From a0758bb4ba17fd3085efc59d27678212bfb60455 Mon Sep 17 00:00:00 2001 
From: James Elliott Date: Sat, 11 Feb 2023 15:37:54 +1100 Subject: [PATCH 1/3] refactor(suites): use pki for oidc (#4913) --- .gitignore | 2 + .../suites/ActiveDirectory/configuration.yml | 4 +- .../suites/ActiveDirectory/docker-compose.yml | 2 +- internal/suites/BypassAll/configuration.yml | 4 +- internal/suites/BypassAll/docker-compose.yml | 2 +- internal/suites/CLI/configuration.yml | 4 +- internal/suites/CLI/docker-compose.yml | 2 +- internal/suites/Caddy/configuration.yml | 4 +- internal/suites/Caddy/docker-compose.yml | 2 +- internal/suites/Docker/configuration.yml | 4 +- internal/suites/Docker/docker-compose.yml | 2 +- internal/suites/DuoPush/configuration.yml | 4 +- internal/suites/DuoPush/docker-compose.yml | 2 +- internal/suites/Envoy/configuration.yml | 4 +- internal/suites/Envoy/docker-compose.yml | 2 +- internal/suites/HAProxy/configuration.yml | 4 +- internal/suites/HAProxy/docker-compose.yml | 2 +- .../suites/HighAvailability/configuration.yml | 4 +- .../HighAvailability/docker-compose.yml | 2 +- internal/suites/LDAP/configuration.yml | 4 +- internal/suites/LDAP/docker-compose.yml | 2 +- internal/suites/MariaDB/configuration.yml | 4 +- internal/suites/MariaDB/docker-compose.yml | 2 +- .../MultiCookieDomain/configuration.yml | 4 +- .../MultiCookieDomain/docker-compose.yml | 2 +- internal/suites/MySQL/configuration.yml | 4 +- internal/suites/MySQL/docker-compose.yml | 2 +- internal/suites/NetworkACL/configuration.yml | 4 +- internal/suites/NetworkACL/docker-compose.yml | 2 +- internal/suites/OIDC/configuration.yml | 70 +------------------ internal/suites/OIDC/docker-compose.yml | 6 +- internal/suites/OIDC/keypair/key.pem | 27 ------- internal/suites/OIDC/keypair/key.pub | 9 --- internal/suites/OIDCTraefik/configuration.yml | 70 +------------------ .../suites/OIDCTraefik/docker-compose.yml | 6 +- internal/suites/OIDCTraefik/keypair/key.pem | 27 ------- internal/suites/OIDCTraefik/keypair/key.pub | 9 --- .../suites/OneFactorOnly/configuration.yml | 4 +- 
.../suites/OneFactorOnly/docker-compose.yml | 2 +- internal/suites/PathPrefix/configuration.yml | 4 +- internal/suites/PathPrefix/docker-compose.yml | 2 +- internal/suites/Postgres/configuration.yml | 4 +- internal/suites/Postgres/docker-compose.yml | 2 +- .../suites/ShortTimeouts/configuration.yml | 4 +- .../suites/ShortTimeouts/docker-compose.yml | 2 +- internal/suites/Standalone/configuration.yml | 4 +- internal/suites/Standalone/docker-compose.yml | 2 +- internal/suites/Traefik/configuration.yml | 4 +- internal/suites/Traefik/docker-compose.yml | 2 +- internal/suites/Traefik2/configuration.yml | 4 +- internal/suites/Traefik2/docker-compose.yml | 2 +- internal/suites/common/pki/ca/ca.public.crt | 21 ++++++ internal/suites/common/pki/gen.sh | 8 ++- internal/suites/common/pki/private.oidc.pem | 27 +++++++ .../suites/common/pki/public.oidc.bundle.crt | 44 ++++++++++++ internal/suites/common/pki/public.oidc.crt | 23 ++++++ .../suites/example/kube/authelia/authelia.yml | 2 +- .../kube/authelia/configs/configuration.yml | 4 +- internal/utils/crypto_test.go | 5 +- 59 files changed, 203 insertions(+), 283 deletions(-) delete mode 100644 internal/suites/OIDC/keypair/key.pem delete mode 100644 internal/suites/OIDC/keypair/key.pub delete mode 100644 internal/suites/OIDCTraefik/keypair/key.pem delete mode 100644 internal/suites/OIDCTraefik/keypair/key.pub create mode 100644 internal/suites/common/pki/ca/ca.public.crt create mode 100644 internal/suites/common/pki/private.oidc.pem create mode 100644 internal/suites/common/pki/public.oidc.bundle.crt create mode 100644 internal/suites/common/pki/public.oidc.crt diff --git a/.gitignore b/.gitignore index 7bb4c5401..1d41f9141 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,5 @@ authelia-image-dev.tar /authelia __debug_bin + +internal/suites/common/pki/ca/ca.private.pem diff --git a/internal/suites/ActiveDirectory/configuration.yml b/internal/suites/ActiveDirectory/configuration.yml index 3a11f94ff..26044c7e5 100644 
--- a/internal/suites/ActiveDirectory/configuration.yml +++ b/internal/suites/ActiveDirectory/configuration.yml @@ -10,8 +10,8 @@ default_redirection_url: https://home.example.com:8080/ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/ActiveDirectory/docker-compose.yml b/internal/suites/ActiveDirectory/docker-compose.yml index ac6f88202..c2bc0b1cf 100644 --- a/internal/suites/ActiveDirectory/docker-compose.yml +++ b/internal/suites/ActiveDirectory/docker-compose.yml @@ -4,5 +4,5 @@ services: authelia-backend: volumes: - './ActiveDirectory/configuration.yml:/config/configuration.yml:ro' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/BypassAll/configuration.yml b/internal/suites/BypassAll/configuration.yml index e7e04abe2..e5906d1dd 100644 --- a/internal/suites/BypassAll/configuration.yml +++ b/internal/suites/BypassAll/configuration.yml @@ -6,8 +6,8 @@ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/BypassAll/docker-compose.yml b/internal/suites/BypassAll/docker-compose.yml index 306d724ff..05abf964c 100644 --- a/internal/suites/BypassAll/docker-compose.yml +++ b/internal/suites/BypassAll/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './BypassAll/configuration.yml:/config/configuration.yml:ro' - './BypassAll/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/CLI/configuration.yml b/internal/suites/CLI/configuration.yml index 18ec44c1d..9c4b95d50 100644 --- a/internal/suites/CLI/configuration.yml +++ b/internal/suites/CLI/configuration.yml 
@@ -6,8 +6,8 @@ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/CLI/docker-compose.yml b/internal/suites/CLI/docker-compose.yml index d38329137..886561fd6 100644 --- a/internal/suites/CLI/docker-compose.yml +++ b/internal/suites/CLI/docker-compose.yml @@ -6,7 +6,7 @@ services: - './CLI/configuration.yml:/config/configuration.yml:ro' - './CLI/storage.yml:/config/configuration.storage.yml:ro' - './CLI/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' - '/tmp:/tmp' user: ${USER_ID}:${GROUP_ID} ... diff --git a/internal/suites/Caddy/configuration.yml b/internal/suites/Caddy/configuration.yml index 14f9fdff0..b57c30d69 100644 --- a/internal/suites/Caddy/configuration.yml +++ b/internal/suites/Caddy/configuration.yml @@ -9,8 +9,8 @@ server: port: 9091 asset_path: /config/assets/ tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem endpoints: authz: caddy: diff --git a/internal/suites/Caddy/docker-compose.yml b/internal/suites/Caddy/docker-compose.yml index 2b5a105a5..b478ae4c2 100644 --- a/internal/suites/Caddy/docker-compose.yml +++ b/internal/suites/Caddy/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './Caddy/configuration.yml:/config/configuration.yml:ro' - './Caddy/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/Docker/configuration.yml b/internal/suites/Docker/configuration.yml index 706ff86e2..776790973 100644 --- a/internal/suites/Docker/configuration.yml +++ b/internal/suites/Docker/configuration.yml 
@@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/Docker/docker-compose.yml b/internal/suites/Docker/docker-compose.yml index 9c6aae12d..b8b22f644 100644 --- a/internal/suites/Docker/docker-compose.yml +++ b/internal/suites/Docker/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './Docker/configuration.yml:/config/configuration.yml:ro' - './Docker/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/DuoPush/configuration.yml b/internal/suites/DuoPush/configuration.yml index 0d8c3abf2..59565ac2b 100644 --- a/internal/suites/DuoPush/configuration.yml +++ b/internal/suites/DuoPush/configuration.yml @@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: trace diff --git a/internal/suites/DuoPush/docker-compose.yml b/internal/suites/DuoPush/docker-compose.yml index f5799b427..1a3d12015 100644 --- a/internal/suites/DuoPush/docker-compose.yml +++ b/internal/suites/DuoPush/docker-compose.yml @@ -5,7 +5,7 @@ services: volumes: - './DuoPush/configuration.yml:/config/configuration.yml:ro' - './DuoPush/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' - '/tmp:/tmp' user: ${USER_ID}:${GROUP_ID} ... diff --git a/internal/suites/Envoy/configuration.yml b/internal/suites/Envoy/configuration.yml index eaf11e4fd..f04cd8b5d 100644 --- a/internal/suites/Envoy/configuration.yml +++ b/internal/suites/Envoy/configuration.yml 
@@ -9,8 +9,8 @@ server: port: 9091 asset_path: /config/assets/ tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem endpoints: authz: ext-authz: diff --git a/internal/suites/Envoy/docker-compose.yml b/internal/suites/Envoy/docker-compose.yml index 1063b0799..33e143eea 100644 --- a/internal/suites/Envoy/docker-compose.yml +++ b/internal/suites/Envoy/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './Envoy/configuration.yml:/config/configuration.yml:ro' - './Envoy/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/HAProxy/configuration.yml b/internal/suites/HAProxy/configuration.yml index 55811316f..e9685844a 100644 --- a/internal/suites/HAProxy/configuration.yml +++ b/internal/suites/HAProxy/configuration.yml @@ -8,8 +8,8 @@ jwt_secret: unsecure_secret server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/HAProxy/docker-compose.yml b/internal/suites/HAProxy/docker-compose.yml index ca67c5135..fefc9d50c 100644 --- a/internal/suites/HAProxy/docker-compose.yml +++ b/internal/suites/HAProxy/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './HAProxy/configuration.yml:/config/configuration.yml:ro' - './HAProxy/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/HighAvailability/configuration.yml b/internal/suites/HighAvailability/configuration.yml index 02822df2b..c1d3002e5 100644 --- a/internal/suites/HighAvailability/configuration.yml +++ b/internal/suites/HighAvailability/configuration.yml 
@@ -8,8 +8,8 @@ jwt_secret: unsecure_secret server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/HighAvailability/docker-compose.yml b/internal/suites/HighAvailability/docker-compose.yml index 87914c061..35ee85ce2 100644 --- a/internal/suites/HighAvailability/docker-compose.yml +++ b/internal/suites/HighAvailability/docker-compose.yml @@ -4,5 +4,5 @@ services: authelia-backend: volumes: - './HighAvailability/configuration.yml:/config/configuration.yml:ro' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/LDAP/configuration.yml b/internal/suites/LDAP/configuration.yml index 2d28b704a..d9c2ad7ee 100644 --- a/internal/suites/LDAP/configuration.yml +++ b/internal/suites/LDAP/configuration.yml @@ -10,8 +10,8 @@ default_redirection_url: https://home.example.com:8080/ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/LDAP/docker-compose.yml b/internal/suites/LDAP/docker-compose.yml index 5dc2a34cb..fa0e0a38c 100644 --- a/internal/suites/LDAP/docker-compose.yml +++ b/internal/suites/LDAP/docker-compose.yml @@ -4,5 +4,5 @@ services: authelia-backend: volumes: - './LDAP/configuration.yml:/config/configuration.yml:ro' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/MariaDB/configuration.yml b/internal/suites/MariaDB/configuration.yml index b4fae1e60..cd46fe740 100644 --- a/internal/suites/MariaDB/configuration.yml +++ b/internal/suites/MariaDB/configuration.yml 
@@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/MariaDB/docker-compose.yml b/internal/suites/MariaDB/docker-compose.yml index 60c852c16..625399c40 100644 --- a/internal/suites/MariaDB/docker-compose.yml +++ b/internal/suites/MariaDB/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './MariaDB/configuration.yml:/config/configuration.yml:ro' - './MariaDB/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/MultiCookieDomain/configuration.yml b/internal/suites/MultiCookieDomain/configuration.yml index f0ce576f8..8102b658e 100644 --- a/internal/suites/MultiCookieDomain/configuration.yml +++ b/internal/suites/MultiCookieDomain/configuration.yml @@ -9,8 +9,8 @@ theme: auto server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem telemetry: metrics: diff --git a/internal/suites/MultiCookieDomain/docker-compose.yml b/internal/suites/MultiCookieDomain/docker-compose.yml index 117eefee3..4f0535f7a 100644 --- a/internal/suites/MultiCookieDomain/docker-compose.yml +++ b/internal/suites/MultiCookieDomain/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './MultiCookieDomain/configuration.yml:/config/configuration.yml:ro' - './MultiCookieDomain/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/MySQL/configuration.yml b/internal/suites/MySQL/configuration.yml index c41a4d3ac..18a998436 100644 --- a/internal/suites/MySQL/configuration.yml +++ b/internal/suites/MySQL/configuration.yml 
@@ -6,8 +6,8 @@ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/MySQL/docker-compose.yml b/internal/suites/MySQL/docker-compose.yml index bc6dabe1c..b4771444c 100644 --- a/internal/suites/MySQL/docker-compose.yml +++ b/internal/suites/MySQL/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './MySQL/configuration.yml:/config/configuration.yml:ro' - './MySQL/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/NetworkACL/configuration.yml b/internal/suites/NetworkACL/configuration.yml index d90e84815..3c29c965e 100644 --- a/internal/suites/NetworkACL/configuration.yml +++ b/internal/suites/NetworkACL/configuration.yml @@ -6,8 +6,8 @@ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/NetworkACL/docker-compose.yml b/internal/suites/NetworkACL/docker-compose.yml index c19338554..cd78e2fbf 100644 --- a/internal/suites/NetworkACL/docker-compose.yml +++ b/internal/suites/NetworkACL/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './NetworkACL/configuration.yml:/config/configuration.yml:ro' - './NetworkACL/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/OIDC/configuration.yml b/internal/suites/OIDC/configuration.yml index f8fb2a8c7..14ebd61b4 100644 --- a/internal/suites/OIDC/configuration.yml +++ b/internal/suites/OIDC/configuration.yml @@ -2,8 +2,8 @@ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug 
@@ -64,72 +64,6 @@ identity_providers: oidc: enable_client_debug_messages: true hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm - issuer_certificate_chain: | - -----BEGIN CERTIFICATE----- - MIIC6DCCAdCgAwIBAgIRAIxvm0gFgsbh3D22rSZLuFQwDQYJKoZIhvcNAQELBQAw - EzERMA8GA1UEChMIQXV0aGVsaWEwIBcNMjIxMDAyMDAzMDQyWhgPMjEyMjA5MDgw - MDMwNDJaMBMxETAPBgNVBAoTCEF1dGhlbGlhMIIBIjANBgkqhkiG9w0BAQEFAAOC - AQ8AMIIBCgKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd - UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE - 5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0 - 01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa - 7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3 - t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABozUwMzAOBgNVHQ8BAf8E - BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG - 9w0BAQsFAAOCAQEAaZJ09yGa+DGr/iTqshGdPKNCtcf/CXCkL52xiI7DzLxDt30P - 8vCuXXrrTGBY7eWYupcNy/MyqaUrz1ED+map3nQzZQBJ9vWIfr01B9phkg/WSaNJ - 1DlYtbPYzr86BlGP1V5d3Wv6JqF3tkWHI0kI38CT68fWdDKrfa5j3JdZGIVJW+51 - U0IE3Nqhfc76YzwQ3sNX5FT2Fr55RowH+l5OBPk0Bcztq58XmyPR/bvPfDASt8iS - DBT+0iiDiwk6LvOkasL8p7nuh5Grc9LMEYXY/QMUbkIWhIVRFlqyJA9s8vGHx1D4 - 96iYKudj+yvO17Szzr/NNmcwETbCs4j6P6QeiA== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIDBTCCAe2gAwIBAgIQAK/NIAl3Bdg4Xk0y/ZGL7jANBgkqhkiG9w0BAQsFADAT - MREwDwYDVQQKEwhBdXRoZWxpYTAgFw0yMjEwMDIwMDMwMjFaGA8yMTIyMDkwODAw - MzAyMVowEzERMA8GA1UEChMIQXV0aGVsaWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB - DwAwggEKAoIBAQCg7jdO1HmydfkPzTtz57pvAS3YOdBT0hlNjJ4N2lrKhNnixrzK - +4R1dWQDP2SHbZQ0TskF8eQ8HhTr7AsApotTthJFkUgV2g+bv7wVroz0Hok5xtd4 - bnpOvG3YUCP13Nk3ZVxdQXqR3/G3MrbyiXVPcgU+0giJ8EBykbtMu8L79/1iyk+m - w4fZfzTOeorRgspO3z3+pTAib2MCTA7bby1dX9qI/ysFPLdbJYfNQDxij8SzNLyJ - EkQ4kh3jKXf1VcZjbQTtYTZ3JJDqM08OxGMKuXUxPHd72Xlb+Fzql8LjYdEy/YKA - 3r8FMf14lzcjvxtLnFXh//hiXh4+xgXMkrLZAgMBAAGjUzBRMA4GA1UdDwEB/wQE - AwICpDAPBgNVHSUECDAGBgRVHSUAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE - 
FGKpXiZA+8VQyMBqTTep+dVTthSbMA0GCSqGSIb3DQEBCwUAA4IBAQAE4DJg+Rb4 - iiocvxxQ85lhh94ql++E8MKuzIdN7ORs+ybUnsDD1WFDebubroTQuTSBkFrNuGNJ - 8B7NZsHiWWLvNsrnxxeC5CicqfhSDti0rKWsbGyeoq7Kqok5E4pwOzeRsxL2e/Hm - G6LsUQuQMUG2vxKNynqmJS4VpgSVkiGhUfURFuRRDuRpVQ/XTl7jDIGf/ls7TAZq - 1AnmnSi4Cqy4hrTnwYUYkFCcH69onUKAoaVNl1eAH7ogxakz32WyWObY98NBrjzA - I6VQlaQNSHtdFqDpu7NWJZZZSgN4BknbMYQEPNYCm701cPB4ahJbpg5C3pVPFSql - Bc9iI6nN3PCr - -----END CERTIFICATE----- - issuer_private_key: | - -----BEGIN RSA PRIVATE KEY----- - MIIEowIBAAKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd - UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE - 5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0 - 01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa - 7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3 - t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABAoIBAA/EhhM8bRQqzo5t - lBFNaELNu8kCRD/iV9tzj8BzqVt+2JW9qG8bYn9K5Po1HCglFfyjIVOE7cAqIJGX - 1a59x8PCuXDkfPolm6TLkZnXeta5u2K2MoLwN+M1aio5AvSGGTUkD8tr/KX8SQwQ - 2ZZFaML0xcBadF7U8jEey4NRlSp5/voiIAB+FrJHepZBz2XJYCX5s2vYLPMn+51R - 1HyO0n2aQ9H1Na8aBjTfAp9GDKJWBV3bSM7cVaLGlMFj/HNXUNVnSsVsJj0tdWKz - K6r9zPskLnS+eNjCgqrOtZSqJ7M3PL0/PoTFPrr1Fevr+soKWCaPF94Ib94O9SEq - scvP3kECgYEA0HBdGab0HjcZgFtsIaMm+eBcDhUmUrvMPUw6FmspKnc8wplscONW - wrDGhR0dpT8+aAMD5jFC2pvyHjI5AWkW+53LB15j6SVzUlUMfS3VTwE2prLtDHDs - nCDW2+fXY2kjv45efZGpMGbLJVePx2RCPzUlAlc14lzxnHgpo7eho1cCgYEA+jpi - Eo/Jqa5CNd4hrXqFxZTFtU2Mn38ZKI3QK/l47/347yHLebjsYIIwJRoHenxWxNlz - Y+BZ38vkP+f9BGAVGiRcyMmIJU0X305wKwl26Y2Q/tEm2OpwmDboD2pL9byi9vfY - bz7pQGK/l9j86KofRwVJJRLsofPI1SsjnC8c448CgYAkpg0IjJ1RjriSJADwLSKW - PseQxlE1rMVtZbC07mSPjeWGBbnWY3KGytQs5YCn5GXRne4alEC/9Tlt68CwKc0b - spPXGNaSUL5lFIUcoWlm+bylNMKPNG+1x+RfR/VMCll5vcuJYooP85L2Xt3t3gfz - 2yFFtxXHVjY5H7uaiJgIAwKBgQDvkGXEj5TqtsL8/6YOiHb6Kuz+Hzi6mtxjTyI2 - d6mpWuWxTBGaf8kOvJWLb9gpFFGeNPGcdXaWJIZqCJjcT4Dkflu2f/uwepaYXGhX - S8Bk6fwfee5PTmRt1mNmHsaKhgcfmznDh9+YnPIBVuULe5RmUlEtBWk3xEZKj/qP - 
1Ss7UQKBgAwZQz+h5Z/XOJH3Qs5nJBKAZUiYkj3ux7G6tjx0cz7XcUYd/6enBpkY - JeqVHB6G+bMRLwb+Hc5Vgpbd5GdaUWo8udaghHgSGPUVcn0lK38XhYek6ACGz7Lo - xEfgtKoBlUq+uPb8H05HY0t9KybA3LA5wkRYYnJ17/nkZtrrJAmX - -----END RSA PRIVATE KEY----- clients: - id: oidc-tester-app secret: foobar diff --git a/internal/suites/OIDC/docker-compose.yml b/internal/suites/OIDC/docker-compose.yml index 90137cac1..7f545a02a 100644 --- a/internal/suites/OIDC/docker-compose.yml +++ b/internal/suites/OIDC/docker-compose.yml @@ -2,9 +2,11 @@ version: '3' services: authelia-backend: + environment: + AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.bundle.crt + AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem volumes: - './OIDC/configuration.yml:/config/configuration.yml:ro' - './OIDC/users.yml:/config/users.yml' - - './OIDC/keypair/key.pem:/config/issuer.pem:ro' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/OIDC/keypair/key.pem b/internal/suites/OIDC/keypair/key.pem deleted file mode 100644 index c5df003c7..000000000 --- a/internal/suites/OIDC/keypair/key.pem +++ /dev/null 
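Review bot: The two new `environment:` entries reference only `/pki/public.oidc.bundle.crt` and `/pki/private.oidc.pem`, but the volume line below them bind-mounts all of `./common/pki`, and the `.gitignore` hunk in this same patch places a locally generated `internal/suites/common/pki/ca/ca.private.pem` inside that directory, so every suite container ends up with the (presumably CA-signing) key it has no use for. Mounting the two OIDC files individually, e.g. `- './common/pki/public.oidc.bundle.crt:/pki/public.oidc.bundle.crt:ro'` and `- './common/pki/private.oidc.pem:/pki/private.oidc.pem:ro'` next to the backend pair, or keeping `ca/` outside the mounted tree, would limit what the containers can read. The identical `./common/pki:/pki:ro` mount appears in the OIDCTraefik docker-compose hunk and in every other docker-compose hunk of this patch, so the same remark applies there.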
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAvOFmoEJFt1JkfdlwM3vJFg5rrY9d6LyyqezjZkBZDQ4qdEEU
-dCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3r0ugjJXjhvJdBSaoLlzL3saeyrXk
-frOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy7Wzq0y7XxGeNidEmFjMAf9dwf6/+
-PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5Z9iqn4LRXnAFnC438hZZKZU/+JxU
-2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4TLjVS/3h75sh2Wk0xVaSwjPEjCOgm
-a+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4NwIDAQABAoIBADWkupXnXI99Ogc4
-GxK0JF88Rz6qyhwQg5mZKthejCwWCt6roRiBF33O933KOHa+OljMAqHDCv1pzjgw
-BIz0mvaRPw7OfylTajHNUdShDFHADVc7I6MMcgz+eYBarhY5jCAjKHMOPjv7DSZs
-OdYCKLvfxC2oTyV714n9uZhyccDcvQpkgZuBDL0oxPom1GOI8TGhPjxvFOovEHWA
-Q8q9XY4cUVNDikZmvpgeUkJHWYHYb+11vKeSupnYD03yJ3sDy+F6+m+3/XmzFbXb
-1p43ermHQsMfDlxPyulUUI0viSo2UhlMC/moAb9FusOv+dTl2lt0gGqzDJ9gg1z1
-XpHRnwkCgYEA5x48dyxd4lydtVYef9sBmbLJEYozsYyOwLcnrLSNaZxeCza1exyR
-QIRogswoLDacxrYvO8FY6LtAEMkisv732M29zthBPm5wyoSZiM1X2YfQXKsmyh2h
-x1/yCWv/BQjj68A8IAxToaXxSG4WAr/X00RGUkXgkgw122FxcmGuFyUCgYEA0TcR
-dnt/oRMK4aCZHcBgTknzDfxKlJh4S0C9WjxKgr8IlW4LTeVSBuuqOObOQYImEhtw
-TRTKZIViL0roDF79cioQSp1Tk5h6uy8wr6VyhWRnWfTz2/azoTHnmQ780rtAuEI/
-NvE6FiqwikJLjma1YJoRfr/bfmgMdxcYbJI1MSsCgYAEZ5Yda1IKu1siFpcUNrdM
-F5UvaWPc0WHzGEqARxye06UTL6K7yuqVwTBAteVaGlxYiSZTTDcGkHMDHuIzaRqO
-HjWs2IA90VsC8Q4ABnHTKnx1F6nwlin8I774IP/GN8ooNwyuS63YWdJEYBy5RrC1
-TQrODJjgD62DFdNUq7nmpQKBgFMJEzI+Q+KPJ0NztTG8t7x61y/W0Vb2yM+9Syn0
-QfJwlZyRR4VMHelHQZFB8dzIJgoLv9+n/8gztEtm5IB8dwUHst2aYaBz5UpDqYQd
-Gz3cIrTuZpcH7DVvFCeIbknJLh+zk1lgFpjTqqvFMi27kANeQtFWnmwmKcRec0As
-K1ZvAoGAV/3YB44/zIoB590+yhpx2HTmDPVHH+J+5O71Pi1D9W13ClBFLrE69wo+
-IQLIstBI5tGOGeuQNjXhDKJ1U30xppZXcnebrkA+oOo+6dy20zghFR2maAGXfWFU
-pM4GsSnSTm0bXPebVouQFqhj7LqcQQzCqRDThmw/Lp1tJUmu40g=
------END RSA PRIVATE KEY-----
diff --git a/internal/suites/OIDC/keypair/key.pub b/internal/suites/OIDC/keypair/key.pub
deleted file mode 100644
index b8e37ffa4..000000000
--- a/internal/suites/OIDC/keypair/key.pub
+++ /dev/null
@@ -1,9 +0,0 @@ ------BEGIN RSA PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvOFmoEJFt1JkfdlwM3vJ -Fg5rrY9d6LyyqezjZkBZDQ4qdEEUdCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3 -r0ugjJXjhvJdBSaoLlzL3saeyrXkfrOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy -7Wzq0y7XxGeNidEmFjMAf9dwf6/+PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5 -Z9iqn4LRXnAFnC438hZZKZU/+JxU2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4T -LjVS/3h75sh2Wk0xVaSwjPEjCOgma+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4 -NwIDAQAB ------END RSA PUBLIC KEY----- diff --git a/internal/suites/OIDCTraefik/configuration.yml b/internal/suites/OIDCTraefik/configuration.yml index e9c8dd532..f5e936cca 100644 --- a/internal/suites/OIDCTraefik/configuration.yml +++ b/internal/suites/OIDCTraefik/configuration.yml @@ -2,8 +2,8 @@ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug 
@@ -65,72 +65,6 @@ identity_providers: oidc: enable_client_debug_messages: true hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm - issuer_certificate_chain: | - -----BEGIN CERTIFICATE----- - MIIC6DCCAdCgAwIBAgIRAIxvm0gFgsbh3D22rSZLuFQwDQYJKoZIhvcNAQELBQAw - EzERMA8GA1UEChMIQXV0aGVsaWEwIBcNMjIxMDAyMDAzMDQyWhgPMjEyMjA5MDgw - MDMwNDJaMBMxETAPBgNVBAoTCEF1dGhlbGlhMIIBIjANBgkqhkiG9w0BAQEFAAOC - AQ8AMIIBCgKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd - UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE - 5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0 - 01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa - 7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3 - t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABozUwMzAOBgNVHQ8BAf8E - BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG - 9w0BAQsFAAOCAQEAaZJ09yGa+DGr/iTqshGdPKNCtcf/CXCkL52xiI7DzLxDt30P - 8vCuXXrrTGBY7eWYupcNy/MyqaUrz1ED+map3nQzZQBJ9vWIfr01B9phkg/WSaNJ - 1DlYtbPYzr86BlGP1V5d3Wv6JqF3tkWHI0kI38CT68fWdDKrfa5j3JdZGIVJW+51 - U0IE3Nqhfc76YzwQ3sNX5FT2Fr55RowH+l5OBPk0Bcztq58XmyPR/bvPfDASt8iS - DBT+0iiDiwk6LvOkasL8p7nuh5Grc9LMEYXY/QMUbkIWhIVRFlqyJA9s8vGHx1D4 - 96iYKudj+yvO17Szzr/NNmcwETbCs4j6P6QeiA== - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIDBTCCAe2gAwIBAgIQAK/NIAl3Bdg4Xk0y/ZGL7jANBgkqhkiG9w0BAQsFADAT - MREwDwYDVQQKEwhBdXRoZWxpYTAgFw0yMjEwMDIwMDMwMjFaGA8yMTIyMDkwODAw - MzAyMVowEzERMA8GA1UEChMIQXV0aGVsaWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB - DwAwggEKAoIBAQCg7jdO1HmydfkPzTtz57pvAS3YOdBT0hlNjJ4N2lrKhNnixrzK - +4R1dWQDP2SHbZQ0TskF8eQ8HhTr7AsApotTthJFkUgV2g+bv7wVroz0Hok5xtd4 - bnpOvG3YUCP13Nk3ZVxdQXqR3/G3MrbyiXVPcgU+0giJ8EBykbtMu8L79/1iyk+m - w4fZfzTOeorRgspO3z3+pTAib2MCTA7bby1dX9qI/ysFPLdbJYfNQDxij8SzNLyJ - EkQ4kh3jKXf1VcZjbQTtYTZ3JJDqM08OxGMKuXUxPHd72Xlb+Fzql8LjYdEy/YKA - 3r8FMf14lzcjvxtLnFXh//hiXh4+xgXMkrLZAgMBAAGjUzBRMA4GA1UdDwEB/wQE - AwICpDAPBgNVHSUECDAGBgRVHSUAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE - 
FGKpXiZA+8VQyMBqTTep+dVTthSbMA0GCSqGSIb3DQEBCwUAA4IBAQAE4DJg+Rb4 - iiocvxxQ85lhh94ql++E8MKuzIdN7ORs+ybUnsDD1WFDebubroTQuTSBkFrNuGNJ - 8B7NZsHiWWLvNsrnxxeC5CicqfhSDti0rKWsbGyeoq7Kqok5E4pwOzeRsxL2e/Hm - G6LsUQuQMUG2vxKNynqmJS4VpgSVkiGhUfURFuRRDuRpVQ/XTl7jDIGf/ls7TAZq - 1AnmnSi4Cqy4hrTnwYUYkFCcH69onUKAoaVNl1eAH7ogxakz32WyWObY98NBrjzA - I6VQlaQNSHtdFqDpu7NWJZZZSgN4BknbMYQEPNYCm701cPB4ahJbpg5C3pVPFSql - Bc9iI6nN3PCr - -----END CERTIFICATE----- - issuer_private_key: | - -----BEGIN RSA PRIVATE KEY----- - MIIEowIBAAKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd - UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE - 5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0 - 01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa - 7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3 - t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABAoIBAA/EhhM8bRQqzo5t - lBFNaELNu8kCRD/iV9tzj8BzqVt+2JW9qG8bYn9K5Po1HCglFfyjIVOE7cAqIJGX - 1a59x8PCuXDkfPolm6TLkZnXeta5u2K2MoLwN+M1aio5AvSGGTUkD8tr/KX8SQwQ - 2ZZFaML0xcBadF7U8jEey4NRlSp5/voiIAB+FrJHepZBz2XJYCX5s2vYLPMn+51R - 1HyO0n2aQ9H1Na8aBjTfAp9GDKJWBV3bSM7cVaLGlMFj/HNXUNVnSsVsJj0tdWKz - K6r9zPskLnS+eNjCgqrOtZSqJ7M3PL0/PoTFPrr1Fevr+soKWCaPF94Ib94O9SEq - scvP3kECgYEA0HBdGab0HjcZgFtsIaMm+eBcDhUmUrvMPUw6FmspKnc8wplscONW - wrDGhR0dpT8+aAMD5jFC2pvyHjI5AWkW+53LB15j6SVzUlUMfS3VTwE2prLtDHDs - nCDW2+fXY2kjv45efZGpMGbLJVePx2RCPzUlAlc14lzxnHgpo7eho1cCgYEA+jpi - Eo/Jqa5CNd4hrXqFxZTFtU2Mn38ZKI3QK/l47/347yHLebjsYIIwJRoHenxWxNlz - Y+BZ38vkP+f9BGAVGiRcyMmIJU0X305wKwl26Y2Q/tEm2OpwmDboD2pL9byi9vfY - bz7pQGK/l9j86KofRwVJJRLsofPI1SsjnC8c448CgYAkpg0IjJ1RjriSJADwLSKW - PseQxlE1rMVtZbC07mSPjeWGBbnWY3KGytQs5YCn5GXRne4alEC/9Tlt68CwKc0b - spPXGNaSUL5lFIUcoWlm+bylNMKPNG+1x+RfR/VMCll5vcuJYooP85L2Xt3t3gfz - 2yFFtxXHVjY5H7uaiJgIAwKBgQDvkGXEj5TqtsL8/6YOiHb6Kuz+Hzi6mtxjTyI2 - d6mpWuWxTBGaf8kOvJWLb9gpFFGeNPGcdXaWJIZqCJjcT4Dkflu2f/uwepaYXGhX - S8Bk6fwfee5PTmRt1mNmHsaKhgcfmznDh9+YnPIBVuULe5RmUlEtBWk3xEZKj/qP - 
1Ss7UQKBgAwZQz+h5Z/XOJH3Qs5nJBKAZUiYkj3ux7G6tjx0cz7XcUYd/6enBpkY - JeqVHB6G+bMRLwb+Hc5Vgpbd5GdaUWo8udaghHgSGPUVcn0lK38XhYek6ACGz7Lo - xEfgtKoBlUq+uPb8H05HY0t9KybA3LA5wkRYYnJ17/nkZtrrJAmX - -----END RSA PRIVATE KEY----- clients: - id: oidc-tester-app secret: foobar diff --git a/internal/suites/OIDCTraefik/docker-compose.yml b/internal/suites/OIDCTraefik/docker-compose.yml index 429492cff..4ffae1fda 100644 --- a/internal/suites/OIDCTraefik/docker-compose.yml +++ b/internal/suites/OIDCTraefik/docker-compose.yml @@ -2,9 +2,11 @@ version: '3' services: authelia-backend: + environment: + AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.bundle.crt + AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem volumes: - './OIDCTraefik/configuration.yml:/config/configuration.yml:ro' - './OIDCTraefik/users.yml:/config/users.yml' - - './OIDCTraefik/keypair/key.pem:/config/issuer.pem:ro' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/OIDCTraefik/keypair/key.pem b/internal/suites/OIDCTraefik/keypair/key.pem deleted file mode 100644 index c5df003c7..000000000 --- a/internal/suites/OIDCTraefik/keypair/key.pem +++ /dev/null 
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAvOFmoEJFt1JkfdlwM3vJFg5rrY9d6LyyqezjZkBZDQ4qdEEU
-dCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3r0ugjJXjhvJdBSaoLlzL3saeyrXk
-frOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy7Wzq0y7XxGeNidEmFjMAf9dwf6/+
-PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5Z9iqn4LRXnAFnC438hZZKZU/+JxU
-2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4TLjVS/3h75sh2Wk0xVaSwjPEjCOgm
-a+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4NwIDAQABAoIBADWkupXnXI99Ogc4
-GxK0JF88Rz6qyhwQg5mZKthejCwWCt6roRiBF33O933KOHa+OljMAqHDCv1pzjgw
-BIz0mvaRPw7OfylTajHNUdShDFHADVc7I6MMcgz+eYBarhY5jCAjKHMOPjv7DSZs
-OdYCKLvfxC2oTyV714n9uZhyccDcvQpkgZuBDL0oxPom1GOI8TGhPjxvFOovEHWA
-Q8q9XY4cUVNDikZmvpgeUkJHWYHYb+11vKeSupnYD03yJ3sDy+F6+m+3/XmzFbXb
-1p43ermHQsMfDlxPyulUUI0viSo2UhlMC/moAb9FusOv+dTl2lt0gGqzDJ9gg1z1
-XpHRnwkCgYEA5x48dyxd4lydtVYef9sBmbLJEYozsYyOwLcnrLSNaZxeCza1exyR
-QIRogswoLDacxrYvO8FY6LtAEMkisv732M29zthBPm5wyoSZiM1X2YfQXKsmyh2h
-x1/yCWv/BQjj68A8IAxToaXxSG4WAr/X00RGUkXgkgw122FxcmGuFyUCgYEA0TcR
-dnt/oRMK4aCZHcBgTknzDfxKlJh4S0C9WjxKgr8IlW4LTeVSBuuqOObOQYImEhtw
-TRTKZIViL0roDF79cioQSp1Tk5h6uy8wr6VyhWRnWfTz2/azoTHnmQ780rtAuEI/
-NvE6FiqwikJLjma1YJoRfr/bfmgMdxcYbJI1MSsCgYAEZ5Yda1IKu1siFpcUNrdM
-F5UvaWPc0WHzGEqARxye06UTL6K7yuqVwTBAteVaGlxYiSZTTDcGkHMDHuIzaRqO
-HjWs2IA90VsC8Q4ABnHTKnx1F6nwlin8I774IP/GN8ooNwyuS63YWdJEYBy5RrC1
-TQrODJjgD62DFdNUq7nmpQKBgFMJEzI+Q+KPJ0NztTG8t7x61y/W0Vb2yM+9Syn0
-QfJwlZyRR4VMHelHQZFB8dzIJgoLv9+n/8gztEtm5IB8dwUHst2aYaBz5UpDqYQd
-Gz3cIrTuZpcH7DVvFCeIbknJLh+zk1lgFpjTqqvFMi27kANeQtFWnmwmKcRec0As
-K1ZvAoGAV/3YB44/zIoB590+yhpx2HTmDPVHH+J+5O71Pi1D9W13ClBFLrE69wo+
-IQLIstBI5tGOGeuQNjXhDKJ1U30xppZXcnebrkA+oOo+6dy20zghFR2maAGXfWFU
-pM4GsSnSTm0bXPebVouQFqhj7LqcQQzCqRDThmw/Lp1tJUmu40g=
------END RSA PRIVATE KEY-----
diff --git a/internal/suites/OIDCTraefik/keypair/key.pub b/internal/suites/OIDCTraefik/keypair/key.pub
deleted file mode 100644
index b8e37ffa4..000000000
--- a/internal/suites/OIDCTraefik/keypair/key.pub
+++ /dev/null
@@ -1,9 +0,0 @@ ------BEGIN RSA PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvOFmoEJFt1JkfdlwM3vJ -Fg5rrY9d6LyyqezjZkBZDQ4qdEEUdCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3 -r0ugjJXjhvJdBSaoLlzL3saeyrXkfrOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy -7Wzq0y7XxGeNidEmFjMAf9dwf6/+PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5 -Z9iqn4LRXnAFnC438hZZKZU/+JxU2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4T -LjVS/3h75sh2Wk0xVaSwjPEjCOgma+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4 -NwIDAQAB ------END RSA PUBLIC KEY----- diff --git a/internal/suites/OneFactorOnly/configuration.yml b/internal/suites/OneFactorOnly/configuration.yml index e53e40bff..4e54656cd 100644 --- a/internal/suites/OneFactorOnly/configuration.yml +++ b/internal/suites/OneFactorOnly/configuration.yml @@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/OneFactorOnly/docker-compose.yml b/internal/suites/OneFactorOnly/docker-compose.yml index 673704fed..45e24b23a 100644 --- a/internal/suites/OneFactorOnly/docker-compose.yml +++ b/internal/suites/OneFactorOnly/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './OneFactorOnly/configuration.yml:/config/configuration.yml:ro' - './OneFactorOnly/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/PathPrefix/configuration.yml b/internal/suites/PathPrefix/configuration.yml index eb2cfe57c..95c5861ed 100644 --- a/internal/suites/PathPrefix/configuration.yml +++ b/internal/suites/PathPrefix/configuration.yml @@ -9,8 +9,8 @@ server: port: 9091 path: auth tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug 
diff --git a/internal/suites/PathPrefix/docker-compose.yml b/internal/suites/PathPrefix/docker-compose.yml index 92985d4cc..46574bfb5 100644 --- a/internal/suites/PathPrefix/docker-compose.yml +++ b/internal/suites/PathPrefix/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './PathPrefix/configuration.yml:/config/configuration.yml:ro' - './PathPrefix/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/Postgres/configuration.yml b/internal/suites/Postgres/configuration.yml index 66af743af..2276a4763 100644 --- a/internal/suites/Postgres/configuration.yml +++ b/internal/suites/Postgres/configuration.yml @@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/suites/Postgres/docker-compose.yml b/internal/suites/Postgres/docker-compose.yml index 46e4a07f2..ba7ed9059 100644 --- a/internal/suites/Postgres/docker-compose.yml +++ b/internal/suites/Postgres/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './Postgres/configuration.yml:/config/configuration.yml:ro' - './Postgres/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/ShortTimeouts/configuration.yml b/internal/suites/ShortTimeouts/configuration.yml index 8e0e594c1..3a3cb945c 100644 --- a/internal/suites/ShortTimeouts/configuration.yml +++ b/internal/suites/ShortTimeouts/configuration.yml @@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/ server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug 
diff --git a/internal/suites/ShortTimeouts/docker-compose.yml b/internal/suites/ShortTimeouts/docker-compose.yml index f5d2b5cf5..08a85dadc 100644 --- a/internal/suites/ShortTimeouts/docker-compose.yml +++ b/internal/suites/ShortTimeouts/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './ShortTimeouts/configuration.yml:/config/configuration.yml:ro' - './ShortTimeouts/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/Standalone/configuration.yml b/internal/suites/Standalone/configuration.yml index 9b4186a11..19fba7a36 100644 --- a/internal/suites/Standalone/configuration.yml +++ b/internal/suites/Standalone/configuration.yml @@ -8,8 +8,8 @@ theme: auto server: port: 9091 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem telemetry: metrics: diff --git a/internal/suites/Standalone/docker-compose.yml b/internal/suites/Standalone/docker-compose.yml index 6dd37796f..3bda7e4f4 100644 --- a/internal/suites/Standalone/docker-compose.yml +++ b/internal/suites/Standalone/docker-compose.yml @@ -8,7 +8,7 @@ services: volumes: - './Standalone/configuration.yml:/config/configuration.yml:ro' - './Standalone/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' - '/tmp:/tmp' user: ${USER_ID}:${GROUP_ID} ... diff --git a/internal/suites/Traefik/configuration.yml b/internal/suites/Traefik/configuration.yml index cdf2326a8..e4cb5c403 100644 --- a/internal/suites/Traefik/configuration.yml +++ b/internal/suites/Traefik/configuration.yml @@ -9,8 +9,8 @@ server: port: 9091 asset_path: /config/assets/ tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug 
diff --git a/internal/suites/Traefik/docker-compose.yml b/internal/suites/Traefik/docker-compose.yml index 2e8524c8c..051059c9a 100644 --- a/internal/suites/Traefik/docker-compose.yml +++ b/internal/suites/Traefik/docker-compose.yml @@ -5,5 +5,5 @@ services: volumes: - './Traefik/configuration.yml:/config/configuration.yml:ro' - './Traefik/users.yml:/config/users.yml' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/Traefik2/configuration.yml b/internal/suites/Traefik2/configuration.yml index 7289f1086..cf45b4ca6 100644 --- a/internal/suites/Traefik2/configuration.yml +++ b/internal/suites/Traefik2/configuration.yml @@ -9,8 +9,8 @@ server: port: 9091 asset_path: /config/assets/ tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem endpoints: authz: forward-auth: diff --git a/internal/suites/Traefik2/docker-compose.yml b/internal/suites/Traefik2/docker-compose.yml index 0a970db9f..e24d2eada 100644 --- a/internal/suites/Traefik2/docker-compose.yml +++ b/internal/suites/Traefik2/docker-compose.yml @@ -7,5 +7,5 @@ services: - './Traefik2/users.yml:/config/users.yml' - './Traefik2/favicon.ico:/config/assets/favicon.ico' - './Traefik2/logo.png:/config/assets/logo.png' - - './common/pki:/config/ssl:ro' + - './common/pki:/pki:ro' ... diff --git a/internal/suites/common/pki/ca/ca.public.crt b/internal/suites/common/pki/ca/ca.public.crt new file mode 100644 index 000000000..98244a4ce --- /dev/null +++ b/internal/suites/common/pki/ca/ca.public.crt 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhTCCAm2gAwIBAgIRAPl83YWFsuwIwxBRmdJyLLQwDQYJKoZIhvcNAQELBQAw +WzERMA8GA1UEChMIQXV0aGVsaWExFDASBgNVBAsTC0RldmVsb3BtZW50MTAwLgYD +VQQDEydBdXRoZWxpYSBEZXZlbG9wbWVudCBTdGFuZGFsb25lIFJvb3QgQ0EwIBcN +MDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMFsxETAPBgNVBAoTCEF1dGhl +bGlhMRQwEgYDVQQLEwtEZXZlbG9wbWVudDEwMC4GA1UEAxMnQXV0aGVsaWEgRGV2 +ZWxvcG1lbnQgU3RhbmRhbG9uZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA2RtD74ISXHruAIIkIRTLGf5VK0b7iN5+CPW8qWjg74PCnid1 +3DOqVCZ3HSXMP0iaH5rd+WAYojQo5Z1uZ75tXgzYjt6tyXG5H1nN1fkmjkHyNORP +abOZtngVaixvlT/hsONXszFdqogXhhI4DtEo0lvxJcnOHER4QVylM4YgDMF85jXi +VD893Y6Luik9B6FXLVK9iAJ5MfvD/r8kEPLsDTl2u/Ye0q4igVDJq9tOtb2enhlz +HtipYhzzNwEzQwy3tjzP9xpQG6XE6/JW20gQaBvoRBN64DMgRlh1/8ZVyYE8v/B1 +vRVpSgmyCdDJeaRYZ6J+hO3LXBXU20CVZsM5VQIDAQABo0IwQDAOBgNVHQ8BAf8E +BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUlrBVtyTWJQWRimLeZXr2 +mrOzy2gwDQYJKoZIhvcNAQELBQADggEBAKXjAw5v8VTM6EDiUvR8XdiikYkycAG/ +hcEt+QLkkBb72+tUNYbr57YJeJuqQcaPTBUQrIXsID8JV5dQJFfyIG2s3G0iuN70 +W4fSRPqsSBIcyOK+2APLjkYV8qwLdh03Lyll4SZo7PCK8ItemsIK1NWhd74N49fm ++a8eyY5bgfA0FMkjY/ts4gAnYExGRoLOQRu/CgOvBlj2KQUrSNptze1rNlP32b63 +eUv1wf/ajK2TxI1pQgkeu2lM3Tyu7q7J4UVn0UY0wtZvHtw2+UBGKZB3ok6ejBy2 +HMjgLGuayGjhyUN8zRkuSvBynuI2wGhIlHklEbaQW5oFKbniXRqdzc4= +-----END CERTIFICATE----- diff --git a/internal/suites/common/pki/gen.sh b/internal/suites/common/pki/gen.sh index 3be773738..7331639bd 100755 --- a/internal/suites/common/pki/gen.sh +++ b/internal/suites/common/pki/gen.sh 
@@ -1,5 +1,7 @@ #!/bin/bash -go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki -n 'Authelia Development Standalone Root CA' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --ca -go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ -n '*.example.com' --sans '*.example.com,example.com' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle -go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ --file.certificate public.backend.crt --file.certificate-bundle public.backend.bundle.crt --file.private-key private.backend.pem -n 'login.example.com' --sans 'login.example.com,authelia' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle +# go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki/ca -n 'Authelia Development Standalone Root CA' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --ca +# cp ./internal/suites/common/pki/ca/ca.public.crt ./internal/suites/common/pki/ca.public.crt +go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ca -n '*.example.com' --sans '*.example.com,example.com' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle +go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ca --file.certificate public.backend.crt --file.certificate-bundle public.backend.bundle.crt --file.private-key 
private.backend.pem -n 'login.example.com' --sans 'login.example.com,authelia' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle +go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ca --file.certificate public.oidc.crt --file.certificate-bundle public.oidc.bundle.crt --file.private-key private.oidc.pem -n 'login.example.com' --sans 'login.example.com,login.example1.com,login.example2.com,login.example3,com' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle diff --git a/internal/suites/common/pki/private.oidc.pem b/internal/suites/common/pki/private.oidc.pem new file mode 100644 index 000000000..ef8f5741b --- /dev/null +++ b/internal/suites/common/pki/private.oidc.pem 
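Review bot: The `--sans` value on the new public.oidc.* generation line ends in `login.example3,com`, so the certificate is issued for the dNSName entries `login.example3` and `com` rather than `login.example3.com`; the SAN extension in the committed public.oidc.crt and public.oidc.bundle.crt hunks later in this patch decodes to exactly those two names, so the fixtures carry the typo. Change it to `--sans 'login.example.com,login.example1.com,login.example2.com,login.example3.com'` and regenerate the three public.oidc.* files. In this self-signed dev PKI a certificate naming the bare `com` label is only confusing, but if any suite expects login.example3.com to be covered by the OIDC issuer chain it will not be.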
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0x+u2Kkd1VZGkj7FDwgoXQp0fx1mx5VXd2VEJN9yYTXzlNRZ +Taw8WrOcud7hsBPw3DkhbCjEzvw0Ee+DjwtSCotKbtsBwjyLCegjluPHKUvsVNYZ +m19TxYY2erx7gohdEcmCGnpWSPRUAKBasIfpM0q6LXG70o8vTuKS82Ub++Sgl1Pa +kRL/e/KBUYFZksGEMK1oiPiOtRoJF+vUhRf46ZBg3aZ/HLNvcT5TAMgRRws+K3ek +C5+h5oXFexUosj2DCxcjTbsL7C5nqfR3jwmjrBaGN8KnloEDvC84+OsN/nE2PLa5 +c1kTlRCvKd0gmRuucOKsJ6zvYf/hAqp/WCj1MQIDAQABAoIBAAOHCP3XvYbd/Sne +YJ6CrWH4lb+19wyooyB8kanoDdov85TuA1v3375IN/snDTBK9QBI+BT9jWRD9H7E +OLeAIevJLgIyKJJdPpl4xndz8NTwzs8QELd23Uh0mJ5uXcXtj1iHvGPC3YQ0iN7F +zx4Z9zyDKB8wQkofWFQCFyB39QK9ZGDW4ZstVb57fS62SuqFPW/rO2qSpsuUUwgy +Z2P2NqoqtqLIyw3qbsJCArzGoHuMCtjKDYenf8wJxORAsAGAREj71w2bQ20cMMIA +w30jgoXtEC9zS2BOb3mUBHiDOKnn4vwlNd7wiLPdZIGP75G4EkI4AHLhJQ1a5YuF +8E6V9AECgYEA1LSQVdWggvHTQnj5PHr5k7+YkL/MeIvOkLW5s0r7Lt3x45bAFaQh +XVZIXrynv62IZmTzCPwOwrXGJJieT0Ctom0XHgtp8nu7Okxk4AISRfjy7J03EXsJ +cS508IJ1B3HZepGvVwp+geJ0r9JmQ19JqZsJ7VENYoPKtYRZ9aV7CUECgYEA/hi1 +Yw2FcSBk/kXVlcWvKtohY6NISgI5U1Kp7T16ZH3anpew6WwQ3GfueVet714BdwaZ +knqiiMvaTAOG66KYHCzRBSeXOozT/0N9AfKqS1y7xW+mR2nUrAiWCL95uZpB9SxE +3gylWULV4/+wlF006tEcJ5qiXymAAYv+wEg+f/ECgYBu2XLm6J/v3esFF1p8RHJQ +p2bw+KOspt+N1sbiQ09IC26F9wg/vvuMUu0AQj0BzYPqKO3nXsSqgGS0qbzG/KQA +o+2KQNSEBCt8pFdlzm6LfMPMv9n1CDPRgi57MOGgcZqvH8FLETMAqW26O2ID9mLD +OwMfZEAfeSNpGYJwXD8UgQKBgQC+0k1+Csx47YwKzOUeqivncZL7occLFWp5oa3N +ZYsB5uYEjgSk96wd6ctUwzzzc1SET6eLMp/XPcg9p7RuR1gWaK28QkQ3C0W2ALfj +e5raJ9U366YjIV4+p+AMx8chVLBN8CXz3+lZBHFe3Ul90hWIduu+7kkcUC06fCkf +u+F78QKBgFajhBPESe344ixG/fASpsVe2Yg14SgYCeWkinOe856zABY8dkfWWBIq +KX2eq1WJXErHWDuuNPP3Jol1CouqqHseqYQ+SaOhlHdoGws70bsIvBHrtj7NiEQZ +HFLhEk+OnnG+wJ1jQ5cseA4kbTuPjEL0NNVk7OSndiuxnnDbe91R +-----END RSA PRIVATE KEY----- diff --git a/internal/suites/common/pki/public.oidc.bundle.crt b/internal/suites/common/pki/public.oidc.bundle.crt new file mode 100644 index 000000000..0874215dd --- /dev/null +++ b/internal/suites/common/pki/public.oidc.bundle.crt 
@@ -0,0 +1,44 @@ +-----BEGIN CERTIFICATE----- +MIID3zCCAsegAwIBAgIQZjmlbZI+QaeqQpApxA2eDjANBgkqhkiG9w0BAQsFADBb +MREwDwYDVQQKEwhBdXRoZWxpYTEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxMDAuBgNV +BAMTJ0F1dGhlbGlhIERldmVsb3BtZW50IFN0YW5kYWxvbmUgUm9vdCBDQTAgFw0w +MDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowRTERMA8GA1UEChMIQXV0aGVs +aWExFDASBgNVBAsTC0RldmVsb3BtZW50MRowGAYDVQQDExFsb2dpbi5leGFtcGxl +LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMfrtipHdVWRpI+ +xQ8IKF0KdH8dZseVV3dlRCTfcmE185TUWU2sPFqznLne4bAT8Nw5IWwoxM78NBHv +g48LUgqLSm7bAcI8iwnoI5bjxylL7FTWGZtfU8WGNnq8e4KIXRHJghp6Vkj0VACg +WrCH6TNKui1xu9KPL07ikvNlG/vkoJdT2pES/3vygVGBWZLBhDCtaIj4jrUaCRfr +1IUX+OmQYN2mfxyzb3E+UwDIEUcLPit3pAufoeaFxXsVKLI9gwsXI027C+wuZ6n0 +d48Jo6wWhjfCp5aBA7wvOPjrDf5xNjy2uXNZE5UQryndIJkbrnDirCes72H/4QKq +f1go9TECAwEAAaOBsjCBrzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSWsFW3JNYlBZGKYt5levaa +s7PLaDBZBgNVHREEUjBQghFsb2dpbi5leGFtcGxlLmNvbYISbG9naW4uZXhhbXBs +ZTEuY29tghJsb2dpbi5leGFtcGxlMi5jb22CDmxvZ2luLmV4YW1wbGUzggNjb20w +DQYJKoZIhvcNAQELBQADggEBAH46LB6fFF+5dbFhEa8rsDX17oZPVsIMHi+vhmMh +aS5IACOpmc3q/yyhZelNwB/MRzlPziQwpqwr9B5SQ9UOBvZDuv9ESXYHlVHSIGo9 ++3Ax9fvxLVpF3E62whr+d8YHjXE85UgUKaDAWYCAVB7fkY7WfyS3t8IxgJVa+oMZ +sLeI4YmheKdgRZsE+83VcNUVuGhsh3R5NKFo46tonpbdx13Eg2k3IInKAkZmTA5D +YoPfPTDbd1BOC+h2C0s+guUyoG1Fi5DzS/x8xNoRcZ7/fkdcboAXa8dlVZeqGRky +ddYggjZYnqGaD9qKFAox4EqkCYB1XwNeUPUapdvGICC7UGc= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDhTCCAm2gAwIBAgIRAPl83YWFsuwIwxBRmdJyLLQwDQYJKoZIhvcNAQELBQAw +WzERMA8GA1UEChMIQXV0aGVsaWExFDASBgNVBAsTC0RldmVsb3BtZW50MTAwLgYD +VQQDEydBdXRoZWxpYSBEZXZlbG9wbWVudCBTdGFuZGFsb25lIFJvb3QgQ0EwIBcN +MDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMFsxETAPBgNVBAoTCEF1dGhl +bGlhMRQwEgYDVQQLEwtEZXZlbG9wbWVudDEwMC4GA1UEAxMnQXV0aGVsaWEgRGV2 +ZWxvcG1lbnQgU3RhbmRhbG9uZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA2RtD74ISXHruAIIkIRTLGf5VK0b7iN5+CPW8qWjg74PCnid1 +3DOqVCZ3HSXMP0iaH5rd+WAYojQo5Z1uZ75tXgzYjt6tyXG5H1nN1fkmjkHyNORP 
+abOZtngVaixvlT/hsONXszFdqogXhhI4DtEo0lvxJcnOHER4QVylM4YgDMF85jXi +VD893Y6Luik9B6FXLVK9iAJ5MfvD/r8kEPLsDTl2u/Ye0q4igVDJq9tOtb2enhlz +HtipYhzzNwEzQwy3tjzP9xpQG6XE6/JW20gQaBvoRBN64DMgRlh1/8ZVyYE8v/B1 +vRVpSgmyCdDJeaRYZ6J+hO3LXBXU20CVZsM5VQIDAQABo0IwQDAOBgNVHQ8BAf8E +BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUlrBVtyTWJQWRimLeZXr2 +mrOzy2gwDQYJKoZIhvcNAQELBQADggEBAKXjAw5v8VTM6EDiUvR8XdiikYkycAG/ +hcEt+QLkkBb72+tUNYbr57YJeJuqQcaPTBUQrIXsID8JV5dQJFfyIG2s3G0iuN70 +W4fSRPqsSBIcyOK+2APLjkYV8qwLdh03Lyll4SZo7PCK8ItemsIK1NWhd74N49fm ++a8eyY5bgfA0FMkjY/ts4gAnYExGRoLOQRu/CgOvBlj2KQUrSNptze1rNlP32b63 +eUv1wf/ajK2TxI1pQgkeu2lM3Tyu7q7J4UVn0UY0wtZvHtw2+UBGKZB3ok6ejBy2 +HMjgLGuayGjhyUN8zRkuSvBynuI2wGhIlHklEbaQW5oFKbniXRqdzc4= +-----END CERTIFICATE----- diff --git a/internal/suites/common/pki/public.oidc.crt b/internal/suites/common/pki/public.oidc.crt new file mode 100644 index 000000000..e0a658852 --- /dev/null +++ b/internal/suites/common/pki/public.oidc.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID3zCCAsegAwIBAgIQZjmlbZI+QaeqQpApxA2eDjANBgkqhkiG9w0BAQsFADBb +MREwDwYDVQQKEwhBdXRoZWxpYTEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxMDAuBgNV +BAMTJ0F1dGhlbGlhIERldmVsb3BtZW50IFN0YW5kYWxvbmUgUm9vdCBDQTAgFw0w +MDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowRTERMA8GA1UEChMIQXV0aGVs +aWExFDASBgNVBAsTC0RldmVsb3BtZW50MRowGAYDVQQDExFsb2dpbi5leGFtcGxl +LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMfrtipHdVWRpI+ +xQ8IKF0KdH8dZseVV3dlRCTfcmE185TUWU2sPFqznLne4bAT8Nw5IWwoxM78NBHv +g48LUgqLSm7bAcI8iwnoI5bjxylL7FTWGZtfU8WGNnq8e4KIXRHJghp6Vkj0VACg +WrCH6TNKui1xu9KPL07ikvNlG/vkoJdT2pES/3vygVGBWZLBhDCtaIj4jrUaCRfr +1IUX+OmQYN2mfxyzb3E+UwDIEUcLPit3pAufoeaFxXsVKLI9gwsXI027C+wuZ6n0 +d48Jo6wWhjfCp5aBA7wvOPjrDf5xNjy2uXNZE5UQryndIJkbrnDirCes72H/4QKq +f1go9TECAwEAAaOBsjCBrzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSWsFW3JNYlBZGKYt5levaa +s7PLaDBZBgNVHREEUjBQghFsb2dpbi5leGFtcGxlLmNvbYISbG9naW4uZXhhbXBs +ZTEuY29tghJsb2dpbi5leGFtcGxlMi5jb22CDmxvZ2luLmV4YW1wbGUzggNjb20w +DQYJKoZIhvcNAQELBQADggEBAH46LB6fFF+5dbFhEa8rsDX17oZPVsIMHi+vhmMh +aS5IACOpmc3q/yyhZelNwB/MRzlPziQwpqwr9B5SQ9UOBvZDuv9ESXYHlVHSIGo9 ++3Ax9fvxLVpF3E62whr+d8YHjXE85UgUKaDAWYCAVB7fkY7WfyS3t8IxgJVa+oMZ +sLeI4YmheKdgRZsE+83VcNUVuGhsh3R5NKFo46tonpbdx13Eg2k3IInKAkZmTA5D +YoPfPTDbd1BOC+h2C0s+guUyoG1Fi5DzS/x8xNoRcZ7/fkdcboAXa8dlVZeqGRky +ddYggjZYnqGaD9qKFAox4EqkCYB1XwNeUPUapdvGICC7UGc= +-----END CERTIFICATE----- diff --git a/internal/suites/example/kube/authelia/authelia.yml b/internal/suites/example/kube/authelia/authelia.yml index 90e138189..39450cc63 100644 --- a/internal/suites/example/kube/authelia/authelia.yml +++ b/internal/suites/example/kube/authelia/authelia.yml @@ -33,7 +33,7 @@ spec: mountPath: /config/configuration.yml readOnly: true - name: authelia-ssl - mountPath: /config/ssl + mountPath: /pki readOnly: true - name: secrets mountPath: /config/secrets 
diff --git a/internal/suites/example/kube/authelia/configs/configuration.yml b/internal/suites/example/kube/authelia/configs/configuration.yml index 165f79a93..8b8dc8180 100644 --- a/internal/suites/example/kube/authelia/configs/configuration.yml +++ b/internal/suites/example/kube/authelia/configs/configuration.yml @@ -8,8 +8,8 @@ default_redirection_url: https://home.example.com:8080 server: port: 443 tls: - certificate: /config/ssl/public.backend.crt - key: /config/ssl/private.backend.pem + certificate: /pki/public.backend.crt + key: /pki/private.backend.pem log: level: debug diff --git a/internal/utils/crypto_test.go b/internal/utils/crypto_test.go index 4104a3ab5..99ab52cf8 100644 --- a/internal/utils/crypto_test.go +++ b/internal/utils/crypto_test.go @@ -54,7 +54,7 @@ func TestShouldNotReturnErrWhenX509DirectoryExist(t *testing.T) { func TestShouldReadCertsFromDirectoryButNotKeys(t *testing.T) { pool, warnings, errors := NewX509CertPool("../suites/common/pki/") assert.NotNil(t, pool) - require.Len(t, errors, 2) + require.Len(t, errors, 3) if runtime.GOOS == "windows" { require.Len(t, warnings, 1) @@ -64,7 +64,8 @@ func TestShouldReadCertsFromDirectoryButNotKeys(t *testing.T) { } assert.EqualError(t, errors[0], "could not import certificate private.backend.pem") - assert.EqualError(t, errors[1], "could not import certificate private.pem") + assert.EqualError(t, errors[1], "could not import certificate private.oidc.pem") + assert.EqualError(t, errors[2], "could not import certificate private.pem") } func TestShouldGenerateCertificateAndPersistIt(t *testing.T) { From 1a5178a8a5d67de9e19eb35eb5088c35792c9a89 Mon Sep 17 00:00:00 2001 
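Review bot: `require.Len(t, errors, 3)` together with the three positional `assert.EqualError` lines in TestShouldReadCertsFromDirectoryButNotKeys pins the test to the exact set of private keys under ../suites/common/pki and to their lexical order, so the next key that gen.sh adds (or a key moved into the new ca/ subdirectory) fails with a bare count mismatch rather than anything pointing at the PKI directory. A comment above the `require.Len`, such as `// one error per private key file in ../suites/common/pki; keep in sync with gen.sh`, would make that coupling visible. Whether the positional order holds depends on NewX509CertPool listing the directory in sorted order, which is not visible in this hunk.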
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 11 Feb 2023 16:35:53 +1100 Subject: [PATCH 2/3] build(deps): update alpine docker tag to v3.17.2 (#4910) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.coverage | 2 +- Dockerfile.dev | 2 +- internal/suites/example/compose/samba/Dockerfile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index a7a55d1ca..4108056dd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # =================================== # ===== Authelia official image ===== # =================================== -FROM alpine:3.17.1 +FROM alpine:3.17.2 ARG TARGETOS ARG TARGETARCH diff --git a/Dockerfile.coverage b/Dockerfile.coverage index eaa527249..37d014a9e 100644 --- a/Dockerfile.coverage +++ b/Dockerfile.coverage @@ -46,7 +46,7 @@ RUN \ # =================================== # ===== Authelia official image ===== # =================================== -FROM alpine:3.17.1 +FROM alpine:3.17.2 RUN apk --no-cache add ca-certificates tzdata diff --git a/Dockerfile.dev b/Dockerfile.dev index 76294f44e..5f81e4f0e 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -43,7 +43,7 @@ RUN \ # =================================== # ===== Authelia official image ===== # =================================== -FROM alpine:3.17.1 +FROM alpine:3.17.2 WORKDIR /app diff --git a/internal/suites/example/compose/samba/Dockerfile b/internal/suites/example/compose/samba/Dockerfile index ae420250c..c46fa9d98 100644 --- a/internal/suites/example/compose/samba/Dockerfile +++ b/internal/suites/example/compose/samba/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.17.1 +FROM alpine:3.17.2 RUN \ apk add --no-cache \ From 2888ee7f41ed69d94807cef681ec0158f2e66241 Mon Sep 17 00:00:00 2001 
From: James Elliott Date: Sat, 11 Feb 2023 21:45:26 +1100 Subject: [PATCH 3/3] refactor(commands): services (#4914) Misc refactoring of the services logic to simplify the --- internal/commands/const.go | 4 + internal/commands/context.go | 10 -- internal/commands/root.go | 194 +------------------- internal/commands/services.go | 311 +++++++++++++++++++++++++++++++++ internal/server/const.go | 9 - internal/server/handlers.go | 14 +- internal/server/server.go | 48 +++-- internal/server/server_test.go | 2 +- internal/suites/environment.go | 2 +- 9 files changed, 348 insertions(+), 246 deletions(-) create mode 100644 internal/commands/services.go diff --git a/internal/commands/const.go b/internal/commands/const.go index ea56d2f5b..2e322a2c4 100644 --- a/internal/commands/const.go +++ b/internal/commands/const.go @@ -772,3 +772,7 @@ Layouts: ANSIC: Mon Jan _2 15:04:05 2006 Date: 2006-01-02` ) + +const ( + fmtLogServerListening = "Server is listening for %s connections on '%s' path '%s'" +) diff --git a/internal/commands/context.go b/internal/commands/context.go index 9a9e367d1..64282acb6 100644 --- a/internal/commands/context.go +++ b/internal/commands/context.go @@ -9,7 +9,6 @@ import ( "github.com/sirupsen/logrus" "github.com/spf13/cobra" "github.com/spf13/pflag" - "golang.org/x/sync/errgroup" "github.com/authelia/authelia/v4/internal/authentication" "github.com/authelia/authelia/v4/internal/authorization" @@ -35,14 +34,8 @@ import ( func NewCmdCtx() *CmdCtx { ctx := context.Background() - ctx, cancel := context.WithCancel(ctx) - - group, ctx := errgroup.WithContext(ctx) - return &CmdCtx{ Context: ctx, - cancel: cancel, - group: group, log: logging.Logger(), providers: middlewares.Providers{ Random: &random.Cryptographical{}, @@ -55,9 +48,6 @@ func NewCmdCtx() *CmdCtx { type CmdCtx struct { context.Context - cancel context.CancelFunc - group *errgroup.Group - log *logrus.Logger config *schema.Configuration 
diff --git a/internal/commands/root.go b/internal/commands/root.go index 7b728eb5a..7d57095b5 100644 --- a/internal/commands/root.go +++ b/internal/commands/root.go @@ -2,21 +2,13 @@ package commands import ( "fmt" - "net" "os" - "os/signal" - "path/filepath" "strings" - "syscall" - "github.com/fsnotify/fsnotify" "github.com/spf13/cobra" - "github.com/valyala/fasthttp" - "github.com/authelia/authelia/v4/internal/authentication" "github.com/authelia/authelia/v4/internal/logging" "github.com/authelia/authelia/v4/internal/model" - "github.com/authelia/authelia/v4/internal/server" "github.com/authelia/authelia/v4/internal/utils" ) 
@@ -95,195 +87,11 @@ func (ctx *CmdCtx) RootRunE(_ *cobra.Command, _ []string) (err error) { ctx.cconfig = nil - runServices(ctx) + servicesRun(ctx) return nil } -//nolint:gocyclo // Complexity is required in this function. -func runServices(ctx *CmdCtx) { - defer ctx.cancel() - - quit := make(chan os.Signal, 1) - - signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM) - - defer signal.Stop(quit) - - var ( - mainServer, metricsServer *fasthttp.Server - mainListener, metricsListener net.Listener - ) - - ctx.group.Go(func() (err error) { - defer func() { - if r := recover(); r != nil { - ctx.log.WithError(recoverErr(r)).Errorf("Server (main) critical error caught (recovered)") - } - }() - - if mainServer, mainListener, err = server.CreateDefaultServer(*ctx.config, ctx.providers); err != nil { - ctx.log.WithError(err).Error("Create Server (main) returned error") - - return err - } - - if err = mainServer.Serve(mainListener); err != nil { - ctx.log.WithError(err).Error("Server (main) returned error") - - return err - } - - return nil - }) - - ctx.group.Go(func() (err error) { - if ctx.providers.Metrics == nil { - return nil - } - - defer func() { - if r := recover(); r != nil { - ctx.log.WithError(recoverErr(r)).Errorf("Server (metrics) critical error caught (recovered)") - } - }() - - if metricsServer, metricsListener, err = server.CreateMetricsServer(ctx.config.Telemetry.Metrics); err != nil { - ctx.log.WithError(err).Error("Create Server (metrics) returned error") - - return err - } - - if err = metricsServer.Serve(metricsListener); err != nil { - ctx.log.WithError(err).Error("Server (metrics) returned error") - - return err - } - - return nil - }) - - if ctx.config.AuthenticationBackend.File != nil && ctx.config.AuthenticationBackend.File.Watch { - provider := ctx.providers.UserProvider.(*authentication.FileUserProvider) - if watcher, err := runServiceFileWatcher(ctx, ctx.config.AuthenticationBackend.File.Path, provider); err != nil { - 
ctx.log.WithError(err).Errorf("File Watcher (user database) start returned error") - } else { - defer func(watcher *fsnotify.Watcher) { - if err := watcher.Close(); err != nil { - ctx.log.WithError(err).Errorf("File Watcher (user database) close returned error") - } - }(watcher) - } - } - - select { - case s := <-quit: - switch s { - case syscall.SIGINT: - ctx.log.Debugf("Shutdown started due to SIGINT") - case syscall.SIGQUIT: - ctx.log.Debugf("Shutdown started due to SIGQUIT") - } - case <-ctx.Done(): - ctx.log.Debugf("Shutdown started due to context completion") - } - - ctx.cancel() - - ctx.log.Infof("Shutting down") - - var err error - - if mainServer != nil { - if err = mainServer.Shutdown(); err != nil { - ctx.log.WithError(err).Errorf("Error occurred shutting down the server") - } - } - - if metricsServer != nil { - if err = metricsServer.Shutdown(); err != nil { - ctx.log.WithError(err).Errorf("Error occurred shutting down the metrics server") - } - } - - if err = ctx.providers.StorageProvider.Close(); err != nil { - ctx.log.WithError(err).Errorf("Error occurred closing the database connection") - } - - if err = ctx.group.Wait(); err != nil { - ctx.log.WithError(err).Errorf("Error occurred waiting for shutdown") - } -} - -type ReloadFilter func(path string) (skipped bool) - -type ProviderReload interface { - Reload() (reloaded bool, err error) -} - -func runServiceFileWatcher(ctx *CmdCtx, path string, reload ProviderReload) (watcher *fsnotify.Watcher, err error) { - if watcher, err = fsnotify.NewWatcher(); err != nil { - return nil, err - } - - failed := make(chan struct{}) - - var directory, filename string - - if path != "" { - directory, filename = filepath.Dir(path), filepath.Base(path) - } - - ctx.group.Go(func() error { - for { - select { - case <-failed: - return nil - case event, ok := <-watcher.Events: - if !ok { - return nil - } - - if filename != filepath.Base(event.Name) { - ctx.log.WithField("file", event.Name).WithField("op", 
event.Op).Tracef("File modification detected to irrelevant file") - break - } - - switch { - case event.Op&fsnotify.Write == fsnotify.Write, event.Op&fsnotify.Create == fsnotify.Create: - ctx.log.WithField("file", event.Name).WithField("op", event.Op).Debug("File modification detected") - - switch reloaded, err := reload.Reload(); { - case err != nil: - ctx.log.WithField("file", event.Name).WithField("op", event.Op).WithError(err).Error("Error occurred reloading file") - case reloaded: - ctx.log.WithField("file", event.Name).Info("Reloaded file successfully") - default: - ctx.log.WithField("file", event.Name).Debug("Reload of file was triggered but it was skipped") - } - case event.Op&fsnotify.Remove == fsnotify.Remove: - ctx.log.WithField("file", event.Name).WithField("op", event.Op).Debug("Remove of file was detected") - } - case err, ok := <-watcher.Errors: - if !ok { - return nil - } - ctx.log.WithError(err).Errorf("Error while watching files") - } - } - }) - - if err := watcher.Add(directory); err != nil { - failed <- struct{}{} - - return nil, err - } - - ctx.log.WithField("directory", directory).WithField("file", filename).Debug("Directory is being watched for changes to the file") - - return watcher, nil -} - func doStartupChecks(ctx *CmdCtx) { var ( failures []string diff --git a/internal/commands/services.go b/internal/commands/services.go new file mode 100644 index 000000000..3d5223ed8 --- /dev/null +++ b/internal/commands/services.go 
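Review bot: The replacement call `servicesRun(ctx)` in RootRunE is immediately followed by `return nil`, so if servicesRun reports a result it is dropped here; its signature lives in the new services.go and is not visible in this hunk, so this may simply mirror the old runServices which returned nothing, but worth confirming. Separately, the deleted exported type `ReloadFilter` is not reintroduced in the visible part of services.go, whereas `ProviderReload` is; if anything outside this package referenced it, that is an API break the description does not mention. RootRunE starts outside this hunk.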
@@ -0,0 +1,311 @@
+package commands
+
+import (
+ "context"
+ "fmt"
+ "net"
+ "os"
+ "os/signal"
+ "path/filepath"
+ "strings"
+ "sync"
+ "syscall"
+
+ "github.com/fsnotify/fsnotify"
+ "github.com/sirupsen/logrus"
+ "github.com/valyala/fasthttp"
+ "golang.org/x/sync/errgroup"
+
+ "github.com/authelia/authelia/v4/internal/authentication"
+ "github.com/authelia/authelia/v4/internal/server"
+)
+
+// NewServerService creates a new ServerService with the appropriate logger etc.
+func NewServerService(name string, server *fasthttp.Server, listener net.Listener, paths []string, isTLS bool, log *logrus.Logger) (service *ServerService) {
+ return &ServerService{
+ server: server,
+ listener: listener,
+ paths: paths,
+ isTLS: isTLS,
+ log: log.WithFields(map[string]any{"service": "server", "server": name}),
+ }
+}
+
+// NewFileWatcherService creates a new FileWatcherService with the appropriate logger etc.
+func NewFileWatcherService(name, path string, reload ProviderReload, log *logrus.Logger) (service *FileWatcherService, err error) {
+ if path == "" {
+ return nil, fmt.Errorf("path must be specified")
+ }
+
+ var info os.FileInfo
+
+ if info, err = os.Stat(path); err != nil {
+ return nil, fmt.Errorf("error stating file '%s': %w", path, err)
+ }
+
+ if path, err = filepath.Abs(path); err != nil {
+ return nil, fmt.Errorf("error determining absolute path of file '%s': %w", path, err)
+ }
+
+ var watcher *fsnotify.Watcher
+
+ if watcher, err = fsnotify.NewWatcher(); err != nil {
+ return nil, err
+ }
+
+ entry := log.WithFields(map[string]any{"service": "watcher", "watcher": name})
+
+ if info.IsDir() {
+ service = &FileWatcherService{
+ watcher: watcher,
+ reload: reload,
+ log: entry,
+ directory: filepath.Clean(path),
+ }
+ } else {
+ service = &FileWatcherService{
+ watcher: watcher,
+ reload: reload,
+ log: entry,
+ directory: filepath.Dir(path),
+ file: filepath.Base(path),
+ }
+ }
+
+ if err = service.watcher.Add(service.directory); err != nil {
+ return nil, fmt.Errorf("failed to add path '%s' to watch list: %w", path, err)
+ }
+
+ return service, nil
+}
+
+// ProviderReload represents the required methods to support reloading a provider.
+type ProviderReload interface {
+ Reload() (reloaded bool, err error)
+}
+
+// Service represents the required methods to support handling a service.
+type Service interface {
+ Run() (err error)
+ Shutdown()
+}
+
+// ServerService is a Service which runs a webserver.
+type ServerService struct {
+ server *fasthttp.Server
+ paths []string
+ isTLS bool
+ listener net.Listener
+ log *logrus.Entry
+}
+
+// Run the ServerService.
+func (service *ServerService) Run() (err error) {
+ defer func() {
+ if r := recover(); r != nil {
+ service.log.WithError(recoverErr(r)).Error("Critical error caught (recovered)")
+ }
+ }()
+
+ service.log.Infof(fmtLogServerListening, connectionType(service.isTLS), service.listener.Addr().String(), strings.Join(service.paths, "' and '"))
+
+ if err = service.server.Serve(service.listener); err != nil {
+ service.log.WithError(err).Error("Error returned attempting to serve requests")
+
+ return err
+ }
+
+ return nil
+}
+
+// Shutdown the ServerService.
+func (service *ServerService) Shutdown() {
+ if err := service.server.Shutdown(); err != nil {
+ service.log.WithError(err).Error("Error occurred during shutdown")
+ }
+}
+
+// FileWatcherService is a Service that watches files for changes.
+type FileWatcherService struct {
+ watcher *fsnotify.Watcher
+ reload ProviderReload
+
+ log *logrus.Entry
+ file string
+ directory string
+}
+
+// Run the FileWatcherService.
+func (service *FileWatcherService) Run() (err error) {
+ defer func() {
+ if r := recover(); r != nil {
+ service.log.WithError(recoverErr(r)).Error("Critical error caught (recovered)")
+ }
+ }()
+
+ service.log.WithField("file", filepath.Join(service.directory, service.file)).Info("Watching for file changes to the file")
+
+ for {
+ select {
+ case event, ok := <-service.watcher.Events:
+ if !ok {
+ return nil
+ }
+
+ if service.file != "" && service.file != filepath.Base(event.Name) {
+ service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).Tracef("File modification detected to irrelevant file")
+ break
+ }
+
+ switch {
+ case event.Op&fsnotify.Write == fsnotify.Write, event.Op&fsnotify.Create == fsnotify.Create:
+ service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).Debug("File modification was detected")
+
+ var reloaded bool
+
+ switch reloaded, err = service.reload.Reload(); {
+ case err != nil:
+ service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).WithError(err).Error("Error occurred during reload")
+ case reloaded:
+ service.log.WithField("file", event.Name).Info("Reloaded successfully")
+ default:
+ service.log.WithField("file", event.Name).Debug("Reload of was triggered but it was skipped")
+ }
+ case event.Op&fsnotify.Remove == fsnotify.Remove:
+ service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).Debug("File remove was detected")
+ }
+ case err, ok := <-service.watcher.Errors:
+ if !ok {
+ return nil
+ }
+
+ service.log.WithError(err).Errorf("Error while watching files")
+ }
+ }
+}
+
+// Shutdown the FileWatcherService.
+func (service *FileWatcherService) Shutdown() {
+ if err := service.watcher.Close(); err != nil {
+ service.log.WithError(err).Error("Error occurred during shutdown")
+ }
+}
+
+func svcSvrMainFunc(ctx *CmdCtx) (service Service) {
+ switch svr, listener, paths, isTLS, err := server.CreateDefaultServer(ctx.config, ctx.providers); {
+ case err != nil:
+ ctx.log.WithError(err).Fatal("Create Server Service (main) returned error")
+ case svr != nil && listener != nil:
+ service = NewServerService("main", svr, listener, paths, isTLS, ctx.log)
+ default:
+ ctx.log.Fatal("Create Server Service (main) failed")
+ }
+
+ return service
+}
+
+func svcSvrMetricsFunc(ctx *CmdCtx) (service Service) {
+ switch svr, listener, paths, isTLS, err := server.CreateMetricsServer(ctx.config, ctx.providers); {
+ case err != nil:
+ ctx.log.WithError(err).Fatal("Create Server Service (metrics) returned error")
+ case svr != nil && listener != nil:
+ service = NewServerService("metrics", svr, listener, paths, isTLS, ctx.log)
+ default:
+ ctx.log.Debug("Create Server Service (metrics) skipped")
+ }
+
+ return service
+}
+
+func svcWatcherUsersFunc(ctx *CmdCtx) (service Service) {
+ var err error
+
+ if ctx.config.AuthenticationBackend.File != nil && ctx.config.AuthenticationBackend.File.Watch {
+ provider := ctx.providers.UserProvider.(*authentication.FileUserProvider)
+
+ if service, err = NewFileWatcherService("users", ctx.config.AuthenticationBackend.File.Path, provider, ctx.log); err != nil {
+ ctx.log.WithError(err).Fatal("Create Watcher Service (users) returned error")
+ }
+ }
+
+ return service
+}
+
+func connectionType(isTLS bool) string {
+ if isTLS {
+ return "TLS"
+ }
+
+ return "non-TLS"
+}
+
+func servicesRun(ctx *CmdCtx) {
+ cctx, cancel := context.WithCancel(ctx)
+
+ group, cctx := errgroup.WithContext(cctx)
+
+ defer cancel()
+
+ quit := make(chan os.Signal, 1)
+
+ signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
+
+ defer signal.Stop(quit)
+
+ var (
+ services []Service
+ )
+
+ for _, serviceFunc := range []func(ctx *CmdCtx) Service{
+ svcSvrMainFunc, svcSvrMetricsFunc,
+ svcWatcherUsersFunc,
+ } {
+ if service := serviceFunc(ctx); service != nil {
+ services = append(services, service)
+
+ group.Go(service.Run)
+ }
+ }
+
+ ctx.log.Info("Startup Complete")
+
+ select {
+ case s := <-quit:
+ switch s {
+ case syscall.SIGINT:
+ ctx.log.WithField("signal", "SIGINT").Debugf("Shutdown started due to signal")
+ case syscall.SIGTERM:
+ ctx.log.WithField("signal", "SIGTERM").Debugf("Shutdown started due to signal")
+ }
+ case <-cctx.Done():
+ ctx.log.Debugf("Shutdown started due to context completion")
+ }
+
+ cancel()
+
+ ctx.log.Infof("Shutting down")
+
+ wgShutdown := &sync.WaitGroup{}
+
+ for _, service := range services {
+ go func() {
+ service.Shutdown()
+
+ wgShutdown.Done()
+ }()
+
+ wgShutdown.Add(1)
+ }
+
+ wgShutdown.Wait()
+
+ var err error
+
+ if err = ctx.providers.StorageProvider.Close(); err != nil {
+ ctx.log.WithError(err).Error("Error occurred closing database connections")
+ }
+
+ if err = group.Wait(); err != nil {
+ ctx.log.WithError(err).Errorf("Error occurred waiting for shutdown")
+ }
+}
diff --git a/internal/server/const.go b/internal/server/const.go
index 069797b65..abbc52206 100644
--- a/internal/server/const.go
+++ b/internal/server/const.go
@@ -83,12 +83,3 @@ const (
 tmplCSPSwaggerNonce = "default-src 'self'; img-src 'self' https://validator.swagger.io data:; object-src 'none'; script-src 'self' 'unsafe-inline' 'nonce-%s'; style-src 'self' 'nonce-%s'; base-uri 'self'"
 tmplCSPSwagger = "default-src 'self'; img-src 'self' https://validator.swagger.io data:; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; base-uri 'self'"
 )
-
-const (
- connNonTLS = "non-TLS"
- connTLS = "TLS"
-)
-
-const (
- fmtLogServerInit = "Initializing %s for %s connections on '%s' path '%s'"
-)
diff --git a/internal/server/handlers.go b/internal/server/handlers.go
index 106fea7fd..8bd7717a8 100644
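Review bot: In servicesRun's shutdown loop `wgShutdown.Add(1)` is called only after the goroutine has been started, so `Done()` can run before `Add()` and drive the WaitGroup counter negative (a panic), and the closure captures the loop variable `service`, which is shared across iterations unless the module is built with Go 1.22's per-iteration loop variables (the go.mod is not visible here), so several goroutines may call `Shutdown()` on the same last service while the others are never shut down. Calling Add before starting the goroutine, shadowing the variable and deferring Done fixes both (fence below). Separately, the deferred recover in both `Run` methods logs the panic but leaves the named result `err` nil, so a panicking service leaves its goroutine without cancelling the errgroup context and the process keeps running without that service; assigning `err = recoverErr(r)` inside the deferred function would route it through the existing `<-cctx.Done()` shutdown path (recoverErr is not defined in this hunk). In NewFileWatcherService the watcher is never closed when `watcher.Add` fails, and the `filepath.Abs` error message formats `path` after the failed call has overwritten it, so it appears to print an empty path; capturing the absolute path into a separate variable keeps the message useful.
```go
	wgShutdown := &sync.WaitGroup{}

	for _, service := range services {
		service := service // pre-Go 1.22: each goroutine needs its own copy

		wgShutdown.Add(1)

		go func() {
			defer wgShutdown.Done()

			service.Shutdown()
		}()
	}

	// … unchanged: wgShutdown.Wait(), StorageProvider.Close(), group.Wait() …
```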
--- a/internal/server/handlers.go +++ b/internal/server/handlers.go @@ -92,10 +92,10 @@ func handleNotFound(next fasthttp.RequestHandler) fasthttp.RequestHandler { } //nolint:gocyclo -func handleRouter(config schema.Configuration, providers middlewares.Providers) fasthttp.RequestHandler { +func handleRouter(config *schema.Configuration, providers middlewares.Providers) fasthttp.RequestHandler { log := logging.Logger() - optsTemplatedFile := NewTemplatedFileOptions(&config) + optsTemplatedFile := NewTemplatedFileOptions(config) serveIndexHandler := ServeTemplatedFile(providers.Templates.GetAssetIndexTemplate(), optsTemplatedFile) serveOpenAPIHandler := ServeTemplatedOpenAPI(providers.Templates.GetAssetOpenAPIIndexTemplate(), optsTemplatedFile) @@ -104,7 +104,7 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers) handlerPublicHTML := newPublicHTMLEmbeddedHandler() handlerLocales := newLocalesEmbeddedHandler() - bridge := middlewares.NewBridgeBuilder(config, providers). + bridge := middlewares.NewBridgeBuilder(*config, providers). WithPreMiddlewares(middlewares.SecurityHeaders).Build() policyCORSPublicGET := middlewares.NewCORSPolicyBuilder(). @@ -141,11 +141,11 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers) r.GET("/api/"+file, handlerPublicHTML) } - middlewareAPI := middlewares.NewBridgeBuilder(config, providers). + middlewareAPI := middlewares.NewBridgeBuilder(*config, providers). WithPreMiddlewares(middlewares.SecurityHeaders, middlewares.SecurityHeadersNoStore, middlewares.SecurityHeadersCSPNone). Build() - middleware1FA := middlewares.NewBridgeBuilder(config, providers). + middleware1FA := middlewares.NewBridgeBuilder(*config, providers). WithPreMiddlewares(middlewares.SecurityHeaders, middlewares.SecurityHeadersNoStore, middlewares.SecurityHeadersCSPNone). WithPostMiddlewares(middlewares.Require1FA). Build() 
@@ -162,7 +162,7 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers) for name, endpoint := range config.Server.Endpoints.Authz { uri := path.Join(pathAuthz, name) - authz := handlers.NewAuthzBuilder().WithConfig(&config).WithEndpointConfig(endpoint).Build() + authz := handlers.NewAuthzBuilder().WithConfig(config).WithEndpointConfig(endpoint).Build() handler := middlewares.Wrap(metricsVRMW, bridge(authz.Handler)) @@ -268,7 +268,7 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers) } if providers.OpenIDConnect != nil { - bridgeOIDC := middlewares.NewBridgeBuilder(config, providers).WithPreMiddlewares( + bridgeOIDC := middlewares.NewBridgeBuilder(*config, providers).WithPreMiddlewares( middlewares.SecurityHeaders, middlewares.SecurityHeadersCSPNoneOpenIDConnect, middlewares.SecurityHeadersNoStore, ).Build() diff --git a/internal/server/server.go b/internal/server/server.go index 319c708bc..1841cfaa7 100644 --- a/internal/server/server.go +++ b/internal/server/server.go @@ -7,7 +7,6 @@ import ( "net" "os" "strconv" - "strings" "github.com/sirupsen/logrus" "github.com/valyala/fasthttp" @@ -18,9 +17,9 @@ import ( ) // CreateDefaultServer Create Authelia's internal webserver with the given configuration and providers. -func CreateDefaultServer(config schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, err error) { +func CreateDefaultServer(config *schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, paths []string, isTLS bool, err error) { if err = providers.Templates.LoadTemplatedAssets(assets); err != nil { - return nil, nil, fmt.Errorf("failed to load templated assets: %w", err) + return nil, nil, nil, false, fmt.Errorf("failed to load templated assets: %w", err) } server = &fasthttp.Server{ 
@@ -38,15 +37,14 @@ func CreateDefaultServer(config schema.Configuration, providers middlewares.Prov address := net.JoinHostPort(config.Server.Host, strconv.Itoa(config.Server.Port)) var ( - connectionType string connectionScheme string ) if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" { - connectionType, connectionScheme = connTLS, schemeHTTPS + isTLS, connectionScheme = true, schemeHTTPS if err = server.AppendCert(config.Server.TLS.Certificate, config.Server.TLS.Key); err != nil { - return nil, nil, fmt.Errorf("unable to load tls server certificate '%s' or private key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err) + return nil, nil, nil, false, fmt.Errorf("unable to load tls server certificate '%s' or private key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err) } if len(config.Server.TLS.ClientCertificates) > 0 { @@ -56,7 +54,7 @@ func CreateDefaultServer(config schema.Configuration, providers middlewares.Prov for _, path := range config.Server.TLS.ClientCertificates { if cert, err = os.ReadFile(path); err != nil { - return nil, nil, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err) + return nil, nil, nil, false, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err) } caCertPool.AppendCertsFromPEM(cert) 
@@ -69,51 +67,51 @@ func CreateDefaultServer(config schema.Configuration, providers middlewares.Prov } if listener, err = tls.Listen("tcp", address, server.TLSConfig.Clone()); err != nil { - return nil, nil, fmt.Errorf("unable to initialize tcp listener: %w", err) + return nil, nil, nil, false, fmt.Errorf("unable to initialize tcp listener: %w", err) } } else { - connectionType, connectionScheme = connNonTLS, schemeHTTP + connectionScheme = schemeHTTP if listener, err = net.Listen("tcp", address); err != nil { - return nil, nil, fmt.Errorf("unable to initialize tcp listener: %w", err) + return nil, nil, nil, false, fmt.Errorf("unable to initialize tcp listener: %w", err) } } if err = writeHealthCheckEnv(config.Server.DisableHealthcheck, connectionScheme, config.Server.Host, config.Server.Path, config.Server.Port); err != nil { - return nil, nil, fmt.Errorf("unable to configure healthcheck: %w", err) + return nil, nil, nil, false, fmt.Errorf("unable to configure healthcheck: %w", err) } - paths := []string{"/"} + paths = []string{"/"} if config.Server.Path != "" { paths = append(paths, config.Server.Path) } - logging.Logger().Infof(fmtLogServerInit, "server", connectionType, listener.Addr().String(), strings.Join(paths, "' and '")) - - return server, listener, nil + return server, listener, paths, isTLS, nil } // CreateMetricsServer creates a metrics server. 
-func CreateMetricsServer(config schema.TelemetryMetricsConfig) (server *fasthttp.Server, listener net.Listener, err error) { - if listener, err = config.Address.Listener(); err != nil { - return nil, nil, err +func CreateMetricsServer(config *schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, paths []string, tls bool, err error) { + if providers.Metrics == nil { + return } server = &fasthttp.Server{ ErrorHandler: handleError(), NoDefaultServerHeader: true, Handler: handleMetrics(), - ReadBufferSize: config.Buffers.Read, - WriteBufferSize: config.Buffers.Write, - ReadTimeout: config.Timeouts.Read, - WriteTimeout: config.Timeouts.Write, - IdleTimeout: config.Timeouts.Idle, + ReadBufferSize: config.Telemetry.Metrics.Buffers.Read, + WriteBufferSize: config.Telemetry.Metrics.Buffers.Write, + ReadTimeout: config.Telemetry.Metrics.Timeouts.Read, + WriteTimeout: config.Telemetry.Metrics.Timeouts.Write, + IdleTimeout: config.Telemetry.Metrics.Timeouts.Idle, Logger: logging.LoggerPrintf(logrus.DebugLevel), } - logging.Logger().Infof(fmtLogServerInit, "server (metrics)", connNonTLS, listener.Addr().String(), "/metrics") + if listener, err = config.Telemetry.Metrics.Address.Listener(); err != nil { + return nil, nil, nil, false, err + } - return server, listener, nil + return server, listener, []string{"/metrics"}, false, nil } diff --git a/internal/server/server_test.go b/internal/server/server_test.go index 9b6dfa992..1712ae8c8 100644 --- a/internal/server/server_test.go +++ b/internal/server/server_test.go @@ -152,7 +152,7 @@ func NewTLSServerContext(configuration schema.Configuration) (serverContext *TLS return nil, err } - s, listener, err := CreateDefaultServer(configuration, providers) + s, listener, _, _, err := CreateDefaultServer(&configuration, providers) if err != nil { return nil, err diff --git a/internal/suites/environment.go b/internal/suites/environment.go index 80f5ac260..0c79b898d 100644 
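Review bot: The named result `tls bool` on the new CreateMetricsServer signature shadows the crypto/tls package this file uses (`tls.Listen` appears earlier in the same hunk); the body happens not to reference the package, so it compiles, but the shadowing will trip linters and break the first edit that needs `tls` inside this function. Renaming it to match CreateDefaultServer keeps the two signatures parallel: `func CreateMetricsServer(config *schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, paths []string, isTLS bool, err error) {`. The early naked `return` when `providers.Metrics == nil` hands back all zero values, which the caller appears to treat as "skipped"; a comment such as `// Metrics are disabled: return zero values so the caller skips the service.` would make that contract explicit at the site.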
--- a/internal/suites/environment.go +++ b/internal/suites/environment.go @@ -42,7 +42,7 @@ func waitUntilAutheliaBackendIsReady(dockerEnvironment *DockerEnvironment) error 90*time.Second, dockerEnvironment, "authelia-backend", - []string{"Initializing server for"}) + []string{"Startup Complete"}) } func waitUntilAutheliaFrontendIsReady(dockerEnvironment *DockerEnvironment) error {