Commit Graph

175 Commits (2b75e9840231f441c7927e8a301683c11d321eb5)

Author SHA1 Message Date
James Elliott a44f0cf959
fix: redis sentinel secret missing (#1839)
* fix: redis sentinel secret missing

* refactor: use consts for authentication_backend.file.password errs

* fix: unit test for new default port

* test: cover additional misses

* test: fix windows/linux specific test error

* test: more windows specific tests

* test: remove superfluous url.IsAbs

* test: validator 100% coverage
2021-03-22 20:04:09 +11:00
Amir Zarrinkafsh 66b010cb59
docs: fix haproxy examples for /api/verify?auth=basic (#1835)
The previous examples did not appropriately pass through the WWW-Authenticate header and 401 when the user was unauthenticated therefore not resulting in a basic auth login prompt.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-03-18 19:56:08 +11:00
James Elliott 1a43ca7b8a
docs(authorization): document changed resources behavior (#1819)
I missed documenting this change, but prior to 4.27.0 the query param was never considered when matching resources. But that's no longer the case.

Fixes #1817
2021-03-13 09:36:22 +11:00
David Chidell 5cf11f87c8
docs(authorizer): important headers for access-control networks (#1794)
* Document X-Forwarded-For capabilities within access-control networks

Adds a short paragraph detailing X-Forwarded-For header behaviour
into the documentation.

* Update docs/configuration/access-control.md

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-03-11 10:18:39 +11:00
James Elliott e041143f87
feat(session): add redis sentinel provider (#1768)
* feat(session): add redis sentinel provider

* refactor(session): use int for ports as per go standards

* refactor(configuration): adjust tests and validation

* refactor(configuration): add err format consts

* refactor(configuration): explicitly map redis structs

* refactor(session): merge redis/redis sentinel providers

* refactor(session): add additional checks to redis providers

* feat(session): add redis cluster provider

* fix: update config for new values

* fix: provide nil certpool to affected tests/mocks

* test: add additional tests to cover uncovered code

* docs: expand explanation of host and nodes relation for redis

* ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum

* fix(session): sentinel password

* test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config

* test: make entrypoint.sh executable, fix entrypoint.sh if/elif

* test: add redis failover tests

* test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging

* test: add sentinel integration test

* test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep

* feat: use sentinel failover cluster

* fix: renamed addrs to sentineladdrs upstream

* test(session): sentinel failover

* test: add redis standard back into testing

* test: move redis standalone test to traefik2

* fix/docs: apply suggestions from code review
2021-03-10 10:03:05 +11:00
James Elliott 4dce8f9496
perf(authorizer): preload access control lists (#1640)
* adjust session refresh to always occur (for disabled users)

* feat: adds filtering option for Request Method in ACL's

* simplify flow of internal/authorization/authorizer.go's methods

* implement query string checking

* utilize authorizer.Object fully

* make matchers uniform

* add tests

* add missing request methods

* add frontend enhancements to handle request method

* add request method to 1FA Handler Suite

* add internal ACL representations (preparsing)

* expand on access_control next

* add docs

* remove unnecessary slice for network names and instead just use a plain string

* add warning for ineffectual bypass policy (due to subjects)

* add user/group wildcard support

* fix(authorization): allow subject rules to match anonymous users

* feat(api): add new params

* docs(api): wording adjustments

* test: add request method into testing and proxy docs

* test: add several checks and refactor schema validation for ACL

* test: add integration test for methods acl

* refactor: apply suggestions from code review

* docs(authorization): update description
2021-03-05 15:18:31 +11:00
Amir Zarrinkafsh 2a1f5e3f8d
fix(configuration): lower argon2id default memory requirements (#1762)
* fix(configuration): lower argon2id default memory requirements

The current default hashing value of 1024MB (1GB) is far too aggressive to cover all use cases.
Reducing this number and encouraging users to to read the documentation and tune will result in less issues and a better user experience.

* test: fix broken tests
2021-03-03 20:19:28 +11:00
ThinkChaos ba65a3db82
feat(handlers): authorization header switch via query param to /api/verify (#1563)
* [FEATURE] Add auth query param to /api/verify (#1353)

When `/api/verify` is called with `?auth=basic`, use the standard
Authorization header instead of Proxy-Authorization.

* [FIX] Better basic auth error reporting

* [FIX] Return 401 when using basic auth instead of redirecting

* [TESTS] Add tests for auth=basic query param

* [DOCS] Mention auth=basic argument and provide nginx example

* docs: add/adjust basic auth query arg docs for proxies

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-02-24 10:35:04 +11:00
Amir Zarrinkafsh 683c4a70bf
fix(web): improve 2fa enrollment process (#1706)
* refactor(web): improve 2fa enrollment process

This PR will change some of the wording and colours for the 2FA processes in order to provide more clarity and address some accessibility issues for end users.

The following is a summary of the changes:

* One-Time Password ⭢ Time-based One-Time Password
* Security Key ⭢ Security Key - U2F

![Screenshot_2021-02-02-09-36-17](https://user-images.githubusercontent.com/3339418/107138185-17656100-6967-11eb-8fac-9e75c7a82d09.png)


* QRCode ⭢ QR Code

![Screenshot_2021-02-07-05-07-25](https://user-images.githubusercontent.com/3339418/107138196-29df9a80-6967-11eb-811f-d77c9bb0159e.png)

* `Not registered yet?` text to display `Lost device?` if a user has already registered a device of said type

![Screenshot_2021-02-02-10-24-54](https://user-images.githubusercontent.com/3339418/107138205-395ee380-6967-11eb-8826-83e1438dd146.png)

* Change button and text colour in e-mails that Authelia generates
* Change Authelia email footer to be more security conscious

![Screenshot_2021-02-07-04-51-40](https://user-images.githubusercontent.com/3339418/107138211-4085f180-6967-11eb-890b-9d931bd1ce76.png)

The docs have also been updated to clarify the 2fa device enrollment limitation which only allows users to register one of each device type concurrently.

Closes #1560.
2021-02-12 16:59:42 +11:00
Amir Zarrinkafsh e091032279
docs: update contribution guidelines (#1666)
* docs: update contribution guidelines

* add release commit message type

* update none/empty scope definition

* add go mod tidy post update option
2021-01-30 19:29:07 +11:00
dependabot-preview[bot] d93ddc420a
[MISC] (deps-dev): Bump github-pages from 210 to 211 in /docs (#1635)
Bumps [github-pages](https://github.com/github/pages-gem) from 210 to 211.
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v210...v211)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-28 09:16:03 +11:00
dependabot-preview[bot] 5967416538
[MISC] (deps-dev): Bump github-pages from 209 to 210 in /docs (#1625)
Bumps [github-pages](https://github.com/github/pages-gem) from 209 to 210.
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v209...v210)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-25 11:05:12 +11:00
Amir Zarrinkafsh 87af0d3112
[DOCS] Update contributors (#1623)
This change also modifies the contributors to introduce [All Contributors](https://allcontributors.org/).
2021-01-22 14:24:25 +11:00
Amir Zarrinkafsh daa30f3aa3
[FEATURE] Add theme support (#1584)
* [FEATURE] Add theme support

This change allows users to select a theme for Authelia on start-up.

The default will continue to be the existing theme which is known as `light`.
Three new options are now also provided:
* `dark`
* `grey`
* `custom`

The `custom` theme allows users to specify a primary and secondary hex color code to be utilised to style the portal.

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>

* Add themes to integration tests

* Remove custom theme

* Fix linting issue in access_control_test.go

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>
2021-01-20 23:07:40 +11:00
James Elliott 712288555c
[BUGFIX] Fix incorrect docs and Certificate PEM extensions (#1589)
* add .crt to the PEM extensions scanned for
* fix documentation on the extensions allowed
* add trace logging to the loading process to help debug in the future
2021-01-10 22:10:45 +11:00
dependabot-preview[bot] 5feb845914
[MISC] (deps): [Security] Bump nokogiri from 1.10.10 to 1.11.0 in /docs (#1579)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.10 to 1.11.0. **This update includes a security fix.**
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.10.10...v1.11.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2021-01-05 09:38:06 +11:00
Amir Zarrinkafsh 9ca0e940da
[FEATURE] Validate ACLs and add network groups (#1568)
* adds validation to ACL's
* adds a new networks section that can be used as aliases in other sections (currently access_control)
2021-01-04 21:55:23 +11:00
James Elliott 29a900226d
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557)
* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia
* this is in ADDITION to system certs and are trusted by both LDAP and SMTP
* added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS
* remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use
* use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section
* added temporary translations from the old names to the new ones for all deprecated options
* added docs
* updated example configuration
* final deprecations to be done in 4.28.0
* doc updates
* fix misc linting issues
* uniform deprecation notices for ease of final removal
* added additional tests covering previously uncovered areas and the new configuration options
* add non-fatal to certificate loading when system certs could not be loaded
* adjust timeout of Suite ShortTimeouts
* add warnings pusher for the StructValidator
* make the schema suites uninform
* utilize the warnings in the StructValidator
* fix test suite usage for skip_verify
* extract LDAP filter parsing into it's own function to make it possible to test
* test LDAP filter parsing
* update ErrorContainer interface
* add tests to the StructValidator
* add NewTLSConfig test
* move baseDN for users/groups into parsed values
* add tests to cover many of the outstanding areas in LDAP
* add explicit deferred LDAP conn close to UpdatePassword
* add some basic testing to SMTP notifier
* suggestions from code review
2021-01-04 21:28:55 +11:00
Kristof Mattei b20f62b015
Update example to set correct internal trusted ranges. (#1575) 2021-01-02 07:36:12 +11:00
Amir Zarrinkafsh 1debc820fa
[DOCS] Fix typo in IPv6 address notes (#1566) 2020-12-30 06:33:57 +11:00
James Elliott 2763aefe81
[BUGFIX] Static Session Expiration Key (#1564)
* [BUGFIX] Static Session Expiration Key

* keys for session expiration are random for each instance of Authelia
* this is caused by upstream setting it to a random value
* using a temporary bugfix fork of github.com/fasthttp/session to resolve locally
* add some misc doc additions
2020-12-29 12:44:47 +11:00
ZMiguel Valdiviesso 39bb2d2d1a
Add config example for LDAP groupOfUniqueNames group structure (#1549)
* Add config example for groupOfUniqueNames group structure

* Update ldap.md

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-12-22 08:16:20 +11:00
Amir Zarrinkafsh f2282f78a9
[DOCS] Add notes for IPv6 literal address (#1541) 2020-12-16 11:31:39 +11:00
Begley Brothers (Development) a7968bc77b
[DOCS] Update hash-password example with single quotes (#1537)
* [Doc] Single quote the hash-password input

Closes #1536

* Update docs/configuration/authentication/file.md

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-12-16 11:07:51 +11:00
Clément Michaud 86c4577127
[DOCS] Add a note on regexps in ACLs (#1533)
Fixes #1523
2020-12-16 11:00:58 +11:00
James Elliott 426f5260ad
[FEATURE] LDAP StartTLS (#1500)
* add start_tls config option
* add StartTLS method to the LDAP conn factory and the mock
* implemented use of the StartTLS method when the config is set to true
* add mock unit tests
* add docs
* add TLS min version support
* add tests to tls version method
* fix lint issues
* minor adjustments
* remove SSL3.0
* add tls consts
* deprecate old filter placeholders
* remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993
* make suite ActiveDirectory use StartTLS
* misc adjustments to docs
* suggested changes from code review
* deprecation notice conformity
* add mock test for LDAPS plus StartTLS
2020-12-03 16:23:52 +11:00
James Elliott 365304a684
[FEATURE] Add Optional Check for Session Username on VerifyGet (#1427)
* Adding the Session-Username header to the /api/verify endpoint when using cookie auth will check the value stored in the session store for the username and the header value are the same.
* use strings.EqualFold to compare case insensitively
* add docs
* add unit tests
* invalidate session if it is theoretically hijacked and log it as a warning (can only be determined if the header doesn't match the cookie)
* add example PAM script
* go mod tidy
* go mod bump to 1.15
2020-12-02 10:03:44 +11:00
Amir Zarrinkafsh ba04d1072b
[BUGFIX] Make username_attribute a mandatory placeholder in users_filter (#1449)
* [BUGFIX] Make username_attribute a mandatory placeholder in users_filter

Not including the `username_attribute` in the `users_filter` will cause issues with the LDAP session refresh and will result in session resets when the refresh interval has expired.

This change makes said attribute mandatory for the `users_filter`.

* Update version referenced in docs for fix
2020-11-28 00:30:27 +11:00
Amir Zarrinkafsh aa64d0c4e5
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460)
* Added `ActiveDirectory` suite for integration tests with Samba AD
* Updated documentation
* Minor styling refactor to suites
* Clean up LDAP user provisioning
* Fix Authelia home splash to reference correct link for webmail
* Add notification message for password complexity errors
* Add password complexity integration test
* Rename implementation default from rfc to custom
* add specific defaults for LDAP (activedirectory implementation)
* add docs to show the new defaults
* add docs explaining the importance of users filter
* add tests
* update instances of LDAP implementation names to use the new consts where applicable
* made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead
* update config examples due to the new defaults
* apply changes from code review
* replace schema default name from MSAD to ActiveDirectory for consistency
* fix missing default for username_attribute
* replace test raising on empty username attribute with not raising on empty

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-27 20:59:22 +11:00
Amir Zarrinkafsh a29eeb52b6
[FEATURE] Add JSON log formatting option (#1488)
This change adds the ability to format Authelia's log output as JSON.

Example below:
```
{"level":"info","msg":"Logging severity set to info","time":"2020-01-01T00:00:00+11:00"}
{"level":"info","msg":"Authelia is listening for non-TLS connections on 0.0.0.0:9091","time":"2020-01-01T00:00:00+11:00"}
```
2020-11-25 10:46:41 +11:00
Amir Zarrinkafsh 3832b55312
[DOCS] Fix links in Contributing (#1484) 2020-11-24 12:47:12 +11:00
Timo 495e57b46c
[DOCS] Make HAProxy regex case insensitive (#1478) 2020-11-24 12:35:38 +11:00
Lukas Klass 518bc67ef9
[DOCS] Clarify use of multiple subjects in ACLs and their logical evaluation (#1454)
* Clarify use of multiple subjects and their logical evaluation

* Update docs/configuration/access-control.md

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-11-13 10:30:23 +11:00
Amir Zarrinkafsh f392f51df6
[MISC] Append log file instead of overwriting (#1450)
* [MISC] Append log file instead of overwriting

If Authelia is restarted when a `log_file_path` is defined upon restart the log file is overwritten as opposed to appending the existing file.

This change ensures that the log file will be appended to, users will need to ensure that they rotate/truncate this over time especially if running in `debug` or `trace`.

* Amend documentation for log_file_path
2020-11-13 10:14:45 +11:00
Amir Zarrinkafsh 29af1aac6a
[DOCS] Update session docs to clarify encryption (#1448)
This looks like it just fell out of sync with what actually already exists within the [`config.template.yml`](695cd5bf8f/config.template.yml (L291)).
2020-11-13 07:45:46 +11:00
James Elliott 956dbfb8de
[BUGFIX] Add ability to specify SMTP HELO/EHLO identifier (#1416)
* add docs
* add configuration option for SMTP called `identifier`
* default should act the same as before
2020-11-05 10:22:10 +11:00
Amir Zarrinkafsh a83ccd7188
[FEATURE] Add Remote-Name and Remote-Email headers (#1402) 2020-10-26 22:38:08 +11:00
akusei af2ae328e7
[FEATURE] Container privilege de-escalation (#1370)
* support for running as non-root

* forgot to save file

* removed write perms for user on entrypoint script

* preserve existing user behavior

* fix entrypoint permissions to account for non-root user

* typo in chmod on line 63

* better entrypoint script; moved to root

* execute bit

* support for running as non-root

* forgot to save file

* removed write perms for user on entrypoint script

* preserve existing user behavior

* fix entrypoint permissions to account for non-root user

* typo in chmod on line 63

* better entrypoint script; moved to root

* execute bit

* very rough draft documentation

* added missing header

* typo changes -> changed

* Update entrypoint.sh

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

looks good

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-10-19 10:12:21 +11:00
alexw1982 0ba634ffee
[DOCS] Update Fail2Ban security measures (#1349)
* [Docs] Security measures - Fail2Ban

Minor changes / improvements to the text

* Update measures.md

* Update docs/security/measures.md
2020-10-17 13:44:48 +11:00
dependabot-preview[bot] e0c44966e5
[MISC] (deps): Bump just-the-docs from 0.3.2 to 0.3.3 in /docs (#1375)
Bumps [just-the-docs](https://github.com/pmarsceill/just-the-docs) from 0.3.2 to 0.3.3.
- [Release notes](https://github.com/pmarsceill/just-the-docs/releases)
- [Commits](https://github.com/pmarsceill/just-the-docs/compare/v0.3.2...v0.3.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-15 15:13:34 +11:00
dependabot-preview[bot] 0e34ae78fd
[MISC] (deps-dev): Bump github-pages from 208 to 209 in /docs (#1368)
Bumps [github-pages](https://github.com/github/pages-gem) from 208 to 209.
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v208...v209)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-11 22:33:50 +11:00
alexw1982 adf6b7878d
[DOCS] Add fail2ban security measures (#1344)
* Update measures.md

Closes #1176.
2020-09-30 11:40:26 +10:00
dependabot-preview[bot] 3f65547e3b
[MISC] (deps-dev): Bump github-pages from 207 to 208 in /docs (#1345)
Bumps [github-pages](https://github.com/github/pages-gem) from 207 to 208.
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v207...v208)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-29 12:22:36 +10:00
thehedgefrog 86ecc03640
Updated secrets.md with a functional DaemonSet (#1287)
* Updated secrets.md with a functional DaemonSet

* changed TCP socket for API endpoints
2020-09-25 09:48:24 +10:00
Amir Zarrinkafsh 607f829431
[DOCS] Clean HAProxy examples (#1338)
Remove headers that are not required and fix a typo.
2020-09-23 17:29:46 +10:00
Amir Zarrinkafsh 5b98b4d090
[BUGFIX] Fix HAProxy redirects (#1333)
Including updates to docs examples.
2020-09-23 09:06:26 +10:00
Amir Zarrinkafsh 8d68886b5b
[DOCS] Fix default layout (#1329) 2020-09-19 00:58:41 +10:00
dependabot-preview[bot] 35a7e954a2
[MISC] (deps): Bump just-the-docs from 0.3.1 to 0.3.2 in /docs (#1320)
Bumps [just-the-docs](https://github.com/pmarsceill/just-the-docs) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/pmarsceill/just-the-docs/releases)
- [Commits](https://github.com/pmarsceill/just-the-docs/compare/v0.3.1...v0.3.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-19 00:34:08 +10:00
Amir Zarrinkafsh 771c220d38
[FEATURE] Support updated haproxy-auth-request (#1310)
* [FEATURE] Support updated haproxy-auth-request
This version removes the dependency of lua-socket which seemed to result in many unsupported and broken BSD/Pfsense deployments.

* Fix docs indentation

* Add haproxy-lua-http to TLS enabled configuration
2020-09-10 10:52:57 +10:00
James Elliott a92b0bff1d
[FEATURE] Plain Text Email Notifications (#1238)
* add a plain text email template
* use plain text email template for file based emails
* add config option to SMTP emails named disable_html_emails
  * config option is a boolean that when set to true will only send plain text emails
* add docs for more complex SMTP notifier options
* update template
* add rfc1341 multipart logic to notifier
* check for errors after identity_verification

* * fix nil ptr
* go mod tidy
* remove needless checks

* * use multipart/atlernative instead

* * add rfc5322 compliant date header

* * fix linting issues
2020-08-21 12:16:23 +10:00