Commit Graph

437 Commits (7dcab4b9fb5113f9999f27ee71b3b3379fb65678)

Author SHA1 Message Date
renovate[bot] 9cf9aae20b
build(deps): update dependency haproxy to v2.5.7 (#3397)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-05-18 14:43:24 +10:00
renovate[bot] 1bd862a814
build(deps): update dependency golang to v1.18.2 (#3345)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-05-11 10:23:48 +10:00
James Elliott bda87db79c
test(suites): caddy (#3305) 2022-05-07 11:55:52 +10:00
Amir Zarrinkafsh cac8919f97
test: add redis restart test back to traefik2 suite (#3298)
* test: add redis restart test back to traefik2 suite

* refactor(suites): mustpress -> mustinput for totp

* refactor(suites): rename suites for test ordering
2022-05-04 11:01:36 +10:00
renovate[bot] f8bb51da4d
build(deps): update dependency traefik to v2.6.6 (#3296)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-05-04 09:29:51 +10:00
renovate[bot] f88e7dd242
build(deps): update module github.com/go-rod/rod to v0.106.4 (#3042) 2022-05-03 22:37:56 +10:00
renovate[bot] e6ad8fe83e
build(deps): update dependency golang to v1.18.1 (#3019)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-05-03 19:35:44 +10:00
Amir Zarrinkafsh 91c0c81818
refactor(suites): stop integration tests on first failure (#3270)
* refactor(suites): stop integration tests on first failure

* refactor(suites): remove additional nginx instance

* refactor(suites): log relevant containers

* refactor(suites): add traefik2 logs to stdout

* refactor(suites): explicitly enable traefik for tests

* refactor(suites): remove redis restart and duplicate pathprefix tests

* ci(buildkite): allow manual retry on integration tests
2022-05-02 14:50:37 +10:00
renovate[bot] 8ee92231ba
build(deps): update dependency haproxy to v2.5.6 (#3255)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-04-27 16:12:44 +10:00
James Elliott 06ba312c28
fix(commands): invalid opaque id service name (#3235)
This fixes the service type being openid_connect instead of openid as expected. This also allows bulk generating opaque identifiers for users.
2022-04-25 18:49:18 +10:00
renovate[bot] b18eea039c
build(deps): update node.js to v18 (#3225)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-04-21 18:28:35 +10:00
Amir Zarrinkafsh daaa16c182
refactor(suites): validate totp inputs (#3218)
This change validates the inputs for the TOTP code entry.
This was previously discarded and left unvalidated during the move to rod from within the integration tests.
2022-04-19 14:11:15 +10:00
Amir Zarrinkafsh 92e219b34b
fix(suites): add missing traefik routes (#3217)
This change includes missing routes for both the Traefik and Traefik2 suites, issues would have manifested running dev mode tests for these suites when attempting to load translations.
2022-04-19 13:36:49 +10:00
James Elliott e56690c2df
refactor(configuration): ensure all keys are validated (#3208)
This ensures keys that exist in slices are validated.
2022-04-16 20:48:07 +10:00
renovate[bot] c5cb36c526
build(deps): update dependency golang to v1.17.9 (#3198)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-04-15 15:53:15 +10:00
James Elliott 6e0853a81b
build(deps): update dependency golang (#3180) 2022-04-13 14:28:31 +10:00
James Elliott cf93e66391
test(suites): fix backend endpoints (#3158) 2022-04-10 08:05:27 +10:00
Manuel Nuñez 086b97d21f
test(suites): revert por binding (#3155)
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-10 07:44:47 +10:00
James Elliott 5a0a15f377
feat(commands): user opaque identifiers commands (#3144)
Add commands for handling user opaque identifiers.
2022-04-09 17:13:19 +10:00
James Elliott 0a970aef8a
feat(oidc): persistent storage (#2965)
This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 15:33:53 +10:00
renovate[bot] 004490c7b1
build(deps): update dependency alpine to v3.15.4 (#3114)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-04-05 11:15:43 +10:00
Clément Michaud 3ca438e3d5
feat: implement mutual tls in the web server (#3065)
Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface.

Fixes #3041
2022-04-05 09:57:47 +10:00
James Elliott 2502d89682
fix(server): respond with 404/405 appropriately (#3087)
This adjusts the not found handler to not respond with a 404 on not found endpoints that are part of the /api or /.well-known folders, and respond with a 405 when the method isn't implemented.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-04-04 09:58:01 +10:00
Manuel Nuñez bfd5d66ed8
feat(notification): password reset notification custom templates (#2828)
Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully.

Closes #2755, Closes #2756

Co-authored-by: Manuel Nuñez <@mind-ar>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 22:24:51 +10:00
James Elliott 36cf662458
refactor: misc password policy refactoring (#3102)
Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
2022-04-03 10:48:26 +10:00
Manuel Nuñez 8659ba394d
feat(authentication): password policy (#2723)
Implement a password policy with visual feedback in the web portal.

Co-authored-by: Manuel Nuñez <@mind-ar>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 08:32:57 +10:00
James Elliott 0116506330
feat(oidc): implement amr claim (#2969)
This adds the amr claim which stores methods used to authenticate with Authelia by the users session.
2022-04-01 22:18:58 +11:00
renovate[bot] df9492ca0e
build(deps): update dependency traefik to v2.6.3 (#3075)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-31 17:00:08 +11:00
renovate[bot] 56048dd199
build(deps): update dependency alpine to v3.15.3 (#3072)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-29 14:08:54 +11:00
renovate[bot] b86c7b5284
build(deps): update dependency traefik to v2.6.2 (#3059)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-03-26 20:53:04 +11:00
renovate[bot] 2d981f7916
build(deps): update dependency alpine to v3.15.2 (#3051)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-03-26 19:46:15 +11:00
renovate[bot] 9eb23a301b
build(deps): update dependency alpine to v3.15.1 (#3028)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-03-17 15:53:30 +11:00
renovate[bot] 99326c2688
build(deps): update dependency haproxy to v2.5.5 (#3018)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-16 13:43:33 +11:00
James Elliott 6d937cf6cc
refactor(model): rename from models (#2968) 2022-03-06 16:47:40 +11:00
James Elliott 8f05846e21
feat: webauthn (#2707)
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 22:20:43 +11:00
James Elliott 1b2af90e5a
feat(commands): totp qr code in png format (#2673)
This allows exporting the TOTP QR code for easy registration when using `authelia storage totp generate` or `authelia storage totp export`.
2022-03-02 18:50:36 +11:00
renovate[bot] f8d9c6eab7
build(deps): update dependency haproxy to v2.5.4 (#2931)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-01 15:04:34 +11:00
James Elliott 3c81e75d79
feat(commands): add access-control check-policy command (#2871)
This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 14:15:01 +11:00
renovate[bot] e286741357
build(deps): update dependency mariadb to v10.8.2 (#2917)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-02-27 10:12:17 +11:00
renovate[bot] 4b1bd01167
build(deps): update dependency traefik to v2.6.1 (#2912)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-02-24 21:13:08 +11:00
renovate[bot] eb76de6cdc
build(deps): update dependency haproxy to v2.5.3 (#2897)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-02-24 03:12:26 +11:00
Clément Michaud 5d4003c291
refactor: directly return error where sufficient (#2855) 2022-02-10 09:07:53 +11:00
James Elliott 1772a83190
refactor: apply godot recommendations (#2839) 2022-01-31 16:25:15 +11:00
renovate[bot] d8cf272757
build(deps): update traefik docker tag to v2.5.7 (#2815)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-01-21 13:43:06 +11:00
renovate[bot] 535ad2a697
build(deps): update haproxy docker tag to v2.5.1 (#2793)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-01-12 23:54:50 +11:00
renovate[bot] 2a1e7fc793
build(deps): update traefik docker tag to v2.5.6 (#2738)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-12-23 10:44:39 +11:00
renovate[bot] 93352aa36b
build(deps): update traefik docker tag to v2.5.5 (#2706)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-12-12 14:47:03 +11:00
renovate[bot] f9586b99a9
build(deps): update traefik docker tag to v1.7.34 (#2705)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-12-12 11:15:01 +11:00
James Elliott 104a61ecd6
refactor(web): only fetch totp conf if required (#2663)
Prevents the TOTP user config from being requested when the user has not registered or is already authenticated 2FA.
2021-12-02 21:28:16 +11:00
James Elliott f90ca855e3
feat(storage): postgresql schema and ssl options (#2659)
Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process.
2021-12-02 16:36:03 +11:00
Aram Akhavan 5b3fa1fffb
docs: consistent naming for configuration file (#2626)
* change all instances (file names and docs) of "config.template.yml" to "configuration.template.yml" so its consistent with the expectations of the Dockerfile

* Keep config.template.yml named as is

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update index.html

* revert filename changes and add a note about docker

* refactor: apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-12-02 15:50:05 +11:00
James Elliott 7df242f1e3
refactor: remove ioutil (#2635)
Was deprecated in 1.16 and has more performant options available.
2021-12-02 00:14:15 +11:00
James Elliott ad8e844af6
feat(totp): algorithm and digits config (#2634)
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).

Fixes #1226.
2021-12-01 23:11:29 +11:00
Philipp Staiger 01b77384f9
feat(duo): multi device selection (#2137)
Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator.

Closes #594. Closes #1039.
2021-12-01 14:32:58 +11:00
James Elliott 9ceee6c660
feat(storage): only store identity token metadata (#2627)
This change makes it so only metadata about tokens is stored. Tokens can still be resigned due to conversion methods that convert from the JWT type to the database type. This should be more efficient and should mean we don't have to encrypt tokens or token info in the database at least for now.
2021-11-30 17:58:21 +11:00
James Elliott 347bd1be77
feat(storage): encrypted secret values (#2588)
This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330.

Closes #682
2021-11-25 12:56:58 +11:00
renovate[bot] 290e3f7aaa
build(deps): update alpine docker tag to v3.15.0 (#2631)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-11-25 08:46:44 +11:00
renovate[bot] c128359c74
build(deps): update haproxy docker tag to v2.5.0 (#2624)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-11-24 11:36:46 +11:00
James Elliott 3695aa8140
feat(storage): primary key for all tables and general qol refactoring (#2431)
This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database.

Fixes #1337
2021-11-23 20:45:38 +11:00
Amir Zarrinkafsh 0be883befb
feat: customizable static assets (#2597)
* feat: customizable static assets

This change provides the means to override specific assets from the embedded Go FS with files situated on disk.

We only allow overriding the following files currently:
* favicon.ico
* logo.png

* refactor(server): make logo string a const

* refactor(suites): override favicon and use ntp3 in traefik2 suite

* test(suites): test logo override in traefik2 suite

* test(suites): test asset override fallback in traefik suite

Closes #1630.
2021-11-15 19:37:58 +11:00
renovate[bot] 50f9dc6a4c
build(deps): update alpine docker tag to v3.14.3 (#2599) 2021-11-13 11:04:11 +11:00
renovate[bot] 6765b97342
build(deps): update mariadb docker tag to v10.7.1 (#2585)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-11-10 15:57:48 +11:00
renovate[bot] 035d084ada
build(deps): update traefik docker tag to v2.5.4 (#2575)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-11-09 08:20:38 +11:00
Amir Zarrinkafsh 83488d52a6
refactor(suites): replace selenium with go-rod (#2534)
* refactor(suites): replace selenium with go-rod

This change replaces [tebeka/selenium](https://github.com/tebeka/selenium) with [go-rod](https://github.com/go-rod/rod).

We no longer have a chromedriver/external driver dependency to utilise Selenium as we instead utilise the Chrome Dev Protocol to communicate with the browser.

Rod [documents](https://go-rod.github.io/#/why-rod) benefits of choosing the library as opposed to the available alternatives.
2021-11-06 00:14:42 +11:00
renovate[bot] ed0efb76b3
build(deps): update haproxy docker tag to v2.4.8 (#2563)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-11-04 12:00:23 +11:00
renovate[bot] 4b904fc321
build(deps): update node.js to v17 (#2523)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-10-21 09:43:54 +11:00
Amir Zarrinkafsh 9445878ca2
refactor(web): use transformindexhtml vite hook (#2488) 2021-10-11 20:30:02 +11:00
Amir Zarrinkafsh a3e84769b5
feat(web): replace cra with vite (#2457)
* feat(web): replace cra with vite

* fix: add istanbul
* fix: add jest
* fix: inject env vars
* fix: replicate cra output directories
* fix: post-frontend build for go templating
* fix: dynamic publicpath

* fix(web): import resolution with aliases for .module.css files

* refactor(server): baseurl var

* refactor(web): drop babel-jest for esbuild-jest

* refactor(web): add inline sourcemap for coverage bundle

* build(deps): update web deps

* build(deps): downgrade vite-plugin-istanbul to 2.2.0

98bf77dbaa is a breaking change that means production mode builds can no longer be instrumented.

* refactor(web): match frontend name and version

* refactor(web): drop cra readme
2021-10-08 15:00:06 +11:00
renovate[bot] 455499fa93
build(deps): update traefik docker tag to v1.7.33 (#2466)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-10-08 12:51:30 +11:00
Amir Zarrinkafsh 4161fbd818
ci(codecov): utilise new codecov uploader for coverage (#2467)
* ci(codecov): utilise new codecov uploader for coverage

The codecov bash uploader is being [deprecated](https://docs.codecov.com/docs/about-the-codecov-bash-uploader).

This utilises the new uploader which is recommended.

* ci(codecov): adjust file search path and name uploads

* fix(suites): coverage paths for codecov
2021-10-08 11:17:08 +11:00
Amir Zarrinkafsh 23fdb8d1b9
fix(suites): enable cgo in dev workflow (#2454) 2021-10-07 11:14:15 +11:00
renovate[bot] 65dd2a1341
build(deps): update traefik docker tag to v1.7.32 (#2458)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-10-07 09:05:05 +11:00
renovate[bot] 451f84f13f
build(deps): update haproxy docker tag to v2.4.7 (#2455) 2021-10-06 20:54:05 +11:00
renovate[bot] 6370c16c95
build(deps): update traefik docker tag to v1.7.31 (#2450)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-10-06 08:38:29 +11:00
renovate[bot] 28e702f5c8
build(deps): update postgres docker tag to v14 (#2430)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-10-01 11:03:06 +10:00
Amir Zarrinkafsh e8a52f4794
refactor: replace sqlite library with the original cgo variant (#2427)
* refactor: replace sqlite library with the original cgo variant

This change reverts our SQLite library back to the original for compatibility and performance reasons now that we always package with CGO.

* fix: cgo and build flags

* fix: gcc requirement

* fix: gcc in dev workflow too
2021-10-01 09:58:33 +10:00
Amir Zarrinkafsh 3d312cf3b9
refactor: replace yarn with pnpm (#2424)
* Check for pnpm in authelia-scripts
* Improve husky hooks to check for required apps
* Use pnpm in coverage dockerfile
* Use pnpm in dev workflow
* Stop buildx log truncation
* Ignore pnpm lockfile in yamllint
* Update versions required for docker and docker-compose in contributing docs
2021-09-29 17:24:21 +10:00
renovate[bot] 6343f70f01
build(deps): update traefik docker tag to v2.5.3 (#2401)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-21 10:40:22 +10:00
yossbg 05406cfc7b
feat(ntp): check clock sync on startup (#2251)
This adds method to validate the system clock is synchronized on startup. Configuration allows adjusting the server address, enabled state, desync limit, and if the error is fatal.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-09-17 14:44:35 +10:00
renovate[bot] 4da10f9cea
build(deps): update haproxy docker tag to v2.4.4 (#2351)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-08 09:52:49 +10:00
Amir Zarrinkafsh 84f370aa68
fix(suites): prevent dev workflow overriding .healthcheck.env (#2345) 2021-09-06 20:51:58 +10:00
renovate[bot] 9de8aafadf
build(deps): update traefik docker tag to v2.5.2 (#2337)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-09-03 11:59:46 +10:00
renovate[bot] d2bf1eb4e2
build(deps): update alpine docker tag to v3.14.2 (#2325) 2021-08-28 09:13:07 +10:00
renovate[bot] ad16f99e6d
build(deps): update traefik docker tag to v2.5.1 (#2306)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-21 11:03:00 +10:00
renovate[bot] 8ac9ce9367
build(deps): update traefik docker tag to v2.5.0 (#2296)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-19 09:28:05 +10:00
renovate[bot] 956db2dbaa
build(deps): update haproxy docker tag to v2.4.3 (#2295)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-18 14:50:49 +10:00
renovate[bot] 0aba819899
build(deps): update golang docker tag (#2293)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-17 13:46:47 +10:00
renovate[bot] c768144c07
build(deps): update traefik docker tag to v2.4.14 (#2292)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-17 07:30:27 +10:00
James Elliott b4e570358e
fix: include major in go.mod module directive (#2278)
* build: include major in go.mod module directive

* fix: xflags

* revert: cobra changes

* fix: mock doc
2021-08-11 11:16:46 +10:00
renovate[bot] c593ebc573
build(deps): update mariadb docker tag to v10.6.4 (#2274)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-10 07:30:29 +10:00
renovate[bot] cc1ecafc1c
build(deps): update alpine docker tag to v3.14.1 (#2262)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-08-07 06:48:15 +10:00
James Elliott a3b14871ba
perf(authentication): improve ldap dynamic replacement performance (#2239)
This change means we only check the filters for the existence of placeholders that cannot be replaced at startup. We then utilized cached results of that lookup for subsequent replacements.
2021-08-05 14:17:07 +10:00
James Elliott a7e867a699
feat(configuration): replace viper with koanf (#2053)
This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 19:55:21 +10:00
James Elliott 158783a9d4
feat(configuration): replace several configuration options (#2209)
This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration.

BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0
2021-08-02 21:55:30 +10:00
Clément Michaud bc983ce9f5
fix: user is now redirected when authenticated (#2082)
* fix(handlers,web): user is now redirected when authenticated

Fix: #1788

* remove dead code and fix ci issues

* fix infinite loop in frontend

* fix issue with integration tests

* handle bot recommendation

* fix integration test & add dot to comment

* fix last integration test

* Update api/openapi.yml

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

* Update web/src/services/SafeRedirection.ts

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update web/src/services/SafeRedirection.ts

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update api/openapi.yml

* Update openapi.yml

* refactor: valid -> safe

* refactor: adjust merge conflicts

* Apply suggestions from code review

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

* fix: adjust test return messaging

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-02 16:15:38 +10:00
renovate[bot] 77a51d5c2f
build(deps): update traefik docker tag to v2.4.13 (#2217)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-31 09:53:41 +10:00
renovate[bot] c98b2a7d59
build(deps): update traefik docker tag to v2.4.12 (#2203)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-27 10:29:31 +10:00
James Elliott 911d71204f
fix(handlers): handle xhr requests to /api/verify with 401 (#2189)
This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 13:52:37 +10:00
James Elliott ddeb46b262
fix(handlers): send status 303 auth requests that are not get/head (#2184)
When a request occurs, if the browser is not performing a HTTP GET/HEAD request, the 302 status code is not valid. This commit resolves this. MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302.
2021-07-16 13:43:48 +10:00
renovate[bot] 596346de1e
build(deps): update traefik docker tag to v2.4.11 (#2187)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-16 06:42:05 +10:00
James Elliott c794d57afc
perf(authentication): improve active directory default users filter (#2181)
This adds a performance change to the default Active Directory users filter. Basically as per TechNet the (sAMAccountType=805306368) filter is the same as (&(objectCategory=person)(objectClass=user)) except the performance is better.
2021-07-14 20:30:25 +10:00
renovate[bot] 3537cce660
build(deps): update mariadb docker tag to v10.6.3 (#2180)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-13 22:46:04 +02:00
renovate[bot] d2422e9965
build(deps): update haproxy docker tag to v2.4.2 (#2168)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-07-09 08:49:30 +10:00
James Elliott ef549f851d
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. 
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 09:44:30 +10:00
Philipp Staiger 7ff0a39c02
fix(suites): disable cgo for delve during development (#2129)
#2101 introduced a minor regression when using the authelia scripts suite for developing.

The following issues occurred:

```
[00] # runtime/cgo
[00] cgo: exec gcc: exec: "gcc": executable file not found in $PATH
```

Adding the CGO_ENABLED=0 before the dlv build command in the run-backend-dev.sh fixed the issue.
2021-07-01 10:28:24 +10:00
renovate[bot] 9640b48b60
build(deps): update haproxy docker tag to v2.4.1 (#2120)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-27 14:22:29 +10:00
renovate[bot] 5c78dfaa0d
build(deps): update traefik docker tag to v2.4.9 (#2113)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-23 08:49:05 +10:00
Amir Zarrinkafsh 4cab3a4a4e
refactor: drop cgo requirement for sqlite (#2101)
* refactor: drop cgo requirement for sqlite

Replace github.com/mattn/go-sqlite3 with modernc.org/sqlite which drops our CGO requirement.

* refactor: newline for consistency with dockerfiles
2021-06-22 10:45:33 +10:00
renovate[bot] 986f88fd89
build(deps): update mariadb docker tag to v10.6.2 (#2099)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-19 08:33:13 +10:00
Amir Zarrinkafsh f32a0a7407
test(web): integration test auto theme (#2096)
Allows capturing of code coverage for the `auto` theme in the Standalone suite.
2021-06-18 17:15:58 +10:00
James Elliott 0d7b33022c
build: add enhanced information (#2067)
This commit adjusts the build flags to include version information in the LDFLAGS using the -X options. Additionally this makes the information recorded at build time more comprehensive. All build information can now be obtained via the `authelia build` command, and the `authelia version` command is now `authelia --version`. Lastly this adjusts the Dockerfile to utilize docker cache more effectively.
2021-06-18 14:35:43 +10:00
James Elliott ef3c2faeb5
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089)
This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 11:38:01 +10:00
renovate[bot] 923f7c7aec
build(deps): update alpine docker tag to v3.14.0 (#2084)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-06-16 09:38:02 +10:00
Amir Zarrinkafsh 8a171e6344
ci(golangci-lint): replace golint with revive linter (#2078)
Remove deprecated `golint` linter and replace with `revive` linter.

Also fix outstanding issues due to upgraded linters.
2021-06-11 10:30:53 +10:00
James Elliott 2c42464fc8
refactor(configuration): use key log instead of logging (#2072)
* refactor: logging config key to log

This refactors the recent pre-release change adding log options to their own configuration section in favor of a log section (from logging).

* docs: add step to getting started to get the latest tagged commit

This is so we avoid issues with changes on master having differences that don't work on the latest docker tag.

* test: adjust tests

* docs: adjust doc strings
2021-06-08 23:15:43 +10:00
James Elliott cef35fadcd
feat(configuration): add error and warn log levels (#2050)
This is so levels like warn and error can be used to exclude info or warn messages. Additionally there is a reasonable refactoring of logging moving the log config options to the logging key because there are a significant number of log options now. This also decouples the expvars and pprof handlers from the log level, and they are now configured by server.enable_expvars and server.enable_pprof at any logging level.
2021-06-01 14:09:50 +10:00
renovate[bot] d28d36b568
build(deps): update haproxy docker tag to v2.4.0 (#2004)
* build(deps): update haproxy docker tag to v2.4.0

* fix(suites): fix haproxy dockerfile user

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-05-26 14:13:53 +10:00
renovate[bot] 6a226ec122
build(deps): update mariadb docker tag to v10.6.1 (#2028)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-05-26 08:28:16 +10:00
renovate[bot] 3ff50ae979
build(deps): update node.js to v16 (#2005) 2021-05-16 00:18:01 +10:00
renovate[bot] f97c0df929
build(deps): update postgres docker tag to v13 (#1987) 2021-05-08 00:40:58 +10:00
James Elliott ddea31193b
feature(oidc): add support for OpenID Connect
OpenID connect has become a standard when it comes to authentication and
in order to fix a security concern around forwarding authentication and authorization information
it has been decided to add support for it.

This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there
are several production critical features still missing such as all OIDC related data is stored in
configuration or memory. This means you are potentially going to experience issues with HA
deployments, or when restarting a single instance specifically related to OIDC.

We are still working on adding the remaining set of features before making it GA as soon as possible.

Related to #189

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-05 00:15:36 +02:00
renovate[bot] 77c3058368
build(deps): update mariadb docker tag to v10.6.0 (#1958)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-29 15:59:16 +10:00
renovate[bot] b952e9e71d
build(deps): update haproxy docker tag to v2.3.10 (#1942)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-24 10:43:48 +02:00
Amir Zarrinkafsh db55325152
fix(suites): ensure k8s suite utilises the registry cache (#1921) 2021-04-15 12:07:19 +10:00
renovate[bot] 4318bb1e0c
build(deps): update alpine docker tag to v3.13.5 (#1915)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-15 08:54:56 +10:00
James Elliott f0cb75e1e1
fix(handlers): logout redirection validation (#1908) 2021-04-13 10:38:12 +02:00
James Elliott d33d6c2f00
ci: add yamllint (#1895)
This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-11 06:51:00 +10:00
renovate[bot] ad7808d430
build(deps): update traefik docker tag to v1.7.30 (#1897)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-09 09:32:21 +10:00
renovate[bot] 771a0f362e
build(deps): update alpine docker tag to v3.13.4 (#1877)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-01 12:47:51 +11:00
renovate[bot] 92da7a21de
build(deps): update haproxy docker tag to v2.3.9 (#1873)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-31 13:52:05 +11:00
renovate[bot] dbb819dfa5
build(deps): update traefik docker tag to v1.7.29 (#1869)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-30 11:37:38 +11:00
renovate[bot] 5ab334dcdc
build(deps): update haproxy docker tag to v2.3.8 (#1858)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-28 02:06:58 +11:00
renovate[bot] e6929cdf3e
build(deps): update alpine docker tag to v3.13.3 (#1853)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-26 11:30:30 +11:00
renovate[bot] 6d4d1d5e2f
build(deps): update traefik docker tag to v2.4.8 (#1848)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-24 19:34:55 +01:00
renovate[bot] e7c9d55c23
build(deps): update haproxy docker tag to v2.3.7 (#1834)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-17 08:51:46 +11:00
James Elliott a0248cd096
test(suites): short mode skip suites testing (#1823)
This PR changes the suites tests so if go test -short is used, they are skipped per go standards and a message is displayed. Additionally removed some redundant types from suite_high_availability_test.go and adjusted a warning about a nil req var.
2021-03-14 18:08:26 +11:00
James Elliott 5a5efa5e02
fix(server): send 404 on missing api endpoints instead of 405 (#1806)
Returns a 404 instead of 405 on bad API endpoints. The original issue was resolved in 3487fd392e however this resolves another issue that's related. Additionally this ensures the behavior is tested.
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>

Fixes #1520
Closes #1534
2021-03-11 18:36:58 +11:00
James Elliott e041143f87
feat(session): add redis sentinel provider (#1768)
* feat(session): add redis sentinel provider

* refactor(session): use int for ports as per go standards

* refactor(configuration): adjust tests and validation

* refactor(configuration): add err format consts

* refactor(configuration): explicitly map redis structs

* refactor(session): merge redis/redis sentinel providers

* refactor(session): add additional checks to redis providers

* feat(session): add redis cluster provider

* fix: update config for new values

* fix: provide nil certpool to affected tests/mocks

* test: add additional tests to cover uncovered code

* docs: expand explanation of host and nodes relation for redis

* ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum

* fix(session): sentinel password

* test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config

* test: make entrypoint.sh executable, fix entrypoint.sh if/elif

* test: add redis failover tests

* test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging

* test: add sentinel integration test

* test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep

* feat: use sentinel failover cluster

* fix: renamed addrs to sentineladdrs upstream

* test(session): sentinel failover

* test: add redis standard back into testing

* test: move redis standalone test to traefik2

* fix/docs: apply suggestions from code review
2021-03-10 10:03:05 +11:00
renovate[bot] 073c558296
build(deps): update traefik docker tag to v2.4.7 (#1790)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-09 14:18:48 +11:00
James Elliott 4dce8f9496
perf(authorizer): preload access control lists (#1640)
* adjust session refresh to always occur (for disabled users)

* feat: adds filtering option for Request Method in ACL's

* simplify flow of internal/authorization/authorizer.go's methods

* implement query string checking

* utilize authorizer.Object fully

* make matchers uniform

* add tests

* add missing request methods

* add frontend enhancements to handle request method

* add request method to 1FA Handler Suite

* add internal ACL representations (preparsing)

* expand on access_control next

* add docs

* remove unnecessary slice for network names and instead just use a plain string

* add warning for ineffectual bypass policy (due to subjects)

* add user/group wildcard support

* fix(authorization): allow subject rules to match anonymous users

* feat(api): add new params

* docs(api): wording adjustments

* test: add request method into testing and proxy docs

* test: add several checks and refactor schema validation for ACL

* test: add integration test for methods acl

* refactor: apply suggestions from code review

* docs(authorization): update description
2021-03-05 15:18:31 +11:00
renovate[bot] 455b859047
build(deps): update haproxy docker tag to v2.3.6 (#1779)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-04 14:15:01 +11:00
renovate[bot] 92154a1193
build(deps): update traefik docker tag to v2.4.6 (#1774)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-02 15:07:51 +11:00
renovate[bot] 64b01b2811
build(deps): update mariadb docker tag to v10.5.9 (#1757)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-23 12:49:16 +11:00
renovate[bot] 17bf3f860b
build(deps): update osixia/openldap docker tag to v1.5.0 (#1749)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 22:08:23 +11:00
renovate[bot] 36d02f9cf5
build(deps): update traefik docker tag to v2.4.5 (#1742)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 16:21:43 +11:00
renovate[bot] 59b3c2cbd8
build(deps): update haproxy docker tag to v2.3.5 (#1737)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 15:06:10 +11:00
Amir Zarrinkafsh 74721a9f41
feat: go:embed static assets (#1733)
* feat: go:embed static assets

Go 1.16 introduced the ability to embed files within a generated binary directly with the go tool chain. This simplifies our dependencies and the significantly improves the development workflow for future developers.

Key points to note:

Due to the inability to embed files that do not reside within the local package we need to duplicate our `config.template.yml` within `internal/configuration`.

To avoid issues with the development workflow empty mock files have been included within `internal/server/public_html`. These are substituted with the respective generated files during the CI/CD and build workflows.

* fix(suites): increase ldap suite test timeout

* fix(server): fix swagger asset CSP
2021-02-22 10:07:06 +11:00
renovate[bot] 79b2b742a8
build(deps): update alpine docker tag to v3.13.2 (#1728)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-18 10:49:39 +11:00
Amir Zarrinkafsh 683c4a70bf
fix(web): improve 2fa enrollment process (#1706)
* refactor(web): improve 2fa enrollment process

This PR will change some of the wording and colours for the 2FA processes in order to provide more clarity and address some accessibility issues for end users.

The following is a summary of the changes:

* One-Time Password ⭢ Time-based One-Time Password
* Security Key ⭢ Security Key - U2F

![Screenshot_2021-02-02-09-36-17](https://user-images.githubusercontent.com/3339418/107138185-17656100-6967-11eb-8fac-9e75c7a82d09.png)


* QRCode ⭢ QR Code

![Screenshot_2021-02-07-05-07-25](https://user-images.githubusercontent.com/3339418/107138196-29df9a80-6967-11eb-811f-d77c9bb0159e.png)

* `Not registered yet?` text to display `Lost device?` if a user has already registered a device of said type

![Screenshot_2021-02-02-10-24-54](https://user-images.githubusercontent.com/3339418/107138205-395ee380-6967-11eb-8826-83e1438dd146.png)

* Change button and text colour in e-mails that Authelia generates
* Change Authelia email footer to be more security conscious

![Screenshot_2021-02-07-04-51-40](https://user-images.githubusercontent.com/3339418/107138211-4085f180-6967-11eb-890b-9d931bd1ce76.png)

The docs have also been updated to clarify the 2fa device enrollment limitation which only allows users to register one of each device type concurrently.

Closes #1560.
2021-02-12 16:59:42 +11:00
renovate[bot] 23f8a059fe
build(deps): update traefik docker tag to v2.4.2 (#1685)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-03 09:42:29 +11:00
renovate[bot] 3d6a9dfca4
build(deps): update traefik docker tag to v2.4.1 (#1681)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-02 10:35:49 +11:00
Amir Zarrinkafsh d17c7e7fc0
refactor(suites): simplify kubernetes suite (#1680)
This PR achieves the following goals:
* Utilise upstream version of kind instead of a patched version which allows binding to networks other than the default "kind"
* Utilises the registry cache which is setup one level above the kind cluster

The former point was required to successfully run our integration tests in a Kubernetes environment, however this is now possible without running a patched version of kind.

The second point is because DockerHub has introduced rate limiting for container downloads. If there are a large number of CI jobs nodes may occasionally be rejected due to the Kubernetes suite not pulling down from the registry cache.
2021-02-02 09:53:44 +11:00
renovate[bot] 006f1eb43b
build(deps): update mariadb docker tag to v10.5.8 (#1660)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 12:22:12 +11:00
renovate[bot] 985aaaa76b
build(deps): update alpine docker tag to v3.13.1 (#1659)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 12:06:09 +11:00
renovate[bot] ea913d2992
build(deps): update traefik docker tag to v1.7.28 (#1657)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 11:32:49 +11:00
renovate[bot] ed5e9264f8
build(deps): update mariadb docker tag to v10.4.17 (#1652) 2021-01-31 09:28:43 +11:00
renovate[bot] d4d781ae52
build(deps): update alpine docker tag to v3.13.1 (#1649)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 01:04:46 +11:00
renovate[bot] 72ec9713b3
build(deps): update traefik docker tag (#1674)
* build(deps): update traefik docker tag

* fix(suites): fix traefik2 empty args for matcher PathPrefix

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-31 00:30:41 +11:00
renovate[bot] 14192e11ac
build(deps): update osixia/phpldapadmin docker tag to v0.9.0 (#1673)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-30 22:52:54 +11:00
renovate[bot] 6627a54594
build(deps): update osixia/openldap docker tag to v1.4.0 (#1672)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-30 22:28:05 +11:00
renovate[bot] d8685418e8
build(deps): update alpine docker tag to v3.12.3 (#1647)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-30 22:11:42 +11:00
dependabot-preview[bot] 353b65066c
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1620)
Bumps golang from 1.15.6-alpine to 1.15.7-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2021-01-21 22:14:21 +11:00
Amir Zarrinkafsh daa30f3aa3
[FEATURE] Add theme support (#1584)
* [FEATURE] Add theme support

This change allows users to select a theme for Authelia on start-up.

The default will continue to be the existing theme which is known as `light`.
Three new options are now also provided:
* `dark`
* `grey`
* `custom`

The `custom` theme allows users to specify a primary and secondary hex color code to be utilised to style the portal.

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>

* Add themes to integration tests

* Remove custom theme

* Fix linting issue in access_control_test.go

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>
2021-01-20 23:07:40 +11:00
dependabot-preview[bot] 7e13d465e9
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1611)
Bumps alpine from 3.12.3 to 3.13.0.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2021-01-18 09:42:44 +11:00
Amir Zarrinkafsh 296efe2b32
[MISC] Add missing CLI suite test (#1607)
* [MISC] Add missing CLI suite test

* Add missing test for `authelia version` command in CLI suite.
* Standardise logger calls and swap CSP switch order
2021-01-17 10:23:35 +11:00
Amir Zarrinkafsh 8bab8d47ef
[MISC] Add CLI suite (#1597)
This change adds a new integration testing suite "CLI".

The intent of this suite is to test, validate and capture coverage for Authelia's commands via the CLI.
2021-01-16 21:25:02 +11:00
Amir Zarrinkafsh 81e34d84de
[MISC] Validate all sections of ACLs on startup (#1595)
* [MISC] Validate all sections of ACLs on startup

This change ensure that all sections of the `access_control` key are validated on startup.

* Change error format to clearly identify values
2021-01-16 21:05:41 +11:00
dependabot-preview[bot] 8fa76499cb
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1601)
Bumps haproxy from 2.3.3-alpine to 2.3.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-15 10:45:36 +11:00
dependabot-preview[bot] 6aa0e5fa7d
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1591)
Bumps haproxy from 2.3.2-alpine to 2.3.3-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-11 10:01:26 +11:00
Amir Zarrinkafsh 9ca0e940da
[FEATURE] Validate ACLs and add network groups (#1568)
* adds validation to ACL's
* adds a new networks section that can be used as aliases in other sections (currently access_control)
2021-01-04 21:55:23 +11:00
James Elliott 29a900226d
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557)
* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia
* this is in ADDITION to system certs and are trusted by both LDAP and SMTP
* added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS
* remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use
* use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section
* added temporary translations from the old names to the new ones for all deprecated options
* added docs
* updated example configuration
* final deprecations to be done in 4.28.0
* doc updates
* fix misc linting issues
* uniform deprecation notices for ease of final removal
* added additional tests covering previously uncovered areas and the new configuration options
* add non-fatal to certificate loading when system certs could not be loaded
* adjust timeout of Suite ShortTimeouts
* add warnings pusher for the StructValidator
* make the schema suites uninform
* utilize the warnings in the StructValidator
* fix test suite usage for skip_verify
* extract LDAP filter parsing into it's own function to make it possible to test
* test LDAP filter parsing
* update ErrorContainer interface
* add tests to the StructValidator
* add NewTLSConfig test
* move baseDN for users/groups into parsed values
* add tests to cover many of the outstanding areas in LDAP
* add explicit deferred LDAP conn close to UpdatePassword
* add some basic testing to SMTP notifier
* suggestions from code review
2021-01-04 21:28:55 +11:00
Amir Zarrinkafsh b12528a65c
[FEATURE] Display TOTP secret on device registration (#1551)
* This change provides the TOTP secret which allows users to copy and utilise for password managers and other applications.
* Hide TextField if secret isn't present
* This ensure that the TextField is removed on a page or if there is no secret present.
* Add multiple buttons and set default value to OTP URL
* Remove inline icon and add icons under text field which allow copying of the secret key and the whole OTP URL.
* Fix integration tests
* Add notifications on click for secret buttons
* Also remove autoFocus on TextField so a user can identify that the full OTP URL is in focus.
2020-12-29 13:30:00 +11:00
dependabot-preview[bot] ee3ce69f9f
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1548)
Bumps alpine from 3.12.2 to 3.12.3.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-19 14:11:31 +11:00
Amir Zarrinkafsh b989c1b169
[MISC] Refactor and address most errcheck linter ignores (#1511)
* [MISC] Refactor and address most errcheck linter ignores

This is mostly a quality of life change.
When we first implemented the errcheck linter we ignored a number of items in our legacy codebase with intent to revisit down the track.

* Handle errors for regulation marks and remove unnecessary logging
2020-12-16 12:47:31 +11:00
Amir Zarrinkafsh 7c6a86882f
[MISC] Catch OpenLDAP ppolicy error (#1508)
* [MISC] Catch OpenLDAP ppolicy error

Further to the discussion over at #361, this change now ensures that OpenLDAP password complexity errors are caught and appropriately handled.

This change also includes the PasswordComplexity test suite in the LDAP integration suite. This is because a ppolicy has been setup and enforced.

* Remove password history for integration tests

* Adjust max failures due to regulation trigger

* Fix error handling for password resets

* Refactor and include code suggestions
2020-12-16 12:30:03 +11:00
dependabot-preview[bot] c14af472dd
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1531)
Bumps alpine from 3.12.1 to 3.12.2.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-12-14 09:12:55 +11:00
dependabot-preview[bot] d7fea74177
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1512)
Bumps golang from 1.15.5-alpine to 1.15.6-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-07 12:47:48 +11:00
James Elliott 426f5260ad
[FEATURE] LDAP StartTLS (#1500)
* add start_tls config option
* add StartTLS method to the LDAP conn factory and the mock
* implemented use of the StartTLS method when the config is set to true
* add mock unit tests
* add docs
* add TLS min version support
* add tests to tls version method
* fix lint issues
* minor adjustments
* remove SSL3.0
* add tls consts
* deprecate old filter placeholders
* remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993
* make suite ActiveDirectory use StartTLS
* misc adjustments to docs
* suggested changes from code review
* deprecation notice conformity
* add mock test for LDAPS plus StartTLS
2020-12-03 16:23:52 +11:00
dependabot-preview[bot] c9837568b5
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1501)
Bumps haproxy from 2.3.1-alpine to 2.3.2-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-03 09:54:21 +11:00
Amir Zarrinkafsh b786b2e1f5
[MISC] Refactor webdriver port initialization (#1491)
This change aims to factorize code introduced in #1467 for webdriver port customisation within the suites.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-28 11:06:42 +11:00
Amir Zarrinkafsh aa64d0c4e5
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460)
* Added `ActiveDirectory` suite for integration tests with Samba AD
* Updated documentation
* Minor styling refactor to suites
* Clean up LDAP user provisioning
* Fix Authelia home splash to reference correct link for webmail
* Add notification message for password complexity errors
* Add password complexity integration test
* Rename implementation default from rfc to custom
* add specific defaults for LDAP (activedirectory implementation)
* add docs to show the new defaults
* add docs explaining the importance of users filter
* add tests
* update instances of LDAP implementation names to use the new consts where applicable
* made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead
* update config examples due to the new defaults
* apply changes from code review
* replace schema default name from MSAD to ActiveDirectory for consistency
* fix missing default for username_attribute
* replace test raising on empty username attribute with not raising on empty

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-27 20:59:22 +11:00
Timo 495e57b46c
[DOCS] Make HAProxy regex case insensitive (#1478) 2020-11-24 12:35:38 +11:00
Amir Zarrinkafsh 6db5455762
[CI] Collect coverage from frontend during integration tests (#1472)
This change will allow us to collect frontend code coverage from our Selenium based integration tests.

Given that the frontend is embedded into the Go binary and the integration tests run with a compiled binary in Docker this poses some issues with the instrumented code and the ability for it to run in this manner. To fix this we need to relax Authelia's CSP for the integration tests. This is achieved by setting the env variable `ENVIRONMENT` to `dev`.
2020-11-19 12:50:34 +11:00
Amir Zarrinkafsh 8e32a4b65f
[CI] Add ability to customise the chromedriver port (#1467)
The development workflow expects chromedriver to be run on the host on port 4444.
There is currently no mechanism to modify this behaviour at runtime, so if another service is running on 4444 tests will just fail silently.

This change introduces the `CHROMEDRIVER_PORT` environment variable which can be utilised to set a custom port.
2020-11-16 21:59:24 +11:00
dependabot-preview[bot] f42b1ea229
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1463)
Bumps haproxy from 2.3.0-alpine to 2.3.1-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-11-16 11:49:52 +11:00
dependabot-preview[bot] 6e5b930f64
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1464)
Bumps golang from 1.15.4-alpine to 1.15.5-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-11-16 11:07:44 +11:00
Amir Zarrinkafsh f392f51df6
[MISC] Append log file instead of overwriting (#1450)
* [MISC] Append log file instead of overwriting

If Authelia is restarted when a `log_file_path` is defined upon restart the log file is overwritten as opposed to appending the existing file.

This change ensures that the log file will be appended to, users will need to ensure that they rotate/truncate this over time especially if running in `debug` or `trace`.

* Amend documentation for log_file_path
2020-11-13 10:14:45 +11:00
dependabot-preview[bot] a5f07d7ade
[MISC] (deps): Bump haproxy from 2.2.4-alpine to 2.3.0-alpine in /internal/suites/example/compose/haproxy (#1431)
* [MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy

Bumps haproxy from 2.2.4-alpine to 2.3.0-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Fix HAProxy suite

Looks like the new version of HAProxy has config validation which expects a newline at the bottom of `haproxy.cfg`.
CI was failing with the following error:
[NOTICE] 313/021816 (1) : haproxy version is 2.3.0-1c0a722
[ALERT] 313/021816 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:80]: Missing LF on last line, file might have been truncated at position 42.
[ALERT] 313/021816 (1) : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
[ALERT] 313/021816 (1) : Fatal errors found in configuration.

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-11-09 13:35:18 +11:00
dependabot-preview[bot] ee0b37c796
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1432)
Bumps golang from 1.15.3-alpine to 1.15.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-11-09 09:04:06 +11:00
Amir Zarrinkafsh a83ccd7188
[FEATURE] Add Remote-Name and Remote-Email headers (#1402) 2020-10-26 22:38:08 +11:00
dependabot-preview[bot] 662da9523b
[MISC] (deps): Bump node in /internal/suites/example/compose/duo-api (#1407)
Bumps node from 14-alpine to 15-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-26 11:11:37 +11:00
dependabot-preview[bot] 4f50818667
[MISC] (deps): Bump node in /internal/suites/example/compose/authelia (#1406)
Bumps node from 14-alpine to 15-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-26 09:39:06 +11:00
dependabot-preview[bot] 19ba79cfa1
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1400)
Bumps alpine from 3.12.0 to 3.12.1.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-23 17:59:48 +11:00
dependabot-preview[bot] 607e6711f5
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1377)
Bumps golang from 1.15.2-alpine to 1.15.3-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-16 14:02:33 +11:00
dependabot-preview[bot] 4a9ed76f32
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1359)
Bumps haproxy from 2.2.3-alpine to 2.2.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-08 10:46:43 +11:00
Amir Zarrinkafsh 607f829431
[DOCS] Clean HAProxy examples (#1338)
Remove headers that are not required and fix a typo.
2020-09-23 17:29:46 +10:00
Amir Zarrinkafsh 5b98b4d090
[BUGFIX] Fix HAProxy redirects (#1333)
Including updates to docs examples.
2020-09-23 09:06:26 +10:00
dependabot-preview[bot] 1c08670b06
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1313)
Bumps golang from 1.15.1-alpine to 1.15.2-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-11 12:28:40 +10:00
dependabot-preview[bot] 01760d167f
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1312)
Bumps haproxy from 2.2.2-alpine to 2.2.3-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-10 11:21:20 +10:00
Amir Zarrinkafsh 771c220d38
[FEATURE] Support updated haproxy-auth-request (#1310)
* [FEATURE] Support updated haproxy-auth-request
This version removes the dependency of lua-socket which seemed to result in many unsupported and broken BSD/Pfsense deployments.

* Fix docs indentation

* Add haproxy-lua-http to TLS enabled configuration
2020-09-10 10:52:57 +10:00