Misc Spelling Corrections
- Mostly changes to spelling of comments/docs/displayed text
- A few changes to test function names

pull/570/head
parent
47b34b4026
commit
736ed3f212
|
@ -63,7 +63,7 @@ Release Notes - Version 3.14.0
|
||||||
Release Notes - Version 3.13.0
|
Release Notes - Version 3.13.0
|
||||||
------------------------------
|
------------------------------
|
||||||
* Rewrite Authelia portal in Typescript.
|
* Rewrite Authelia portal in Typescript.
|
||||||
* Intoduce concept of suites and authelia-scripts.
|
* Introduce concept of suites and authelia-scripts.
|
||||||
* Add official support for Kubernetes and a suite.
|
* Add official support for Kubernetes and a suite.
|
||||||
* Improve documentation for nginx.
|
* Improve documentation for nginx.
|
||||||
* Fix bypass policy not properly handled.
|
* Fix bypass policy not properly handled.
|
||||||
|
@ -90,7 +90,7 @@ Release Notes - Version 3.10.0
|
||||||
------------------------------
|
------------------------------
|
||||||
* Add docker-compose for deploying Authelia on Swarm*.
|
* Add docker-compose for deploying Authelia on Swarm*.
|
||||||
* Add "keep me logged in" checkbox in first factor page.
|
* Add "keep me logged in" checkbox in first factor page.
|
||||||
* Fix U2F compatiblity with Firefox.
|
* Fix U2F compatibility with Firefox.
|
||||||
* Bump dependencies to fix vulnerabilities reported by snyk.
|
* Bump dependencies to fix vulnerabilities reported by snyk.
|
||||||
* Improve documentation for dev setup.
|
* Improve documentation for dev setup.
|
||||||
|
|
||||||
|
|
|
@ -32,7 +32,7 @@ func init() {
|
||||||
SuitesTestCmd.Flags().BoolVar(&headless, "headless", false, "Run tests in headless mode")
|
SuitesTestCmd.Flags().BoolVar(&headless, "headless", false, "Run tests in headless mode")
|
||||||
}
|
}
|
||||||
|
|
||||||
// SuitesListCmd Command for listing the available suites
|
// SuitesListCmd Command for listing the available suites.
|
||||||
var SuitesListCmd = &cobra.Command{
|
var SuitesListCmd = &cobra.Command{
|
||||||
Use: "list",
|
Use: "list",
|
||||||
Short: "List available suites.",
|
Short: "List available suites.",
|
||||||
|
@ -42,7 +42,7 @@ var SuitesListCmd = &cobra.Command{
|
||||||
Args: cobra.ExactArgs(0),
|
Args: cobra.ExactArgs(0),
|
||||||
}
|
}
|
||||||
|
|
||||||
// SuitesSetupCmd Command for setuping a suite environment
|
// SuitesSetupCmd Command to setup a suite environment.
|
||||||
var SuitesSetupCmd = &cobra.Command{
|
var SuitesSetupCmd = &cobra.Command{
|
||||||
Use: "setup [suite]",
|
Use: "setup [suite]",
|
||||||
Short: "Setup a Go suite environment. Suites can be listed using the list command.",
|
Short: "Setup a Go suite environment. Suites can be listed using the list command.",
|
||||||
|
|
|
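Review bot: the new doc comment still uses "setup" as a verb ("Command to setup a suite environment."), and the unchanged `Short` string has the same problem ("Setup a Go suite environment."); as a verb it is two words, so "Command to set up a suite environment." and "Set up a Go suite environment. Suites can be listed using the list command."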
@ -117,7 +117,7 @@ authentication_backend:
|
||||||
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
|
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
|
||||||
#
|
#
|
||||||
# Note: You must put patterns containing wildcards between simple quotes for the YAML
|
# Note: You must put patterns containing wildcards between simple quotes for the YAML
|
||||||
# to be syntaxically correct.
|
# to be syntactically correct.
|
||||||
#
|
#
|
||||||
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
|
# Definition: A `rule` is an object with the following keys: `domain`, `subject`,
|
||||||
# `policy` and `resources`.
|
# `policy` and `resources`.
|
||||||
|
|
|
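Review bot: "simple quotes" in the unchanged Note line just above the fixed one should be "single quotes". That is the YAML term, and it is the single-quoted form that makes a pattern starting with `*` (as in the `*.mydomain.com` example a few lines up) parse as a string instead of an alias. Suggest "You must put patterns containing wildcards between single quotes for the YAML".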
@ -46,7 +46,7 @@ Integration tests are located under the `internal/suites` directory
|
||||||
and are based on Selenium. A suite is a combination of environment
|
and are based on Selenium. A suite is a combination of environment
|
||||||
and tests. Executing a suite therefore means starting the environment,
|
and tests. Executing a suite therefore means starting the environment,
|
||||||
running the tests and tearing down the environment. Each step can be
|
running the tests and tearing down the environment. Each step can be
|
||||||
run independantly:
|
run independently:
|
||||||
|
|
||||||
# List the available suites
|
# List the available suites
|
||||||
$ authelia-scripts suites list
|
$ authelia-scripts suites list
|
||||||
|
|
|
@ -149,7 +149,7 @@ This documentation gives instructions that will make **Authelia** non
|
||||||
highly-available and non scalable by preventing you from running multiple
|
highly-available and non scalable by preventing you from running multiple
|
||||||
instances of the application.
|
instances of the application.
|
||||||
This means that **Authelia** won't be able to distribute the
|
This means that **Authelia** won't be able to distribute the
|
||||||
load accross multiple servers and it will prevent failover in case of a
|
load across multiple servers and it will prevent failover in case of a
|
||||||
crash or an hardware issue. Moreover, it will also prevent from reliably
|
crash or an hardware issue. Moreover, it will also prevent from reliably
|
||||||
persisting data and consequently fail access to your platform as the devices
|
persisting data and consequently fail access to your platform as the devices
|
||||||
registered by your users will be lost.
|
registered by your users will be lost.
|
||||||
|
|
|
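Review bot: the grammar around the corrected word is left in place: "an hardware issue" should be "a hardware issue", and "it will also prevent from reliably persisting data" needs an object ("prevent you from reliably persisting data"). "non highly-available and non scalable" in the lines above would also read better hyphenated ("non-highly-available and non-scalable").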
@ -6,12 +6,12 @@ Authelia uses two mechanisms to protect against cookie theft:
|
||||||
1. session attribute `httpOnly` set to true make client-side code unable to
|
1. session attribute `httpOnly` set to true make client-side code unable to
|
||||||
read the cookie.
|
read the cookie.
|
||||||
2. session attribute `secure` ensure the cookie will never be sent over an
|
2. session attribute `secure` ensure the cookie will never be sent over an
|
||||||
unsecure HTTP connections.
|
insecure HTTP connections.
|
||||||
|
|
||||||
## Protection against multi-domain cookie attacks
|
## Protection against multi-domain cookie attacks
|
||||||
|
|
||||||
Since Authelia uses multi-domain cookies to perform single sign-on, an
|
Since Authelia uses multi-domain cookies to perform single sign-on, an
|
||||||
attacker who poisonned a user's DNS cache can easily retrieve the user's
|
attacker who poisoned a user's DNS cache can easily retrieve the user's
|
||||||
cookies by making the user send a request to one of the attacker's IPs.
|
cookies by making the user send a request to one of the attacker's IPs.
|
||||||
|
|
||||||
To mitigate this risk, it's advisable to only use HTTPS connections with valid
|
To mitigate this risk, it's advisable to only use HTTPS connections with valid
|
||||||
|
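Review bot: "an unsecure HTTP connections" becomes "an insecure HTTP connections", which still pairs a singular article with a plural noun; suggest "an insecure HTTP connection". The two list items also have subject-verb disagreement in their unchanged lines: "set to true make client-side code unable" should be "makes", and "`secure` ensure the cookie" should be "ensures".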
@ -54,12 +54,12 @@ that can be used to validate the authenticity of a server with a self signed
|
||||||
certificate. This can either be the public cert of the certificate authority
|
certificate. This can either be the public cert of the certificate authority
|
||||||
used to sign the certificate or the public key itself. They must be in the PEM
|
used to sign the certificate or the public key itself. They must be in the PEM
|
||||||
format. The certificate is added in addition to the certificates trusted by the
|
format. The certificate is added in addition to the certificates trusted by the
|
||||||
;host machine. If the certificate is invalid, inaccessible, or is otherwise not
|
host machine. If the certificate is invalid, inaccessible, or is otherwise not
|
||||||
configured; Authelia just uses the hosts certificates.
|
configured; Authelia just uses the hosts certificates.
|
||||||
|
|
||||||
### Explanation
|
### Explanation
|
||||||
There are a few reasons for the security measures implemented:
|
There are a few reasons for the security measures implemented:
|
||||||
1. Transmitting usernames and passwords over plain-text is an obvious vulnerability
|
1. Transmitting username's and passwords over plain-text is an obvious vulnerability
|
||||||
2. The emails generated by Authelia, if transmitted in plain-text could allow
|
2. The emails generated by Authelia, if transmitted in plain-text could allow
|
||||||
an attacker to intercept a link used to setup 2FA; which reduces security
|
an attacker to intercept a link used to setup 2FA; which reduces security
|
||||||
3. Not validating the identity of the server allows man-in-the-middle attacks
|
3. Not validating the identity of the server allows man-in-the-middle attacks
|
||||||
|
|
|
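Review bot: this hunk introduces a new typo while removing the stray semicolon: "Transmitting usernames and passwords" is changed to "Transmitting username's and passwords", turning a plural into a possessive; revert that word to "usernames". In the unchanged lines, "Authelia just uses the hosts certificates" wants "host's certificates", and "self signed" in the hunk header line is normally hyphenated ("self-signed").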
@ -67,7 +67,7 @@
|
||||||
Here is the list of credentials you can log in with to test access control.<br />
|
Here is the list of credentials you can log in with to test access control.<br />
|
||||||
<br /> Once first factor is passed, you will need to follow the links to register a secret for the second
|
<br /> Once first factor is passed, you will need to follow the links to register a secret for the second
|
||||||
factor.<br /> Authelia
|
factor.<br /> Authelia
|
||||||
will send you a fictituous email in a <strong>fake webmail</strong> at <a
|
will send you a fictitious email in a <strong>fake webmail</strong> at <a
|
||||||
href="http://localhost:8085">http://localhost:8085</a>.<br />
|
href="http://localhost:8085">http://localhost:8085</a>.<br />
|
||||||
It will provide you with the link to complete the registration allowing you to authenticate with 2-factor.
|
It will provide you with the link to complete the registration allowing you to authenticate with 2-factor.
|
||||||
|
|
||||||
|
|
|
@ -33,7 +33,7 @@ func identityRetrieverFromStorage(ctx *middlewares.AutheliaCtx) (*session.Identi
|
||||||
}
|
}
|
||||||
|
|
||||||
// ResetPasswordIdentityStart the handler for initiating the identity validation for resetting a password.
|
// ResetPasswordIdentityStart the handler for initiating the identity validation for resetting a password.
|
||||||
// We need to ensure the attacker cannot perform user enumeration by alway replying with 200 whatever what happens in backend.
|
// We need to ensure the attacker cannot perform user enumeration by always replying with 200 whatever what happens in backend.
|
||||||
var ResetPasswordIdentityStart = middlewares.IdentityVerificationStart(middlewares.IdentityVerificationStartArgs{
|
var ResetPasswordIdentityStart = middlewares.IdentityVerificationStart(middlewares.IdentityVerificationStartArgs{
|
||||||
MailSubject: "[Authelia] Reset your password",
|
MailSubject: "[Authelia] Reset your password",
|
||||||
MailTitle: "Reset your password",
|
MailTitle: "Reset your password",
|
||||||
|
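Review bot: the corrected comment on ResetPasswordIdentityStart still reads "always replying with 200 whatever what happens in backend"; suggest "always replying with 200 regardless of what happens in the backend", since this comment is the one place that records the user-enumeration guard and should read cleanly.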
@ -52,6 +52,6 @@ func resetPasswordIdentityFinish(ctx *middlewares.AutheliaCtx, username string)
|
||||||
ctx.ReplyOK()
|
ctx.ReplyOK()
|
||||||
}
|
}
|
||||||
|
|
||||||
// ResetPasswordIdentityFinish the handler for finishing the identity validation
|
// ResetPasswordIdentityFinish the handler for finishing the identity validation.
|
||||||
var ResetPasswordIdentityFinish = middlewares.IdentityVerificationFinish(
|
var ResetPasswordIdentityFinish = middlewares.IdentityVerificationFinish(
|
||||||
middlewares.IdentityVerificationFinishArgs{ActionClaim: ResetPasswordAction}, resetPasswordIdentityFinish)
|
middlewares.IdentityVerificationFinishArgs{ActionClaim: ResetPasswordAction}, resetPasswordIdentityFinish)
|
||||||
|
|
|
@ -92,7 +92,7 @@ func (s *SecondFactorDuoPostSuite) TestShouldCallDuoAPIAndFail() {
|
||||||
s.mock.Assert200KO(s.T(), "Authentication failed, please retry later.")
|
s.mock.Assert200KO(s.T(), "Authentication failed, please retry later.")
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestRunSecondeFactorDuoPostSuite(t *testing.T) {
|
func TestRunSecondFactorDuoPostSuite(t *testing.T) {
|
||||||
s := new(SecondFactorDuoPostSuite)
|
s := new(SecondFactorDuoPostSuite)
|
||||||
suite.Run(t, s)
|
suite.Run(t, s)
|
||||||
}
|
}
|
||||||
|
|
|
@ -12,14 +12,14 @@ import (
|
||||||
"github.com/sirupsen/logrus"
|
"github.com/sirupsen/logrus"
|
||||||
)
|
)
|
||||||
|
|
||||||
func loadInfo(username string, storageProvier storage.Provider, preferences *UserPreferences, logger *logrus.Entry) []error {
|
func loadInfo(username string, storageProvider storage.Provider, preferences *UserPreferences, logger *logrus.Entry) []error {
|
||||||
var wg sync.WaitGroup
|
var wg sync.WaitGroup
|
||||||
wg.Add(3)
|
wg.Add(3)
|
||||||
|
|
||||||
errors := make([]error, 0)
|
errors := make([]error, 0)
|
||||||
go func() {
|
go func() {
|
||||||
defer wg.Done()
|
defer wg.Done()
|
||||||
method, err := storageProvier.LoadPreferred2FAMethod(username)
|
method, err := storageProvider.LoadPreferred2FAMethod(username)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
errors = append(errors, err)
|
errors = append(errors, err)
|
||||||
logger.Error(err)
|
logger.Error(err)
|
||||||
|
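Review bot: the rename is fine, but the context lines show a data race in loadInfo that should be fixed in the same file: `errors := make([]error, 0)` is appended to from each of the three goroutines (`errors = append(errors, err)` inside `go func()`) with only the WaitGroup for synchronization and no mutex, so concurrent appends can lose an error or corrupt the slice, and `go test -race` would flag it. Suggest guarding the append with a `sync.Mutex`, or giving each goroutine its own slot (or a buffered channel of size 3) and collecting after `wg.Wait()`. The local name `errors` also shadows the standard `errors` package, which is worth renaming while here.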
@ -34,7 +34,7 @@ func loadInfo(username string, storageProvier storage.Provider, preferences *Use
|
||||||
|
|
||||||
go func() {
|
go func() {
|
||||||
defer wg.Done()
|
defer wg.Done()
|
||||||
_, _, err := storageProvier.LoadU2FDeviceHandle(username)
|
_, _, err := storageProvider.LoadU2FDeviceHandle(username)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == storage.ErrNoU2FDeviceHandle {
|
if err == storage.ErrNoU2FDeviceHandle {
|
||||||
return
|
return
|
||||||
|
@ -48,7 +48,7 @@ func loadInfo(username string, storageProvier storage.Provider, preferences *Use
|
||||||
|
|
||||||
go func() {
|
go func() {
|
||||||
defer wg.Done()
|
defer wg.Done()
|
||||||
_, err := storageProvier.LoadTOTPSecret(username)
|
_, err := storageProvider.LoadTOTPSecret(username)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == storage.ErrNoTOTPSecret {
|
if err == storage.ErrNoTOTPSecret {
|
||||||
return
|
return
|
||||||
|
@ -64,7 +64,7 @@ func loadInfo(username string, storageProvier storage.Provider, preferences *Use
|
||||||
return errors
|
return errors
|
||||||
}
|
}
|
||||||
|
|
||||||
// UserInfoGet get the info related to the user identitified by the session.
|
// UserInfoGet get the info related to the user identified by the session.
|
||||||
func UserInfoGet(ctx *middlewares.AutheliaCtx) {
|
func UserInfoGet(ctx *middlewares.AutheliaCtx) {
|
||||||
userSession := ctx.GetSession()
|
userSession := ctx.GetSession()
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,7 @@ func init() {
|
||||||
logrus.AddHook(logrus_stack.NewHook(callerLevels, stackLevels))
|
logrus.AddHook(logrus_stack.NewHook(callerLevels, stackLevels))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Logger return the standard logrues logger.
|
// Logger return the standard logrus logger.
|
||||||
func Logger() *logrus.Logger {
|
func Logger() *logrus.Logger {
|
||||||
return logrus.StandardLogger()
|
return logrus.StandardLogger()
|
||||||
}
|
}
|
||||||
|
|
|
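Review bot: the comment fix leaves "Logger return the standard logrus logger."; Go doc comments use the third person, so "Logger returns the standard logrus logger."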
@ -87,7 +87,7 @@ func TestShouldFailSendingAnEmail(t *testing.T) {
|
||||||
assert.Equal(t, "no notif", mock.Hook.LastEntry().Message)
|
assert.Equal(t, "no notif", mock.Hook.LastEntry().Message)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestShouldSucceedIdentityVerficationStartProcess(t *testing.T) {
|
func TestShouldSucceedIdentityVerificationStartProcess(t *testing.T) {
|
||||||
mock := mocks.NewMockAutheliaCtx(t)
|
mock := mocks.NewMockAutheliaCtx(t)
|
||||||
defer mock.Close()
|
defer mock.Close()
|
||||||
|
|
||||||
|
|
|
@ -69,7 +69,7 @@ access_control:
|
||||||
regulation:
|
regulation:
|
||||||
# Set it to 0 to disable max_retries.
|
# Set it to 0 to disable max_retries.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
# The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 300
|
find_time: 300
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
ban_time: 900
|
ban_time: 900
|
||||||
|
|
|
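Review bot: the `find_time` comment now reads correctly and states its unit, but the `ban_time` comment two lines below ("The length of time before a banned user can login again.") gives none; suggest "The length of time in seconds before a banned user can log in again." so the two regulation settings are documented consistently. The same comment block is copied into every configuration file touched by this commit, so the unit should be added to each copy.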
@ -85,7 +85,7 @@ regulation:
|
||||||
# Set it to 0 to disable max_retries.
|
# Set it to 0 to disable max_retries.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
|
|
||||||
# The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 300
|
find_time: 300
|
||||||
|
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
|
|
|
@ -212,7 +212,7 @@ regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
|
|
||||||
# The time range during which the user can attempt login before being banned.
|
# The time range during which the user can attempt login before being banned.
|
||||||
# The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 8
|
find_time: 8
|
||||||
|
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
|
|
|
@ -83,7 +83,7 @@ regulation:
|
||||||
# Set it to 0 to disable max_retries.
|
# Set it to 0 to disable max_retries.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
|
|
||||||
# The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 300
|
find_time: 300
|
||||||
|
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
|
|
|
@ -53,7 +53,7 @@ regulation:
|
||||||
# Set it to 0 to disable max_retries.
|
# Set it to 0 to disable max_retries.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
|
|
||||||
# The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 8
|
find_time: 8
|
||||||
|
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
|
|
|
@ -48,7 +48,7 @@ access_control:
|
||||||
regulation:
|
regulation:
|
||||||
# Set it to 0 to disable max_retries.
|
# Set it to 0 to disable max_retries.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
# The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 300
|
find_time: 300
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
ban_time: 900
|
ban_time: 900
|
||||||
|
|
|
@ -53,7 +53,7 @@ regulation:
|
||||||
# Set it to 0 to disable max_retries.
|
# Set it to 0 to disable max_retries.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
|
|
||||||
# The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 8
|
find_time: 8
|
||||||
|
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
|
|
|
@ -69,7 +69,7 @@ access_control:
|
||||||
regulation:
|
regulation:
|
||||||
# Set it to 0 to disable max_retries.
|
# Set it to 0 to disable max_retries.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
# The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 300
|
find_time: 300
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
ban_time: 900
|
ban_time: 900
|
||||||
|
|
|
@ -75,7 +75,7 @@ func (s *ResetPasswordScenario) TestShouldMakeAttackerThinkPasswordResetIsInitia
|
||||||
s.doVisit(s.T(), LoginBaseURL)
|
s.doVisit(s.T(), LoginBaseURL)
|
||||||
s.verifyIsFirstFactorPage(ctx, s.T())
|
s.verifyIsFirstFactorPage(ctx, s.T())
|
||||||
|
|
||||||
// Try to initiate a password reset of an inexistant user
|
// Try to initiate a password reset of an nonexistent user.
|
||||||
s.doInitiatePasswordReset(ctx, s.T(), "i_dont_exist")
|
s.doInitiatePasswordReset(ctx, s.T(), "i_dont_exist")
|
||||||
|
|
||||||
// Check that the notification make the attacker thinks the process is initiated
|
// Check that the notification make the attacker thinks the process is initiated
|
||||||
|
|
|
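Review bot: the new comment reads "a password reset of an nonexistent user"; with "nonexistent" the article must be "a". The next unchanged comment, "Check that the notification make the attacker thinks the process is initiated", also needs "makes the attacker think".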
@ -5,7 +5,7 @@ import (
|
||||||
"time"
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
// CheckUntil regurly check a predicate until it's true or time out is reached
|
// CheckUntil regularly check a predicate until it's true or time out is reached.
|
||||||
func CheckUntil(interval time.Duration, timeout time.Duration, predicate func() (bool, error)) error {
|
func CheckUntil(interval time.Duration, timeout time.Duration, predicate func() (bool, error)) error {
|
||||||
for {
|
for {
|
||||||
select {
|
select {
|
||||||
|
|
|
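Review bot: the corrected doc comment on CheckUntil still reads "regularly check a predicate until it's true or time out is reached"; as a Go doc comment it should be third person, and "time out" as a noun is one word: "CheckUntil regularly checks a predicate until it is true or the timeout is reached."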
@ -31,11 +31,11 @@ See the section about [deployment](https://facebook.github.io/create-react-app/d
|
||||||
|
|
||||||
**Note: this is a one-way operation. Once you `eject`, you can’t go back!**
|
**Note: this is a one-way operation. Once you `eject`, you can’t go back!**
|
||||||
|
|
||||||
If you aren’t satisfied with the build tool and configuration choices, you can `eject` at any time. This command will remove the single build dependency from your project.
|
If you aren't satisfied with the build tool and configuration choices, you can `eject` at any time. This command will remove the single build dependency from your project.
|
||||||
|
|
||||||
Instead, it will copy all the configuration files and the transitive dependencies (Webpack, Babel, ESLint, etc) right into your project so you have full control over them. All of the commands except `eject` will still work, but they will point to the copied scripts so you can tweak them. At this point you’re on your own.
|
Instead, it will copy all the configuration files and the transitive dependencies (Webpack, Babel, ESLint, etc) right into your project so you have full control over them. All of the commands except `eject` will still work, but they will point to the copied scripts so you can tweak them. At this point you’re on your own.
|
||||||
|
|
||||||
You don’t have to ever use `eject`. The curated feature set is suitable for small and middle deployments, and you shouldn’t feel obligated to use this feature. However we understand that this tool wouldn’t be useful if you couldn’t customize it when you are ready for it.
|
You don’t have to ever use `eject`. The curated feature set is suitable for small and middle deployments, and you shouldn’t feel obligated to use this feature. However we understand that this tool wouldn't be useful if you couldn't customize it when you are ready for it.
|
||||||
|
|
||||||
## Learn More
|
## Learn More
|
||||||
|
|
||||||
|
|
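Review bot: the apostrophe normalization in this hunk is inconsistent: `aren’t` becomes `aren't`, and `wouldn’t`/`couldn’t` become straight quotes, but `can’t` on the Note line and `you’re`, `don’t` and `shouldn’t` in the same paragraphs keep the curly form. Either convert all of them or none; a mix within one paragraph makes later text searches unreliable.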