Commit Graph

485 Commits (36cf662458326ef2f1e70f9ee304715152616048)

Author SHA1 Message Date
Amir Zarrinkafsh 9445878ca2
refactor(web): use transformindexhtml vite hook (#2488) 2021-10-11 20:30:02 +11:00
James Elliott 0d7777e3f5
fix(server): provide correct scheme to templated files (#2486)
This utilizes the context of the request and configuration to determine the correct scheme to use for the base URL.

Fixes #2485. Fixes #2476.
2021-10-10 21:19:47 +11:00
Amir Zarrinkafsh a3e84769b5
feat(web): replace cra with vite (#2457)
* feat(web): replace cra with vite

* fix: add istanbul
* fix: add jest
* fix: inject env vars
* fix: replicate cra output directories
* fix: post-frontend build for go templating
* fix: dynamic publicpath

* fix(web): import resolution with aliases for .module.css files

* refactor(server): baseurl var

* refactor(web): drop babel-jest for esbuild-jest

* refactor(web): add inline sourcemap for coverage bundle

* build(deps): update web deps

* build(deps): downgrade vite-plugin-istanbul to 2.2.0

98bf77dbaa is a breaking change that means production mode builds can no longer be instrumented.

* refactor(web): match frontend name and version

* refactor(web): drop cra readme
2021-10-08 15:00:06 +11:00
renovate[bot] 455499fa93
build(deps): update traefik docker tag to v1.7.33 (#2466)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-10-08 12:51:30 +11:00
James Elliott f3c2539e12
fix(session): session id generator situational panic (#2471)
* fix(session): replace session id generator
This replaces the fasthttp session generator with a more generic one.
2021-10-08 12:34:43 +11:00
Amir Zarrinkafsh 4161fbd818
ci(codecov): utilise new codecov uploader for coverage (#2467)
* ci(codecov): utilise new codecov uploader for coverage

The codecov bash uploader is being [deprecated](https://docs.codecov.com/docs/about-the-codecov-bash-uploader).

This utilises the new uploader which is recommended.

* ci(codecov): adjust file search path and name uploads

* fix(suites): coverage paths for codecov
2021-10-08 11:17:08 +11:00
Amir Zarrinkafsh 23fdb8d1b9
fix(suites): enable cgo in dev workflow (#2454) 2021-10-07 11:14:15 +11:00
renovate[bot] 65dd2a1341
build(deps): update traefik docker tag to v1.7.32 (#2458)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-10-07 09:05:05 +11:00
renovate[bot] 451f84f13f
build(deps): update haproxy docker tag to v2.4.7 (#2455) 2021-10-06 20:54:05 +11:00
renovate[bot] 6370c16c95
build(deps): update traefik docker tag to v1.7.31 (#2450)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-10-06 08:38:29 +11:00
Michael Campbell 5db9adc7e3
docs: fix broken url in config.template.yml (#2443)
* docs: fix broken url in config.template.yml
2021-10-04 12:13:54 +11:00
renovate[bot] 28e702f5c8
build(deps): update postgres docker tag to v14 (#2430)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-10-01 11:03:06 +10:00
Amir Zarrinkafsh e8a52f4794
refactor: replace sqlite library with the original cgo variant (#2427)
* refactor: replace sqlite library with the original cgo variant

This change reverts our SQLite library back to the original for compatibility and performance reasons now that we always package with CGO.

* fix: cgo and build flags

* fix: gcc requirement

* fix: gcc in dev workflow too
2021-10-01 09:58:33 +10:00
Amir Zarrinkafsh 3d312cf3b9
refactor: replace yarn with pnpm (#2424)
* Check for pnpm in authelia-scripts
* Improve husky hooks to check for required apps
* Use pnpm in coverage dockerfile
* Use pnpm in dev workflow
* Stop buildx log truncation
* Ignore pnpm lockfile in yamllint
* Update versions required for docker and docker-compose in contributing docs
2021-09-29 17:24:21 +10:00
James Elliott 6a75fc6f67
build(deps): update module github.com/golang-jwt/jwt/v4 to v4.1.0 (#2418) 2021-09-26 22:06:11 +10:00
renovate[bot] 6343f70f01
build(deps): update traefik docker tag to v2.5.3 (#2401)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-21 10:40:22 +10:00
James Elliott aed9099ce2
refactor: factorize startup checks (#2386)
* refactor: factorize startup checks

* refactor: address linting issues
2021-09-17 19:53:59 +10:00
Clément Michaud 92d328926d
refactor(handlers): lower case error messages (#2289)
* refactor(handlers): lower case error messages

also refactor verifyAuth function to detect malicious activity both with session
cookie and authorization header.

* refacto(handlers): simplify error construction

* fix(handlers): check prefix in authorization header to determine auth method

* fix(handlers): determining the method should be done with headers instead of query arg

* refacto(handlers): rollback changes of verifyAuth

* don't lowercase log messages

* Apply suggestions from code review

Make sure logger errors are not lowercased.

* fix: uppercase logger errors and remove unused param

* Do not lowercase logger errors
* Remove unused param targetURL
* Rename url variable to not conflict with imported package

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-09-17 15:53:40 +10:00
yossbg 05406cfc7b
feat(ntp): check clock sync on startup (#2251)
This adds method to validate the system clock is synchronized on startup. Configuration allows adjusting the server address, enabled state, desync limit, and if the error is fatal.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-09-17 14:44:35 +10:00
Amir Zarrinkafsh 11032bdf93
fix(server): remove obselete memory check warning (#2380)
Given the fact that many Linux OSes are defaulting to CGroups v2 and also Authelia changing the default memory config for argon2id this warning is now obselete.
2021-09-16 12:26:34 +10:00
Alex Gustafsson a88c5588e8
feat: add config flag to hash-password tool (#2047)
This change implements a --config flag for the hash-password which parses the config and validates it just as it would at run-time. The values specified in the config replace those specified as parameters.

* feat(cmd): add config flag to hash-password tool
* fix(cmd): fix linting issue

Closes: #1709.
2021-09-16 10:20:42 +10:00
James Elliott 2f03b02fc9
fix(session): handle redis logging properly (#2350)
This catches redis logs and displays them via our logging utility.
2021-09-09 13:08:21 +10:00
renovate[bot] 4da10f9cea
build(deps): update haproxy docker tag to v2.4.4 (#2351)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-08 09:52:49 +10:00
Amir Zarrinkafsh 84f370aa68
fix(suites): prevent dev workflow overriding .healthcheck.env (#2345) 2021-09-06 20:51:58 +10:00
renovate[bot] 9de8aafadf
build(deps): update traefik docker tag to v2.5.2 (#2337)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-03 11:59:46 +10:00
renovate[bot] d2bf1eb4e2
build(deps): update alpine docker tag to v3.14.2 (#2325) 2021-08-28 09:13:07 +10:00
James Elliott 8d102ce5d8
refactor(session): remove unencrypted session fallback (#2314)
This removes a temporary session fallback for unencrypted sessions.
2021-08-26 21:48:14 +10:00
renovate[bot] ad16f99e6d
build(deps): update traefik docker tag to v2.5.1 (#2306)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-21 11:03:00 +10:00
Amir Zarrinkafsh aa20dad04b
refactor(configuration): add import commentary for golint (#2303) 2021-08-20 11:42:35 +10:00
renovate[bot] 8ac9ce9367
build(deps): update traefik docker tag to v2.5.0 (#2296)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-19 09:28:05 +10:00
renovate[bot] 956db2dbaa
build(deps): update haproxy docker tag to v2.4.3 (#2295)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-18 14:50:49 +10:00
renovate[bot] 0aba819899
build(deps): update golang docker tag (#2293)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-17 13:46:47 +10:00
renovate[bot] c768144c07
build(deps): update traefik docker tag to v2.4.14 (#2292)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-17 07:30:27 +10:00
James Elliott b4e570358e
fix: include major in go.mod module directive (#2278)
* build: include major in go.mod module directive

* fix: xflags

* revert: cobra changes

* fix: mock doc
2021-08-11 11:16:46 +10:00
James Elliott c0ebe3eb8c
fix(notifier): use sane default connection timeout (#2273) 2021-08-10 10:52:41 +10:00
Amir Zarrinkafsh e2ebdb7e41
fix: oidc issuer path and strip path middleware (#2272)
* fix: oidc issuer path and strip path middleware

This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content.

* fix: only log the token error and general refactoring

* refactor: factorize base_url functions

* refactor(server): include all paths in startup logging

* refactor: factorize

* refactor: GetExternalRootURL -> ExternalRootURL

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 10:31:08 +10:00
renovate[bot] c593ebc573
build(deps): update mariadb docker tag to v10.6.4 (#2274)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-10 07:30:29 +10:00
James Elliott 997036f9c3
fix(configuration): make notifier logging consistent and more specific (#2268)
This ensures the notifier logs are more specific to give people a clear picture of if they either have no notifier specified or multiple.
2021-08-07 13:58:08 +10:00
renovate[bot] cc1ecafc1c
build(deps): update alpine docker tag to v3.14.1 (#2262)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-07 06:48:15 +10:00
James Elliott 9ebad9bec2
fix(storage): set sane default connection timeout (#2256)
This sets a sane default connection timeout for SQL connections.
2021-08-06 15:35:14 +10:00
James Elliott 9789ad070b
fix(configuration): ldap timeout option not recognized as valid (#2252)
This is so an unexpected error doesn't occur when someone uses the new ldap timeout key which we missed adding to the list of valid keys in b2a49e1780.
2021-08-06 09:28:52 +10:00
James Elliott 655ae98ced
fix(notifier): regression in startup check (#2248)
The changes in the koanf commit a7e867a699 introduced a regression in the startup procedure that prevented the option to disable the startup check from having an effect. This ensures the startup check is not performed if it is disabled as it was intended.
2021-08-05 20:41:56 +10:00
James Elliott 13ae1b4f26
fix(configuration): missing oidc minimum_parameter_entropy validator key (#2244)
* fix(oidc): missing validator key

* revert: return removed key

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-05 17:19:17 +10:00
James Elliott b2a49e1780
feat(authentication): allow customizable ldap connection timeout (#2240)
This implements both a connection timeout for LDAP connections, and makes it configurable by administrators. The default is 5s. The reason for this commit is currently if a connection to an LDAP server cannot be established it does not timeout in a reasonable period.
2021-08-05 14:30:00 +10:00
James Elliott a3b14871ba
perf(authentication): improve ldap dynamic replacement performance (#2239)
This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 14:17:07 +10:00
James Elliott c5c6bda8b0
refactor: configuration agnostic healthcheck (#2231)
This makes the healthcheck simple and configured directly by Authelia's configuration on startup.
2021-08-05 14:02:07 +10:00
Clément Michaud e693302c75
fix(storage): use lower case in error messages (#2145)
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-04 09:36:53 +10:00
Clément Michaud 4a570489d1
fix(server): use lower case in error messages (#2151)
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-04 09:18:20 +10:00
Amir Zarrinkafsh 28991dd71a
fix(oidc): do not lower case in log messages (#2236) 2021-08-04 08:54:45 +10:00
James Elliott f7b358e72a
build(deps): update module github.com/golang-jwt/jwt to v4 (#2235) 2021-08-04 07:38:07 +10:00
James Elliott a7e867a699
feat(configuration): replace viper with koanf (#2053)
This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 19:55:21 +10:00
James Elliott 942fd69776
docs(logging): fix invalid key log_file (#2226)
A small fix to the documentation regarding migrating configuration.
2021-08-03 10:44:21 +10:00
James Elliott 158783a9d4
feat(configuration): replace several configuration options (#2209)
This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration.

BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0
2021-08-02 21:55:30 +10:00
James Elliott ac17841721
fix(handlers): make user banned message consistent (#2223)
This is so the user banned API message is consistent with other authentication failed messages, even in the API.
2021-08-02 16:54:20 +10:00
Clément Michaud bc983ce9f5
fix: user is now redirected when authenticated (#2082)
* fix(handlers,web): user is now redirected when authenticated

Fix: #1788

* remove dead code and fix ci issues

* fix infinite loop in frontend

* fix issue with integration tests

* handle bot recommendation

* fix integration test & add dot to comment

* fix last integration test

* Update api/openapi.yml

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

* Update web/src/services/SafeRedirection.ts

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update web/src/services/SafeRedirection.ts

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update api/openapi.yml

* Update openapi.yml

* refactor: valid -> safe

* refactor: adjust merge conflicts

* Apply suggestions from code review

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

* fix: adjust test return messaging

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-02 16:15:38 +10:00
renovate[bot] 77a51d5c2f
build(deps): update traefik docker tag to v2.4.13 (#2217)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-31 09:53:41 +10:00
Georg Lauterbach 5ed0636f77
fix(notifier): remove SMTPS warning (#2200)
Removes a warning about SMTPS when using port 465 and replaces it with info about SUBMISSIONS.
2021-07-30 13:15:12 +10:00
renovate[bot] c98b2a7d59
build(deps): update traefik docker tag to v2.4.12 (#2203)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-27 10:29:31 +10:00
James Elliott 911d71204f
fix(handlers): handle xhr requests to /api/verify with 401 (#2189)
This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 13:52:37 +10:00
James Elliott ddeb46b262
fix(handlers): send status 303 auth requests that are not get/head (#2184)
When a request occurs, if the browser is not performing a HTTP GET/HEAD request, the 302 status code is not valid. This commit resolves this. MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302.
2021-07-16 13:43:48 +10:00
renovate[bot] 596346de1e
build(deps): update traefik docker tag to v2.4.11 (#2187)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-16 06:42:05 +10:00
James Elliott 8342a46ba1
feat(oidc): implement client type public (#2171)
This implements the public option for clients which allows using Authelia as an OpenID Connect Provider for cli applications and SPA's where the client secret cannot be considered secure.
2021-07-15 21:02:03 +10:00
James Elliott c794d57afc
perf(authentication): improve active directory default users filter (#2181)
This adds a performance change to the default Active Directory users filter. Basically as per TechNet the (sAMAccountType=805306368) filter is the same as (&(objectCategory=person)(objectClass=user)) except the performance is better.
2021-07-14 20:30:25 +10:00
renovate[bot] 3537cce660
build(deps): update mariadb docker tag to v10.6.3 (#2180)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-13 22:46:04 +02:00
James Elliott f292050822
fix(authentication): ldap connection left open (#2179)
The recent ldap changes in cb71df5 left a connection to the LDAP server open at startup. This resolves this which prevents an ugly log message and unnecessary open sockets.
2021-07-13 21:12:50 +10:00
James Elliott 143db66445
feat(oidc): userinfo endpoint (#2146)
This is a required endpoint for OIDC and is one we missed in our initial implementation. Also adds some rudamentary documentaiton about the implemented endpoints.
2021-07-10 14:56:33 +10:00
renovate[bot] d2422e9965
build(deps): update haproxy docker tag to v2.4.2 (#2168)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-09 08:49:30 +10:00
Clément Michaud 21f9056c00
fix(oidc): use lower case in log messages (#2153) 2021-07-08 12:44:43 +10:00
Clément Michaud 98d9cad62e
fix(regulation): use lower case in error messages (#2152) 2021-07-08 12:04:43 +10:00
Clément Michaud 2d634e9b20
fix(session): use lower case in error messages (#2150) 2021-07-08 11:33:22 +10:00
Arsenović Arsen 8ee0597486
feat(authentication): use the passwordmodify exop for pwd resets with ldap (#2124)
Implement the LDAP password modify extended operation for LDAP providers that advertise they support it.
2021-07-06 19:13:17 +10:00
James Elliott 31c5c820f0
refactor(authentication): log ldap warning on startup in rare condition (#2141)
This is so on startup administrators who have a LDAP server implementation that may not support password hashing by default are clearly warned. This only triggers if the disable password reset option is not enabled, we cannot find the extension OID for the Extended Password Modify Operation, and the implementation is not Active Directory. Active Directory has it's own method for this which doesn't advertise an OID.
2021-07-04 15:44:11 +10:00
James Elliott ef549f851d
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. 
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 09:44:30 +10:00
Clément Michaud 2dbd7ed219
fix(utils): use lower case in error messages (#2144) 2021-07-04 08:08:24 +10:00
James Elliott b2638d4af9
fix(authentication): use passwdmodify oid instead of whoami oid (#2139)
This is the correct OID for the passwdModify Extended Operation.
2021-07-02 11:33:10 +10:00
James Elliott cb71df5d9b
feat(authentiation): check ldap support for extended operations on startup (#2133)
* feat(authentiation): check ldap server on startup

This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary.

* test(authentication): add unit tests for new feature

* refactor(authentication): factorize ldap user provider newup

* refactor: minor adjustments
2021-07-02 09:16:16 +10:00
Philipp Staiger 7ff0a39c02
fix(suites): disable cgo for delve during development (#2129)
#2101 introduced a minor regression when using the authelia scripts suite for developing.

The following issues occurred:

```
[00] # runtime/cgo
[00] cgo: exec gcc: exec: "gcc": executable file not found in $PATH
```

Adding the CGO_ENABLED=0 before the dlv build command in the run-backend-dev.sh fixed the issue.
2021-07-01 10:28:24 +10:00
renovate[bot] 9640b48b60
build(deps): update haproxy docker tag to v2.4.1 (#2120)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-27 14:22:29 +10:00
renovate[bot] 5c78dfaa0d
build(deps): update traefik docker tag to v2.4.9 (#2113)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-23 08:49:05 +10:00
Amir Zarrinkafsh 4cab3a4a4e
refactor: drop cgo requirement for sqlite (#2101)
* refactor: drop cgo requirement for sqlite

Replace github.com/mattn/go-sqlite3 with modernc.org/sqlite which drops our CGO requirement.

* refactor: newline for consistency with dockerfiles
2021-06-22 10:45:33 +10:00
renovate[bot] 986f88fd89
build(deps): update mariadb docker tag to v10.6.2 (#2099)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-19 08:33:13 +10:00
Amir Zarrinkafsh f32a0a7407
test(web): integration test auto theme (#2096)
Allows capturing of code coverage for the `auto` theme in the Standalone suite.
2021-06-18 17:15:58 +10:00
James Elliott 0d7b33022c
build: add enhanced information (#2067)
This commit adjusts the build flags to include version information in the LDFLAGS using the -X options. Additionally this makes the information recorded at build time more comprehensive. All build information can now be obtained via the `authelia build` command, and the `authelia version` command is now `authelia --version`. Lastly this adjusts the Dockerfile to utilize docker cache more effectively.
2021-06-18 14:35:43 +10:00
James Elliott ef3c2faeb5
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089)
This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 11:38:01 +10:00
James Elliott 438555886e
build(deps): replace jwt-go (#2092)
This replaces github.com/dgrijalva/jwt-go and github.com/form3tech-oss/jwt-go with github.com/golang-jwt/jwt which will be the maintained package going forward.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-06-18 10:39:19 +10:00
Alex Gustafsson 150116a172
feat(web): implement automatic theme switch for light/dark (#2046)
* Implement an automatic theme

The "auto" theme will automatically switch between "dark" and "light"
depending on user preference. This allows for automatic dark mode.

* fix(configuration): allow the "auto" theme when validating

The new theme "auto" was not allowed to be used in a configuration file.

* docs: clarify what critera controls the automatic theme

How the "auto" theme functioned was unclear.

* docs: typeset themes as code

* fix(web): apply useEffector to media query watch

* docs: add technical details

* fix(configuration): resolve merge conflicts
2021-06-17 16:42:03 +10:00
James Elliott fcfff9748c
feat(handlers): synology password complexity err on reset (#2083)
This responds to the client with the correct error when used with Synology LDAP servers.
2021-06-16 12:50:14 +10:00
renovate[bot] 923f7c7aec
build(deps): update alpine docker tag to v3.14.0 (#2084)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-16 09:38:02 +10:00
Amir Zarrinkafsh 8a171e6344
ci(golangci-lint): replace golint with revive linter (#2078)
Remove deprecated `golint` linter and replace with `revive` linter.

Also fix outstanding issues due to upgraded linters.
2021-06-11 10:30:53 +10:00
James Elliott 2c42464fc8
refactor(configuration): use key log instead of logging (#2072)
* refactor: logging config key to log

This refactors the recent pre-release change adding log options to their own configuration section in favor of a log section (from logging).

* docs: add step to getting started to get the latest tagged commit

This is so we avoid issues with changes on master having differences that don't work on the latest docker tag.

* test: adjust tests

* docs: adjust doc strings
2021-06-08 23:15:43 +10:00
James Elliott cef35fadcd
feat(configuration): add error and warn log levels (#2050)
This is so levels like warn and error can be used to exclude info or warn messages. Additionally there is a reasonable refactoring of logging moving the log config options to the logging key because there are a significant number of log options now. This also decouples the expvars and pprof handlers from the log level, and they are now configured by server.enable_expvars and server.enable_pprof at any logging level.
2021-06-01 14:09:50 +10:00
Amir Zarrinkafsh 05df642f3e
feat: add option to keep stdout logging with log_file_path (#2037)
Currently if a `log_file_path` is defined Authelia will redirect all logging from standard output to said defined location. This change allows users to keep standard output logging along with a defined `log_file_path`.
2021-05-31 14:02:54 +10:00
renovate[bot] d28d36b568
build(deps): update haproxy docker tag to v2.4.0 (#2004)
* build(deps): update haproxy docker tag to v2.4.0

* fix(suites): fix haproxy dockerfile user

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-05-26 14:13:53 +10:00
renovate[bot] 6a226ec122
build(deps): update mariadb docker tag to v10.6.1 (#2028)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-05-26 08:28:16 +10:00
James Elliott c62dbd43d6
fix(handlers): align response status codes for the verify endpoint (#2016)
This aligns all response status codes on the /api/verify endpoint when an error occurs, making it impossible to determine the actual reason for the failure.
2021-05-21 14:03:44 +02:00
renovate[bot] 3ff50ae979
build(deps): update node.js to v16 (#2005) 2021-05-16 00:18:01 +10:00
James Elliott 46c8a25c15
fix(oidc): implement required subject types supported meta (#1996)
The well known openid-configuration should have the subject_types_supported meta values.
2021-05-11 11:00:29 +10:00
renovate[bot] f97c0df929
build(deps): update postgres docker tag to v13 (#1987) 2021-05-08 00:40:58 +10:00
James Elliott c0ac8bf5ad
fix: include the jwk key id in the jwt for validation (#1983)
This is so the sig key used to sign the JWT can be verified using the JWKS endpoint.

Fixes #1979
2021-05-07 11:59:39 +10:00
Amir Zarrinkafsh a31a17b222
fix(cmd): retry clean tag logic for dockerhub (#1976)
This change will ensure that if the curl command for the cleaning of Docker tags on DockerHub fails it will be reattempted up to 2 more times (total of 3) with a 10 second sleep between each attempt.

The clean tag logic itself within curl attempts to execute the http request upto 3 times so this will ensure a maximum of 9 attempts.
2021-05-05 17:09:31 +10:00
James Elliott ddea31193b
feature(oidc): add support for OpenID Connect
OpenID connect has become a standard when it comes to authentication and
in order to fix a security concern around forwarding authentication and authorization information
it has been decided to add support for it.

This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there
are several production critical features still missing such as all OIDC related data is stored in
configuration or memory. This means you are potentially going to experience issues with HA
deployments, or when restarting a single instance specifically related to OIDC.

We are still working on adding the remaining set of features before making it GA as soon as possible.

Related to #189

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-05 00:15:36 +02:00
renovate[bot] 77c3058368
build(deps): update mariadb docker tag to v10.6.0 (#1958)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-29 15:59:16 +10:00
renovate[bot] b952e9e71d
build(deps): update haproxy docker tag to v2.3.10 (#1942)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-24 10:43:48 +02:00
James Elliott 706fbfdb2c
fix(session): ensure default cookie samesite value is lax (#1926)
This implements a change to the default behaviour of the cookies generated by the sessions package. The old behaviour was to set the SameSite=None, this changes it to SameSite=Lax. Additionally this puts the option in the hands of the end-user so they can decide for themselves what the best option is.
2021-04-18 10:02:04 +10:00
James Elliott cc4f47f21c
fix: removed deprecated smtp/ldap options (#1912)
This removes the deprecated options from 4.25. This includes the LDAP filters which allow {0} or {1} placeholders. The new aliases are documented. Additionally it refactors the keys validator to use uniform messages for most replaced keys.
2021-04-16 11:44:37 +10:00
Amir Zarrinkafsh db55325152
fix(suites): ensure k8s suite utilises the registry cache (#1921) 2021-04-15 12:07:19 +10:00
renovate[bot] 4318bb1e0c
build(deps): update alpine docker tag to v3.13.5 (#1915)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-15 08:54:56 +10:00
James Elliott 1e30b00f7e
fix(validator): misleading warning for empty acl domains (#1898)
This fixes misleading errors for ACL rules with an empty list of domains. This also enables admins to have a default policy with zero ACL rules as long as the default policy is not deny or bypass. It also adds a rule number to all ACL rule related log messages which is the position in the YAML list plus 1. Lastly it adds comprehensive per rule HIT/MISS logging when Authelia trace logging is enabled. This trace logging includes the rule number.
2021-04-14 20:53:23 +10:00
James Elliott f0cb75e1e1
fix(handlers): logout redirection validation (#1908) 2021-04-13 10:38:12 +02:00
James Elliott 9e7b73bd56
refactor(authentication): add trace logs for the user/group baseDN (#1904)
This logs the baseDN for user and group searching on startup as well as the users filter (with just input remaining). Additionally refactors the location of a few log messages, and exposes the logger to the provider to reduce calls to logging.Logger().
2021-04-12 11:10:50 +10:00
James Elliott 08e674b62f
docs: refactor several areas of documentation (#1726)
Updated all links to use https://www.authelia.com/docs/.
Removed all comment sections from documented configuration on the documentation site and replaced them with their own sections.
Made all documentation inside config.template.yml double hashes, and made all commented configuration sections single quoted.
Added .yamllint.yaml to express our desired YAML styles.
Added a style guide.
Refactored many documentation areas to be 120 char widths where possible. It's by no means exhaustive but is a large start.
Added a statelessness guide for the pending Kubernetes chart introduction.
Added labels to configuration documentation and made many areas uniform.
2021-04-11 21:25:03 +10:00
James Elliott d33d6c2f00
ci: add yamllint (#1895)
This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-11 06:51:00 +10:00
renovate[bot] ad7808d430
build(deps): update traefik docker tag to v1.7.30 (#1897)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-09 09:32:21 +10:00
renovate[bot] 771a0f362e
build(deps): update alpine docker tag to v3.13.4 (#1877)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-01 12:47:51 +11:00
renovate[bot] 92da7a21de
build(deps): update haproxy docker tag to v2.3.9 (#1873)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-31 13:52:05 +11:00
Amir Zarrinkafsh aa03981024
fix(notification): don't remove file based notifier on start up (#1862)
Attempting to run Authelia with least privilege principle as the `nobody` user and a file based notifier will cause issues during start up as the user cannot remove the notification file.

Given that ioutil.WriteFile truncates the file before writing the removal should not be necessary.

Fixes #1846.
2021-03-31 13:27:31 +11:00
renovate[bot] dbb819dfa5
build(deps): update traefik docker tag to v1.7.29 (#1869)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-30 11:37:38 +11:00
renovate[bot] 5ab334dcdc
build(deps): update haproxy docker tag to v2.3.8 (#1858)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-28 02:06:58 +11:00
renovate[bot] e6929cdf3e
build(deps): update alpine docker tag to v3.13.3 (#1853)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-26 11:30:30 +11:00
renovate[bot] 6d4d1d5e2f
build(deps): update traefik docker tag to v2.4.8 (#1848)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-24 19:34:55 +01:00
James Elliott a44f0cf959
fix: redis sentinel secret missing (#1839)
* fix: redis sentinel secret missing

* refactor: use consts for authentication_backend.file.password errs

* fix: unit test for new default port

* test: cover additional misses

* test: fix windows/linux specific test error

* test: more windows specific tests

* test: remove superfluous url.IsAbs

* test: validator 100% coverage
2021-03-22 20:04:09 +11:00
renovate[bot] e7c9d55c23
build(deps): update haproxy docker tag to v2.3.7 (#1834)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-17 08:51:46 +11:00
James Elliott a0248cd096
test(suites): short mode skip suites testing (#1823)
This PR changes the suites tests so if go test -short is used, they are skipped per go standards and a message is displayed. Additionally removed some redundant types from suite_high_availability_test.go and adjusted a warning about a nil req var.
2021-03-14 18:08:26 +11:00
James Elliott e3e8df26f2
refactor(session): use github.com/fasthttp/session/v2 instead of github.com/authelia/session/v2 (#1809)
Reverts to the upstream library instead of our maintenance fork.
2021-03-13 16:06:19 +11:00
James Elliott 391c8671e9
fix(handlers): log user as '<anonymous>' instead of a blank string (#1808) 2021-03-13 15:52:07 +11:00
James Elliott 5a5efa5e02
fix(server): send 404 on missing api endpoints instead of 405 (#1806)
Returns a 404 instead of 405 on bad API endpoints. The original issue was resolved in 3487fd392e however this resolves another issue that's related. Additionally this ensures the behavior is tested.
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>

Fixes #1520
Closes #1534
2021-03-11 18:36:58 +11:00
James Elliott c310049faa
refactor(authentication): use crypto constant time compare (#1800)
* refactor(authentication): use crypto constant time compare

Improve security with usage of the crypto/subtle ConstantTimeCompare() method for hash comparison.

Fixes #1799

* docs: add explicit labels for chat types
2021-03-11 12:08:49 +11:00
James Elliott e041143f87
feat(session): add redis sentinel provider (#1768)
* feat(session): add redis sentinel provider

* refactor(session): use int for ports as per go standards

* refactor(configuration): adjust tests and validation

* refactor(configuration): add err format consts

* refactor(configuration): explicitly map redis structs

* refactor(session): merge redis/redis sentinel providers

* refactor(session): add additional checks to redis providers

* feat(session): add redis cluster provider

* fix: update config for new values

* fix: provide nil certpool to affected tests/mocks

* test: add additional tests to cover uncovered code

* docs: expand explanation of host and nodes relation for redis

* ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum

* fix(session): sentinel password

* test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config

* test: make entrypoint.sh executable, fix entrypoint.sh if/elif

* test: add redis failover tests

* test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging

* test: add sentinel integration test

* test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep

* feat: use sentinel failover cluster

* fix: renamed addrs to sentineladdrs upstream

* test(session): sentinel failover

* test: add redis standard back into testing

* test: move redis standalone test to traefik2

* fix/docs: apply suggestions from code review
2021-03-10 10:03:05 +11:00
renovate[bot] 073c558296
build(deps): update traefik docker tag to v2.4.7 (#1790)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-09 14:18:48 +11:00
James Elliott 4dce8f9496
perf(authorizer): preload access control lists (#1640)
* adjust session refresh to always occur (for disabled users)

* feat: adds filtering option for Request Method in ACL's

* simplify flow of internal/authorization/authorizer.go's methods

* implement query string checking

* utilize authorizer.Object fully

* make matchers uniform

* add tests

* add missing request methods

* add frontend enhancements to handle request method

* add request method to 1FA Handler Suite

* add internal ACL representations (preparsing)

* expand on access_control next

* add docs

* remove unnecessary slice for network names and instead just use a plain string

* add warning for ineffectual bypass policy (due to subjects)

* add user/group wildcard support

* fix(authorization): allow subject rules to match anonymous users

* feat(api): add new params

* docs(api): wording adjustments

* test: add request method into testing and proxy docs

* test: add several checks and refactor schema validation for ACL

* test: add integration test for methods acl

* refactor: apply suggestions from code review

* docs(authorization): update description
2021-03-05 15:18:31 +11:00
renovate[bot] 455b859047
build(deps): update haproxy docker tag to v2.3.6 (#1779)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-04 14:15:01 +11:00
Amir Zarrinkafsh 2a1f5e3f8d
fix(configuration): lower argon2id default memory requirements (#1762)
* fix(configuration): lower argon2id default memory requirements

The current default hashing value of 1024MB (1GB) is far too aggressive to cover all use cases.
Reducing this number and encouraging users to to read the documentation and tune will result in less issues and a better user experience.

* test: fix broken tests
2021-03-03 20:19:28 +11:00
renovate[bot] 92154a1193
build(deps): update traefik docker tag to v2.4.6 (#1774)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-02 15:07:51 +11:00
ThinkChaos ba65a3db82
feat(handlers): authorization header switch via query param to /api/verify (#1563)
* [FEATURE] Add auth query param to /api/verify (#1353)

When `/api/verify` is called with `?auth=basic`, use the standard
Authorization header instead of Proxy-Authorization.

* [FIX] Better basic auth error reporting

* [FIX] Return 401 when using basic auth instead of redirecting

* [TESTS] Add tests for auth=basic query param

* [DOCS] Mention auth=basic argument and provide nginx example

* docs: add/adjust basic auth query arg docs for proxies

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-02-24 10:35:04 +11:00
renovate[bot] 64b01b2811
build(deps): update mariadb docker tag to v10.5.9 (#1757)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-23 12:49:16 +11:00
renovate[bot] 17bf3f860b
build(deps): update osixia/openldap docker tag to v1.5.0 (#1749)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 22:08:23 +11:00
renovate[bot] 36d02f9cf5
build(deps): update traefik docker tag to v2.4.5 (#1742)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 16:21:43 +11:00
renovate[bot] 59b3c2cbd8
build(deps): update haproxy docker tag to v2.3.5 (#1737)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 15:06:10 +11:00
Amir Zarrinkafsh 74721a9f41
feat: go:embed static assets (#1733)
* feat: go:embed static assets

Go 1.16 introduced the ability to embed files within a generated binary directly with the go tool chain. This simplifies our dependencies and the significantly improves the development workflow for future developers.

Key points to note:

Due to the inability to embed files that do not reside within the local package we need to duplicate our `config.template.yml` within `internal/configuration`.

To avoid issues with the development workflow empty mock files have been included within `internal/server/public_html`. These are substituted with the respective generated files during the CI/CD and build workflows.

* fix(suites): increase ldap suite test timeout

* fix(server): fix swagger asset CSP
2021-02-22 10:07:06 +11:00
renovate[bot] 79b2b742a8
build(deps): update alpine docker tag to v3.13.2 (#1728)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-18 10:49:39 +11:00
Amir Zarrinkafsh 683c4a70bf
fix(web): improve 2fa enrollment process (#1706)
* refactor(web): improve 2fa enrollment process

This PR will change some of the wording and colours for the 2FA processes in order to provide more clarity and address some accessibility issues for end users.

The following is a summary of the changes:

* One-Time Password ⭢ Time-based One-Time Password
* Security Key ⭢ Security Key - U2F

![Screenshot_2021-02-02-09-36-17](https://user-images.githubusercontent.com/3339418/107138185-17656100-6967-11eb-8fac-9e75c7a82d09.png)


* QRCode ⭢ QR Code

![Screenshot_2021-02-07-05-07-25](https://user-images.githubusercontent.com/3339418/107138196-29df9a80-6967-11eb-811f-d77c9bb0159e.png)

* `Not registered yet?` text to display `Lost device?` if a user has already registered a device of said type

![Screenshot_2021-02-02-10-24-54](https://user-images.githubusercontent.com/3339418/107138205-395ee380-6967-11eb-8826-83e1438dd146.png)

* Change button and text colour in e-mails that Authelia generates
* Change Authelia email footer to be more security conscious

![Screenshot_2021-02-07-04-51-40](https://user-images.githubusercontent.com/3339418/107138211-4085f180-6967-11eb-890b-9d931bd1ce76.png)

The docs have also been updated to clarify the 2fa device enrollment limitation which only allows users to register one of each device type concurrently.

Closes #1560.
2021-02-12 16:59:42 +11:00
renovate[bot] 23f8a059fe
build(deps): update traefik docker tag to v2.4.2 (#1685)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-03 09:42:29 +11:00
James Elliott 60ff16b518
fix(handlers): refresh user details on all domains (#1642)
* fix(handlers): refresh user details on all domains 

* previously sessions only got checked for updated details if the domain had group subjects attached
* this meant disabled or deleted accounts did not get detected until the session expired or the user visited a domain protected by a group subject
* this patch fixes this issue and simplifies some logic surrounding the check

* add tests

simplify IsStringSlicesDifferent so it only iterates once

* add another test for IsStringSlicesDifferent
2021-02-02 12:01:46 +11:00
renovate[bot] 3d6a9dfca4
build(deps): update traefik docker tag to v2.4.1 (#1681)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-02 10:35:49 +11:00
Amir Zarrinkafsh d17c7e7fc0
refactor(suites): simplify kubernetes suite (#1680)
This PR achieves the following goals:
* Utilise upstream version of kind instead of a patched version which allows binding to networks other than the default "kind"
* Utilises the registry cache which is setup one level above the kind cluster

The former point was required to successfully run our integration tests in a Kubernetes environment, however this is now possible without running a patched version of kind.

The second point is because DockerHub has introduced rate limiting for container downloads. If there are a large number of CI jobs nodes may occasionally be rejected due to the Kubernetes suite not pulling down from the registry cache.
2021-02-02 09:53:44 +11:00
renovate[bot] 006f1eb43b
build(deps): update mariadb docker tag to v10.5.8 (#1660)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 12:22:12 +11:00
renovate[bot] 985aaaa76b
build(deps): update alpine docker tag to v3.13.1 (#1659)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 12:06:09 +11:00
renovate[bot] ea913d2992
build(deps): update traefik docker tag to v1.7.28 (#1657)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 11:32:49 +11:00
renovate[bot] ed5e9264f8
build(deps): update mariadb docker tag to v10.4.17 (#1652) 2021-01-31 09:28:43 +11:00
renovate[bot] d4d781ae52
build(deps): update alpine docker tag to v3.13.1 (#1649)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 01:04:46 +11:00