Commit Graph

115 Commits (0e206660ef2a047b2869f88c4c0cebac2d3a8d71)

Author SHA1 Message Date
Amir Zarrinkafsh ff7f9a50ab
[FEATURE] Docker simplification and configuration generation (#1113)
* [FEATURE] Docker simplification and configuration generation
The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template.

This will allow more seamless bootstrapping of an environment no matter the deployment method.

We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment.

Users with the old volume mappings have two options:
1. Change their mappings to conform to `/config`
2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping

* Adjust paths relative to `/etc/authelia` and simplify to single volume for compose
* Add generation for file backend based user database
* Refactor Docker volumes and paths to /config
* Refactor Docker WORKDIR to /app
* Fix integration tests
* Update BREAKING.md for v4.20.0
* Run go mod tidy
* Fix log_file_path in miscellaneous.md docs
* Generate config and userdb with 0600 permissions
* Fix log_file_path in config.template.yml
2020-06-17 16:25:35 +10:00
Amir Zarrinkafsh 2b8acb1a0b
[DOCS] Fix link for K8s setup (#1110) 2020-06-11 16:02:50 +10:00
Clement Michaud 1a1f86adf9
[DOCS] Main logo redirects to root of www.authelia.com. 2020-06-10 22:25:40 +02:00
Clement Michaud 5fc54be078
[DOCS] Try to remove url from docs config. 2020-06-10 21:24:36 +02:00
Clement Michaud fa0c27edea
[DOCS] Add trailing slash in baseurl of documentation. 2020-06-10 21:20:21 +02:00
Clement Michaud 7d4bbd7cea
Serve docs under www.authelia.com/docs. 2020-06-10 21:08:06 +02:00
Clément Michaud b68ed06a0b
[MISC] Configure docs to be served under /docs base url. (#1105) 2020-06-10 21:00:49 +02:00
Clément Michaud 2c0fa811a2
[DOCS] Improve documentation around Remote-User and Remote-Groups usage. (#1091)
* [DOCS] Improve documentation around Remote-User and Remote-Groups usage.

* Update docs/deployment/supported-proxies/index.md

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-06-08 17:17:24 +10:00
Clément Michaud 17f9ab3371
[DOCS] Add google analytics tracking to the documentation. (#1093)
This will allow us to analyze how the documentation is used in order to improve it
accordingly.
2020-06-08 00:44:40 +02:00
Clément Michaud 945eb4a8bf
[DOCS] Add fork me on github ribbon to documentation. (#1081)
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-06-04 13:37:19 +10:00
Clément Michaud d6bea97a93
[DOCS] Add a roadmap section to the documentation. (#1062)
* [DOCS] Add a roadmap section to the documentation.

Adding the roadmap will likely help people figure out what are the next big
topics that might be missing for them to take the leap and use Authelia.
Maybe some users are also waiting for a feature to unlock some use cases.

* Apply suggestions from code review

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-06-01 16:55:58 +10:00
dependabot-preview[bot] 15abe5053a
[MISC] (deps): Bump github-pages and jekyll in /docs (#1051)
Bumps [github-pages](https://github.com/github/pages-gem) and [jekyll](https://github.com/jekyll/jekyll). These dependencies needed to be updated together.

Updates `github-pages` from 204 to 206
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v204...v206)

Updates `jekyll` from 3.8.5 to 3.8.7
- [Release notes](https://github.com/jekyll/jekyll/releases)
- [Changelog](https://github.com/jekyll/jekyll/blob/master/History.markdown)
- [Commits](https://github.com/jekyll/jekyll/compare/v3.8.5...v3.8.7)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-05-26 09:39:54 +10:00
Amir Zarrinkafsh 08d412ece8
[DOCS] Add FAQs to Traefik2 (#1038)
Closes #997.
2020-05-21 16:48:54 +02:00
James Elliott fcd0b5e46a
[FEATURE] Allow Authelia to listen on a specified path (#1027)
* [FEATURE] Allow Authelia to listen on a specified path

* Fix linting and add a couple typescript types

* Template index.html to support base_url

* Update docs and configuration template

* Access base path from body attribute.

* Update CSP

* Fix unit test
Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful.

* Template index.html with ${PUBLIC_URL}

* Define PUBLIC_URL in .env(s)

* Add docs clarification

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 12:20:55 +10:00
James Elliott 469daedd36
[FEATURE] Delay 1FA Authentication (#993)
* adaptively delay 1FA by the actual execution time of authentication
* should grow and shrink over time as successful attempts are made
* uses the average of the last 10 successful attempts to calculate
* starts at an average of 1000ms
* minimum is 250ms
* a random delay is added to the largest of avg or minimum
* the random delay is between 0ms and 85ms
* bump LDAP suite to 80s timeout
* bump regulation scenario to 45s
* add mutex locking
* amend logging
* add docs
* add tests

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-21 00:03:15 +02:00
dependabot-preview[bot] 41bbb73e9d
[MISC] (deps): [Security] Bump activesupport in /docs (#1030)
Bumps [activesupport](https://github.com/rails/rails) from 6.0.2.1 to 6.0.3.1. **This update includes a security fix.**
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v6.0.3.1/activesupport/CHANGELOG.md)
- [Commits](https://github.com/rails/rails/compare/v6.0.2.1...v6.0.3.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-05-19 08:24:24 +10:00
Clément Michaud fe5ebfb75a
[FEATURE] Bump to fasthttp/session/v2 to support redis unix socket. (#1001)
* [FEATURE] Bump to fasthttp/session/v2 to support redis unix socket.

* Fix lint issues.

* Remove v1 import and fix double import.

* [DOCS] Document use of redis unix socket.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-18 12:45:47 +10:00
James Elliott a4cf2e675f
[DEPRECATE] Remove Google Analytics (#1021)
* it doesn't work with our current CSP
* it's probably not used by anyone
* it isn't in harmony with our security purposes
* literally removes all use of it
* suggestions from code review
* remove useless test.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-16 09:41:42 +10:00
James Elliott 73bd2e4479
[FIX] Hash Password Cmd Not Encoding Provided Salt (#999)
* using authelia hash-password if you provide a salt it doesn't encode it as a base64 string
* this causes invalid salts to be stored if a user manually provided one instead of reliance on the automatic generation
* additionally bumped the minimum required salt length to 8 as per reference spec
* additionally removed the maximum salt length as per reference spec (actually 2^32-1 per int32)
* see docs:
  * https://tools.ietf.org/html/draft-irtf-cfrg-argon2-10
  * https://github.com/P-H-C/phc-winner-argon2
  * https://github.com/P-H-C/phc-string-format
* encode all salts
* fix edge case of false positive in CheckPassword
* bump crypt version and fix tests
2020-05-14 15:55:03 +10:00
Amir Zarrinkafsh 561a3f551c
[DOCS] Fix typos in proxy examples (#1015)
Also include global http -> https redirection in Traefik 2.x example.
2020-05-14 13:26:52 +10:00
Clément Michaud 85933dd25d
Document future possibility to use alternative 1FA methods. (#1000) 2020-05-10 07:46:28 +10:00
James Elliott 9e7947a193
[DEPRECATE] Environment Variable Secrets (#905)
* remove ENV usages
* fix reader unit tests
* fix standalone suite
* fix k8s suite
* apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-08 11:01:57 +10:00
James Elliott 3f374534ab
[FEATURE] Automatic Profile Refresh - LDAP (#912)
* [FIX] LDAP Not Checking for Updated Groups

* refactor handlers verifyFromSessionCookie
* refactor authorizer selectMatchingObjectRules
* refactor authorizer isDomainMatching
* add authorizer URLHasGroupSubjects method
* add user provider ProviderType method
* update tests
* check for new LDAP groups and update session when:
  * user provider type is LDAP
  * authorization is forbidden
  * URL has rule with group subjects

* Implement Refresh Interval

* add default values for LDAP user provider
* add default for refresh interval
* add schema validator for refresh interval
* add various tests
* rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong
* use Authelia ctx clock
* add check to determine if user is deleted, if so destroy the
* make ldap user not found error a const
* implement GetRefreshSettings in mock

* Use user not found const with FileProvider
* comment exports

* use ctx.Clock instead of time pkg

* add debug logging

* use ptr to reference userSession so we don't have to retrieve it again

* add documenation
* add check for 0 refresh interval to reduce CPU cost
* remove badly copied debug msg

* add group change delta message

* add SliceStringDelta
* refactor ldap refresh to use the new func

* improve delta add/remove log message

* fix incorrect logic in SliceStringDelta
* add tests to SliceStringDelta

* add always config option
* add tests for always config option
* update docs

* apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* complete mocks and fix an old one
* show warning when LDAP details failed to update for an unknown reason

* golint fix

* actually fix existing mocks

* use mocks for LDAP refresh testing

* use mocks for LDAP refresh testing for both added and removed groups

* use test mock to verify disabled refresh behaviour
* add information to threat model
* add time const for default Unix() value

* misc adjustments to mocks

* Suggestions from code review

* requested changes
* update emails
* docs updates
* test updates
* misc

* golint fix

* set debug for dev testing

* misc docs and logging updates

* misc grammar/spelling

* use built function for VerifyGet

* fix reviewdog suggestions

* requested changes

* Apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-04 21:39:25 +02:00
Clément Michaud da5c722cf8
[DOCS] Introduce an FAQ and document forwarded authentication. (#962)
* add FAQ docs section
* add forwarded authentication section to deployments > supported proxies
* apply suggestions from code review

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-03 13:18:13 +10:00
Amir Zarrinkafsh 310c5dc09b
[DOCS] Harmonize Remote-User and Remote-Groups headers in nginx example (#963)
Fixes #957.

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-02 17:10:26 +02:00
Amir Zarrinkafsh 6d8f45513f
[DOCS] Update secrets examples for Docker Compose (#948)
* [DOCS] Update secrets examples for Docker Compose

* Fix typo

* Include examples for Docker Secrets and bind mounted secret files
2020-05-01 16:58:40 +10:00
James Elliott c9e8a924e0
[FEATURE] Buffer size configuration and additional http error handling (#944)
* implement read buffer size config option
* implement write buffer size config option
* implement fasthttp ErrorHandler so we can log errors to Authelia as well
* add struct/schema validation
* add default value
* add docs
* add config key to validator
* refactoring
* apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 12:03:05 +10:00
Dimitris Zervas c9efae05ad
[DOCS] Add jira auto-login with http headers documentation (#868)
* Add jira auto-login with http headers documentation

* Update two-factor-basic-auth.md

* Create using-remote-user-header-for-sso-with-jira.md
2020-04-29 12:34:05 +10:00
Amir Zarrinkafsh f8bd506326
[FEATURE] Embed static assets in Go binary (#916)
* [FEATURE] Embed static assets in Go binary

* Refactor/consolidate code and specify public_html via configuration

* Update docs and config template for assets

* Update AUR package pre-requisites and systemd unit

* Include static assets as Buildkite and GitHub artifacts

* Remove references to PUBLIC_DIR

* Only serve assets via embedded filesystem and remove configuration references

* Update authelia-scripts helper to build the embedded filesystem

* Mock the embedded filesystem for unit tests
Add to gitignore to ensure this isn't overwritten.

* Move go:generate to satisfy linter
2020-04-29 00:07:20 +10:00
Amir Zarrinkafsh ff2df8b039
[DOCS] Fix HAProxy typo (#937) 2020-04-28 21:00:10 +10:00
Amir Zarrinkafsh 69859aa5d4
[DOCS] Update HAProxy code syntax style (#936) 2020-04-28 20:53:06 +10:00
Amir Zarrinkafsh dca8a5343a
[DOCS] Update proxy integration example for HAProxy (#935)
* [DOCS] Update proxy integration example for HAProxy

* Minor style tweak

* Update haproxy.md

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-04-28 19:17:45 +10:00
Clément Michaud 1b8dccb806
Fix broken link in threat model. (#908) 2020-04-24 07:18:16 +10:00
Clément Michaud a3721b69ce
Add mention about TLS support in threat model. (#907)
* Add mention about TLS support in threat model.

* Try to fix title rendering.
2020-04-23 22:59:04 +02:00
James Elliott c1ac25a15b
[FEATURE] Config Validation (#901)
* [FEATURE] Config Validation

* check configuration for invalid keys on startup
* allow users to manually trigger all configuration validation on a file using a cmd
* setup all defaults in config template and run tests against it to prevent accidents
* use tests to check bad configuration values are caught
* use tests to check old configuration values are caught
* add tests for specific key errors
* resolve merge conflicts
* nolint prealloc for test
2020-04-23 11:47:27 +10:00
James Elliott b9fb33d806
[FEATURE] File Secrets (#896)
* [FEATURE] File Secret Loading

* add a validator for secrets
* run the secrets validator before the main config validator
* only allow a secret to be defined in one of: config, env, file env
* remove LF if found in file
* update configuration before main config validation
* fix unit tests
* implement secret testing
* refactor the secrets validator
* make check os agnostic
* update docs
* add warning when user attempts to use ENV instead of ENV file
* discourage ENV in docs
* update config template
* oxford comma
* apply suggestions from code review
* rename Validate to ValidateConfiguration
* add k8s example
* add deprecation notice in docs and warning
* style changes
2020-04-23 11:11:32 +10:00
James Elliott 9e9dee43ac
[FEATURE] Notifier Startup Checks (#889)
* implement SMTP notifier startup check
* check dial, starttls, auth, mail from, rcpt to, reset, and quit
* log the error on failure
* implement mock
* misc optimizations, adjustments, and refactoring
* implement validate_skip config option
* fix comments to end with period
* fix suites that used smtp notifier without a smtp container
* add docs
* add file notifier startup check
* move file mode into const.go
* disable gosec linting on insecureskipverify since it's intended, warned, and discouraged
* minor PR commentary adjustment
* apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-21 14:59:38 +10:00
Clément Michaud e7f18377f4
[DOCS] Add threat model documentation under security section. (#872)
* [DOCS] Add threat model documentation under security section.

* Update docs/security/threat-model.md

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-16 18:12:41 +10:00
Dustin Sweigart 951dc71325
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869)
* added support for listing multiple domains and multiple subjects

* updated documentation to show use of multiple domains and subjects

* updated config.template.yml to display multiple domains as a list

* updated config.template.yml to display multiple subjects as a list

* updated docs/configuration/access-control.md to display multiple domains as a list

* updated docs/configuration/access-control.md to display multiple subjects as a list

* removed redundant check that always returned true

* Commentary definition for `weak`
2020-04-16 10:18:11 +10:00
Clément Michaud c5e614c86b
[DOCS] Improve documentation about users unique identifier. (#871)
Following discussion in #865.
2020-04-16 09:46:51 +10:00
James Elliott 92084bc5b2
[MISC] Add http debug routes (#848)
* [MISC] Add debug endpoints to Authelia

* enabled only with trace logging
* allows go tool pprof usage when enabled
* enables both the expvarhandler and pprofhandler from fasthttp
* simplify tls/non-tls listen and serve
* make it easy to define custom settings of the fasthttp server in the future
* make name param optional
* add note about the trace setting in the documentation
2020-04-11 14:59:58 +10:00
James Elliott b0b3d61954
[DOCS] Adjust yaml snippets and misc adjustments (#855)
* [DOCS] Adjust yaml snippets

* use two spaces
* use yaml syntax highlighting
* other misc uniformity changes
* fix misc grammar
* add responsible disclosure link

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-11 14:46:07 +10:00
James Elliott b3ce7fc379
[BUGFIX] Password hashing schema map mismatch with docs (#852)
* add a nolint for gosec 'possibly hardcoded password' that was incorrect
* make all parameters consistent
* update the docs for the correct key name 'password' instead of 'password_options' or 'password_hashing'
* reword some of the docs
* apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-11 13:54:18 +10:00
Sohalt 653c1ad815
[DOCS] Fix typo in the template and docs for Postgres (#853)
* update config.template.yml
* update postgres documentation
2020-04-11 12:38:57 +10:00
Amir Zarrinkafsh 76e8142032
[DOCS] Add Remote-User and Remote-Groups headers to Traefik docs and examples (#849) 2020-04-11 11:49:54 +10:00
James Elliott bb1158b91e
[DOCS] Fix Password Hashing Example Spacing (#847) 2020-04-10 10:08:42 +10:00
James Elliott 2fed503e5e
[FEATURE] Customizable Email Subject (#830)
* [FEATURE] Customizable Email Subject

* allow users to optionally change email subject
* this is so they can more easily communicate the source of the email

* Update docs/configuration/notifier/smtp.md

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-09 10:21:28 +10:00
James Elliott 8aade7f40e
[MISC] Update durations to notation format and housekeeping (#824)
* added regulation validator
* made regulations find_time and ban_time values duration notation strings
* added DefaultRegulationConfiguration for the validator
* made session expiration and inactivity values duration notation strings
* TOTP period does not need to be converted because adjustment should be discouraged
* moved TOTP defaults to DefaultTOTPConfiguration and removed the consts
* arranged the root config validator in configuration file order
* adjusted tests for the changes
* moved duration notation docs to root of configuration
* added references to duration notation where applicable
* project wide gofmt and goimports:
* run gofmt
* run goimports -local github.com/authelia/authelia -w on all files
* Make jwt_secret error uniform and add tests
* now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 22:37:21 +10:00
James Elliott 9800421b88
[FEATURE] Disable Reset Password (#823)
* [FEATURE] Disable Reset Password
* add configuration key to authentication_backend called disable_reset_password
* disable_reset_password prevents the API handler for the functionality and the UI element
* disable_reset_password is a boolean
* adjust RememberMeEnabled to be RememberMe instead as it's just unnecessary
* add docs for security measures and in the authentication docs
* updated config.template.yml
* add flexEnd style to align reset password when remember me disabled
* add todo items for ldap user/password validation relating to this
2020-04-05 09:28:09 +10:00
James Elliott 626f5d2949
[FEATURE] Remember Me Configuration (#813)
* [FEATURE] Remember Me Configuration
* allow users to specify the duration of remember me using remember_me_duration in session config
* setting the duration to 0 disables remember me
* only render the remember me element if remember me is enabled
* prevent malicious users from faking remember me functionality in the backend
* add string to duration helper called ParseDurationString to parse a string into a duration
* added tests to the helper function
* use the SessionProvider to store the time.Duration instead of parsing it over and over again
* add sec doc, adjust month/min, consistency
* renamed internal/utils/constants.go to internal/utils/const.go to be consistent
* added security measure docs
* adjusted default remember me duration to be 1 month instead of 1 year
* utilize default remember me duration in the autheliaCtx mock
* adjust order of keys in session configuration examples
* add notes on session security measures secret only being redis 
* add TODO items for duration notation for both Expiration and Inactivity (will be removed soon)
* fix error text for Inactivity in the validator 
* add session validator tests
* deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY)
* remove unnecessary regex for the simplified ParseDurationString utility
* ParseDurationString only accepts decimals without leading zeros now
* comprehensively test all unit types
* remove unnecessary type unions in web
* add test to check sanity of time duration consts, this is just so they can't be accidentally changed
* simplify deref check and assignment
* fix reset password padding/margins
* adjust some doc wording
* adjust the handler configuration suite test
* actually run the handler configuration suite test (whoops)
* reduce the number of regex's used by ParseDurationString to 1, thanks to Clement
* adjust some error wording
2020-04-04 10:11:33 +11:00