* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia
* this is in ADDITION to system certs and are trusted by both LDAP and SMTP
* added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS
* remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use
* use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section
* added temporary translations from the old names to the new ones for all deprecated options
* added docs
* updated example configuration
* final deprecations to be done in 4.28.0
* doc updates
* fix misc linting issues
* uniform deprecation notices for ease of final removal
* added additional tests covering previously uncovered areas and the new configuration options
* add non-fatal to certificate loading when system certs could not be loaded
* adjust timeout of Suite ShortTimeouts
* add warnings pusher for the StructValidator
* make the schema suites uninform
* utilize the warnings in the StructValidator
* fix test suite usage for skip_verify
* extract LDAP filter parsing into it's own function to make it possible to test
* test LDAP filter parsing
* update ErrorContainer interface
* add tests to the StructValidator
* add NewTLSConfig test
* move baseDN for users/groups into parsed values
* add tests to cover many of the outstanding areas in LDAP
* add explicit deferred LDAP conn close to UpdatePassword
* add some basic testing to SMTP notifier
* suggestions from code review
* [MISC] Catch OpenLDAP ppolicy error
Further to the discussion over at #361, this change now ensures that OpenLDAP password complexity errors are caught and appropriately handled.
This change also includes the PasswordComplexity test suite in the LDAP integration suite. This is because a ppolicy has been setup and enforced.
* Remove password history for integration tests
* Adjust max failures due to regulation trigger
* Fix error handling for password resets
* Refactor and include code suggestions
* Added `ActiveDirectory` suite for integration tests with Samba AD
* Updated documentation
* Minor styling refactor to suites
* Clean up LDAP user provisioning
* Fix Authelia home splash to reference correct link for webmail
* Add notification message for password complexity errors
* Add password complexity integration test
* Rename implementation default from rfc to custom
* add specific defaults for LDAP (activedirectory implementation)
* add docs to show the new defaults
* add docs explaining the importance of users filter
* add tests
* update instances of LDAP implementation names to use the new consts where applicable
* made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead
* update config examples due to the new defaults
* apply changes from code review
* replace schema default name from MSAD to ActiveDirectory for consistency
* fix missing default for username_attribute
* replace test raising on empty username attribute with not raising on empty
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
This change will allow us to collect frontend code coverage from our Selenium based integration tests.
Given that the frontend is embedded into the Go binary and the integration tests run with a compiled binary in Docker this poses some issues with the instrumented code and the ability for it to run in this manner. To fix this we need to relax Authelia's CSP for the integration tests. This is achieved by setting the env variable `ENVIRONMENT` to `dev`.
* [MISC] Append log file instead of overwriting
If Authelia is restarted when a `log_file_path` is defined upon restart the log file is overwritten as opposed to appending the existing file.
This change ensures that the log file will be appended to, users will need to ensure that they rotate/truncate this over time especially if running in `debug` or `trace`.
* Amend documentation for log_file_path
* [MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy
Bumps haproxy from 2.2.4-alpine to 2.3.0-alpine.
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
* Fix HAProxy suite
Looks like the new version of HAProxy has config validation which expects a newline at the bottom of `haproxy.cfg`.
CI was failing with the following error:
[NOTICE] 313/021816 (1) : haproxy version is 2.3.0-1c0a722
[ALERT] 313/021816 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:80]: Missing LF on last line, file might have been truncated at position 42.
[ALERT] 313/021816 (1) : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
[ALERT] 313/021816 (1) : Fatal errors found in configuration.
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* [FEATURE] Support updated haproxy-auth-request
This version removes the dependency of lua-socket which seemed to result in many unsupported and broken BSD/Pfsense deployments.
* Fix docs indentation
* Add haproxy-lua-http to TLS enabled configuration
* [FEATURE] Add configurable display name to frontend
This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting.
Similarly for the file based backend a new required key "name" has been introduced.
This can also be used down the line with OIDC as a separate scope.
* Update references from Name to DisplayName
* Update compose bundles to include displayname refs
* Update LDAP automatic profile refresh
* Ensure display name is updated
* Fix bug which prevented trace logging for profile refresh to not trigger
* [FEATURE] Docker simplification and configuration generation
The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template.
This will allow more seamless bootstrapping of an environment no matter the deployment method.
We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment.
Users with the old volume mappings have two options:
1. Change their mappings to conform to `/config`
2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping
* Adjust paths relative to `/etc/authelia` and simplify to single volume for compose
* Add generation for file backend based user database
* Refactor Docker volumes and paths to /config
* Refactor Docker WORKDIR to /app
* Fix integration tests
* Update BREAKING.md for v4.20.0
* Run go mod tidy
* Fix log_file_path in miscellaneous.md docs
* Generate config and userdb with 0600 permissions
* Fix log_file_path in config.template.yml
* [CI] Add Codecov support
* [CI] Capture backend coverage from integration tests
* [CI] Remove unnecessary artifacts for coverage build
* [CI] Only run coverage elements where necessary
* [CI] Simplify post-command hook
* Fix yarn dependencies and collect coverage
* [CI] Include cmd/authelia/ path in coverage
* [CI] Exclude internal/suites/ in coverage
Closes#1061.
* [DEV] Debug authelia when running a suite.
This runs dlv debugger within authelia backend container so that an IDE can remote
debug the application using port 2345.
* Apply suggestions from code review
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Add a suite for testing the PathPrefix feature implemented earlier to serve authelia under a multi-purpose domain.
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
* [MISC] Remove executable permission of nginx backend files.
* Set permissions to 644 on k8s tar'd files
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* [DEV] Fix permission issue with dev workflow.
nginx backend was facing permission denied errors because the permissions of the html
files were too restricted. Moreover those files were added to the docker image while they
could just be mounted as other services.
* Fix Kubernetes integration test
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* Fix dev workflow.
* Fix dev workflow.
* Cover Remote-User and Remote-Groups using Traefik.
* Cover Remote-User and Remote-Groups using HAProxy.
* Fix redirection after unauthorized response when using HAProxy.
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
* [FEATURE] Embed static assets in Go binary
* Refactor/consolidate code and specify public_html via configuration
* Update docs and config template for assets
* Update AUR package pre-requisites and systemd unit
* Include static assets as Buildkite and GitHub artifacts
* Remove references to PUBLIC_DIR
* Only serve assets via embedded filesystem and remove configuration references
* Update authelia-scripts helper to build the embedded filesystem
* Mock the embedded filesystem for unit tests
Add to gitignore to ensure this isn't overwritten.
* Move go:generate to satisfy linter
James Elliott
dependabot-preview[bot]
Amir Zarrinkafsh
Timo
vdot0x23
Clément Michaud
Daniel Sutton