Change domain from test.local to example.com
Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work.pull/197/head
parent
bbbffaa3ae
commit
a8974a9d8e
16
.travis.yml
16
.travis.yml
|
@ -15,14 +15,14 @@ addons:
|
||||||
- libgif-dev
|
- libgif-dev
|
||||||
- google-chrome-stable
|
- google-chrome-stable
|
||||||
hosts:
|
hosts:
|
||||||
- admin.test.local
|
- admin.example.com
|
||||||
- auth.test.local
|
- login.example.com
|
||||||
- single_factor.test.local
|
- single_factor.example.com
|
||||||
- dev.test.local
|
- dev.example.com
|
||||||
- home.test.local
|
- home.example.com
|
||||||
- mx1.mail.test.local
|
- mx1.mail.example.com
|
||||||
- mx2.mail.test.local
|
- mx2.mail.example.com
|
||||||
- public.test.local
|
- public.example.com
|
||||||
|
|
||||||
before_install:
|
before_install:
|
||||||
- npm install -g npm@'>=2.13.5'
|
- npm install -g npm@'>=2.13.5'
|
||||||
|
|
18
README.md
18
README.md
|
@ -95,14 +95,14 @@ Make sure you don't have anything listening on port 8080 (webserver) and 8085 (w
|
||||||
|
|
||||||
Add the following lines to your **/etc/hosts** to alias multiple subdomains so that nginx can redirect request to the correct virtual host.
|
Add the following lines to your **/etc/hosts** to alias multiple subdomains so that nginx can redirect request to the correct virtual host.
|
||||||
|
|
||||||
127.0.0.1 home.test.local
|
127.0.0.1 home.example.com
|
||||||
127.0.0.1 public.test.local
|
127.0.0.1 public.example.com
|
||||||
127.0.0.1 dev.test.local
|
127.0.0.1 dev.example.com
|
||||||
127.0.0.1 admin.test.local
|
127.0.0.1 admin.example.com
|
||||||
127.0.0.1 mx1.mail.test.local
|
127.0.0.1 mx1.mail.example.com
|
||||||
127.0.0.1 mx2.mail.test.local
|
127.0.0.1 mx2.mail.example.com
|
||||||
127.0.0.1 single_factor.test.local
|
127.0.0.1 single_factor.example.com
|
||||||
127.0.0.1 auth.test.local
|
127.0.0.1 login.example.com
|
||||||
|
|
||||||
### Run it!
|
### Run it!
|
||||||
|
|
||||||
|
@ -118,7 +118,7 @@ Use provided container on [DockerHub](https://hub.docker.com/r/clems4ever/authel
|
||||||
./scripts/example-dockerhub/deploy-example.sh
|
./scripts/example-dockerhub/deploy-example.sh
|
||||||
|
|
||||||
After few seconds the services should be running and you should be able to visit
|
After few seconds the services should be running and you should be able to visit
|
||||||
[https://home.test.local:8080/](https://home.test.local:8080/).
|
[https://home.example.com:8080/](https://home.example.com:8080/).
|
||||||
|
|
||||||
When accessing the login page, a self-signed certificate exception should appear,
|
When accessing the login page, a self-signed certificate exception should appear,
|
||||||
it has to be trusted before you can get to the target page. The certificate
|
it has to be trusted before you can get to the target page. The certificate
|
||||||
|
|
|
@ -20,7 +20,7 @@ logs_level: debug
|
||||||
#
|
#
|
||||||
# Note: this parameter is optional. If not provided, user won't
|
# Note: this parameter is optional. If not provided, user won't
|
||||||
# be redirected upon successful authentication.
|
# be redirected upon successful authentication.
|
||||||
default_redirection_url: https://home.test.local:8080/
|
default_redirection_url: https://home.example.com:8080/
|
||||||
|
|
||||||
# LDAP configuration
|
# LDAP configuration
|
||||||
#
|
#
|
||||||
|
@ -77,7 +77,7 @@ ldap:
|
||||||
authentication_methods:
|
authentication_methods:
|
||||||
default_method: two_factor
|
default_method: two_factor
|
||||||
per_subdomain_methods:
|
per_subdomain_methods:
|
||||||
single_factor.test.local: single_factor
|
single_factor.example.com: single_factor
|
||||||
|
|
||||||
# Access Control
|
# Access Control
|
||||||
#
|
#
|
||||||
|
@ -120,7 +120,7 @@ access_control:
|
||||||
# The rules that apply to anyone.
|
# The rules that apply to anyone.
|
||||||
# The value is a list of rules.
|
# The value is a list of rules.
|
||||||
any:
|
any:
|
||||||
- domain: public.test.local
|
- domain: public.example.com
|
||||||
policy: allow
|
policy: allow
|
||||||
|
|
||||||
# Group-based rules. The key is a group name and the value
|
# Group-based rules. The key is a group name and the value
|
||||||
|
@ -128,13 +128,13 @@ access_control:
|
||||||
groups:
|
groups:
|
||||||
admin:
|
admin:
|
||||||
# All resources in all domains
|
# All resources in all domains
|
||||||
- domain: '*.test.local'
|
- domain: '*.example.com'
|
||||||
policy: allow
|
policy: allow
|
||||||
# Except mx2.mail.test.local (it restricts the first rule)
|
# Except mx2.mail.example.com (it restricts the first rule)
|
||||||
- domain: 'mx2.mail.test.local'
|
- domain: 'mx2.mail.example.com'
|
||||||
policy: deny
|
policy: deny
|
||||||
dev:
|
dev:
|
||||||
- domain: dev.test.local
|
- domain: dev.example.com
|
||||||
policy: allow
|
policy: allow
|
||||||
resources:
|
resources:
|
||||||
- '^/groups/dev/.*$'
|
- '^/groups/dev/.*$'
|
||||||
|
@ -143,19 +143,19 @@ access_control:
|
||||||
# is a list of rules.
|
# is a list of rules.
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
- domain: dev.test.local
|
- domain: dev.example.com
|
||||||
policy: allow
|
policy: allow
|
||||||
resources:
|
resources:
|
||||||
- '^/users/john/.*$'
|
- '^/users/john/.*$'
|
||||||
harry:
|
harry:
|
||||||
- domain: dev.test.local
|
- domain: dev.example.com
|
||||||
policy: allow
|
policy: allow
|
||||||
resources:
|
resources:
|
||||||
- '^/users/harry/.*$'
|
- '^/users/harry/.*$'
|
||||||
bob:
|
bob:
|
||||||
- domain: '*.mail.test.local'
|
- domain: '*.mail.example.com'
|
||||||
policy: allow
|
policy: allow
|
||||||
- domain: 'dev.test.local'
|
- domain: 'dev.example.com'
|
||||||
policy: allow
|
policy: allow
|
||||||
resources:
|
resources:
|
||||||
- '^/users/bob/.*$'
|
- '^/users/bob/.*$'
|
||||||
|
@ -177,7 +177,7 @@ session:
|
||||||
# The domain to protect.
|
# The domain to protect.
|
||||||
# Note: the authenticator must also be in that domain. If empty, the cookie
|
# Note: the authenticator must also be in that domain. If empty, the cookie
|
||||||
# is restricted to the subdomain of the issuer.
|
# is restricted to the subdomain of the issuer.
|
||||||
domain: test.local
|
domain: example.com
|
||||||
|
|
||||||
# The redis connection details
|
# The redis connection details
|
||||||
redis:
|
redis:
|
||||||
|
|
|
@ -5,7 +5,6 @@ services:
|
||||||
restart: always
|
restart: always
|
||||||
volumes:
|
volumes:
|
||||||
- ./config.template.yml:/etc/authelia/config.yml:ro
|
- ./config.template.yml:/etc/authelia/config.yml:ro
|
||||||
- ./notifications:/var/lib/authelia/notifications
|
|
||||||
environment:
|
environment:
|
||||||
- NODE_TLS_REJECT_UNAUTHORIZED=0
|
- NODE_TLS_REJECT_UNAUTHORIZED=0
|
||||||
depends_on:
|
depends_on:
|
|
@ -3,6 +3,6 @@ services:
|
||||||
nginx-authelia:
|
nginx-authelia:
|
||||||
image: nginx:alpine
|
image: nginx:alpine
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
|
- ./example/nginx/authelia/nginx.conf:/etc/nginx/nginx.conf
|
||||||
networks:
|
networks:
|
||||||
- example-network
|
- example-network
|
||||||
|
|
|
@ -1,21 +1,5 @@
|
||||||
# nginx-sso - example nginx config
|
|
||||||
#
|
|
||||||
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
|
|
||||||
#
|
|
||||||
# This is an example config for using nginx with the nginx-sso cookie system.
|
|
||||||
# For simplicity, this config sets up two fictional vhosts that you can use to
|
|
||||||
# test against both components of the nginx-sso system: ssoauth & ssologin.
|
|
||||||
# In a real deployment, these vhosts would be separate hosts.
|
|
||||||
|
|
||||||
#user nobody;
|
|
||||||
worker_processes 1;
|
worker_processes 1;
|
||||||
|
|
||||||
#error_log logs/error.log;
|
|
||||||
#error_log logs/error.log notice;
|
|
||||||
#error_log logs/error.log info;
|
|
||||||
|
|
||||||
#pid logs/nginx.pid;
|
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
@ -23,31 +7,15 @@ events {
|
||||||
|
|
||||||
http {
|
http {
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 80;
|
||||||
server_name auth.test.local;
|
|
||||||
|
|
||||||
ssl on;
|
resolver 127.0.0.11 ipv6=off;
|
||||||
ssl_certificate /etc/ssl/server.crt;
|
set $upstream_endpoint http://authelia;
|
||||||
ssl_certificate_key /etc/ssl/server.key;
|
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
proxy_pass http://authelia/;
|
proxy_pass $upstream_endpoint;
|
||||||
|
|
||||||
proxy_intercept_errors on;
|
|
||||||
|
|
||||||
if ($request_method !~ ^(POST)$){
|
|
||||||
error_page 401 = /error/401;
|
|
||||||
error_page 403 = /error/403;
|
|
||||||
error_page 404 = /error/404;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,6 +5,6 @@
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
This is a very important secret!<br/>
|
This is a very important secret!<br/>
|
||||||
Go back to <a href="https://home.test.local:8080/">home page</a>.
|
Go back to <a href="https://home.example.com:8080/">home page</a>.
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
|
@ -1,10 +0,0 @@
|
||||||
<html>
|
|
||||||
<head>
|
|
||||||
<title>Secret</title>
|
|
||||||
<link rel="icon" href="/icon.png" type="image/png" />
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
This is a very important secret!<br/>
|
|
||||||
Go back to <a href="https://home.test.local:8080/">home page</a>.
|
|
||||||
</body>
|
|
||||||
</html>
|
|
|
@ -1,10 +0,0 @@
|
||||||
<html>
|
|
||||||
<head>
|
|
||||||
<title>Secret</title>
|
|
||||||
<link rel="icon" href="/icon.png" type="image/png" />
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
This is a very important secret!<br/>
|
|
||||||
Go back to <a href="https://home.test.local:8080/">home page</a>.
|
|
||||||
</body>
|
|
||||||
</html>
|
|
|
@ -5,6 +5,6 @@
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
This is a very important secret!<br/>
|
This is a very important secret!<br/>
|
||||||
Go back to <a href="https://home.test.local:8080/">home page</a>.
|
Go back to <a href="https://home.example.com:8080/">home page</a>.
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
|
@ -5,6 +5,6 @@
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
This is a very important secret!<br/>
|
This is a very important secret!<br/>
|
||||||
Go back to <a href="https://home.test.local:8080/">home page</a>.
|
Go back to <a href="https://home.example.com:8080/">home page</a>.
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
|
@ -5,6 +5,6 @@
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
This is a very important secret!<br/>
|
This is a very important secret!<br/>
|
||||||
Go back to <a href="https://home.test.local:8080/">home page</a>.
|
Go back to <a href="https://home.example.com:8080/">home page</a>.
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
|
@ -0,0 +1,10 @@
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Secret</title>
|
||||||
|
<link rel="icon" href="/icon.png" type="image/png" />
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
This is a very important secret!<br/>
|
||||||
|
Go back to <a href="https://home.example.com:8080/">home page</a>.
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -0,0 +1,10 @@
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Secret</title>
|
||||||
|
<link rel="icon" href="/icon.png" type="image/png" />
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
This is a very important secret!<br/>
|
||||||
|
Go back to <a href="https://home.example.com:8080/">home page</a>.
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -12,51 +12,51 @@
|
||||||
one of the following links to test access control powered by Authelia.<br/>
|
one of the following links to test access control powered by Authelia.<br/>
|
||||||
<ul>
|
<ul>
|
||||||
<li>
|
<li>
|
||||||
public.test.local <a href="https://public.test.local:8080/"> / index.html</a>
|
public.example.com <a href="https://public.example.com:8080/"> / index.html</a>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
secret.test.local
|
secret.example.com
|
||||||
<ul>
|
<ul>
|
||||||
<li>Groups
|
<li>Groups
|
||||||
<ul>
|
<ul>
|
||||||
<li>
|
<li>
|
||||||
<a href="https://dev.test.local:8080/groups/admin/secret.html"> / groups / admins / secret.html</a>
|
<a href="https://dev.example.com:8080/groups/admin/secret.html"> / groups / admins / secret.html</a>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<a href="https://dev.test.local:8080/groups/dev/secret.html"> / groups / dev / secret.html</a>
|
<a href="https://dev.example.com:8080/groups/dev/secret.html"> / groups / dev / secret.html</a>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li>Users
|
<li>Users
|
||||||
<ul>
|
<ul>
|
||||||
<li>
|
<li>
|
||||||
<a href="https://dev.test.local:8080/users/john/secret.html"> / users / john / secret.html</a>
|
<a href="https://dev.example.com:8080/users/john/secret.html"> / users / john / secret.html</a>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<a href="https://dev.test.local:8080/users/harry/secret.html"> / users / harry / secret.html</a>
|
<a href="https://dev.example.com:8080/users/harry/secret.html"> / users / harry / secret.html</a>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<a href="https://dev.test.local:8080/users/bob/secret.html"> / users / bob / secret.html</a>
|
<a href="https://dev.example.com:8080/users/bob/secret.html"> / users / bob / secret.html</a>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
admin.test.local <a href="https://admin.test.local:8080/secret.html"> / secret.html</a>
|
admin.example.com <a href="https://admin.example.com:8080/secret.html"> / secret.html</a>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
mx1.main.test.local <a href="https://mx1.mail.test.local:8080/secret.html"> / secret.html</a>
|
mx1.main.example.com <a href="https://mx1.mail.example.com:8080/secret.html"> / secret.html</a>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
mx2.main.test.local <a href="https://mx2.mail.test.local:8080/secret.html"> / secret.html</a>
|
mx2.main.example.com <a href="https://mx2.mail.example.com:8080/secret.html"> / secret.html</a>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
single_factor.test.local <a href="https://single_factor.test.local:8080/secret.html"> / secret.html</a>
|
single_factor.example.com <a href="https://single_factor.example.com:8080/secret.html"> / secret.html</a>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
You can also log off by visiting the following <a href="https://auth.test.local:8080/logout?redirect=https://home.test.local:8080/">link</a>.
|
You can also log off by visiting the following <a href="https://login.example.com:8080/logout?redirect=https://home.example.com:8080/">link</a>.
|
||||||
|
|
||||||
<h1>List of users</h1>
|
<h1>List of users</h1>
|
||||||
Here is the list of credentials you can log in with to test access control.<br/>
|
Here is the list of credentials you can log in with to test access control.<br/>
|
||||||
|
@ -84,7 +84,7 @@ default_policy: deny
|
||||||
# The value is a list of rules.
|
# The value is a list of rules.
|
||||||
|
|
||||||
any:
|
any:
|
||||||
- domain: public.test.local
|
- domain: public.example.com
|
||||||
policy: allow
|
policy: allow
|
||||||
|
|
||||||
# Group-based rules. The key is a group name and the value
|
# Group-based rules. The key is a group name and the value
|
||||||
|
@ -93,13 +93,13 @@ any:
|
||||||
groups:
|
groups:
|
||||||
admin:
|
admin:
|
||||||
# All resources in all domains
|
# All resources in all domains
|
||||||
- domain: '*.test.local'
|
- domain: '*.example.com'
|
||||||
policy: allow
|
policy: allow
|
||||||
# Except mx2.mail.test.local (it restricts the first rule)
|
# Except mx2.mail.example.com (it restricts the first rule)
|
||||||
- domain: 'mx2.mail.test.local'
|
- domain: 'mx2.mail.example.com'
|
||||||
policy: deny
|
policy: deny
|
||||||
dev:
|
dev:
|
||||||
- domain: dev.test.local
|
- domain: dev.example.com
|
||||||
policy: allow
|
policy: allow
|
||||||
resources:
|
resources:
|
||||||
- '^/groups/dev/.*$'
|
- '^/groups/dev/.*$'
|
||||||
|
@ -109,23 +109,23 @@ groups:
|
||||||
|
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
- domain: dev.test.local
|
- domain: dev.example.com
|
||||||
policy: allow
|
policy: allow
|
||||||
resources:
|
resources:
|
||||||
- '^/users/john/.*$'
|
- '^/users/john/.*$'
|
||||||
harry:
|
harry:
|
||||||
- domain: dev.test.local
|
- domain: dev.example.com
|
||||||
policy: allow
|
policy: allow
|
||||||
resources:
|
resources:
|
||||||
- '^/users/harry/.*$'
|
- '^/users/harry/.*$'
|
||||||
bob:
|
bob:
|
||||||
- domain: '*.mail.test.local'
|
- domain: '*.mail.example.com'
|
||||||
policy: allow
|
policy: allow
|
||||||
- domain: 'dev.test.local'
|
- domain: 'dev.example.com'
|
||||||
policy: allow
|
policy: allow
|
||||||
resources:
|
resources:
|
||||||
- '^/users/bob/.*$'
|
- '^/users/bob/.*$'
|
||||||
- domain: 'dev.test.local'
|
- domain: 'dev.example.com'
|
||||||
policy: allow
|
policy: allow
|
||||||
resources:
|
resources:
|
||||||
- '^/users/harry/.*$'</pre>
|
- '^/users/harry/.*$'</pre>
|
|
@ -1,10 +0,0 @@
|
||||||
<html>
|
|
||||||
<head>
|
|
||||||
<title>Secret</title>
|
|
||||||
<link rel="icon" href="/icon.png" type="image/png" />
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
This is a very important secret!<br/>
|
|
||||||
Go back to <a href="https://home.test.local:8080/">home page</a>.
|
|
||||||
</body>
|
|
||||||
</html>
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Secret</title>
|
||||||
|
<link rel="icon" href="/icon.png" type="image/png" />
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
This is a very important secret!<br/>
|
||||||
|
Go back to <a href="https://home.example.com:8080/">home page</a>.
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -1,10 +0,0 @@
|
||||||
<html>
|
|
||||||
<head>
|
|
||||||
<title>Secret</title>
|
|
||||||
<link rel="icon" href="/icon.png" type="image/png" />
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
This is a very important secret!<br/>
|
|
||||||
Go back to <a href="https://home.test.local:8080/">home page</a>.
|
|
||||||
</body>
|
|
||||||
</html>
|
|
|
@ -7,7 +7,7 @@
|
||||||
<body>
|
<body>
|
||||||
<h1>Public resource</h1>
|
<h1>Public resource</h1>
|
||||||
<p>This is a public resource.<br/>
|
<p>This is a public resource.<br/>
|
||||||
Go back to <a href="https://home.test.local:8080/">home page</a>.
|
Go back to <a href="https://home.example.com:8080/">home page</a>.
|
||||||
</p>
|
</p>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
|
@ -0,0 +1,10 @@
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Secret</title>
|
||||||
|
<link rel="icon" href="/icon.png" type="image/png" />
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
This is a very important secret!<br/>
|
||||||
|
Go back to <a href="https://home.example.com:8080/">home page</a>.
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -1,10 +0,0 @@
|
||||||
<html>
|
|
||||||
<head>
|
|
||||||
<title>Secret</title>
|
|
||||||
<link rel="icon" href="/icon.png" type="image/png" />
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
This is a very important secret!<br/>
|
|
||||||
Go back to <a href="https://home.test.local:8080/">home page</a>.
|
|
||||||
</body>
|
|
||||||
</html>
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Secret</title>
|
||||||
|
<link rel="icon" href="/icon.png" type="image/png" />
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
This is a very important secret!<br/>
|
||||||
|
Go back to <a href="https://home.example.com:8080/">home page</a>.
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -1,21 +1,5 @@
|
||||||
# nginx-sso - example nginx config
|
|
||||||
#
|
|
||||||
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
|
|
||||||
#
|
|
||||||
# This is an example config for using nginx with the nginx-sso cookie system.
|
|
||||||
# For simplicity, this config sets up two fictional vhosts that you can use to
|
|
||||||
# test against both components of the nginx-sso system: ssoauth & ssologin.
|
|
||||||
# In a real deployment, these vhosts would be separate hosts.
|
|
||||||
|
|
||||||
#user nobody;
|
|
||||||
worker_processes 1;
|
worker_processes 1;
|
||||||
|
|
||||||
#error_log logs/error.log;
|
|
||||||
#error_log logs/error.log notice;
|
|
||||||
#error_log logs/error.log info;
|
|
||||||
|
|
||||||
#pid logs/nginx.pid;
|
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
@ -24,38 +8,38 @@ events {
|
||||||
http {
|
http {
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
root /usr/share/nginx/html/home.test.local;
|
root /usr/share/nginx/html/home;
|
||||||
server_name home.test.local;
|
server_name home.example.com;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
root /usr/share/nginx/html/public.test.local;
|
root /usr/share/nginx/html/public;
|
||||||
server_name public.test.local;
|
server_name public.example.com;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
root /usr/share/nginx/html/admin.test.local;
|
root /usr/share/nginx/html/admin;
|
||||||
server_name admin.test.local;
|
server_name admin.example.com;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
root /usr/share/nginx/html/dev.test.local;
|
root /usr/share/nginx/html/dev;
|
||||||
server_name dev.test.local;
|
server_name dev.example.com;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
root /usr/share/nginx/html/mail.test.local;
|
root /usr/share/nginx/html/mail;
|
||||||
server_name mx1.mail.test.local mx2.mail.test.local;
|
server_name mx1.mail.example.com mx2.mail.example.com;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
root /usr/share/nginx/html/single_factor.test.local;
|
root /usr/share/nginx/html/single_factor;
|
||||||
server_name single_factor.test.local;
|
server_name single_factor.example.com;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,30 +1,16 @@
|
||||||
# nginx-sso - example nginx config
|
|
||||||
#
|
|
||||||
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
|
|
||||||
#
|
|
||||||
# This is an example config for using nginx with the nginx-sso cookie system.
|
|
||||||
# For simplicity, this config sets up two fictional vhosts that you can use to
|
|
||||||
# test against both components of the nginx-sso system: ssoauth & ssologin.
|
|
||||||
# In a real deployment, these vhosts would be separate hosts.
|
|
||||||
|
|
||||||
#user nobody;
|
|
||||||
worker_processes 1;
|
worker_processes 1;
|
||||||
|
|
||||||
#error_log logs/error.log;
|
|
||||||
#error_log logs/error.log notice;
|
|
||||||
#error_log logs/error.log info;
|
|
||||||
|
|
||||||
#pid logs/nginx.pid;
|
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
http {
|
http {
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name home.test.local;
|
server_name login.example.com;
|
||||||
|
|
||||||
|
resolver 127.0.0.11 ipv6=off;
|
||||||
|
set $upstream_endpoint http://nginx-authelia;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
ssl_certificate /etc/ssl/server.crt;
|
ssl_certificate /etc/ssl/server.crt;
|
||||||
|
@ -35,14 +21,49 @@ http {
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_intercept_errors on;
|
||||||
|
|
||||||
proxy_pass http://nginx-backend/;
|
proxy_pass $upstream_endpoint;
|
||||||
|
|
||||||
|
if ($request_method !~ ^(POST)$){
|
||||||
|
error_page 401 = /error/401;
|
||||||
|
error_page 403 = /error/403;
|
||||||
|
error_page 404 = /error/404;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name public.test.local;
|
server_name home.example.com;
|
||||||
|
|
||||||
|
resolver 127.0.0.11 ipv6=off;
|
||||||
|
set $upstream_endpoint http://nginx-backend;
|
||||||
|
|
||||||
|
ssl on;
|
||||||
|
ssl_certificate /etc/ssl/server.crt;
|
||||||
|
ssl_certificate_key /etc/ssl/server.key;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_pass $upstream_endpoint;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name public.example.com;
|
||||||
|
|
||||||
|
resolver 127.0.0.11 ipv6=off;
|
||||||
|
set $upstream_verify http://nginx-authelia/api/verify;
|
||||||
|
set $upstream_endpoint http://nginx-backend;
|
||||||
|
set $upstream_headers http://httpbin:8000/headers;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
ssl_certificate /etc/ssl/server.crt;
|
ssl_certificate /etc/ssl/server.crt;
|
||||||
|
@ -53,13 +74,13 @@ http {
|
||||||
|
|
||||||
location /auth_verify {
|
location /auth_verify {
|
||||||
internal;
|
internal;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
proxy_pass http://nginx-authelia/api/verify;
|
proxy_pass $upstream_verify;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -75,10 +96,10 @@ http {
|
||||||
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
|
|
||||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
|
||||||
error_page 403 = https://auth.test.local:8080/error/403;
|
error_page 403 = https://login.example.com:8080/error/403;
|
||||||
|
|
||||||
proxy_pass http://nginx-backend/;
|
proxy_pass $upstream_endpoint;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /headers {
|
location /headers {
|
||||||
|
@ -92,16 +113,20 @@ http {
|
||||||
auth_request_set $groups $upstream_http_remote_groups;
|
auth_request_set $groups $upstream_http_remote_groups;
|
||||||
proxy_set_header Custom-Forwarded-Groups $groups;
|
proxy_set_header Custom-Forwarded-Groups $groups;
|
||||||
|
|
||||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
|
||||||
error_page 403 = https://auth.test.local:8080/error/403;
|
error_page 403 = https://login.example.com:8080/error/403;
|
||||||
|
|
||||||
proxy_pass http://httpbin:8000/headers;
|
proxy_pass $upstream_headers;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name admin.test.local;
|
server_name admin.example.com;
|
||||||
|
|
||||||
|
resolver 127.0.0.11 ipv6=off;
|
||||||
|
set $upstream_verify http://nginx-authelia/api/verify;
|
||||||
|
set $upstream_endpoint http://nginx-backend;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
ssl_certificate /etc/ssl/server.crt;
|
ssl_certificate /etc/ssl/server.crt;
|
||||||
|
@ -112,13 +137,13 @@ http {
|
||||||
|
|
||||||
location /auth_verify {
|
location /auth_verify {
|
||||||
internal;
|
internal;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
proxy_pass http://nginx-authelia/api/verify;
|
proxy_pass $upstream_verify;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -134,16 +159,20 @@ http {
|
||||||
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
|
|
||||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
|
||||||
error_page 403 = https://auth.test.local:8080/error/403;
|
error_page 403 = https://login.example.com:8080/error/403;
|
||||||
|
|
||||||
proxy_pass http://nginx-backend/;
|
proxy_pass $upstream_endpoint;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name dev.test.local;
|
server_name dev.example.com;
|
||||||
|
|
||||||
|
resolver 127.0.0.11 ipv6=off;
|
||||||
|
set $upstream_verify http://nginx-authelia/api/verify;
|
||||||
|
set $upstream_endpoint http://nginx-backend;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
ssl_certificate /etc/ssl/server.crt;
|
ssl_certificate /etc/ssl/server.crt;
|
||||||
|
@ -154,13 +183,13 @@ http {
|
||||||
|
|
||||||
location /auth_verify {
|
location /auth_verify {
|
||||||
internal;
|
internal;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
proxy_pass http://nginx-authelia/api/verify;
|
proxy_pass $upstream_verify;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -176,16 +205,20 @@ http {
|
||||||
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
|
|
||||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
|
||||||
error_page 403 = https://auth.test.local:8080/error/403;
|
error_page 403 = https://login.example.com:8080/error/403;
|
||||||
|
|
||||||
proxy_pass http://nginx-backend/;
|
proxy_pass $upstream_endpoint;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name mx1.mail.test.local mx2.mail.test.local;
|
server_name mx1.mail.example.com mx2.mail.example.com;
|
||||||
|
|
||||||
|
resolver 127.0.0.11 ipv6=off;
|
||||||
|
set $upstream_verify http://nginx-authelia/api/verify;
|
||||||
|
set $upstream_endpoint http://nginx-backend;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
ssl_certificate /etc/ssl/server.crt;
|
ssl_certificate /etc/ssl/server.crt;
|
||||||
|
@ -196,13 +229,13 @@ http {
|
||||||
|
|
||||||
location /auth_verify {
|
location /auth_verify {
|
||||||
internal;
|
internal;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
proxy_pass http://nginx-authelia/api/verify;
|
proxy_pass $upstream_verify;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -218,16 +251,21 @@ http {
|
||||||
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
|
|
||||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
|
||||||
error_page 403 = https://auth.test.local:8080/error/403;
|
error_page 403 = https://login.example.com:8080/error/403;
|
||||||
|
|
||||||
proxy_pass http://nginx-backend/;
|
proxy_pass $upstream_endpoint;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
server_name single_factor.test.local;
|
server_name single_factor.example.com;
|
||||||
|
|
||||||
|
resolver 127.0.0.11 ipv6=off;
|
||||||
|
set $upstream_verify http://nginx-authelia/api/verify;
|
||||||
|
set $upstream_endpoint http://nginx-backend;
|
||||||
|
set $upstream_headers http://httpbin:8000/headers;
|
||||||
|
|
||||||
ssl on;
|
ssl on;
|
||||||
ssl_certificate /etc/ssl/server.crt;
|
ssl_certificate /etc/ssl/server.crt;
|
||||||
|
@ -238,14 +276,14 @@ http {
|
||||||
|
|
||||||
location /auth_verify {
|
location /auth_verify {
|
||||||
internal;
|
internal;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
proxy_set_header Proxy-Authorization $http_authorization;
|
proxy_set_header Proxy-Authorization $http_authorization;
|
||||||
|
|
||||||
proxy_pass http://nginx-authelia/api/verify;
|
proxy_pass $upstream_verify;
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
@ -261,10 +299,10 @@ http {
|
||||||
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
|
|
||||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
|
||||||
error_page 403 = https://auth.test.local:8080/error/403;
|
error_page 403 = https://login.example.com:8080/error/403;
|
||||||
|
|
||||||
proxy_pass http://nginx-backend/;
|
proxy_pass $upstream_endpoint;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /headers {
|
location /headers {
|
||||||
|
@ -278,10 +316,10 @@ http {
|
||||||
auth_request_set $groups $upstream_http_remote_groups;
|
auth_request_set $groups $upstream_http_remote_groups;
|
||||||
proxy_set_header Custom-Forwarded-Groups $groups;
|
proxy_set_header Custom-Forwarded-Groups $groups;
|
||||||
|
|
||||||
proxy_pass http://httpbin:8000/headers;
|
error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
|
||||||
|
error_page 403 = https://login.example.com:8080/error/403;
|
||||||
|
|
||||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
proxy_pass $upstream_headers;
|
||||||
error_page 403 = https://auth.test.local:8080/error/403;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,8 +3,8 @@
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
docker-compose \
|
docker-compose \
|
||||||
|
-f docker-compose.dockerhub.yml \
|
||||||
-f example/docker-compose.base.yml \
|
-f example/docker-compose.base.yml \
|
||||||
-f example/authelia/docker-compose.dockerhub.yml \
|
|
||||||
-f example/mongo/docker-compose.yml \
|
-f example/mongo/docker-compose.yml \
|
||||||
-f example/redis/docker-compose.yml \
|
-f example/redis/docker-compose.yml \
|
||||||
-f example/nginx/authelia/docker-compose.yml \
|
-f example/nginx/authelia/docker-compose.yml \
|
||||||
|
|
|
@ -13,7 +13,11 @@ start_services() {
|
||||||
}
|
}
|
||||||
|
|
||||||
shut_services() {
|
shut_services() {
|
||||||
$DC_SCRIPT down --remove-orphans
|
containers_exist=`docker ps -aq | wc -l`
|
||||||
|
if [ "$containers_exist" -ne "0" ]
|
||||||
|
then
|
||||||
|
docker rm -f $(docker ps -aq)
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
expect_services_count() {
|
expect_services_count() {
|
||||||
|
@ -42,16 +46,18 @@ run_integration_tests() {
|
||||||
|
|
||||||
run_other_tests() {
|
run_other_tests() {
|
||||||
echo "Test dev environment deployment (commands in README)"
|
echo "Test dev environment deployment (commands in README)"
|
||||||
rm -rf node_modules
|
# rm -rf node_modules
|
||||||
./scripts/build-dev.sh
|
# ./scripts/build-dev.sh
|
||||||
./scripts/example-commit/deploy-example.sh
|
./scripts/example-commit/deploy-example.sh
|
||||||
expect_services_count $EXPECTED_SERVICES_COUNT
|
expect_services_count $EXPECTED_SERVICES_COUNT
|
||||||
|
./scripts/example-commit/undeploy-example.sh
|
||||||
}
|
}
|
||||||
|
|
||||||
run_other_tests_docker() {
|
run_other_tests_docker() {
|
||||||
echo "Test dev docker deployment (commands in README)"
|
echo "Test dev docker deployment (commands in README)"
|
||||||
./scripts/example-dockerhub/deploy-example.sh
|
./scripts/example-dockerhub/deploy-example.sh
|
||||||
expect_services_count $EXPECTED_SERVICES_COUNT
|
expect_services_count $EXPECTED_SERVICES_COUNT
|
||||||
|
./scripts/example-dockerhub/undeploy-example.sh
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,13 +1,14 @@
|
||||||
block variables
|
block variables
|
||||||
|
|
||||||
|
doctype html
|
||||||
html
|
html
|
||||||
head
|
head
|
||||||
title Authelia - 2FA
|
title Authelia - 2FA
|
||||||
meta(name="viewport", content="width=device-width, initial-scale=1.0")/
|
meta(name="viewport", content="width=device-width, initial-scale=1.0")
|
||||||
meta(name="robots", content="noindex, nofollow, nosnippet, noarchive")/
|
meta(name="robots", content="noindex, nofollow, nosnippet, noarchive")
|
||||||
meta(http-equiv="Content-Security-Policy", content="default-src 'self'; img-src 'self' data:;")/
|
meta(http-equiv="Content-Security-Policy", content="default-src 'self'; img-src 'self' data:;")
|
||||||
link(rel="icon", href="/img/icon.png" type="image/png" sizes="32x32")/
|
link(rel="icon", href="/img/icon.png" type="image/png" sizes="32x32")
|
||||||
link(rel="stylesheet", type="text/css", href="/css/authelia.css")/
|
link(rel="stylesheet", type="text/css", href="/css/authelia.css")
|
||||||
if redirection_url
|
if redirection_url
|
||||||
meta(http-equiv="refresh" content="4;url=" + redirection_url)
|
meta(http-equiv="refresh" content="4;url=" + redirection_url)
|
||||||
body
|
body
|
||||||
|
@ -24,4 +25,4 @@ html
|
||||||
div(class="poweredby col-xs-6 col-xs-offset-4 col-sm-6 col-sm-offset-4 col-md-6 col-md-offset-4")
|
div(class="poweredby col-xs-6 col-xs-offset-4 col-sm-6 col-sm-offset-4 col-md-6 col-md-offset-4")
|
||||||
| Powered by <a class="authelia-brand" href="https://github.com/clems4ever/authelia">Authelia</a>
|
| Powered by <a class="authelia-brand" href="https://github.com/clems4ever/authelia">Authelia</a>
|
||||||
block entrypoint
|
block entrypoint
|
||||||
script(src="/js/authelia.js")
|
script(src="/js/authelia.js", type="text/javascript" )
|
|
@ -22,4 +22,4 @@ block content
|
||||||
img(alt='Get it on Apple Store' src='/img/stores/applestore-badge.svg' class="store-badge")
|
img(alt='Get it on Apple Store' src='/img/stores/applestore-badge.svg' class="store-badge")
|
||||||
|
|
||||||
block entrypoint
|
block entrypoint
|
||||||
script(src="/js/qrcode.min.js")
|
script(src="/js/qrcode.min.js", type="text/javascript" )
|
||||||
|
|
|
@ -13,10 +13,10 @@ describe("test access control manager", function () {
|
||||||
configuration = undefined;
|
configuration = undefined;
|
||||||
accessController = new AccessController(configuration, winston);
|
accessController = new AccessController(configuration, winston);
|
||||||
|
|
||||||
Assert(accessController.isAccessAllowed("home.test.local", "/", "user1", ["group1", "group2"]));
|
Assert(accessController.isAccessAllowed("home.example.com", "/", "user1", ["group1", "group2"]));
|
||||||
Assert(accessController.isAccessAllowed("home.test.local", "/abc", "user1", ["group1", "group2"]));
|
Assert(accessController.isAccessAllowed("home.example.com", "/abc", "user1", ["group1", "group2"]));
|
||||||
Assert(accessController.isAccessAllowed("home.test.local", "/", "user2", ["group1", "group2"]));
|
Assert(accessController.isAccessAllowed("home.example.com", "/", "user2", ["group1", "group2"]));
|
||||||
Assert(accessController.isAccessAllowed("admin.test.local", "/", "user3", ["group3"]));
|
Assert(accessController.isAccessAllowed("admin.example.com", "/", "user3", ["group3"]));
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
|
@ -2,66 +2,66 @@ Feature: User has access restricted access to domains
|
||||||
|
|
||||||
@need-registered-user-john
|
@need-registered-user-john
|
||||||
Scenario: User john has admin access
|
Scenario: User john has admin access
|
||||||
When I visit "https://auth.test.local:8080?redirect=https%3A%2F%2Fhome.test.local%3A8080%2F"
|
When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I use "REGISTERED" as TOTP token handle
|
And I use "REGISTERED" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
And I'm redirected to "https://home.test.local:8080/"
|
And I'm redirected to "https://home.example.com:8080/"
|
||||||
Then I have access to:
|
Then I have access to:
|
||||||
| url |
|
| url |
|
||||||
| https://public.test.local:8080/secret.html |
|
| https://public.example.com:8080/secret.html |
|
||||||
| https://dev.test.local:8080/groups/admin/secret.html |
|
| https://dev.example.com:8080/groups/admin/secret.html |
|
||||||
| https://dev.test.local:8080/groups/dev/secret.html |
|
| https://dev.example.com:8080/groups/dev/secret.html |
|
||||||
| https://dev.test.local:8080/users/john/secret.html |
|
| https://dev.example.com:8080/users/john/secret.html |
|
||||||
| https://dev.test.local:8080/users/harry/secret.html |
|
| https://dev.example.com:8080/users/harry/secret.html |
|
||||||
| https://dev.test.local:8080/users/bob/secret.html |
|
| https://dev.example.com:8080/users/bob/secret.html |
|
||||||
| https://admin.test.local:8080/secret.html |
|
| https://admin.example.com:8080/secret.html |
|
||||||
| https://mx1.mail.test.local:8080/secret.html |
|
| https://mx1.mail.example.com:8080/secret.html |
|
||||||
| https://single_factor.test.local:8080/secret.html |
|
| https://single_factor.example.com:8080/secret.html |
|
||||||
And I have no access to:
|
And I have no access to:
|
||||||
| url |
|
| url |
|
||||||
| https://mx2.mail.test.local:8080/secret.html |
|
| https://mx2.mail.example.com:8080/secret.html |
|
||||||
|
|
||||||
@need-registered-user-bob
|
@need-registered-user-bob
|
||||||
Scenario: User bob has restricted access
|
Scenario: User bob has restricted access
|
||||||
When I visit "https://auth.test.local:8080?redirect=https%3A%2F%2Fhome.test.local%3A8080%2F"
|
When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
|
||||||
And I login with user "bob" and password "password"
|
And I login with user "bob" and password "password"
|
||||||
And I use "REGISTERED" as TOTP token handle
|
And I use "REGISTERED" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
And I'm redirected to "https://home.test.local:8080/"
|
And I'm redirected to "https://home.example.com:8080/"
|
||||||
Then I have access to:
|
Then I have access to:
|
||||||
| url |
|
| url |
|
||||||
| https://public.test.local:8080/secret.html |
|
| https://public.example.com:8080/secret.html |
|
||||||
| https://dev.test.local:8080/groups/dev/secret.html |
|
| https://dev.example.com:8080/groups/dev/secret.html |
|
||||||
| https://dev.test.local:8080/users/bob/secret.html |
|
| https://dev.example.com:8080/users/bob/secret.html |
|
||||||
| https://mx1.mail.test.local:8080/secret.html |
|
| https://mx1.mail.example.com:8080/secret.html |
|
||||||
| https://mx2.mail.test.local:8080/secret.html |
|
| https://mx2.mail.example.com:8080/secret.html |
|
||||||
And I have no access to:
|
And I have no access to:
|
||||||
| url |
|
| url |
|
||||||
| https://dev.test.local:8080/groups/admin/secret.html |
|
| https://dev.example.com:8080/groups/admin/secret.html |
|
||||||
| https://admin.test.local:8080/secret.html |
|
| https://admin.example.com:8080/secret.html |
|
||||||
| https://dev.test.local:8080/users/john/secret.html |
|
| https://dev.example.com:8080/users/john/secret.html |
|
||||||
| https://dev.test.local:8080/users/harry/secret.html |
|
| https://dev.example.com:8080/users/harry/secret.html |
|
||||||
| https://single_factor.test.local:8080/secret.html |
|
| https://single_factor.example.com:8080/secret.html |
|
||||||
|
|
||||||
@need-registered-user-harry
|
@need-registered-user-harry
|
||||||
Scenario: User harry has restricted access
|
Scenario: User harry has restricted access
|
||||||
When I visit "https://auth.test.local:8080?redirect=https%3A%2F%2Fhome.test.local%3A8080%2F"
|
When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
|
||||||
And I login with user "harry" and password "password"
|
And I login with user "harry" and password "password"
|
||||||
And I use "REGISTERED" as TOTP token handle
|
And I use "REGISTERED" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
And I'm redirected to "https://home.test.local:8080/"
|
And I'm redirected to "https://home.example.com:8080/"
|
||||||
Then I have access to:
|
Then I have access to:
|
||||||
| url |
|
| url |
|
||||||
| https://public.test.local:8080/secret.html |
|
| https://public.example.com:8080/secret.html |
|
||||||
| https://dev.test.local:8080/users/harry/secret.html |
|
| https://dev.example.com:8080/users/harry/secret.html |
|
||||||
And I have no access to:
|
And I have no access to:
|
||||||
| url |
|
| url |
|
||||||
| https://dev.test.local:8080/groups/dev/secret.html |
|
| https://dev.example.com:8080/groups/dev/secret.html |
|
||||||
| https://dev.test.local:8080/users/bob/secret.html |
|
| https://dev.example.com:8080/users/bob/secret.html |
|
||||||
| https://dev.test.local:8080/groups/admin/secret.html |
|
| https://dev.example.com:8080/groups/admin/secret.html |
|
||||||
| https://admin.test.local:8080/secret.html |
|
| https://admin.example.com:8080/secret.html |
|
||||||
| https://dev.test.local:8080/users/john/secret.html |
|
| https://dev.example.com:8080/users/john/secret.html |
|
||||||
| https://mx1.mail.test.local:8080/secret.html |
|
| https://mx1.mail.example.com:8080/secret.html |
|
||||||
| https://mx2.mail.test.local:8080/secret.html |
|
| https://mx2.mail.example.com:8080/secret.html |
|
||||||
| https://single_factor.test.local:8080/secret.html |
|
| https://single_factor.example.com:8080/secret.html |
|
|
@ -2,33 +2,33 @@ Feature: User is redirected when factors are already validated
|
||||||
|
|
||||||
@need-registered-user-john
|
@need-registered-user-john
|
||||||
Scenario: User has validated first factor and tries to access service protected by second factor. He is then redirect to second factor step.
|
Scenario: User has validated first factor and tries to access service protected by second factor. He is then redirect to second factor step.
|
||||||
When I visit "https://single_factor.test.local:8080/secret.html"
|
When I visit "https://single_factor.example.com:8080/secret.html"
|
||||||
And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fsingle_factor.test.local%3A8080%2Fsecret.html"
|
And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I'm redirected to "https://single_factor.test.local:8080/secret.html"
|
And I'm redirected to "https://single_factor.example.com:8080/secret.html"
|
||||||
And I visit "https://public.test.local:8080/secret.html"
|
And I visit "https://public.example.com:8080/secret.html"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/secondfactor?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
Then I'm redirected to "https://login.example.com:8080/secondfactor?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||||
|
|
||||||
@need-registered-user-john
|
@need-registered-user-john
|
||||||
Scenario: User who has validated second factor and access auth portal should be redirected to "Already logged in page" and redirected to default URL declared in configuration
|
Scenario: User who has validated second factor and access auth portal should be redirected to "Already logged in page" and redirected to default URL declared in configuration
|
||||||
When I visit "https://public.test.local:8080/secret.html"
|
When I visit "https://public.example.com:8080/secret.html"
|
||||||
And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I use "REGISTERED" as TOTP token handle
|
And I use "REGISTERED" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
And I'm redirected to "https://public.test.local:8080/secret.html"
|
And I'm redirected to "https://public.example.com:8080/secret.html"
|
||||||
And I visit "https://auth.test.local:8080"
|
And I visit "https://login.example.com:8080"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/loggedin"
|
Then I'm redirected to "https://login.example.com:8080/loggedin"
|
||||||
And I sleep for 5 seconds
|
And I sleep for 5 seconds
|
||||||
And I'm redirected to "https://home.test.local:8080/"
|
And I'm redirected to "https://home.example.com:8080/"
|
||||||
|
|
||||||
@need-registered-user-john
|
@need-registered-user-john
|
||||||
Scenario: User who has validated second factor and access auth portal with rediction param should be redirected to that URL
|
Scenario: User who has validated second factor and access auth portal with rediction param should be redirected to that URL
|
||||||
When I visit "https://public.test.local:8080/secret.html"
|
When I visit "https://public.example.com:8080/secret.html"
|
||||||
And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I use "REGISTERED" as TOTP token handle
|
And I use "REGISTERED" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
And I'm redirected to "https://public.test.local:8080/secret.html"
|
And I'm redirected to "https://public.example.com:8080/secret.html"
|
||||||
And I visit "https://auth.test.local:8080?redirect=https://public.test.local:8080/secret.html"
|
And I visit "https://login.example.com:8080?redirect=https://public.example.com:8080/secret.html"
|
||||||
Then I'm redirected to "https://public.test.local:8080/secret.html"
|
Then I'm redirected to "https://public.example.com:8080/secret.html"
|
||||||
|
|
|
@ -1,38 +1,38 @@
|
||||||
Feature: Authentication scenarii
|
Feature: Authentication scenarii
|
||||||
|
|
||||||
Scenario: User succeeds first factor
|
Scenario: User succeeds first factor
|
||||||
Given I visit "https://auth.test.local:8080/"
|
Given I visit "https://login.example.com:8080/"
|
||||||
When I set field "username" to "bob"
|
When I set field "username" to "bob"
|
||||||
And I set field "password" to "password"
|
And I set field "password" to "password"
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/secondfactor"
|
Then I'm redirected to "https://login.example.com:8080/secondfactor"
|
||||||
|
|
||||||
Scenario: User fails first factor
|
Scenario: User fails first factor
|
||||||
Given I visit "https://auth.test.local:8080/"
|
Given I visit "https://login.example.com:8080/"
|
||||||
When I set field "username" to "john"
|
When I set field "username" to "john"
|
||||||
And I set field "password" to "bad-password"
|
And I set field "password" to "bad-password"
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
Then I get a notification of type "error" with message "Authentication failed. Please check your credentials."
|
Then I get a notification of type "error" with message "Authentication failed. Please check your credentials."
|
||||||
|
|
||||||
Scenario: User registers TOTP secret and succeeds authentication
|
Scenario: User registers TOTP secret and succeeds authentication
|
||||||
Given I visit "https://auth.test.local:8080/"
|
Given I visit "https://login.example.com:8080/"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I register a TOTP secret called "Sec0"
|
And I register a TOTP secret called "Sec0"
|
||||||
When I visit "https://admin.test.local:8080/secret.html"
|
When I visit "https://admin.example.com:8080/secret.html"
|
||||||
And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html"
|
And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I use "Sec0" as TOTP token handle
|
And I use "Sec0" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
Then I'm redirected to "https://admin.test.local:8080/secret.html"
|
Then I'm redirected to "https://admin.example.com:8080/secret.html"
|
||||||
|
|
||||||
Scenario: User fails TOTP second factor
|
Scenario: User fails TOTP second factor
|
||||||
When I visit "https://admin.test.local:8080/secret.html"
|
When I visit "https://admin.example.com:8080/secret.html"
|
||||||
And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html"
|
And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I use "BADTOKEN" as TOTP token
|
And I use "BADTOKEN" as TOTP token
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
Then I get a notification of type "error" with message "Authentication failed. Have you already registered your secret?"
|
Then I get a notification of type "error" with message "Authentication failed. Have you already registered your secret?"
|
||||||
|
|
||||||
Scenario: Logout redirects user to redirect URL given in parameter
|
Scenario: Logout redirects user to redirect URL given in parameter
|
||||||
When I visit "https://auth.test.local:8080/logout?redirect=https://home.test.local:8080/"
|
When I visit "https://login.example.com:8080/logout?redirect=https://home.example.com:8080/"
|
||||||
Then I'm redirected to "https://home.test.local:8080/"
|
Then I'm redirected to "https://home.example.com:8080/"
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
Feature: User and groups headers are correctly forwarded to backend
|
Feature: User and groups headers are correctly forwarded to backend
|
||||||
@need-authenticated-user-john
|
@need-authenticated-user-john
|
||||||
Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend
|
Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend
|
||||||
When I visit "https://public.test.local:8080/headers"
|
When I visit "https://public.example.com:8080/headers"
|
||||||
Then I see header "Custom-Forwarded-User" set to "john"
|
Then I see header "Custom-Forwarded-User" set to "john"
|
||||||
Then I see header "Custom-Forwarded-Groups" set to "dev,admin"
|
Then I see header "Custom-Forwarded-Groups" set to "dev,admin"
|
||||||
|
|
||||||
Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend when basic auth is used
|
Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend when basic auth is used
|
||||||
When I request "https://single_factor.test.local:8080/headers" with username "john" and password "password" using basic authentication
|
When I request "https://single_factor.example.com:8080/headers" with username "john" and password "password" using basic authentication
|
||||||
Then I received header "Custom-Forwarded-User" set to "john"
|
Then I received header "Custom-Forwarded-User" set to "john"
|
||||||
And I received header "Custom-Forwarded-Groups" set to "dev,admin"
|
And I received header "Custom-Forwarded-Groups" set to "dev,admin"
|
|
@ -1,70 +1,70 @@
|
||||||
Feature: User is correctly redirected
|
Feature: User is correctly redirected
|
||||||
|
|
||||||
Scenario: User is redirected to authelia when he is not authenticated
|
Scenario: User is redirected to authelia when he is not authenticated
|
||||||
When I visit "https://public.test.local:8080"
|
When I visit "https://public.example.com:8080"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2F"
|
Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2F"
|
||||||
|
|
||||||
@need-registered-user-john
|
@need-registered-user-john
|
||||||
Scenario: User is redirected to home page after several authentication tries
|
Scenario: User is redirected to home page after several authentication tries
|
||||||
When I visit "https://public.test.local:8080/secret.html"
|
When I visit "https://public.example.com:8080/secret.html"
|
||||||
And I login with user "john" and password "badpassword"
|
And I login with user "john" and password "badpassword"
|
||||||
And I wait for notification to disappear
|
And I wait for notification to disappear
|
||||||
And I clear field "username"
|
And I clear field "username"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I use "REGISTERED" as TOTP token handle
|
And I use "REGISTERED" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
Then I'm redirected to "https://public.test.local:8080/secret.html"
|
Then I'm redirected to "https://public.example.com:8080/secret.html"
|
||||||
|
|
||||||
Scenario: User Harry does not have access to admin domain and thus he must get an error 403
|
Scenario: User Harry does not have access to admin domain and thus he must get an error 403
|
||||||
When I register TOTP and login with user "harry" and password "password"
|
When I register TOTP and login with user "harry" and password "password"
|
||||||
And I visit "https://admin.test.local:8080/secret.html"
|
And I visit "https://admin.example.com:8080/secret.html"
|
||||||
Then I get an error 403
|
Then I get an error 403
|
||||||
|
|
||||||
Scenario: Redirection URL is propagated from restricted page to first factor
|
Scenario: Redirection URL is propagated from restricted page to first factor
|
||||||
When I visit "https://public.test.local:8080/secret.html"
|
When I visit "https://public.example.com:8080/secret.html"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||||
|
|
||||||
Scenario: Redirection URL is propagated from first factor to second factor
|
Scenario: Redirection URL is propagated from first factor to second factor
|
||||||
Given I visit "https://auth.test.local:8080/"
|
Given I visit "https://login.example.com:8080/"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I register a TOTP secret called "Sec0"
|
And I register a TOTP secret called "Sec0"
|
||||||
When I visit "https://public.test.local:8080/secret.html"
|
When I visit "https://public.example.com:8080/secret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/secondfactor?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
Then I'm redirected to "https://login.example.com:8080/secondfactor?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||||
|
|
||||||
Scenario: Redirection URL is used to send user from second factor to target page
|
Scenario: Redirection URL is used to send user from second factor to target page
|
||||||
Given I visit "https://auth.test.local:8080/"
|
Given I visit "https://login.example.com:8080/"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I register a TOTP secret called "Sec0"
|
And I register a TOTP secret called "Sec0"
|
||||||
When I visit "https://public.test.local:8080/secret.html"
|
When I visit "https://public.example.com:8080/secret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I use "Sec0" as TOTP token handle
|
And I use "Sec0" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
Then I'm redirected to "https://public.test.local:8080/secret.html"
|
Then I'm redirected to "https://public.example.com:8080/secret.html"
|
||||||
|
|
||||||
@need-registered-user-john
|
@need-registered-user-john
|
||||||
Scenario: User is redirected to default URL defined in configuration when authentication is successful
|
Scenario: User is redirected to default URL defined in configuration when authentication is successful
|
||||||
When I visit "https://auth.test.local:8080"
|
When I visit "https://login.example.com:8080"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I use "REGISTERED" as TOTP token handle
|
And I use "REGISTERED" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
Then I'm redirected to "https://home.test.local:8080/"
|
Then I'm redirected to "https://home.example.com:8080/"
|
||||||
|
|
||||||
|
|
||||||
Scenario: User is redirected when hitting an error 401
|
Scenario: User is redirected when hitting an error 401
|
||||||
When I visit "https://auth.test.local:8080/secondfactor/u2f/identity/finish"
|
When I visit "https://login.example.com:8080/secondfactor/u2f/identity/finish"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/error/401"
|
Then I'm redirected to "https://login.example.com:8080/error/401"
|
||||||
And I sleep for 5 seconds
|
And I sleep for 5 seconds
|
||||||
And I'm redirected to "https://home.test.local:8080/"
|
And I'm redirected to "https://home.example.com:8080/"
|
||||||
|
|
||||||
@need-registered-user-harry
|
@need-registered-user-harry
|
||||||
Scenario: User is redirected when hitting an error 403
|
Scenario: User is redirected when hitting an error 403
|
||||||
When I visit "https://auth.test.local:8080"
|
When I visit "https://login.example.com:8080"
|
||||||
And I login with user "harry" and password "password"
|
And I login with user "harry" and password "password"
|
||||||
And I use "REGISTERED" as TOTP token handle
|
And I use "REGISTERED" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
And I'm redirected to "https://home.test.local:8080/"
|
And I'm redirected to "https://home.example.com:8080/"
|
||||||
When I visit "https://admin.test.local:8080/secret.html"
|
When I visit "https://admin.example.com:8080/secret.html"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/error/403"
|
Then I'm redirected to "https://login.example.com:8080/error/403"
|
||||||
And I sleep for 5 seconds
|
And I sleep for 5 seconds
|
||||||
And I'm redirected to "https://home.test.local:8080/"
|
And I'm redirected to "https://home.example.com:8080/"
|
|
@ -1,14 +1,14 @@
|
||||||
Feature: Register secret for second factor
|
Feature: Register secret for second factor
|
||||||
|
|
||||||
Scenario: Register a TOTP secret with correct label and issuer
|
Scenario: Register a TOTP secret with correct label and issuer
|
||||||
Given I visit "https://auth.test.local:8080/"
|
Given I visit "https://login.example.com:8080/"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
When I register a TOTP secret called "Sec0"
|
When I register a TOTP secret called "Sec0"
|
||||||
Then the otpauth url has label "john" and issuer "authelia.com"
|
Then the otpauth url has label "john" and issuer "authelia.com"
|
||||||
|
|
||||||
@needs-totp_issuer-config
|
@needs-totp_issuer-config
|
||||||
Scenario: Register a TOTP secret with correct label and custom issuer
|
Scenario: Register a TOTP secret with correct label and custom issuer
|
||||||
Given I visit "https://auth.test.local:8080/"
|
Given I visit "https://login.example.com:8080/"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
When I register a TOTP secret called "Sec0"
|
When I register a TOTP secret called "Sec0"
|
||||||
Then the otpauth url has label "john" and issuer "custom.com"
|
Then the otpauth url has label "john" and issuer "custom.com"
|
|
@ -3,7 +3,7 @@ Feature: Authelia regulates authentication to avoid brute force
|
||||||
|
|
||||||
@need-registered-user-blackhat
|
@need-registered-user-blackhat
|
||||||
Scenario: Attacker tries too many authentication in a short period of time and get banned
|
Scenario: Attacker tries too many authentication in a short period of time and get banned
|
||||||
Given I visit "https://auth.test.local:8080/"
|
Given I visit "https://login.example.com:8080/"
|
||||||
And I set field "username" to "blackhat"
|
And I set field "username" to "blackhat"
|
||||||
And I set field "password" to "bad-password"
|
And I set field "password" to "bad-password"
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
|
@ -20,7 +20,7 @@ Feature: Authelia regulates authentication to avoid brute force
|
||||||
|
|
||||||
@need-registered-user-blackhat
|
@need-registered-user-blackhat
|
||||||
Scenario: User is unbanned after a configured amount of time
|
Scenario: User is unbanned after a configured amount of time
|
||||||
Given I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
Given I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||||
And I set field "username" to "blackhat"
|
And I set field "username" to "blackhat"
|
||||||
And I set field "password" to "bad-password"
|
And I set field "password" to "bad-password"
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
|
@ -36,4 +36,4 @@ Feature: Authelia regulates authentication to avoid brute force
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
And I use "REGISTERED" as TOTP token handle
|
And I use "REGISTERED" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
Then I'm redirected to "https://public.test.local:8080/secret.html"
|
Then I'm redirected to "https://public.example.com:8080/secret.html"
|
|
@ -1,35 +1,35 @@
|
||||||
Feature: User is able to reset his password
|
Feature: User is able to reset his password
|
||||||
|
|
||||||
Scenario: User is redirected to password reset page
|
Scenario: User is redirected to password reset page
|
||||||
Given I'm on https://auth.test.local:8080
|
Given I'm on https://login.example.com:8080
|
||||||
When I click on the link "Forgot password?"
|
When I click on the link "Forgot password?"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/password-reset/request"
|
Then I'm redirected to "https://login.example.com:8080/password-reset/request"
|
||||||
|
|
||||||
Scenario: User get an email with a link to reset password
|
Scenario: User get an email with a link to reset password
|
||||||
Given I'm on https://auth.test.local:8080/password-reset/request
|
Given I'm on https://login.example.com:8080/password-reset/request
|
||||||
When I set field "username" to "james"
|
When I set field "username" to "james"
|
||||||
And I click on "Reset Password"
|
And I click on "Reset Password"
|
||||||
Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."
|
Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."
|
||||||
|
|
||||||
Scenario: Request password for unexisting user should behave like existing user
|
Scenario: Request password for unexisting user should behave like existing user
|
||||||
Given I'm on https://auth.test.local:8080/password-reset/request
|
Given I'm on https://login.example.com:8080/password-reset/request
|
||||||
When I set field "username" to "fake_user"
|
When I set field "username" to "fake_user"
|
||||||
And I click on "Reset Password"
|
And I click on "Reset Password"
|
||||||
Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."
|
Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."
|
||||||
|
|
||||||
Scenario: User resets his password
|
Scenario: User resets his password
|
||||||
Given I'm on https://auth.test.local:8080/password-reset/request
|
Given I'm on https://login.example.com:8080/password-reset/request
|
||||||
And I set field "username" to "james"
|
And I set field "username" to "james"
|
||||||
And I click on "Reset Password"
|
And I click on "Reset Password"
|
||||||
When I click on the link of the email
|
When I click on the link of the email
|
||||||
And I set field "password1" to "newpassword"
|
And I set field "password1" to "newpassword"
|
||||||
And I set field "password2" to "newpassword"
|
And I set field "password2" to "newpassword"
|
||||||
And I click on "Reset Password"
|
And I click on "Reset Password"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/"
|
Then I'm redirected to "https://login.example.com:8080/"
|
||||||
|
|
||||||
|
|
||||||
Scenario: User does not confirm new password
|
Scenario: User does not confirm new password
|
||||||
Given I'm on https://auth.test.local:8080/password-reset/request
|
Given I'm on https://login.example.com:8080/password-reset/request
|
||||||
And I set field "username" to "james"
|
And I set field "username" to "james"
|
||||||
And I click on "Reset Password"
|
And I click on "Reset Password"
|
||||||
When I click on the link of the email
|
When I click on the link of the email
|
||||||
|
|
|
@ -5,13 +5,13 @@ Feature: Authelia keeps user sessions despite the application restart
|
||||||
When the application restarts
|
When the application restarts
|
||||||
Then I have access to:
|
Then I have access to:
|
||||||
| url |
|
| url |
|
||||||
| https://admin.test.local:8080/secret.html |
|
| https://admin.example.com:8080/secret.html |
|
||||||
|
|
||||||
@need-registered-user-john
|
@need-registered-user-john
|
||||||
Scenario: Secrets are stored even when Authelia restarts
|
Scenario: Secrets are stored even when Authelia restarts
|
||||||
When the application restarts
|
When the application restarts
|
||||||
And I visit "https://admin.test.local:8080/secret.html" and get redirected "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html"
|
And I visit "https://admin.example.com:8080/secret.html" and get redirected "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
And I use "REGISTERED" as TOTP token handle
|
And I use "REGISTERED" as TOTP token handle
|
||||||
And I click on "Sign in"
|
And I click on "Sign in"
|
||||||
Then I'm redirected to "https://admin.test.local:8080/secret.html"
|
Then I'm redirected to "https://admin.example.com:8080/secret.html"
|
|
@ -3,35 +3,35 @@ Feature: Non authenticated users have no access to certain pages
|
||||||
Scenario: Anonymous user has no access to protected pages
|
Scenario: Anonymous user has no access to protected pages
|
||||||
Then I get the following status code when requesting:
|
Then I get the following status code when requesting:
|
||||||
| url | code | method |
|
| url | code | method |
|
||||||
| https://auth.test.local:8080/secondfactor | 401 | GET |
|
| https://login.example.com:8080/secondfactor | 401 | GET |
|
||||||
| https://auth.test.local:8080/secondfactor/u2f/identity/start | 401 | GET |
|
| https://login.example.com:8080/secondfactor/u2f/identity/start | 401 | GET |
|
||||||
| https://auth.test.local:8080/secondfactor/u2f/identity/finish | 401 | GET |
|
| https://login.example.com:8080/secondfactor/u2f/identity/finish | 401 | GET |
|
||||||
| https://auth.test.local:8080/secondfactor/totp/identity/start | 401 | GET |
|
| https://login.example.com:8080/secondfactor/totp/identity/start | 401 | GET |
|
||||||
| https://auth.test.local:8080/secondfactor/totp/identity/finish | 401 | GET |
|
| https://login.example.com:8080/secondfactor/totp/identity/finish | 401 | GET |
|
||||||
| https://auth.test.local:8080/loggedin | 401 | GET |
|
| https://login.example.com:8080/loggedin | 401 | GET |
|
||||||
| https://auth.test.local:8080/api/totp | 401 | POST |
|
| https://login.example.com:8080/api/totp | 401 | POST |
|
||||||
| https://auth.test.local:8080/api/u2f/sign_request | 401 | GET |
|
| https://login.example.com:8080/api/u2f/sign_request | 401 | GET |
|
||||||
| https://auth.test.local:8080/api/u2f/sign | 401 | POST |
|
| https://login.example.com:8080/api/u2f/sign | 401 | POST |
|
||||||
| https://auth.test.local:8080/api/u2f/register_request | 401 | GET |
|
| https://login.example.com:8080/api/u2f/register_request | 401 | GET |
|
||||||
| https://auth.test.local:8080/api/u2f/register | 401 | POST |
|
| https://login.example.com:8080/api/u2f/register | 401 | POST |
|
||||||
|
|
||||||
|
|
||||||
@needs-single_factor-config
|
@needs-single_factor-config
|
||||||
@need-registered-user-john
|
@need-registered-user-john
|
||||||
Scenario: User does not have acces to second factor related endpoints when in single factor mode
|
Scenario: User does not have acces to second factor related endpoints when in single factor mode
|
||||||
Given I post "https://auth.test.local:8080/api/firstfactor" with body:
|
Given I post "https://login.example.com:8080/api/firstfactor" with body:
|
||||||
| key | value |
|
| key | value |
|
||||||
| username | john |
|
| username | john |
|
||||||
| password | password |
|
| password | password |
|
||||||
Then I get the following status code when requesting:
|
Then I get the following status code when requesting:
|
||||||
| url | code | method |
|
| url | code | method |
|
||||||
| https://auth.test.local:8080/secondfactor | 401 | GET |
|
| https://login.example.com:8080/secondfactor | 401 | GET |
|
||||||
| https://auth.test.local:8080/secondfactor/u2f/identity/start | 401 | GET |
|
| https://login.example.com:8080/secondfactor/u2f/identity/start | 401 | GET |
|
||||||
| https://auth.test.local:8080/secondfactor/u2f/identity/finish | 401 | GET |
|
| https://login.example.com:8080/secondfactor/u2f/identity/finish | 401 | GET |
|
||||||
| https://auth.test.local:8080/secondfactor/totp/identity/start | 401 | GET |
|
| https://login.example.com:8080/secondfactor/totp/identity/start | 401 | GET |
|
||||||
| https://auth.test.local:8080/secondfactor/totp/identity/finish | 401 | GET |
|
| https://login.example.com:8080/secondfactor/totp/identity/finish | 401 | GET |
|
||||||
| https://auth.test.local:8080/api/totp | 401 | POST |
|
| https://login.example.com:8080/api/totp | 401 | POST |
|
||||||
| https://auth.test.local:8080/api/u2f/sign_request | 401 | GET |
|
| https://login.example.com:8080/api/u2f/sign_request | 401 | GET |
|
||||||
| https://auth.test.local:8080/api/u2f/sign | 401 | POST |
|
| https://login.example.com:8080/api/u2f/sign | 401 | POST |
|
||||||
| https://auth.test.local:8080/api/u2f/register_request | 401 | GET |
|
| https://login.example.com:8080/api/u2f/register_request | 401 | GET |
|
||||||
| https://auth.test.local:8080/api/u2f/register | 401 | POST |
|
| https://login.example.com:8080/api/u2f/register | 401 | POST |
|
|
@ -5,20 +5,20 @@ Feature: Session is closed after a certain amount of time
|
||||||
Scenario: An authenticated user is disconnected after a certain inactivity period
|
Scenario: An authenticated user is disconnected after a certain inactivity period
|
||||||
Given I have access to:
|
Given I have access to:
|
||||||
| url |
|
| url |
|
||||||
| https://public.test.local:8080/secret.html |
|
| https://public.example.com:8080/secret.html |
|
||||||
When I sleep for 6 seconds
|
When I sleep for 6 seconds
|
||||||
And I visit "https://public.test.local:8080/secret.html"
|
And I visit "https://public.example.com:8080/secret.html"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||||
|
|
||||||
@need-authenticated-user-john
|
@need-authenticated-user-john
|
||||||
Scenario: An authenticated user is disconnected after session expiration period
|
Scenario: An authenticated user is disconnected after session expiration period
|
||||||
Given I have access to:
|
Given I have access to:
|
||||||
| url |
|
| url |
|
||||||
| https://public.test.local:8080/secret.html |
|
| https://public.example.com:8080/secret.html |
|
||||||
When I sleep for 4 seconds
|
When I sleep for 4 seconds
|
||||||
And I visit "https://public.test.local:8080/secret.html"
|
And I visit "https://public.example.com:8080/secret.html"
|
||||||
And I sleep for 4 seconds
|
And I sleep for 4 seconds
|
||||||
And I visit "https://public.test.local:8080/secret.html"
|
And I visit "https://public.example.com:8080/secret.html"
|
||||||
And I sleep for 4 seconds
|
And I sleep for 4 seconds
|
||||||
And I visit "https://public.test.local:8080/secret.html"
|
And I visit "https://public.example.com:8080/secret.html"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
|
@ -1,15 +1,15 @@
|
||||||
Feature: User can access certain subdomains with single factor
|
Feature: User can access certain subdomains with single factor
|
||||||
|
|
||||||
Scenario: User is redirected to service after first factor if allowed
|
Scenario: User is redirected to service after first factor if allowed
|
||||||
When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fsingle_factor.test.local%3A8080%2Fsecret.html"
|
When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
Then I'm redirected to "https://single_factor.test.local:8080/secret.html"
|
Then I'm redirected to "https://single_factor.example.com:8080/secret.html"
|
||||||
|
|
||||||
Scenario: Redirection after first factor fails if single_factor not allowed. It redirects user to first factor.
|
Scenario: Redirection after first factor fails if single_factor not allowed. It redirects user to first factor.
|
||||||
When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html"
|
When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html"
|
Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
|
||||||
|
|
||||||
Scenario: User can login using basic authentication
|
Scenario: User can login using basic authentication
|
||||||
When I request "https://single_factor.test.local:8080/secret.html" with username "john" and password "password" using basic authentication
|
When I request "https://single_factor.example.com:8080/secret.html" with username "john" and password "password" using basic authentication
|
||||||
Then I receive the secret page
|
Then I receive the secret page
|
|
@ -3,14 +3,14 @@ Feature: Server is configured as a single factor only server
|
||||||
|
|
||||||
@need-registered-user-john
|
@need-registered-user-john
|
||||||
Scenario: User is redirected to service after first factor if allowed
|
Scenario: User is redirected to service after first factor if allowed
|
||||||
When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html"
|
When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
Then I'm redirected to "https://public.test.local:8080/secret.html"
|
Then I'm redirected to "https://public.example.com:8080/secret.html"
|
||||||
|
|
||||||
@need-registered-user-john
|
@need-registered-user-john
|
||||||
Scenario: User is correctly redirected according to default redirection URL
|
Scenario: User is correctly redirected according to default redirection URL
|
||||||
When I visit "https://auth.test.local:8080"
|
When I visit "https://login.example.com:8080"
|
||||||
And I login with user "john" and password "password"
|
And I login with user "john" and password "password"
|
||||||
Then I'm redirected to "https://auth.test.local:8080/loggedin"
|
Then I'm redirected to "https://login.example.com:8080/loggedin"
|
||||||
And I sleep for 5 seconds
|
And I sleep for 5 seconds
|
||||||
Then I'm redirected to "https://home.test.local:8080/"
|
Then I'm redirected to "https://home.example.com:8080/"
|
||||||
|
|
|
@ -55,7 +55,9 @@ Cucumber.defineSupportCode(function ({ After, Before }) {
|
||||||
Before({ tags: "@needs-" + tag + "-config", timeout: 20 * 1000 }, function () {
|
Before({ tags: "@needs-" + tag + "-config", timeout: 20 * 1000 }, function () {
|
||||||
return cb()
|
return cb()
|
||||||
.then(function () {
|
.then(function () {
|
||||||
return exec("./scripts/example-commit/dc-example.sh -f docker-compose.test.yml up -d authelia && sleep 1");
|
return exec("./scripts/example-commit/dc-example.sh -f " +
|
||||||
|
"./example/authelia/docker-compose.test.yml up -d authelia &&" +
|
||||||
|
" sleep 1");
|
||||||
})
|
})
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@ -100,9 +102,9 @@ Cucumber.defineSupportCode(function ({ After, Before }) {
|
||||||
}
|
}
|
||||||
|
|
||||||
function needAuthenticatedUser(context: any, username: string): BluebirdPromise<void> {
|
function needAuthenticatedUser(context: any, username: string): BluebirdPromise<void> {
|
||||||
return context.visit("https://auth.test.local:8080/logout")
|
return context.visit("https://login.example.com:8080/logout")
|
||||||
.then(function () {
|
.then(function () {
|
||||||
return context.visit("https://auth.test.local:8080/");
|
return context.visit("https://login.example.com:8080/");
|
||||||
})
|
})
|
||||||
.then(function () {
|
.then(function () {
|
||||||
return registerUser(context, username);
|
return registerUser(context, username);
|
||||||
|
|
|
@ -152,7 +152,7 @@ function CustomWorld() {
|
||||||
|
|
||||||
this.registerTotpAndSignin = function (username: string, password: string) {
|
this.registerTotpAndSignin = function (username: string, password: string) {
|
||||||
const totpHandle = "HANDLE";
|
const totpHandle = "HANDLE";
|
||||||
const authUrl = "https://auth.test.local:8080/";
|
const authUrl = "https://login.example.com:8080/";
|
||||||
const that = this;
|
const that = this;
|
||||||
return this.visit(authUrl)
|
return this.visit(authUrl)
|
||||||
.then(function () {
|
.then(function () {
|
||||||
|
|
Loading…
Reference in New Issue