* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia
* this is in ADDITION to system certs and are trusted by both LDAP and SMTP
* added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS
* remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use
* use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section
* added temporary translations from the old names to the new ones for all deprecated options
* added docs
* updated example configuration
* final deprecations to be done in 4.28.0
* doc updates
* fix misc linting issues
* uniform deprecation notices for ease of final removal
* added additional tests covering previously uncovered areas and the new configuration options
* add non-fatal to certificate loading when system certs could not be loaded
* adjust timeout of Suite ShortTimeouts
* add warnings pusher for the StructValidator
* make the schema suites uninform
* utilize the warnings in the StructValidator
* fix test suite usage for skip_verify
* extract LDAP filter parsing into it's own function to make it possible to test
* test LDAP filter parsing
* update ErrorContainer interface
* add tests to the StructValidator
* add NewTLSConfig test
* move baseDN for users/groups into parsed values
* add tests to cover many of the outstanding areas in LDAP
* add explicit deferred LDAP conn close to UpdatePassword
* add some basic testing to SMTP notifier
* suggestions from code review
* This change provides the TOTP secret which allows users to copy and utilise for password managers and other applications.
* Hide TextField if secret isn't present
* This ensure that the TextField is removed on a page or if there is no secret present.
* Add multiple buttons and set default value to OTP URL
* Remove inline icon and add icons under text field which allow copying of the secret key and the whole OTP URL.
* Fix integration tests
* Add notifications on click for secret buttons
* Also remove autoFocus on TextField so a user can identify that the full OTP URL is in focus.
* [MISC] Refactor and address most errcheck linter ignores
This is mostly a quality of life change.
When we first implemented the errcheck linter we ignored a number of items in our legacy codebase with intent to revisit down the track.
* Handle errors for regulation marks and remove unnecessary logging
* [MISC] Catch OpenLDAP ppolicy error
Further to the discussion over at #361, this change now ensures that OpenLDAP password complexity errors are caught and appropriately handled.
This change also includes the PasswordComplexity test suite in the LDAP integration suite. This is because a ppolicy has been setup and enforced.
* Remove password history for integration tests
* Adjust max failures due to regulation trigger
* Fix error handling for password resets
* Refactor and include code suggestions
* add start_tls config option
* add StartTLS method to the LDAP conn factory and the mock
* implemented use of the StartTLS method when the config is set to true
* add mock unit tests
* add docs
* add TLS min version support
* add tests to tls version method
* fix lint issues
* minor adjustments
* remove SSL3.0
* add tls consts
* deprecate old filter placeholders
* remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993
* make suite ActiveDirectory use StartTLS
* misc adjustments to docs
* suggested changes from code review
* deprecation notice conformity
* add mock test for LDAPS plus StartTLS
This change aims to factorize code introduced in #1467 for webdriver port customisation within the suites.
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
* Added `ActiveDirectory` suite for integration tests with Samba AD
* Updated documentation
* Minor styling refactor to suites
* Clean up LDAP user provisioning
* Fix Authelia home splash to reference correct link for webmail
* Add notification message for password complexity errors
* Add password complexity integration test
* Rename implementation default from rfc to custom
* add specific defaults for LDAP (activedirectory implementation)
* add docs to show the new defaults
* add docs explaining the importance of users filter
* add tests
* update instances of LDAP implementation names to use the new consts where applicable
* made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead
* update config examples due to the new defaults
* apply changes from code review
* replace schema default name from MSAD to ActiveDirectory for consistency
* fix missing default for username_attribute
* replace test raising on empty username attribute with not raising on empty
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
This change will allow us to collect frontend code coverage from our Selenium based integration tests.
Given that the frontend is embedded into the Go binary and the integration tests run with a compiled binary in Docker this poses some issues with the instrumented code and the ability for it to run in this manner. To fix this we need to relax Authelia's CSP for the integration tests. This is achieved by setting the env variable `ENVIRONMENT` to `dev`.
The development workflow expects chromedriver to be run on the host on port 4444.
There is currently no mechanism to modify this behaviour at runtime, so if another service is running on 4444 tests will just fail silently.
This change introduces the `CHROMEDRIVER_PORT` environment variable which can be utilised to set a custom port.
* [MISC] Append log file instead of overwriting
If Authelia is restarted when a `log_file_path` is defined upon restart the log file is overwritten as opposed to appending the existing file.
This change ensures that the log file will be appended to, users will need to ensure that they rotate/truncate this over time especially if running in `debug` or `trace`.
* Amend documentation for log_file_path
* [MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy
Bumps haproxy from 2.2.4-alpine to 2.3.0-alpine.
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
* Fix HAProxy suite
Looks like the new version of HAProxy has config validation which expects a newline at the bottom of `haproxy.cfg`.
CI was failing with the following error:
[NOTICE] 313/021816 (1) : haproxy version is 2.3.0-1c0a722
[ALERT] 313/021816 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:80]: Missing LF on last line, file might have been truncated at position 42.
[ALERT] 313/021816 (1) : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
[ALERT] 313/021816 (1) : Fatal errors found in configuration.
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* [FEATURE] Support updated haproxy-auth-request
This version removes the dependency of lua-socket which seemed to result in many unsupported and broken BSD/Pfsense deployments.
* Fix docs indentation
* Add haproxy-lua-http to TLS enabled configuration
* [MISC] Storage Schema Versioning Model
* fixup go.sum
* remove pq
* fix int to text issue
* fix incorrect SQL text
* use key_name vs key
* use transactions for all queries during upgrades
* fix missing parenthesis
* move upgrades to their own file
* add provider name for future usage in upgrades
* fix missing create config table values
* fix using the const instead of the provider SQL
* import logging once and reuse
* update docs
* remove db at suite teardown
* apply suggestions from code review
* fix mysql
* make errors more uniform
* style changes
* remove commented code sections
* remove commented code sections
* add schema version type
* add sql mock unit tests
* go mod tidy
* test blank row situations
* [MISC] Template global config and refactor some /api endpoints
* /api/configuration has been removed in favour of templating said global config
* /api/configuration/extended has been renamed to /api/configuration and display_name has been removed
* /api/user/info has been modified to include display_name
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
* [FEATURE] Add configurable display name to frontend
This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting.
Similarly for the file based backend a new required key "name" has been introduced.
This can also be used down the line with OIDC as a separate scope.
* Update references from Name to DisplayName
* Update compose bundles to include displayname refs
* Update LDAP automatic profile refresh
* Ensure display name is updated
* Fix bug which prevented trace logging for profile refresh to not trigger
* [FEATURE] Docker simplification and configuration generation
The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template.
This will allow more seamless bootstrapping of an environment no matter the deployment method.
We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment.
Users with the old volume mappings have two options:
1. Change their mappings to conform to `/config`
2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping
* Adjust paths relative to `/etc/authelia` and simplify to single volume for compose
* Add generation for file backend based user database
* Refactor Docker volumes and paths to /config
* Refactor Docker WORKDIR to /app
* Fix integration tests
* Update BREAKING.md for v4.20.0
* Run go mod tidy
* Fix log_file_path in miscellaneous.md docs
* Generate config and userdb with 0600 permissions
* Fix log_file_path in config.template.yml
* [CI] Add Codecov support
* [CI] Capture backend coverage from integration tests
* [CI] Remove unnecessary artifacts for coverage build
* [CI] Only run coverage elements where necessary
* [CI] Simplify post-command hook
* Fix yarn dependencies and collect coverage
* [CI] Include cmd/authelia/ path in coverage
* [CI] Exclude internal/suites/ in coverage
Closes#1061.
* [DEV] Debug authelia when running a suite.
This runs dlv debugger within authelia backend container so that an IDE can remote
debug the application using port 2345.
* Apply suggestions from code review
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Add a suite for testing the PathPrefix feature implemented earlier to serve authelia under a multi-purpose domain.
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
* [MISC] Remove executable permission of nginx backend files.
* Set permissions to 644 on k8s tar'd files
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* [DEV] Fix permission issue with dev workflow.
nginx backend was facing permission denied errors because the permissions of the html
files were too restricted. Moreover those files were added to the docker image while they
could just be mounted as other services.
* Fix Kubernetes integration test
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* adaptively delay 1FA by the actual execution time of authentication
* should grow and shrink over time as successful attempts are made
* uses the average of the last 10 successful attempts to calculate
* starts at an average of 1000ms
* minimum is 250ms
* a random delay is added to the largest of avg or minimum
* the random delay is between 0ms and 85ms
* bump LDAP suite to 80s timeout
* bump regulation scenario to 45s
* add mutex locking
* amend logging
* add docs
* add tests
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
* Fix dev workflow.
* Fix dev workflow.
* Cover Remote-User and Remote-Groups using Traefik.
* Cover Remote-User and Remote-Groups using HAProxy.
* Fix redirection after unauthorized response when using HAProxy.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* [FEATURE] Embed static assets in Go binary
* Refactor/consolidate code and specify public_html via configuration
* Update docs and config template for assets
* Update AUR package pre-requisites and systemd unit
* Include static assets as Buildkite and GitHub artifacts
* Remove references to PUBLIC_DIR
* Only serve assets via embedded filesystem and remove configuration references
* Update authelia-scripts helper to build the embedded filesystem
* Mock the embedded filesystem for unit tests
Add to gitignore to ensure this isn't overwritten.
* Move go:generate to satisfy linter
* [MISC] Ignore errcheck recommendations for legacy code
Some of this is likely intended to stay how it is, some could use refactoring, for now we will mark is and ignore it from the linter to be potentially addressed in the future.
* [MISC] Ensure files are gofmt-ed
* implement SMTP notifier startup check
* check dial, starttls, auth, mail from, rcpt to, reset, and quit
* log the error on failure
* implement mock
* misc optimizations, adjustments, and refactoring
* implement validate_skip config option
* fix comments to end with period
* fix suites that used smtp notifier without a smtp container
* add docs
* add file notifier startup check
* move file mode into const.go
* disable gosec linting on insecureskipverify since it's intended, warned, and discouraged
* minor PR commentary adjustment
* apply suggestions from code review
Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
CSP is used to avoid some attacks where the hacker tries to execute
untrusted code in the browser.
The policy is to use assets hosted on the the original website and in order to make CSP work with material UI, a nonce is generated at each request of index.html and injected in the template as well as provided in the Content-Security-Policy header (https://material-ui.com/styles/advanced/#how-does-one-implement-csp)
Fix#815
* [BUGFIX] Fix dev workflow by using TLS for all suites.
* Fix traefik 1.x and 2.x suites.
* Display authelia logs on suite failure.
* Fix HAProxy suite.
* Extend timeout of test case.
* Display current URL in verify assertion.
* fix doLoginTwoFactor by adding a timeout
* when doLoginTwoFactor is used with blank target and a protected domain is quickly visited authelia sometimes redirects back to the portal
* fix by adding one second timeout
* bump go version to 1.14.2
* Fix Kube suite and bump dashboard.
* Update dist authelia-frontend to proxy_pass with variable
* Apply suggestions from code review
Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
* Apply suggestions from code review
Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
* Remove debug logs since it's polluting logs.
Also set timeout back to 5 seconds in HA suite.
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
#767 added an interactive tty to the authelia-frontend server due toe a bump in react-scripts, this in turn consumes all logging and pages on a failure and made it difficult to interact with within the dev workflow.
The tty has been replaced with an open stdin as this also satisfies the react-scripts requirement.
This change also ignores the web directory in the reflex script to avoid errors and long start-ups in the authelia-frontend container.
Since the TLS change was implemented, the Standalone suite attempts to reach authelia-frontend:3001. This only works for the dist/CI based workflow as nginx is run in place of node and the respective ports are exposed.
This change will attempt authelia-frontend:3001 initially for the Standalone suite but given the server is unreachable in the dev workflow, it will mark authelia-frontend:3001 as unavailable for 180s and route all requests to authelia-frontend:3000 instead.
* added regulation validator
* made regulations find_time and ban_time values duration notation strings
* added DefaultRegulationConfiguration for the validator
* made session expiration and inactivity values duration notation strings
* TOTP period does not need to be converted because adjustment should be discouraged
* moved TOTP defaults to DefaultTOTPConfiguration and removed the consts
* arranged the root config validator in configuration file order
* adjusted tests for the changes
* moved duration notation docs to root of configuration
* added references to duration notation where applicable
* project wide gofmt and goimports:
* run gofmt
* run goimports -local github.com/authelia/authelia -w on all files
* Make jwt_secret error uniform and add tests
* now at 100% coverage for internal/configuration/validator/configuration.go
* [FEATURE] Remember Me Configuration
* allow users to specify the duration of remember me using remember_me_duration in session config
* setting the duration to 0 disables remember me
* only render the remember me element if remember me is enabled
* prevent malicious users from faking remember me functionality in the backend
* add string to duration helper called ParseDurationString to parse a string into a duration
* added tests to the helper function
* use the SessionProvider to store the time.Duration instead of parsing it over and over again
* add sec doc, adjust month/min, consistency
* renamed internal/utils/constants.go to internal/utils/const.go to be consistent
* added security measure docs
* adjusted default remember me duration to be 1 month instead of 1 year
* utilize default remember me duration in the autheliaCtx mock
* adjust order of keys in session configuration examples
* add notes on session security measures secret only being redis
* add TODO items for duration notation for both Expiration and Inactivity (will be removed soon)
* fix error text for Inactivity in the validator
* add session validator tests
* deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY)
* remove unnecessary regex for the simplified ParseDurationString utility
* ParseDurationString only accepts decimals without leading zeros now
* comprehensively test all unit types
* remove unnecessary type unions in web
* add test to check sanity of time duration consts, this is just so they can't be accidentally changed
* simplify deref check and assignment
* fix reset password padding/margins
* adjust some doc wording
* adjust the handler configuration suite test
* actually run the handler configuration suite test (whoops)
* reduce the number of regex's used by ParseDurationString to 1, thanks to Clement
* adjust some error wording
* [FEATURE] Autofocus on authentication and OTP pages
This change sets the input focus on the first factor authentication and OTP pages.
The behaviour for the first factor authentication page has also been amended slightly, if an incorrect username or password is provided the password field will be cleared and set as the focus.
One thing to note is that the OTP page does not focus on any re-rendering and this is because the component doesn't handle focusing. This means that the OTP input only is auto-focused when you first visit it, if you enter an incorrect OTP there will be no focus.
Ideally we should be looking for a different library or writing a component for this ourselves in future.
Closes#511.
* Add TODO markers for potential refactor
* [FEATURE][BREAKING] Allow users to sign in with email.
The users_filter purpose evolved with the introduction of username_attribute
but is reverted here to allow the most flexibility. users_filter is now the
actual filter used for searching the user and not a sub-filter based on the
username_attribute anymore.
* {input} placeholder has been introduced to later deprecate {0} which has been
kept for backward compatibility.
* {username_attribute} and {mail_attribute} are new placeholders used to back
reference other configuration options.
Fix#735
* [MISC] Introduce new placeholders for groups_filter too.
* [MISC] Update BREAKING.md to mention the change regarding users_filter.
* [MISC] Fix unit and integration tests.
* Log an error message in console when U2F is not supported.
* Apply suggestions from code review
* Update BREAKING.md
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
The latest react-scripts bumps broke the startup of the authelia-frontend
container because the new version of react-scripts behaves differently when
the container is spawned with a pseudo-tty and when there is not.
This aligns the search filter escaping to [RFC4515](https://tools.ietf.org/search/rfc4515).
`base.ldif` has also been updated to be a closer match to RFC 2307.
* [BUGFIX] Set username retrieved from authentication backend in session.
In some setups, binding is case insensitive but Authelia is case
sensitive and therefore need the actual username as stored in the
authentication backend in order for Authelia to work correctly.
Fixes#561.
* Use uid attribute as unique user identifier in suites.
* Fix the integration tests.
* Update config.template.yml
* Compute user filter based on username attribute and users_filter.
The filter provided in users_filter is now combined with a filter
based on the username attribute to perform the LDAP search query
finding a user object from the username.
* Fix LDAP based integration tests.
* Update `users_filter` reference examples
* [FEATURE] Support writing logs in a file.
* Add documentation about logs file path.
* Rename logs_level and logs_file_path into log_level and log_file_path.
* Update BREAKING.md
Fixes#338
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* [MISC] Update Golang and QEMU to v1.14.0 and v4.2.0-6 respectively
* Argon2id memory in MB for Config Template
* Doc Fix
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
When no rule is set to two_factor in ACL configuration, 2FA is
considered disabled. Therefore, when a user cannot be redirected
correctly because no target URL is provided or the URL is unsafe,
the user is either redirected to the default URL or to the
'already authenticated' view instead of the second factor view.
Fixes#683
* [FEATURE] Add TLS support.
Fixes#368.
* [FEATURE] Introduce OnError hook in suites.
This hook allows to perform actions following an erroneous suite
like displaying the logs of Authelia.
* Display Authelia logs of Standalone suite when tests fail.
* Fix Standalone suite.
* Apply suggestions from code review
* Rename ssl_key and ssl_cert into tls_key and tls_cert.
* Redirect to default URL after 1FA when default policy is one_factor.
User is now redirected to the default redirection URL after 1FA if
the default policy is set to one_factor and there is no target URL
or if the target URL is unsafe.
Also, if the default policy is set to one_factor and the user is already
authenticated, if she visits the login portal, the 'already authenticated'
view is displayed with a logout button.
This fixes#581.
* Update users.yml
* Fix permissions issue causing suite test failure
* Remove unused mongo docker-compose file.
* Default redirection URL was not taken into account.
* Fix possible storage options in config template.
* Remove useless checks in u2f registration endpoints.
* Add default redirection url in config of duo suite.
* Fix log line in response handler of 2FA methods.
* Fix integration tests.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
This reduce the size of the docker image and avoid confusing users.
We keep the commands in authelia-scripts too in order to keep the
current workflow of developers.
* Update Traefik 1.x to v1.7.20 for integration tests
* Add suite for Traefik 2.x
* Refactor Traefik2 suite to utilise Docker labels
* Move Traefik2 middleware definition to a file based provider
* Expose Traefik2 dashboard
The API/Dashboard can be reached at https://traefik.example.com:8080/
* Move Traefik frontend/backend definitions to Docker labels
* Move Traefik2 router/service definitions to Docker labels
* Normalise all Traefik configuration via labels and commands
When the the middleware issue with Traefik 2.x (#476) is resolved this means all Traefik related configuration can be self-contained within the respective docker-compose.yml files.
* Define ports for Authelia frontend/backend services
* Adjust Traefik2 suite to new dev workflow
* Normalise all Traefik2 middlewares via labels
* Fix typo in middleware and comment labels specifying Traefik version
* Encode URL set to rd parameter.
URL encoding that parameter solves PR #476.
Some URL parameters set during redirection were magically disappearing
after the redirection due to the authentication process. By using URL encoding,
those parameters should not be stripped anymore.
* Fix integration tests.
Instead of checking the value of the cookie expiration we rely
on the boolean stored in the user session to check whether inactivity
timeout should be disabled.
* Build docker image upfront in CI and use it in integration tests.
Previously, the development workflow was broken because the container
generated from Dockerfile.CI was used in dev environments but the binary
was not pre-built as it is on buildkite. I propose to just remove that
image and use the "to be published" image instead in integration tests.
This will have several advantages:
- Fix the dev workflow.
- Remove CI arch from authelia-scripts build command
- Optimize CI time in buildkite since we'll cache a way small artifact
- We don't build authelia more than once for earch arch.
* Fix suites and only build ARM images on master or tagged commits
* Optimise pipeline dependencies and Kubernetes suite to utilise cache
* Run unit tests and docker image build in parallel.
* Fix suite trying to write on read only fs.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* Remove Travis and promote Buildkite
* Add Docker Size badge to README.md
* Call MicroBadger webhook to update metadata for shields
Add updateMicroBadger function and refactor publishDockerReadme to be called explicitly instead of on every deployManifest call.
- Adjust AUTH LOGIN functionality to be closer to AUTH PLAIN
- Removed: secure (notifier smtp conf) boolean string
- Added: disable_verify_cert (notifier smtp conf) boolean
- disables X509 validation of certificates
- Added: disable_require_tls (notifier smtp conf) boolean
- allows emails to be sent over plain text (for non-authenticated only)
- Added: trusted_cert (notifier smtp conf) string (path)
- allows specifying the path of a PEM format cert to add to trusted cert pool
- Make SMTP notifier return errors on connection over plain text
- Make SMTP notifier return errors on TLS connection with invalid certs
- Implemented various debug logging for the SMTP notifier
- Implemented explicit SMTP closes on errors (previously left con open)
- Split SMTPNotifier Send func to seperate funcs for:
- writing future test suites and startup checks more easily
- organization and readability
- Add details of changes to docs/security.yml
- Adjust config.yml's (template and test) for the changes
Providing a GA tracking ID allows administrators to analyze
how the portal is used by their users in large environments,
i.e., with many users.
This will make even more sense when we have users and admins
management interfaces.
When a user use Authelia for the first time no device is enrolled in DB.
Now we test that the user does see the "not registered" message when
no device is enrolled and see the standard 2FA method when a device is
already enrolled.