodes/support.html | 9 + 6 files changed, 176 insertions(+), 85 deletions(-) create mode 100644 docs/layouts/shortcodes/support.html diff --git a/docs/content/en/integration/proxies/nginx.md b/docs/content/en/integration/proxies/nginx.md index 08dc7c691..5b48e39be 100644 --- a/docs/content/en/integration/proxies/nginx.md +++ b/docs/content/en/integration/proxies/nginx.md @@ -387,6 +387,7 @@ location /authelia { ## Headers ## The headers starting with X-* are required. proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Original-Method $request_method; proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; @@ -470,6 +471,7 @@ location /authelia-basic { ## Headers ## The headers starting with X-* are required. proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Original-Method $request_method; proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; diff --git a/docs/content/en/integration/proxies/support.md b/docs/content/en/integration/proxies/support.md index c2e7925c2..cc0803e64 100644 --- a/docs/content/en/integration/proxies/support.md +++ b/docs/content/en/integration/proxies/support.md 
@@ -15,28 +15,28 @@ aliases: - /docs/home/supported-proxies.html --- -| Proxy | [Standard](#standard) | [Kubernetes](#kubernetes) | [XHR Redirect](#xhr-redirect) | [Request Method](#request-method) | -|:---------------------:|:----------------------------------------------------------------:|:------------------------------------------------------------------------------------:|:-----------------------------------------------------:|:-----------------------------------------------------:| -| [Traefik] | [](traefik.md) | [](../../integration/kubernetes/traefik-ingress.md) | | | -| [NGINX] | [](nginx.md) | [](../../integration/kubernetes/nginx-ingress.md) | | | -| [NGINX Proxy Manager] | [](nginx-proxy-manager.md) | | | | -| [SWAG] | [](swag.md) | | | | -| [HAProxy] | [](haproxy.md) | | | | -| [Caddy] | [](caddy.md) | | | | -| [Traefik] 1.x | [](traefikv1.md) | | | | -| [Envoy] | [](envoy.md) | [](../../integration/kubernetes/istio.md) | | | -| [Skipper] | [](skipper.md) | | | | -| [Apache] | [](#apache) | | | | -| [IIS] | [](#iis) | | | | +| Proxy | [Standard](#standard) | [Kubernetes](#kubernetes) | [XHR Redirect](#xhr-redirect) | [Request Method](#request-method) | +|:---------------------:|:------------------------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------:|:---------------------------------:| +| [Traefik] | {{% support support="full" link="traefik.md" %}} | {{% support support="full" link="../../integration/kubernetes/traefik-ingress.md" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Caddy] | {{% support support="full" link="caddy.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Envoy] | {{% support support="full" link="envoy.md" %}} | {{% support support="full" link="../../integration/kubernetes/istio.md" %}} | {{% support support="unknown" %}} | 
{{% support support="full" %}} | +| [NGINX] | {{% support support="full" link="nginx.md" %}} | {{% support support="full" link="../../integration/kubernetes/nginx-ingress.md" %}} | {{% support %}} | {{% support support="full" %}} | +| [NGINX Proxy Manager] | {{% support support="full" link="nginx-proxy-manager/index.md" %}} | {{% support support="unknown" %}} | {{% support %}} | {{% support support="full" %}} | +| [SWAG] | {{% support support="full" link="swag.md" %}} | {{% support support="unknown" %}} | {{% support %}} | {{% support support="full" %}} | +| [HAProxy] | {{% support support="full" link="haproxy.md" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | +| [Skipper] | {{% support support="full" link="skipper.md" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | +| [Traefik] 1.x | {{% support support="full" link="traefikv1.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Apache] | {{% support link="#apache" %}} | {{% support %}} | {{% support %}} | {{% support %}} | +| [IIS] | {{% support link="#iis" %}} | {{% support %}} | {{% support %}} | {{% support %}} | Legend: -| Icon | Meaning | -|:------------------------------------:|:-------------------:| -| | Supported | -| | Unknown | -| | Partially Supported | -| | Not Supported | +| Icon | Meaning | +|:---------------------------------:|:-------------------:| +| {{% support support="full" %}} | Supported | +| {{% support support="unknown" %}} | Unknown | +| {{% support support="partial" %}} | Partially Supported | +| {{% support support="none" %}} | Not Supported | ## Support diff --git a/docs/content/en/integration/proxies/swag.md b/docs/content/en/integration/proxies/swag.md index f6610c604..d659672a2 100644 --- a/docs/content/en/integration/proxies/swag.md +++ b/docs/content/en/integration/proxies/swag.md 
@@ -49,9 +49,15 @@ One current caveat of the [SWAG] implementation is that it serves Authelia as a This is partly because Webauthn requires that the domain is an exact match when registering and authenticating and it is possible that due to web standards this will never change. -In addition this represents a bad user experience in some instances as users sometimes visit the -`https://app.example.com/auth` URL which doesn't automatically redirect the user to `https://app.example.com` (if they -visit `https://app.example.com` then they'll be redirected to authenticate then redirected back to their original URL). +In addition this represents a bad user experience in some instances such as: + + - Users sometimes visit the `https://app.example.com/authelia` URL which doesn't automatically redirect the user to + `https://app.example.com` (if they visit `https://app.example.com` then they'll be redirected to authenticate then + redirected back to their original URL). + - Administrators may wish to setup OpenID Connect 1.0 in which case it also doesn't represent a good user experience. + +Taking these factors into consideration we're adapting our [SWAG] guide to use what we consider best for the users and +most easily supported. Users who wish to use the [SWAG] guide are free to do so but may not receive the same support. ## Trusted Proxies 
@@ -61,22 +67,116 @@ Especially if you have never read it before.* To configure trusted proxies for [SWAG] see the [NGINX] section on [Trusted Proxies](nginx.md#trusted-proxies). Adapting this to [SWAG] is beyond the scope of this documentation. +## Docker Compose + +The following docker compose example has various applications suitable for setting up an example environment. + +It uses the [nginx image](https://github.com/linuxserver/docker-nginx) from [linuxserver.io] which includes all of the +required modules including the `http_set_misc` module. + +It also includes the [nginx-proxy-confs](https://github.com/linuxserver/docker-mods/tree/nginx-proxy-confs) mod where +they have several configuration examples in the `/config/nginx/proxy-confs` directory. This can be omitted if desired. + +If you're looking for a more complete solution [linuxserver.io] also have an nginx container called [SWAG](./swag.md) +which includes ACME and various other useful utilities. + +{{< details "docker-compose.yaml" >}} +```yaml +--- +version: "3.8" + +networks: + net: + driver: bridge + +services: + swag: + container_name: swag + image: lscr.io/linuxserver/swag + restart: unless-stopped + networks: + net: + aliases: [] + ports: + - '80:80' + - '443:443' + volumes: + - ${PWD}/data/swag:/config + environment: + PUID: '1000' + PGID: '1000' + TZ: 'Australia/Melbourne' + URL: 'example.com' + SUBDOMAINS: 'www,whoami,auth,nextcloud,' + VALIDATION: 'http' + CERTPROVIDER: 'cloudflare' + ONLY_SUBDOMAINS: 'false' + STAGING: 'true' + cap_add: + - NET_ADMIN + authelia: + container_name: authelia + image: authelia/authelia + restart: unless-stopped + networks: + net: + aliases: [] + expose: + - 9091 + volumes: + - ${PWD}/data/authelia/config:/config + environment: + TZ: 'Australia/Melbourne' + nextcloud: + container_name: nextcloud + image: lscr.io/linuxserver/nextcloud + restart: unless-stopped + networks: + net: + aliases: [] + expose: + - 443 + volumes: + - ${PWD}/data/nextcloud/config:/config 
+ - ${PWD}/data/nextcloud/data:/data + environment: + PUID: '1000' + PGID: '1000' + TZ: 'Australia/Melbourne' + whoami: + container_name: whoami + image: docker.io/traefik/whoami + restart: unless-stopped + networks: + net: + aliases: [] + expose: + - 80 + environment: + TZ: 'Australia/Melbourne' +... +``` +{{< /details >}} + ## Prerequisite Steps -These steps must be followed regardless of the choice of [subdomain](#subdomain-steps) or [subpath](#subpath-steps). +In the [SWAG] `/config` mount which is mounted to `${PWD}/data/swag` in our example: -1. Deploy __Authelia__ to your docker network with the `container_name` of `authelia` and ensure it's listening on the - default port and you have not configured the __Authelia__ server TLS settings. +1. Create a folder named `snippets/authelia`: + - The `mkdir -p ${PWD}/data/swag/snippets/authelia` command should achieve this on Linux. +2. Create the `${PWD}/data/swag/nginxsnippets/authelia/location.conf` file which can be found [here](nginx.md#authelia-locationconf). +3. Create the `${PWD}/data/swag/nginxsnippets/authelia/authrequest.conf` file which can be found [here](nginx.md#authelia-authrequestconf). + - Ensure you adjust the line `error_page 401 =302 https://auth.example.com/?rd=$target_url;` replacing `https://auth.example.com/` with your external Authelia URL. -## Subdomain Steps +## Protected Application In the server configuration for the application you want to protect: 1. Edit the `/config/nginx/proxy-confs/` file for the application you wish to protect. -2. Uncomment the `#include /config/nginx/authelia-server.conf;` line which should be within the `server` block - but not inside any `location` blocks. -3. Uncomment the `#include /config/nginx/authelia-location.conf;` line which should be within the applications - `location` block. +2. Under the `#include /config/nginx/authelia-server.conf;` line which should be within the `server` block + but not inside any `location` blocks add the following line: ``. 
+3. Under the `#include /config/nginx/authelia-location.conf;` line which should be within the applications + `location` block add the following line `include /config/nginx/snippets/authelia/authrequest.conf;`. ### Example 
@@ -85,58 +185,31 @@ server { listen 443 ssl; listen [::]:443 ssl; - server_name heimdall.*; + server_name whoami.*; include /config/nginx/ssl.conf; client_max_body_size 0; # Authelia: Step 1. - include /config/nginx/authelia-server.conf; + #include /config/nginx/authelia-server.conf; + include /config/nginx/snippets/authelia/location.conf; location / { # Authelia: Step 2. - include /config/nginx/authelia-location.conf; + #include /config/nginx/authelia-location.conf; + include /config/nginx/snippets/authelia/authrequest.conf; include /config/nginx/proxy.conf; resolver 127.0.0.11 valid=30s; - set $upstream_app heimdall; - set $upstream_port 443; - set $upstream_proto https; + set $upstream_app whoami; + set $upstream_port 80; + set $upstream_proto http; proxy_pass $upstream_proto://$upstream_app:$upstream_port; } } ``` -## Subpath Steps - -*__Note:__ Steps 1 and 2 only need to be done once, even if you wish to protect multiple applications.* - -1. Edit `/config/nginx/proxy-confs/default`. -2. Uncomment the `#include /config/nginx/authelia-server.conf;` line. -3. Edit the `/config/nginx/proxy-confs/` file for the application you wish to protect. -4. Uncomment the `#include /config/nginx/authelia-location.conf;` line which should be within the applications - `location` block. - -### Example - -```nginx -location ^~ /bazarr/ { - # Authelia: Step 4. - include /config/nginx/authelia-location.conf; - - include /config/nginx/proxy.conf; - resolver 127.0.0.11 valid=30s; - set $upstream_app bazarr; - set $upstream_port 6767; - set $upstream_proto http; - proxy_pass $upstream_proto://$upstream_app:$upstream_port; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; -} -``` - ## See Also * [Authelia NGINX Integration Documentation](nginx.md) diff --git a/docs/content/en/overview/prologue/supported-proxies.md b/docs/content/en/overview/prologue/supported-proxies.md index 01a12fcc5..d834d6973 100644 
--- a/docs/content/en/overview/prologue/supported-proxies.md +++ b/docs/content/en/overview/prologue/supported-proxies.md 
@@ -14,28 +14,28 @@ toc: false The following table is a support matrix for Authelia features and specific reverse proxies. -| Proxy | [Standard](#standard) | [Kubernetes](#kubernetes) | [XHR Redirect](#xhr-redirect) | [Request Method](#request-method) | -|:---------------------:|:-------------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:|:-----------------------------------------------------:|:-----------------------------------------------------:| -| [Traefik] | [](../../integration/proxies/traefik.md) | [](../../integration/kubernetes/traefik-ingress.md) | | | -| [NGINX] | [](../../integration/proxies/nginx.md) | [](../../integration/kubernetes/nginx-ingress.md) | | | -| [NGINX Proxy Manager] | [](../../integration/proxies/nginx-proxy-manager.md) | | | | -| [SWAG] | [](../../integration/proxies/swag.md) | | | | -| [HAProxy] | [](../../integration/proxies/haproxy.md) | | | | -| [Caddy] | [](../../integration/proxies/caddy.md) | | | | -| [Traefik] 1.x | [](../../integration/proxies/traefikv1.md) | | | | -| [Envoy] | [](../../integration/proxies/envoy.md) | [](../../integration/kubernetes/istio.md) | | | -| [Skipper] | [](../../integration/proxies/skipper.md) | | | | -| [Apache] | | | | | -| [IIS] | | | | | +| Proxy | Standard | Kubernetes | XHR Redirect | Request Method | +|:---------------------:|:--------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------:|:---------------------------------:|:---------------------------------:| +| [Traefik] | {{% support support="full" link="../../integration/proxies/traefik.md" %}} | {{% support support="full" link="../../integration/kubernetes/traefik-ingress.md" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Caddy] | {{% support support="full" 
link="../../integration/proxies/caddy.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Envoy] | {{% support support="full" link="../../integration/proxies/envoy.md" %}} | {{% support support="full" link="../../integration/kubernetes/istio.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | +| [NGINX] | {{% support support="full" link="../../integration/proxies/nginx.md" %}} | {{% support support="full" link="../../integration/kubernetes/nginx-ingress.md" %}} | {{% support %}} | {{% support support="full" %}} | +| [NGINX Proxy Manager] | {{% support support="full" link="../../integration/proxies/nginx-proxy-manager/index.md" %}} | {{% support %}} | {{% support %}} | {{% support support="full" %}} | +| [SWAG] | {{% support support="full" link="../../integration/proxies/swag.md" %}} | {{% support %}} | {{% support %}} | {{% support support="full" %}} | +| [HAProxy] | {{% support support="full" link="../../integration/proxies/haproxy.md" %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | +| [Traefik] 1.x | {{% support support="full" link="../../integration/proxies/traefikv1.md" %}} | {{% support support="unknown" %}} | {{% support support="full" %}} | {{% support support="full" %}} | +| [Skipper] | {{% support support="full" link="../../integration/proxies/skipper.md" %}} | {{% support %}} | {{% support support="unknown" %}} | {{% support support="unknown" %}} | +| [Apache] | {{% support %}} | {{% support %}} | {{% support %}} | {{% support %}} | +| [IIS] | {{% support %}} | {{% support %}} | {{% support %}} | {{% support %}} | Legend: -| Icon | Meaning | -|-------------------------------------:|:-------------------:| -| | Supported | -| | Unknown | -| | Partially Supported | -| | Not Supported | +| Icon | Meaning | +|:----------------------------------:|:-------------------:| +| {{% support support="full" %}} | 
Supported | +| {{% support support="unknown" %}} | Unknown | +| {{% support support="partial" %}} | Partially Supported | +| {{% support %}} | Not Supported | ## More Information diff --git a/docs/content/en/roadmap/active/openid-connect.md b/docs/content/en/roadmap/active/openid-connect.md index 180a5a24a..08cff74f0 100644 --- a/docs/content/en/roadmap/active/openid-connect.md +++ b/docs/content/en/roadmap/active/openid-connect.md @@ -113,6 +113,13 @@ Feature List: ### Beta 6 +{{< roadmap-status stage="in-progress" version="v4.38.0" >}} + + +* [OAuth 2.0 Pushed Authorization Requests](https://www.rfc-editor.org/rfc/rfc9126.html) + +### Beta 7 + {{< roadmap-status >}} Feature List: @@ -122,7 +129,7 @@ Feature List: See [OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers)]. -### Beta 7 +### Beta 8 {{< roadmap-status >}} diff --git a/docs/layouts/shortcodes/support.html b/docs/layouts/shortcodes/support.html new file mode 100644 index 000000000..031f987ac --- /dev/null +++ b/docs/layouts/shortcodes/support.html @@ -0,0 +1,9 @@ +{{- $class := "icon-support-none" }}{{ $title := "Not Supported" }} +{{- with .Get "support" }} +{{- if (eq . "full") }}{{ $class = "icon-support-full" }}{{ $title = "Fully Supported" }} +{{- else if (eq . "partial") }}{{ $class = "icon-support-partial" }}{{ $title = "Partially Supported" }} +{{- else if (eq . "unknown") }}{{ $class = "icon-support-unknown" }}{{ $title = "Unknown" }} +{{- end }}{{ end }} +{{- with .Get "title" }}{{ $title = . }}{{ end }} +{{- with .Get "link" }}[]({{ . }}) +{{- else }}{{ end }} \ No newline at end of file
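Review bot: An unrecognised `support` value in the new `support.html` shortcode falls through to the `icon-support-none` / "Not Supported" defaults set on its first line, so a typo such as `support="ful"` in one of the proxy tables would publish a wrong support status with no build feedback. The legend in `support.md` already passes `support="none"`, which works only through that fall-through. Consider matching it explicitly and failing the build for anything else, for example `{{- else if (eq . "none") }}` followed by `{{- else }}{{ errorf "support shortcode: unknown value %q (%s)" . $.Position }}`. A leading template comment naming the three parameters (`support`, `title`, `link`) and their defaults would also help the next editor. The markup that consumes `$class` and `$title` is not visible in this view, so this covers the parameter handling only.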