diff --git a/.travis.yml b/.travis.yml
index a2dfb8024..1b4bae8fc 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,14 +15,14 @@ addons: - libgif-dev - google-chrome-stable hosts:
- - admin.test.local
- - auth.test.local
- - single_factor.test.local
- - dev.test.local
- - home.test.local
- - mx1.mail.test.local
- - mx2.mail.test.local
- - public.test.local
+ - admin.example.com
+ - login.example.com
+ - single_factor.example.com
+ - dev.example.com
+ - home.example.com
+ - mx1.mail.example.com
+ - mx2.mail.example.com
+ - public.example.com
 before_install: - npm install -g npm@'>=2.13.5'
diff --git a/README.md b/README.md
index fa7035b5f..682b5ce3b 100644
--- a/README.md
+++ b/README.md
@@ -95,14 +95,14 @@ Make sure you don't have anything listening on port 8080 (webserver) and 8085 (w Add the following lines to your **/etc/hosts** to alias multiple subdomains so that nginx can redirect request to the correct virtual host.
- 127.0.0.1 home.test.local
- 127.0.0.1 public.test.local
- 127.0.0.1 dev.test.local
- 127.0.0.1 admin.test.local
- 127.0.0.1 mx1.mail.test.local
- 127.0.0.1 mx2.mail.test.local
- 127.0.0.1 single_factor.test.local
- 127.0.0.1 auth.test.local
+ 127.0.0.1 home.example.com
+ 127.0.0.1 public.example.com
+ 127.0.0.1 dev.example.com
+ 127.0.0.1 admin.example.com
+ 127.0.0.1 mx1.mail.example.com
+ 127.0.0.1 mx2.mail.example.com
+ 127.0.0.1 single_factor.example.com
+ 127.0.0.1 login.example.com
 ### Run it!
@@ -118,7 +118,7 @@ Use provided container on [DockerHub](https://hub.docker.com/r/clems4ever/authel ./scripts/example-dockerhub/deploy-example.sh After few seconds the services should be running and you should be able to visit
-[https://home.test.local:8080/](https://home.test.local:8080/).
+[https://home.example.com:8080/](https://home.example.com:8080/).
 When accessing the login page, a self-signed certificate exception should appear, it has to be trusted before you can get to the target page. The certificate 
diff --git a/config.template.yml b/config.template.yml
index 1e39396e1..5927551cf 100644
--- a/config.template.yml
+++ b/config.template.yml
@@ -20,7 +20,7 @@ logs_level: debug
 #
 # Note: this parameter is optional. If not provided, user won't
 # be redirected upon successful authentication.
-default_redirection_url: https://home.test.local:8080/
+default_redirection_url: https://home.example.com:8080/
 # LDAP configuration
 #
@@ -77,7 +77,7 @@ ldap:
 authentication_methods:
 default_method: two_factor
 per_subdomain_methods:
- single_factor.test.local: single_factor
+ single_factor.example.com: single_factor
 # Access Control
 #
@@ -120,7 +120,7 @@ access_control:
 # The rules that apply to anyone.
 # The value is a list of rules.
 any:
- - domain: public.test.local
+ - domain: public.example.com
 policy: allow
 # Group-based rules. The key is a group name and the value
@@ -128,13 +128,13 @@ access_control:
 groups:
 admin:
 # All resources in all domains
- - domain: '*.test.local'
+ - domain: '*.example.com'
 policy: allow
- # Except mx2.mail.test.local (it restricts the first rule)
- - domain: 'mx2.mail.test.local'
+ # Except mx2.mail.example.com (it restricts the first rule)
+ - domain: 'mx2.mail.example.com'
 policy: deny
 dev:
- - domain: dev.test.local
+ - domain: dev.example.com
 policy: allow
 resources: - '^/groups/dev/.*$'
@@ -143,19 +143,19 @@ access_control:
 users:
 john:
- - domain: dev.test.local
+ - domain: dev.example.com
 policy: allow
 resources: - '^/users/john/.*$'
 harry:
- - domain: dev.test.local
+ - domain: dev.example.com
 policy: allow
 resources: - '^/users/harry/.*$'
 bob:
- - domain: '*.mail.test.local'
+ - domain: '*.mail.example.com'
 policy: allow
- - domain: 'dev.test.local'
+ - domain: 'dev.example.com'
 policy: allow
 resources: - '^/users/bob/.*$' 
@@ -177,7 +177,7 @@ session:
 # The domain to protect.
 # Note: the authenticator must also be in that domain. If empty, the cookie
 # is restricted to the subdomain of the issuer.
- domain: test.local
+ domain: example.com
 # The redis connection details
 redis:
diff --git a/example/authelia/docker-compose.dockerhub.yml b/docker-compose.dockerhub.yml
similarity index 83%
rename from example/authelia/docker-compose.dockerhub.yml
rename to docker-compose.dockerhub.yml
index 7c68dec9a..ce17e86ee 100644
--- a/example/authelia/docker-compose.dockerhub.yml
+++ b/docker-compose.dockerhub.yml
@@ -5,7 +5,6 @@ services:
 restart: always
 volumes: - ./config.template.yml:/etc/authelia/config.yml:ro
- - ./notifications:/var/lib/authelia/notifications
 environment: - NODE_TLS_REJECT_UNAUTHORIZED=0
 depends_on:
diff --git a/example/nginx/authelia/docker-compose.yml b/example/nginx/authelia/docker-compose.yml
index 1b560657c..cd590620e 100644
--- a/example/nginx/authelia/docker-compose.yml
+++ b/example/nginx/authelia/docker-compose.yml
@@ -3,6 +3,6 @@ services:
 nginx-authelia:
 image: nginx:alpine
 volumes:
- - ./example/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
+ - ./example/nginx/authelia/nginx.conf:/etc/nginx/nginx.conf
 networks: - example-network
diff --git a/example/nginx/authelia/nginx.conf b/example/nginx/authelia/nginx.conf
index 7305ba703..44405c818 100644
--- a/example/nginx/authelia/nginx.conf
+++ b/example/nginx/authelia/nginx.conf
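Review bot: `domain: example.com` scopes the session cookie to a name that, unlike `test.local`, is a real registrable domain resolving on the public Internet, so the example now depends entirely on the README's /etc/hosts aliases; any `*.example.com` host that is not aliased, or a resolver that bypasses /etc/hosts (browser DNS-over-HTTPS, for instance), would receive the Authelia session cookie. The template should say so under the key, e.g. `# Example value: every *.example.com host the browser can reach gets this cookie, so all protected hosts must be aliased locally (see README); change it for real deployments.` A name reserved never to resolve, such as `*.example.test` (RFC 6761), would remove the exposure, though that is a wider change than this commit.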
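Review bot: `NODE_TLS_REJECT_UNAUTHORIZED=0` in the environment block is unchanged context, but this file now sits at the repository root as the DockerHub quick-start and carries no warning that the flag disables certificate verification for every outbound TLS connection the Node process makes (LDAP, SMTP, anything), not merely the self-signed portal certificate. An inline comment would stop it being copied into a real deployment: `# Example only: turns off TLS certificate verification for ALL outbound Node TLS connections. Never set this in production.` Dropping the `./notifications` bind mount presumably leaves filesystem notifications inside the container; if the example notifier still writes there, the README should say where to read them.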
@@ -1,21 +1,5 @@
-# nginx-sso - example nginx config
-#
-# (c) 2015 by Johannes Gilger
-#
-# This is an example config for using nginx with the nginx-sso cookie system.
-# For simplicity, this config sets up two fictional vhosts that you can use to
-# test against both components of the nginx-sso system: ssoauth & ssologin.
-# In a real deployment, these vhosts would be separate hosts.
-
-#user nobody;
 worker_processes 1;
-#error_log logs/error.log;
-#error_log logs/error.log notice;
-#error_log logs/error.log info;
-
-#pid logs/nginx.pid;
-
 events {
 worker_connections 1024;
 }
@@ -23,31 +7,15 @@ events {
 http {
 server {
- listen 443 ssl;
- server_name auth.test.local;
+ listen 80;
- ssl on;
- ssl_certificate /etc/ssl/server.crt;
- ssl_certificate_key /etc/ssl/server.key;
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- add_header X-Frame-Options "SAMEORIGIN";
+ resolver 127.0.0.11 ipv6=off;
+ set $upstream_endpoint http://authelia;
 location / {
- proxy_set_header X-Original-URI $request_uri;
 proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://authelia/;
-
- proxy_intercept_errors on;
-
- if ($request_method !~ ^(POST)$){
- error_page 401 = /error/401;
- error_page 403 = /error/403;
- error_page 404 = /error/404;
- }
+ proxy_pass $upstream_endpoint;
 }
 }
 }
diff --git a/example/nginx/backend/html/admin.test.local/secret.html b/example/nginx/backend/html/admin/secret.html
similarity index 71%
rename from example/nginx/backend/html/admin.test.local/secret.html
rename to example/nginx/backend/html/admin/secret.html
index 386bd8931..b44f4b6cc 100644
--- a/example/nginx/backend/html/admin.test.local/secret.html
+++ b/example/nginx/backend/html/admin/secret.html
@@ -5,6 +5,6 @@ This is a very important secret!
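Review bot: This listener now accepts plain HTTP on port 80 for any Host and forwards to `authelia` with no TLS, HSTS or X-Frame-Options, all of which moved to the portal, yet nothing in the file records that it must stay reachable only on the compose network; if it were ever published directly, a client could also supply its own X-Original-URI/X-Real-IP, since this hop no longer sets them. A header comment would fix the contract: `# Internal hop only: TLS, security headers and error handling are applied by example/nginx/portal; never expose this listener.` The `resolver 127.0.0.11 ipv6=off;` plus variable `proxy_pass` pair presumably exists so nginx resolves `authelia` per request through Docker's embedded DNS instead of failing at startup when that container is absent; that reasoning is worth one line next to the `resolver` directive.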
- Go back to home page. + Go back to home page. diff --git a/example/nginx/backend/html/dev.test.local/users/harry/secret.html b/example/nginx/backend/html/dev.test.local/users/harry/secret.html deleted file mode 100644 index 386bd8931..000000000 --- a/example/nginx/backend/html/dev.test.local/users/harry/secret.html +++ /dev/null @@ -1,10 +0,0 @@ - - - Secret - - - - This is a very important secret!
- Go back to home page. - - diff --git a/example/nginx/backend/html/dev.test.local/users/john/secret.html b/example/nginx/backend/html/dev.test.local/users/john/secret.html deleted file mode 100644 index 386bd8931..000000000 --- a/example/nginx/backend/html/dev.test.local/users/john/secret.html +++ /dev/null @@ -1,10 +0,0 @@ - - - Secret - - - - This is a very important secret!
- Go back to home page. - - diff --git a/example/nginx/backend/html/dev.test.local/groups/admin/secret.html b/example/nginx/backend/html/dev/groups/admin/secret.html similarity index 71% rename from example/nginx/backend/html/dev.test.local/groups/admin/secret.html rename to example/nginx/backend/html/dev/groups/admin/secret.html index 386bd8931..b44f4b6cc 100644 --- a/example/nginx/backend/html/dev.test.local/groups/admin/secret.html +++ b/example/nginx/backend/html/dev/groups/admin/secret.html @@ -5,6 +5,6 @@ This is a very important secret!
- Go back to home page. + Go back to home page. diff --git a/example/nginx/backend/html/dev.test.local/groups/dev/secret.html b/example/nginx/backend/html/dev/groups/dev/secret.html similarity index 71% rename from example/nginx/backend/html/dev.test.local/groups/dev/secret.html rename to example/nginx/backend/html/dev/groups/dev/secret.html index 386bd8931..b44f4b6cc 100644 --- a/example/nginx/backend/html/dev.test.local/groups/dev/secret.html +++ b/example/nginx/backend/html/dev/groups/dev/secret.html @@ -5,6 +5,6 @@ This is a very important secret!
- Go back to home page. + Go back to home page. diff --git a/example/nginx/backend/html/dev.test.local/users/bob/secret.html b/example/nginx/backend/html/dev/users/bob/secret.html similarity index 71% rename from example/nginx/backend/html/dev.test.local/users/bob/secret.html rename to example/nginx/backend/html/dev/users/bob/secret.html index 386bd8931..b44f4b6cc 100644 --- a/example/nginx/backend/html/dev.test.local/users/bob/secret.html +++ b/example/nginx/backend/html/dev/users/bob/secret.html @@ -5,6 +5,6 @@ This is a very important secret!
- Go back to home page. + Go back to home page. diff --git a/example/nginx/backend/html/dev/users/harry/secret.html b/example/nginx/backend/html/dev/users/harry/secret.html new file mode 100644 index 000000000..b44f4b6cc --- /dev/null +++ b/example/nginx/backend/html/dev/users/harry/secret.html @@ -0,0 +1,10 @@ + + + Secret + + + + This is a very important secret!
+ Go back to home page. + + diff --git a/example/nginx/backend/html/dev/users/john/secret.html b/example/nginx/backend/html/dev/users/john/secret.html new file mode 100644 index 000000000..b44f4b6cc --- /dev/null +++ b/example/nginx/backend/html/dev/users/john/secret.html @@ -0,0 +1,10 @@ + + + Secret + + + + This is a very important secret!
+ Go back to home page. + + diff --git a/example/nginx/backend/html/home.test.local/index.html b/example/nginx/backend/html/home/index.html similarity index 65% rename from example/nginx/backend/html/home.test.local/index.html rename to example/nginx/backend/html/home/index.html index ffeb37d56..49f2dde04 100644 --- a/example/nginx/backend/html/home.test.local/index.html +++ b/example/nginx/backend/html/home/index.html @@ -12,51 +12,51 @@ one of the following links to test access control powered by Authelia.
- You can also log off by visiting the following link. + You can also log off by visiting the following link.

List of users

Here is the list of credentials you can log in with to test access control.
@@ -84,7 +84,7 @@ default_policy: deny # The value is a list of rules. any: - - domain: public.test.local + - domain: public.example.com policy: allow # Group-based rules. The key is a group name and the value @@ -93,13 +93,13 @@ any: groups: admin: # All resources in all domains - - domain: '*.test.local' + - domain: '*.example.com' policy: allow - # Except mx2.mail.test.local (it restricts the first rule) - - domain: 'mx2.mail.test.local' + # Except mx2.mail.example.com (it restricts the first rule) + - domain: 'mx2.mail.example.com' policy: deny dev: - - domain: dev.test.local + - domain: dev.example.com policy: allow resources: - '^/groups/dev/.*$' @@ -109,23 +109,23 @@ groups: users: john: - - domain: dev.test.local + - domain: dev.example.com policy: allow resources: - '^/users/john/.*$' harry: - - domain: dev.test.local + - domain: dev.example.com policy: allow resources: - '^/users/harry/.*$' bob: - - domain: '*.mail.test.local' + - domain: '*.mail.example.com' policy: allow - - domain: 'dev.test.local' + - domain: 'dev.example.com' policy: allow resources: - '^/users/bob/.*$' - - domain: 'dev.test.local' + - domain: 'dev.example.com' policy: allow resources: - '^/users/harry/.*$' diff --git a/example/nginx/backend/html/mail.test.local/secret.html b/example/nginx/backend/html/mail.test.local/secret.html deleted file mode 100644 index 386bd8931..000000000 --- a/example/nginx/backend/html/mail.test.local/secret.html +++ /dev/null @@ -1,10 +0,0 @@ - - - Secret - - - - This is a very important secret!
- Go back to home page. - - diff --git a/example/nginx/backend/html/mail/secret.html b/example/nginx/backend/html/mail/secret.html new file mode 100644 index 000000000..b44f4b6cc --- /dev/null +++ b/example/nginx/backend/html/mail/secret.html @@ -0,0 +1,10 @@ + + + Secret + + + + This is a very important secret!
+ Go back to home page. + + diff --git a/example/nginx/backend/html/public.test.local/secret.html b/example/nginx/backend/html/public.test.local/secret.html deleted file mode 100644 index 386bd8931..000000000 --- a/example/nginx/backend/html/public.test.local/secret.html +++ /dev/null @@ -1,10 +0,0 @@ - - - Secret - - - - This is a very important secret!
- Go back to home page. - - diff --git a/example/nginx/backend/html/public.test.local/index.html b/example/nginx/backend/html/public/index.html similarity index 76% rename from example/nginx/backend/html/public.test.local/index.html rename to example/nginx/backend/html/public/index.html index d5629c05e..733f9580e 100644 --- a/example/nginx/backend/html/public.test.local/index.html +++ b/example/nginx/backend/html/public/index.html @@ -7,7 +7,7 @@

Public resource

This is a public resource.
- Go back to home page. + Go back to home page.

diff --git a/example/nginx/backend/html/public/secret.html b/example/nginx/backend/html/public/secret.html new file mode 100644 index 000000000..b44f4b6cc --- /dev/null +++ b/example/nginx/backend/html/public/secret.html @@ -0,0 +1,10 @@ + + + Secret + + + + This is a very important secret!
+ Go back to home page. + + diff --git a/example/nginx/backend/html/single_factor.test.local/secret.html b/example/nginx/backend/html/single_factor.test.local/secret.html deleted file mode 100644 index 386bd8931..000000000 --- a/example/nginx/backend/html/single_factor.test.local/secret.html +++ /dev/null @@ -1,10 +0,0 @@ - - - Secret - - - - This is a very important secret!
- Go back to home page. - - diff --git a/example/nginx/backend/html/single_factor/secret.html b/example/nginx/backend/html/single_factor/secret.html new file mode 100644 index 000000000..b44f4b6cc --- /dev/null +++ b/example/nginx/backend/html/single_factor/secret.html @@ -0,0 +1,10 @@ + + + Secret + + + + This is a very important secret!
+ Go back to home page. + +
diff --git a/example/nginx/backend/nginx.conf b/example/nginx/backend/nginx.conf
index 106d1782c..55afb666c 100644
--- a/example/nginx/backend/nginx.conf
+++ b/example/nginx/backend/nginx.conf
@@ -1,21 +1,5 @@
-# nginx-sso - example nginx config
-#
-# (c) 2015 by Johannes Gilger
-#
-# This is an example config for using nginx with the nginx-sso cookie system.
-# For simplicity, this config sets up two fictional vhosts that you can use to
-# test against both components of the nginx-sso system: ssoauth & ssologin.
-# In a real deployment, these vhosts would be separate hosts.
-
-#user nobody;
 worker_processes 1;
-#error_log logs/error.log;
-#error_log logs/error.log notice;
-#error_log logs/error.log info;
-
-#pid logs/nginx.pid;
-
 events {
 worker_connections 1024;
 }
@@ -24,38 +8,38 @@ events {
 http {
 server {
 listen 80;
- root /usr/share/nginx/html/home.test.local;
- server_name home.test.local;
+ root /usr/share/nginx/html/home;
+ server_name home.example.com;
 }
 server {
 listen 80;
- root /usr/share/nginx/html/public.test.local;
- server_name public.test.local;
+ root /usr/share/nginx/html/public;
+ server_name public.example.com;
 }
 server {
 listen 80;
- root /usr/share/nginx/html/admin.test.local;
- server_name admin.test.local;
+ root /usr/share/nginx/html/admin;
+ server_name admin.example.com;
 }
 server {
 listen 80;
- root /usr/share/nginx/html/dev.test.local;
- server_name dev.test.local;
+ root /usr/share/nginx/html/dev;
+ server_name dev.example.com;
 }
 server {
 listen 80;
- root /usr/share/nginx/html/mail.test.local;
- server_name mx1.mail.test.local mx2.mail.test.local;
+ root /usr/share/nginx/html/mail;
+ server_name mx1.mail.example.com mx2.mail.example.com;
 }
 server {
 listen 80;
- root /usr/share/nginx/html/single_factor.test.local;
- server_name single_factor.test.local;
+ root /usr/share/nginx/html/single_factor;
+ server_name single_factor.example.com;
 }
 }
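Review bot: The deleted header was the only attribution to the nginx-sso example (Johannes Gilger, 2015) these configs were derived from, and the same removal is made in the portal and authelia configs; if any of that example's text survives, its license may require keeping the notice, so this should be checked rather than assumed. If the remaining skeleton is considered original work, a one-line `# Originally adapted from the nginx-sso example config` preserves the provenance at no cost.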
diff --git a/example/nginx/portal/nginx.conf b/example/nginx/portal/nginx.conf
index 0f597d935..c7d4016b0 100644
--- a/example/nginx/portal/nginx.conf
+++ b/example/nginx/portal/nginx.conf
@@ -1,30 +1,16 @@
-# nginx-sso - example nginx config
-#
-# (c) 2015 by Johannes Gilger
-#
-# This is an example config for using nginx with the nginx-sso cookie system.
-# For simplicity, this config sets up two fictional vhosts that you can use to
-# test against both components of the nginx-sso system: ssoauth & ssologin.
-# In a real deployment, these vhosts would be separate hosts.
-
-#user nobody;
 worker_processes 1;
-#error_log logs/error.log;
-#error_log logs/error.log notice;
-#error_log logs/error.log info;
-
-#pid logs/nginx.pid;
-
 events {
 worker_connections 1024;
 }
-
 http {
 server {
 listen 443 ssl;
- server_name home.test.local;
+ server_name login.example.com;
+
+ resolver 127.0.0.11 ipv6=off;
+ set $upstream_endpoint http://nginx-authelia;
 ssl on;
 ssl_certificate /etc/ssl/server.crt; 
@@ -35,199 +21,49 @@ http { location / { proxy_set_header Host $http_host; - - proxy_pass http://nginx-backend/; - } - } - - server { - listen 443 ssl; - server_name public.test.local; - - ssl on; - ssl_certificate /etc/ssl/server.crt; - ssl_certificate_key /etc/ssl/server.key; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options "SAMEORIGIN"; - - location /auth_verify { - internal; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - proxy_set_header Content-Length ""; + proxy_intercept_errors on; - proxy_pass http://nginx-authelia/api/verify; - } + proxy_pass $upstream_endpoint; - location / { - auth_request /auth_verify; - - auth_request_set $redirect $upstream_http_redirect; - - auth_request_set $user $upstream_http_remote_user; - proxy_set_header X-Forwarded-User $user; - - auth_request_set $groups $upstream_http_remote_groups; - proxy_set_header Remote-Groups $groups; - - proxy_set_header Host $http_host; - - error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; - error_page 403 = https://auth.test.local:8080/error/403; - - proxy_pass http://nginx-backend/; - } - - location /headers { - auth_request /auth_verify; - - auth_request_set $redirect $upstream_http_redirect; - - auth_request_set $user $upstream_http_remote_user; - proxy_set_header Custom-Forwarded-User $user; - - auth_request_set $groups $upstream_http_remote_groups; - proxy_set_header Custom-Forwarded-Groups $groups; - - error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; - error_page 403 = https://auth.test.local:8080/error/403; - - proxy_pass http://httpbin:8000/headers; - } - } - - server { - listen 443 ssl; - server_name admin.test.local; - - ssl on; - ssl_certificate /etc/ssl/server.crt; - ssl_certificate_key /etc/ssl/server.key; - - add_header Strict-Transport-Security 
"max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options "SAMEORIGIN"; - - location /auth_verify { - internal; - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - proxy_set_header Content-Length ""; - - proxy_pass http://nginx-authelia/api/verify; - } - - location / { - auth_request /auth_verify; - - auth_request_set $redirect $upstream_http_redirect; - - auth_request_set $user $upstream_http_remote_user; - proxy_set_header X-Forwarded-User $user; - - auth_request_set $groups $upstream_http_remote_groups; - proxy_set_header Remote-Groups $groups; - - proxy_set_header Host $http_host; - - error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; - error_page 403 = https://auth.test.local:8080/error/403; - - proxy_pass http://nginx-backend/; - } - } - - server { - listen 443 ssl; - server_name dev.test.local; - - ssl on; - ssl_certificate /etc/ssl/server.crt; - ssl_certificate_key /etc/ssl/server.key; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options "SAMEORIGIN"; - - location /auth_verify { - internal; - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - proxy_set_header Content-Length ""; - - proxy_pass http://nginx-authelia/api/verify; - } - - location / { - auth_request /auth_verify; - - auth_request_set $redirect $upstream_http_redirect; - - auth_request_set $user $upstream_http_remote_user; - proxy_set_header X-Forwarded-User $user; - - auth_request_set $groups $upstream_http_remote_groups; - proxy_set_header Remote-Groups $groups; - - proxy_set_header Host $http_host; - - error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; - error_page 403 = https://auth.test.local:8080/error/403; - - proxy_pass 
http://nginx-backend/; - } - } - - server { - listen 443 ssl; - server_name mx1.mail.test.local mx2.mail.test.local; - - ssl on; - ssl_certificate /etc/ssl/server.crt; - ssl_certificate_key /etc/ssl/server.key; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options "SAMEORIGIN"; - - location /auth_verify { - internal; - proxy_set_header X-Original-URI $request_uri; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - proxy_set_header Content-Length ""; - - proxy_pass http://nginx-authelia/api/verify; - } - - location / { - auth_request /auth_verify; - - auth_request_set $redirect $upstream_http_redirect; - - auth_request_set $user $upstream_http_remote_user; - proxy_set_header X-Forwarded-User $user; - - auth_request_set $groups $upstream_http_remote_groups; - proxy_set_header Remote-Groups $groups; - - proxy_set_header Host $http_host; - - error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; - error_page 403 = https://auth.test.local:8080/error/403; - - proxy_pass http://nginx-backend/; + if ($request_method !~ ^(POST)$){ + error_page 401 = /error/401; + error_page 403 = /error/403; + error_page 404 = /error/404; + } } } server { listen 443 ssl; - server_name single_factor.test.local; + server_name home.example.com; + + resolver 127.0.0.11 ipv6=off; + set $upstream_endpoint http://nginx-backend; + + ssl on; + ssl_certificate /etc/ssl/server.crt; + ssl_certificate_key /etc/ssl/server.key; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Frame-Options "SAMEORIGIN"; + + location / { + proxy_set_header Host $http_host; + proxy_pass $upstream_endpoint; + } + } + + server { + listen 443 ssl; + server_name public.example.com; + + resolver 127.0.0.11 ipv6=off; + set $upstream_verify http://nginx-authelia/api/verify; + set $upstream_endpoint http://nginx-backend; + set 
$upstream_headers http://httpbin:8000/headers; ssl on; ssl_certificate /etc/ssl/server.crt; @@ -238,33 +74,32 @@ http { location /auth_verify { internal; + proxy_set_header Host $http_host; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; proxy_set_header Content-Length ""; - proxy_set_header Proxy-Authorization $http_authorization; - proxy_pass http://nginx-authelia/api/verify; + proxy_pass $upstream_verify; } location / { auth_request /auth_verify; auth_request_set $redirect $upstream_http_redirect; - + auth_request_set $user $upstream_http_remote_user; proxy_set_header X-Forwarded-User $user; auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-Groups $groups; - proxy_set_header Host $http_host; + proxy_set_header Host $http_host; - error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; - error_page 403 = https://auth.test.local:8080/error/403; + error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 403 = https://login.example.com:8080/error/403; - proxy_pass http://nginx-backend/; + proxy_pass $upstream_endpoint; } location /headers { 
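Review bot: In the `login.example.com` block the new `proxy_intercept_errors on;` together with `if ($request_method !~ ^(POST)$)` replaces every 401/403/404 from Authelia with an internal redirect to `/error/...` for non-POST requests only, presumably so the JSON API (POST) keeps its own status and body while browser navigations get HTML error pages; none of that intent is in the file. A comment above the `if` would carry it: `# Browser navigations (non-POST) are mapped to the HTML error pages; API calls are POSTs and must see Authelia's own response.` It is also worth stating on the new `home.example.com` block, the only vhost proxied without `auth_request`, that the landing page is intentionally unauthenticated, so the omission is not "fixed" later.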
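Review bot: `error_page 401 =302 https://login.example.com:8080?redirect=$redirect;` places the upstream `Redirect` header into the Location header unescaped, because nginx does not percent-encode variables, so the portal is relying on Authelia both to encode that value and to restrict where `redirect=` may send the user after login; neither expectation is recorded anywhere. A note at `auth_request_set $redirect $upstream_http_redirect;` would make the trust boundary explicit: `# $redirect is inserted verbatim into a Location header; Authelia must URL-encode it and validate the target.` The removal of `proxy_set_header Proxy-Authorization $http_authorization;` from this vhost's `/auth_verify`, while `single_factor.example.com` keeps it, looks deliberate but deserves a comment as well.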
@@ -278,10 +113,213 @@ http { auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Custom-Forwarded-Groups $groups; - proxy_pass http://httpbin:8000/headers; + error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 403 = https://login.example.com:8080/error/403; - error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; - error_page 403 = https://auth.test.local:8080/error/403; + proxy_pass $upstream_headers; + } + } + + server { + listen 443 ssl; + server_name admin.example.com; + + resolver 127.0.0.11 ipv6=off; + set $upstream_verify http://nginx-authelia/api/verify; + set $upstream_endpoint http://nginx-backend; + + ssl on; + ssl_certificate /etc/ssl/server.crt; + ssl_certificate_key /etc/ssl/server.key; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Frame-Options "SAMEORIGIN"; + + location /auth_verify { + internal; + proxy_set_header Host $http_host; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Content-Length ""; + + proxy_pass $upstream_verify; + } + + location / { + auth_request /auth_verify; + + auth_request_set $redirect $upstream_http_redirect; + + auth_request_set $user $upstream_http_remote_user; + proxy_set_header X-Forwarded-User $user; + + auth_request_set $groups $upstream_http_remote_groups; + proxy_set_header Remote-Groups $groups; + + proxy_set_header Host $http_host; + + error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 403 = https://login.example.com:8080/error/403; + + proxy_pass $upstream_endpoint; + } + } + + server { + listen 443 ssl; + server_name dev.example.com; + + resolver 127.0.0.11 ipv6=off; + set $upstream_verify http://nginx-authelia/api/verify; + set $upstream_endpoint http://nginx-backend; + + ssl on; + ssl_certificate /etc/ssl/server.crt; + ssl_certificate_key 
/etc/ssl/server.key; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Frame-Options "SAMEORIGIN"; + + location /auth_verify { + internal; + proxy_set_header Host $http_host; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Content-Length ""; + + proxy_pass $upstream_verify; + } + + location / { + auth_request /auth_verify; + + auth_request_set $redirect $upstream_http_redirect; + + auth_request_set $user $upstream_http_remote_user; + proxy_set_header X-Forwarded-User $user; + + auth_request_set $groups $upstream_http_remote_groups; + proxy_set_header Remote-Groups $groups; + + proxy_set_header Host $http_host; + + error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 403 = https://login.example.com:8080/error/403; + + proxy_pass $upstream_endpoint; + } + } + + server { + listen 443 ssl; + server_name mx1.mail.example.com mx2.mail.example.com; + + resolver 127.0.0.11 ipv6=off; + set $upstream_verify http://nginx-authelia/api/verify; + set $upstream_endpoint http://nginx-backend; + + ssl on; + ssl_certificate /etc/ssl/server.crt; + ssl_certificate_key /etc/ssl/server.key; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Frame-Options "SAMEORIGIN"; + + location /auth_verify { + internal; + proxy_set_header Host $http_host; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Content-Length ""; + + proxy_pass $upstream_verify; + } + + location / { + auth_request /auth_verify; + + auth_request_set $redirect $upstream_http_redirect; + + auth_request_set $user $upstream_http_remote_user; + proxy_set_header X-Forwarded-User $user; + + auth_request_set $groups $upstream_http_remote_groups; + proxy_set_header Remote-Groups $groups; + + 
proxy_set_header Host $http_host; + + error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 403 = https://login.example.com:8080/error/403; + + proxy_pass $upstream_endpoint; + } + } + + server { + listen 443 ssl; + server_name single_factor.example.com; + + resolver 127.0.0.11 ipv6=off; + set $upstream_verify http://nginx-authelia/api/verify; + set $upstream_endpoint http://nginx-backend; + set $upstream_headers http://httpbin:8000/headers; + + ssl on; + ssl_certificate /etc/ssl/server.crt; + ssl_certificate_key /etc/ssl/server.key; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Frame-Options "SAMEORIGIN"; + + location /auth_verify { + internal; + proxy_set_header Host $http_host; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Content-Length ""; + proxy_set_header Proxy-Authorization $http_authorization; + + proxy_pass $upstream_verify; + } + + location / { + auth_request /auth_verify; + + auth_request_set $redirect $upstream_http_redirect; + + auth_request_set $user $upstream_http_remote_user; + proxy_set_header X-Forwarded-User $user; + + auth_request_set $groups $upstream_http_remote_groups; + proxy_set_header Remote-Groups $groups; + + proxy_set_header Host $http_host; + + error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 403 = https://login.example.com:8080/error/403; + + proxy_pass $upstream_endpoint; + } + + location /headers { + auth_request /auth_verify; + + auth_request_set $redirect $upstream_http_redirect; + + auth_request_set $user $upstream_http_remote_user; + proxy_set_header Custom-Forwarded-User $user; + + auth_request_set $groups $upstream_http_remote_groups; + proxy_set_header Custom-Forwarded-Groups $groups; + + error_page 401 =302 https://login.example.com:8080?redirect=$redirect; + error_page 403 = 
https://login.example.com:8080/error/403;
+
+ proxy_pass $upstream_headers;
 }
 }
 }
diff --git a/scripts/example-dockerhub/dc-example.sh b/scripts/example-dockerhub/dc-example.sh
index 10a452f53..9ce3e2ea1 100755
--- a/scripts/example-dockerhub/dc-example.sh
+++ b/scripts/example-dockerhub/dc-example.sh
@@ -3,8 +3,8 @@ set -e
 docker-compose \
+ -f docker-compose.dockerhub.yml \
 -f example/docker-compose.base.yml \
- -f example/authelia/docker-compose.dockerhub.yml \
 -f example/mongo/docker-compose.yml \
 -f example/redis/docker-compose.yml \
 -f example/nginx/authelia/docker-compose.yml \
diff --git a/scripts/integration-tests.sh b/scripts/integration-tests.sh
index 02d137442..4635166e5 100755
--- a/scripts/integration-tests.sh
+++ b/scripts/integration-tests.sh
@@ -13,7 +13,11 @@ start_services() {
 }
 shut_services() {
- $DC_SCRIPT down --remove-orphans
+ containers_exist=`docker ps -aq | wc -l`
+ if [ "$containers_exist" -ne "0" ]
+ then
+ docker rm -f $(docker ps -aq)
+ fi
 }
 expect_services_count() {
@@ -42,16 +46,18 @@ run_integration_tests() {
 run_other_tests() {
 echo "Test dev environment deployment (commands in README)"
- rm -rf node_modules
- ./scripts/build-dev.sh
+ # rm -rf node_modules
+ # ./scripts/build-dev.sh
 ./scripts/example-commit/deploy-example.sh
 expect_services_count $EXPECTED_SERVICES_COUNT
+ ./scripts/example-commit/undeploy-example.sh
 }
 run_other_tests_docker() {
 echo "Test dev docker deployment (commands in README)"
 ./scripts/example-dockerhub/deploy-example.sh
 expect_services_count $EXPECTED_SERVICES_COUNT
+ ./scripts/example-dockerhub/undeploy-example.sh
 }
diff --git a/server/src/views/layout/layout.pug b/server/src/views/layout/layout.pug
index eaf315aee..2ee8434a0 100644
--- a/server/src/views/layout/layout.pug
+++ b/server/src/views/layout/layout.pug
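Review bot: The `admin`, `dev`, `mail` and `single_factor` server blocks added here repeat the same `/auth_verify` and `location /` stanzas nearly verbatim, so the one real difference — `single_factor.example.com` forwarding the client's `Authorization` as `Proxy-Authorization` in `/auth_verify` — is easy to lose, and any future fix to the verify request has to be applied six times. Moving the shared verify and `auth_request`/`auth_request_set` lines into a snippet pulled in with `include /etc/nginx/snippets/authelia-auth.conf;` would leave each vhost with only its `server_name`, certificate and upstream variables. Two smaller points: `ssl on;` is redundant with `listen 443 ssl` (and deprecated in newer nginx), and `includeSubDomains` on HSTS sent by a leaf host such as `admin.example.com` only covers names below that host, not its siblings.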
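Review bot: `docker rm -f $(docker ps -aq)` in the new `shut_services` force-removes every container on the host, not just the ones this test stack started, which on a shared CI runner or a developer machine destroys unrelated work; the `containers_exist` guard only avoids calling `docker rm` with no arguments. Keep `$DC_SCRIPT down --remove-orphans` as the primary teardown and limit any forced sweep to this stack, for example `docker rm -f $(docker ps -aq --filter label=com.docker.compose.project=$COMPOSE_PROJECT_NAME)` with the project name exported where the stack is started. If `down` was replaced because it left containers behind, say so in a comment so the next reader does not revert to it.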
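Review bot: Commenting out `rm -rf node_modules` and `./scripts/build-dev.sh` means `run_other_tests` no longer rebuilds before deploying, so the "commands in README" path is exercised against whatever build is already on the runner; either delete the two dead lines or replace them with the reason (`# build already done by the CI install step; do not repeat it here`, if that is why). The new `undeploy-example.sh` calls are welcome, but if `expect_services_count` exits on a mismatch (its body is outside this hunk) the undeploy never runs and the stack is left up for the following test; registering the undeploy in a `trap '...' EXIT` before deploying makes the cleanup unconditional.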
@@ -1,13 +1,14 @@ block variables +doctype html html head title Authelia - 2FA - meta(name="viewport", content="width=device-width, initial-scale=1.0")/ - meta(name="robots", content="noindex, nofollow, nosnippet, noarchive")/ - meta(http-equiv="Content-Security-Policy", content="default-src 'self'; img-src 'self' data:;")/ - link(rel="icon", href="/img/icon.png" type="image/png" sizes="32x32")/ - link(rel="stylesheet", type="text/css", href="/css/authelia.css")/ + meta(name="viewport", content="width=device-width, initial-scale=1.0") + meta(name="robots", content="noindex, nofollow, nosnippet, noarchive") + meta(http-equiv="Content-Security-Policy", content="default-src 'self'; img-src 'self' data:;") + link(rel="icon", href="/img/icon.png" type="image/png" sizes="32x32") + link(rel="stylesheet", type="text/css", href="/css/authelia.css") if redirection_url meta(http-equiv="refresh" content="4;url=" + redirection_url) body @@ -24,4 +25,4 @@ html div(class="poweredby col-xs-6 col-xs-offset-4 col-sm-6 col-sm-offset-4 col-md-6 col-md-offset-4") | Powered by Authelia block entrypoint - script(src="/js/authelia.js") \ No newline at end of file + script(src="/js/authelia.js", type="text/javascript" ) \ No newline at end of file diff --git a/server/src/views/totp-register.pug b/server/src/views/totp-register.pug index 4436d82e3..1b4d98354 100644 --- a/server/src/views/totp-register.pug +++ b/server/src/views/totp-register.pug @@ -22,4 +22,4 @@ block content img(alt='Get it on Apple Store' src='/img/stores/applestore-badge.svg' class="store-badge") block entrypoint - script(src="/js/qrcode.min.js") + script(src="/js/qrcode.min.js", type="text/javascript" ) diff --git a/server/test/access_control/AccessController.test.ts b/server/test/access_control/AccessController.test.ts index d0df7a901..322c3540a 100644 --- a/server/test/access_control/AccessController.test.ts +++ b/server/test/access_control/AccessController.test.ts 
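Review bot: `type="text/javascript"` added to the script tag in the second layout.pug hunk, and likewise in totp-register.pug, is redundant once `doctype html` is added in the first hunk, since HTML5 treats script content as JavaScript by default, and the stray space before `)` is a style nit; `script(src="/js/authelia.js")` and `script(src="/js/qrcode.min.js")` are enough (totp-register.pug presumably inherits the doctype through the layout, which this diff does not show). The file also still ends without a trailing newline, flagged by `\ No newline at end of file`, which is worth fixing while that line is being touched.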
@@ -13,10 +13,10 @@ describe("test access control manager", function () { configuration = undefined; accessController = new AccessController(configuration, winston); - Assert(accessController.isAccessAllowed("home.test.local", "/", "user1", ["group1", "group2"])); - Assert(accessController.isAccessAllowed("home.test.local", "/abc", "user1", ["group1", "group2"])); - Assert(accessController.isAccessAllowed("home.test.local", "/", "user2", ["group1", "group2"])); - Assert(accessController.isAccessAllowed("admin.test.local", "/", "user3", ["group3"])); + Assert(accessController.isAccessAllowed("home.example.com", "/", "user1", ["group1", "group2"])); + Assert(accessController.isAccessAllowed("home.example.com", "/abc", "user1", ["group1", "group2"])); + Assert(accessController.isAccessAllowed("home.example.com", "/", "user2", ["group1", "group2"])); + Assert(accessController.isAccessAllowed("admin.example.com", "/", "user3", ["group3"])); }); }); diff --git a/test/features/access-control.feature b/test/features/access-control.feature index 1e01e5d46..197619fad 100644 --- a/test/features/access-control.feature +++ b/test/features/access-control.feature 
@@ -2,66 +2,66 @@ Feature: User has access restricted access to domains @need-registered-user-john Scenario: User john has admin access - When I visit "https://auth.test.local:8080?redirect=https%3A%2F%2Fhome.test.local%3A8080%2F" + When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - And I'm redirected to "https://home.test.local:8080/" + And I'm redirected to "https://home.example.com:8080/" Then I have access to: | url | - | https://public.test.local:8080/secret.html | - | https://dev.test.local:8080/groups/admin/secret.html | - | https://dev.test.local:8080/groups/dev/secret.html | - | https://dev.test.local:8080/users/john/secret.html | - | https://dev.test.local:8080/users/harry/secret.html | - | https://dev.test.local:8080/users/bob/secret.html | - | https://admin.test.local:8080/secret.html | - | https://mx1.mail.test.local:8080/secret.html | - | https://single_factor.test.local:8080/secret.html | + | https://public.example.com:8080/secret.html | + | https://dev.example.com:8080/groups/admin/secret.html | + | https://dev.example.com:8080/groups/dev/secret.html | + | https://dev.example.com:8080/users/john/secret.html | + | https://dev.example.com:8080/users/harry/secret.html | + | https://dev.example.com:8080/users/bob/secret.html | + | https://admin.example.com:8080/secret.html | + | https://mx1.mail.example.com:8080/secret.html | + | https://single_factor.example.com:8080/secret.html | And I have no access to: | url | - | https://mx2.mail.test.local:8080/secret.html | + | https://mx2.mail.example.com:8080/secret.html | @need-registered-user-bob Scenario: User bob has restricted access - When I visit "https://auth.test.local:8080?redirect=https%3A%2F%2Fhome.test.local%3A8080%2F" + When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F" And I login with 
user "bob" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - And I'm redirected to "https://home.test.local:8080/" + And I'm redirected to "https://home.example.com:8080/" Then I have access to: | url | - | https://public.test.local:8080/secret.html | - | https://dev.test.local:8080/groups/dev/secret.html | - | https://dev.test.local:8080/users/bob/secret.html | - | https://mx1.mail.test.local:8080/secret.html | - | https://mx2.mail.test.local:8080/secret.html | + | https://public.example.com:8080/secret.html | + | https://dev.example.com:8080/groups/dev/secret.html | + | https://dev.example.com:8080/users/bob/secret.html | + | https://mx1.mail.example.com:8080/secret.html | + | https://mx2.mail.example.com:8080/secret.html | And I have no access to: | url | - | https://dev.test.local:8080/groups/admin/secret.html | - | https://admin.test.local:8080/secret.html | - | https://dev.test.local:8080/users/john/secret.html | - | https://dev.test.local:8080/users/harry/secret.html | - | https://single_factor.test.local:8080/secret.html | + | https://dev.example.com:8080/groups/admin/secret.html | + | https://admin.example.com:8080/secret.html | + | https://dev.example.com:8080/users/john/secret.html | + | https://dev.example.com:8080/users/harry/secret.html | + | https://single_factor.example.com:8080/secret.html | @need-registered-user-harry Scenario: User harry has restricted access - When I visit "https://auth.test.local:8080?redirect=https%3A%2F%2Fhome.test.local%3A8080%2F" + When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F" And I login with user "harry" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - And I'm redirected to "https://home.test.local:8080/" + And I'm redirected to "https://home.example.com:8080/" Then I have access to: | url | - | https://public.test.local:8080/secret.html | - | 
https://dev.test.local:8080/users/harry/secret.html | + | https://public.example.com:8080/secret.html | + | https://dev.example.com:8080/users/harry/secret.html | And I have no access to: | url | - | https://dev.test.local:8080/groups/dev/secret.html | - | https://dev.test.local:8080/users/bob/secret.html | - | https://dev.test.local:8080/groups/admin/secret.html | - | https://admin.test.local:8080/secret.html | - | https://dev.test.local:8080/users/john/secret.html | - | https://mx1.mail.test.local:8080/secret.html | - | https://mx2.mail.test.local:8080/secret.html | - | https://single_factor.test.local:8080/secret.html | \ No newline at end of file + | https://dev.example.com:8080/groups/dev/secret.html | + | https://dev.example.com:8080/users/bob/secret.html | + | https://dev.example.com:8080/groups/admin/secret.html | + | https://admin.example.com:8080/secret.html | + | https://dev.example.com:8080/users/john/secret.html | + | https://mx1.mail.example.com:8080/secret.html | + | https://mx2.mail.example.com:8080/secret.html | + | https://single_factor.example.com:8080/secret.html | \ No newline at end of file diff --git a/test/features/auth-portal-redirection.feature b/test/features/auth-portal-redirection.feature index 988c1d09f..a0fa36235 100644 --- a/test/features/auth-portal-redirection.feature +++ b/test/features/auth-portal-redirection.feature 
@@ -2,33 +2,33 @@ Feature: User is redirected when factors are already validated @need-registered-user-john Scenario: User has validated first factor and tries to access service protected by second factor. He is then redirect to second factor step. - When I visit "https://single_factor.test.local:8080/secret.html" - And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fsingle_factor.test.local%3A8080%2Fsecret.html" + When I visit "https://single_factor.example.com:8080/secret.html" + And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" - And I'm redirected to "https://single_factor.test.local:8080/secret.html" - And I visit "https://public.test.local:8080/secret.html" - Then I'm redirected to "https://auth.test.local:8080/secondfactor?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" + And I'm redirected to "https://single_factor.example.com:8080/secret.html" + And I visit "https://public.example.com:8080/secret.html" + Then I'm redirected to "https://login.example.com:8080/secondfactor?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" @need-registered-user-john Scenario: User who has validated second factor and access auth portal should be redirected to "Already logged in page" and redirected to default URL declared in configuration - When I visit "https://public.test.local:8080/secret.html" - And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" + When I visit "https://public.example.com:8080/secret.html" + And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - And I'm redirected to "https://public.test.local:8080/secret.html" - And I visit 
"https://auth.test.local:8080" - Then I'm redirected to "https://auth.test.local:8080/loggedin" + And I'm redirected to "https://public.example.com:8080/secret.html" + And I visit "https://login.example.com:8080" + Then I'm redirected to "https://login.example.com:8080/loggedin" And I sleep for 5 seconds - And I'm redirected to "https://home.test.local:8080/" + And I'm redirected to "https://home.example.com:8080/" @need-registered-user-john Scenario: User who has validated second factor and access auth portal with rediction param should be redirected to that URL - When I visit "https://public.test.local:8080/secret.html" - And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" + When I visit "https://public.example.com:8080/secret.html" + And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - And I'm redirected to "https://public.test.local:8080/secret.html" - And I visit "https://auth.test.local:8080?redirect=https://public.test.local:8080/secret.html" - Then I'm redirected to "https://public.test.local:8080/secret.html" + And I'm redirected to "https://public.example.com:8080/secret.html" + And I visit "https://login.example.com:8080?redirect=https://public.example.com:8080/secret.html" + Then I'm redirected to "https://public.example.com:8080/secret.html" diff --git a/test/features/authentication.feature b/test/features/authentication.feature index f71794006..79dcfaf43 100644 --- a/test/features/authentication.feature +++ b/test/features/authentication.feature 
@@ -1,38 +1,38 @@ Feature: Authentication scenarii Scenario: User succeeds first factor - Given I visit "https://auth.test.local:8080/" + Given I visit "https://login.example.com:8080/" When I set field "username" to "bob" And I set field "password" to "password" And I click on "Sign in" - Then I'm redirected to "https://auth.test.local:8080/secondfactor" + Then I'm redirected to "https://login.example.com:8080/secondfactor" Scenario: User fails first factor - Given I visit "https://auth.test.local:8080/" + Given I visit "https://login.example.com:8080/" When I set field "username" to "john" And I set field "password" to "bad-password" And I click on "Sign in" Then I get a notification of type "error" with message "Authentication failed. Please check your credentials." Scenario: User registers TOTP secret and succeeds authentication - Given I visit "https://auth.test.local:8080/" + Given I visit "https://login.example.com:8080/" And I login with user "john" and password "password" And I register a TOTP secret called "Sec0" - When I visit "https://admin.test.local:8080/secret.html" - And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html" + When I visit "https://admin.example.com:8080/secret.html" + And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" And I use "Sec0" as TOTP token handle And I click on "Sign in" - Then I'm redirected to "https://admin.test.local:8080/secret.html" + Then I'm redirected to "https://admin.example.com:8080/secret.html" Scenario: User fails TOTP second factor - When I visit "https://admin.test.local:8080/secret.html" - And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html" + When I visit "https://admin.example.com:8080/secret.html" + And I'm redirected to 
"https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" And I use "BADTOKEN" as TOTP token And I click on "Sign in" Then I get a notification of type "error" with message "Authentication failed. Have you already registered your secret?" Scenario: Logout redirects user to redirect URL given in parameter - When I visit "https://auth.test.local:8080/logout?redirect=https://home.test.local:8080/" - Then I'm redirected to "https://home.test.local:8080/" + When I visit "https://login.example.com:8080/logout?redirect=https://home.example.com:8080/" + Then I'm redirected to "https://home.example.com:8080/" diff --git a/test/features/forward-headers.feature b/test/features/forward-headers.feature index a55a81cbc..b5bbc0b5c 100644 --- a/test/features/forward-headers.feature +++ b/test/features/forward-headers.feature @@ -1,11 +1,11 @@ Feature: User and groups headers are correctly forwarded to backend @need-authenticated-user-john Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend - When I visit "https://public.test.local:8080/headers" + When I visit "https://public.example.com:8080/headers" Then I see header "Custom-Forwarded-User" set to "john" Then I see header "Custom-Forwarded-Groups" set to "dev,admin" Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend when basic auth is used - When I request "https://single_factor.test.local:8080/headers" with username "john" and password "password" using basic authentication + When I request "https://single_factor.example.com:8080/headers" with username "john" and password "password" using basic authentication Then I received header "Custom-Forwarded-User" set to "john" And I received header "Custom-Forwarded-Groups" set to "dev,admin" \ No newline at end of file 
diff --git a/test/features/redirection.feature b/test/features/redirection.feature index d6fafe618..978580030 100644 --- a/test/features/redirection.feature +++ b/test/features/redirection.feature 
@@ -1,70 +1,70 @@ Feature: User is correctly redirected Scenario: User is redirected to authelia when he is not authenticated - When I visit "https://public.test.local:8080" - Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2F" + When I visit "https://public.example.com:8080" + Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2F" @need-registered-user-john Scenario: User is redirected to home page after several authentication tries - When I visit "https://public.test.local:8080/secret.html" + When I visit "https://public.example.com:8080/secret.html" And I login with user "john" and password "badpassword" And I wait for notification to disappear And I clear field "username" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - Then I'm redirected to "https://public.test.local:8080/secret.html" + Then I'm redirected to "https://public.example.com:8080/secret.html" Scenario: User Harry does not have access to admin domain and thus he must get an error 403 When I register TOTP and login with user "harry" and password "password" - And I visit "https://admin.test.local:8080/secret.html" + And I visit "https://admin.example.com:8080/secret.html" Then I get an error 403 Scenario: Redirection URL is propagated from restricted page to first factor - When I visit "https://public.test.local:8080/secret.html" - Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" + When I visit "https://public.example.com:8080/secret.html" + Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" Scenario: Redirection URL is propagated from first factor to second factor - Given I visit "https://auth.test.local:8080/" + Given I visit "https://login.example.com:8080/" And I login with user 
"john" and password "password" And I register a TOTP secret called "Sec0" - When I visit "https://public.test.local:8080/secret.html" + When I visit "https://public.example.com:8080/secret.html" And I login with user "john" and password "password" - Then I'm redirected to "https://auth.test.local:8080/secondfactor?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" + Then I'm redirected to "https://login.example.com:8080/secondfactor?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" Scenario: Redirection URL is used to send user from second factor to target page - Given I visit "https://auth.test.local:8080/" + Given I visit "https://login.example.com:8080/" And I login with user "john" and password "password" And I register a TOTP secret called "Sec0" - When I visit "https://public.test.local:8080/secret.html" + When I visit "https://public.example.com:8080/secret.html" And I login with user "john" and password "password" And I use "Sec0" as TOTP token handle And I click on "Sign in" - Then I'm redirected to "https://public.test.local:8080/secret.html" + Then I'm redirected to "https://public.example.com:8080/secret.html" @need-registered-user-john Scenario: User is redirected to default URL defined in configuration when authentication is successful - When I visit "https://auth.test.local:8080" + When I visit "https://login.example.com:8080" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - Then I'm redirected to "https://home.test.local:8080/" + Then I'm redirected to "https://home.example.com:8080/" Scenario: User is redirected when hitting an error 401 - When I visit "https://auth.test.local:8080/secondfactor/u2f/identity/finish" - Then I'm redirected to "https://auth.test.local:8080/error/401" + When I visit "https://login.example.com:8080/secondfactor/u2f/identity/finish" + Then I'm redirected to "https://login.example.com:8080/error/401" And I sleep for 5 
seconds - And I'm redirected to "https://home.test.local:8080/" + And I'm redirected to "https://home.example.com:8080/" @need-registered-user-harry Scenario: User is redirected when hitting an error 403 - When I visit "https://auth.test.local:8080" + When I visit "https://login.example.com:8080" And I login with user "harry" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - And I'm redirected to "https://home.test.local:8080/" - When I visit "https://admin.test.local:8080/secret.html" - Then I'm redirected to "https://auth.test.local:8080/error/403" + And I'm redirected to "https://home.example.com:8080/" + When I visit "https://admin.example.com:8080/secret.html" + Then I'm redirected to "https://login.example.com:8080/error/403" And I sleep for 5 seconds - And I'm redirected to "https://home.test.local:8080/" \ No newline at end of file + And I'm redirected to "https://home.example.com:8080/" \ No newline at end of file diff --git a/test/features/registration.feature b/test/features/registration.feature index 1f0d5e83e..c1c92b52f 100644 --- a/test/features/registration.feature +++ b/test/features/registration.feature @@ -1,14 +1,14 @@ Feature: Register secret for second factor Scenario: Register a TOTP secret with correct label and issuer - Given I visit "https://auth.test.local:8080/" + Given I visit "https://login.example.com:8080/" And I login with user "john" and password "password" When I register a TOTP secret called "Sec0" Then the otpauth url has label "john" and issuer "authelia.com" @needs-totp_issuer-config Scenario: Register a TOTP secret with correct label and custom issuer - Given I visit "https://auth.test.local:8080/" + Given I visit "https://login.example.com:8080/" And I login with user "john" and password "password" When I register a TOTP secret called "Sec0" Then the otpauth url has label "john" and issuer "custom.com" \ No newline at end of file 
diff --git a/test/features/regulation.feature b/test/features/regulation.feature index fb8b99580..48d5849cc 100644 --- a/test/features/regulation.feature +++ b/test/features/regulation.feature @@ -3,7 +3,7 @@ Feature: Authelia regulates authentication to avoid brute force @need-registered-user-blackhat Scenario: Attacker tries too many authentication in a short period of time and get banned - Given I visit "https://auth.test.local:8080/" + Given I visit "https://login.example.com:8080/" And I set field "username" to "blackhat" And I set field "password" to "bad-password" And I click on "Sign in" @@ -20,7 +20,7 @@ Feature: Authelia regulates authentication to avoid brute force @need-registered-user-blackhat Scenario: User is unbanned after a configured amount of time - Given I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" + Given I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" And I set field "username" to "blackhat" And I set field "password" to "bad-password" And I click on "Sign in" @@ -36,4 +36,4 @@ Feature: Authelia regulates authentication to avoid brute force And I click on "Sign in" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - Then I'm redirected to "https://public.test.local:8080/secret.html" \ No newline at end of file + Then I'm redirected to "https://public.example.com:8080/secret.html" \ No newline at end of file diff --git a/test/features/reset-password.feature b/test/features/reset-password.feature index ba893f655..33cf93b17 100644 --- a/test/features/reset-password.feature +++ b/test/features/reset-password.feature 
@@ -1,35 +1,35 @@ Feature: User is able to reset his password Scenario: User is redirected to password reset page - Given I'm on https://auth.test.local:8080 + Given I'm on https://login.example.com:8080 When I click on the link "Forgot password?" - Then I'm redirected to "https://auth.test.local:8080/password-reset/request" + Then I'm redirected to "https://login.example.com:8080/password-reset/request" Scenario: User get an email with a link to reset password - Given I'm on https://auth.test.local:8080/password-reset/request + Given I'm on https://login.example.com:8080/password-reset/request When I set field "username" to "james" And I click on "Reset Password" Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password." Scenario: Request password for unexisting user should behave like existing user - Given I'm on https://auth.test.local:8080/password-reset/request + Given I'm on https://login.example.com:8080/password-reset/request When I set field "username" to "fake_user" And I click on "Reset Password" Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password." 
Scenario: User resets his password - Given I'm on https://auth.test.local:8080/password-reset/request + Given I'm on https://login.example.com:8080/password-reset/request And I set field "username" to "james" And I click on "Reset Password" When I click on the link of the email And I set field "password1" to "newpassword" And I set field "password2" to "newpassword" And I click on "Reset Password" - Then I'm redirected to "https://auth.test.local:8080/" + Then I'm redirected to "https://login.example.com:8080/" Scenario: User does not confirm new password - Given I'm on https://auth.test.local:8080/password-reset/request + Given I'm on https://login.example.com:8080/password-reset/request And I set field "username" to "james" And I click on "Reset Password" When I click on the link of the email diff --git a/test/features/resilience.feature b/test/features/resilience.feature index 8debd46c1..fb1806326 100644 --- a/test/features/resilience.feature +++ b/test/features/resilience.feature 
@@ -5,13 +5,13 @@ Feature: Authelia keeps user sessions despite the application restart When the application restarts Then I have access to: | url | - | https://admin.test.local:8080/secret.html | + | https://admin.example.com:8080/secret.html | @need-registered-user-john Scenario: Secrets are stored even when Authelia restarts When the application restarts - And I visit "https://admin.test.local:8080/secret.html" and get redirected "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html" + And I visit "https://admin.example.com:8080/secret.html" and get redirected "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html" And I login with user "john" and password "password" And I use "REGISTERED" as TOTP token handle And I click on "Sign in" - Then I'm redirected to "https://admin.test.local:8080/secret.html" \ No newline at end of file + Then I'm redirected to "https://admin.example.com:8080/secret.html" \ No newline at end of file diff --git a/test/features/restrictions.feature b/test/features/restrictions.feature index ab72b6d82..2e33371d1 100644 --- a/test/features/restrictions.feature +++ b/test/features/restrictions.feature 
@@ -3,35 +3,35 @@ Feature: Non authenticated users have no access to certain pages Scenario: Anonymous user has no access to protected pages Then I get the following status code when requesting: | url | code | method | - | https://auth.test.local:8080/secondfactor | 401 | GET | - | https://auth.test.local:8080/secondfactor/u2f/identity/start | 401 | GET | - | https://auth.test.local:8080/secondfactor/u2f/identity/finish | 401 | GET | - | https://auth.test.local:8080/secondfactor/totp/identity/start | 401 | GET | - | https://auth.test.local:8080/secondfactor/totp/identity/finish | 401 | GET | - | https://auth.test.local:8080/loggedin | 401 | GET | - | https://auth.test.local:8080/api/totp | 401 | POST | - | https://auth.test.local:8080/api/u2f/sign_request | 401 | GET | - | https://auth.test.local:8080/api/u2f/sign | 401 | POST | - | https://auth.test.local:8080/api/u2f/register_request | 401 | GET | - | https://auth.test.local:8080/api/u2f/register | 401 | POST | + | https://login.example.com:8080/secondfactor | 401 | GET | + | https://login.example.com:8080/secondfactor/u2f/identity/start | 401 | GET | + | https://login.example.com:8080/secondfactor/u2f/identity/finish | 401 | GET | + | https://login.example.com:8080/secondfactor/totp/identity/start | 401 | GET | + | https://login.example.com:8080/secondfactor/totp/identity/finish | 401 | GET | + | https://login.example.com:8080/loggedin | 401 | GET | + | https://login.example.com:8080/api/totp | 401 | POST | + | https://login.example.com:8080/api/u2f/sign_request | 401 | GET | + | https://login.example.com:8080/api/u2f/sign | 401 | POST | + | https://login.example.com:8080/api/u2f/register_request | 401 | GET | + | https://login.example.com:8080/api/u2f/register | 401 | POST | @needs-single_factor-config @need-registered-user-john Scenario: User does not have acces to second factor related endpoints when in single factor mode - Given I post "https://auth.test.local:8080/api/firstfactor" with body: + Given I post 
"https://login.example.com:8080/api/firstfactor" with body: | key | value | | username | john | | password | password | Then I get the following status code when requesting: | url | code | method | - | https://auth.test.local:8080/secondfactor | 401 | GET | - | https://auth.test.local:8080/secondfactor/u2f/identity/start | 401 | GET | - | https://auth.test.local:8080/secondfactor/u2f/identity/finish | 401 | GET | - | https://auth.test.local:8080/secondfactor/totp/identity/start | 401 | GET | - | https://auth.test.local:8080/secondfactor/totp/identity/finish | 401 | GET | - | https://auth.test.local:8080/api/totp | 401 | POST | - | https://auth.test.local:8080/api/u2f/sign_request | 401 | GET | - | https://auth.test.local:8080/api/u2f/sign | 401 | POST | - | https://auth.test.local:8080/api/u2f/register_request | 401 | GET | - | https://auth.test.local:8080/api/u2f/register | 401 | POST | \ No newline at end of file + | https://login.example.com:8080/secondfactor | 401 | GET | + | https://login.example.com:8080/secondfactor/u2f/identity/start | 401 | GET | + | https://login.example.com:8080/secondfactor/u2f/identity/finish | 401 | GET | + | https://login.example.com:8080/secondfactor/totp/identity/start | 401 | GET | + | https://login.example.com:8080/secondfactor/totp/identity/finish | 401 | GET | + | https://login.example.com:8080/api/totp | 401 | POST | + | https://login.example.com:8080/api/u2f/sign_request | 401 | GET | + | https://login.example.com:8080/api/u2f/sign | 401 | POST | + | https://login.example.com:8080/api/u2f/register_request | 401 | GET | + | https://login.example.com:8080/api/u2f/register | 401 | POST | \ No newline at end of file diff --git a/test/features/session-timeout.feature b/test/features/session-timeout.feature index ebf429a42..c9947e5f8 100644 --- a/test/features/session-timeout.feature +++ b/test/features/session-timeout.feature 
@@ -5,20 +5,20 @@ Feature: Session is closed after a certain amount of time Scenario: An authenticated user is disconnected after a certain inactivity period Given I have access to: | url | - | https://public.test.local:8080/secret.html | + | https://public.example.com:8080/secret.html | When I sleep for 6 seconds - And I visit "https://public.test.local:8080/secret.html" - Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" + And I visit "https://public.example.com:8080/secret.html" + Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" @need-authenticated-user-john Scenario: An authenticated user is disconnected after session expiration period Given I have access to: | url | - | https://public.test.local:8080/secret.html | + | https://public.example.com:8080/secret.html | When I sleep for 4 seconds - And I visit "https://public.test.local:8080/secret.html" + And I visit "https://public.example.com:8080/secret.html" And I sleep for 4 seconds - And I visit "https://public.test.local:8080/secret.html" + And I visit "https://public.example.com:8080/secret.html" And I sleep for 4 seconds - And I visit "https://public.test.local:8080/secret.html" - Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" \ No newline at end of file + And I visit "https://public.example.com:8080/secret.html" + Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html" \ No newline at end of file diff --git a/test/features/single-factor-domain.feature b/test/features/single-factor-domain.feature index f15d9c4cd..ff2ec279e 100644 --- a/test/features/single-factor-domain.feature +++ b/test/features/single-factor-domain.feature 
@@ -1,15 +1,15 @@
 Feature: User can access certain subdomains with single factor
 
 Scenario: User is redirected to service after first factor if allowed
- When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fsingle_factor.test.local%3A8080%2Fsecret.html"
+ When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html"
 And I login with user "john" and password "password"
- Then I'm redirected to "https://single_factor.test.local:8080/secret.html"
+ Then I'm redirected to "https://single_factor.example.com:8080/secret.html"
 
 Scenario: Redirection after first factor fails if single_factor not allowed. It redirects user to first factor.
- When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html"
+ When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
 And I login with user "john" and password "password"
- Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html"
+ Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
 
 Scenario: User can login using basic authentication
- When I request "https://single_factor.test.local:8080/secret.html" with username "john" and password "password" using basic authentication
+ When I request "https://single_factor.example.com:8080/secret.html" with username "john" and password "password" using basic authentication
 Then I receive the secret page
\ No newline at end of file
diff --git a/test/features/single-factor-only-server.feature b/test/features/single-factor-only-server.feature
index b52c03aca..e6b8b9f08 100644
--- a/test/features/single-factor-only-server.feature
+++ b/test/features/single-factor-only-server.feature
@@ -3,14 +3,14 @@ Feature: Server is configured as a single factor only server
 @need-registered-user-john
 Scenario: User is redirected to service after first factor if allowed
- When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
+ When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
 And I login with user "john" and password "password"
- Then I'm redirected to "https://public.test.local:8080/secret.html"
+ Then I'm redirected to "https://public.example.com:8080/secret.html"
 
 @need-registered-user-john
 Scenario: User is correctly redirected according to default redirection URL
- When I visit "https://auth.test.local:8080"
+ When I visit "https://login.example.com:8080"
 And I login with user "john" and password "password"
- Then I'm redirected to "https://auth.test.local:8080/loggedin"
+ Then I'm redirected to "https://login.example.com:8080/loggedin"
 And I sleep for 5 seconds
- Then I'm redirected to "https://home.test.local:8080/"
+ Then I'm redirected to "https://home.example.com:8080/"
diff --git a/test/features/step_definitions/hooks.ts b/test/features/step_definitions/hooks.ts
index afef2bda8..0123a5666 100644
--- a/test/features/step_definitions/hooks.ts
+++ b/test/features/step_definitions/hooks.ts
@@ -55,7 +55,9 @@ Cucumber.defineSupportCode(function ({ After, Before }) {
 Before({ tags: "@needs-" + tag + "-config", timeout: 20 * 1000 }, function () {
 return cb()
 .then(function () {
- return exec("./scripts/example-commit/dc-example.sh -f docker-compose.test.yml up -d authelia && sleep 1");
+ return exec("./scripts/example-commit/dc-example.sh -f " +
+ "./example/authelia/docker-compose.test.yml up -d authelia &&" +
+ " sleep 1");
 })
 });
 
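Review bot: The rewritten command in the `Before` hook still ends with `&& sleep 1`, so the hook assumes the freshly (re)started authelia container is serving requests one second after `docker-compose up -d`; when startup takes longer, the first scenario carrying the `@needs-<tag>-config` tag runs against a service that is still booting and fails for reasons unrelated to the config under test. Since the compose file path is being changed here anyway, this is a good moment to replace the fixed sleep with a readiness poll that the hook's 20-second `timeout` already bounds, for example `... up -d authelia && until curl -sk -o /dev/null https://login.example.com:8080/; do sleep 1; done`. The `-k` is only acceptable because this dev stack presents the self-signed certificate the README describes; it must not be copied into anything production-facing. The `Before` registration closes over `cb` and `tag`, which are defined outside the hunk.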
@@ -100,9 +102,9 @@ Cucumber.defineSupportCode(function ({ After, Before }) {
 }
 
 function needAuthenticatedUser(context: any, username: string): BluebirdPromise {
- return context.visit("https://auth.test.local:8080/logout")
+ return context.visit("https://login.example.com:8080/logout")
 .then(function () {
- return context.visit("https://auth.test.local:8080/");
+ return context.visit("https://login.example.com:8080/");
 })
 .then(function () {
 return registerUser(context, username);
diff --git a/test/features/support/world.ts b/test/features/support/world.ts
index ce63e76e8..32f3ce396 100644
--- a/test/features/support/world.ts
+++ b/test/features/support/world.ts
@@ -152,7 +152,7 @@ function CustomWorld() {
 this.registerTotpAndSignin = function (username: string, password: string) {
 const totpHandle = "HANDLE";
- const authUrl = "https://auth.test.local:8080/";
+ const authUrl = "https://login.example.com:8080/";
 const that = this;
 return this.visit(authUrl)
 .then(function () {