Commit Graph

173 Commits (3d66879da5869f133ad65166bcbb25a293723e4d)

Author SHA1 Message Date
Amir Zarrinkafsh 296efe2b32
[MISC] Add missing CLI suite test (#1607)
* [MISC] Add missing CLI suite test

* Add missing test for `authelia version` command in CLI suite.
* Standardise logger calls and swap CSP switch order
2021-01-17 10:23:35 +11:00
Amir Zarrinkafsh 8bab8d47ef
[MISC] Add CLI suite (#1597)
This change adds a new integration testing suite "CLI".

The intent of this suite is to test, validate and capture coverage for Authelia's commands via the CLI.
2021-01-16 21:25:02 +11:00
Amir Zarrinkafsh 81e34d84de
[MISC] Validate all sections of ACLs on startup (#1595)
* [MISC] Validate all sections of ACLs on startup

This change ensure that all sections of the `access_control` key are validated on startup.

* Change error format to clearly identify values
2021-01-16 21:05:41 +11:00
dependabot-preview[bot] 8fa76499cb
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1601)
Bumps haproxy from 2.3.3-alpine to 2.3.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-15 10:45:36 +11:00
dependabot-preview[bot] 6aa0e5fa7d
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1591)
Bumps haproxy from 2.3.2-alpine to 2.3.3-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-11 10:01:26 +11:00
Amir Zarrinkafsh 9ca0e940da
[FEATURE] Validate ACLs and add network groups (#1568)
* adds validation to ACL's
* adds a new networks section that can be used as aliases in other sections (currently access_control)
2021-01-04 21:55:23 +11:00
James Elliott 29a900226d
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557)
* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia
* this is in ADDITION to system certs and are trusted by both LDAP and SMTP
* added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS
* remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use
* use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section
* added temporary translations from the old names to the new ones for all deprecated options
* added docs
* updated example configuration
* final deprecations to be done in 4.28.0
* doc updates
* fix misc linting issues
* uniform deprecation notices for ease of final removal
* added additional tests covering previously uncovered areas and the new configuration options
* add non-fatal to certificate loading when system certs could not be loaded
* adjust timeout of Suite ShortTimeouts
* add warnings pusher for the StructValidator
* make the schema suites uninform
* utilize the warnings in the StructValidator
* fix test suite usage for skip_verify
* extract LDAP filter parsing into it's own function to make it possible to test
* test LDAP filter parsing
* update ErrorContainer interface
* add tests to the StructValidator
* add NewTLSConfig test
* move baseDN for users/groups into parsed values
* add tests to cover many of the outstanding areas in LDAP
* add explicit deferred LDAP conn close to UpdatePassword
* add some basic testing to SMTP notifier
* suggestions from code review
2021-01-04 21:28:55 +11:00
Amir Zarrinkafsh b12528a65c
[FEATURE] Display TOTP secret on device registration (#1551)
* This change provides the TOTP secret which allows users to copy and utilise for password managers and other applications.
* Hide TextField if secret isn't present
* This ensure that the TextField is removed on a page or if there is no secret present.
* Add multiple buttons and set default value to OTP URL
* Remove inline icon and add icons under text field which allow copying of the secret key and the whole OTP URL.
* Fix integration tests
* Add notifications on click for secret buttons
* Also remove autoFocus on TextField so a user can identify that the full OTP URL is in focus.
2020-12-29 13:30:00 +11:00
dependabot-preview[bot] ee3ce69f9f
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1548)
Bumps alpine from 3.12.2 to 3.12.3.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-19 14:11:31 +11:00
Amir Zarrinkafsh b989c1b169
[MISC] Refactor and address most errcheck linter ignores (#1511)
* [MISC] Refactor and address most errcheck linter ignores

This is mostly a quality of life change.
When we first implemented the errcheck linter we ignored a number of items in our legacy codebase with intent to revisit down the track.

* Handle errors for regulation marks and remove unnecessary logging
2020-12-16 12:47:31 +11:00
Amir Zarrinkafsh 7c6a86882f
[MISC] Catch OpenLDAP ppolicy error (#1508)
* [MISC] Catch OpenLDAP ppolicy error

Further to the discussion over at #361, this change now ensures that OpenLDAP password complexity errors are caught and appropriately handled.

This change also includes the PasswordComplexity test suite in the LDAP integration suite. This is because a ppolicy has been setup and enforced.

* Remove password history for integration tests

* Adjust max failures due to regulation trigger

* Fix error handling for password resets

* Refactor and include code suggestions
2020-12-16 12:30:03 +11:00
dependabot-preview[bot] c14af472dd
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1531)
Bumps alpine from 3.12.1 to 3.12.2.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-12-14 09:12:55 +11:00
dependabot-preview[bot] d7fea74177
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1512)
Bumps golang from 1.15.5-alpine to 1.15.6-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-07 12:47:48 +11:00
James Elliott 426f5260ad
[FEATURE] LDAP StartTLS (#1500)
* add start_tls config option
* add StartTLS method to the LDAP conn factory and the mock
* implemented use of the StartTLS method when the config is set to true
* add mock unit tests
* add docs
* add TLS min version support
* add tests to tls version method
* fix lint issues
* minor adjustments
* remove SSL3.0
* add tls consts
* deprecate old filter placeholders
* remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993
* make suite ActiveDirectory use StartTLS
* misc adjustments to docs
* suggested changes from code review
* deprecation notice conformity
* add mock test for LDAPS plus StartTLS
2020-12-03 16:23:52 +11:00
dependabot-preview[bot] c9837568b5
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1501)
Bumps haproxy from 2.3.1-alpine to 2.3.2-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-03 09:54:21 +11:00
Amir Zarrinkafsh b786b2e1f5
[MISC] Refactor webdriver port initialization (#1491)
This change aims to factorize code introduced in #1467 for webdriver port customisation within the suites.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-28 11:06:42 +11:00
Amir Zarrinkafsh aa64d0c4e5
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460)
* Added `ActiveDirectory` suite for integration tests with Samba AD
* Updated documentation
* Minor styling refactor to suites
* Clean up LDAP user provisioning
* Fix Authelia home splash to reference correct link for webmail
* Add notification message for password complexity errors
* Add password complexity integration test
* Rename implementation default from rfc to custom
* add specific defaults for LDAP (activedirectory implementation)
* add docs to show the new defaults
* add docs explaining the importance of users filter
* add tests
* update instances of LDAP implementation names to use the new consts where applicable
* made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead
* update config examples due to the new defaults
* apply changes from code review
* replace schema default name from MSAD to ActiveDirectory for consistency
* fix missing default for username_attribute
* replace test raising on empty username attribute with not raising on empty

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-27 20:59:22 +11:00
Timo 495e57b46c
[DOCS] Make HAProxy regex case insensitive (#1478) 2020-11-24 12:35:38 +11:00
Amir Zarrinkafsh 6db5455762
[CI] Collect coverage from frontend during integration tests (#1472)
This change will allow us to collect frontend code coverage from our Selenium based integration tests.

Given that the frontend is embedded into the Go binary and the integration tests run with a compiled binary in Docker this poses some issues with the instrumented code and the ability for it to run in this manner. To fix this we need to relax Authelia's CSP for the integration tests. This is achieved by setting the env variable `ENVIRONMENT` to `dev`.
2020-11-19 12:50:34 +11:00
Amir Zarrinkafsh 8e32a4b65f
[CI] Add ability to customise the chromedriver port (#1467)
The development workflow expects chromedriver to be run on the host on port 4444.
There is currently no mechanism to modify this behaviour at runtime, so if another service is running on 4444 tests will just fail silently.

This change introduces the `CHROMEDRIVER_PORT` environment variable which can be utilised to set a custom port.
2020-11-16 21:59:24 +11:00
dependabot-preview[bot] f42b1ea229
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1463)
Bumps haproxy from 2.3.0-alpine to 2.3.1-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-11-16 11:49:52 +11:00
dependabot-preview[bot] 6e5b930f64
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1464)
Bumps golang from 1.15.4-alpine to 1.15.5-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-11-16 11:07:44 +11:00
Amir Zarrinkafsh f392f51df6
[MISC] Append log file instead of overwriting (#1450)
* [MISC] Append log file instead of overwriting

If Authelia is restarted when a `log_file_path` is defined upon restart the log file is overwritten as opposed to appending the existing file.

This change ensures that the log file will be appended to, users will need to ensure that they rotate/truncate this over time especially if running in `debug` or `trace`.

* Amend documentation for log_file_path
2020-11-13 10:14:45 +11:00
dependabot-preview[bot] a5f07d7ade
[MISC] (deps): Bump haproxy from 2.2.4-alpine to 2.3.0-alpine in /internal/suites/example/compose/haproxy (#1431)
* [MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy

Bumps haproxy from 2.2.4-alpine to 2.3.0-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Fix HAProxy suite

Looks like the new version of HAProxy has config validation which expects a newline at the bottom of `haproxy.cfg`.
CI was failing with the following error:
[NOTICE] 313/021816 (1) : haproxy version is 2.3.0-1c0a722
[ALERT] 313/021816 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:80]: Missing LF on last line, file might have been truncated at position 42.
[ALERT] 313/021816 (1) : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
[ALERT] 313/021816 (1) : Fatal errors found in configuration.

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-11-09 13:35:18 +11:00
dependabot-preview[bot] ee0b37c796
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1432)
Bumps golang from 1.15.3-alpine to 1.15.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-11-09 09:04:06 +11:00
Amir Zarrinkafsh a83ccd7188
[FEATURE] Add Remote-Name and Remote-Email headers (#1402) 2020-10-26 22:38:08 +11:00
dependabot-preview[bot] 662da9523b
[MISC] (deps): Bump node in /internal/suites/example/compose/duo-api (#1407)
Bumps node from 14-alpine to 15-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-26 11:11:37 +11:00
dependabot-preview[bot] 4f50818667
[MISC] (deps): Bump node in /internal/suites/example/compose/authelia (#1406)
Bumps node from 14-alpine to 15-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-26 09:39:06 +11:00
dependabot-preview[bot] 19ba79cfa1
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1400)
Bumps alpine from 3.12.0 to 3.12.1.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-23 17:59:48 +11:00
dependabot-preview[bot] 607e6711f5
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1377)
Bumps golang from 1.15.2-alpine to 1.15.3-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-16 14:02:33 +11:00
dependabot-preview[bot] 4a9ed76f32
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1359)
Bumps haproxy from 2.2.3-alpine to 2.2.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-08 10:46:43 +11:00
Amir Zarrinkafsh 607f829431
[DOCS] Clean HAProxy examples (#1338)
Remove headers that are not required and fix a typo.
2020-09-23 17:29:46 +10:00
Amir Zarrinkafsh 5b98b4d090
[BUGFIX] Fix HAProxy redirects (#1333)
Including updates to docs examples.
2020-09-23 09:06:26 +10:00
dependabot-preview[bot] 1c08670b06
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1313)
Bumps golang from 1.15.1-alpine to 1.15.2-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-11 12:28:40 +10:00
dependabot-preview[bot] 01760d167f
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1312)
Bumps haproxy from 2.2.2-alpine to 2.2.3-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-10 11:21:20 +10:00
Amir Zarrinkafsh 771c220d38
[FEATURE] Support updated haproxy-auth-request (#1310)
* [FEATURE] Support updated haproxy-auth-request
This version removes the dependency of lua-socket which seemed to result in many unsupported and broken BSD/Pfsense deployments.

* Fix docs indentation

* Add haproxy-lua-http to TLS enabled configuration
2020-09-10 10:52:57 +10:00
dependabot-preview[bot] f8eada87ec
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1301)
Bumps golang from 1.15.0-alpine to 1.15.1-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-04 10:34:48 +10:00
dependabot-preview[bot] e0a0d1e252
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1267)
Bumps golang from 1.14.6-alpine to 1.15.0-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-08-13 11:50:54 +10:00
dependabot-preview[bot] ed17c8fbc4
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1250)
Bumps haproxy from 2.2.1-alpine to 2.2.2-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-08-04 08:02:35 +10:00
dependabot-preview[bot] f6a616ae3d
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1235)
Bumps haproxy from 2.2.0-alpine to 2.2.1-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-07-28 11:18:16 +10:00
dependabot-preview[bot] 14f17ed9ac
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1214)
Bumps golang from 1.14.5-alpine to 1.14.6-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-07-20 12:42:13 +10:00
James Elliott ea1fae6491
[MISC] Storage Schema Versioning Model (#1057)
* [MISC] Storage Schema Versioning Model 

* fixup go.sum
* remove pq
* fix int to text issue
* fix incorrect SQL text
* use key_name vs key
* use transactions for all queries during upgrades
* fix missing parenthesis
* move upgrades to their own file
* add provider name for future usage in upgrades
* fix missing create config table values
* fix using the const instead of the provider SQL
* import logging once and reuse
* update docs
* remove db at suite teardown
* apply suggestions from code review
* fix mysql
* make errors more uniform
* style changes
* remove commented code sections
* remove commented code sections
* add schema version type
* add sql mock unit tests
* go mod tidy
* test blank row situations
2020-07-16 15:56:08 +10:00
dependabot-preview[bot] 045771161e
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1201)
Bumps golang from 1.14.4-alpine to 1.14.5-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-07-16 11:56:11 +10:00
dependabot-preview[bot] fea58c52e0
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1190)
Bumps haproxy from 2.1-alpine to 2.2.0-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-07-13 14:21:45 +10:00
Amir Zarrinkafsh 29e54c231b
[MISC] Template global config and refactor some /api endpoints (#1135)
* [MISC] Template global config and refactor some /api endpoints
* /api/configuration has been removed in favour of templating said global config
* /api/configuration/extended has been renamed to /api/configuration and display_name has been removed
* /api/user/info has been modified to include display_name

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-06-21 15:40:37 +02:00
vdot0x23 61883437cc
[DEV] Set chromedriver path with env variable (#1123) 2020-06-19 21:25:41 +10:00
Amir Zarrinkafsh e43bc93047
[FEATURE] Add configurable display name to frontend (#1124)
* [FEATURE] Add configurable display name to frontend
This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting.
Similarly for the file based backend a new required key "name" has been introduced.

This can also be used down the line with OIDC as a separate scope.

* Update references from Name to DisplayName
* Update compose bundles to include displayname refs
* Update LDAP automatic profile refresh
* Ensure display name is updated
* Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 20:50:21 +10:00
vdot0x23 6ccc92e47e
do not hardcode /bin/bash (#1122)
Co-authored-by: Victor Büttner <victor@0x23.dk>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-06-18 09:49:13 +02:00
Amir Zarrinkafsh ff7f9a50ab
[FEATURE] Docker simplification and configuration generation (#1113)
* [FEATURE] Docker simplification and configuration generation
The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template.

This will allow more seamless bootstrapping of an environment no matter the deployment method.

We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment.

Users with the old volume mappings have two options:
1. Change their mappings to conform to `/config`
2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping

* Adjust paths relative to `/etc/authelia` and simplify to single volume for compose
* Add generation for file backend based user database
* Refactor Docker volumes and paths to /config
* Refactor Docker WORKDIR to /app
* Fix integration tests
* Update BREAKING.md for v4.20.0
* Run go mod tidy
* Fix log_file_path in miscellaneous.md docs
* Generate config and userdb with 0600 permissions
* Fix log_file_path in config.template.yml
2020-06-17 16:25:35 +10:00
Amir Zarrinkafsh d123fe4785
[CI] Add Codecov support (#1065)
* [CI] Add Codecov support

* [CI] Capture backend coverage from integration tests

* [CI] Remove unnecessary artifacts for coverage build

* [CI] Only run coverage elements where necessary

* [CI] Simplify post-command hook

* Fix yarn dependencies and collect coverage

* [CI] Include cmd/authelia/ path in coverage

* [CI] Exclude internal/suites/ in coverage

Closes #1061.
2020-06-05 10:43:19 +10:00
dependabot-preview[bot] 4f5eb93c4b
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1077)
Bumps golang from 1.14.3-alpine to 1.14.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-06-02 23:28:09 +02:00
Clément Michaud eec6424bc9
[DEV] Debug authelia when running a suite. (#1060)
* [DEV] Debug authelia when running a suite.

This runs dlv debugger within authelia backend container so that an IDE can remote
debug the application using port 2345.

* Apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-06-01 16:50:55 +10:00
dependabot-preview[bot] 1aac6f75cc
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1068)
Bumps alpine from 3.11.6 to 3.12.0.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-06-01 10:42:07 +10:00
Amir Zarrinkafsh b27c1fbae9
[CI] Add PathPrefix integration test suite (#1052)
Add a suite for testing the PathPrefix feature implemented earlier to serve authelia under a multi-purpose domain.

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-27 13:55:44 +02:00
Clément Michaud a0e4f8e336
[MISC] Remove executable permission of nginx backend files. (#1040)
* [MISC] Remove executable permission of nginx backend files.

* Set permissions to 644 on k8s tar'd files

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-25 10:54:21 +10:00
Clément Michaud b264e63235
[DEV] Fix permission issue with dev workflow. (#1033)
* [DEV] Fix permission issue with dev workflow.

nginx backend was facing permission denied errors because the permissions of the html
files were too restricted. Moreover those files were added to the docker image while they
could just be mounted as other services.

* Fix Kubernetes integration test

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-21 14:35:22 +10:00
James Elliott 469daedd36
[FEATURE] Delay 1FA Authentication (#993)
* adaptively delay 1FA by the actual execution time of authentication
* should grow and shrink over time as successful attempts are made
* uses the average of the last 10 successful attempts to calculate
* starts at an average of 1000ms
* minimum is 250ms
* a random delay is added to the largest of avg or minimum
* the random delay is between 0ms and 85ms
* bump LDAP suite to 80s timeout
* bump regulation scenario to 45s
* add mutex locking
* amend logging
* add docs
* add tests

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-21 00:03:15 +02:00
dependabot-preview[bot] 29673195b6
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1024)
Bumps golang from 1.14.2-alpine to 1.14.3-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-05-17 22:17:10 +02:00
James Elliott 9e7947a193
[DEPRECATE] Environment Variable Secrets (#905)
* remove ENV usages
* fix reader unit tests
* fix standalone suite
* fix k8s suite
* apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-08 11:01:57 +10:00
Clément Michaud af5754bcab
[MISC] Add coverage for Remote-User and Remote-Groups (#982)
* Fix dev workflow.

* Fix dev workflow.

* Cover Remote-User and Remote-Groups using Traefik.

* Cover Remote-User and Remote-Groups using HAProxy.

* Fix redirection after unauthorized response when using HAProxy.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-06 11:50:37 +10:00
Amir Zarrinkafsh 1600e0f7da
[CI] Add wsl linter (#980)
* [CI] Add wsl linter

* Implement wsl recommendations

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 21:35:32 +02:00
James Elliott c13196a86e
[CI] Enable gosec linter (#979)
* fix tee append
* convert DB table names from var to const
* fixed file modes
* ignored gosec where relevant and safe
2020-05-05 17:57:30 +10:00
Amir Zarrinkafsh be0cc72473
[CI] Add goconst linter (#961)
* [CI] Add goconst linter

* Implement goconst recommendations

* Rename defaultPolicy to denyPolicy

* Change order for test constants

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-02 18:20:40 +02:00
Amir Zarrinkafsh e67f63ee44
[CI] Add godot linter (#958)
* [CI] Add godot linter

* Implement godot recommendations
2020-05-02 15:06:39 +10:00
Amir Zarrinkafsh f8bd506326
[FEATURE] Embed static assets in Go binary (#916)
* [FEATURE] Embed static assets in Go binary

* Refactor/consolidate code and specify public_html via configuration

* Update docs and config template for assets

* Update AUR package pre-requisites and systemd unit

* Include static assets as Buildkite and GitHub artifacts

* Remove references to PUBLIC_DIR

* Only serve assets via embedded filesystem and remove configuration references

* Update authelia-scripts helper to build the embedded filesystem

* Mock the embedded filesystem for unit tests
Add to gitignore to ensure this isn't overwritten.

* Move go:generate to satisfy linter
2020-04-29 00:07:20 +10:00
dependabot-preview[bot] ab8db21214
[MISC] (deps): Bump node in /internal/suites/example/compose/authelia (#930)
Bumps node from 12-alpine to 14-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-04-27 13:13:03 +10:00
dependabot-preview[bot] 6c0e9f84b0
[MISC] (deps): Bump node in /internal/suites/example/compose/duo-api (#929)
Bumps node from 12-alpine to 14-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-04-27 12:53:16 +10:00
Clément Michaud 29325ab273
Fix CSP not propagated in default handler. (#915)
Also:
- not hide the CSP header in the dist version of suites.
- Fix CSP errors due to FontAwesome loading stylesheets dynamically.
2020-04-26 00:12:55 +02:00
Daniel Sutton ca4a890fb2
[MISC] Update to alpine 3.11.6 (#917)
* update to alpine 3.11.6

Signed-off-by: Daniel Sutton <daniel@ducksecops.uk>
2020-04-25 22:56:32 +02:00
Amir Zarrinkafsh 54694c4fca
[MISC] Ignore errcheck recommendations for legacy code (#893)
* [MISC] Ignore errcheck recommendations for legacy code
Some of this is likely intended to stay how it is, some could use refactoring, for now we will mark is and ignore it from the linter to be potentially addressed in the future.

* [MISC] Ensure files are gofmt-ed
2020-04-22 13:33:14 +10:00
James Elliott 9e9dee43ac
[FEATURE] Notifier Startup Checks (#889)
* implement SMTP notifier startup check
* check dial, starttls, auth, mail from, rcpt to, reset, and quit
* log the error on failure
* implement mock
* misc optimizations, adjustments, and refactoring
* implement validate_skip config option
* fix comments to end with period
* fix suites that used smtp notifier without a smtp container
* add docs
* add file notifier startup check
* move file mode into const.go
* disable gosec linting on insecureskipverify since it's intended, warned, and discouraged
* minor PR commentary adjustment
* apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-21 14:59:38 +10:00
Clément Michaud b12d9d405f
[FEATURE] Add Content-Security-Policy meta to login portal. (#822)
CSP is used to avoid some attacks where the hacker tries to execute
untrusted code in the browser.

The policy is to use assets hosted on the the original website and in order to make CSP work with material UI, a nonce is generated at each request of index.html and injected in the template as well as provided in the Content-Security-Policy header (https://material-ui.com/styles/advanced/#how-does-one-implement-csp)

Fix #815
2020-04-21 10:23:28 +10:00
Clément Michaud 730e88df9d
[FEATURE] Make Authelia serve over TLS in all suites (#864)
* [BUGFIX] Fix dev workflow by using TLS for all suites.

* Fix traefik 1.x and 2.x suites.

* Display authelia logs on suite failure.

* Fix HAProxy suite.

* Extend timeout of test case.

* Display current URL in verify assertion.

* fix doLoginTwoFactor by adding a timeout

* when doLoginTwoFactor is used with blank target and a protected domain is quickly visited authelia sometimes redirects back to the portal
* fix by adding one second timeout
* bump go version to 1.14.2

* Fix Kube suite and bump dashboard.

* Update dist authelia-frontend to proxy_pass with variable

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Remove debug logs since it's polluting logs.

Also set timeout back to 5 seconds in HA suite.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-14 09:57:28 +10:00
Amir Zarrinkafsh 94fb28c6c0
[MISC] Update Go to 1.14.2 (#863) 2020-04-13 20:14:49 +10:00
Amir Zarrinkafsh 254e5ed239
[MISC] Fix authelia-{backend,frontend} dev server logging and startup (#862)
#767 added an interactive tty to the authelia-frontend server due toe a bump in react-scripts, this in turn consumes all logging and pages on a failure and made it difficult to interact with within the dev workflow.
The tty has been replaced with an open stdin as this also satisfies the react-scripts requirement.

This change also ignores the web directory in the reflex script to avoid errors and long start-ups in the authelia-frontend container.
2020-04-13 15:00:44 +10:00
Amir Zarrinkafsh 0189688588
[MISC] Allow HEAD method on /api/verify (#850)
This is to natively support the upstream HAProxy module haproxy-auth-request without patching.
2020-04-11 12:14:26 +10:00
Amir Zarrinkafsh 76e8142032
[DOCS] Add Remote-User and Remote-Groups headers to Traefik docs and examples (#849) 2020-04-11 11:49:54 +10:00
Amir Zarrinkafsh de2c5836fd
[Buildkite] Introduce CI linting with golangci-lint and reviewdog (#832)
* [Buildkite] Introduce CI linting with golangci-lint and reviewdog

* Initial pass of golangci-lint

* Add gosimple (megacheck) recommendations

* Add golint recommendations

* [BUGFIX] Migrate authentication traces from v3 mongodb

* Add deadcode recommendations

* [BUGFIX] Fix ShortTimeouts suite when run in dev workflow

* Add unused recommendations

* Add unparam recommendations

* Disable linting on unfixable errors instead of skipping files

* Adjust nolint notation for unparam

* Fix ineffectual assignment to err raised by linter.

* Export environment variable in agent hook

* Add ineffassign recommendations

* Add staticcheck recommendations

* Add gocyclo recommendations

* Adjust ineffassign recommendations

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-04-09 11:05:17 +10:00
Amir Zarrinkafsh b692aa73d3
[MISC] Fix dev workflow for Standalone suite (#811)
Since the TLS change was implemented, the Standalone suite attempts to reach authelia-frontend:3001. This only works for the dist/CI based workflow as nginx is run in place of node and the respective ports are exposed.
This change will attempt authelia-frontend:3001 initially for the Standalone suite but given the server is unreachable in the dev workflow, it will mark authelia-frontend:3001 as unavailable for 180s and route all requests to authelia-frontend:3000 instead.
2020-04-06 10:15:05 +10:00
James Elliott 8aade7f40e
[MISC] Update durations to notation format and housekeeping (#824)
* added regulation validator
* made regulations find_time and ban_time values duration notation strings
* added DefaultRegulationConfiguration for the validator
* made session expiration and inactivity values duration notation strings
* TOTP period does not need to be converted because adjustment should be discouraged
* moved TOTP defaults to DefaultTOTPConfiguration and removed the consts
* arranged the root config validator in configuration file order
* adjusted tests for the changes
* moved duration notation docs to root of configuration
* added references to duration notation where applicable
* project wide gofmt and goimports:
* run gofmt
* run goimports -local github.com/authelia/authelia -w on all files
* Make jwt_secret error uniform and add tests
* now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 22:37:21 +10:00
James Elliott 626f5d2949
[FEATURE] Remember Me Configuration (#813)
* [FEATURE] Remember Me Configuration
* allow users to specify the duration of remember me using remember_me_duration in session config
* setting the duration to 0 disables remember me
* only render the remember me element if remember me is enabled
* prevent malicious users from faking remember me functionality in the backend
* add string to duration helper called ParseDurationString to parse a string into a duration
* added tests to the helper function
* use the SessionProvider to store the time.Duration instead of parsing it over and over again
* add sec doc, adjust month/min, consistency
* renamed internal/utils/constants.go to internal/utils/const.go to be consistent
* added security measure docs
* adjusted default remember me duration to be 1 month instead of 1 year
* utilize default remember me duration in the autheliaCtx mock
* adjust order of keys in session configuration examples
* add notes on session security measures secret only being redis 
* add TODO items for duration notation for both Expiration and Inactivity (will be removed soon)
* fix error text for Inactivity in the validator 
* add session validator tests
* deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY)
* remove unnecessary regex for the simplified ParseDurationString utility
* ParseDurationString only accepts decimals without leading zeros now
* comprehensively test all unit types
* remove unnecessary type unions in web
* add test to check sanity of time duration consts, this is just so they can't be accidentally changed
* simplify deref check and assignment
* fix reset password padding/margins
* adjust some doc wording
* adjust the handler configuration suite test
* actually run the handler configuration suite test (whoops)
* reduce the number of regex's used by ParseDurationString to 1, thanks to Clement
* adjust some error wording
2020-04-04 10:11:33 +11:00
Amir Zarrinkafsh d82b46a3ec
[FEATURE] Autofocus on authentication and OTP pages (#806)
* [FEATURE] Autofocus on authentication and OTP pages
This change sets the input focus on the first factor authentication and OTP pages.

The behaviour for the first factor authentication page has also been amended slightly, if an incorrect username or password is provided the password field will be cleared and set as the focus.

One thing to note is that the OTP page does not focus on any re-rendering and this is because the component doesn't handle focusing. This means that the OTP input only is auto-focused when you first visit it, if you enter an incorrect OTP there will be no focus.

Ideally we should be looking for a different library or writing a component for this ourselves in future.

Closes #511.

* Add TODO markers for potential refactor
2020-04-01 10:27:54 +11:00
Clément Michaud 7a3e782dc0
[FEATURE][BREAKING] Allow users to sign in with email. (#792)
* [FEATURE][BREAKING] Allow users to sign in with email.

The users_filter purpose evolved with the introduction of username_attribute
but is reverted here to allow the most flexibility. users_filter is now the
actual filter used for searching the user and not a sub-filter based on the
username_attribute anymore.

* {input} placeholder has been introduced to later deprecate {0} which has been
kept for backward compatibility.
* {username_attribute} and {mail_attribute} are new placeholders used to back
reference other configuration options.

Fix #735

* [MISC] Introduce new placeholders for groups_filter too.

* [MISC] Update BREAKING.md to mention the change regarding users_filter.

* [MISC] Fix unit and integration tests.

* Log an error message in console when U2F is not supported.

* Apply suggestions from code review

* Update BREAKING.md

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-31 09:36:04 +11:00
Clément Michaud c3a2e70d57
[MISC] Automatically redirect from http to https in suites. (#769) 2020-03-22 17:04:51 +11:00
Clément Michaud 060b4a19f6
[MISC] Fix authelia-frontend dev server startup. (#767)
The latest react-scripts bumps broke the startup of the authelia-frontend
container because the new version of react-scripts behaves differently when
the container is spawned with a pseudo-tty and when there is not.
2020-03-22 13:10:24 +11:00
Amir Zarrinkafsh eeabb96dd0
[BUGFIX] LDAP group retrieval of users with parenthesis in their name (#713)
This aligns the search filter escaping to [RFC4515](https://tools.ietf.org/search/rfc4515).
`base.ldif` has also been updated to be a closer match to RFC 2307.
2020-03-16 19:55:03 +11:00
Clément Michaud cc6650dbcd
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687)
* [BUGFIX] Set username retrieved from authentication backend in session.

In some setups, binding is case insensitive but Authelia is case
sensitive and therefore need the actual username as stored in the
authentication backend in order for Authelia to work correctly.

Fixes #561.

* Use uid attribute as unique user identifier in suites.

* Fix the integration tests.

* Update config.template.yml

* Compute user filter based on username attribute and users_filter.

The filter provided in users_filter is now combined with a filter
based on the username attribute to perform the LDAP search query
finding a user object from the username.

* Fix LDAP based integration tests.

* Update `users_filter` reference examples
2020-03-15 18:10:25 +11:00
Amir Zarrinkafsh 7d7ad9bd28
[MISC] Adjust TLS log messages (#701)
* [MISC] Adjust TLS log messages

* [MISC] Fix integration tests
2020-03-10 18:14:28 +11:00
Clément Michaud c429488738
[FEATURE] [BREAKING] Support writing logs in a file. (#686)
* [FEATURE] Support writing logs in a file.

* Add documentation about logs file path.

* Rename logs_level and logs_file_path into log_level and log_file_path.

* Update BREAKING.md

Fixes #338

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-09 20:57:53 +01:00
Amir Zarrinkafsh cc25b565c7
[MISC] Update Golang and QEMU to v1.14.0 and v4.2.0-6 respectively (#685)
* [MISC] Update Golang and QEMU to v1.14.0 and v4.2.0-6 respectively

* Argon2id memory in MB for Config Template

* Doc Fix

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-03-06 19:40:56 +11:00
Amir Zarrinkafsh 72a3f1e0d7
[BUGFIX] Skip 2FA step if no ACL rule is two_factor (#684)
When no rule is set to two_factor in ACL configuration, 2FA is
considered disabled. Therefore, when a user cannot be redirected
correctly because no target URL is provided or the URL is unsafe,
the user is either redirected to the default URL or to the
'already authenticated' view instead of the second factor view.

Fixes #683
2020-03-06 11:31:09 +11:00
Amir Zarrinkafsh 0dea0fc82e
[FEATURE] Support MySQL as a storage backend. (#678)
* [FEATURE] Support MySQL as a storage backend.

Fixes #512.

* Fix integration tests and include MySQL in docs.
2020-03-05 10:25:52 +11:00
Clément Michaud faf43de14f
[FEATURE] Add TLS support. (#677)
* [FEATURE] Add TLS support.

Fixes #368.

* [FEATURE] Introduce OnError hook in suites.

This hook allows to perform actions following an erroneous suite
like displaying the logs of Authelia.

* Display Authelia logs of Standalone suite when tests fail.

* Fix Standalone suite.

* Apply suggestions from code review

* Rename ssl_key and ssl_cert into tls_key and tls_cert.
2020-03-03 18:18:25 +11:00
Clément Michaud efb567f3d5
Fix development workflow. (#649)
Suites cannot be run locally anymore following the move of the example
directory into the suites directory.
2020-02-27 10:44:29 +01:00
Amir Zarrinkafsh f1a89de2e7
[MISC] Restructure repo folder layout (#628) 2020-02-09 18:04:27 +01:00
Clément Michaud d1d02d9eae
[FIX] Redirect to default URL after 1FA when default policy is one_factor. (#611)
* Redirect to default URL after 1FA when default policy is one_factor.

User is now redirected to the default redirection URL after 1FA if
the default policy is set to one_factor and there is no target URL
or if the target URL is unsafe.

Also, if the default policy is set to one_factor and the user is already
authenticated, if she visits the login portal, the 'already authenticated'
view is displayed with a logout button.

This fixes #581.

* Update users.yml

* Fix permissions issue causing suite test failure
2020-02-05 08:18:02 +11:00
Clément Michaud ea9b408b70
[FIX] Fix default redirection URL not taken into account (#600)
* Remove unused mongo docker-compose file.

* Default redirection URL was not taken into account.

* Fix possible storage options in config template.

* Remove useless checks in u2f registration endpoints.

* Add default redirection url in config of duo suite.

* Fix log line in response handler of 2FA methods.

* Fix integration tests.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-02-01 13:54:50 +01:00
Clement Michaud 2acf8bf21c Add hash-password and migrate commands to authelia binary.
This reduce the size of the docker image and avoid confusing users.

We keep the commands in authelia-scripts too in order to keep the
current workflow of developers.
2020-01-22 11:53:15 +11:00
Clement Michaud bb7781fd2b Use env variables to configure secrets in Standalone suite. 2020-01-22 10:15:25 +11:00
James Elliott 736ed3f212 Misc Spelling Corrections
- Mostly changes to spelling of comments/docs/displayed text
- A few changes to test function names
2020-01-21 12:16:00 +11:00