docs: fix regex examples (#3094)

pull/3096/head^2
James Elliott 2022-04-02 16:41:16 +11:00 committed by GitHub
parent 86dcb54e4a
commit 4d7f930e74
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 109 additions and 88 deletions


@ -363,22 +363,22 @@ access_control:
rules: rules:
## Rules applied to everyone ## Rules applied to everyone
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: bypass
## Domain Regex examples. Generally we recommend just using a standard domain. ## Domain Regex examples. Generally we recommend just using a standard domain.
# - domain_regex: "^(?P<User>\w+)\\.example\\.com$" # - domain_regex: '^(?P<User>\w+)\.example\.com$'
# policy: one_factor # policy: one_factor
# - domain_regex: "^(?P<Group>\w+)\\.example\\.com$" # - domain_regex: '^(?P<Group>\w+)\.example\.com$'
# policy: one_factor # policy: one_factor
# - domain_regex: # - domain_regex:
# - "^appgroup-.*\\.example\\.com$" # - '^appgroup-.*\.example\.com$'
# - "^appgroup2-.*\\.example\\.com$" # - '^appgroup2-.*\.example\.com$'
# policy: one_factor # policy: one_factor
# - domain_regex: "^.*\\.example.com$" # - domain_regex: '^.*\.example\.com$'
# policy: two_factor # policy: two_factor
- domain: secure.example.com - domain: 'secure.example.com'
policy: one_factor policy: one_factor
## Network based rule, if not provided any network matches. ## Network based rule, if not provided any network matches.
networks: networks:
@ -388,53 +388,53 @@ access_control:
- 10.0.0.1 - 10.0.0.1
- domain: - domain:
- secure.example.com - 'secure.example.com'
- private.example.com - 'private.example.com'
policy: two_factor policy: two_factor
- domain: singlefactor.example.com - domain: 'singlefactor.example.com'
policy: one_factor policy: one_factor
## Rules applied to 'admins' group ## Rules applied to 'admins' group
- domain: "mx2.mail.example.com" - domain: 'mx2.mail.example.com'
subject: "group:admins" subject: 'group:admins'
policy: deny policy: deny
- domain: "*.example.com" - domain: '*.example.com'
subject: subject:
- "group:admins" - 'group:admins'
- "group:moderators" - 'group:moderators'
policy: two_factor policy: two_factor
## Rules applied to 'dev' group ## Rules applied to 'dev' group
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- '^/groups/dev/.*$' - '^/groups/dev/.*$'
subject: "group:dev" subject: 'group:dev'
policy: two_factor policy: two_factor
## Rules applied to user 'john' ## Rules applied to user 'john'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- '^/users/john/.*$' - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: two_factor
## Rules applied to user 'harry' ## Rules applied to user 'harry'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- '^/users/harry/.*$' - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: two_factor
## Rules applied to user 'bob' ## Rules applied to user 'bob'
- domain: "*.mail.example.com" - domain: '*.mail.example.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: two_factor
- domain: "dev.example.com" - domain: 'dev.example.com'
resources: resources:
- '^/users/bob/.*$' - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: two_factor
## ##
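Review bot: The `## Domain Regex examples` comment above the commented-out `domain_regex` rules does not say why the values are now single-quoted. A user who uncomments one and goes back to double quotes will have `\w` and `\.` read as YAML escape syntax rather than regex escapes, which is the problem this commit's new Regex section describes. A one-line hint next to the examples would carry that into the template, for example `## Regex values must be single-quoted so backslashes reach the regex engine unchanged.` The same hunks appear again in the last file section on this page, and the same comment applies there. The `access_control` block these rules belong to starts and ends outside the hunks.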


@ -22,16 +22,16 @@ access_control:
- 192.168.0.0/18 - 192.168.0.0/18
rules: rules:
- domain: public.example.com - domain: 'public.example.com'
domain_regex: "^\d+\\.public.example.com$" domain_regex: '^\d+\.public.example.com$'
policy: one_factor policy: one_factor
networks: networks:
- internal - internal
- 1.1.1.1 - 1.1.1.1
subject: subject:
- ["user:adam"] - ['user:adam']
- ["user:fred"] - ['user:fred']
- ["group:admins"] - ['group:admins']
methods: methods:
- GET - GET
- HEAD - HEAD
@ -156,10 +156,10 @@ different ways.*
```yaml ```yaml
access_control: access_control:
rules: rules:
- domain: "*.example.com" - domain: '*.example.com'
policy: bypass policy: bypass
- domain: - domain:
- "*.example.com" - '*.example.com'
policy: bypass policy: bypass
``` ```
@ -169,7 +169,7 @@ list are effectively the same rule just expressed in different ways.*
```yaml ```yaml
access_control: access_control:
rules: rules:
- domain: ["apple.example.com", "banana.example.com"] - domain: ['apple.example.com', 'banana.example.com']
policy: bypass policy: bypass
- domain: - domain:
- apple.example.com - apple.example.com
@ -190,14 +190,13 @@ _**Required:** This criteria OR the [domain](#domain) criteria are required._
_**Important Note:** If you intend to use this criteria with a bypass rule please read _**Important Note:** If you intend to use this criteria with a bypass rule please read
[bypass and subjects](#bypass-and-user-identity) before doing so._ [bypass and subjects](#bypass-and-user-identity) before doing so._
_**Important Note:** to utilize regex you must escape it properly. See [regex](./index.md#regex) for more information._
This criteria matches the domain name and has two methods of configuration, either as a single string or as a list of This criteria matches the domain name and has two methods of configuration, either as a single string or as a list of
strings. When it's a list of strings the rule matches when **any** of the domains in the list match the request domain. strings. When it's a list of strings the rule matches when **any** of the domains in the list match the request domain.
When used in conjunction with [domain](#domain) the rule will match when either the [domain](#domain) or the When used in conjunction with [domain](#domain) the rule will match when either the [domain](#domain) or the
[domain_regex](#domain_regex) criteria matches. [domain_regex](#domain_regex) criteria matches.
As this is a regex string you will either need to use single quotes or need to double-escape certain portions of the
regex in order make this work.
This criteria takes any standard go regex pattern to match the requests. We additionally utilize two special named match This criteria takes any standard go regex pattern to match the requests. We additionally utilize two special named match
groups which match attributes of the user: groups which match attributes of the user:
@ -221,8 +220,8 @@ access_control:
- banana.example.com - banana.example.com
policy: bypass policy: bypass
- domain_regex: - domain_regex:
- "^user-(?P<User>\w+)\\.example\\.com$" - '^user-(?P<User>\w+)\.example\.com$'
- "^group-(?P<Group>\w+)\\.example\\.com$" - '^group-(?P<Group>\w+)\.example\.com$'
policy: one_factor policy: one_factor
``` ```
@ -407,17 +406,15 @@ required: no
{: .label .label-config .label-green } {: .label .label-config .label-green }
</div> </div>
_**Important Note:** to utilize regex you must escape it properly. See [regex](./index.md#regex) for more information._
This criteria matches the path and query of the request using regular expressions. The rule is expressed as a list of This criteria matches the path and query of the request using regular expressions. The rule is expressed as a list of
strings. If any one of the regular expressions in the list matches the request it's considered a match. A useful tool strings. If any one of the regular expressions in the list matches the request it's considered a match. A useful tool
for debugging these regular expressions is called [Rego](https://regoio.herokuapp.com/). for debugging these regular expressions is called [Rego](https://regoio.herokuapp.com/).
***Note:** Prior to 4.27.0 the regular expressions only matched the path excluding the query parameters. After 4.27.0 _**Note:** Prior to 4.27.0 the regular expressions only matched the path excluding the query parameters. After 4.27.0
they match the entire path including the query parameters. When upgrading you may be required to alter some of your they match the entire path including the query parameters. When upgrading you may be required to alter some of your
resource rules to get them to operate as they previously did.* resource rules to get them to operate as they previously did._
As this is a regex string you will either need to use single quotes or need to double-escape certain portions of the
regex in order make this work. If you don't do either of these things either the regex may not be parsed, or it may not
be parsed correctly. It's technically optional but will likely save you a lot of time if you do it for all resource rules.
Examples: Examples:
@ -487,15 +484,15 @@ access_control:
- name: VPN - name: VPN
networks: 10.9.0.0/16 networks: 10.9.0.0/16
rules: rules:
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: bypass
- domain: "*.example.com" - domain: '*.example.com'
policy: bypass policy: bypass
methods: methods:
- OPTIONS - OPTIONS
- domain: secure.example.com - domain: 'secure.example.com'
policy: one_factor policy: one_factor
networks: networks:
- internal - internal
@ -504,37 +501,37 @@ access_control:
- 10.0.0.1 - 10.0.0.1
- domain: - domain:
- secure.example.com - 'secure.example.com'
- private.example.com - 'private.example.com'
policy: two_factor policy: two_factor
- domain: singlefactor.example.com - domain: 'singlefactor.example.com'
policy: one_factor policy: one_factor
- domain: "mx2.mail.example.com" - domain: 'mx2.mail.example.com'
subject: "group:admins" subject: "group:admins"
policy: deny policy: deny
- domain: "*.example.com" - domain: '*.example.com'
subject: subject:
- "group:admins" - 'group:admins'
- "group:moderators" - 'group:moderators'
policy: two_factor policy: two_factor
- domain: dev.example.com - domain: dev.example.com
resources: resources:
- '^/groups/dev/.*$' - '^/groups/dev/.*$'
subject: "group:dev" subject: 'group:dev'
policy: two_factor policy: two_factor
- domain: dev.example.com - domain: dev.example.com
resources: resources:
- '^/users/john/.*$' - '^/users/john/.*$'
subject: subject:
- ["group:dev", "user:john"] - ['group:dev', 'user:john']
- "group:admins" - 'group:admins'
policy: two_factor policy: two_factor
- domain: "{user}.example.com" - domain: '{user}.example.com'
policy: bypass policy: bypass
``` ```
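Review bot: The first example in this section, `domain_regex: '^\d+\.public.example.com$'`, still leaves the two dots in `public.example.com` unescaped. Each of them matches any character, so the `one_factor` rule also covers hostnames other than the intended one (a constructed example: `1.public-example.com`). The commit fixes this same slip in the template, where `example.com` became `example\.com`, so this line should read `domain_regex: '^\d+\.public\.example\.com$'`. Further down, `subject: "group:admins"` under `mx2.mail.example.com` and the two `- domain: dev.example.com` rules were left in the old quoting style. The YAML examples these hunks sit in start and end outside the hunks.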


@ -98,6 +98,27 @@ integrations, it only checks that your configuration syntax is valid.
$ authelia validate-config --config configuration.yml $ authelia validate-config --config configuration.yml
``` ```
# Regex
We have several sections of configuration that utilize regular expressions. It's recommended to validate your regex
manually either via tools like [Rego](https://regoio.herokuapp.com/) or some other means.
It's important when attempting to utilize a backslash that it's utilized correctly. The YAML parser is likely to parse
this as you trying to use YAML escape syntax instead of regex escape syntax. To avoid this use single quotes instead of
no quotes or double quotes.
Good Example:
```yaml
domain_regex: '^(admin|secure)\.example\.com$'
```
Bad Example:
```yaml
domain_regex: "^(admin|secure)\.example\.com$"
```
# Duration Notation Format # Duration Notation Format
We have implemented a string/integer based notation for configuration options that take a duration of time. This section We have implemented a string/integer based notation for configuration options that take a duration of time. This section


@ -14,11 +14,14 @@ to the resource.
For instance a rule can look like this: For instance a rule can look like this:
- domain: dev.example.com ```yaml
resources: - domain: dev.example.com
- "^/groups/dev/.*$" resources:
subject: "group:dev" - '^/groups/dev/.*$'
policy: two_factor subject: 'group:dev'
policy: two_factor
```
This rule matches when the request targets the domain `dev.example.com` and the path This rule matches when the request targets the domain `dev.example.com` and the path
matches the regular expression `^/groups/dev/.*$`. In that case, a two-factor policy matches the regular expression `^/groups/dev/.*$`. In that case, a two-factor policy


@ -363,22 +363,22 @@ access_control:
rules: rules:
## Rules applied to everyone ## Rules applied to everyone
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: bypass
## Domain Regex examples. Generally we recommend just using a standard domain. ## Domain Regex examples. Generally we recommend just using a standard domain.
# - domain_regex: "^(?P<User>\w+)\\.example\\.com$" # - domain_regex: '^(?P<User>\w+)\.example\.com$'
# policy: one_factor # policy: one_factor
# - domain_regex: "^(?P<Group>\w+)\\.example\\.com$" # - domain_regex: '^(?P<Group>\w+)\.example\.com$'
# policy: one_factor # policy: one_factor
# - domain_regex: # - domain_regex:
# - "^appgroup-.*\\.example\\.com$" # - '^appgroup-.*\.example\.com$'
# - "^appgroup2-.*\\.example\\.com$" # - '^appgroup2-.*\.example\.com$'
# policy: one_factor # policy: one_factor
# - domain_regex: "^.*\\.example.com$" # - domain_regex: '^.*\.example\.com$'
# policy: two_factor # policy: two_factor
- domain: secure.example.com - domain: 'secure.example.com'
policy: one_factor policy: one_factor
## Network based rule, if not provided any network matches. ## Network based rule, if not provided any network matches.
networks: networks:
@ -388,53 +388,53 @@ access_control:
- 10.0.0.1 - 10.0.0.1
- domain: - domain:
- secure.example.com - 'secure.example.com'
- private.example.com - 'private.example.com'
policy: two_factor policy: two_factor
- domain: singlefactor.example.com - domain: 'singlefactor.example.com'
policy: one_factor policy: one_factor
## Rules applied to 'admins' group ## Rules applied to 'admins' group
- domain: "mx2.mail.example.com" - domain: 'mx2.mail.example.com'
subject: "group:admins" subject: 'group:admins'
policy: deny policy: deny
- domain: "*.example.com" - domain: '*.example.com'
subject: subject:
- "group:admins" - 'group:admins'
- "group:moderators" - 'group:moderators'
policy: two_factor policy: two_factor
## Rules applied to 'dev' group ## Rules applied to 'dev' group
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- '^/groups/dev/.*$' - '^/groups/dev/.*$'
subject: "group:dev" subject: 'group:dev'
policy: two_factor policy: two_factor
## Rules applied to user 'john' ## Rules applied to user 'john'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- '^/users/john/.*$' - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: two_factor
## Rules applied to user 'harry' ## Rules applied to user 'harry'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- '^/users/harry/.*$' - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: two_factor
## Rules applied to user 'bob' ## Rules applied to user 'bob'
- domain: "*.mail.example.com" - domain: '*.mail.example.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: two_factor
- domain: "dev.example.com" - domain: 'dev.example.com'
resources: resources:
- '^/users/bob/.*$' - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: two_factor
## ##