From 48d6107b0b9e1a028046a230ebfe0e971cbac044 Mon Sep 17 00:00:00 2001 From: Clement Michaud Date: Tue, 24 Apr 2018 23:03:05 +0200 Subject: [PATCH] Rename redirect query parameter into rd for compatibility with nginx-ingress --- example/compose/nginx/backend/html/home/index.html | 4 ++-- example/compose/nginx/portal/nginx.conf | 14 +++++++------- example/kube/apps/app-home/index.html | 2 +- example/kube/apps/secure-ingress.yml | 2 +- example/kube/ingress-controller/deployment.yml | 12 ++++++------ server/src/lib/routes/firstfactor/get.ts | 3 ++- shared/constants.ts | 2 +- test/features/access-control.feature | 6 +++--- test/features/auth-portal-redirection.feature | 10 +++++----- test/features/authelia.feature | 2 +- test/features/authentication.feature | 6 +++--- test/features/redirection.feature | 6 +++--- test/features/regulation.feature | 2 +- test/features/resilience.feature | 2 +- test/features/session-timeout.feature | 4 ++-- test/features/single-factor-domain.feature | 6 +++--- test/features/single-factor-only-server.feature | 2 +- 17 files changed, 43 insertions(+), 42 deletions(-) diff --git a/example/compose/nginx/backend/html/home/index.html b/example/compose/nginx/backend/html/home/index.html index 49f2dde04..5dd4295af 100644 --- a/example/compose/nginx/backend/html/home/index.html +++ b/example/compose/nginx/backend/html/home/index.html @@ -56,7 +56,7 @@ - You can also log off by visiting the following link. + You can also log off by visiting the following link.

List of users

Here is the list of credentials you can log in with to test access control.
@@ -131,4 +131,4 @@ users: - '^/users/harry/.*$' - \ No newline at end of file + diff --git a/example/compose/nginx/portal/nginx.conf b/example/compose/nginx/portal/nginx.conf index 1ce5fcfc9..a3bf5295c 100644 --- a/example/compose/nginx/portal/nginx.conf +++ b/example/compose/nginx/portal/nginx.conf @@ -96,7 +96,7 @@ http { proxy_set_header Host $http_host; - error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 401 =302 https://login.example.com:8080?rd=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_endpoint; @@ -113,7 +113,7 @@ http { auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Custom-Forwarded-Groups $groups; - error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 401 =302 https://login.example.com:8080?rd=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_headers; @@ -159,7 +159,7 @@ http { proxy_set_header Host $http_host; - error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 401 =302 https://login.example.com:8080?rd=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_endpoint; @@ -205,7 +205,7 @@ http { proxy_set_header Host $http_host; - error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 401 =302 https://login.example.com:8080?rd=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_endpoint; @@ -251,7 +251,7 @@ http { proxy_set_header Host $http_host; - error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 401 =302 https://login.example.com:8080?rd=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_endpoint; @@ -299,7 +299,7 @@ http { proxy_set_header Host $http_host; - error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 401 =302 https://login.example.com:8080?rd=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_endpoint; @@ -316,7 +316,7 @@ http { auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Custom-Forwarded-Groups $groups; - error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 401 =302 https://login.example.com:8080?rd=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_headers; diff --git a/example/kube/apps/app-home/index.html b/example/kube/apps/app-home/index.html index 6483f6b38..a1e975e94 100644 --- a/example/kube/apps/app-home/index.html +++ b/example/kube/apps/app-home/index.html @@ -29,7 +29,7 @@

- You can always log off by clicking here + You can always log off by clicking here

diff --git a/example/kube/apps/secure-ingress.yml b/example/kube/apps/secure-ingress.yml index b840fb5a4..2858479fb 100644 --- a/example/kube/apps/secure-ingress.yml +++ b/example/kube/apps/secure-ingress.yml @@ -7,7 +7,7 @@ metadata: annotations: kubernetes.io/ingress.class: "nginx" nginx.ingress.kubernetes.io/auth-url: "http://authelia-service.authelia.svc.cluster.local/api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.kube.example.com?redirect=$redirect" + nginx.ingress.kubernetes.io/auth-signin: "https://login.kube.example.com" spec: tls: - secretName: app2-tls diff --git a/example/kube/ingress-controller/deployment.yml b/example/kube/ingress-controller/deployment.yml index 083c06204..61d564b2a 100644 --- a/example/kube/ingress-controller/deployment.yml +++ b/example/kube/ingress-controller/deployment.yml @@ -20,16 +20,16 @@ spec: spec: terminationGracePeriodSeconds: 60 containers: - - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0-beta.19 + - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.13.0 name: nginx-ingress-controller-external imagePullPolicy: Always ports: - containerPort: 80 - containerPort: 443 - volumeMounts: - - mountPath: /etc/nginx/template - name: nginx-template-volume - readOnly: true + # volumeMounts: + # - mountPath: /etc/nginx/template + # name: nginx-template-volume + # readOnly: true env: - name: POD_NAME valueFrom: @@ -44,7 +44,7 @@ spec: - --ingress-class=nginx - --election-id=ingress-controller-leader-external - --default-backend-service=$(POD_NAMESPACE)/default-http-backend - - --configmap=$(POD_NAMESPACE)/authelia-ingress-controller-config + # - --configmap=$(POD_NAMESPACE)/authelia-ingress-controller-config volumes: - name: nginx-template-volume configMap: diff --git a/server/src/lib/routes/firstfactor/get.ts b/server/src/lib/routes/firstfactor/get.ts index 14faa225e..9cb793da7 100644 --- a/server/src/lib/routes/firstfactor/get.ts +++ b/server/src/lib/routes/firstfactor/get.ts @@ -20,7 +20,8 @@ function redirectToSecondFactorPage(req: express.Request, res: express.Response) if (!redirectUrl) res.redirect(Endpoints.SECOND_FACTOR_GET); else - res.redirect(Util.format("%s?redirect=%s", Endpoints.SECOND_FACTOR_GET, + res.redirect(Util.format("%s?%s=%s", Endpoints.SECOND_FACTOR_GET, + Constants.REDIRECT_QUERY_PARAM, encodeURIComponent(redirectUrl))); } diff --git a/shared/constants.ts b/shared/constants.ts index a566fe0b8..47d3852a8 100644 --- a/shared/constants.ts +++ b/shared/constants.ts @@ -1 +1 @@ -export const REDIRECT_QUERY_PARAM = "redirect"; \ No newline at end of file +export const REDIRECT_QUERY_PARAM = "rd"; \ No newline at end of file diff --git a/test/features/access-control.feature b/test/features/access-control.feature index 9b5cb0769..701e3042f 100644 --- a/test/features/access-control.feature +++ b/test/features/access-control.feature @@ -2,7 +2,7 @@ Feature: User has access restricted access to domains @need-registered-user-john Scenario: User john has admin access - When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F" + When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" @@ -20,7 +20,7 @@ Feature: User has access restricted access to domains @need-registered-user-bob Scenario: User bob has restricted access - When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F" + When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F" And I login with user "bob" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" @@ -38,7 +38,7 @@ Feature: User has access restricted access to domains @need-registered-user-harry Scenario: User harry has restricted access - When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F" + When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F" And I login with user "harry" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" diff --git a/test/features/auth-portal-redirection.feature b/test/features/auth-portal-redirection.feature index a0fa36235..22445d794 100644 --- a/test/features/auth-portal-redirection.feature +++ b/test/features/auth-portal-redirection.feature @@ -3,16 +3,16 @@ Feature: User is redirected when factors are already validated @need-registered-user-john Scenario: User has validated first factor and tries to access service protected by second factor. He is then redirect to second factor step. When I visit "https://single_factor.example.com:8080/secret.html" - And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html" + And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" And I'm redirected to "https://single_factor.example.com:8080/secret.html" And I visit "https://public.example.com:8080/secret.html" - Then I'm redirected to "https://login.example.com:8080/secondfactor?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" @need-registered-user-john Scenario: User who has validated second factor and access auth portal should be redirected to "Already logged in page" and redirected to default URL declared in configuration When I visit "https://public.example.com:8080/secret.html" - And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" @@ -25,10 +25,10 @@ Feature: User is redirected when factors are already validated @need-registered-user-john Scenario: User who has validated second factor and access auth portal with rediction param should be redirected to that URL When I visit "https://public.example.com:8080/secret.html" - And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" And I'm redirected to "https://public.example.com:8080/secret.html" - And I visit "https://login.example.com:8080?redirect=https://public.example.com:8080/secret.html" + And I visit "https://login.example.com:8080?rd=https://public.example.com:8080/secret.html" Then I'm redirected to "https://public.example.com:8080/secret.html" diff --git a/test/features/authelia.feature b/test/features/authelia.feature index 7c7f472db..dc993c2b8 100644 --- a/test/features/authelia.feature +++ b/test/features/authelia.feature @@ -5,5 +5,5 @@ Feature: Generic tests on Authelia endpoints Then I get error code 401 Scenario: /api/verify redirects when redirect parameter is provided - When I query "https://authelia.example.com:8080/api/verify?redirect=http://login.example.com:8080" + When I query "https://authelia.example.com:8080/api/verify?rd=http://login.example.com:8080" Then I get redirected to "http://login.example.com:8080" \ No newline at end of file diff --git a/test/features/authentication.feature b/test/features/authentication.feature index 79dcfaf43..4583d7076 100644 --- a/test/features/authentication.feature +++ b/test/features/authentication.feature @@ -19,7 +19,7 @@ Feature: Authentication scenarii And I login with user "john" and password "password" And I register a TOTP secret called "Sec0" When I visit "https://admin.example.com:8080/secret.html" - And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" + And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" And I use "Sec0" as TOTP token handle And I click on "Sign in" @@ -27,12 +27,12 @@ Feature: Authentication scenarii Scenario: User fails TOTP second factor When I visit "https://admin.example.com:8080/secret.html" - And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" + And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" And I use "BADTOKEN" as TOTP token And I click on "Sign in" Then I get a notification of type "error" with message "Authentication failed. Have you already registered your secret?" Scenario: Logout redirects user to redirect URL given in parameter - When I visit "https://login.example.com:8080/logout?redirect=https://home.example.com:8080/" + When I visit "https://login.example.com:8080/logout?rd=https://home.example.com:8080/" Then I'm redirected to "https://home.example.com:8080/" diff --git a/test/features/redirection.feature b/test/features/redirection.feature index 978580030..3d3924312 100644 --- a/test/features/redirection.feature +++ b/test/features/redirection.feature @@ -2,7 +2,7 @@ Feature: User is correctly redirected Scenario: User is redirected to authelia when he is not authenticated When I visit "https://public.example.com:8080" - Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2F" + Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2F" @need-registered-user-john Scenario: User is redirected to home page after several authentication tries @@ -22,7 +22,7 @@ Feature: User is correctly redirected Scenario: Redirection URL is propagated from restricted page to first factor When I visit "https://public.example.com:8080/secret.html" - Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" Scenario: Redirection URL is propagated from first factor to second factor Given I visit "https://login.example.com:8080/" @@ -30,7 +30,7 @@ Feature: User is correctly redirected And I register a TOTP secret called "Sec0" When I visit "https://public.example.com:8080/secret.html" And I login with user "john" and password "password" - Then I'm redirected to "https://login.example.com:8080/secondfactor?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" Scenario: Redirection URL is used to send user from second factor to target page Given I visit "https://login.example.com:8080/" diff --git a/test/features/regulation.feature b/test/features/regulation.feature index 48d5849cc..d0c385d61 100644 --- a/test/features/regulation.feature +++ b/test/features/regulation.feature @@ -20,7 +20,7 @@ Feature: Authelia regulates authentication to avoid brute force @need-registered-user-blackhat Scenario: User is unbanned after a configured amount of time - Given I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + Given I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" And I set field "username" to "blackhat" And I set field "password" to "bad-password" And I click on "Sign in" diff --git a/test/features/resilience.feature b/test/features/resilience.feature index b252ca66a..0bb6d5c5a 100644 --- a/test/features/resilience.feature +++ b/test/features/resilience.feature @@ -8,7 +8,7 @@ Feature: Authelia keeps user sessions despite the application restart @need-registered-user-john Scenario: Secrets are stored even when Authelia restarts When the application restarts - And I visit "https://admin.example.com:8080/secret.html" and get redirected "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" + And I visit "https://admin.example.com:8080/secret.html" and get redirected "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" diff --git a/test/features/session-timeout.feature b/test/features/session-timeout.feature index 1d31bb9d2..0306b0017 100644 --- a/test/features/session-timeout.feature +++ b/test/features/session-timeout.feature @@ -6,7 +6,7 @@ Feature: Session is closed after a certain amount of time Given I have access to "https://public.example.com:8080/secret.html" When I sleep for 6 seconds And I visit "https://public.example.com:8080/secret.html" - Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" @need-authenticated-user-john Scenario: An authenticated user is disconnected after session expiration period @@ -17,4 +17,4 @@ Feature: Session is closed after a certain amount of time And I visit "https://public.example.com:8080/secret.html" And I sleep for 4 seconds And I visit "https://public.example.com:8080/secret.html" - Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" \ No newline at end of file + Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" \ No newline at end of file diff --git a/test/features/single-factor-domain.feature b/test/features/single-factor-domain.feature index ff2ec279e..6b15847fd 100644 --- a/test/features/single-factor-domain.feature +++ b/test/features/single-factor-domain.feature @@ -1,14 +1,14 @@ Feature: User can access certain subdomains with single factor Scenario: User is redirected to service after first factor if allowed - When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html" + When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" Then I'm redirected to "https://single_factor.example.com:8080/secret.html" Scenario: Redirection after first factor fails if single_factor not allowed. It redirects user to first factor. - When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" + When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" - Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" + Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" Scenario: User can login using basic authentication When I request "https://single_factor.example.com:8080/secret.html" with username "john" and password "password" using basic authentication diff --git a/test/features/single-factor-only-server.feature b/test/features/single-factor-only-server.feature index e6b8b9f08..25b233ad5 100644 --- a/test/features/single-factor-only-server.feature +++ b/test/features/single-factor-only-server.feature @@ -3,7 +3,7 @@ Feature: Server is configured as a single factor only server @need-registered-user-john Scenario: User is redirected to service after first factor if allowed - When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" + When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" Then I'm redirected to "https://public.example.com:8080/secret.html"