Commit Graph

138 Commits (568f210b2b764ebc0a18295bdf0589b66e9291d9)

Author SHA1 Message Date
Clement Michaud 563e2da323 Add default_redirection_url as configuration option
This URL is used when user access the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.

When user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in few seconds and uses this URL to redirect.

This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
2017-10-31 07:27:23 +01:00
Clement Michaud dacdce6c50 Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.

If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-31 07:27:23 +01:00
Clement Michaud b9fa786df6 Refactor endpoints to get server variables as input parameters
This refactoring aims to ease testability and clean up a lot of soft touchy
typings in test code.

This is the first step of this refactoring introducing the concept and
implementing missing interfaces and stubs. At the end of the day,
ServerVariablesHandler should completely disappear and every variable should
be injected in the endpoint handler builder itself.
2017-10-31 07:26:53 +01:00
Dylan Smith c62b85e37d Less restrictive email handler - replace gmail with generic 2017-10-25 19:28:56 +11:00
Clement Michaud 12a8626ef7 Make per_subdomain_methods optional in configuration file 2017-10-15 20:01:16 +02:00
Clement Michaud ce264ff4d3 Add {dn} as an available matcher in LDAP groups filter
Sometimes, LDAP organization is such that groups membership cannot be computed
with username only. User DN is required to retrieve groups.

e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of
cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups
but cannot be computed from joe only.

Issue was reported in issue #146
2017-10-15 14:51:26 +02:00
Clement Michaud 1ab09b71d4 Specify the sender email in Gmail and Smtp notifier configuration
Sender email address can now be specified in configuration and applies to
GMail notifier and SMTP notifier.
2017-10-10 00:07:12 +02:00
Clément Michaud d5035b8704 Merge pull request #131 from clems4ever/disable-second-factor
Allow basic authentication in configuration
2017-10-09 23:27:36 +02:00
Clément Michaud 2641fb1620 Merge pull request #130 from clems4ever/revert-filesystem-notifier
Revert filesystem notifier
2017-10-09 01:58:06 +02:00
Clement Michaud c061dbfda4 Customize the authentication method to be used by a sub-domain
One can now customize the default authentication method for all sub-domains,
i.e., either 'two_factor' or 'basic_auth' and define specific authentication
method per sub-domain.

For example, one can specify that every sub-domain must be authenticated with
two factor except one sub-domain that must be authenticated with basic auth.
2017-10-08 23:39:29 +02:00
Clement Michaud 346c559141 Make file system an available notifier option for testing purpose 2017-10-08 22:48:20 +02:00
Clement Michaud 78f6028c1b Improve logging format for clarity
Previously, logs were not very friendly and it was hard to track
a request because of the lack of request ID.
Now every log message comes with a header containing: method, path
request ID, session ID, IP of the user, date.

Moreover, the configurations displayed in the logs have their secrets
hidden from this commit.
2017-10-08 22:33:50 +02:00
Clement Michaud 66449eedb0 Use username matcher instead of user dn in group filter
Previously, string "{0}" was replaced by the user dn in the groups_filter
attributes of the LDAP configuration.
However, if the groups children only have a memberUid attribute, one would
like to use the username instead of the user dn.

Since the user dn can be built from the username, "{0}" is now replaced
by the username instead of the user dn so that an LDAP relying on attribute
'memberUid' can be used.
2017-10-07 14:10:22 +02:00
Clement Michaud 4cd78f3f83 Add SMTP notifier as an available option in configuration
One can now plug its own SMTP server to send notifications
for identity validation and password reset requests.

Filesystem has been removed from the template configuration file
since even tests now use mail catcher (the fake webmail) to
retrieve the email and the confirmation link.
2017-09-24 23:20:45 +02:00
Clement Michaud cf16272a73 Refine access control with per resource ACLs
ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.

[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.
2017-09-24 21:39:47 +02:00
Clement Michaud 64c06fd6b8 Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-03 12:48:35 +02:00
Clement Michaud 20536abf8b Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 22:38:26 +02:00
Clement Michaud c12a085f8e Replace mocha integration tests by cucumber tests 2017-07-31 22:20:33 +02:00
Clement Michaud e45ac39c8f Add Mongo as scalable and resilient storage backend 2017-07-31 00:29:00 +02:00
Clement Michaud fd59044f5e Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-19 20:59:39 +02:00
Clement Michaud 8f152d2328 Fix example environment 2017-07-14 19:05:42 +02:00
Clement Michaud 925b58fabc Add redis option to the express-session middleware 2017-07-13 23:14:31 +02:00
Clement Michaud e56c2492ed Fix integration test and package Travis scripts 2017-06-29 13:09:08 +02:00
Clement Michaud ddf1e48535 Refactor client to make it responsive and testable 2017-06-16 18:16:38 +02:00
Paul Casto ca918c761c domain for cookie - issue in example 2017-04-08 19:14:57 -04:00
Clement Michaud 7d21f8d5df Edit README to make the user add more subdomains in /etc/hosts for testing the example locally 2017-03-25 19:10:59 +01:00
Clement Michaud b403cfe2f8 Rework the configuration of the access control to allow default policy for certain domains 2017-03-25 18:38:14 +01:00
Clement Michaud 38a4570b24 Edit the README to add an access control section and update the user base 2017-03-25 15:41:11 +01:00
Clement Michaud e310478e6d Allow per user access control rules 2017-03-25 15:28:57 +01:00
Clement Michaud 2a73b1a431 Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains 2017-03-25 15:17:21 +01:00
Clement Michaud 4b93338bae Move config adaptation into a module and make it testable 2017-03-22 22:28:54 +01:00
Clement Michaud c7e4f76b9c Add an LDAP user search filter in the configuration filte to specify the user attribute to search for in LDAP 2017-03-16 01:25:55 +01:00
Clement Michaud 606ddc7308 Handle SSO over multiple subdomains 2017-03-15 23:07:57 +01:00
Clement Michaud d29aac78d0 Create a filesystem notifier for simple getting started 2017-01-28 19:59:15 +01:00
Clement Michaud 7e41c68aa7 Remove TOTP password from the configuration 2017-01-28 18:30:07 +01:00
Clement Michaud 05046338ed Implement password reset 2017-01-27 01:20:03 +01:00
Clement Michaud 320998ef78 Set the level of logs in the config file 2017-01-22 18:18:19 +01:00
Clement Michaud d3db94105e Registration process sends an email to allow user to register its U2F device 2017-01-22 17:54:45 +01:00