Commit Graph

42 Commits (792afbc47665c92f27951d6955e97b83d9307429)

Author SHA1 Message Date
Clement Michaud a8974a9d8e Change domain from test.local to example.com
Warning: you will need to update your /etc/hosts to take this change into
account for the example environment to work.
2017-11-03 00:20:10 +01:00
Clement Michaud bbbffaa3ae Split nginx service into portal, backend and authelia services
This setup is closer to real production infrastructure.
2017-11-03 00:20:10 +01:00
Clement Michaud b8c8c3bd75 Move docker-compose files to the example directory 2017-11-03 00:20:10 +01:00
Clement Michaud 009e7c2b78 Add basic authorization support for single-factor protected endpoints
One can now access a service using the basic authorization mechanism. Note the
service must not be protected by 2 factors.

The Remote-User and Remote-Groups are forwarded from Authelia like any browser
authentication.
2017-11-01 19:38:05 +01:00
Clement Michaud 6b78240d39 Fix endpoints redirection on errors
From this commit on, api endpoints reply with a 401 error code and non api
endpoints redirect to /error/40X.

This commit also fixes missing restrictions on /loggedin (the "already logged
in page). This was not a security issue, though.

The change also makes error pages automatically redirect the user after few
seconds based on the referrer or the default_redirection_url if provided in the
configuration.

Warning: The old /verify endpoint of the REST API has moved to /api/verify.
You will need to update your nginx configuration to take this change into
account.
2017-11-01 14:46:23 +01:00
Clement Michaud 7b68a543bf Strengthen password in LDAP using SHA512 crypt algorithm
Uses the crypt() function to do password encryption. This function handles
several schemes such as: MD5, Blowfish, SHA1, SHA2.
SHA-512 is used in Authelia for best security.
The algorithm is fully described in
https://www.akkadia.org/drepper/SHA-crypt.txt

The 'crypt3' npm package has been added as a dependency to use the crypt()
function. The package needs to be compiled in order to call the c function,
that's why python, make and C++ compiler are installed temporarily in the
Docker image.
2017-10-31 07:27:36 +01:00
Clement Michaud 22d56b1faa Change basicauth.test.local into single_factor.test.local 2017-10-31 07:27:36 +01:00
Clement Michaud 99b04809a5 Provide information about fake webmail in home page of example 2017-10-31 07:27:23 +01:00
Clement Michaud 056565a968 Add X-Frame-Options header to avoid ability to embed websites in iframes 2017-10-16 20:56:26 +02:00
Clement Michaud f523e5335f Use HSTS in example 2017-10-16 20:56:26 +02:00
Clement Michaud 92b78f7c15 Enable secure and httpOnly option for sessions
These are 2 measures for improving security of cookies. One is used to
not send the cookie over HTTP (only HTTPS) and the other tells the browser to
disallow client-side code accessing the cookie.
2017-10-16 20:56:26 +02:00
Clement Michaud 8cf58d7b31 Add tests on headers forwarded to backend
Ensure Remote-User and Remote-Groups can be forwarded to the backend app.
2017-10-14 22:11:56 +02:00
Clement Michaud c061dbfda4 Customize the authentication method to be used by a sub-domain
One can now customize the default authentication method for all sub-domains,
i.e., either 'two_factor' or 'basic_auth' and define specific authentication
method per sub-domain.

For example, one can specify that every sub-domain must be authenticated with
two factor except one sub-domain that must be authenticated with basic auth.
2017-10-08 23:39:29 +02:00
Clement Michaud 4cbf6efa42 Disable second factor for certain subdomain 2017-09-26 23:09:33 +02:00
Clement Michaud f564174998 Remove FileSystem notifier completely 2017-09-24 23:20:51 +02:00
Clement Michaud 4cd78f3f83 Add SMTP notifier as an available option in configuration
One can now plug its own SMTP server to send notifications
for identity validation and password reset requests.

Filesystem has been removed from the template configuration file
since even tests now use mail catcher (the fake webmail) to
retrieve the email and the confirmation link.
2017-09-24 23:20:45 +02:00
Clément Michaud 7a2b45a66f Merge pull request #95 from clems4ever/acl-by-resources
Refine access control with per resource ACLs
2017-09-24 21:54:18 +02:00
Clement Michaud cf16272a73 Refine access control with per resource ACLs
ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.

[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.
2017-09-24 21:39:47 +02:00
Clement Michaud e48b196f38 Add Content-Length header to the forwarded request to Authelia
It seems nginx is closing the connection for some backends if
`proxy_set_header Content-Length "";` is not added to the
verification endpoint.
2017-09-23 18:02:21 +02:00
Clement Michaud d005b83365 Set headers values Remote-User and Remote-Groups in /verify response 2017-09-22 21:25:15 +02:00
Clement Michaud 0a33b2d5ee Add logs to detect redis connection issues earlier
Before this fix, the application was simply crashing during execution
when connection to redis was failing.

Now, it is correctly handled with failing promises and logs have been
enabled to clearly see the problem
2017-09-22 20:52:05 +02:00
Clement Michaud 7128970a53 Add redirection URL as a query parameter during authentication
Before this fix, the redirection URL was stored in the user session,
but this has a big drawback since user could open several pages in
browser and thus override the redirection URL leading the user to
be incorrectly redirected.
2017-09-22 17:53:18 +02:00
FrozenDragoon e644fe7b7b Split example scripts, allow running example using pre-built docker container (example-dockerhub) or build build from source, as it is now (example-commit). 2017-09-05 06:32:50 -05:00
FrozenDragoon fa6134e7f5 Don't build a new container for ldap, pass the variables via docker-compose. 2017-09-05 06:17:52 -05:00
Clement Michaud 64c06fd6b8 Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-03 12:48:35 +02:00
Clement Michaud 928209dc98 Fix redirection after authentication and error page when accessing restricted pages 2017-08-03 00:41:13 +02:00
Clement Michaud c12a085f8e Replace mocha integration tests by cucumber tests 2017-07-31 22:20:33 +02:00
Clement Michaud e45ac39c8f Add Mongo as scalable and resilient storage backend 2017-07-31 00:29:00 +02:00
Clement Michaud 24d4176a39 Secret page contains a link with wrong port to redirect the user to home page 2017-07-19 00:35:55 +02:00
Clement Michaud 6d5fc84693 Add an icon to the webpages of example 2017-07-16 16:19:44 +02:00
Clement Michaud 8f152d2328 Fix example environment 2017-07-14 19:05:42 +02:00
Clement Michaud f516aaf243 Adding one integration test for redis 2017-07-14 00:25:11 +02:00
Clement Michaud e56c2492ed Fix integration test and package Travis scripts 2017-06-29 13:09:08 +02:00
Clement Michaud 0414d28e2b Fix LDAP binding non working on servers with restricted ACL rules and add unit tests 2017-06-29 11:29:33 +02:00
Clement Michaud ddf1e48535 Refactor client to make it responsive and testable 2017-06-16 18:16:38 +02:00
Clement Michaud 6d24e82835 Remove '/authentication/' base path from endpoint URLs 2017-05-14 17:41:56 +02:00
Clement Michaud b403cfe2f8 Rework the configuration of the access control to allow default policy for certain domains 2017-03-25 18:38:14 +01:00
Clement Michaud 2a73b1a431 Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains 2017-03-25 15:17:21 +01:00
Clement Michaud c7e4f76b9c Add an LDAP user search filter in the configuration filte to specify the user attribute to search for in LDAP 2017-03-16 01:25:55 +01:00
Clement Michaud 606ddc7308 Handle SSO over multiple subdomains 2017-03-15 23:07:57 +01:00
Clement Michaud 05046338ed Implement password reset 2017-01-27 01:20:03 +01:00
Clement Michaud d3db94105e Registration process sends an email to allow user to register its U2F device 2017-01-22 17:54:45 +01:00