RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into feat-settings-ui

feat-otp-verification
James Elliott 2023-02-11 21:49:42 +11:00
parent 852dc808bd 2888ee7f41
commit 8c057f65a5
No known key found for this signature in database
GPG Key ID: 0F1C4A096E857E49
72 changed files with 556 additions and 534 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -25,3 +25,5 @@ authelia-image-dev.tar
/authelia
__debug_bin
internal/suites/common/pki/ca/ca.private.pem

2
Dockerfile
View File

@ -1,7 +1,7 @@
# ===================================
# ===== Authelia official image =====
# ===================================
FROM alpine:3.17.1
FROM alpine:3.17.2
ARG TARGETOS
ARG TARGETARCH

2
Dockerfile.coverage
View File

@ -46,7 +46,7 @@ RUN \
# ===================================
# ===== Authelia official image =====
# ===================================
FROM alpine:3.17.1
FROM alpine:3.17.2
RUN apk --no-cache add ca-certificates tzdata

2
Dockerfile.dev
View File

@ -43,7 +43,7 @@ RUN \
# ===================================
# ===== Authelia official image =====
# ===================================
FROM alpine:3.17.1
FROM alpine:3.17.2
WORKDIR /app

4
internal/commands/const.go
View File

@ -772,3 +772,7 @@ Layouts:
ANSIC: Mon Jan _2 15:04:05 2006
Date: 2006-01-02`
)
const (
fmtLogServerListening = "Server is listening for %s connections on '%s' path '%s'"
)

10
internal/commands/context.go
View File

@ -9,7 +9,6 @@ import (
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"golang.org/x/sync/errgroup"
"github.com/authelia/authelia/v4/internal/authentication"
"github.com/authelia/authelia/v4/internal/authorization"
@ -35,14 +34,8 @@ import (
func NewCmdCtx() *CmdCtx {
ctx := context.Background()
ctx, cancel := context.WithCancel(ctx)
group, ctx := errgroup.WithContext(ctx)
return &CmdCtx{
Context: ctx,
cancel: cancel,
group: group,
log: logging.Logger(),
providers: middlewares.Providers{
Random: &random.Cryptographical{},
@ -55,9 +48,6 @@ func NewCmdCtx() *CmdCtx {
type CmdCtx struct {
context.Context
cancel context.CancelFunc
group *errgroup.Group
log *logrus.Logger
config *schema.Configuration

194
internal/commands/root.go
View File

@ -2,21 +2,13 @@ package commands
import (
"fmt"
"net"
"os"
"os/signal"
"path/filepath"
"strings"
"syscall"
"github.com/fsnotify/fsnotify"
"github.com/spf13/cobra"
"github.com/valyala/fasthttp"
"github.com/authelia/authelia/v4/internal/authentication"
"github.com/authelia/authelia/v4/internal/logging"
"github.com/authelia/authelia/v4/internal/model"
"github.com/authelia/authelia/v4/internal/server"
"github.com/authelia/authelia/v4/internal/utils"
)
@ -95,195 +87,11 @@ func (ctx *CmdCtx) RootRunE(_ *cobra.Command, _ []string) (err error) {
ctx.cconfig = nil
runServices(ctx)
servicesRun(ctx)
return nil
}
//nolint:gocyclo // Complexity is required in this function.
func runServices(ctx *CmdCtx) {
defer ctx.cancel()
quit := make(chan os.Signal, 1)
signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
defer signal.Stop(quit)
var (
mainServer, metricsServer *fasthttp.Server
mainListener, metricsListener net.Listener
)
ctx.group.Go(func() (err error) {
defer func() {
if r := recover(); r != nil {
ctx.log.WithError(recoverErr(r)).Errorf("Server (main) critical error caught (recovered)")
}
}()
if mainServer, mainListener, err = server.CreateDefaultServer(*ctx.config, ctx.providers); err != nil {
ctx.log.WithError(err).Error("Create Server (main) returned error")
return err
}
if err = mainServer.Serve(mainListener); err != nil {
ctx.log.WithError(err).Error("Server (main) returned error")
return err
}
return nil
})
ctx.group.Go(func() (err error) {
if ctx.providers.Metrics == nil {
return nil
}
defer func() {
if r := recover(); r != nil {
ctx.log.WithError(recoverErr(r)).Errorf("Server (metrics) critical error caught (recovered)")
}
}()
if metricsServer, metricsListener, err = server.CreateMetricsServer(ctx.config.Telemetry.Metrics); err != nil {
ctx.log.WithError(err).Error("Create Server (metrics) returned error")
return err
}
if err = metricsServer.Serve(metricsListener); err != nil {
ctx.log.WithError(err).Error("Server (metrics) returned error")
return err
}
return nil
})
if ctx.config.AuthenticationBackend.File != nil && ctx.config.AuthenticationBackend.File.Watch {
provider := ctx.providers.UserProvider.(*authentication.FileUserProvider)
if watcher, err := runServiceFileWatcher(ctx, ctx.config.AuthenticationBackend.File.Path, provider); err != nil {
ctx.log.WithError(err).Errorf("File Watcher (user database) start returned error")
} else {
defer func(watcher *fsnotify.Watcher) {
if err := watcher.Close(); err != nil {
ctx.log.WithError(err).Errorf("File Watcher (user database) close returned error")
}
}(watcher)
}
}
select {
case s := <-quit:
switch s {
case syscall.SIGINT:
ctx.log.Debugf("Shutdown started due to SIGINT")
case syscall.SIGQUIT:
ctx.log.Debugf("Shutdown started due to SIGQUIT")
}
case <-ctx.Done():
ctx.log.Debugf("Shutdown started due to context completion")
}
ctx.cancel()
ctx.log.Infof("Shutting down")
var err error
if mainServer != nil {
if err = mainServer.Shutdown(); err != nil {
ctx.log.WithError(err).Errorf("Error occurred shutting down the server")
}
}
if metricsServer != nil {
if err = metricsServer.Shutdown(); err != nil {
ctx.log.WithError(err).Errorf("Error occurred shutting down the metrics server")
}
}
if err = ctx.providers.StorageProvider.Close(); err != nil {
ctx.log.WithError(err).Errorf("Error occurred closing the database connection")
}
if err = ctx.group.Wait(); err != nil {
ctx.log.WithError(err).Errorf("Error occurred waiting for shutdown")
}
}
type ReloadFilter func(path string) (skipped bool)
type ProviderReload interface {
Reload() (reloaded bool, err error)
}
func runServiceFileWatcher(ctx *CmdCtx, path string, reload ProviderReload) (watcher *fsnotify.Watcher, err error) {
if watcher, err = fsnotify.NewWatcher(); err != nil {
return nil, err
}
failed := make(chan struct{})
var directory, filename string
if path != "" {
directory, filename = filepath.Dir(path), filepath.Base(path)
}
ctx.group.Go(func() error {
for {
select {
case <-failed:
return nil
case event, ok := <-watcher.Events:
if !ok {
return nil
}
if filename != filepath.Base(event.Name) {
ctx.log.WithField("file", event.Name).WithField("op", event.Op).Tracef("File modification detected to irrelevant file")
break
}
switch {
case event.Op&fsnotify.Write == fsnotify.Write, event.Op&fsnotify.Create == fsnotify.Create:
ctx.log.WithField("file", event.Name).WithField("op", event.Op).Debug("File modification detected")
switch reloaded, err := reload.Reload(); {
case err != nil:
ctx.log.WithField("file", event.Name).WithField("op", event.Op).WithError(err).Error("Error occurred reloading file")
case reloaded:
ctx.log.WithField("file", event.Name).Info("Reloaded file successfully")
default:
ctx.log.WithField("file", event.Name).Debug("Reload of file was triggered but it was skipped")
}
case event.Op&fsnotify.Remove == fsnotify.Remove:
ctx.log.WithField("file", event.Name).WithField("op", event.Op).Debug("Remove of file was detected")
}
case err, ok := <-watcher.Errors:
if !ok {
return nil
}
ctx.log.WithError(err).Errorf("Error while watching files")
}
}
})
if err := watcher.Add(directory); err != nil {
failed <- struct{}{}
return nil, err
}
ctx.log.WithField("directory", directory).WithField("file", filename).Debug("Directory is being watched for changes to the file")
return watcher, nil
}
func doStartupChecks(ctx *CmdCtx) {
var (
failures []string

311
internal/commands/services.go 100644
View File

@ -0,0 +1,311 @@
package commands
import (
"context"
"fmt"
"net"
"os"
"os/signal"
"path/filepath"
"strings"
"sync"
"syscall"
"github.com/fsnotify/fsnotify"
"github.com/sirupsen/logrus"
"github.com/valyala/fasthttp"
"golang.org/x/sync/errgroup"
"github.com/authelia/authelia/v4/internal/authentication"
"github.com/authelia/authelia/v4/internal/server"
)
// NewServerService creates a new ServerService with the appropriate logger etc.
func NewServerService(name string, server *fasthttp.Server, listener net.Listener, paths []string, isTLS bool, log *logrus.Logger) (service *ServerService) {
return &ServerService{
server: server,
listener: listener,
paths: paths,
isTLS: isTLS,
log: log.WithFields(map[string]any{"service": "server", "server": name}),
}
}
// NewFileWatcherService creates a new FileWatcherService with the appropriate logger etc.
func NewFileWatcherService(name, path string, reload ProviderReload, log *logrus.Logger) (service *FileWatcherService, err error) {
if path == "" {
return nil, fmt.Errorf("path must be specified")
}
var info os.FileInfo
if info, err = os.Stat(path); err != nil {
return nil, fmt.Errorf("error stating file '%s': %w", path, err)
}
if path, err = filepath.Abs(path); err != nil {
return nil, fmt.Errorf("error determining absolute path of file '%s': %w", path, err)
}
var watcher *fsnotify.Watcher
if watcher, err = fsnotify.NewWatcher(); err != nil {
return nil, err
}
entry := log.WithFields(map[string]any{"service": "watcher", "watcher": name})
if info.IsDir() {
service = &FileWatcherService{
watcher: watcher,
reload: reload,
log: entry,
directory: filepath.Clean(path),
}
} else {
service = &FileWatcherService{
watcher: watcher,
reload: reload,
log: entry,
directory: filepath.Dir(path),
file: filepath.Base(path),
}
}
if err = service.watcher.Add(service.directory); err != nil {
return nil, fmt.Errorf("failed to add path '%s' to watch list: %w", path, err)
}
return service, nil
}
// ProviderReload represents the required methods to support reloading a provider.
type ProviderReload interface {
Reload() (reloaded bool, err error)
}
// Service represents the required methods to support handling a service.
type Service interface {
Run() (err error)
Shutdown()
}
// ServerService is a Service which runs a webserver.
type ServerService struct {
server *fasthttp.Server
paths []string
isTLS bool
listener net.Listener
log *logrus.Entry
}
// Run the ServerService.
func (service *ServerService) Run() (err error) {
defer func() {
if r := recover(); r != nil {
service.log.WithError(recoverErr(r)).Error("Critical error caught (recovered)")
}
}()
service.log.Infof(fmtLogServerListening, connectionType(service.isTLS), service.listener.Addr().String(), strings.Join(service.paths, "' and '"))
if err = service.server.Serve(service.listener); err != nil {
service.log.WithError(err).Error("Error returned attempting to serve requests")
return err
}
return nil
}
// Shutdown the ServerService.
func (service *ServerService) Shutdown() {
if err := service.server.Shutdown(); err != nil {
service.log.WithError(err).Error("Error occurred during shutdown")
}
}
// FileWatcherService is a Service that watches files for changes.
type FileWatcherService struct {
watcher *fsnotify.Watcher
reload ProviderReload
log *logrus.Entry
file string
directory string
}
// Run the FileWatcherService.
func (service *FileWatcherService) Run() (err error) {
defer func() {
if r := recover(); r != nil {
service.log.WithError(recoverErr(r)).Error("Critical error caught (recovered)")
}
}()
service.log.WithField("file", filepath.Join(service.directory, service.file)).Info("Watching for file changes to the file")
for {
select {
case event, ok := <-service.watcher.Events:
if !ok {
return nil
}
if service.file != "" && service.file != filepath.Base(event.Name) {
service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).Tracef("File modification detected to irrelevant file")
break
}
switch {
case event.Op&fsnotify.Write == fsnotify.Write, event.Op&fsnotify.Create == fsnotify.Create:
service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).Debug("File modification was detected")
var reloaded bool
switch reloaded, err = service.reload.Reload(); {
case err != nil:
service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).WithError(err).Error("Error occurred during reload")
case reloaded:
service.log.WithField("file", event.Name).Info("Reloaded successfully")
default:
service.log.WithField("file", event.Name).Debug("Reload of was triggered but it was skipped")
}
case event.Op&fsnotify.Remove == fsnotify.Remove:
service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).Debug("File remove was detected")
}
case err, ok := <-service.watcher.Errors:
if !ok {
return nil
}
service.log.WithError(err).Errorf("Error while watching files")
}
}
}
// Shutdown the FileWatcherService.
func (service *FileWatcherService) Shutdown() {
if err := service.watcher.Close(); err != nil {
service.log.WithError(err).Error("Error occurred during shutdown")
}
}
func svcSvrMainFunc(ctx *CmdCtx) (service Service) {
switch svr, listener, paths, isTLS, err := server.CreateDefaultServer(ctx.config, ctx.providers); {
case err != nil:
ctx.log.WithError(err).Fatal("Create Server Service (main) returned error")
case svr != nil && listener != nil:
service = NewServerService("main", svr, listener, paths, isTLS, ctx.log)
default:
ctx.log.Fatal("Create Server Service (main) failed")
}
return service
}
func svcSvrMetricsFunc(ctx *CmdCtx) (service Service) {
switch svr, listener, paths, isTLS, err := server.CreateMetricsServer(ctx.config, ctx.providers); {
case err != nil:
ctx.log.WithError(err).Fatal("Create Server Service (metrics) returned error")
case svr != nil && listener != nil:
service = NewServerService("metrics", svr, listener, paths, isTLS, ctx.log)
default:
ctx.log.Debug("Create Server Service (metrics) skipped")
}
return service
}
func svcWatcherUsersFunc(ctx *CmdCtx) (service Service) {
var err error
if ctx.config.AuthenticationBackend.File != nil && ctx.config.AuthenticationBackend.File.Watch {
provider := ctx.providers.UserProvider.(*authentication.FileUserProvider)
if service, err = NewFileWatcherService("users", ctx.config.AuthenticationBackend.File.Path, provider, ctx.log); err != nil {
ctx.log.WithError(err).Fatal("Create Watcher Service (users) returned error")
}
}
return service
}
func connectionType(isTLS bool) string {
if isTLS {
return "TLS"
}
return "non-TLS"
}
func servicesRun(ctx *CmdCtx) {
cctx, cancel := context.WithCancel(ctx)
group, cctx := errgroup.WithContext(cctx)
defer cancel()
quit := make(chan os.Signal, 1)
signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
defer signal.Stop(quit)
var (
services []Service
)
for _, serviceFunc := range []func(ctx *CmdCtx) Service{
svcSvrMainFunc, svcSvrMetricsFunc,
svcWatcherUsersFunc,
} {
if service := serviceFunc(ctx); service != nil {
services = append(services, service)
group.Go(service.Run)
}
}
ctx.log.Info("Startup Complete")
select {
case s := <-quit:
switch s {
case syscall.SIGINT:
ctx.log.WithField("signal", "SIGINT").Debugf("Shutdown started due to signal")
case syscall.SIGTERM:
ctx.log.WithField("signal", "SIGTERM").Debugf("Shutdown started due to signal")
}
case <-cctx.Done():
ctx.log.Debugf("Shutdown started due to context completion")
}
cancel()
ctx.log.Infof("Shutting down")
wgShutdown := &sync.WaitGroup{}
for _, service := range services {
go func() {
service.Shutdown()
wgShutdown.Done()
}()
wgShutdown.Add(1)
}
wgShutdown.Wait()
var err error
if err = ctx.providers.StorageProvider.Close(); err != nil {
ctx.log.WithError(err).Error("Error occurred closing database connections")
}
if err = group.Wait(); err != nil {
ctx.log.WithError(err).Errorf("Error occurred waiting for shutdown")
}
}

9
internal/server/const.go
View File

@ -83,12 +83,3 @@ const (
tmplCSPSwaggerNonce = "default-src 'self'; img-src 'self' https://validator.swagger.io data:; object-src 'none'; script-src 'self' 'unsafe-inline' 'nonce-%s'; style-src 'self' 'nonce-%s'; base-uri 'self'"
tmplCSPSwagger = "default-src 'self'; img-src 'self' https://validator.swagger.io data:; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; base-uri 'self'"
)
const (
connNonTLS = "non-TLS"
connTLS = "TLS"
)
const (
fmtLogServerInit = "Initializing %s for %s connections on '%s' path '%s'"
)

16
internal/server/handlers.go
View File

@ -92,10 +92,10 @@ func handleNotFound(next fasthttp.RequestHandler) fasthttp.RequestHandler {
}
//nolint:gocyclo
func handleRouter(config schema.Configuration, providers middlewares.Providers) fasthttp.RequestHandler {
func handleRouter(config *schema.Configuration, providers middlewares.Providers) fasthttp.RequestHandler {
log := logging.Logger()
optsTemplatedFile := NewTemplatedFileOptions(&config)
optsTemplatedFile := NewTemplatedFileOptions(config)
serveIndexHandler := ServeTemplatedFile(providers.Templates.GetAssetIndexTemplate(), optsTemplatedFile)
serveOpenAPIHandler := ServeTemplatedOpenAPI(providers.Templates.GetAssetOpenAPIIndexTemplate(), optsTemplatedFile)
@ -104,7 +104,7 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers)
handlerPublicHTML := newPublicHTMLEmbeddedHandler()
handlerLocales := newLocalesEmbeddedHandler()
bridge := middlewares.NewBridgeBuilder(config, providers).
bridge := middlewares.NewBridgeBuilder(*config, providers).
WithPreMiddlewares(middlewares.SecurityHeaders).Build()
policyCORSPublicGET := middlewares.NewCORSPolicyBuilder().
@ -141,16 +141,16 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers)
r.GET("/api/"+file, handlerPublicHTML)
}
middlewareAPI := middlewares.NewBridgeBuilder(config, providers).
middlewareAPI := middlewares.NewBridgeBuilder(*config, providers).
WithPreMiddlewares(middlewares.SecurityHeaders, middlewares.SecurityHeadersNoStore, middlewares.SecurityHeadersCSPNone).
Build()
middleware1FA := middlewares.NewBridgeBuilder(config, providers).
middleware1FA := middlewares.NewBridgeBuilder(*config, providers).
WithPreMiddlewares(middlewares.SecurityHeaders, middlewares.SecurityHeadersNoStore, middlewares.SecurityHeadersCSPNone).
WithPostMiddlewares(middlewares.Require1FA).
Build()
middleware2FA := middlewares.NewBridgeBuilder(config, providers).
middleware2FA := middlewares.NewBridgeBuilder(*config, providers).
WithPreMiddlewares(middlewares.SecurityHeaders, middlewares.SecurityHeadersNoStore, middlewares.SecurityHeadersCSPNone).
WithPostMiddlewares(middlewares.Require2FAWithAPIResponse).
Build()
@ -167,7 +167,7 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers)
for name, endpoint := range config.Server.Endpoints.Authz {
uri := path.Join(pathAuthz, name)
authz := handlers.NewAuthzBuilder().WithConfig(&config).WithEndpointConfig(endpoint).Build()
authz := handlers.NewAuthzBuilder().WithConfig(config).WithEndpointConfig(endpoint).Build()
handler := middlewares.Wrap(metricsVRMW, bridge(authz.Handler))
@ -275,7 +275,7 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers)
}
if providers.OpenIDConnect != nil {
bridgeOIDC := middlewares.NewBridgeBuilder(config, providers).WithPreMiddlewares(
bridgeOIDC := middlewares.NewBridgeBuilder(*config, providers).WithPreMiddlewares(
middlewares.SecurityHeaders, middlewares.SecurityHeadersCSPNoneOpenIDConnect, middlewares.SecurityHeadersNoStore,
).Build()

48
internal/server/server.go
View File

@ -7,7 +7,6 @@ import (
"net"
"os"
"strconv"
"strings"
"github.com/sirupsen/logrus"
"github.com/valyala/fasthttp"
@ -18,9 +17,9 @@ import (
)
// CreateDefaultServer Create Authelia's internal webserver with the given configuration and providers.
func CreateDefaultServer(config schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, err error) {
func CreateDefaultServer(config *schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, paths []string, isTLS bool, err error) {
if err = providers.Templates.LoadTemplatedAssets(assets); err != nil {
return nil, nil, fmt.Errorf("failed to load templated assets: %w", err)
return nil, nil, nil, false, fmt.Errorf("failed to load templated assets: %w", err)
}
server = &fasthttp.Server{
@ -38,15 +37,14 @@ func CreateDefaultServer(config schema.Configuration, providers middlewares.Prov
address := net.JoinHostPort(config.Server.Host, strconv.Itoa(config.Server.Port))
var (
connectionType string
connectionScheme string
)
if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" {
connectionType, connectionScheme = connTLS, schemeHTTPS
isTLS, connectionScheme = true, schemeHTTPS
if err = server.AppendCert(config.Server.TLS.Certificate, config.Server.TLS.Key); err != nil {
return nil, nil, fmt.Errorf("unable to load tls server certificate '%s' or private key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)
return nil, nil, nil, false, fmt.Errorf("unable to load tls server certificate '%s' or private key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)
}
if len(config.Server.TLS.ClientCertificates) > 0 {
@ -56,7 +54,7 @@ func CreateDefaultServer(config schema.Configuration, providers middlewares.Prov
for _, path := range config.Server.TLS.ClientCertificates {
if cert, err = os.ReadFile(path); err != nil {
return nil, nil, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)
return nil, nil, nil, false, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)
}
caCertPool.AppendCertsFromPEM(cert)
@ -69,51 +67,51 @@ func CreateDefaultServer(config schema.Configuration, providers middlewares.Prov
}
if listener, err = tls.Listen("tcp", address, server.TLSConfig.Clone()); err != nil {
return nil, nil, fmt.Errorf("unable to initialize tcp listener: %w", err)
return nil, nil, nil, false, fmt.Errorf("unable to initialize tcp listener: %w", err)
}
} else {
connectionType, connectionScheme = connNonTLS, schemeHTTP
connectionScheme = schemeHTTP
if listener, err = net.Listen("tcp", address); err != nil {
return nil, nil, fmt.Errorf("unable to initialize tcp listener: %w", err)
return nil, nil, nil, false, fmt.Errorf("unable to initialize tcp listener: %w", err)
}
}
if err = writeHealthCheckEnv(config.Server.DisableHealthcheck, connectionScheme, config.Server.Host,
config.Server.Path, config.Server.Port); err != nil {
return nil, nil, fmt.Errorf("unable to configure healthcheck: %w", err)
return nil, nil, nil, false, fmt.Errorf("unable to configure healthcheck: %w", err)
}
paths := []string{"/"}
paths = []string{"/"}
if config.Server.Path != "" {
paths = append(paths, config.Server.Path)
}
logging.Logger().Infof(fmtLogServerInit, "server", connectionType, listener.Addr().String(), strings.Join(paths, "' and '"))
return server, listener, nil
return server, listener, paths, isTLS, nil
}
// CreateMetricsServer creates a metrics server.
func CreateMetricsServer(config schema.TelemetryMetricsConfig) (server *fasthttp.Server, listener net.Listener, err error) {
if listener, err = config.Address.Listener(); err != nil {
return nil, nil, err
func CreateMetricsServer(config *schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, paths []string, tls bool, err error) {
if providers.Metrics == nil {
return
}
server = &fasthttp.Server{
ErrorHandler: handleError(),
NoDefaultServerHeader: true,
Handler: handleMetrics(),
ReadBufferSize: config.Buffers.Read,
WriteBufferSize: config.Buffers.Write,
ReadTimeout: config.Timeouts.Read,
WriteTimeout: config.Timeouts.Write,
IdleTimeout: config.Timeouts.Idle,
ReadBufferSize: config.Telemetry.Metrics.Buffers.Read,
WriteBufferSize: config.Telemetry.Metrics.Buffers.Write,
ReadTimeout: config.Telemetry.Metrics.Timeouts.Read,
WriteTimeout: config.Telemetry.Metrics.Timeouts.Write,
IdleTimeout: config.Telemetry.Metrics.Timeouts.Idle,
Logger: logging.LoggerPrintf(logrus.DebugLevel),
}
logging.Logger().Infof(fmtLogServerInit, "server (metrics)", connNonTLS, listener.Addr().String(), "/metrics")
if listener, err = config.Telemetry.Metrics.Address.Listener(); err != nil {
return nil, nil, nil, false, err
}
return server, listener, nil
return server, listener, []string{"/metrics"}, false, nil
}

2
internal/server/server_test.go
View File

@ -152,7 +152,7 @@ func NewTLSServerContext(configuration schema.Configuration) (serverContext *TLS
return nil, err
}
s, listener, err := CreateDefaultServer(configuration, providers)
s, listener, _, _, err := CreateDefaultServer(&configuration, providers)
if err != nil {
return nil, err

4
internal/suites/ActiveDirectory/configuration.yml
View File

@ -10,8 +10,8 @@ default_redirection_url: https://home.example.com:8080/
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/ActiveDirectory/docker-compose.yml
View File

@ -4,5 +4,5 @@ services:
authelia-backend:
volumes:
- './ActiveDirectory/configuration.yml:/config/configuration.yml:ro'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/BypassAll/configuration.yml
View File

@ -6,8 +6,8 @@
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/BypassAll/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './BypassAll/configuration.yml:/config/configuration.yml:ro'
- './BypassAll/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/CLI/configuration.yml
View File

@ -6,8 +6,8 @@
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/CLI/docker-compose.yml
View File

@ -6,7 +6,7 @@ services:
- './CLI/configuration.yml:/config/configuration.yml:ro'
- './CLI/storage.yml:/config/configuration.storage.yml:ro'
- './CLI/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
- '/tmp:/tmp'
user: ${USER_ID}:${GROUP_ID}
...

4
internal/suites/Caddy/configuration.yml
View File

@ -9,8 +9,8 @@ server:
port: 9091
asset_path: /config/assets/
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
endpoints:
authz:
caddy:

2
internal/suites/Caddy/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './Caddy/configuration.yml:/config/configuration.yml:ro'
- './Caddy/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/Docker/configuration.yml
View File

@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/Docker/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './Docker/configuration.yml:/config/configuration.yml:ro'
- './Docker/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/DuoPush/configuration.yml
View File

@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: trace

2
internal/suites/DuoPush/docker-compose.yml
View File

@ -5,7 +5,7 @@ services:
volumes:
- './DuoPush/configuration.yml:/config/configuration.yml:ro'
- './DuoPush/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
- '/tmp:/tmp'
user: ${USER_ID}:${GROUP_ID}
...

4
internal/suites/Envoy/configuration.yml
View File

@ -9,8 +9,8 @@ server:
port: 9091
asset_path: /config/assets/
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
endpoints:
authz:
ext-authz:

2
internal/suites/Envoy/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './Envoy/configuration.yml:/config/configuration.yml:ro'
- './Envoy/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/HAProxy/configuration.yml
View File

@ -8,8 +8,8 @@ jwt_secret: unsecure_secret
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/HAProxy/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './HAProxy/configuration.yml:/config/configuration.yml:ro'
- './HAProxy/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/HighAvailability/configuration.yml
View File

@ -8,8 +8,8 @@ jwt_secret: unsecure_secret
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/HighAvailability/docker-compose.yml
View File

@ -4,5 +4,5 @@ services:
authelia-backend:
volumes:
- './HighAvailability/configuration.yml:/config/configuration.yml:ro'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/LDAP/configuration.yml
View File

@ -10,8 +10,8 @@ default_redirection_url: https://home.example.com:8080/
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/LDAP/docker-compose.yml
View File

@ -4,5 +4,5 @@ services:
authelia-backend:
volumes:
- './LDAP/configuration.yml:/config/configuration.yml:ro'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/MariaDB/configuration.yml
View File

@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/MariaDB/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './MariaDB/configuration.yml:/config/configuration.yml:ro'
- './MariaDB/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/MultiCookieDomain/configuration.yml
View File

@ -9,8 +9,8 @@ theme: auto
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
telemetry:
metrics:

2
internal/suites/MultiCookieDomain/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './MultiCookieDomain/configuration.yml:/config/configuration.yml:ro'
- './MultiCookieDomain/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/MySQL/configuration.yml
View File

@ -6,8 +6,8 @@
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/MySQL/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './MySQL/configuration.yml:/config/configuration.yml:ro'
- './MySQL/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/NetworkACL/configuration.yml
View File

@ -6,8 +6,8 @@
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/NetworkACL/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './NetworkACL/configuration.yml:/config/configuration.yml:ro'
- './NetworkACL/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

70
internal/suites/OIDC/configuration.yml
View File

@ -2,8 +2,8 @@
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug
@ -64,72 +64,6 @@ identity_providers:
oidc:
enable_client_debug_messages: true
hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm
issuer_certificate_chain: |
-----BEGIN CERTIFICATE-----
MIIC6DCCAdCgAwIBAgIRAIxvm0gFgsbh3D22rSZLuFQwDQYJKoZIhvcNAQELBQAw
EzERMA8GA1UEChMIQXV0aGVsaWEwIBcNMjIxMDAyMDAzMDQyWhgPMjEyMjA5MDgw
MDMwNDJaMBMxETAPBgNVBAoTCEF1dGhlbGlhMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd
UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE
5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0
01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa
7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3
t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABozUwMzAOBgNVHQ8BAf8E
BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG
9w0BAQsFAAOCAQEAaZJ09yGa+DGr/iTqshGdPKNCtcf/CXCkL52xiI7DzLxDt30P
8vCuXXrrTGBY7eWYupcNy/MyqaUrz1ED+map3nQzZQBJ9vWIfr01B9phkg/WSaNJ
1DlYtbPYzr86BlGP1V5d3Wv6JqF3tkWHI0kI38CT68fWdDKrfa5j3JdZGIVJW+51
U0IE3Nqhfc76YzwQ3sNX5FT2Fr55RowH+l5OBPk0Bcztq58XmyPR/bvPfDASt8iS
DBT+0iiDiwk6LvOkasL8p7nuh5Grc9LMEYXY/QMUbkIWhIVRFlqyJA9s8vGHx1D4
96iYKudj+yvO17Szzr/NNmcwETbCs4j6P6QeiA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDBTCCAe2gAwIBAgIQAK/NIAl3Bdg4Xk0y/ZGL7jANBgkqhkiG9w0BAQsFADAT
MREwDwYDVQQKEwhBdXRoZWxpYTAgFw0yMjEwMDIwMDMwMjFaGA8yMTIyMDkwODAw
MzAyMVowEzERMA8GA1UEChMIQXV0aGVsaWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCg7jdO1HmydfkPzTtz57pvAS3YOdBT0hlNjJ4N2lrKhNnixrzK
+4R1dWQDP2SHbZQ0TskF8eQ8HhTr7AsApotTthJFkUgV2g+bv7wVroz0Hok5xtd4
bnpOvG3YUCP13Nk3ZVxdQXqR3/G3MrbyiXVPcgU+0giJ8EBykbtMu8L79/1iyk+m
w4fZfzTOeorRgspO3z3+pTAib2MCTA7bby1dX9qI/ysFPLdbJYfNQDxij8SzNLyJ
EkQ4kh3jKXf1VcZjbQTtYTZ3JJDqM08OxGMKuXUxPHd72Xlb+Fzql8LjYdEy/YKA
3r8FMf14lzcjvxtLnFXh//hiXh4+xgXMkrLZAgMBAAGjUzBRMA4GA1UdDwEB/wQE
AwICpDAPBgNVHSUECDAGBgRVHSUAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
FGKpXiZA+8VQyMBqTTep+dVTthSbMA0GCSqGSIb3DQEBCwUAA4IBAQAE4DJg+Rb4
iiocvxxQ85lhh94ql++E8MKuzIdN7ORs+ybUnsDD1WFDebubroTQuTSBkFrNuGNJ
8B7NZsHiWWLvNsrnxxeC5CicqfhSDti0rKWsbGyeoq7Kqok5E4pwOzeRsxL2e/Hm
G6LsUQuQMUG2vxKNynqmJS4VpgSVkiGhUfURFuRRDuRpVQ/XTl7jDIGf/ls7TAZq
1AnmnSi4Cqy4hrTnwYUYkFCcH69onUKAoaVNl1eAH7ogxakz32WyWObY98NBrjzA
I6VQlaQNSHtdFqDpu7NWJZZZSgN4BknbMYQEPNYCm701cPB4ahJbpg5C3pVPFSql
Bc9iI6nN3PCr
-----END CERTIFICATE-----
issuer_private_key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd
UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE
5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0
01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa
7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3
t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABAoIBAA/EhhM8bRQqzo5t
lBFNaELNu8kCRD/iV9tzj8BzqVt+2JW9qG8bYn9K5Po1HCglFfyjIVOE7cAqIJGX
1a59x8PCuXDkfPolm6TLkZnXeta5u2K2MoLwN+M1aio5AvSGGTUkD8tr/KX8SQwQ
2ZZFaML0xcBadF7U8jEey4NRlSp5/voiIAB+FrJHepZBz2XJYCX5s2vYLPMn+51R
1HyO0n2aQ9H1Na8aBjTfAp9GDKJWBV3bSM7cVaLGlMFj/HNXUNVnSsVsJj0tdWKz
K6r9zPskLnS+eNjCgqrOtZSqJ7M3PL0/PoTFPrr1Fevr+soKWCaPF94Ib94O9SEq
scvP3kECgYEA0HBdGab0HjcZgFtsIaMm+eBcDhUmUrvMPUw6FmspKnc8wplscONW
wrDGhR0dpT8+aAMD5jFC2pvyHjI5AWkW+53LB15j6SVzUlUMfS3VTwE2prLtDHDs
nCDW2+fXY2kjv45efZGpMGbLJVePx2RCPzUlAlc14lzxnHgpo7eho1cCgYEA+jpi
Eo/Jqa5CNd4hrXqFxZTFtU2Mn38ZKI3QK/l47/347yHLebjsYIIwJRoHenxWxNlz
Y+BZ38vkP+f9BGAVGiRcyMmIJU0X305wKwl26Y2Q/tEm2OpwmDboD2pL9byi9vfY
bz7pQGK/l9j86KofRwVJJRLsofPI1SsjnC8c448CgYAkpg0IjJ1RjriSJADwLSKW
PseQxlE1rMVtZbC07mSPjeWGBbnWY3KGytQs5YCn5GXRne4alEC/9Tlt68CwKc0b
spPXGNaSUL5lFIUcoWlm+bylNMKPNG+1x+RfR/VMCll5vcuJYooP85L2Xt3t3gfz
2yFFtxXHVjY5H7uaiJgIAwKBgQDvkGXEj5TqtsL8/6YOiHb6Kuz+Hzi6mtxjTyI2
d6mpWuWxTBGaf8kOvJWLb9gpFFGeNPGcdXaWJIZqCJjcT4Dkflu2f/uwepaYXGhX
S8Bk6fwfee5PTmRt1mNmHsaKhgcfmznDh9+YnPIBVuULe5RmUlEtBWk3xEZKj/qP
1Ss7UQKBgAwZQz+h5Z/XOJH3Qs5nJBKAZUiYkj3ux7G6tjx0cz7XcUYd/6enBpkY
JeqVHB6G+bMRLwb+Hc5Vgpbd5GdaUWo8udaghHgSGPUVcn0lK38XhYek6ACGz7Lo
xEfgtKoBlUq+uPb8H05HY0t9KybA3LA5wkRYYnJ17/nkZtrrJAmX
-----END RSA PRIVATE KEY-----
clients:
- id: oidc-tester-app
secret: foobar

6
internal/suites/OIDC/docker-compose.yml
View File

@ -2,9 +2,11 @@
version: '3'
services:
authelia-backend:
environment:
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.bundle.crt
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem
volumes:
- './OIDC/configuration.yml:/config/configuration.yml:ro'
- './OIDC/users.yml:/config/users.yml'
- './OIDC/keypair/key.pem:/config/issuer.pem:ro'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

27
internal/suites/OIDC/keypair/key.pem
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvOFmoEJFt1JkfdlwM3vJFg5rrY9d6LyyqezjZkBZDQ4qdEEU
dCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3r0ugjJXjhvJdBSaoLlzL3saeyrXk
frOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy7Wzq0y7XxGeNidEmFjMAf9dwf6/+
PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5Z9iqn4LRXnAFnC438hZZKZU/+JxU
2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4TLjVS/3h75sh2Wk0xVaSwjPEjCOgm
a+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4NwIDAQABAoIBADWkupXnXI99Ogc4
GxK0JF88Rz6qyhwQg5mZKthejCwWCt6roRiBF33O933KOHa+OljMAqHDCv1pzjgw
BIz0mvaRPw7OfylTajHNUdShDFHADVc7I6MMcgz+eYBarhY5jCAjKHMOPjv7DSZs
OdYCKLvfxC2oTyV714n9uZhyccDcvQpkgZuBDL0oxPom1GOI8TGhPjxvFOovEHWA
Q8q9XY4cUVNDikZmvpgeUkJHWYHYb+11vKeSupnYD03yJ3sDy+F6+m+3/XmzFbXb
1p43ermHQsMfDlxPyulUUI0viSo2UhlMC/moAb9FusOv+dTl2lt0gGqzDJ9gg1z1
XpHRnwkCgYEA5x48dyxd4lydtVYef9sBmbLJEYozsYyOwLcnrLSNaZxeCza1exyR
QIRogswoLDacxrYvO8FY6LtAEMkisv732M29zthBPm5wyoSZiM1X2YfQXKsmyh2h
x1/yCWv/BQjj68A8IAxToaXxSG4WAr/X00RGUkXgkgw122FxcmGuFyUCgYEA0TcR
dnt/oRMK4aCZHcBgTknzDfxKlJh4S0C9WjxKgr8IlW4LTeVSBuuqOObOQYImEhtw
TRTKZIViL0roDF79cioQSp1Tk5h6uy8wr6VyhWRnWfTz2/azoTHnmQ780rtAuEI/
NvE6FiqwikJLjma1YJoRfr/bfmgMdxcYbJI1MSsCgYAEZ5Yda1IKu1siFpcUNrdM
F5UvaWPc0WHzGEqARxye06UTL6K7yuqVwTBAteVaGlxYiSZTTDcGkHMDHuIzaRqO
HjWs2IA90VsC8Q4ABnHTKnx1F6nwlin8I774IP/GN8ooNwyuS63YWdJEYBy5RrC1
TQrODJjgD62DFdNUq7nmpQKBgFMJEzI+Q+KPJ0NztTG8t7x61y/W0Vb2yM+9Syn0
QfJwlZyRR4VMHelHQZFB8dzIJgoLv9+n/8gztEtm5IB8dwUHst2aYaBz5UpDqYQd
Gz3cIrTuZpcH7DVvFCeIbknJLh+zk1lgFpjTqqvFMi27kANeQtFWnmwmKcRec0As
K1ZvAoGAV/3YB44/zIoB590+yhpx2HTmDPVHH+J+5O71Pi1D9W13ClBFLrE69wo+
IQLIstBI5tGOGeuQNjXhDKJ1U30xppZXcnebrkA+oOo+6dy20zghFR2maAGXfWFU
pM4GsSnSTm0bXPebVouQFqhj7LqcQQzCqRDThmw/Lp1tJUmu40g=
-----END RSA PRIVATE KEY-----

9
internal/suites/OIDC/keypair/key.pub
View File

@ -1,9 +0,0 @@
-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvOFmoEJFt1JkfdlwM3vJ
Fg5rrY9d6LyyqezjZkBZDQ4qdEEUdCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3
r0ugjJXjhvJdBSaoLlzL3saeyrXkfrOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy
7Wzq0y7XxGeNidEmFjMAf9dwf6/+PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5
Z9iqn4LRXnAFnC438hZZKZU/+JxU2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4T
LjVS/3h75sh2Wk0xVaSwjPEjCOgma+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4
NwIDAQAB
-----END RSA PUBLIC KEY-----

70
internal/suites/OIDCTraefik/configuration.yml
View File

@ -2,8 +2,8 @@
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug
@ -65,72 +65,6 @@ identity_providers:
oidc:
enable_client_debug_messages: true
hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm
issuer_certificate_chain: |
-----BEGIN CERTIFICATE-----
MIIC6DCCAdCgAwIBAgIRAIxvm0gFgsbh3D22rSZLuFQwDQYJKoZIhvcNAQELBQAw
EzERMA8GA1UEChMIQXV0aGVsaWEwIBcNMjIxMDAyMDAzMDQyWhgPMjEyMjA5MDgw
MDMwNDJaMBMxETAPBgNVBAoTCEF1dGhlbGlhMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd
UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE
5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0
01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa
7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3
t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABozUwMzAOBgNVHQ8BAf8E
BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG
9w0BAQsFAAOCAQEAaZJ09yGa+DGr/iTqshGdPKNCtcf/CXCkL52xiI7DzLxDt30P
8vCuXXrrTGBY7eWYupcNy/MyqaUrz1ED+map3nQzZQBJ9vWIfr01B9phkg/WSaNJ
1DlYtbPYzr86BlGP1V5d3Wv6JqF3tkWHI0kI38CT68fWdDKrfa5j3JdZGIVJW+51
U0IE3Nqhfc76YzwQ3sNX5FT2Fr55RowH+l5OBPk0Bcztq58XmyPR/bvPfDASt8iS
DBT+0iiDiwk6LvOkasL8p7nuh5Grc9LMEYXY/QMUbkIWhIVRFlqyJA9s8vGHx1D4
96iYKudj+yvO17Szzr/NNmcwETbCs4j6P6QeiA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDBTCCAe2gAwIBAgIQAK/NIAl3Bdg4Xk0y/ZGL7jANBgkqhkiG9w0BAQsFADAT
MREwDwYDVQQKEwhBdXRoZWxpYTAgFw0yMjEwMDIwMDMwMjFaGA8yMTIyMDkwODAw
MzAyMVowEzERMA8GA1UEChMIQXV0aGVsaWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCg7jdO1HmydfkPzTtz57pvAS3YOdBT0hlNjJ4N2lrKhNnixrzK
+4R1dWQDP2SHbZQ0TskF8eQ8HhTr7AsApotTthJFkUgV2g+bv7wVroz0Hok5xtd4
bnpOvG3YUCP13Nk3ZVxdQXqR3/G3MrbyiXVPcgU+0giJ8EBykbtMu8L79/1iyk+m
w4fZfzTOeorRgspO3z3+pTAib2MCTA7bby1dX9qI/ysFPLdbJYfNQDxij8SzNLyJ
EkQ4kh3jKXf1VcZjbQTtYTZ3JJDqM08OxGMKuXUxPHd72Xlb+Fzql8LjYdEy/YKA
3r8FMf14lzcjvxtLnFXh//hiXh4+xgXMkrLZAgMBAAGjUzBRMA4GA1UdDwEB/wQE
AwICpDAPBgNVHSUECDAGBgRVHSUAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
FGKpXiZA+8VQyMBqTTep+dVTthSbMA0GCSqGSIb3DQEBCwUAA4IBAQAE4DJg+Rb4
iiocvxxQ85lhh94ql++E8MKuzIdN7ORs+ybUnsDD1WFDebubroTQuTSBkFrNuGNJ
8B7NZsHiWWLvNsrnxxeC5CicqfhSDti0rKWsbGyeoq7Kqok5E4pwOzeRsxL2e/Hm
G6LsUQuQMUG2vxKNynqmJS4VpgSVkiGhUfURFuRRDuRpVQ/XTl7jDIGf/ls7TAZq
1AnmnSi4Cqy4hrTnwYUYkFCcH69onUKAoaVNl1eAH7ogxakz32WyWObY98NBrjzA
I6VQlaQNSHtdFqDpu7NWJZZZSgN4BknbMYQEPNYCm701cPB4ahJbpg5C3pVPFSql
Bc9iI6nN3PCr
-----END CERTIFICATE-----
issuer_private_key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd
UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE
5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0
01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa
7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3
t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABAoIBAA/EhhM8bRQqzo5t
lBFNaELNu8kCRD/iV9tzj8BzqVt+2JW9qG8bYn9K5Po1HCglFfyjIVOE7cAqIJGX
1a59x8PCuXDkfPolm6TLkZnXeta5u2K2MoLwN+M1aio5AvSGGTUkD8tr/KX8SQwQ
2ZZFaML0xcBadF7U8jEey4NRlSp5/voiIAB+FrJHepZBz2XJYCX5s2vYLPMn+51R
1HyO0n2aQ9H1Na8aBjTfAp9GDKJWBV3bSM7cVaLGlMFj/HNXUNVnSsVsJj0tdWKz
K6r9zPskLnS+eNjCgqrOtZSqJ7M3PL0/PoTFPrr1Fevr+soKWCaPF94Ib94O9SEq
scvP3kECgYEA0HBdGab0HjcZgFtsIaMm+eBcDhUmUrvMPUw6FmspKnc8wplscONW
wrDGhR0dpT8+aAMD5jFC2pvyHjI5AWkW+53LB15j6SVzUlUMfS3VTwE2prLtDHDs
nCDW2+fXY2kjv45efZGpMGbLJVePx2RCPzUlAlc14lzxnHgpo7eho1cCgYEA+jpi
Eo/Jqa5CNd4hrXqFxZTFtU2Mn38ZKI3QK/l47/347yHLebjsYIIwJRoHenxWxNlz
Y+BZ38vkP+f9BGAVGiRcyMmIJU0X305wKwl26Y2Q/tEm2OpwmDboD2pL9byi9vfY
bz7pQGK/l9j86KofRwVJJRLsofPI1SsjnC8c448CgYAkpg0IjJ1RjriSJADwLSKW
PseQxlE1rMVtZbC07mSPjeWGBbnWY3KGytQs5YCn5GXRne4alEC/9Tlt68CwKc0b
spPXGNaSUL5lFIUcoWlm+bylNMKPNG+1x+RfR/VMCll5vcuJYooP85L2Xt3t3gfz
2yFFtxXHVjY5H7uaiJgIAwKBgQDvkGXEj5TqtsL8/6YOiHb6Kuz+Hzi6mtxjTyI2
d6mpWuWxTBGaf8kOvJWLb9gpFFGeNPGcdXaWJIZqCJjcT4Dkflu2f/uwepaYXGhX
S8Bk6fwfee5PTmRt1mNmHsaKhgcfmznDh9+YnPIBVuULe5RmUlEtBWk3xEZKj/qP
1Ss7UQKBgAwZQz+h5Z/XOJH3Qs5nJBKAZUiYkj3ux7G6tjx0cz7XcUYd/6enBpkY
JeqVHB6G+bMRLwb+Hc5Vgpbd5GdaUWo8udaghHgSGPUVcn0lK38XhYek6ACGz7Lo
xEfgtKoBlUq+uPb8H05HY0t9KybA3LA5wkRYYnJ17/nkZtrrJAmX
-----END RSA PRIVATE KEY-----
clients:
- id: oidc-tester-app
secret: foobar

6
internal/suites/OIDCTraefik/docker-compose.yml
View File

@ -2,9 +2,11 @@
version: '3'
services:
authelia-backend:
environment:
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.bundle.crt
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem
volumes:
- './OIDCTraefik/configuration.yml:/config/configuration.yml:ro'
- './OIDCTraefik/users.yml:/config/users.yml'
- './OIDCTraefik/keypair/key.pem:/config/issuer.pem:ro'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

27
internal/suites/OIDCTraefik/keypair/key.pem
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvOFmoEJFt1JkfdlwM3vJFg5rrY9d6LyyqezjZkBZDQ4qdEEU
dCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3r0ugjJXjhvJdBSaoLlzL3saeyrXk
frOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy7Wzq0y7XxGeNidEmFjMAf9dwf6/+
PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5Z9iqn4LRXnAFnC438hZZKZU/+JxU
2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4TLjVS/3h75sh2Wk0xVaSwjPEjCOgm
a+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4NwIDAQABAoIBADWkupXnXI99Ogc4
GxK0JF88Rz6qyhwQg5mZKthejCwWCt6roRiBF33O933KOHa+OljMAqHDCv1pzjgw
BIz0mvaRPw7OfylTajHNUdShDFHADVc7I6MMcgz+eYBarhY5jCAjKHMOPjv7DSZs
OdYCKLvfxC2oTyV714n9uZhyccDcvQpkgZuBDL0oxPom1GOI8TGhPjxvFOovEHWA
Q8q9XY4cUVNDikZmvpgeUkJHWYHYb+11vKeSupnYD03yJ3sDy+F6+m+3/XmzFbXb
1p43ermHQsMfDlxPyulUUI0viSo2UhlMC/moAb9FusOv+dTl2lt0gGqzDJ9gg1z1
XpHRnwkCgYEA5x48dyxd4lydtVYef9sBmbLJEYozsYyOwLcnrLSNaZxeCza1exyR
QIRogswoLDacxrYvO8FY6LtAEMkisv732M29zthBPm5wyoSZiM1X2YfQXKsmyh2h
x1/yCWv/BQjj68A8IAxToaXxSG4WAr/X00RGUkXgkgw122FxcmGuFyUCgYEA0TcR
dnt/oRMK4aCZHcBgTknzDfxKlJh4S0C9WjxKgr8IlW4LTeVSBuuqOObOQYImEhtw
TRTKZIViL0roDF79cioQSp1Tk5h6uy8wr6VyhWRnWfTz2/azoTHnmQ780rtAuEI/
NvE6FiqwikJLjma1YJoRfr/bfmgMdxcYbJI1MSsCgYAEZ5Yda1IKu1siFpcUNrdM
F5UvaWPc0WHzGEqARxye06UTL6K7yuqVwTBAteVaGlxYiSZTTDcGkHMDHuIzaRqO
HjWs2IA90VsC8Q4ABnHTKnx1F6nwlin8I774IP/GN8ooNwyuS63YWdJEYBy5RrC1
TQrODJjgD62DFdNUq7nmpQKBgFMJEzI+Q+KPJ0NztTG8t7x61y/W0Vb2yM+9Syn0
QfJwlZyRR4VMHelHQZFB8dzIJgoLv9+n/8gztEtm5IB8dwUHst2aYaBz5UpDqYQd
Gz3cIrTuZpcH7DVvFCeIbknJLh+zk1lgFpjTqqvFMi27kANeQtFWnmwmKcRec0As
K1ZvAoGAV/3YB44/zIoB590+yhpx2HTmDPVHH+J+5O71Pi1D9W13ClBFLrE69wo+
IQLIstBI5tGOGeuQNjXhDKJ1U30xppZXcnebrkA+oOo+6dy20zghFR2maAGXfWFU
pM4GsSnSTm0bXPebVouQFqhj7LqcQQzCqRDThmw/Lp1tJUmu40g=
-----END RSA PRIVATE KEY-----

9
internal/suites/OIDCTraefik/keypair/key.pub
View File

@ -1,9 +0,0 @@
-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvOFmoEJFt1JkfdlwM3vJ
Fg5rrY9d6LyyqezjZkBZDQ4qdEEUdCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3
r0ugjJXjhvJdBSaoLlzL3saeyrXkfrOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy
7Wzq0y7XxGeNidEmFjMAf9dwf6/+PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5
Z9iqn4LRXnAFnC438hZZKZU/+JxU2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4T
LjVS/3h75sh2Wk0xVaSwjPEjCOgma+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4
NwIDAQAB
-----END RSA PUBLIC KEY-----

4
internal/suites/OneFactorOnly/configuration.yml
View File

@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/OneFactorOnly/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './OneFactorOnly/configuration.yml:/config/configuration.yml:ro'
- './OneFactorOnly/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/PathPrefix/configuration.yml
View File

@ -9,8 +9,8 @@ server:
port: 9091
path: auth
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/PathPrefix/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './PathPrefix/configuration.yml:/config/configuration.yml:ro'
- './PathPrefix/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/Postgres/configuration.yml
View File

@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/Postgres/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './Postgres/configuration.yml:/config/configuration.yml:ro'
- './Postgres/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/ShortTimeouts/configuration.yml
View File

@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/ShortTimeouts/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './ShortTimeouts/configuration.yml:/config/configuration.yml:ro'
- './ShortTimeouts/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/Standalone/configuration.yml
View File

@ -8,8 +8,8 @@ theme: auto
server:
port: 9091
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
telemetry:
metrics:

2
internal/suites/Standalone/docker-compose.yml
View File

@ -8,7 +8,7 @@ services:
volumes:
- './Standalone/configuration.yml:/config/configuration.yml:ro'
- './Standalone/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
- '/tmp:/tmp'
user: ${USER_ID}:${GROUP_ID}
...

4
internal/suites/Traefik/configuration.yml
View File

@ -9,8 +9,8 @@ server:
port: 9091
asset_path: /config/assets/
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

2
internal/suites/Traefik/docker-compose.yml
View File

@ -5,5 +5,5 @@ services:
volumes:
- './Traefik/configuration.yml:/config/configuration.yml:ro'
- './Traefik/users.yml:/config/users.yml'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

4
internal/suites/Traefik2/configuration.yml
View File

@ -9,8 +9,8 @@ server:
port: 9091
asset_path: /config/assets/
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
endpoints:
authz:
forward-auth:

2
internal/suites/Traefik2/docker-compose.yml
View File

@ -7,5 +7,5 @@ services:
- './Traefik2/users.yml:/config/users.yml'
- './Traefik2/favicon.ico:/config/assets/favicon.ico'
- './Traefik2/logo.png:/config/assets/logo.png'
- './common/pki:/config/ssl:ro'
- './common/pki:/pki:ro'
...

21
internal/suites/common/pki/ca/ca.public.crt 100644
View File

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIRAPl83YWFsuwIwxBRmdJyLLQwDQYJKoZIhvcNAQELBQAw
WzERMA8GA1UEChMIQXV0aGVsaWExFDASBgNVBAsTC0RldmVsb3BtZW50MTAwLgYD
VQQDEydBdXRoZWxpYSBEZXZlbG9wbWVudCBTdGFuZGFsb25lIFJvb3QgQ0EwIBcN
MDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMFsxETAPBgNVBAoTCEF1dGhl
bGlhMRQwEgYDVQQLEwtEZXZlbG9wbWVudDEwMC4GA1UEAxMnQXV0aGVsaWEgRGV2
ZWxvcG1lbnQgU3RhbmRhbG9uZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA2RtD74ISXHruAIIkIRTLGf5VK0b7iN5+CPW8qWjg74PCnid1
3DOqVCZ3HSXMP0iaH5rd+WAYojQo5Z1uZ75tXgzYjt6tyXG5H1nN1fkmjkHyNORP
abOZtngVaixvlT/hsONXszFdqogXhhI4DtEo0lvxJcnOHER4QVylM4YgDMF85jXi
VD893Y6Luik9B6FXLVK9iAJ5MfvD/r8kEPLsDTl2u/Ye0q4igVDJq9tOtb2enhlz
HtipYhzzNwEzQwy3tjzP9xpQG6XE6/JW20gQaBvoRBN64DMgRlh1/8ZVyYE8v/B1
vRVpSgmyCdDJeaRYZ6J+hO3LXBXU20CVZsM5VQIDAQABo0IwQDAOBgNVHQ8BAf8E
BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUlrBVtyTWJQWRimLeZXr2
mrOzy2gwDQYJKoZIhvcNAQELBQADggEBAKXjAw5v8VTM6EDiUvR8XdiikYkycAG/
hcEt+QLkkBb72+tUNYbr57YJeJuqQcaPTBUQrIXsID8JV5dQJFfyIG2s3G0iuN70
W4fSRPqsSBIcyOK+2APLjkYV8qwLdh03Lyll4SZo7PCK8ItemsIK1NWhd74N49fm
+a8eyY5bgfA0FMkjY/ts4gAnYExGRoLOQRu/CgOvBlj2KQUrSNptze1rNlP32b63
eUv1wf/ajK2TxI1pQgkeu2lM3Tyu7q7J4UVn0UY0wtZvHtw2+UBGKZB3ok6ejBy2
HMjgLGuayGjhyUN8zRkuSvBynuI2wGhIlHklEbaQW5oFKbniXRqdzc4=
-----END CERTIFICATE-----

8
internal/suites/common/pki/gen.sh
View File

@ -1,5 +1,7 @@
#!/bin/bash
go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki -n 'Authelia Development Standalone Root CA' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --ca
go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ -n '*.example.com' --sans '*.example.com,example.com' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle
go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ --file.certificate public.backend.crt --file.certificate-bundle public.backend.bundle.crt --file.private-key private.backend.pem -n 'login.example.com' --sans 'login.example.com,authelia' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle
# go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki/ca -n 'Authelia Development Standalone Root CA' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --ca
# cp ./internal/suites/common/pki/ca/ca.public.crt ./internal/suites/common/pki/ca.public.crt
go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ca -n '*.example.com' --sans '*.example.com,example.com' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle
go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ca --file.certificate public.backend.crt --file.certificate-bundle public.backend.bundle.crt --file.private-key private.backend.pem -n 'login.example.com' --sans 'login.example.com,authelia' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle
go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ca --file.certificate public.oidc.crt --file.certificate-bundle public.oidc.bundle.crt --file.private-key private.oidc.pem -n 'login.example.com' --sans 'login.example.com,login.example1.com,login.example2.com,login.example3,com' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle

27
internal/suites/common/pki/private.oidc.pem 100644
View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0x+u2Kkd1VZGkj7FDwgoXQp0fx1mx5VXd2VEJN9yYTXzlNRZ
Taw8WrOcud7hsBPw3DkhbCjEzvw0Ee+DjwtSCotKbtsBwjyLCegjluPHKUvsVNYZ
m19TxYY2erx7gohdEcmCGnpWSPRUAKBasIfpM0q6LXG70o8vTuKS82Ub++Sgl1Pa
kRL/e/KBUYFZksGEMK1oiPiOtRoJF+vUhRf46ZBg3aZ/HLNvcT5TAMgRRws+K3ek
C5+h5oXFexUosj2DCxcjTbsL7C5nqfR3jwmjrBaGN8KnloEDvC84+OsN/nE2PLa5
c1kTlRCvKd0gmRuucOKsJ6zvYf/hAqp/WCj1MQIDAQABAoIBAAOHCP3XvYbd/Sne
YJ6CrWH4lb+19wyooyB8kanoDdov85TuA1v3375IN/snDTBK9QBI+BT9jWRD9H7E
OLeAIevJLgIyKJJdPpl4xndz8NTwzs8QELd23Uh0mJ5uXcXtj1iHvGPC3YQ0iN7F
zx4Z9zyDKB8wQkofWFQCFyB39QK9ZGDW4ZstVb57fS62SuqFPW/rO2qSpsuUUwgy
Z2P2NqoqtqLIyw3qbsJCArzGoHuMCtjKDYenf8wJxORAsAGAREj71w2bQ20cMMIA
w30jgoXtEC9zS2BOb3mUBHiDOKnn4vwlNd7wiLPdZIGP75G4EkI4AHLhJQ1a5YuF
8E6V9AECgYEA1LSQVdWggvHTQnj5PHr5k7+YkL/MeIvOkLW5s0r7Lt3x45bAFaQh
XVZIXrynv62IZmTzCPwOwrXGJJieT0Ctom0XHgtp8nu7Okxk4AISRfjy7J03EXsJ
cS508IJ1B3HZepGvVwp+geJ0r9JmQ19JqZsJ7VENYoPKtYRZ9aV7CUECgYEA/hi1
Yw2FcSBk/kXVlcWvKtohY6NISgI5U1Kp7T16ZH3anpew6WwQ3GfueVet714BdwaZ
knqiiMvaTAOG66KYHCzRBSeXOozT/0N9AfKqS1y7xW+mR2nUrAiWCL95uZpB9SxE
3gylWULV4/+wlF006tEcJ5qiXymAAYv+wEg+f/ECgYBu2XLm6J/v3esFF1p8RHJQ
p2bw+KOspt+N1sbiQ09IC26F9wg/vvuMUu0AQj0BzYPqKO3nXsSqgGS0qbzG/KQA
o+2KQNSEBCt8pFdlzm6LfMPMv9n1CDPRgi57MOGgcZqvH8FLETMAqW26O2ID9mLD
OwMfZEAfeSNpGYJwXD8UgQKBgQC+0k1+Csx47YwKzOUeqivncZL7occLFWp5oa3N
ZYsB5uYEjgSk96wd6ctUwzzzc1SET6eLMp/XPcg9p7RuR1gWaK28QkQ3C0W2ALfj
e5raJ9U366YjIV4+p+AMx8chVLBN8CXz3+lZBHFe3Ul90hWIduu+7kkcUC06fCkf
u+F78QKBgFajhBPESe344ixG/fASpsVe2Yg14SgYCeWkinOe856zABY8dkfWWBIq
KX2eq1WJXErHWDuuNPP3Jol1CouqqHseqYQ+SaOhlHdoGws70bsIvBHrtj7NiEQZ
HFLhEk+OnnG+wJ1jQ5cseA4kbTuPjEL0NNVk7OSndiuxnnDbe91R
-----END RSA PRIVATE KEY-----

44
internal/suites/common/pki/public.oidc.bundle.crt 100644
View File

@ -0,0 +1,44 @@
-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIQZjmlbZI+QaeqQpApxA2eDjANBgkqhkiG9w0BAQsFADBb
MREwDwYDVQQKEwhBdXRoZWxpYTEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxMDAuBgNV
BAMTJ0F1dGhlbGlhIERldmVsb3BtZW50IFN0YW5kYWxvbmUgUm9vdCBDQTAgFw0w
MDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowRTERMA8GA1UEChMIQXV0aGVs
aWExFDASBgNVBAsTC0RldmVsb3BtZW50MRowGAYDVQQDExFsb2dpbi5leGFtcGxl
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMfrtipHdVWRpI+
xQ8IKF0KdH8dZseVV3dlRCTfcmE185TUWU2sPFqznLne4bAT8Nw5IWwoxM78NBHv
g48LUgqLSm7bAcI8iwnoI5bjxylL7FTWGZtfU8WGNnq8e4KIXRHJghp6Vkj0VACg
WrCH6TNKui1xu9KPL07ikvNlG/vkoJdT2pES/3vygVGBWZLBhDCtaIj4jrUaCRfr
1IUX+OmQYN2mfxyzb3E+UwDIEUcLPit3pAufoeaFxXsVKLI9gwsXI027C+wuZ6n0
d48Jo6wWhjfCp5aBA7wvOPjrDf5xNjy2uXNZE5UQryndIJkbrnDirCes72H/4QKq
f1go9TECAwEAAaOBsjCBrzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB
BQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSWsFW3JNYlBZGKYt5levaa
s7PLaDBZBgNVHREEUjBQghFsb2dpbi5leGFtcGxlLmNvbYISbG9naW4uZXhhbXBs
ZTEuY29tghJsb2dpbi5leGFtcGxlMi5jb22CDmxvZ2luLmV4YW1wbGUzggNjb20w
DQYJKoZIhvcNAQELBQADggEBAH46LB6fFF+5dbFhEa8rsDX17oZPVsIMHi+vhmMh
aS5IACOpmc3q/yyhZelNwB/MRzlPziQwpqwr9B5SQ9UOBvZDuv9ESXYHlVHSIGo9
+3Ax9fvxLVpF3E62whr+d8YHjXE85UgUKaDAWYCAVB7fkY7WfyS3t8IxgJVa+oMZ
sLeI4YmheKdgRZsE+83VcNUVuGhsh3R5NKFo46tonpbdx13Eg2k3IInKAkZmTA5D
YoPfPTDbd1BOC+h2C0s+guUyoG1Fi5DzS/x8xNoRcZ7/fkdcboAXa8dlVZeqGRky
ddYggjZYnqGaD9qKFAox4EqkCYB1XwNeUPUapdvGICC7UGc=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIRAPl83YWFsuwIwxBRmdJyLLQwDQYJKoZIhvcNAQELBQAw
WzERMA8GA1UEChMIQXV0aGVsaWExFDASBgNVBAsTC0RldmVsb3BtZW50MTAwLgYD
VQQDEydBdXRoZWxpYSBEZXZlbG9wbWVudCBTdGFuZGFsb25lIFJvb3QgQ0EwIBcN
MDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMFsxETAPBgNVBAoTCEF1dGhl
bGlhMRQwEgYDVQQLEwtEZXZlbG9wbWVudDEwMC4GA1UEAxMnQXV0aGVsaWEgRGV2
ZWxvcG1lbnQgU3RhbmRhbG9uZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA2RtD74ISXHruAIIkIRTLGf5VK0b7iN5+CPW8qWjg74PCnid1
3DOqVCZ3HSXMP0iaH5rd+WAYojQo5Z1uZ75tXgzYjt6tyXG5H1nN1fkmjkHyNORP
abOZtngVaixvlT/hsONXszFdqogXhhI4DtEo0lvxJcnOHER4QVylM4YgDMF85jXi
VD893Y6Luik9B6FXLVK9iAJ5MfvD/r8kEPLsDTl2u/Ye0q4igVDJq9tOtb2enhlz
HtipYhzzNwEzQwy3tjzP9xpQG6XE6/JW20gQaBvoRBN64DMgRlh1/8ZVyYE8v/B1
vRVpSgmyCdDJeaRYZ6J+hO3LXBXU20CVZsM5VQIDAQABo0IwQDAOBgNVHQ8BAf8E
BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUlrBVtyTWJQWRimLeZXr2
mrOzy2gwDQYJKoZIhvcNAQELBQADggEBAKXjAw5v8VTM6EDiUvR8XdiikYkycAG/
hcEt+QLkkBb72+tUNYbr57YJeJuqQcaPTBUQrIXsID8JV5dQJFfyIG2s3G0iuN70
W4fSRPqsSBIcyOK+2APLjkYV8qwLdh03Lyll4SZo7PCK8ItemsIK1NWhd74N49fm
+a8eyY5bgfA0FMkjY/ts4gAnYExGRoLOQRu/CgOvBlj2KQUrSNptze1rNlP32b63
eUv1wf/ajK2TxI1pQgkeu2lM3Tyu7q7J4UVn0UY0wtZvHtw2+UBGKZB3ok6ejBy2
HMjgLGuayGjhyUN8zRkuSvBynuI2wGhIlHklEbaQW5oFKbniXRqdzc4=
-----END CERTIFICATE-----

23
internal/suites/common/pki/public.oidc.crt 100644
View File

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIQZjmlbZI+QaeqQpApxA2eDjANBgkqhkiG9w0BAQsFADBb
MREwDwYDVQQKEwhBdXRoZWxpYTEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxMDAuBgNV
BAMTJ0F1dGhlbGlhIERldmVsb3BtZW50IFN0YW5kYWxvbmUgUm9vdCBDQTAgFw0w
MDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowRTERMA8GA1UEChMIQXV0aGVs
aWExFDASBgNVBAsTC0RldmVsb3BtZW50MRowGAYDVQQDExFsb2dpbi5leGFtcGxl
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMfrtipHdVWRpI+
xQ8IKF0KdH8dZseVV3dlRCTfcmE185TUWU2sPFqznLne4bAT8Nw5IWwoxM78NBHv
g48LUgqLSm7bAcI8iwnoI5bjxylL7FTWGZtfU8WGNnq8e4KIXRHJghp6Vkj0VACg
WrCH6TNKui1xu9KPL07ikvNlG/vkoJdT2pES/3vygVGBWZLBhDCtaIj4jrUaCRfr
1IUX+OmQYN2mfxyzb3E+UwDIEUcLPit3pAufoeaFxXsVKLI9gwsXI027C+wuZ6n0
d48Jo6wWhjfCp5aBA7wvOPjrDf5xNjy2uXNZE5UQryndIJkbrnDirCes72H/4QKq
f1go9TECAwEAAaOBsjCBrzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB
BQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSWsFW3JNYlBZGKYt5levaa
s7PLaDBZBgNVHREEUjBQghFsb2dpbi5leGFtcGxlLmNvbYISbG9naW4uZXhhbXBs
ZTEuY29tghJsb2dpbi5leGFtcGxlMi5jb22CDmxvZ2luLmV4YW1wbGUzggNjb20w
DQYJKoZIhvcNAQELBQADggEBAH46LB6fFF+5dbFhEa8rsDX17oZPVsIMHi+vhmMh
aS5IACOpmc3q/yyhZelNwB/MRzlPziQwpqwr9B5SQ9UOBvZDuv9ESXYHlVHSIGo9
+3Ax9fvxLVpF3E62whr+d8YHjXE85UgUKaDAWYCAVB7fkY7WfyS3t8IxgJVa+oMZ
sLeI4YmheKdgRZsE+83VcNUVuGhsh3R5NKFo46tonpbdx13Eg2k3IInKAkZmTA5D
YoPfPTDbd1BOC+h2C0s+guUyoG1Fi5DzS/x8xNoRcZ7/fkdcboAXa8dlVZeqGRky
ddYggjZYnqGaD9qKFAox4EqkCYB1XwNeUPUapdvGICC7UGc=
-----END CERTIFICATE-----

2
internal/suites/environment.go
View File

@ -42,7 +42,7 @@ func waitUntilAutheliaBackendIsReady(dockerEnvironment *DockerEnvironment) error
90*time.Second,
dockerEnvironment,
"authelia-backend",
[]string{"Initializing server for"})
[]string{"Startup Complete"})
}
func waitUntilAutheliaFrontendIsReady(dockerEnvironment *DockerEnvironment) error {

2
internal/suites/example/compose/samba/Dockerfile
View File

@ -1,4 +1,4 @@
FROM alpine:3.17.1
FROM alpine:3.17.2
RUN \
apk add --no-cache \

2
internal/suites/example/kube/authelia/authelia.yml
View File

@ -33,7 +33,7 @@ spec:
mountPath: /config/configuration.yml
readOnly: true
- name: authelia-ssl
mountPath: /config/ssl
mountPath: /pki
readOnly: true
- name: secrets
mountPath: /config/secrets

4
internal/suites/example/kube/authelia/configs/configuration.yml
View File

@ -8,8 +8,8 @@ default_redirection_url: https://home.example.com:8080
server:
port: 443
tls:
certificate: /config/ssl/public.backend.crt
key: /config/ssl/private.backend.pem
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
log:
level: debug

5
internal/utils/crypto_test.go
View File

@ -54,7 +54,7 @@ func TestShouldNotReturnErrWhenX509DirectoryExist(t *testing.T) {
func TestShouldReadCertsFromDirectoryButNotKeys(t *testing.T) {
pool, warnings, errors := NewX509CertPool("../suites/common/pki/")
assert.NotNil(t, pool)
require.Len(t, errors, 2)
require.Len(t, errors, 3)
if runtime.GOOS == "windows" {
require.Len(t, warnings, 1)
@ -64,7 +64,8 @@ func TestShouldReadCertsFromDirectoryButNotKeys(t *testing.T) {
}
assert.EqualError(t, errors[0], "could not import certificate private.backend.pem")
assert.EqualError(t, errors[1], "could not import certificate private.pem")
assert.EqualError(t, errors[1], "could not import certificate private.oidc.pem")
assert.EqualError(t, errors[2], "could not import certificate private.pem")
}
func TestShouldGenerateCertificateAndPersistIt(t *testing.T) {