Change domain from test.local to example.com

Warning: you will need to update your /etc/hosts to take this change into
account for the example environment to work.
Clement Michaud 2017-11-02 21:34:07 +01:00
parent bbbffaa3ae
commit a8974a9d8e
44 changed files with 544 additions and 546 deletions


@ -15,14 +15,14 @@ addons:
- libgif-dev - libgif-dev
- google-chrome-stable - google-chrome-stable
hosts: hosts:
- admin.test.local - admin.example.com
- auth.test.local - login.example.com
- single_factor.test.local - single_factor.example.com
- dev.test.local - dev.example.com
- home.test.local - home.example.com
- mx1.mail.test.local - mx1.mail.example.com
- mx2.mail.test.local - mx2.mail.example.com
- public.test.local - public.example.com
before_install: before_install:
- npm install -g npm@'>=2.13.5' - npm install -g npm@'>=2.13.5'


@ -95,14 +95,14 @@ Make sure you don't have anything listening on port 8080 (webserver) and 8085 (w
Add the following lines to your **/etc/hosts** to alias multiple subdomains so that nginx can redirect request to the correct virtual host. Add the following lines to your **/etc/hosts** to alias multiple subdomains so that nginx can redirect request to the correct virtual host.
127.0.0.1 home.test.local 127.0.0.1 home.example.com
127.0.0.1 public.test.local 127.0.0.1 public.example.com
127.0.0.1 dev.test.local 127.0.0.1 dev.example.com
127.0.0.1 admin.test.local 127.0.0.1 admin.example.com
127.0.0.1 mx1.mail.test.local 127.0.0.1 mx1.mail.example.com
127.0.0.1 mx2.mail.test.local 127.0.0.1 mx2.mail.example.com
127.0.0.1 single_factor.test.local 127.0.0.1 single_factor.example.com
127.0.0.1 auth.test.local 127.0.0.1 login.example.com
### Run it! ### Run it!
@ -118,7 +118,7 @@ Use provided container on [DockerHub](https://hub.docker.com/r/clems4ever/authel
./scripts/example-dockerhub/deploy-example.sh ./scripts/example-dockerhub/deploy-example.sh
After few seconds the services should be running and you should be able to visit After few seconds the services should be running and you should be able to visit
[https://home.test.local:8080/](https://home.test.local:8080/). [https://home.example.com:8080/](https://home.example.com:8080/).
When accessing the login page, a self-signed certificate exception should appear, When accessing the login page, a self-signed certificate exception should appear,
it has to be trusted before you can get to the target page. The certificate it has to be trusted before you can get to the target page. The certificate


@ -20,7 +20,7 @@ logs_level: debug
# #
# Note: this parameter is optional. If not provided, user won't # Note: this parameter is optional. If not provided, user won't
# be redirected upon successful authentication. # be redirected upon successful authentication.
default_redirection_url: https://home.test.local:8080/ default_redirection_url: https://home.example.com:8080/
# LDAP configuration # LDAP configuration
# #
@ -77,7 +77,7 @@ ldap:
authentication_methods: authentication_methods:
default_method: two_factor default_method: two_factor
per_subdomain_methods: per_subdomain_methods:
single_factor.test.local: single_factor single_factor.example.com: single_factor
# Access Control # Access Control
# #
@ -120,7 +120,7 @@ access_control:
# The rules that apply to anyone. # The rules that apply to anyone.
# The value is a list of rules. # The value is a list of rules.
any: any:
- domain: public.test.local - domain: public.example.com
policy: allow policy: allow
# Group-based rules. The key is a group name and the value # Group-based rules. The key is a group name and the value
@ -128,13 +128,13 @@ access_control:
groups: groups:
admin: admin:
# All resources in all domains # All resources in all domains
- domain: '*.test.local' - domain: '*.example.com'
policy: allow policy: allow
# Except mx2.mail.test.local (it restricts the first rule) # Except mx2.mail.example.com (it restricts the first rule)
- domain: 'mx2.mail.test.local' - domain: 'mx2.mail.example.com'
policy: deny policy: deny
dev: dev:
- domain: dev.test.local - domain: dev.example.com
policy: allow policy: allow
resources: resources:
- '^/groups/dev/.*$' - '^/groups/dev/.*$'
@ -143,19 +143,19 @@ access_control:
# is a list of rules. # is a list of rules.
users: users:
john: john:
- domain: dev.test.local - domain: dev.example.com
policy: allow policy: allow
resources: resources:
- '^/users/john/.*$' - '^/users/john/.*$'
harry: harry:
- domain: dev.test.local - domain: dev.example.com
policy: allow policy: allow
resources: resources:
- '^/users/harry/.*$' - '^/users/harry/.*$'
bob: bob:
- domain: '*.mail.test.local' - domain: '*.mail.example.com'
policy: allow policy: allow
- domain: 'dev.test.local' - domain: 'dev.example.com'
policy: allow policy: allow
resources: resources:
- '^/users/bob/.*$' - '^/users/bob/.*$'
@ -177,7 +177,7 @@ session:
# The domain to protect. # The domain to protect.
# Note: the authenticator must also be in that domain. If empty, the cookie # Note: the authenticator must also be in that domain. If empty, the cookie
# is restricted to the subdomain of the issuer. # is restricted to the subdomain of the issuer.
domain: test.local domain: example.com
# The redis connection details # The redis connection details
redis: redis:


@ -5,7 +5,6 @@ services:
restart: always restart: always
volumes: volumes:
- ./config.template.yml:/etc/authelia/config.yml:ro - ./config.template.yml:/etc/authelia/config.yml:ro
- ./notifications:/var/lib/authelia/notifications
environment: environment:
- NODE_TLS_REJECT_UNAUTHORIZED=0 - NODE_TLS_REJECT_UNAUTHORIZED=0
depends_on: depends_on:


@ -3,6 +3,6 @@ services:
nginx-authelia: nginx-authelia:
image: nginx:alpine image: nginx:alpine
volumes: volumes:
- ./example/nginx/backend/nginx.conf:/etc/nginx/nginx.conf - ./example/nginx/authelia/nginx.conf:/etc/nginx/nginx.conf
networks: networks:
- example-network - example-network


@ -1,21 +1,5 @@
# nginx-sso - example nginx config
#
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
#
# This is an example config for using nginx with the nginx-sso cookie system.
# For simplicity, this config sets up two fictional vhosts that you can use to
# test against both components of the nginx-sso system: ssoauth & ssologin.
# In a real deployment, these vhosts would be separate hosts.
#user nobody;
worker_processes 1; worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events { events {
worker_connections 1024; worker_connections 1024;
} }
@ -23,31 +7,15 @@ events {
http { http {
server { server {
listen 443 ssl; listen 80;
server_name auth.test.local;
ssl on; resolver 127.0.0.11 ipv6=off;
ssl_certificate /etc/ssl/server.crt; set $upstream_endpoint http://authelia;
ssl_certificate_key /etc/ssl/server.key;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
location / { location / {
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://authelia/; proxy_pass $upstream_endpoint;
proxy_intercept_errors on;
if ($request_method !~ ^(POST)$){
error_page 401 = /error/401;
error_page 403 = /error/403;
error_page 404 = /error/404;
}
} }
} }
} }
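Review bot: The rewritten `location /` forwards only `Host` to authelia; `X-Original-URI`, `X-Real-IP` and `X-Forwarded-Proto` are dropped here and again in the `login.example.com` server of the portal nginx config later in this commit, and because this vhost now listens on plain port 80 behind the portal, `$remote_addr` and `$scheme` at this hop are the portal's address and `http`. If Authelia uses those headers for logging, rate limiting or building redirect/cookie attributes on the login path (not visible on this page), it now receives the wrong values or none at all. The portal should keep `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` when proxying to nginx-authelia, and this hop should pass the received values through (`$http_x_real_ip`, `$http_x_forwarded_proto`) rather than regenerate them. A comment above `set $upstream_endpoint`, e.g. `# proxy_pass via a variable defers upstream lookup to request time (Docker DNS at 127.0.0.11) so nginx starts even if authelia is not up yet` — presumably the intent — would explain the resolver/set pair to the next reader.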


@ -5,6 +5,6 @@
</head> </head>
<body> <body>
This is a very important secret!<br/> This is a very important secret!<br/>
Go back to <a href="https://home.test.local:8080/">home page</a>. Go back to <a href="https://home.example.com:8080/">home page</a>.
</body> </body>
</html> </html>


@ -1,10 +0,0 @@
<html>
<head>
<title>Secret</title>
<link rel="icon" href="/icon.png" type="image/png" />
</head>
<body>
This is a very important secret!<br/>
Go back to <a href="https://home.test.local:8080/">home page</a>.
</body>
</html>


@ -1,10 +0,0 @@
<html>
<head>
<title>Secret</title>
<link rel="icon" href="/icon.png" type="image/png" />
</head>
<body>
This is a very important secret!<br/>
Go back to <a href="https://home.test.local:8080/">home page</a>.
</body>
</html>


@ -5,6 +5,6 @@
</head> </head>
<body> <body>
This is a very important secret!<br/> This is a very important secret!<br/>
Go back to <a href="https://home.test.local:8080/">home page</a>. Go back to <a href="https://home.example.com:8080/">home page</a>.
</body> </body>
</html> </html>


@ -5,6 +5,6 @@
</head> </head>
<body> <body>
This is a very important secret!<br/> This is a very important secret!<br/>
Go back to <a href="https://home.test.local:8080/">home page</a>. Go back to <a href="https://home.example.com:8080/">home page</a>.
</body> </body>
</html> </html>


@ -5,6 +5,6 @@
</head> </head>
<body> <body>
This is a very important secret!<br/> This is a very important secret!<br/>
Go back to <a href="https://home.test.local:8080/">home page</a>. Go back to <a href="https://home.example.com:8080/">home page</a>.
</body> </body>
</html> </html>


@ -0,0 +1,10 @@
<html>
<head>
<title>Secret</title>
<link rel="icon" href="/icon.png" type="image/png" />
</head>
<body>
This is a very important secret!<br/>
Go back to <a href="https://home.example.com:8080/">home page</a>.
</body>
</html>


@ -0,0 +1,10 @@
<html>
<head>
<title>Secret</title>
<link rel="icon" href="/icon.png" type="image/png" />
</head>
<body>
This is a very important secret!<br/>
Go back to <a href="https://home.example.com:8080/">home page</a>.
</body>
</html>


@ -12,51 +12,51 @@
one of the following links to test access control powered by Authelia.<br/> one of the following links to test access control powered by Authelia.<br/>
<ul> <ul>
<li> <li>
public.test.local <a href="https://public.test.local:8080/"> / index.html</a> public.example.com <a href="https://public.example.com:8080/"> / index.html</a>
</li> </li>
<li> <li>
secret.test.local secret.example.com
<ul> <ul>
<li>Groups <li>Groups
<ul> <ul>
<li> <li>
<a href="https://dev.test.local:8080/groups/admin/secret.html"> / groups / admins / secret.html</a> <a href="https://dev.example.com:8080/groups/admin/secret.html"> / groups / admins / secret.html</a>
</li> </li>
<li> <li>
<a href="https://dev.test.local:8080/groups/dev/secret.html"> / groups / dev / secret.html</a> <a href="https://dev.example.com:8080/groups/dev/secret.html"> / groups / dev / secret.html</a>
</li> </li>
</ul> </ul>
</li> </li>
<li>Users <li>Users
<ul> <ul>
<li> <li>
<a href="https://dev.test.local:8080/users/john/secret.html"> / users / john / secret.html</a> <a href="https://dev.example.com:8080/users/john/secret.html"> / users / john / secret.html</a>
</li> </li>
<li> <li>
<a href="https://dev.test.local:8080/users/harry/secret.html"> / users / harry / secret.html</a> <a href="https://dev.example.com:8080/users/harry/secret.html"> / users / harry / secret.html</a>
</li> </li>
<li> <li>
<a href="https://dev.test.local:8080/users/bob/secret.html"> / users / bob / secret.html</a> <a href="https://dev.example.com:8080/users/bob/secret.html"> / users / bob / secret.html</a>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
</li> </li>
<li> <li>
admin.test.local <a href="https://admin.test.local:8080/secret.html"> / secret.html</a> admin.example.com <a href="https://admin.example.com:8080/secret.html"> / secret.html</a>
</li> </li>
<li> <li>
mx1.main.test.local <a href="https://mx1.mail.test.local:8080/secret.html"> / secret.html</a> mx1.main.example.com <a href="https://mx1.mail.example.com:8080/secret.html"> / secret.html</a>
</li> </li>
<li> <li>
mx2.main.test.local <a href="https://mx2.mail.test.local:8080/secret.html"> / secret.html</a> mx2.main.example.com <a href="https://mx2.mail.example.com:8080/secret.html"> / secret.html</a>
</li> </li>
<li> <li>
single_factor.test.local <a href="https://single_factor.test.local:8080/secret.html"> / secret.html</a> single_factor.example.com <a href="https://single_factor.example.com:8080/secret.html"> / secret.html</a>
</li> </li>
</ul> </ul>
You can also log off by visiting the following <a href="https://auth.test.local:8080/logout?redirect=https://home.test.local:8080/">link</a>. You can also log off by visiting the following <a href="https://login.example.com:8080/logout?redirect=https://home.example.com:8080/">link</a>.
<h1>List of users</h1> <h1>List of users</h1>
Here is the list of credentials you can log in with to test access control.<br/> Here is the list of credentials you can log in with to test access control.<br/>
@ -84,7 +84,7 @@ default_policy: deny
# The value is a list of rules. # The value is a list of rules.
any: any:
- domain: public.test.local - domain: public.example.com
policy: allow policy: allow
# Group-based rules. The key is a group name and the value # Group-based rules. The key is a group name and the value
@ -93,13 +93,13 @@ any:
groups: groups:
admin: admin:
# All resources in all domains # All resources in all domains
- domain: '*.test.local' - domain: '*.example.com'
policy: allow policy: allow
# Except mx2.mail.test.local (it restricts the first rule) # Except mx2.mail.example.com (it restricts the first rule)
- domain: 'mx2.mail.test.local' - domain: 'mx2.mail.example.com'
policy: deny policy: deny
dev: dev:
- domain: dev.test.local - domain: dev.example.com
policy: allow policy: allow
resources: resources:
- '^/groups/dev/.*$' - '^/groups/dev/.*$'
@ -109,23 +109,23 @@ groups:
users: users:
john: john:
- domain: dev.test.local - domain: dev.example.com
policy: allow policy: allow
resources: resources:
- '^/users/john/.*$' - '^/users/john/.*$'
harry: harry:
- domain: dev.test.local - domain: dev.example.com
policy: allow policy: allow
resources: resources:
- '^/users/harry/.*$' - '^/users/harry/.*$'
bob: bob:
- domain: '*.mail.test.local' - domain: '*.mail.example.com'
policy: allow policy: allow
- domain: 'dev.test.local' - domain: 'dev.example.com'
policy: allow policy: allow
resources: resources:
- '^/users/bob/.*$' - '^/users/bob/.*$'
- domain: 'dev.test.local' - domain: 'dev.example.com'
policy: allow policy: allow
resources: resources:
- '^/users/harry/.*$'</pre> - '^/users/harry/.*$'</pre>
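Review bot: The two mail entries still read `mx1.main.example.com` and `mx2.main.example.com` in the visible label while their links point at `mx1.mail.example.com` / `mx2.mail.example.com` and the backend nginx `server_name` in this commit uses `mail`; the labels should be `mx1.mail.example.com` and `mx2.mail.example.com`. The access-control excerpt inside the `<pre>` block also ends with an extra `dev.example.com` rule for `^/users/harry/.*$` that has no counterpart under `bob` in config.template.yml in this same commit; if the page is meant to mirror the shipped config that trailing rule looks stale, though the start of the excerpt is outside the hunk so I cannot see which user it belongs to.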


@ -1,10 +0,0 @@
<html>
<head>
<title>Secret</title>
<link rel="icon" href="/icon.png" type="image/png" />
</head>
<body>
This is a very important secret!<br/>
Go back to <a href="https://home.test.local:8080/">home page</a>.
</body>
</html>


@ -0,0 +1,10 @@
<html>
<head>
<title>Secret</title>
<link rel="icon" href="/icon.png" type="image/png" />
</head>
<body>
This is a very important secret!<br/>
Go back to <a href="https://home.example.com:8080/">home page</a>.
</body>
</html>


@ -1,10 +0,0 @@
<html>
<head>
<title>Secret</title>
<link rel="icon" href="/icon.png" type="image/png" />
</head>
<body>
This is a very important secret!<br/>
Go back to <a href="https://home.test.local:8080/">home page</a>.
</body>
</html>


@ -7,7 +7,7 @@
<body> <body>
<h1>Public resource</h1> <h1>Public resource</h1>
<p>This is a public resource.<br/> <p>This is a public resource.<br/>
Go back to <a href="https://home.test.local:8080/">home page</a>. Go back to <a href="https://home.example.com:8080/">home page</a>.
</p> </p>
</body> </body>
</html> </html>


@ -0,0 +1,10 @@
<html>
<head>
<title>Secret</title>
<link rel="icon" href="/icon.png" type="image/png" />
</head>
<body>
This is a very important secret!<br/>
Go back to <a href="https://home.example.com:8080/">home page</a>.
</body>
</html>


@ -1,10 +0,0 @@
<html>
<head>
<title>Secret</title>
<link rel="icon" href="/icon.png" type="image/png" />
</head>
<body>
This is a very important secret!<br/>
Go back to <a href="https://home.test.local:8080/">home page</a>.
</body>
</html>


@ -0,0 +1,10 @@
<html>
<head>
<title>Secret</title>
<link rel="icon" href="/icon.png" type="image/png" />
</head>
<body>
This is a very important secret!<br/>
Go back to <a href="https://home.example.com:8080/">home page</a>.
</body>
</html>


@ -1,21 +1,5 @@
# nginx-sso - example nginx config
#
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
#
# This is an example config for using nginx with the nginx-sso cookie system.
# For simplicity, this config sets up two fictional vhosts that you can use to
# test against both components of the nginx-sso system: ssoauth & ssologin.
# In a real deployment, these vhosts would be separate hosts.
#user nobody;
worker_processes 1; worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events { events {
worker_connections 1024; worker_connections 1024;
} }
@ -24,38 +8,38 @@ events {
http { http {
server { server {
listen 80; listen 80;
root /usr/share/nginx/html/home.test.local; root /usr/share/nginx/html/home;
server_name home.test.local; server_name home.example.com;
} }
server { server {
listen 80; listen 80;
root /usr/share/nginx/html/public.test.local; root /usr/share/nginx/html/public;
server_name public.test.local; server_name public.example.com;
} }
server { server {
listen 80; listen 80;
root /usr/share/nginx/html/admin.test.local; root /usr/share/nginx/html/admin;
server_name admin.test.local; server_name admin.example.com;
} }
server { server {
listen 80; listen 80;
root /usr/share/nginx/html/dev.test.local; root /usr/share/nginx/html/dev;
server_name dev.test.local; server_name dev.example.com;
} }
server { server {
listen 80; listen 80;
root /usr/share/nginx/html/mail.test.local; root /usr/share/nginx/html/mail;
server_name mx1.mail.test.local mx2.mail.test.local; server_name mx1.mail.example.com mx2.mail.example.com;
} }
server { server {
listen 80; listen 80;
root /usr/share/nginx/html/single_factor.test.local; root /usr/share/nginx/html/single_factor;
server_name single_factor.test.local; server_name single_factor.example.com;
} }
} }


@ -1,30 +1,16 @@
# nginx-sso - example nginx config
#
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
#
# This is an example config for using nginx with the nginx-sso cookie system.
# For simplicity, this config sets up two fictional vhosts that you can use to
# test against both components of the nginx-sso system: ssoauth & ssologin.
# In a real deployment, these vhosts would be separate hosts.
#user nobody;
worker_processes 1; worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events { events {
worker_connections 1024; worker_connections 1024;
} }
http { http {
server { server {
listen 443 ssl; listen 443 ssl;
server_name home.test.local; server_name login.example.com;
resolver 127.0.0.11 ipv6=off;
set $upstream_endpoint http://nginx-authelia;
ssl on; ssl on;
ssl_certificate /etc/ssl/server.crt; ssl_certificate /etc/ssl/server.crt;
@ -35,14 +21,49 @@ http {
location / { location / {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_intercept_errors on;
proxy_pass http://nginx-backend/; proxy_pass $upstream_endpoint;
if ($request_method !~ ^(POST)$){
error_page 401 = /error/401;
error_page 403 = /error/403;
error_page 404 = /error/404;
}
} }
} }
server { server {
listen 443 ssl; listen 443 ssl;
server_name public.test.local; server_name home.example.com;
resolver 127.0.0.11 ipv6=off;
set $upstream_endpoint http://nginx-backend;
ssl on;
ssl_certificate /etc/ssl/server.crt;
ssl_certificate_key /etc/ssl/server.key;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
location / {
proxy_set_header Host $http_host;
proxy_pass $upstream_endpoint;
}
}
server {
listen 443 ssl;
server_name public.example.com;
resolver 127.0.0.11 ipv6=off;
set $upstream_verify http://nginx-authelia/api/verify;
set $upstream_endpoint http://nginx-backend;
set $upstream_headers http://httpbin:8000/headers;
ssl on; ssl on;
ssl_certificate /etc/ssl/server.crt; ssl_certificate /etc/ssl/server.crt;
@ -53,13 +74,13 @@ http {
location /auth_verify { location /auth_verify {
internal; internal;
proxy_set_header Host $http_host;
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass http://nginx-authelia/api/verify; proxy_pass $upstream_verify;
} }
location / { location / {
@ -75,10 +96,10 @@ http {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://login.example.com:8080/error/403;
proxy_pass http://nginx-backend/; proxy_pass $upstream_endpoint;
} }
location /headers { location /headers {
@ -92,16 +113,20 @@ http {
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Custom-Forwarded-Groups $groups; proxy_set_header Custom-Forwarded-Groups $groups;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://login.example.com:8080/error/403;
proxy_pass http://httpbin:8000/headers; proxy_pass $upstream_headers;
} }
} }
server { server {
listen 443 ssl; listen 443 ssl;
server_name admin.test.local; server_name admin.example.com;
resolver 127.0.0.11 ipv6=off;
set $upstream_verify http://nginx-authelia/api/verify;
set $upstream_endpoint http://nginx-backend;
ssl on; ssl on;
ssl_certificate /etc/ssl/server.crt; ssl_certificate /etc/ssl/server.crt;
@ -112,13 +137,13 @@ http {
location /auth_verify { location /auth_verify {
internal; internal;
proxy_set_header Host $http_host;
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass http://nginx-authelia/api/verify; proxy_pass $upstream_verify;
} }
location / { location / {
@ -134,16 +159,20 @@ http {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://login.example.com:8080/error/403;
proxy_pass http://nginx-backend/; proxy_pass $upstream_endpoint;
} }
} }
server { server {
listen 443 ssl; listen 443 ssl;
server_name dev.test.local; server_name dev.example.com;
resolver 127.0.0.11 ipv6=off;
set $upstream_verify http://nginx-authelia/api/verify;
set $upstream_endpoint http://nginx-backend;
ssl on; ssl on;
ssl_certificate /etc/ssl/server.crt; ssl_certificate /etc/ssl/server.crt;
@ -154,13 +183,13 @@ http {
location /auth_verify { location /auth_verify {
internal; internal;
proxy_set_header Host $http_host;
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass http://nginx-authelia/api/verify; proxy_pass $upstream_verify;
} }
location / { location / {
@ -176,16 +205,20 @@ http {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://login.example.com:8080/error/403;
proxy_pass http://nginx-backend/; proxy_pass $upstream_endpoint;
} }
} }
server { server {
listen 443 ssl; listen 443 ssl;
server_name mx1.mail.test.local mx2.mail.test.local; server_name mx1.mail.example.com mx2.mail.example.com;
resolver 127.0.0.11 ipv6=off;
set $upstream_verify http://nginx-authelia/api/verify;
set $upstream_endpoint http://nginx-backend;
ssl on; ssl on;
ssl_certificate /etc/ssl/server.crt; ssl_certificate /etc/ssl/server.crt;
@ -196,13 +229,13 @@ http {
location /auth_verify { location /auth_verify {
internal; internal;
proxy_set_header Host $http_host;
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass http://nginx-authelia/api/verify; proxy_pass $upstream_verify;
} }
location / { location / {
@ -218,16 +251,21 @@ http {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://login.example.com:8080/error/403;
proxy_pass http://nginx-backend/; proxy_pass $upstream_endpoint;
} }
} }
server { server {
listen 443 ssl; listen 443 ssl;
server_name single_factor.test.local; server_name single_factor.example.com;
resolver 127.0.0.11 ipv6=off;
set $upstream_verify http://nginx-authelia/api/verify;
set $upstream_endpoint http://nginx-backend;
set $upstream_headers http://httpbin:8000/headers;
ssl on; ssl on;
ssl_certificate /etc/ssl/server.crt; ssl_certificate /etc/ssl/server.crt;
@ -238,14 +276,14 @@ http {
location /auth_verify { location /auth_verify {
internal; internal;
proxy_set_header Host $http_host;
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_set_header Proxy-Authorization $http_authorization; proxy_set_header Proxy-Authorization $http_authorization;
proxy_pass http://nginx-authelia/api/verify; proxy_pass $upstream_verify;
} }
location / { location / {
@ -261,10 +299,10 @@ http {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://login.example.com:8080/error/403;
proxy_pass http://nginx-backend/; proxy_pass $upstream_endpoint;
} }
location /headers { location /headers {
@ -278,10 +316,10 @@ http {
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Custom-Forwarded-Groups $groups; proxy_set_header Custom-Forwarded-Groups $groups;
proxy_pass http://httpbin:8000/headers; error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
error_page 403 = https://login.example.com:8080/error/403;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; proxy_pass $upstream_headers;
error_page 403 = https://auth.test.local:8080/error/403;
} }
} }
} }
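Review bot: `resolver 127.0.0.11 ipv6=off;` is repeated in every new server block (login, home, public, admin, dev, mail, single_factor); nginx accepts `resolver` in the `http` context, so a single line after `http {` covers all of them and the per-server copies can be removed. The `set $upstream_verify http://nginx-authelia/api/verify;` / `set $upstream_endpoint http://nginx-backend;` pairs are likewise repeated five times; `set` cannot move to the `http` level, but the first occurrence deserves a comment such as `# variables in proxy_pass force per-request DNS resolution via Docker's embedded resolver` so the duplication is understood rather than "cleaned up" later. Worth noting in that comment as well: when `proxy_pass` takes a variable that includes a URI, nginx replaces the request URI with it (so `/auth_verify` still reaches `/api/verify`, matching the old literal `proxy_pass`), whereas `$upstream_endpoint` with no URI passes the request URI unchanged — equivalent to the old `http://nginx-backend/` under `location /` but not under a prefix location, which is why `$upstream_headers` carries its own path.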


@ -3,8 +3,8 @@
set -e set -e
docker-compose \ docker-compose \
-f docker-compose.dockerhub.yml \
-f example/docker-compose.base.yml \ -f example/docker-compose.base.yml \
-f example/authelia/docker-compose.dockerhub.yml \
-f example/mongo/docker-compose.yml \ -f example/mongo/docker-compose.yml \
-f example/redis/docker-compose.yml \ -f example/redis/docker-compose.yml \
-f example/nginx/authelia/docker-compose.yml \ -f example/nginx/authelia/docker-compose.yml \


@ -13,7 +13,11 @@ start_services() {
} }
shut_services() { shut_services() {
$DC_SCRIPT down --remove-orphans containers_exist=`docker ps -aq | wc -l`
if [ "$containers_exist" -ne "0" ]
then
docker rm -f $(docker ps -aq)
fi
} }
expect_services_count() { expect_services_count() {
@ -42,16 +46,18 @@ run_integration_tests() {
run_other_tests() { run_other_tests() {
echo "Test dev environment deployment (commands in README)" echo "Test dev environment deployment (commands in README)"
rm -rf node_modules # rm -rf node_modules
./scripts/build-dev.sh # ./scripts/build-dev.sh
./scripts/example-commit/deploy-example.sh ./scripts/example-commit/deploy-example.sh
expect_services_count $EXPECTED_SERVICES_COUNT expect_services_count $EXPECTED_SERVICES_COUNT
./scripts/example-commit/undeploy-example.sh
} }
run_other_tests_docker() { run_other_tests_docker() {
echo "Test dev docker deployment (commands in README)" echo "Test dev docker deployment (commands in README)"
./scripts/example-dockerhub/deploy-example.sh ./scripts/example-dockerhub/deploy-example.sh
expect_services_count $EXPECTED_SERVICES_COUNT expect_services_count $EXPECTED_SERVICES_COUNT
./scripts/example-dockerhub/undeploy-example.sh
} }
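Review bot: `docker rm -f $(docker ps -aq)` in `shut_services` force-removes every container on the host, not only the ones this compose project started, and unlike the `$DC_SCRIPT down --remove-orphans` it replaces it leaves the project's networks and volumes behind. On a shared CI runner or a developer machine that destroys unrelated containers; keep `$DC_SCRIPT down --remove-orphans` as the first step and limit any forced fallback to containers carrying the compose project label, e.g. `docker ps -aq --filter "label=com.docker.compose.project=<project-name>"` with the project name taken from wherever `$DC_SCRIPT` defines it (outside this hunk). The count line should also use `containers_exist=$(docker ps -aq | wc -l)` rather than backticks, matching the `$(...)` form used two lines below. In `run_other_tests`, the commented-out `rm -rf node_modules` and `./scripts/build-dev.sh` lines should either be deleted or carry a comment explaining why the README dev build is now skipped before deploying.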


@ -1,13 +1,14 @@
block variables block variables
doctype html
html html
head head
title Authelia - 2FA title Authelia - 2FA
meta(name="viewport", content="width=device-width, initial-scale=1.0")/ meta(name="viewport", content="width=device-width, initial-scale=1.0")
meta(name="robots", content="noindex, nofollow, nosnippet, noarchive")/ meta(name="robots", content="noindex, nofollow, nosnippet, noarchive")
meta(http-equiv="Content-Security-Policy", content="default-src 'self'; img-src 'self' data:;")/ meta(http-equiv="Content-Security-Policy", content="default-src 'self'; img-src 'self' data:;")
link(rel="icon", href="/img/icon.png" type="image/png" sizes="32x32")/ link(rel="icon", href="/img/icon.png" type="image/png" sizes="32x32")
link(rel="stylesheet", type="text/css", href="/css/authelia.css")/ link(rel="stylesheet", type="text/css", href="/css/authelia.css")
if redirection_url if redirection_url
meta(http-equiv="refresh" content="4;url=" + redirection_url) meta(http-equiv="refresh" content="4;url=" + redirection_url)
body body
@ -24,4 +25,4 @@ html
div(class="poweredby col-xs-6 col-xs-offset-4 col-sm-6 col-sm-offset-4 col-md-6 col-md-offset-4") div(class="poweredby col-xs-6 col-xs-offset-4 col-sm-6 col-sm-offset-4 col-md-6 col-md-offset-4")
| Powered by <a class="authelia-brand" href="https://github.com/clems4ever/authelia">Authelia</a> | Powered by <a class="authelia-brand" href="https://github.com/clems4ever/authelia">Authelia</a>
block entrypoint block entrypoint
script(src="/js/authelia.js") script(src="/js/authelia.js", type="text/javascript" )


@ -22,4 +22,4 @@ block content
img(alt='Get it on Apple Store' src='/img/stores/applestore-badge.svg' class="store-badge") img(alt='Get it on Apple Store' src='/img/stores/applestore-badge.svg' class="store-badge")
block entrypoint block entrypoint
script(src="/js/qrcode.min.js") script(src="/js/qrcode.min.js", type="text/javascript" )


@ -13,10 +13,10 @@ describe("test access control manager", function () {
configuration = undefined; configuration = undefined;
accessController = new AccessController(configuration, winston); accessController = new AccessController(configuration, winston);
Assert(accessController.isAccessAllowed("home.test.local", "/", "user1", ["group1", "group2"])); Assert(accessController.isAccessAllowed("home.example.com", "/", "user1", ["group1", "group2"]));
Assert(accessController.isAccessAllowed("home.test.local", "/abc", "user1", ["group1", "group2"])); Assert(accessController.isAccessAllowed("home.example.com", "/abc", "user1", ["group1", "group2"]));
Assert(accessController.isAccessAllowed("home.test.local", "/", "user2", ["group1", "group2"])); Assert(accessController.isAccessAllowed("home.example.com", "/", "user2", ["group1", "group2"]));
Assert(accessController.isAccessAllowed("admin.test.local", "/", "user3", ["group3"])); Assert(accessController.isAccessAllowed("admin.example.com", "/", "user3", ["group3"]));
}); });
}); });


@ -2,66 +2,66 @@ Feature: User has access restricted access to domains
@need-registered-user-john @need-registered-user-john
Scenario: User john has admin access Scenario: User john has admin access
When I visit "https://auth.test.local:8080?redirect=https%3A%2F%2Fhome.test.local%3A8080%2F" When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I use "REGISTERED" as TOTP token handle And I use "REGISTERED" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
And I'm redirected to "https://home.test.local:8080/" And I'm redirected to "https://home.example.com:8080/"
Then I have access to: Then I have access to:
| url | | url |
| https://public.test.local:8080/secret.html | | https://public.example.com:8080/secret.html |
| https://dev.test.local:8080/groups/admin/secret.html | | https://dev.example.com:8080/groups/admin/secret.html |
| https://dev.test.local:8080/groups/dev/secret.html | | https://dev.example.com:8080/groups/dev/secret.html |
| https://dev.test.local:8080/users/john/secret.html | | https://dev.example.com:8080/users/john/secret.html |
| https://dev.test.local:8080/users/harry/secret.html | | https://dev.example.com:8080/users/harry/secret.html |
| https://dev.test.local:8080/users/bob/secret.html | | https://dev.example.com:8080/users/bob/secret.html |
| https://admin.test.local:8080/secret.html | | https://admin.example.com:8080/secret.html |
| https://mx1.mail.test.local:8080/secret.html | | https://mx1.mail.example.com:8080/secret.html |
| https://single_factor.test.local:8080/secret.html | | https://single_factor.example.com:8080/secret.html |
And I have no access to: And I have no access to:
| url | | url |
| https://mx2.mail.test.local:8080/secret.html | | https://mx2.mail.example.com:8080/secret.html |
@need-registered-user-bob @need-registered-user-bob
Scenario: User bob has restricted access Scenario: User bob has restricted access
When I visit "https://auth.test.local:8080?redirect=https%3A%2F%2Fhome.test.local%3A8080%2F" When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
And I login with user "bob" and password "password" And I login with user "bob" and password "password"
And I use "REGISTERED" as TOTP token handle And I use "REGISTERED" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
And I'm redirected to "https://home.test.local:8080/" And I'm redirected to "https://home.example.com:8080/"
Then I have access to: Then I have access to:
| url | | url |
| https://public.test.local:8080/secret.html | | https://public.example.com:8080/secret.html |
| https://dev.test.local:8080/groups/dev/secret.html | | https://dev.example.com:8080/groups/dev/secret.html |
| https://dev.test.local:8080/users/bob/secret.html | | https://dev.example.com:8080/users/bob/secret.html |
| https://mx1.mail.test.local:8080/secret.html | | https://mx1.mail.example.com:8080/secret.html |
| https://mx2.mail.test.local:8080/secret.html | | https://mx2.mail.example.com:8080/secret.html |
And I have no access to: And I have no access to:
| url | | url |
| https://dev.test.local:8080/groups/admin/secret.html | | https://dev.example.com:8080/groups/admin/secret.html |
| https://admin.test.local:8080/secret.html | | https://admin.example.com:8080/secret.html |
| https://dev.test.local:8080/users/john/secret.html | | https://dev.example.com:8080/users/john/secret.html |
| https://dev.test.local:8080/users/harry/secret.html | | https://dev.example.com:8080/users/harry/secret.html |
| https://single_factor.test.local:8080/secret.html | | https://single_factor.example.com:8080/secret.html |
@need-registered-user-harry @need-registered-user-harry
Scenario: User harry has restricted access Scenario: User harry has restricted access
When I visit "https://auth.test.local:8080?redirect=https%3A%2F%2Fhome.test.local%3A8080%2F" When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
And I login with user "harry" and password "password" And I login with user "harry" and password "password"
And I use "REGISTERED" as TOTP token handle And I use "REGISTERED" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
And I'm redirected to "https://home.test.local:8080/" And I'm redirected to "https://home.example.com:8080/"
Then I have access to: Then I have access to:
| url | | url |
| https://public.test.local:8080/secret.html | | https://public.example.com:8080/secret.html |
| https://dev.test.local:8080/users/harry/secret.html | | https://dev.example.com:8080/users/harry/secret.html |
And I have no access to: And I have no access to:
| url | | url |
| https://dev.test.local:8080/groups/dev/secret.html | | https://dev.example.com:8080/groups/dev/secret.html |
| https://dev.test.local:8080/users/bob/secret.html | | https://dev.example.com:8080/users/bob/secret.html |
| https://dev.test.local:8080/groups/admin/secret.html | | https://dev.example.com:8080/groups/admin/secret.html |
| https://admin.test.local:8080/secret.html | | https://admin.example.com:8080/secret.html |
| https://dev.test.local:8080/users/john/secret.html | | https://dev.example.com:8080/users/john/secret.html |
| https://mx1.mail.test.local:8080/secret.html | | https://mx1.mail.example.com:8080/secret.html |
| https://mx2.mail.test.local:8080/secret.html | | https://mx2.mail.example.com:8080/secret.html |
| https://single_factor.test.local:8080/secret.html | | https://single_factor.example.com:8080/secret.html |


@ -2,33 +2,33 @@ Feature: User is redirected when factors are already validated
@need-registered-user-john @need-registered-user-john
Scenario: User has validated first factor and tries to access service protected by second factor. He is then redirect to second factor step. Scenario: User has validated first factor and tries to access service protected by second factor. He is then redirect to second factor step.
When I visit "https://single_factor.test.local:8080/secret.html" When I visit "https://single_factor.example.com:8080/secret.html"
And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fsingle_factor.test.local%3A8080%2Fsecret.html" And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I'm redirected to "https://single_factor.test.local:8080/secret.html" And I'm redirected to "https://single_factor.example.com:8080/secret.html"
And I visit "https://public.test.local:8080/secret.html" And I visit "https://public.example.com:8080/secret.html"
Then I'm redirected to "https://auth.test.local:8080/secondfactor?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" Then I'm redirected to "https://login.example.com:8080/secondfactor?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
@need-registered-user-john @need-registered-user-john
Scenario: User who has validated second factor and access auth portal should be redirected to "Already logged in page" and redirected to default URL declared in configuration Scenario: User who has validated second factor and access auth portal should be redirected to "Already logged in page" and redirected to default URL declared in configuration
When I visit "https://public.test.local:8080/secret.html" When I visit "https://public.example.com:8080/secret.html"
And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I use "REGISTERED" as TOTP token handle And I use "REGISTERED" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
And I'm redirected to "https://public.test.local:8080/secret.html" And I'm redirected to "https://public.example.com:8080/secret.html"
And I visit "https://auth.test.local:8080" And I visit "https://login.example.com:8080"
Then I'm redirected to "https://auth.test.local:8080/loggedin" Then I'm redirected to "https://login.example.com:8080/loggedin"
And I sleep for 5 seconds And I sleep for 5 seconds
And I'm redirected to "https://home.test.local:8080/" And I'm redirected to "https://home.example.com:8080/"
@need-registered-user-john @need-registered-user-john
Scenario: User who has validated second factor and access auth portal with rediction param should be redirected to that URL Scenario: User who has validated second factor and access auth portal with rediction param should be redirected to that URL
When I visit "https://public.test.local:8080/secret.html" When I visit "https://public.example.com:8080/secret.html"
And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I use "REGISTERED" as TOTP token handle And I use "REGISTERED" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
And I'm redirected to "https://public.test.local:8080/secret.html" And I'm redirected to "https://public.example.com:8080/secret.html"
And I visit "https://auth.test.local:8080?redirect=https://public.test.local:8080/secret.html" And I visit "https://login.example.com:8080?redirect=https://public.example.com:8080/secret.html"
Then I'm redirected to "https://public.test.local:8080/secret.html" Then I'm redirected to "https://public.example.com:8080/secret.html"


@ -1,38 +1,38 @@
Feature: Authentication scenarii Feature: Authentication scenarii
Scenario: User succeeds first factor Scenario: User succeeds first factor
Given I visit "https://auth.test.local:8080/" Given I visit "https://login.example.com:8080/"
When I set field "username" to "bob" When I set field "username" to "bob"
And I set field "password" to "password" And I set field "password" to "password"
And I click on "Sign in" And I click on "Sign in"
Then I'm redirected to "https://auth.test.local:8080/secondfactor" Then I'm redirected to "https://login.example.com:8080/secondfactor"
Scenario: User fails first factor Scenario: User fails first factor
Given I visit "https://auth.test.local:8080/" Given I visit "https://login.example.com:8080/"
When I set field "username" to "john" When I set field "username" to "john"
And I set field "password" to "bad-password" And I set field "password" to "bad-password"
And I click on "Sign in" And I click on "Sign in"
Then I get a notification of type "error" with message "Authentication failed. Please check your credentials." Then I get a notification of type "error" with message "Authentication failed. Please check your credentials."
Scenario: User registers TOTP secret and succeeds authentication Scenario: User registers TOTP secret and succeeds authentication
Given I visit "https://auth.test.local:8080/" Given I visit "https://login.example.com:8080/"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I register a TOTP secret called "Sec0" And I register a TOTP secret called "Sec0"
When I visit "https://admin.test.local:8080/secret.html" When I visit "https://admin.example.com:8080/secret.html"
And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html" And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I use "Sec0" as TOTP token handle And I use "Sec0" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
Then I'm redirected to "https://admin.test.local:8080/secret.html" Then I'm redirected to "https://admin.example.com:8080/secret.html"
Scenario: User fails TOTP second factor Scenario: User fails TOTP second factor
When I visit "https://admin.test.local:8080/secret.html" When I visit "https://admin.example.com:8080/secret.html"
And I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html" And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I use "BADTOKEN" as TOTP token And I use "BADTOKEN" as TOTP token
And I click on "Sign in" And I click on "Sign in"
Then I get a notification of type "error" with message "Authentication failed. Have you already registered your secret?" Then I get a notification of type "error" with message "Authentication failed. Have you already registered your secret?"
Scenario: Logout redirects user to redirect URL given in parameter Scenario: Logout redirects user to redirect URL given in parameter
When I visit "https://auth.test.local:8080/logout?redirect=https://home.test.local:8080/" When I visit "https://login.example.com:8080/logout?redirect=https://home.example.com:8080/"
Then I'm redirected to "https://home.test.local:8080/" Then I'm redirected to "https://home.example.com:8080/"


@ -1,11 +1,11 @@
Feature: User and groups headers are correctly forwarded to backend Feature: User and groups headers are correctly forwarded to backend
@need-authenticated-user-john @need-authenticated-user-john
Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend
When I visit "https://public.test.local:8080/headers" When I visit "https://public.example.com:8080/headers"
Then I see header "Custom-Forwarded-User" set to "john" Then I see header "Custom-Forwarded-User" set to "john"
Then I see header "Custom-Forwarded-Groups" set to "dev,admin" Then I see header "Custom-Forwarded-Groups" set to "dev,admin"
Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend when basic auth is used Scenario: Custom-Forwarded-User and Custom-Forwarded-Groups are correctly forwarded to protected backend when basic auth is used
When I request "https://single_factor.test.local:8080/headers" with username "john" and password "password" using basic authentication When I request "https://single_factor.example.com:8080/headers" with username "john" and password "password" using basic authentication
Then I received header "Custom-Forwarded-User" set to "john" Then I received header "Custom-Forwarded-User" set to "john"
And I received header "Custom-Forwarded-Groups" set to "dev,admin" And I received header "Custom-Forwarded-Groups" set to "dev,admin"


@ -1,70 +1,70 @@
Feature: User is correctly redirected Feature: User is correctly redirected
Scenario: User is redirected to authelia when he is not authenticated Scenario: User is redirected to authelia when he is not authenticated
When I visit "https://public.test.local:8080" When I visit "https://public.example.com:8080"
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2F" Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2F"
@need-registered-user-john @need-registered-user-john
Scenario: User is redirected to home page after several authentication tries Scenario: User is redirected to home page after several authentication tries
When I visit "https://public.test.local:8080/secret.html" When I visit "https://public.example.com:8080/secret.html"
And I login with user "john" and password "badpassword" And I login with user "john" and password "badpassword"
And I wait for notification to disappear And I wait for notification to disappear
And I clear field "username" And I clear field "username"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I use "REGISTERED" as TOTP token handle And I use "REGISTERED" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
Then I'm redirected to "https://public.test.local:8080/secret.html" Then I'm redirected to "https://public.example.com:8080/secret.html"
Scenario: User Harry does not have access to admin domain and thus he must get an error 403 Scenario: User Harry does not have access to admin domain and thus he must get an error 403
When I register TOTP and login with user "harry" and password "password" When I register TOTP and login with user "harry" and password "password"
And I visit "https://admin.test.local:8080/secret.html" And I visit "https://admin.example.com:8080/secret.html"
Then I get an error 403 Then I get an error 403
Scenario: Redirection URL is propagated from restricted page to first factor Scenario: Redirection URL is propagated from restricted page to first factor
When I visit "https://public.test.local:8080/secret.html" When I visit "https://public.example.com:8080/secret.html"
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
Scenario: Redirection URL is propagated from first factor to second factor Scenario: Redirection URL is propagated from first factor to second factor
Given I visit "https://auth.test.local:8080/" Given I visit "https://login.example.com:8080/"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I register a TOTP secret called "Sec0" And I register a TOTP secret called "Sec0"
When I visit "https://public.test.local:8080/secret.html" When I visit "https://public.example.com:8080/secret.html"
And I login with user "john" and password "password" And I login with user "john" and password "password"
Then I'm redirected to "https://auth.test.local:8080/secondfactor?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" Then I'm redirected to "https://login.example.com:8080/secondfactor?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
Scenario: Redirection URL is used to send user from second factor to target page Scenario: Redirection URL is used to send user from second factor to target page
Given I visit "https://auth.test.local:8080/" Given I visit "https://login.example.com:8080/"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I register a TOTP secret called "Sec0" And I register a TOTP secret called "Sec0"
When I visit "https://public.test.local:8080/secret.html" When I visit "https://public.example.com:8080/secret.html"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I use "Sec0" as TOTP token handle And I use "Sec0" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
Then I'm redirected to "https://public.test.local:8080/secret.html" Then I'm redirected to "https://public.example.com:8080/secret.html"
@need-registered-user-john @need-registered-user-john
Scenario: User is redirected to default URL defined in configuration when authentication is successful Scenario: User is redirected to default URL defined in configuration when authentication is successful
When I visit "https://auth.test.local:8080" When I visit "https://login.example.com:8080"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I use "REGISTERED" as TOTP token handle And I use "REGISTERED" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
Then I'm redirected to "https://home.test.local:8080/" Then I'm redirected to "https://home.example.com:8080/"
Scenario: User is redirected when hitting an error 401 Scenario: User is redirected when hitting an error 401
When I visit "https://auth.test.local:8080/secondfactor/u2f/identity/finish" When I visit "https://login.example.com:8080/secondfactor/u2f/identity/finish"
Then I'm redirected to "https://auth.test.local:8080/error/401" Then I'm redirected to "https://login.example.com:8080/error/401"
And I sleep for 5 seconds And I sleep for 5 seconds
And I'm redirected to "https://home.test.local:8080/" And I'm redirected to "https://home.example.com:8080/"
@need-registered-user-harry @need-registered-user-harry
Scenario: User is redirected when hitting an error 403 Scenario: User is redirected when hitting an error 403
When I visit "https://auth.test.local:8080" When I visit "https://login.example.com:8080"
And I login with user "harry" and password "password" And I login with user "harry" and password "password"
And I use "REGISTERED" as TOTP token handle And I use "REGISTERED" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
And I'm redirected to "https://home.test.local:8080/" And I'm redirected to "https://home.example.com:8080/"
When I visit "https://admin.test.local:8080/secret.html" When I visit "https://admin.example.com:8080/secret.html"
Then I'm redirected to "https://auth.test.local:8080/error/403" Then I'm redirected to "https://login.example.com:8080/error/403"
And I sleep for 5 seconds And I sleep for 5 seconds
And I'm redirected to "https://home.test.local:8080/" And I'm redirected to "https://home.example.com:8080/"


@ -1,14 +1,14 @@
Feature: Register secret for second factor Feature: Register secret for second factor
Scenario: Register a TOTP secret with correct label and issuer Scenario: Register a TOTP secret with correct label and issuer
Given I visit "https://auth.test.local:8080/" Given I visit "https://login.example.com:8080/"
And I login with user "john" and password "password" And I login with user "john" and password "password"
When I register a TOTP secret called "Sec0" When I register a TOTP secret called "Sec0"
Then the otpauth url has label "john" and issuer "authelia.com" Then the otpauth url has label "john" and issuer "authelia.com"
@needs-totp_issuer-config @needs-totp_issuer-config
Scenario: Register a TOTP secret with correct label and custom issuer Scenario: Register a TOTP secret with correct label and custom issuer
Given I visit "https://auth.test.local:8080/" Given I visit "https://login.example.com:8080/"
And I login with user "john" and password "password" And I login with user "john" and password "password"
When I register a TOTP secret called "Sec0" When I register a TOTP secret called "Sec0"
Then the otpauth url has label "john" and issuer "custom.com" Then the otpauth url has label "john" and issuer "custom.com"


@ -3,7 +3,7 @@ Feature: Authelia regulates authentication to avoid brute force
@need-registered-user-blackhat @need-registered-user-blackhat
Scenario: Attacker tries too many authentication in a short period of time and get banned Scenario: Attacker tries too many authentication in a short period of time and get banned
Given I visit "https://auth.test.local:8080/" Given I visit "https://login.example.com:8080/"
And I set field "username" to "blackhat" And I set field "username" to "blackhat"
And I set field "password" to "bad-password" And I set field "password" to "bad-password"
And I click on "Sign in" And I click on "Sign in"
@ -20,7 +20,7 @@ Feature: Authelia regulates authentication to avoid brute force
@need-registered-user-blackhat @need-registered-user-blackhat
Scenario: User is unbanned after a configured amount of time Scenario: User is unbanned after a configured amount of time
Given I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" Given I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
And I set field "username" to "blackhat" And I set field "username" to "blackhat"
And I set field "password" to "bad-password" And I set field "password" to "bad-password"
And I click on "Sign in" And I click on "Sign in"
@ -36,4 +36,4 @@ Feature: Authelia regulates authentication to avoid brute force
And I click on "Sign in" And I click on "Sign in"
And I use "REGISTERED" as TOTP token handle And I use "REGISTERED" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
Then I'm redirected to "https://public.test.local:8080/secret.html" Then I'm redirected to "https://public.example.com:8080/secret.html"


@ -1,35 +1,35 @@
Feature: User is able to reset his password Feature: User is able to reset his password
Scenario: User is redirected to password reset page Scenario: User is redirected to password reset page
Given I'm on https://auth.test.local:8080 Given I'm on https://login.example.com:8080
When I click on the link "Forgot password?" When I click on the link "Forgot password?"
Then I'm redirected to "https://auth.test.local:8080/password-reset/request" Then I'm redirected to "https://login.example.com:8080/password-reset/request"
Scenario: User get an email with a link to reset password Scenario: User get an email with a link to reset password
Given I'm on https://auth.test.local:8080/password-reset/request Given I'm on https://login.example.com:8080/password-reset/request
When I set field "username" to "james" When I set field "username" to "james"
And I click on "Reset Password" And I click on "Reset Password"
Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password." Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."
Scenario: Request password for unexisting user should behave like existing user Scenario: Request password for unexisting user should behave like existing user
Given I'm on https://auth.test.local:8080/password-reset/request Given I'm on https://login.example.com:8080/password-reset/request
When I set field "username" to "fake_user" When I set field "username" to "fake_user"
And I click on "Reset Password" And I click on "Reset Password"
Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password." Then I get a notification of type "success" with message "An email has been sent to you. Follow the link to change your password."
Scenario: User resets his password Scenario: User resets his password
Given I'm on https://auth.test.local:8080/password-reset/request Given I'm on https://login.example.com:8080/password-reset/request
And I set field "username" to "james" And I set field "username" to "james"
And I click on "Reset Password" And I click on "Reset Password"
When I click on the link of the email When I click on the link of the email
And I set field "password1" to "newpassword" And I set field "password1" to "newpassword"
And I set field "password2" to "newpassword" And I set field "password2" to "newpassword"
And I click on "Reset Password" And I click on "Reset Password"
Then I'm redirected to "https://auth.test.local:8080/" Then I'm redirected to "https://login.example.com:8080/"
Scenario: User does not confirm new password Scenario: User does not confirm new password
Given I'm on https://auth.test.local:8080/password-reset/request Given I'm on https://login.example.com:8080/password-reset/request
And I set field "username" to "james" And I set field "username" to "james"
And I click on "Reset Password" And I click on "Reset Password"
When I click on the link of the email When I click on the link of the email


@ -5,13 +5,13 @@ Feature: Authelia keeps user sessions despite the application restart
When the application restarts When the application restarts
Then I have access to: Then I have access to:
| url | | url |
| https://admin.test.local:8080/secret.html | | https://admin.example.com:8080/secret.html |
@need-registered-user-john @need-registered-user-john
Scenario: Secrets are stored even when Authelia restarts Scenario: Secrets are stored even when Authelia restarts
When the application restarts When the application restarts
And I visit "https://admin.test.local:8080/secret.html" and get redirected "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html" And I visit "https://admin.example.com:8080/secret.html" and get redirected "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
And I login with user "john" and password "password" And I login with user "john" and password "password"
And I use "REGISTERED" as TOTP token handle And I use "REGISTERED" as TOTP token handle
And I click on "Sign in" And I click on "Sign in"
Then I'm redirected to "https://admin.test.local:8080/secret.html" Then I'm redirected to "https://admin.example.com:8080/secret.html"


@ -3,35 +3,35 @@ Feature: Non authenticated users have no access to certain pages
Scenario: Anonymous user has no access to protected pages Scenario: Anonymous user has no access to protected pages
Then I get the following status code when requesting: Then I get the following status code when requesting:
| url | code | method | | url | code | method |
| https://auth.test.local:8080/secondfactor | 401 | GET | | https://login.example.com:8080/secondfactor | 401 | GET |
| https://auth.test.local:8080/secondfactor/u2f/identity/start | 401 | GET | | https://login.example.com:8080/secondfactor/u2f/identity/start | 401 | GET |
| https://auth.test.local:8080/secondfactor/u2f/identity/finish | 401 | GET | | https://login.example.com:8080/secondfactor/u2f/identity/finish | 401 | GET |
| https://auth.test.local:8080/secondfactor/totp/identity/start | 401 | GET | | https://login.example.com:8080/secondfactor/totp/identity/start | 401 | GET |
| https://auth.test.local:8080/secondfactor/totp/identity/finish | 401 | GET | | https://login.example.com:8080/secondfactor/totp/identity/finish | 401 | GET |
| https://auth.test.local:8080/loggedin | 401 | GET | | https://login.example.com:8080/loggedin | 401 | GET |
| https://auth.test.local:8080/api/totp | 401 | POST | | https://login.example.com:8080/api/totp | 401 | POST |
| https://auth.test.local:8080/api/u2f/sign_request | 401 | GET | | https://login.example.com:8080/api/u2f/sign_request | 401 | GET |
| https://auth.test.local:8080/api/u2f/sign | 401 | POST | | https://login.example.com:8080/api/u2f/sign | 401 | POST |
| https://auth.test.local:8080/api/u2f/register_request | 401 | GET | | https://login.example.com:8080/api/u2f/register_request | 401 | GET |
| https://auth.test.local:8080/api/u2f/register | 401 | POST | | https://login.example.com:8080/api/u2f/register | 401 | POST |
@needs-single_factor-config @needs-single_factor-config
@need-registered-user-john @need-registered-user-john
Scenario: User does not have acces to second factor related endpoints when in single factor mode Scenario: User does not have acces to second factor related endpoints when in single factor mode
Given I post "https://auth.test.local:8080/api/firstfactor" with body: Given I post "https://login.example.com:8080/api/firstfactor" with body:
| key | value | | key | value |
| username | john | | username | john |
| password | password | | password | password |
Then I get the following status code when requesting: Then I get the following status code when requesting:
| url | code | method | | url | code | method |
| https://auth.test.local:8080/secondfactor | 401 | GET | | https://login.example.com:8080/secondfactor | 401 | GET |
| https://auth.test.local:8080/secondfactor/u2f/identity/start | 401 | GET | | https://login.example.com:8080/secondfactor/u2f/identity/start | 401 | GET |
| https://auth.test.local:8080/secondfactor/u2f/identity/finish | 401 | GET | | https://login.example.com:8080/secondfactor/u2f/identity/finish | 401 | GET |
| https://auth.test.local:8080/secondfactor/totp/identity/start | 401 | GET | | https://login.example.com:8080/secondfactor/totp/identity/start | 401 | GET |
| https://auth.test.local:8080/secondfactor/totp/identity/finish | 401 | GET | | https://login.example.com:8080/secondfactor/totp/identity/finish | 401 | GET |
| https://auth.test.local:8080/api/totp | 401 | POST | | https://login.example.com:8080/api/totp | 401 | POST |
| https://auth.test.local:8080/api/u2f/sign_request | 401 | GET | | https://login.example.com:8080/api/u2f/sign_request | 401 | GET |
| https://auth.test.local:8080/api/u2f/sign | 401 | POST | | https://login.example.com:8080/api/u2f/sign | 401 | POST |
| https://auth.test.local:8080/api/u2f/register_request | 401 | GET | | https://login.example.com:8080/api/u2f/register_request | 401 | GET |
| https://auth.test.local:8080/api/u2f/register | 401 | POST | | https://login.example.com:8080/api/u2f/register | 401 | POST |


@ -5,20 +5,20 @@ Feature: Session is closed after a certain amount of time
Scenario: An authenticated user is disconnected after a certain inactivity period Scenario: An authenticated user is disconnected after a certain inactivity period
Given I have access to: Given I have access to:
| url | | url |
| https://public.test.local:8080/secret.html | | https://public.example.com:8080/secret.html |
When I sleep for 6 seconds When I sleep for 6 seconds
And I visit "https://public.test.local:8080/secret.html" And I visit "https://public.example.com:8080/secret.html"
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
@need-authenticated-user-john @need-authenticated-user-john
Scenario: An authenticated user is disconnected after session expiration period Scenario: An authenticated user is disconnected after session expiration period
Given I have access to: Given I have access to:
| url | | url |
| https://public.test.local:8080/secret.html | | https://public.example.com:8080/secret.html |
When I sleep for 4 seconds When I sleep for 4 seconds
And I visit "https://public.test.local:8080/secret.html" And I visit "https://public.example.com:8080/secret.html"
And I sleep for 4 seconds And I sleep for 4 seconds
And I visit "https://public.test.local:8080/secret.html" And I visit "https://public.example.com:8080/secret.html"
And I sleep for 4 seconds And I sleep for 4 seconds
And I visit "https://public.test.local:8080/secret.html" And I visit "https://public.example.com:8080/secret.html"
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"


@ -1,15 +1,15 @@
Feature: User can access certain subdomains with single factor Feature: User can access certain subdomains with single factor
Scenario: User is redirected to service after first factor if allowed Scenario: User is redirected to service after first factor if allowed
When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fsingle_factor.test.local%3A8080%2Fsecret.html" When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html"
And I login with user "john" and password "password" And I login with user "john" and password "password"
Then I'm redirected to "https://single_factor.test.local:8080/secret.html" Then I'm redirected to "https://single_factor.example.com:8080/secret.html"
Scenario: Redirection after first factor fails if single_factor not allowed. It redirects user to first factor. Scenario: Redirection after first factor fails if single_factor not allowed. It redirects user to first factor.
When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html" When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
And I login with user "john" and password "password" And I login with user "john" and password "password"
Then I'm redirected to "https://auth.test.local:8080/?redirect=https%3A%2F%2Fadmin.test.local%3A8080%2Fsecret.html" Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
Scenario: User can login using basic authentication Scenario: User can login using basic authentication
When I request "https://single_factor.test.local:8080/secret.html" with username "john" and password "password" using basic authentication When I request "https://single_factor.example.com:8080/secret.html" with username "john" and password "password" using basic authentication
Then I receive the secret page Then I receive the secret page


@ -3,14 +3,14 @@ Feature: Server is configured as a single factor only server
@need-registered-user-john @need-registered-user-john
Scenario: User is redirected to service after first factor if allowed Scenario: User is redirected to service after first factor if allowed
When I visit "https://auth.test.local:8080/?redirect=https%3A%2F%2Fpublic.test.local%3A8080%2Fsecret.html" When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
And I login with user "john" and password "password" And I login with user "john" and password "password"
Then I'm redirected to "https://public.test.local:8080/secret.html" Then I'm redirected to "https://public.example.com:8080/secret.html"
@need-registered-user-john @need-registered-user-john
Scenario: User is correctly redirected according to default redirection URL Scenario: User is correctly redirected according to default redirection URL
When I visit "https://auth.test.local:8080" When I visit "https://login.example.com:8080"
And I login with user "john" and password "password" And I login with user "john" and password "password"
Then I'm redirected to "https://auth.test.local:8080/loggedin" Then I'm redirected to "https://login.example.com:8080/loggedin"
And I sleep for 5 seconds And I sleep for 5 seconds
Then I'm redirected to "https://home.test.local:8080/" Then I'm redirected to "https://home.example.com:8080/"


@ -55,7 +55,9 @@ Cucumber.defineSupportCode(function ({ After, Before }) {
Before({ tags: "@needs-" + tag + "-config", timeout: 20 * 1000 }, function () { Before({ tags: "@needs-" + tag + "-config", timeout: 20 * 1000 }, function () {
return cb() return cb()
.then(function () { .then(function () {
return exec("./scripts/example-commit/dc-example.sh -f docker-compose.test.yml up -d authelia && sleep 1"); return exec("./scripts/example-commit/dc-example.sh -f " +
"./example/authelia/docker-compose.test.yml up -d authelia &&" +
" sleep 1");
}) })
}); });
@ -100,9 +102,9 @@ Cucumber.defineSupportCode(function ({ After, Before }) {
} }
function needAuthenticatedUser(context: any, username: string): BluebirdPromise<void> { function needAuthenticatedUser(context: any, username: string): BluebirdPromise<void> {
return context.visit("https://auth.test.local:8080/logout") return context.visit("https://login.example.com:8080/logout")
.then(function () { .then(function () {
return context.visit("https://auth.test.local:8080/"); return context.visit("https://login.example.com:8080/");
}) })
.then(function () { .then(function () {
return registerUser(context, username); return registerUser(context, username);
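Review bot: The rebuilt exec string in the Before hook still ends the compose command with `&& sleep 1`, so readiness of the restarted authelia container rests on a fixed one-second wait rather than on the service actually accepting connections; with the hook's 20 s timeout there is room to poll the login URL until it answers and only then resolve, which would presumably remove a flake source when the container is slow to start. The three-way string concatenation is also easy to misread — I would hoist the compose file into a named constant and build the command with a template literal, e.g. `const composeFile = "./example/authelia/docker-compose.test.yml";` followed by `return exec(\`./scripts/example-commit/dc-example.sh -f ${composeFile} up -d authelia\`)`, then wait for readiness in the next `.then`. The literal `https://login.example.com:8080` base URL is now repeated in needAuthenticatedUser here and again as `authUrl` in the CustomWorld section below, so a single exported constant for the portal base URL would keep the next domain or port change from touching every step file. The surrounding defineSupportCode callback and the Before hook's `tag`/`cb` bindings begin outside this hunk.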


@ -152,7 +152,7 @@ function CustomWorld() {
this.registerTotpAndSignin = function (username: string, password: string) { this.registerTotpAndSignin = function (username: string, password: string) {
const totpHandle = "HANDLE"; const totpHandle = "HANDLE";
const authUrl = "https://auth.test.local:8080/"; const authUrl = "https://login.example.com:8080/";
const that = this; const that = this;
return this.visit(authUrl) return this.visit(authUrl)
.then(function () { .then(function () {