Merge remote-tracking branch 'origin/master' into feat-settings-ui

pull/4806/head
James Elliott 2022-12-23 16:08:47 +11:00
commit 4a2fd3dea7
GPG Key ID: 0F1C4A096E857E49
174 changed files with 5917 additions and 3361 deletions


@ -825,6 +825,15 @@
"code",
"design"
]
},
{
"login": "Ohelig",
"name": "Ohelig",
"avatar_url": "https://avatars.githubusercontent.com/u/5841980?v=4",
"profile": "https://github.com/Ohelig",
"contributions": [
"doc"
]
}
],
"contributorsPerLine": 7


@ -26,6 +26,8 @@ body:
description: What version(s) of Authelia can you reproduce this bug on?
multiple: true
options:
- v4.37.5
- v4.37.4
- v4.37.3
- v4.37.2
- v4.37.1


@ -10,7 +10,9 @@ Don't hesitate to come help us improve Authelia! See you soon!
## Bug Reports and Feature Requests
If you've found a **bug** or have a **feature request** then please create an issue in this repository (but search first in case a similar issue already exists).
If you've found a **bug** or have a **feature request** then please create a
[bug report](https://www.authelia.com/l/bug) or [feature request](https://www.authelia.com/l/fr) respectively in this
repository (but search first in case a similar issue already exists).
## Code
@ -23,13 +25,14 @@ about requirement or implementation. That way you can be sure that the maintaine
and you can hopefully get a quick merge afterwards. Also, let the maintainers know that you plan to work on a particular
issue so that no one else starts any duplicate work.
Pull Requests can only be merged once all status checks are green, which means `authelia-scripts --log-level debug ci` passes, and coverage does not regress.
Pull Requests can only be merged once all status checks are green, which means `authelia-scripts --log-level debug ci`
passes, and coverage does not regress.
## Do not force push to your pull request branch
Please do not force push to your PR's branch after you have created your PR, as doing so makes it harder for us to review your work.
PRs will always be squashed by us when we merge your work.
Commit as many times as you need in your pull request branch.
Please do not force push to your PR's branch after you have created your PR, as doing so makes it harder for us to
review your work. PRs will always be squashed by us when we merge your work. Commit as many times as you need in your
pull request branch.
## Re-requesting a review


@ -11,15 +11,16 @@ WORKDIR /app
# Set environment variables
ENV PATH="/app:${PATH}" \
PUID=0 \
PGID=0
PGID=0 \
X_AUTHELIA_CONFIG="/config/configuration.yml"
RUN \
apk --no-cache add ca-certificates su-exec tzdata
apk --no-cache add ca-certificates su-exec tzdata
COPY LICENSE .healthcheck.env entrypoint.sh healthcheck.sh ./
RUN \
chmod 0666 /app/.healthcheck.env
chmod 0666 /app/.healthcheck.env
COPY authelia-${TARGETOS}-${TARGETARCH}-musl ./authelia
@ -28,5 +29,4 @@ EXPOSE 9091
VOLUME /config
ENTRYPOINT ["/app/entrypoint.sh"]
CMD ["--config", "/config/configuration.yml"]
HEALTHCHECK --interval=30s --timeout=3s --start-period=1m CMD /app/healthcheck.sh
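Review bot: The new `X_AUTHELIA_CONFIG="/config/configuration.yml"` entry in the ENV block replaces the `CMD ["--config", "/config/configuration.yml"]` default that this section removes, but nothing in the Dockerfile records that relationship or that a `--config` argument passed at run time takes precedence over the variable (the configuration docs updated in this same commit state the argument wins and the variable is then ignored). A reader who sees only `ENTRYPOINT ["/app/entrypoint.sh"]` with no CMD may conclude that no default configuration path exists. Suggest a comment above the ENV block: `# X_AUTHELIA_CONFIG supplies the default config path (replaces the former --config CMD); an explicit --config argument overrides it`. The same applies to the coverage and dev Dockerfiles below, which make the identical change.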


@ -20,14 +20,14 @@ FROM golang:1.19.4-alpine AS builder-backend
WORKDIR /go/src/app
RUN \
echo ">> Downloading required apk's..." && \
apk --no-cache add gcc musl-dev
echo ">> Downloading required apk's..." && \
apk --no-cache add gcc musl-dev
COPY go.mod go.sum ./
RUN \
echo ">> Downloading go modules..." && \
go mod download
echo ">> Downloading go modules..." && \
go mod download
COPY / ./
@ -36,12 +36,12 @@ COPY --from=builder-frontend /node/src/internal/server/public_html internal/serv
ARG LDFLAGS_EXTRA
RUN \
mv api internal/server/public_html/api && \
cd cmd/authelia && \
chmod 0666 /go/src/app/.healthcheck.env && \
echo ">> Starting go build (coverage via go test)..." && \
CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go test -c --tags coverage -covermode=atomic \
-ldflags "${LDFLAGS_EXTRA}" -o authelia -coverpkg github.com/authelia/authelia/...
mv api internal/server/public_html/api && \
cd cmd/authelia && \
chmod 0666 /go/src/app/.healthcheck.env && \
echo ">> Starting go build (coverage via go test)..." && \
CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go test -c --tags coverage -covermode=atomic \
-ldflags "${LDFLAGS_EXTRA}" -o authelia -coverpkg github.com/authelia/authelia/...
# ===================================
# ===== Authelia official image =====
@ -58,7 +58,8 @@ EXPOSE 9091
VOLUME /config
ENV PATH="/app:${PATH}"
ENV PATH="/app:${PATH}" \
X_AUTHELIA_CONFIG="/config/configuration.yml"
CMD ["authelia", "-test.coverprofile=/authelia/coverage.txt", "COVERAGE", "--config", "/config/configuration.yml"]
CMD ["authelia", "-test.coverprofile=/authelia/coverage.txt", "COVERAGE"]
HEALTHCHECK --interval=30s --timeout=3s CMD /app/healthcheck.sh


@ -18,14 +18,14 @@ FROM golang:1.19.4-alpine AS builder-backend
WORKDIR /go/src/app
RUN \
echo ">> Downloading required apk's..." && \
apk --no-cache add gcc musl-dev
echo ">> Downloading required apk's..." && \
apk --no-cache add gcc musl-dev
COPY go.mod go.sum ./
RUN \
echo ">> Downloading go modules..." && \
go mod download
echo ">> Downloading go modules..." && \
go mod download
COPY / ./
@ -34,11 +34,11 @@ COPY --from=builder-frontend /node/src/internal/server/public_html internal/serv
ARG LDFLAGS_EXTRA
RUN \
mv api internal/server/public_html/api && \
chmod 0666 /go/src/app/.healthcheck.env && \
echo ">> Starting go build..." && \
CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go build \
-ldflags "-linkmode=external -s -w ${LDFLAGS_EXTRA}" -trimpath -buildmode=pie -o authelia ./cmd/authelia
mv api internal/server/public_html/api && \
chmod 0666 /go/src/app/.healthcheck.env && \
echo ">> Starting go build..." && \
CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go build \
-ldflags "-linkmode=external -s -w ${LDFLAGS_EXTRA}" -trimpath -buildmode=pie -o authelia ./cmd/authelia
# ===================================
# ===== Authelia official image =====
@ -50,20 +50,20 @@ WORKDIR /app
# Set environment variables
ENV PATH="/app:${PATH}" \
PUID=0 \
PGID=0
PGID=0 \
X_AUTHELIA_CONFIG="/config/configuration.yml"
RUN \
apk --no-cache add ca-certificates su-exec tzdata
apk --no-cache add ca-certificates su-exec tzdata
COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
RUN \
chmod 0666 /app/.healthcheck.env
chmod 0666 /app/.healthcheck.env
EXPOSE 9091
VOLUME /config
ENTRYPOINT ["/app/entrypoint.sh"]
CMD ["--config", "/config/configuration.yml"]
HEALTHCHECK --interval=30s --timeout=3s --start-period=1m CMD /app/healthcheck.sh


@ -307,6 +307,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
<tr>
<td align="center"><a href="https://github.com/paul-ohl"><img src="https://avatars.githubusercontent.com/u/37795294?v=4?s=100" width="100px;" alt="Paul Ohl"/><br /><sub><b>Paul Ohl</b></sub></a><br /><a href="https://github.com/authelia/authelia/commits?author=paul-ohl" title="Documentation">📖</a></td>
<td align="center"><a href="https://github.com/smkent"><img src="https://avatars.githubusercontent.com/u/2831985?v=4?s=100" width="100px;" alt="Stephen Kent"/><br /><sub><b>Stephen Kent</b></sub></a><br /><a href="#ideas-smkent" title="Ideas, Planning, & Feedback">🤔</a> <a href="https://github.com/authelia/authelia/commits?author=smkent" title="Code">💻</a> <a href="#design-smkent" title="Design">🎨</a></td>
<td align="center"><a href="https://github.com/Ohelig"><img src="https://avatars.githubusercontent.com/u/5841980?v=4?s=100" width="100px;" alt="Ohelig"/><br /><sub><b>Ohelig</b></sub></a><br /><a href="https://github.com/authelia/authelia/commits?author=Ohelig" title="Documentation">📖</a></td>
</tr>
</tbody>
</table>


@ -175,6 +175,240 @@ paths:
description: Unauthorized
security:
- authelia_auth: []
options:
tags:
- Authentication
summary: Verification
description: >
The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
domain.
parameters:
- $ref: '#/components/parameters/originalURLParam'
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/authParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
post:
tags:
- Authentication
summary: Verification
description: >
The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
domain.
parameters:
- $ref: '#/components/parameters/originalURLParam'
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/authParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
put:
tags:
- Authentication
summary: Verification
description: >
The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
domain.
parameters:
- $ref: '#/components/parameters/originalURLParam'
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/authParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
patch:
tags:
- Authentication
summary: Verification
description: >
The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
domain.
parameters:
- $ref: '#/components/parameters/originalURLParam'
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/authParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
delete:
tags:
- Authentication
summary: Verification
description: >
The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
domain.
parameters:
- $ref: '#/components/parameters/originalURLParam'
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/authParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
trace:
tags:
- Authentication
summary: Verification
description: >
The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
domain.
parameters:
- $ref: '#/components/parameters/originalURLParam'
- $ref: '#/components/parameters/forwardedMethodParam'
- $ref: '#/components/parameters/authParam'
responses:
"200":
description: Successful Operation
headers:
remote-user:
description: Username
schema:
type: string
example: john
remote-name:
description: Name
schema:
type: string
example: John Doe
remote-email:
description: Email
schema:
type: string
example: john.doe@authelia.com
remote-groups:
description: Comma separated list of Groups
schema:
type: string
example: admin,devs
"401":
description: Unauthorized
security:
- authelia_auth: []
/api/firstfactor:
post:
tags:
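Review bot: The six new operation blocks (options, post, put, patch, delete, trace) are verbatim copies of each other, each repeating the same three parameter refs, the four `remote-*` response headers and the 401 response, so they will drift the first time one of them is edited on its own. Lift the shared 200 response into `components/responses` and the header set into `components/headers`, then reference them with `$ref` from every method the same way the parameters already use `#/components/parameters/...`. Whether the server actually serves the verify endpoint for all of these methods cannot be confirmed from this section, and the path key the operations belong to sits above the hunk. This is a spec-shape point rather than a behaviour change.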


@ -5,18 +5,14 @@ import (
"fmt"
"strings"
"text/template"
"github.com/authelia/authelia/v4/internal/templates"
)
//go:embed templates/*
var templatesFS embed.FS
var (
funcMap = template.FuncMap{
"stringsContains": strings.Contains,
"join": strings.Join,
"joinX": fmJoinX,
}
tmplCodeConfigurationSchemaKeys = template.Must(newTMPL("internal_configuration_schema_keys.go"))
tmplGitHubIssueTemplateBug = template.Must(newTMPL("github_issue_template_bug_report.yml"))
tmplIssueTemplateFeature = template.Must(newTMPL("github_issue_template_feature.yml"))
@ -27,33 +23,14 @@ var (
tmplServer = template.Must(newTMPL("server_gen.go"))
)
func fmJoinX(elems []string, sep string, n int, p string) string {
buf := strings.Builder{}
c := 0
e := len(elems) - 1
for i := 0; i <= e; i++ {
if c+len(elems[i])+1 > n {
c = 0
buf.WriteString(p)
}
c += len(elems[i]) + 1
buf.WriteString(elems[i])
if i < e {
buf.WriteString(sep)
}
}
return buf.String()
}
func newTMPL(name string) (tmpl *template.Template, err error) {
return template.New(name).Funcs(funcMap).Parse(mustLoadTmplFS(name))
return template.New(name).
Funcs(template.FuncMap{
"stringsContains": strings.Contains,
"join": strings.Join,
"joinX": templates.StringJoinXFunc,
}).
Parse(mustLoadTmplFS(name))
}
func mustLoadTmplFS(tmpl string) string {
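Review bot: `newTMPL` now builds a fresh `template.FuncMap` literal on every call, so the map and its three entries are re-created once per template (the `var` block above calls it for each `tmpl*` value), whereas the removed package-level `funcMap` was built once and shared. If the intent was only to swap the local `fmJoinX` for the shared helper, keep the package-level map and change the one entry: `"joinX": templates.StringJoinXFunc,`. `newTMPL` also declares named results `(tmpl *template.Template, err error)` that the body never uses, and it has no doc comment; `// newTMPL parses the embedded template called name with the shared function map.` would help since the function is only reached through the `template.Must` calls above. `mustLoadTmplFS` starts on the hunk's last line and continues outside it.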


@ -284,8 +284,10 @@ authentication_backend:
# ldap:
## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
## Acceptable options are as follows:
## - 'activedirectory' - For Microsoft Active Directory.
## - 'custom' - For custom specifications of attributes and filters.
## - 'activedirectory' - for Microsoft Active Directory.
## - 'freeipa' - for FreeIPA.
## - 'lldap' - for lldap.
## - 'custom' - for custom specifications of attributes and filters.
## This currently defaults to 'custom' to maintain existing behaviour.
##
## Depending on the option here certain other values in this section have a default value, notably all of the


@ -12,6 +12,23 @@ weight: 101200
toc: true
---
## Loading Behaviour and Discovery
There are several options which affect the loading of files:
| Name | Argument | Environment Variable | Description |
|:-----------------:|:-------------------------------:|:---------------------------:|:----------------------------------------------------------------------------------:|
| Files/Directories | `--config`, `-c` | `X_AUTHELIA_CONFIG` | A list of file or directory (non-recursive) paths to load configuration files from |
| Filters | `--config.experimental.filters` | `X_AUTHELIA_CONFIG_FILTERS` | A list of filters applied to every file from the Files or Directories options |
__*Note:* when specifying directories and files, the individual files specified must not be within any of the
directories specified.__
Configuration options can be discovered via either the Argument or Environment Variable, but not both at the same time.
If both are specified the Argument takes precedence and the Environment Variable is ignored. It is generally recommended
that if you're using a container that you use the Environment Variable as this will allow you to execute other commands
from the context of the container more easily.
## Formats
The only supported configuration file format is [YAML](#yaml).
@ -124,3 +141,167 @@ spec:
See the Kubernetes [workloads documentation](https://kubernetes.io/docs/concepts/workloads/pods/#pod-templates) or the
[Container API docs](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core) for more
information.
## File Filters
Experimental file filters exist which allow modification of all configuration files after reading them from the
filesystem but before parsing their content. These filters are _**NOT**_ covered by our
[Standard Versioning Policy](../../policies/versioning.md). There __*WILL*__ be a point where the name of the CLI
argument or environment variable will change and usage of these will either break or just not work.
The filters are configured as a list of filter names by the `--config.experimental.filters` CLI argument and
`X_AUTHELIA_CONFIG_EXPERIMENTAL_FILTERS` environment variable. We recommend using the environment variable as it ensures
commands executed from the container use the same filters. If both the CLI argument and environment variable are used
the environment variable is completely ignored.
Filters can either be used on their own, in combination, or not at all. The filters are processed in order as they are
defined.
Examples:
```bash
authelia --config config.yml --config.experimental.filters expand-env,template
```
```text
X_AUTHELIA_CONFIG_EXPERIMENTAL_FILTERS=expand-env,template
```
### Expand Environment Variable Filter
The name used to enable this filter is `expand-env`.
This filter is the most common filter type used by many other applications. It is similar to using `envsubst` where it
replaces a string like `$EXAMPLE` or `${EXAMPLE}` with the value of the `EXAMPLE` environment variable.
### Go Template Filter
The name used to enable this filter is `template`.
This filter uses the [Go template engine](https://pkg.go.dev/text/template) to render the configuration files. It uses
similar syntax to Jinja2 templates with different function names.
Comprehensive examples are beyond what we support and people wishing to use this should consult the official
[Go template engine](https://pkg.go.dev/text/template) documentation for syntax instructions. We also log the generated
output at each filter stage as a base64 string when trace logging is enabled.
#### Functions
In addition to the standard builtin functions we support several other functions.
##### iterate
The `iterate` function generates a list of numbers from 0 to the input provided. Useful for ranging over a list of
numbers.
Example:
```yaml
numbers:
{{- range $i := iterate 5 }}
- {{ $i }}
{{- end }}
```
##### env
The `env` function returns the value of an environment variable or a blank string.
Example:
```yaml
default_redirection_url: 'https://{{ env "DOMAIN" }}'
```
##### split
The `split` function splits a string by the separator.
Example:
```yaml
access_control:
rules:
- domain: 'app.{{ env "DOMAIN" }}'
policy: bypass
methods:
{{ range _, $method := split "GET,POST" "," }}
- {{ $method }}
{{ end }}
```
##### join
The `join` function is similar to [split](#split) but does the complete oppiste, joining an array of strings with a
separator.
Example:
```yaml
access_control:
rules:
- domain: ['app.{{ join (split (env "DOMAINS") ",") "', 'app." }}']
policy: bypass
```
##### contains
The `contains` function is a test function which checks if one string contains another string.
Example:
```yaml
{{ if contains (env "DOMAIN") "https://" }}
default_redirection_url: '{{ env "DOMAIN" }}'
{{ else }}
default_redirection_url: 'https://{{ env "DOMAIN" }}'
{{ end }}
```
##### hasPrefix
The `hasPrefix` function is a test function which checks if one string is prefixed with another string.
Example:
```yaml
{{ if hasPrefix (env "DOMAIN") "https://" }}
default_redirection_url: '{{ env "DOMAIN" }}'
{{ else }}
default_redirection_url: 'https://{{ env "DOMAIN" }}'
{{ end }}
```
##### hasSuffix
The `hasSuffix` function is a test function which checks if one string is suffixed with another string.
Example:
```yaml
{{ if hasSuffix (env "DOMAIN") "/" }}
default_redirection_url: 'https://{{ env "DOMAIN" }}'
{{ else }}
default_redirection_url: 'https://{{ env "DOMAIN" }}/'
{{ end }}
```
##### lower
The `lower` function is a conversion function which converts a string to all lowercase.
Example:
```yaml
default_redirection_url: 'https://{{ env "DOMAIN" | lower }}'
```
##### upper
The `upper` function is a conversion function which converts a string to all uppercase.
Example:
```yaml
default_redirection_url: 'https://{{ env "DOMAIN" | upper }}'
```


@ -209,8 +209,9 @@ Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when
For security reasons Authelia refuses to send messages to these servers.
This option disables this measure and is enabled *__AT YOUR OWN RISK__*. It's *__strongly recommended__*
that instead of enabling this option you either fix the issue with the SMTP server's configuration or
have the administrators of the server fix it. If the issue can't be fixed by configuration we recommend
have the administrators of the server fix it. If the issue can't be fixed via the SMTP server configuration we recommend
lodging an issue with the authors of the SMTP server.
See [security] for more information.
### disable_html_emails


@ -169,23 +169,8 @@ This may be inconvenient for some users who wish to export TOTP keys from Authel
a command specifically for exporting TOTP configurations from the database. These commands require the configuration or
at least a minimal configuration that has the storage backend connection details and the encryption key.
Export in [Key URI Format](https://github.com/google/google-authenticator/wiki/Key-Uri-Format):
```bash
authelia storage user totp export --format uri
```
Export as CSV:
```bash
authelia storage user totp export --format csv
```
Help:
```bash
authelia storage user totp export --help
```
See the [CLI Documentation](../../reference/cli/authelia/authelia_storage_user_totp_export.md) for methods to perform
exports.
[RFC4226]: https://www.rfc-editor.org/rfc/rfc4226.html
[RFC6238]: https://www.rfc-editor.org/rfc/rfc6238.html


@ -93,7 +93,7 @@ Reference values.
The values this [Claim] has are not strictly defined by the [OpenID Connect] specification. As such, some backends may
expect a specification other than [RFC8176] for this purpose. If you have such an application and wish for us to support
it then you're encouraged to create an issue.
it then you're encouraged to create a [feature request](https://www.authelia.com/l/fr).
Below is a list of the potential values we place in the [Claim] and their meaning:


@ -346,14 +346,17 @@ typically located at `/etc/fail2ban/filter.d`.
# the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt
# second line) as a failure.
# the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors
# the ignoreregex rule ignores info and warning messages as all authentication failures are flagged as errors
# the third line catches incorrect usernames entered at the password reset form
# the fourth line catches attempts to spam via the password reset form or 2fa device reset form. This requires debug logging to be enabled
[Definition]
failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?<HOST>"? stack.*
^.*Unsuccessful (TOTP|Duo|U2F) authentication attempt by user .*remote_ip="?<HOST>"? stack.*
^.*user not found.*path=/api/reset-password/identity/start remote_ip="?<HOST>"? stack.*
^.*Sending an email to user.*path=/api/.*/start remote_ip="?<HOST>"?
ignoreregex = ^.*level=debug.*
^.*level=info.*
ignoreregex = ^.*level=info.*
^.*level=warning.*
```


@ -16,9 +16,14 @@ aliases:
- /privacy.html
---
## Website
This section applies to the public website at https://www.authelia.com and does not apply to the _Authelia_ application
itself.
__TLDR__: We do not use cookies and we do not collect any personal data.
## Website visitors
### Website visitors
* No personal information is collected.
* No information is stored in the browser.
@ -27,6 +32,32 @@ __TLDR__: We do not use cookies and we do not collect any personal data.
* No information is mined and harvested for personal and behavioral trends.
* No information is monetized.
## Application
This section applies to the _Authelia_ application itself and does not apply to the public website
at https://www.authelia.com. It's important for users of _Authelia_ to note that this policy only applies to what the
_Authelia_ application itself does automatically. Individual installations of _Authelia_ may differ from this policy
depending on the administrator who deploys the application. It is beyond our ability to include this in our policy and
you should refer to their privacy policy.
__TLDR__: We collect only information necessary to operate the application and properly perform security audits. This
information is only stored in the local SQL database and is NOT sent to any external service.
### Application visitors
* Information collected is stored locally in the database and not sent to any external service.
* No personal information is collected other than:
* Username and IP address are recorded and logged for security related events for auditing purposes.
* The information stored in the browser is:
* Cookies:
* A session cookie necessary for the application to operate.
* Local Storage:
* A language preference necessary for the application to operate.
* No information is shared with, sent to or sold to third-parties.
* No information is shared with advertising companies.
* No information is mined and harvested for personal and behavioral trends.
* No information is monetized.
## Contact us
[Contact us](../information/contact.md) if you have any questions.


@ -0,0 +1,52 @@
---
title: "Versioning Policy"
description: "The Authelia Versioning Policy which is important reading for administrators"
date: 2022-12-21T20:48:14+11:00
draft: false
images: []
aliases:
- /versioning-policy
- /versioning
---
The __Authelia__ team aims to abide by the [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html) policy. This
means that we use the format `major.minor.patch` for our version numbers, where a change to `major` denotes a breaking
change which will likely require user interaction to upgrade, `minor` which denotes a new feature, and `patch` denotes a
fix.
It is therefore recommended users do not automatically upgrade the `minor` version without reading the patch notes, and
it's critically important users do not upgrade the `major` version without reading the patch notes. You should pin your
version to `4.37` for example to prevent automatic upgrades from negatively affecting you.
## Exceptions
There are exceptions to this versioning policy.
### Advanced Customizations
Some advanced customizations are not guaranteed by the versioning policy. These features require the administrator to
ensure they keep up to date with the changes relevant to their version. While the customizations exist as a feature we
cannot allow these customizations to hinder the development process.
Notable Advanced Customizations:
- Templates:
- Email
- Content Security Policy header
- Localization Assets
### Breaking Changes
All features which are marked as:
- beta
- experimental
Notable examples:
- OpenID Connect 1.0
- File Filters
The reasoning is as we develop these features there may be mistakes and we may need to make a change that should be
considered breaking. As these features graduate from their status to generally available they will move into our
standard versioning policy from this exception.


@ -24,7 +24,8 @@ An open-source authentication and authorization server providing
two-factor authentication and single sign-on (SSO) for your
applications via a web portal.
Documentation is available at: https://www.authelia.com/
General documentation is available at: https://www.authelia.com/
CLI documentation is available at: https://www.authelia.com/reference/cli/authelia/authelia/
```
authelia [flags]
@ -41,8 +42,9 @@ authelia --config /etc/authelia/config/
### Options
```
-c, --config strings configuration files to load
-h, --help help for authelia
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
-h, --help help for authelia
```
### SEE ALSO
@ -50,7 +52,6 @@ authelia --config /etc/authelia/config/
* [authelia access-control](authelia_access-control.md) - Helpers for the access control system
* [authelia build-info](authelia_build-info.md) - Show the build information of Authelia
* [authelia crypto](authelia_crypto.md) - Perform cryptographic operations
* [authelia hash-password](authelia_hash-password.md) - Hash a password to be used in file-based users database
* [authelia storage](authelia_storage.md) - Manage the Authelia storage
* [authelia validate-config](authelia_validate-config.md) - Check a configuration against the internal configuration validation mechanisms


@ -32,6 +32,13 @@ authelia access-control --help
-h, --help help for access-control
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia](authelia.md) - authelia untagged-unknown-dirty (master, unknown)


@ -53,7 +53,6 @@ authelia access-control check-policy --config config.yml --url https://example.c
### Options
```
-c, --config strings configuration files to load (default [configuration.yml])
--groups strings the groups of the subject
-h, --help help for check-policy
--ip string the ip of the subject
@ -63,6 +62,13 @@ authelia access-control check-policy --config config.yml --url https://example.c
--verbose enables verbose output
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia access-control](authelia_access-control.md) - Helpers for the access control system


@ -45,6 +45,13 @@ authelia build-info
-h, --help help for build-info
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia](authelia.md) - authelia untagged-unknown-dirty (master, unknown)


@ -34,6 +34,13 @@ authelia crypto --help
-h, --help help for crypto
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia](authelia.md) - authelia untagged-unknown-dirty (master, unknown)


@ -34,6 +34,13 @@ authelia crypto certificate --help
-h, --help help for certificate
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto](authelia_crypto.md) - Perform cryptographic operations


@ -34,6 +34,13 @@ authelia crypto certificate ecdsa --help
-h, --help help for ecdsa
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto certificate](authelia_crypto_certificate.md) - Perform certificate cryptographic operations


@ -36,7 +36,7 @@ authelia crypto certificate ecdsa generate --help
```
--ca create the certificate as a certificate authority certificate
-c, --common-name string certificate common name
-n, --common-name string certificate common name
--country strings certificate country
-b, --curve string Sets the elliptic curve which can be P224, P256, P384, or P521 (default "P256")
-d, --directory string directory where the generated keys, certificates, etc will be stored
@ -59,6 +59,13 @@ authelia crypto certificate ecdsa generate --help
-s, --street-address strings certificate street address
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto certificate ecdsa](authelia_crypto_certificate_ecdsa.md) - Perform ECDSA certificate cryptographic operations


@ -35,7 +35,7 @@ authelia crypto certificate ecdsa request --help
### Options
```
-c, --common-name string certificate common name
-n, --common-name string certificate common name
--country strings certificate country
-b, --curve string Sets the elliptic curve which can be P224, P256, P384, or P521 (default "P256")
-d, --directory string directory where the generated keys, certificates, etc will be stored
@ -54,6 +54,13 @@ authelia crypto certificate ecdsa request --help
-s, --street-address strings certificate street address
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto certificate ecdsa](authelia_crypto_certificate_ecdsa.md) - Perform ECDSA certificate cryptographic operations


@ -34,6 +34,13 @@ authelia crypto certificate ed25519 --help
-h, --help help for ed25519
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto certificate](authelia_crypto_certificate.md) - Perform certificate cryptographic operations


@ -36,7 +36,7 @@ authelia crypto certificate ed25519 request --help
```
--ca create the certificate as a certificate authority certificate
-c, --common-name string certificate common name
-n, --common-name string certificate common name
--country strings certificate country
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration duration duration of time the certificate is valid for (default 8760h0m0s)
@ -58,6 +58,13 @@ authelia crypto certificate ed25519 request --help
-s, --street-address strings certificate street address
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto certificate ed25519](authelia_crypto_certificate_ed25519.md) - Perform Ed25519 certificate cryptographic operations


@ -35,7 +35,7 @@ authelia crypto certificate ed25519 request --help
### Options
```
-c, --common-name string certificate common name
-n, --common-name string certificate common name
--country strings certificate country
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration duration duration of time the certificate is valid for (default 8760h0m0s)
@ -53,6 +53,13 @@ authelia crypto certificate ed25519 request --help
-s, --street-address strings certificate street address
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto certificate ed25519](authelia_crypto_certificate_ed25519.md) - Perform Ed25519 certificate cryptographic operations


@ -34,6 +34,13 @@ authelia crypto certificate rsa --help
-h, --help help for rsa
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto certificate](authelia_crypto_certificate.md) - Perform certificate cryptographic operations


@ -37,7 +37,7 @@ authelia crypto certificate rsa generate --help
```
-b, --bits int number of RSA bits for the certificate (default 2048)
--ca create the certificate as a certificate authority certificate
-c, --common-name string certificate common name
-n, --common-name string certificate common name
--country strings certificate country
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration duration duration of time the certificate is valid for (default 8760h0m0s)
@ -59,6 +59,13 @@ authelia crypto certificate rsa generate --help
-s, --street-address strings certificate street address
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto certificate rsa](authelia_crypto_certificate_rsa.md) - Perform RSA certificate cryptographic operations


@ -36,7 +36,7 @@ authelia crypto certificate rsa request --help
```
-b, --bits int number of RSA bits for the certificate (default 2048)
-c, --common-name string certificate common name
-n, --common-name string certificate common name
--country strings certificate country
-d, --directory string directory where the generated keys, certificates, etc will be stored
--duration duration duration of time the certificate is valid for (default 8760h0m0s)
@ -54,6 +54,13 @@ authelia crypto certificate rsa request --help
-s, --street-address strings certificate street address
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto certificate rsa](authelia_crypto_certificate_rsa.md) - Perform RSA certificate cryptographic operations


@ -34,6 +34,13 @@ authelia crypto hash --help
-h, --help help for hash
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto](authelia_crypto.md) - Perform cryptographic operations


@ -37,7 +37,6 @@ authelia crypto hash generate --help
### Options
```
-c, --config strings configuration files to load (default [configuration.yml])
-h, --help help for generate
--no-confirm skip the password confirmation prompt
--password string manually supply the password rather than using the terminal prompt
@ -47,6 +46,13 @@ authelia crypto hash generate --help
--random.length int sets the character length for the random string (default 72)
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto hash](authelia_crypto_hash.md) - Perform cryptographic hash operations


@ -48,13 +48,14 @@ authelia crypto hash generate argon2 --help
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
--no-confirm skip the password confirmation prompt
--password string manually supply the password rather than using the terminal prompt
--random uses a randomly generated password
--random.characters string sets the explicit characters for the random string
--random.charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
--random.length int sets the character length for the random string (default 72)
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--no-confirm skip the password confirmation prompt
--password string manually supply the password rather than using the terminal prompt
--random uses a randomly generated password
--random.characters string sets the explicit characters for the random string
--random.charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
--random.length int sets the character length for the random string (default 72)
```
### SEE ALSO


@ -43,13 +43,14 @@ authelia crypto hash generate bcrypt --help
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
--no-confirm skip the password confirmation prompt
--password string manually supply the password rather than using the terminal prompt
--random uses a randomly generated password
--random.characters string sets the explicit characters for the random string
--random.charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
--random.length int sets the character length for the random string (default 72)
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--no-confirm skip the password confirmation prompt
--password string manually supply the password rather than using the terminal prompt
--random uses a randomly generated password
--random.characters string sets the explicit characters for the random string
--random.charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
--random.length int sets the character length for the random string (default 72)
```
### SEE ALSO


@ -44,13 +44,14 @@ authelia crypto hash generate pbkdf2 --help
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
--no-confirm skip the password confirmation prompt
--password string manually supply the password rather than using the terminal prompt
--random uses a randomly generated password
--random.characters string sets the explicit characters for the random string
--random.charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
--random.length int sets the character length for the random string (default 72)
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--no-confirm skip the password confirmation prompt
--password string manually supply the password rather than using the terminal prompt
--random uses a randomly generated password
--random.characters string sets the explicit characters for the random string
--random.charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
--random.length int sets the character length for the random string (default 72)
```
### SEE ALSO


@ -46,13 +46,14 @@ authelia crypto hash generate scrypt --help
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
--no-confirm skip the password confirmation prompt
--password string manually supply the password rather than using the terminal prompt
--random uses a randomly generated password
--random.characters string sets the explicit characters for the random string
--random.charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
--random.length int sets the character length for the random string (default 72)
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--no-confirm skip the password confirmation prompt
--password string manually supply the password rather than using the terminal prompt
--random uses a randomly generated password
--random.characters string sets the explicit characters for the random string
--random.charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
--random.length int sets the character length for the random string (default 72)
```
### SEE ALSO


@ -44,13 +44,14 @@ authelia crypto hash generate sha2crypt --help
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
--no-confirm skip the password confirmation prompt
--password string manually supply the password rather than using the terminal prompt
--random uses a randomly generated password
--random.characters string sets the explicit characters for the random string
--random.charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
--random.length int sets the character length for the random string (default 72)
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--no-confirm skip the password confirmation prompt
--password string manually supply the password rather than using the terminal prompt
--random uses a randomly generated password
--random.characters string sets the explicit characters for the random string
--random.charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
--random.length int sets the character length for the random string (default 72)
```
### SEE ALSO


@ -40,6 +40,13 @@ authelia crypto hash validate '$5$rounds=500000$WFjMpdCQxIkbNl0k$M0qZaZoK8Gwdh8C
--password string manually supply the password rather than using the terminal prompt
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto hash](authelia_crypto_hash.md) - Perform cryptographic hash operations


@ -34,6 +34,13 @@ authelia crypto pair --help
-h, --help help for pair
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto](authelia_crypto.md) - Perform cryptographic operations


@ -38,6 +38,13 @@ authelia crypto pair ecdsa --help
-h, --help help for ecdsa
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto pair](authelia_crypto_pair.md) - Perform key pair cryptographic operations


@ -43,6 +43,13 @@ authelia crypto pair ecdsa generate --help
--pkcs8 force PKCS #8 ASN.1 format
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto pair ecdsa](authelia_crypto_pair_ecdsa.md) - Perform ECDSA key pair cryptographic operations


@ -38,6 +38,13 @@ authelia crypto pair ed25519 --help
-h, --help help for ed25519
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto pair](authelia_crypto_pair.md) - Perform key pair cryptographic operations


@ -42,6 +42,13 @@ authelia crypto pair ed25519 generate --help
--pkcs8 force PKCS #8 ASN.1 format
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto pair ed25519](authelia_crypto_pair_ed25519.md) - Perform Ed25519 key pair cryptographic operations


@ -38,6 +38,13 @@ authelia crypto pair rsa --help
-h, --help help for rsa
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto pair](authelia_crypto_pair.md) - Perform key pair cryptographic operations


@ -43,6 +43,13 @@ authelia crypto pair rsa generate --help
--pkcs8 force PKCS #8 ASN.1 format
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto pair rsa](authelia_crypto_pair_rsa.md) - Perform RSA key pair cryptographic operations


@ -44,11 +44,18 @@ authelia crypto rand --characters 0123456789ABCDEF
```
--characters string sets the explicit characters for the random string
-c, --charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
-x, --charset string sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
-h, --help help for rand
-n, --length int sets the character length for the random string (default 72)
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia crypto](authelia_crypto.md) - Perform cryptographic operations


@ -1,55 +0,0 @@
---
title: "authelia hash-password"
description: "Reference for the authelia hash-password command."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
reference:
parent: "cli-authelia"
weight: 905
toc: true
---
## authelia hash-password
Hash a password to be used in file-based users database
### Synopsis
Hash a password to be used in file-based users database.
```
authelia hash-password [flags] -- [password]
```
### Examples
```
authelia hash-password -- 'mypass'
authelia hash-password --sha512 -- 'mypass'
authelia hash-password --iterations=4 -- 'mypass'
authelia hash-password --memory=128 -- 'mypass'
authelia hash-password --parallelism=1 -- 'mypass'
authelia hash-password --key-length=64 -- 'mypass'
```
### Options
```
-c, --config strings configuration files to load (default [configuration.yml])
-h, --help help for hash-password
-i, --iterations int set the number of hashing iterations (default 3)
-k, --key-length int [argon2id] set the key length param (default 32)
-m, --memory int [argon2id] set the amount of memory param (in MB) (default 65536)
--no-confirm skip the password confirmation prompt
-p, --parallelism int [argon2id] set the parallelism param (default 4)
-l, --salt-length int set the auto-generated salt length (default 16)
-z, --sha512 use sha512 as the algorithm (changes iterations to 50000, change with -i)
```
### SEE ALSO
* [authelia](authelia.md) - authelia untagged-unknown-dirty (master, unknown)


@ -33,7 +33,6 @@ authelia storage --help
### Options
```
-c, --config strings configuration files to load (default [configuration.yml])
--encryption-key string the storage encryption key to use
-h, --help help for storage
--mysql.database string the MySQL database name (default "authelia")
@ -54,6 +53,13 @@ authelia storage --help
--sqlite.path string the SQLite database path
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO
* [authelia](authelia.md) - authelia untagged-unknown-dirty (master, unknown)


@ -37,7 +37,8 @@ authelia storage encryption --help
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -43,7 +43,8 @@ authelia storage encryption change-key --encryption-key b3453fde-ecc2-4a1f-9422-
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -45,7 +45,8 @@ authelia storage encryption check --verbose --encryption-key b3453fde-ecc2-4a1f-
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -37,7 +37,8 @@ authelia storage migrate --help
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -46,7 +46,8 @@ authelia storage migrate down --target 20 --encryption-key b3453fde-ecc2-4a1f-94
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -43,7 +43,8 @@ authelia storage migrate history --encryption-key b3453fde-ecc2-4a1f-9422-2707dd
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -44,7 +44,8 @@ authelia storage migrate list-down --encryption-key b3453fde-ecc2-4a1f-9422-2707
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -44,7 +44,8 @@ authelia storage migrate list-up --encryption-key b3453fde-ecc2-4a1f-9422-2707dd
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -46,7 +46,8 @@ authelia storage migrate up --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed49
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -43,7 +43,8 @@ authelia storage schema-info --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed4
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -37,7 +37,8 @@ authelia storage user --help
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -37,7 +37,8 @@ authelia storage user identifiers --help
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -46,7 +46,8 @@ authelia storage user identifiers add john --identifier f0919359-9d15-4e15-bcba-
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -38,14 +38,15 @@ authelia storage user identifiers export --file export.yaml --encryption-key b34
### Options
```
-f, --file string The file name for the YAML export (default "user-opaque-identifiers.yml")
-f, --file string The file name for the YAML export (default "authelia.export.opaque-identifiers.yml")
-h, --help help for export
```
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -48,7 +48,8 @@ authelia storage user identifiers generate --users john,mary --services openid -
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -26,29 +26,29 @@ The YAML file can either be automatically generated using the authelia storage u
manually provided the file is in the same format.
```
authelia storage user identifiers import [flags]
authelia storage user identifiers import <filename> [flags]
```
### Examples
```
authelia storage user identifiers import
authelia storage user identifiers import --file export.yaml
authelia storage user identifiers import --file export.yaml --config config.yml
authelia storage user identifiers import --file export.yaml --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
authelia storage user identifiers import authelia.export.opaque-identifiers.yaml
authelia storage user identifiers import --config config.yml export.yaml
authelia storage user identifiers import --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw export.yaml
```
### Options
```
-f, --file string The file name for the YAML import (default "user-opaque-identifiers.yml")
-h, --help help for import
-h, --help help for import
```
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -37,7 +37,8 @@ authelia storage user totp --help
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname
@ -63,4 +64,5 @@ authelia storage user totp --help
* [authelia storage user totp delete](authelia_storage_user_totp_delete.md) - Delete a TOTP configuration for a user
* [authelia storage user totp export](authelia_storage_user_totp_export.md) - Perform exports of the TOTP configurations
* [authelia storage user totp generate](authelia_storage_user_totp_generate.md) - Generate a TOTP configuration for a user
* [authelia storage user totp import](authelia_storage_user_totp_import.md) - Perform imports of the TOTP configurations


@ -43,7 +43,8 @@ authelia storage user totp delete john --encryption-key b3453fde-ecc2-4a1f-9422-
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -20,7 +20,7 @@ Perform exports of the TOTP configurations
Perform exports of the TOTP configurations.
This subcommand allows exporting TOTP configurations to various formats.
This subcommand allows exporting TOTP configurations to importable YAML files, or use the subcommands to export them to other non-importable formats.
```
authelia storage user totp export [flags]
@ -29,24 +29,23 @@ authelia storage user totp export [flags]
### Examples
```
authelia storage user totp export --format csv
authelia storage user totp export --format png --dir ./totp-qr
authelia storage user totp export --format png --dir ./totp-qr --config config.yml
authelia storage user totp export --format png --dir ./totp-qr --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
authelia storage user totp export --file example.yaml
authelia storage user totp export --config config.yml
authelia storage user totp export --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
```
### Options
```
--dir string used with the png output format to specify which new directory to save the files in
--format string sets the output format, valid values are: csv, uri, png (default "uri")
-h, --help help for export
-f, --file string The file name for the YAML export (default "authelia.export.totp.yaml")
-h, --help help for export
```
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname
@ -69,4 +68,7 @@ authelia storage user totp export --format png --dir ./totp-qr --encryption-key
### SEE ALSO
* [authelia storage user totp](authelia_storage_user_totp.md) - Manage TOTP configurations
* [authelia storage user totp export csv](authelia_storage_user_totp_export_csv.md) - Perform exports of the TOTP configurations to a CSV
* [authelia storage user totp export png](authelia_storage_user_totp_export_png.md) - Perform exports of the TOTP configurations to QR code PNG images
* [authelia storage user totp export uri](authelia_storage_user_totp_export_uri.md) - Perform exports of the TOTP configurations to URIs


@ -0,0 +1,71 @@
---
title: "authelia storage user totp export csv"
description: "Reference for the authelia storage user totp export csv command."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
reference:
parent: "cli-authelia"
weight: 905
toc: true
---
## authelia storage user totp export csv
Perform exports of the TOTP configurations to a CSV
### Synopsis
Perform exports of the TOTP configurations to a CSV.
This subcommand allows exporting TOTP configurations to a CSV.
```
authelia storage user totp export csv [flags]
```
### Examples
```
authelia storage user totp export csv --file users.csv
authelia storage user totp export csv --config config.yml
authelia storage user totp export csv --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
```
### Options
```
-f, --file string The file name for the CSV export (default "authelia.export.totp.csv")
-h, --help help for csv
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname
--mysql.password string the MySQL password
--mysql.port int the MySQL port (default 3306)
--mysql.username string the MySQL username (default "authelia")
--postgres.database string the PostgreSQL database name (default "authelia")
--postgres.host string the PostgreSQL hostname
--postgres.password string the PostgreSQL password
--postgres.port int the PostgreSQL port (default 5432)
--postgres.schema string the PostgreSQL schema name (default "public")
--postgres.ssl.certificate string the PostgreSQL ssl certificate file location
--postgres.ssl.key string the PostgreSQL ssl key file location
--postgres.ssl.mode string the PostgreSQL ssl mode (default "disable")
--postgres.ssl.root_certificate string the PostgreSQL ssl root certificate file location
--postgres.username string the PostgreSQL username (default "authelia")
--sqlite.path string the SQLite database path
```
### SEE ALSO
* [authelia storage user totp export](authelia_storage_user_totp_export.md) - Perform exports of the TOTP configurations


@ -0,0 +1,72 @@
---
title: "authelia storage user totp export png"
description: "Reference for the authelia storage user totp export png command."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
reference:
parent: "cli-authelia"
weight: 905
toc: true
---
## authelia storage user totp export png
Perform exports of the TOTP configurations to QR code PNG images
### Synopsis
Perform exports of the TOTP configurations to QR code PNG images.
This subcommand allows exporting TOTP configurations to PNG images with QR codes which represent the appropriate URI so they can be scanned.
```
authelia storage user totp export png [flags]
```
### Examples
```
authelia storage user totp export png
authelia storage user totp export png --directory example/dir
authelia storage user totp export png --config config.yml
authelia storage user totp export png --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
```
### Options
```
--directory string The directory where all exported png files will be saved to
-h, --help help for png
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname
--mysql.password string the MySQL password
--mysql.port int the MySQL port (default 3306)
--mysql.username string the MySQL username (default "authelia")
--postgres.database string the PostgreSQL database name (default "authelia")
--postgres.host string the PostgreSQL hostname
--postgres.password string the PostgreSQL password
--postgres.port int the PostgreSQL port (default 5432)
--postgres.schema string the PostgreSQL schema name (default "public")
--postgres.ssl.certificate string the PostgreSQL ssl certificate file location
--postgres.ssl.key string the PostgreSQL ssl key file location
--postgres.ssl.mode string the PostgreSQL ssl mode (default "disable")
--postgres.ssl.root_certificate string the PostgreSQL ssl root certificate file location
--postgres.username string the PostgreSQL username (default "authelia")
--sqlite.path string the SQLite database path
```
### SEE ALSO
* [authelia storage user totp export](authelia_storage_user_totp_export.md) - Perform exports of the TOTP configurations


@ -0,0 +1,70 @@
---
title: "authelia storage user totp export uri"
description: "Reference for the authelia storage user totp export uri command."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
reference:
parent: "cli-authelia"
weight: 905
toc: true
---
## authelia storage user totp export uri
Perform exports of the TOTP configurations to URIs
### Synopsis
Perform exports of the TOTP configurations to URIs.
This subcommand allows exporting TOTP configurations to TOTP URIs.
```
authelia storage user totp export uri [flags]
```
### Examples
```
authelia storage user totp export uri
authelia storage user totp export uri --config config.yml
authelia storage user totp export uri --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
```
### Options
```
-h, --help help for uri
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname
--mysql.password string the MySQL password
--mysql.port int the MySQL port (default 3306)
--mysql.username string the MySQL username (default "authelia")
--postgres.database string the PostgreSQL database name (default "authelia")
--postgres.host string the PostgreSQL hostname
--postgres.password string the PostgreSQL password
--postgres.port int the PostgreSQL port (default 5432)
--postgres.schema string the PostgreSQL schema name (default "public")
--postgres.ssl.certificate string the PostgreSQL ssl certificate file location
--postgres.ssl.key string the PostgreSQL ssl key file location
--postgres.ssl.mode string the PostgreSQL ssl mode (default "disable")
--postgres.ssl.root_certificate string the PostgreSQL ssl root certificate file location
--postgres.username string the PostgreSQL username (default "authelia")
--sqlite.path string the SQLite database path
```
### SEE ALSO
* [authelia storage user totp export](authelia_storage_user_totp_export.md) - Perform exports of the TOTP configurations

View File

@ -55,7 +55,8 @@ authelia storage user totp generate john --algorithm SHA512 --config config.yml
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -0,0 +1,70 @@
---
title: "authelia storage user totp import"
description: "Reference for the authelia storage user totp import command."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
reference:
parent: "cli-authelia"
weight: 905
toc: true
---
## authelia storage user totp import
Perform imports of the TOTP configurations
### Synopsis
Perform imports of the TOTP configurations.
This subcommand allows importing TOTP configurations from various formats.
```
authelia storage user totp import <filename> [flags]
```
### Examples
```
authelia storage user totp import authelia.export.totp.yaml
authelia storage user totp import --config config.yml authelia.export.totp.yaml
authelia storage user totp import --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw authelia.export.totp.yaml
```
### Options
```
-h, --help help for import
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname
--mysql.password string the MySQL password
--mysql.port int the MySQL port (default 3306)
--mysql.username string the MySQL username (default "authelia")
--postgres.database string the PostgreSQL database name (default "authelia")
--postgres.host string the PostgreSQL hostname
--postgres.password string the PostgreSQL password
--postgres.port int the PostgreSQL port (default 5432)
--postgres.schema string the PostgreSQL schema name (default "public")
--postgres.ssl.certificate string the PostgreSQL ssl certificate file location
--postgres.ssl.key string the PostgreSQL ssl key file location
--postgres.ssl.mode string the PostgreSQL ssl mode (default "disable")
--postgres.ssl.root_certificate string the PostgreSQL ssl root certificate file location
--postgres.username string the PostgreSQL username (default "authelia")
--sqlite.path string the SQLite database path
```
### SEE ALSO
* [authelia storage user totp](authelia_storage_user_totp.md) - Manage TOTP configurations


@ -37,7 +37,8 @@ authelia storage user webauthn --help
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname
@ -60,6 +61,8 @@ authelia storage user webauthn --help
### SEE ALSO
* [authelia storage user](authelia_storage_user.md) - Manages user settings
* [authelia storage user webauthn delete](authelia_storage_user_webauthn_delete.md) - Delete a WebAuthn device
* [authelia storage user webauthn list](authelia_storage_user_webauthn_list.md) - List WebAuthn devices
* [authelia storage user webauthn delete](authelia_storage_user_webauthn_delete.md) - Delete a Webauthn device
* [authelia storage user webauthn export](authelia_storage_user_webauthn_export.md) - Perform exports of the Webauthn devices
* [authelia storage user webauthn import](authelia_storage_user_webauthn_import.md) - Perform imports of the Webauthn devices
* [authelia storage user webauthn list](authelia_storage_user_webauthn_list.md) - List Webauthn devices


@ -14,13 +14,13 @@ toc: true
## authelia storage user webauthn delete
Delete a WebAuthn device
Delete a Webauthn device
### Synopsis
Delete a WebAuthn device.
Delete a Webauthn device.
This subcommand allows deleting a WebAuthn device directly from the database.
This subcommand allows deleting a Webauthn device directly from the database.
```
authelia storage user webauthn delete [username] [flags]
@ -52,7 +52,8 @@ authelia storage user webauthn delete --kid abc123 --encryption-key b3453fde-ecc
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -0,0 +1,72 @@
---
title: "authelia storage user webauthn export"
description: "Reference for the authelia storage user webauthn export command."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
reference:
parent: "cli-authelia"
weight: 905
toc: true
---
## authelia storage user webauthn export
Perform exports of the Webauthn devices
### Synopsis
Perform exports of the Webauthn devices.
This subcommand allows exporting Webauthn devices to various formats.
```
authelia storage user webauthn export [flags]
```
### Examples
```
authelia storage user webauthn export
authelia storage user webauthn export --file authelia.export.webauthn.yaml
authelia storage user webauthn export --config config.yml
authelia storage user webauthn export--encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
```
### Options
```
-f, --file string The file name for the YAML export (default "authelia.export.webauthn.yaml")
-h, --help help for export
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname
--mysql.password string the MySQL password
--mysql.port int the MySQL port (default 3306)
--mysql.username string the MySQL username (default "authelia")
--postgres.database string the PostgreSQL database name (default "authelia")
--postgres.host string the PostgreSQL hostname
--postgres.password string the PostgreSQL password
--postgres.port int the PostgreSQL port (default 5432)
--postgres.schema string the PostgreSQL schema name (default "public")
--postgres.ssl.certificate string the PostgreSQL ssl certificate file location
--postgres.ssl.key string the PostgreSQL ssl key file location
--postgres.ssl.mode string the PostgreSQL ssl mode (default "disable")
--postgres.ssl.root_certificate string the PostgreSQL ssl root certificate file location
--postgres.username string the PostgreSQL username (default "authelia")
--sqlite.path string the SQLite database path
```
### SEE ALSO
* [authelia storage user webauthn](authelia_storage_user_webauthn.md) - Manage Webauthn devices


@ -0,0 +1,71 @@
---
title: "authelia storage user webauthn import"
description: "Reference for the authelia storage user webauthn import command."
lead: ""
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
reference:
parent: "cli-authelia"
weight: 905
toc: true
---
## authelia storage user webauthn import
Perform imports of the Webauthn devices
### Synopsis
Perform imports of the Webauthn devices.
This subcommand allows importing Webauthn devices from various formats.
```
authelia storage user webauthn import <filename> [flags]
```
### Examples
```
authelia storage user webauthn export
authelia storage user webauthn import --file authelia.export.webauthn.yaml
authelia storage user webauthn import --file authelia.export.webauthn.yaml --config config.yml
authelia storage user webauthn import --file authelia.export.webauthn.yaml --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
```
### Options
```
-h, --help help for import
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname
--mysql.password string the MySQL password
--mysql.port int the MySQL port (default 3306)
--mysql.username string the MySQL username (default "authelia")
--postgres.database string the PostgreSQL database name (default "authelia")
--postgres.host string the PostgreSQL hostname
--postgres.password string the PostgreSQL password
--postgres.port int the PostgreSQL port (default 5432)
--postgres.schema string the PostgreSQL schema name (default "public")
--postgres.ssl.certificate string the PostgreSQL ssl certificate file location
--postgres.ssl.key string the PostgreSQL ssl key file location
--postgres.ssl.mode string the PostgreSQL ssl mode (default "disable")
--postgres.ssl.root_certificate string the PostgreSQL ssl root certificate file location
--postgres.username string the PostgreSQL username (default "authelia")
--sqlite.path string the SQLite database path
```
### SEE ALSO
* [authelia storage user webauthn](authelia_storage_user_webauthn.md) - Manage Webauthn devices


@ -14,13 +14,13 @@ toc: true
## authelia storage user webauthn list
List WebAuthn devices
List Webauthn devices
### Synopsis
List WebAuthn devices.
List Webauthn devices.
This subcommand allows listing WebAuthn devices.
This subcommand allows listing Webauthn devices.
```
authelia storage user webauthn list [username] [flags]
@ -46,7 +46,8 @@ authelia storage user webauthn list john --encryption-key b3453fde-ecc2-4a1f-942
### Options inherited from parent commands
```
-c, --config strings configuration files to load (default [configuration.yml])
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
--encryption-key string the storage encryption key to use
--mysql.database string the MySQL database name (default "authelia")
--mysql.host string the MySQL hostname


@ -37,8 +37,14 @@ authelia validate-config --config config.yml
### Options
```
-c, --config strings configuration files to load (default [configuration.yml])
-h, --help help for validate-config
-h, --help help for validate-config
```
### Options inherited from parent commands
```
-c, --config strings configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
--config.experimental.filters strings list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
```
### SEE ALSO


@ -10,6 +10,8 @@ menu:
parent: "guides"
weight: 220
toc: true
aliases:
- /r/ldap
---
## Binding
@ -46,10 +48,28 @@ Authelia primarily supports this method.
## Implementation Guide
There are currently two implementations, `custom` and `activedirectory`. The `activedirectory` implementation
must be used if you wish to allow users to change or reset their password as Active Directory
uses a custom attribute for this, and an input format other implementations do not use. The long term
intention of this is to have logical defaults for various RFC implementations of LDAP.
The following implementations exist:
- `custom`:
- Not specific to any particular LDAP provider
- `activedirectory`:
- Specific configuration defaults for [Active Directory]
- Special implementation details:
- Includes a special encoding format required for changing passwords with [Active Directory]
- `freeipa`:
- Specific configuration defaults for [FreeIPA]
- No special implementation details
- `lldap`:
- Specific configuration defaults for [lldap]
- No special implementation details
- `glauth`:
- Specific configuration defaults for [GLAuth]
- No special implementation details
[Active Directory]: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-domain-services
[FreeIPA]: https://www.freeipa.org/
[lldap]: https://github.com/nitnelave/lldap
[GLAuth]: https://glauth.github.io/
### Filter replacements
@ -58,12 +78,15 @@ search.
#### Users filter replacements
| Placeholder | Phase | Replacement |
|:------------------------:|:-------:|:-------------------------------------:|
| {username_attribute} | startup | The configured username attribute |
| {mail_attribute} | startup | The configured mail attribute |
| {display_name_attribute} | startup | The configured display name attribute |
| {input} | search | The input into the username field |
| Placeholder | Phase | Replacement |
|:------------------------:|:-------:|:----------------------------------------------------------------------------------------------------------------:|
| {username_attribute} | startup | The configured username attribute |
| {mail_attribute} | startup | The configured mail attribute |
| {display_name_attribute} | startup | The configured display name attribute |
| {input} | search | The input into the username field |
| {date-time:generalized} | search | The current UTC time formatted as a LDAP generalized time in the format of `20060102150405.0Z` |
| {date-time:unix} | search | The current time formatted as a Unix epoch |
| {date-time:microsoft-nt} | search | The current time formatted as a Microsoft NT epoch which is used by some Microsoft [Active Directory] attributes |
#### Groups filter replacements
@ -77,6 +100,14 @@ search.
The below tables describes the current attribute defaults for each implementation.
#### Search Base defaults
The following set defaults for the `additional_users_dn` and `additional_groups_dn` values.
| Implementation | Users | Groups |
|:--------------:|:---------:|:---------:|
| lldap | OU=people | OU=groups |
#### Attribute defaults
This table describes the attribute defaults for each implementation. i.e. the username_attribute is described by the
@ -86,18 +117,33 @@ Username column.
|:---------------:|:--------------:|:------------:|:----:|:----------:|
| custom | N/A | displayName | mail | cn |
| activedirectory | sAMAccountName | displayName | mail | cn |
| freeipa | uid | displayName | mail | cn |
| lldap | uid | cn | mail | cn |
| glauth | cn | description | mail | cn |
#### Filter defaults
The filters are probably the most important part to get correct when setting up LDAP. You want to exclude disabled
accounts. The active directory example has two attribute filters that accomplish this as an example (more examples would
be appreciated). The userAccountControl filter checks that the account is not disabled and the pwdLastSet makes sure that
value is not 0 which means the password requires changing at the next login.
The filters are probably the most important part to get correct when setting up LDAP. You want to exclude accounts under
the following conditions:
| Implementation | Users Filter | Groups Filter |
|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------:|
| custom | N/A | N/A |
| activedirectory | (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(&#124;(sAMAccountType=268435456)(sAMAccountType=536870912))) |
- The account is disabled or locked:
- The [Active Directory] implementation achieves this via the `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` filter.
- The [FreeIPA] implementation achieves this via the `(!(nsAccountLock=TRUE))` filter.
- The [GLAuth] implementation achieves this via the `(!(accountStatus=inactive))` filter.
- Their password is expired:
- The [Active Directory] implementation achieves this via the `(!(pwdLastSet=0))` filter.
- The [FreeIPA] implementation achieves this via the `(krbPasswordExpiration>={date-time:generalized})` filter.
- Their account is expired:
- The [Active Directory] implementation achieves this via the `(|(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt}))` filter.
- The [FreeIPA] implementation achieves this via the `(|(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized}))` filter.
| Implementation | Users Filter | Groups Filter |
|:---------------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------:|
| custom | N/A | N/A |
| activedirectory | (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(&#124;(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt}))) | (&(member={dn})(&#124;(sAMAccountType=268435456)(sAMAccountType=536870912))) |
| freeipa | (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(!(nsAccountLock=TRUE))(krbPasswordExpiration>={date-time:generalized})(&#124;(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized}))) | (&(member={dn})(objectClass=groupOfNames)) |
| lldap | (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) | (&(member={dn})(objectClass=groupOfNames)) |
| glauth | (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(objectClass=posixAccount)(!(accountStatus=inactive))) | (&(uniqueMember={dn})(objectClass=posixGroup)) |
##### Microsoft Active Directory sAMAccountType


@ -23,8 +23,7 @@ This guide effectively documents the usage of the
1. The templates are not covered by our stability guarantees. While we aim to avoid changes to the templates which
would cause users to have to manually change them changes may be necessary in order to facilitate bug fixes or
generally improve the templates.
1. This is especially important for the [Envelope Template](#envelope-template).
2. It is your responsibility to ensure your templates are up to date. We make no efforts in facilitating this.
1. It is your responsibility to ensure your templates are up to date. We make no efforts in facilitating this.
2. We may not be able to offer any direct support in debugging these templates. We only offer support and fixes to
the official templates.
3. All templates __*MUST*__ be encoded in UTF-8 with CRLF line endings. The line endings __*MUST NOT*__ be a simple LF.
@ -69,30 +68,6 @@ This is a basic example:
Some Additional examples for specific purposes can be found in the
[examples directory on GitHub](https://github.com/authelia/authelia/tree/master/examples/templates/notifications).
## Envelope Template
*__Important Note:__ This template must end with a CRLF newline. Failure to include this newline will result in
malformed emails.*
There is also a special envelope template. This is the email envelope which contains the content of the other templates
when sent via the SMTP notifier. It's *__strongly recommended__* that you do not modify this template unless you know
what you're doing. If you really want to modify it the name of the file must be `Envelope.tmpl`.
This template contains the following placeholders which are automatically injected into the template:
| Placeholder | Description |
|:-----------------------:|:---------------------------------------------------------------------------:|
| `{{ .ProcessID }}` | The Authelia Process ID. |
| `{{ .UUID }}` | A string representation of a UUID v4 generated specifically for this email. |
| `{{ .Host }}` | The configured [host]. |
| `{{ .ServerName }}` | The configured TLS [server_name]. |
| `{{ .SenderDomain }}` | The domain portion of the configured [sender]. |
| `{{ .Identifier }}` | The configured [identifier]. |
| `{{ .From }}` | The string representation of the configured [sender]. |
| `{{ .To }}` | The string representation of the recipients email address. |
| `{{ .Subject }}` | The email subject. |
| `{{ .Date }}` | The time.Time of the email envelope being rendered. |
## Original Templates
The original template content can be found on


@ -2,7 +2,7 @@
title: "Cache Integrations"
description: "A cache integration reference guide"
lead: "This section contains a cache integration reference guide for Authelia."
date: 2022-11-19T16:47:09+11:00
date: 2022-12-09T18:24:02+11:00
draft: false
images: []
menu:


@ -3,6 +3,6 @@
<div class="w-100">
This documentation is maintained by the community, it is not guaranteed to be complete or up-to-date.
We always recommend users read the third-party documentation as part of the integration process to ensure the configuration matches their needs and as such we always link the documentation if available.
If you find an error in this documentation please either make a GitHub Pull Request or start a GitHub Discussion.
If you find an error in this documentation please either start a <a class="link-danger" href="https://github.com/authelia/authelia/discussions">Discussion</a>, make a <a class="link-danger" href="https://github.com/authelia/authelia/pulls">Pull Request</a>, or contact us on a <a class="link-danger" href="https://www.authelia.com/contact/#chat">Chat Room</a>.
</div>
</div>


@ -8,5 +8,5 @@
{{ else }}
{{ errorf "No valid text variable or Inner content given"}}
{{ end }}
{{ end}}
{{ end }}
</div>

5
go.mod

@ -28,7 +28,7 @@ require (
github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
github.com/ory/fosite v0.44.0
github.com/ory/herodot v0.9.13
github.com/ory/x v0.0.520
github.com/ory/x v0.0.523
github.com/otiai10/copy v1.9.0
github.com/pkg/errors v0.9.1
github.com/pquerna/otp v1.4.0
@ -39,6 +39,8 @@ require (
github.com/stretchr/testify v1.8.1
github.com/trustelem/zxcvbn v1.0.1
github.com/valyala/fasthttp v1.43.0
github.com/wneessen/go-mail v0.3.5
golang.org/x/net v0.1.0
golang.org/x/sync v0.1.0
golang.org/x/term v0.3.0
golang.org/x/text v0.5.0
@ -108,7 +110,6 @@ require (
github.com/ysmood/leakless v0.8.0 // indirect
golang.org/x/crypto v0.1.0 // indirect
golang.org/x/mod v0.6.0 // indirect
golang.org/x/net v0.1.0 // indirect
golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
golang.org/x/sys v0.3.0 // indirect
golang.org/x/tools v0.2.0 // indirect

6
go.sum

@ -461,8 +461,8 @@ github.com/ory/herodot v0.9.13 h1:cN/Z4eOkErl/9W7hDIDLb79IO/bfsH+8yscBjRpB4IU=
github.com/ory/herodot v0.9.13/go.mod h1:IWDs9kSvFQqw/cQ8zi5ksyYvITiUU4dI7glUrhZcJYo=
github.com/ory/viper v1.7.5 h1:+xVdq7SU3e1vNaCsk/ixsfxE4zylk1TJUiJrY647jUE=
github.com/ory/viper v1.7.5/go.mod h1:ypOuyJmEUb3oENywQZRgeAMwqgOyDqwboO1tj3DjTaM=
github.com/ory/x v0.0.520 h1:ryfKHQEViUBv/UdlZhePOG52RpPAooZtK/I7+x58lBI=
github.com/ory/x v0.0.520/go.mod h1:7f32P5XMBLCy6aVT+fUYq3WPcMVpzsjC0C+FovlMNqY=
github.com/ory/x v0.0.523 h1:vn8e+8tV3RqD8RlvoE6lLPUnjpjua1ExJDMFy3Z5TAQ=
github.com/ory/x v0.0.523/go.mod h1:ayJio5x/fK4RwTgfgzs3JetOaaOSxso9hQjc3mFY8z0=
github.com/otiai10/copy v1.9.0 h1:7KFNiCgZ91Ru4qW4CWPf/7jqtxLagGRmIxWldPP9VY4=
github.com/otiai10/copy v1.9.0/go.mod h1:hsfX19wcn0UWIHUQ3/4fHuehhk2UyArQ9dVFAn3FczI=
github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
@ -609,6 +609,8 @@ github.com/valyala/fasthttp v1.42.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seB
github.com/valyala/fasthttp v1.43.0 h1:Gy4sb32C98fbzVWZlTM1oTMdLWGyvxR03VhM6cBIU4g=
github.com/valyala/fasthttp v1.43.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seBFc2uWtgiY=
github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
github.com/wneessen/go-mail v0.3.5 h1:5fl4O1SnBpA072WFD+q1KBX6L3ltiIsKQDYjs7sY7GM=
github.com/wneessen/go-mail v0.3.5/go.mod h1:m25lkU2GYQnlVr6tdwK533/UXxo57V0kLOjaFYmub0E=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=


@ -70,9 +70,16 @@ const (
)
const (
ldapPlaceholderInput = "{input}"
ldapPlaceholderDistinguishedName = "{dn}"
ldapPlaceholderUsername = "{username}"
ldapPlaceholderInput = "{input}"
ldapPlaceholderDistinguishedName = "{dn}"
ldapPlaceholderUsername = "{username}"
ldapPlaceholderDateTimeGeneralized = "{date-time:generalized}"
ldapPlaceholderDateTimeMicrosoftNTTimeEpoch = "{date-time:microsoft-nt}"
ldapPlaceholderDateTimeUnixEpoch = "{date-time:unix}"
)
const (
ldapGeneralizedTimeDateTimeFormat = "20060102150405.0Z"
)
const (
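Review bot: `ldapGeneralizedTimeDateTimeFormat` has no comment saying it is a Go time layout rather than a literal timestamp, and the `.0Z` tail is easy to misread as a placeholder value. A one-line comment such as `// ldapGeneralizedTimeDateTimeFormat is the Go time layout for an RFC 4517 GeneralizedTime in UTC with one fractional digit, e.g. 20221223050847.0Z (constructed example).` would make the intent clear to whoever next touches the date-time placeholders. The same applies to the three new `ldapPlaceholderDateTime*` constants, which could note that they are substituted per lookup with the provider clock rather than at startup.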


@ -5,6 +5,7 @@ import (
"crypto/x509"
"fmt"
"net"
"strconv"
"strings"
"github.com/go-ldap/ldap/v3"
@ -23,15 +24,20 @@ type LDAPUserProvider struct {
log *logrus.Logger
factory LDAPClientFactory
clock utils.Clock
disableResetPassword bool
// Automatically detected LDAP features.
features LDAPSupportedFeatures
// Dynamically generated users values.
usersBaseDN string
usersAttributes []string
usersFilterReplacementInput bool
usersBaseDN string
usersAttributes []string
usersFilterReplacementInput bool
usersFilterReplacementDateTimeGeneralized bool
usersFilterReplacementDateTimeUnixEpoch bool
usersFilterReplacementDateTimeMicrosoftNTTimeEpoch bool
// Dynamically generated groups values.
groupsBaseDN string
@ -41,14 +47,15 @@ type LDAPUserProvider struct {
groupsFilterReplacementDN bool
}
// NewLDAPUserProvider creates a new instance of LDAPUserProvider.
// NewLDAPUserProvider creates a new instance of LDAPUserProvider with the ProductionLDAPClientFactory.
func NewLDAPUserProvider(config schema.AuthenticationBackend, certPool *x509.CertPool) (provider *LDAPUserProvider) {
provider = newLDAPUserProvider(*config.LDAP, config.PasswordReset.Disable, certPool, nil)
provider = NewLDAPUserProviderWithFactory(*config.LDAP, config.PasswordReset.Disable, certPool, NewProductionLDAPClientFactory())
return provider
}
func newLDAPUserProvider(config schema.LDAPAuthenticationBackend, disableResetPassword bool, certPool *x509.CertPool, factory LDAPClientFactory) (provider *LDAPUserProvider) {
// NewLDAPUserProviderWithFactory creates a new instance of LDAPUserProvider with the specified LDAPClientFactory.
func NewLDAPUserProviderWithFactory(config schema.LDAPAuthenticationBackend, disableResetPassword bool, certPool *x509.CertPool, factory LDAPClientFactory) (provider *LDAPUserProvider) {
if config.TLS == nil {
config.TLS = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.TLS
}
@ -74,6 +81,7 @@ func newLDAPUserProvider(config schema.LDAPAuthenticationBackend, disableResetPa
log: logging.Logger(),
factory: factory,
disableResetPassword: disableResetPassword,
clock: &utils.RealClock{},
}
provider.parseDynamicUsersConfiguration()
@ -394,12 +402,24 @@ func (p *LDAPUserProvider) getUserProfile(client LDAPClient, username string) (p
return &userProfile, nil
}
func (p *LDAPUserProvider) resolveUsersFilter(username string) (filter string) {
func (p *LDAPUserProvider) resolveUsersFilter(input string) (filter string) {
filter = p.config.UsersFilter
if p.usersFilterReplacementInput {
// The {input} placeholder is replaced by the username input.
filter = strings.ReplaceAll(filter, ldapPlaceholderInput, ldapEscape(username))
filter = strings.ReplaceAll(filter, ldapPlaceholderInput, ldapEscape(input))
}
if p.usersFilterReplacementDateTimeGeneralized {
filter = strings.ReplaceAll(filter, ldapPlaceholderDateTimeGeneralized, p.clock.Now().UTC().Format(ldapGeneralizedTimeDateTimeFormat))
}
if p.usersFilterReplacementDateTimeUnixEpoch {
filter = strings.ReplaceAll(filter, ldapPlaceholderDateTimeUnixEpoch, strconv.Itoa(int(p.clock.Now().Unix())))
}
if p.usersFilterReplacementDateTimeMicrosoftNTTimeEpoch {
filter = strings.ReplaceAll(filter, ldapPlaceholderDateTimeMicrosoftNTTimeEpoch, strconv.Itoa(int(utils.UnixNanoTimeToMicrosoftNTEpoch(p.clock.Now().UnixNano()))))
}
p.log.Tracef("Detected user filter is %s", filter)
@ -407,12 +427,12 @@ func (p *LDAPUserProvider) resolveUsersFilter(username string) (filter string) {
return filter
}
func (p *LDAPUserProvider) resolveGroupsFilter(username string, profile *ldapUserProfile) (filter string) {
func (p *LDAPUserProvider) resolveGroupsFilter(input string, profile *ldapUserProfile) (filter string) {
filter = p.config.GroupsFilter
if p.groupsFilterReplacementInput {
// The {input} placeholder is replaced by the users username input.
filter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderInput, ldapEscape(username))
filter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderInput, ldapEscape(input))
}
if profile != nil {
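Review bot: The `strconv.Itoa(int(...))` conversions in resolveUsersFilter narrow 64-bit timestamps to `int`, which is 32 bits on 32-bit targets: the Unix epoch value wraps after 2038 there, and the Microsoft NT epoch value (100 ns intervals since 1601, far above 2^31) is truncated on every call, so an `accountExpires>={date-time:microsoft-nt}` filter would compare against a too-small number and stop excluding expired accounts. Prefer `strconv.FormatInt(p.clock.Now().Unix(), 10)` and `strconv.FormatInt(int64(utils.UnixNanoTimeToMicrosoftNTEpoch(p.clock.Now().UnixNano())), 10)` (drop the `int64(...)` if the helper already returns int64; its signature is not visible here). Reading `now := p.clock.Now()` once at the top would also make all three placeholders resolve to the same instant within a single lookup. resolveUsersFilter's body continues outside this hunk.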


@ -120,6 +120,18 @@ func (p *LDAPUserProvider) parseDynamicUsersConfiguration() {
p.usersFilterReplacementInput = true
}
if strings.Contains(p.config.UsersFilter, ldapPlaceholderDateTimeGeneralized) {
p.usersFilterReplacementDateTimeGeneralized = true
}
if strings.Contains(p.config.UsersFilter, ldapPlaceholderDateTimeUnixEpoch) {
p.usersFilterReplacementDateTimeUnixEpoch = true
}
if strings.Contains(p.config.UsersFilter, ldapPlaceholderDateTimeMicrosoftNTTimeEpoch) {
p.usersFilterReplacementDateTimeMicrosoftNTTimeEpoch = true
}
p.log.Tracef("Detected user filter replacements that need to be resolved per lookup are: %s=%v",
ldapPlaceholderInput, p.usersFilterReplacementInput)
}
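Review bot: The trace line at the end of parseDynamicUsersConfiguration still reports only `usersFilterReplacementInput`, so the three date-time flags set directly above it never show up when an operator traces why a filter does or does not resolve. Extend it to cover the new flags, e.g. `p.log.Tracef("Detected user filter replacements that need to be resolved per lookup are: %s=%v, %s=%v, %s=%v, %s=%v", ldapPlaceholderInput, p.usersFilterReplacementInput, ldapPlaceholderDateTimeGeneralized, p.usersFilterReplacementDateTimeGeneralized, ldapPlaceholderDateTimeUnixEpoch, p.usersFilterReplacementDateTimeUnixEpoch, ldapPlaceholderDateTimeMicrosoftNTTimeEpoch, p.usersFilterReplacementDateTimeMicrosoftNTTimeEpoch)`. The function starts outside this hunk.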



@ -1,15 +1,15 @@
package authentication
// LevelToString returns a string representation of an authentication.Level.
func LevelToString(level Level) string {
switch level {
// String returns a string representation of an authentication.Level.
func (l Level) String() string {
switch l {
case NotAuthenticated:
return "not_authenticated"
case OneFactor:
return "one_factor"
case TwoFactor:
return "two_factor"
default:
return "invalid"
}
return "invalid"
}


@ -26,7 +26,7 @@ func NewAccessControlRule(pos int, rule schema.ACLRule, networksMap map[string][
Methods: schemaMethodsToACL(rule.Methods),
Networks: schemaNetworksToACL(rule.Networks, networksMap, networksCacheMap),
Subjects: schemaSubjectsToACL(rule.Subjects),
Policy: StringToLevel(rule.Policy),
Policy: NewLevel(rule.Policy),
}
if len(r.Subjects) != 0 {


@ -19,7 +19,7 @@ type Authorizer struct {
// NewAuthorizer create an instance of authorizer with a given access control config.
func NewAuthorizer(config *schema.Configuration) (authorizer *Authorizer) {
authorizer = &Authorizer{
defaultPolicy: StringToLevel(config.AccessControl.DefaultPolicy),
defaultPolicy: NewLevel(config.AccessControl.DefaultPolicy),
rules: NewAccessControlRules(config.AccessControl),
config: config,
log: logging.Logger(),


@ -988,12 +988,12 @@ func (s *AuthorizerSuite) TestShouldMatchResourceWithSubjectRules() {
}
func (s *AuthorizerSuite) TestPolicyToLevel() {
s.Assert().Equal(Bypass, StringToLevel(bypass))
s.Assert().Equal(OneFactor, StringToLevel(oneFactor))
s.Assert().Equal(TwoFactor, StringToLevel(twoFactor))
s.Assert().Equal(Denied, StringToLevel(deny))
s.Assert().Equal(Bypass, NewLevel(bypass))
s.Assert().Equal(OneFactor, NewLevel(oneFactor))
s.Assert().Equal(TwoFactor, NewLevel(twoFactor))
s.Assert().Equal(Denied, NewLevel(deny))
s.Assert().Equal(Denied, StringToLevel("whatever"))
s.Assert().Equal(Denied, NewLevel("whatever"))
}
func TestRunSuite(t *testing.T) {


@ -9,8 +9,8 @@ import (
"github.com/authelia/authelia/v4/internal/configuration/schema"
)
// StringToLevel converts a string policy to int authorization level.
func StringToLevel(policy string) Level {
// NewLevel converts a string policy to int authorization level.
func NewLevel(policy string) Level {
switch policy {
case bypass:
return Bypass
@ -25,9 +25,9 @@ func StringToLevel(policy string) Level {
return Denied
}
// LevelToString converts a int authorization level to string policy.
func LevelToString(level Level) (policy string) {
switch level {
// String returns a policy string representation of an authorization.Level.
func (l Level) String() string {
switch l {
case Bypass:
return bypass
case OneFactor:
@ -36,9 +36,9 @@ func LevelToString(level Level) (policy string) {
return twoFactor
case Denied:
return deny
default:
return deny
}
return deny
}
func stringSliceToRegexpSlice(strings []string) (regexps []regexp.Regexp, err error) {
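Review bot: NewLevel's doc comment does not state the fail-closed behaviour that an unrecognised policy string resolves to `Denied`, which is the property a reviewer of access-control code most wants written down next to the function rather than inferred from the trailing `return Denied`. Suggest `// NewLevel converts a string policy to an authorization Level; any value other than the known policies resolves to Denied.` and, on the new String method, a note that unknown levels are printed as the deny policy. The middle of the NewLevel hunk is elided, so the full set of recognised policies is not visible here.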


@ -25,7 +25,7 @@ func TestLevelToString(t *testing.T) {
for _, tc := range testCases {
t.Run("Expected_"+tc.expected, func(t *testing.T) {
assert.Equal(t, tc.expected, LevelToString(tc.have))
assert.Equal(t, tc.expected, tc.have.String())
})
}
}


@ -10,12 +10,10 @@ import (
"github.com/spf13/cobra"
"github.com/authelia/authelia/v4/internal/authorization"
"github.com/authelia/authelia/v4/internal/configuration"
"github.com/authelia/authelia/v4/internal/configuration/schema"
"github.com/authelia/authelia/v4/internal/configuration/validator"
)
func newAccessControlCommand() (cmd *cobra.Command) {
func newAccessControlCommand(ctx *CmdCtx) (cmd *cobra.Command) {
cmd = &cobra.Command{
Use: "access-control",
Short: cmdAutheliaAccessControlShort,
@ -26,25 +24,26 @@ func newAccessControlCommand() (cmd *cobra.Command) {
}
cmd.AddCommand(
newAccessControlCheckCommand(),
newAccessControlCheckCommand(ctx),
)
return cmd
}
func newAccessControlCheckCommand() (cmd *cobra.Command) {
func newAccessControlCheckCommand(ctx *CmdCtx) (cmd *cobra.Command) {
cmd = &cobra.Command{
Use: "check-policy",
Short: cmdAutheliaAccessControlCheckPolicyShort,
Long: cmdAutheliaAccessControlCheckPolicyLong,
Example: cmdAutheliaAccessControlCheckPolicyExample,
RunE: accessControlCheckRunE,
PreRunE: ctx.ChainRunE(
ctx.ConfigLoadRunE,
),
RunE: ctx.AccessControlCheckRunE,
DisableAutoGenTag: true,
}
cmdWithConfigFlags(cmd, false, []string{"configuration.yml"})
cmd.Flags().String("url", "", "the url of the object")
cmd.Flags().String("method", "GET", "the HTTP method of the object")
cmd.Flags().String("username", "", "the username of the subject")
@ -55,36 +54,14 @@ func newAccessControlCheckCommand() (cmd *cobra.Command) {
return cmd
}
func accessControlCheckRunE(cmd *cobra.Command, _ []string) (err error) {
configs, err := cmd.Flags().GetStringSlice(cmdFlagNameConfig)
if err != nil {
return err
}
func (ctx *CmdCtx) AccessControlCheckRunE(cmd *cobra.Command, _ []string) (err error) {
validator.ValidateAccessControl(ctx.config, ctx.cconfig.validator)
sources := make([]configuration.Source, len(configs)+2)
for i, path := range configs {
sources[i] = configuration.NewYAMLFileSource(path)
}
sources[0+len(configs)] = configuration.NewEnvironmentSource(configuration.DefaultEnvPrefix, configuration.DefaultEnvDelimiter)
sources[1+len(configs)] = configuration.NewSecretsSource(configuration.DefaultEnvPrefix, configuration.DefaultEnvDelimiter)
val := schema.NewStructValidator()
accessControlConfig := &schema.Configuration{}
if _, err = configuration.LoadAdvanced(val, "access_control", &accessControlConfig.AccessControl, sources...); err != nil {
return err
}
validator.ValidateAccessControl(accessControlConfig, val)
if val.HasErrors() || val.HasWarnings() {
if ctx.cconfig.validator.HasErrors() || ctx.cconfig.validator.HasWarnings() {
return errors.New("your configuration has errors")
}
authorizer := authorization.NewAuthorizer(accessControlConfig)
authorizer := authorization.NewAuthorizer(ctx.config)
subject, object, err := getSubjectAndObjectFromFlags(cmd)
if err != nil {
@ -94,7 +71,7 @@ func accessControlCheckRunE(cmd *cobra.Command, _ []string) (err error) {
results := authorizer.GetRuleMatchResults(subject, object)
if len(results) == 0 {
fmt.Printf("\nThe default policy '%s' will be applied to ALL requests as no rules are configured.\n\n", accessControlConfig.AccessControl.DefaultPolicy)
fmt.Printf("\nThe default policy '%s' will be applied to ALL requests as no rules are configured.\n\n", ctx.config.AccessControl.DefaultPolicy)
return nil
}
@ -104,7 +81,7 @@ func accessControlCheckRunE(cmd *cobra.Command, _ []string) (err error) {
return err
}
accessControlCheckWriteOutput(object, subject, results, accessControlConfig.AccessControl.DefaultPolicy, verbose)
accessControlCheckWriteOutput(object, subject, results, ctx.config.AccessControl.DefaultPolicy, verbose)
return nil
}
@ -171,11 +148,11 @@ func accessControlCheckWriteOutput(object authorization.Object, subject authoriz
switch {
case appliedPos != 0 && (potentialPos == 0 || (potentialPos > appliedPos)):
fmt.Printf("\nThe policy '%s' from rule #%d will be applied to this request.\n\n", authorization.LevelToString(applied.Rule.Policy), appliedPos)
fmt.Printf("\nThe policy '%s' from rule #%d will be applied to this request.\n\n", applied.Rule.Policy, appliedPos)
case potentialPos != 0 && appliedPos != 0:
fmt.Printf("\nThe policy '%s' from rule #%d will potentially be applied to this request. If not policy '%s' from rule #%d will be.\n\n", authorization.LevelToString(potential.Rule.Policy), potentialPos, authorization.LevelToString(applied.Rule.Policy), appliedPos)
fmt.Printf("\nThe policy '%s' from rule #%d will potentially be applied to this request. If not policy '%s' from rule #%d will be.\n\n", potential.Rule.Policy, potentialPos, applied.Rule.Policy, appliedPos)
case potentialPos != 0:
fmt.Printf("\nThe policy '%s' from rule #%d will potentially be applied to this request. Otherwise the policy '%s' from the default policy will be.\n\n", authorization.LevelToString(potential.Rule.Policy), potentialPos, defaultPolicy)
fmt.Printf("\nThe policy '%s' from rule #%d will potentially be applied to this request. Otherwise the policy '%s' from the default policy will be.\n\n", potential.Rule.Policy, potentialPos, defaultPolicy)
default:
fmt.Printf("\nThe policy '%s' from the default policy will be applied to this request as no rules matched the request.\n\n", defaultPolicy)
}
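Review bot: In AccessControlCheckRunE the rewritten guard returns `errors.New("your configuration has errors")` when the validator holds only warnings, and neither branch surfaces the actual validator messages, so the operator is told the check refused to run without being told why. Unless `ctx.ConfigLoadRunE` (not visible here) already prints them, the warnings and errors should be written out before returning, and the message should match the condition. The function's remaining body is split across the later hunks.

```go
func (ctx *CmdCtx) AccessControlCheckRunE(cmd *cobra.Command, _ []string) (err error) {
	validator.ValidateAccessControl(ctx.config, ctx.cconfig.validator)

	for _, warning := range ctx.cconfig.validator.Warnings() {
		fmt.Printf("Configuration warning: %v\n", warning)
	}

	for _, e := range ctx.cconfig.validator.Errors() {
		fmt.Printf("Configuration error: %v\n", e)
	}

	if ctx.cconfig.validator.HasErrors() || ctx.cconfig.validator.HasWarnings() {
		return errors.New("your configuration has errors or warnings")
	}

	// … unchanged: authorizer construction, flag parsing and output …
```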


@ -9,13 +9,13 @@ import (
"github.com/authelia/authelia/v4/internal/utils"
)
func newBuildInfoCmd() (cmd *cobra.Command) {
func newBuildInfoCmd(ctx *CmdCtx) (cmd *cobra.Command) {
cmd = &cobra.Command{
Use: "build-info",
Short: cmdAutheliaBuildInfoShort,
Long: cmdAutheliaBuildInfoLong,
Example: cmdAutheliaBuildInfoExample,
RunE: cmdBuildInfoRunE,
RunE: ctx.BuildInfoRunE,
Args: cobra.NoArgs,
DisableAutoGenTag: true,
@ -24,7 +24,8 @@ func newBuildInfoCmd() (cmd *cobra.Command) {
return cmd
}
func cmdBuildInfoRunE(_ *cobra.Command, _ []string) (err error) {
// BuildInfoRunE is the RunE for the authelia build-info command.
func (ctx *CmdCtx) BuildInfoRunE(_ *cobra.Command, _ []string) (err error) {
_, err = fmt.Printf(fmtAutheliaBuild, utils.BuildTag, utils.BuildState, utils.BuildBranch, utils.BuildCommit,
utils.BuildNumber, runtime.GOOS, runtime.GOARCH, utils.BuildDate, utils.BuildExtra)


@ -1,101 +0,0 @@
package commands
import (
"os"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
"github.com/authelia/authelia/v4/internal/configuration"
"github.com/authelia/authelia/v4/internal/configuration/schema"
"github.com/authelia/authelia/v4/internal/configuration/validator"
"github.com/authelia/authelia/v4/internal/logging"
)
// cmdWithConfigFlags is used for commands which require access to the configuration to add the flag to the command.
func cmdWithConfigFlags(cmd *cobra.Command, persistent bool, configs []string) {
if persistent {
cmd.PersistentFlags().StringSliceP(cmdFlagNameConfig, "c", configs, "configuration files to load")
} else {
cmd.Flags().StringSliceP(cmdFlagNameConfig, "c", configs, "configuration files to load")
}
}
var config *schema.Configuration
func newCmdWithConfigPreRun(ensureConfigExists, validateKeys, validateConfiguration bool) func(cmd *cobra.Command, args []string) {
return func(cmd *cobra.Command, _ []string) {
var (
logger *logrus.Logger
configs []string
err error
)
logger = logging.Logger()
if configs, err = cmd.Flags().GetStringSlice(cmdFlagNameConfig); err != nil {
logger.Fatalf("Error reading flags: %v", err)
}
if ensureConfigExists && len(configs) == 1 {
created, err := configuration.EnsureConfigurationExists(configs[0])
if err != nil {
logger.Fatal(err)
}
if created {
logger.Warnf("Configuration did not exist so a default one has been generated at %s, you will need to configure this", configs[0])
os.Exit(0)
}
}
var (
val *schema.StructValidator
)
config, val, err = loadConfig(configs, validateKeys, validateConfiguration)
if err != nil {
logger.Fatalf("Error occurred loading configuration: %v", err)
}
warnings := val.Warnings()
if len(warnings) != 0 {
for _, warning := range warnings {
logger.Warnf("Configuration: %+v", warning)
}
}
errs := val.Errors()
if len(errs) != 0 {
for _, err := range errs {
logger.Errorf("Configuration: %+v", err)
}
logger.Fatalf("Can't continue due to the errors loading the configuration")
}
}
}
func loadConfig(configs []string, validateKeys, validateConfiguration bool) (c *schema.Configuration, val *schema.StructValidator, err error) {
var keys []string
val = schema.NewStructValidator()
if keys, c, err = configuration.Load(val,
configuration.NewDefaultSources(
configs,
configuration.DefaultEnvPrefix,
configuration.DefaultEnvDelimiter)...); err != nil {
return nil, nil, err
}
if validateKeys {
validator.ValidateKeys(keys, configuration.DefaultEnvPrefix, val)
}
if validateConfiguration {
validator.ValidateConfiguration(c, val)
}
return c, val, nil
}
