Commit Graph

280 Commits (91c0c81818d88707f32c4ab9b94c85603b672b9a)

Author SHA1 Message Date
Amir Zarrinkafsh 91c0c81818
refactor(suites): stop integration tests on first failure (#3270)
* refactor(suites): stop integration tests on first failure

* refactor(suites): remove additional nginx instance

* refactor(suites): log relevant containers

* refactor(suites): add traefik2 logs to stdout

* refactor(suites): explicitly enable traefik for tests

* refactor(suites): remove redis restart and duplicate pathprefix tests

* ci(buildkite): allow manual retry on integration tests
2022-05-02 14:50:37 +10:00
renovate[bot] 8ee92231ba
build(deps): update dependency haproxy to v2.5.6 (#3255)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-04-27 16:12:44 +10:00
James Elliott 06ba312c28
fix(commands): invalid opaque id service name (#3235)
This fixes the service type being openid_connect instead of openid as expected. This also allows bulk generating opaque identifiers for users.
2022-04-25 18:49:18 +10:00
renovate[bot] b18eea039c
build(deps): update node.js to v18 (#3225)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-04-21 18:28:35 +10:00
Amir Zarrinkafsh daaa16c182
refactor(suites): validate totp inputs (#3218)
This change validates the inputs for the TOTP code entry.
This was previously discarded and left unvalidated during the move to rod from within the integration tests.
2022-04-19 14:11:15 +10:00
Amir Zarrinkafsh 92e219b34b
fix(suites): add missing traefik routes (#3217)
This change includes missing routes for both the Traefik and Traefik2 suites, issues would have manifested running dev mode tests for these suites when attempting to load translations.
2022-04-19 13:36:49 +10:00
James Elliott e56690c2df
refactor(configuration): ensure all keys are validated (#3208)
This ensures keys that exist in slices are validated.
2022-04-16 20:48:07 +10:00
renovate[bot] c5cb36c526
build(deps): update dependency golang to v1.17.9 (#3198)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-04-15 15:53:15 +10:00
James Elliott 6e0853a81b
build(deps): update dependency golang (#3180) 2022-04-13 14:28:31 +10:00
James Elliott cf93e66391
test(suites): fix backend endpoints (#3158) 2022-04-10 08:05:27 +10:00
Manuel Nuñez 086b97d21f
test(suites): revert por binding (#3155)
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-10 07:44:47 +10:00
James Elliott 5a0a15f377
feat(commands): user opaque identifiers commands (#3144)
Add commands for handling user opaque identifiers.
2022-04-09 17:13:19 +10:00
James Elliott 0a970aef8a
feat(oidc): persistent storage (#2965)
This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 15:33:53 +10:00
renovate[bot] 004490c7b1
build(deps): update dependency alpine to v3.15.4 (#3114)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-04-05 11:15:43 +10:00
Clément Michaud 3ca438e3d5
feat: implement mutual tls in the web server (#3065)
Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface.

Fixes #3041
2022-04-05 09:57:47 +10:00
James Elliott 2502d89682
fix(server): respond with 404/405 appropriately (#3087)
This adjusts the not found handler to not respond with a 404 on not found endpoints that are part of the /api or /.well-known folders, and respond with a 405 when the method isn't implemented.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-04-04 09:58:01 +10:00
Manuel Nuñez bfd5d66ed8
feat(notification): password reset notification custom templates (#2828)
Implemented a system to allow overriding email templates, including the remote IP, and sending email notifications when the password was reset successfully.

Closes #2755, Closes #2756

Co-authored-by: Manuel Nuñez <@mind-ar>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 22:24:51 +10:00
James Elliott 36cf662458
refactor: misc password policy refactoring (#3102)
Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
2022-04-03 10:48:26 +10:00
Manuel Nuñez 8659ba394d
feat(authentication): password policy (#2723)
Implement a password policy with visual feedback in the web portal.

Co-authored-by: Manuel Nuñez <@mind-ar>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-03 08:32:57 +10:00
James Elliott 0116506330
feat(oidc): implement amr claim (#2969)
This adds the amr claim which stores methods used to authenticate with Authelia by the users session.
2022-04-01 22:18:58 +11:00
renovate[bot] df9492ca0e
build(deps): update dependency traefik to v2.6.3 (#3075)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-31 17:00:08 +11:00
renovate[bot] 56048dd199
build(deps): update dependency alpine to v3.15.3 (#3072)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-29 14:08:54 +11:00
renovate[bot] b86c7b5284
build(deps): update dependency traefik to v2.6.2 (#3059)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-03-26 20:53:04 +11:00
renovate[bot] 2d981f7916
build(deps): update dependency alpine to v3.15.2 (#3051)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-03-26 19:46:15 +11:00
renovate[bot] 9eb23a301b
build(deps): update dependency alpine to v3.15.1 (#3028)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-03-17 15:53:30 +11:00
renovate[bot] 99326c2688
build(deps): update dependency haproxy to v2.5.5 (#3018)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-16 13:43:33 +11:00
James Elliott 6d937cf6cc
refactor(model): rename from models (#2968) 2022-03-06 16:47:40 +11:00
James Elliott 8f05846e21
feat: webauthn (#2707)
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 22:20:43 +11:00
James Elliott 1b2af90e5a
feat(commands): totp qr code in png format (#2673)
This allows exporting the TOTP QR code for easy registration when using `authelia storage totp generate` or `authelia storage totp export`.
2022-03-02 18:50:36 +11:00
renovate[bot] f8d9c6eab7
build(deps): update dependency haproxy to v2.5.4 (#2931)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-03-01 15:04:34 +11:00
James Elliott 3c81e75d79
feat(commands): add access-control check-policy command (#2871)
This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 14:15:01 +11:00
renovate[bot] e286741357
build(deps): update dependency mariadb to v10.8.2 (#2917)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-02-27 10:12:17 +11:00
renovate[bot] 4b1bd01167
build(deps): update dependency traefik to v2.6.1 (#2912)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-02-24 21:13:08 +11:00
renovate[bot] eb76de6cdc
build(deps): update dependency haproxy to v2.5.3 (#2897)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-02-24 03:12:26 +11:00
Clément Michaud 5d4003c291
refactor: directly return error where sufficient (#2855) 2022-02-10 09:07:53 +11:00
James Elliott 1772a83190
refactor: apply godot recommendations (#2839) 2022-01-31 16:25:15 +11:00
renovate[bot] d8cf272757
build(deps): update traefik docker tag to v2.5.7 (#2815)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-01-21 13:43:06 +11:00
renovate[bot] 535ad2a697
build(deps): update haproxy docker tag to v2.5.1 (#2793)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-01-12 23:54:50 +11:00
renovate[bot] 2a1e7fc793
build(deps): update traefik docker tag to v2.5.6 (#2738)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-12-23 10:44:39 +11:00
renovate[bot] 93352aa36b
build(deps): update traefik docker tag to v2.5.5 (#2706)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-12-12 14:47:03 +11:00
renovate[bot] f9586b99a9
build(deps): update traefik docker tag to v1.7.34 (#2705)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-12-12 11:15:01 +11:00
James Elliott 104a61ecd6
refactor(web): only fetch totp conf if required (#2663)
Prevents the TOTP user config from being requested when the user has not registered or is already authenticated 2FA.
2021-12-02 21:28:16 +11:00
James Elliott f90ca855e3
feat(storage): postgresql schema and ssl options (#2659)
Adds the schema name and all ssl options for PostgreSQL. Also a significant refactor of the storage validation process.
2021-12-02 16:36:03 +11:00
Aram Akhavan 5b3fa1fffb
docs: consistent naming for configuration file (#2626)
* change all instances (file names and docs) of "config.template.yml" to "configuration.template.yml" so its consistent with the expectations of the Dockerfile

* Keep config.template.yml named as is

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update index.html

* revert filename changes and add a note about docker

* refactor: apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-12-02 15:50:05 +11:00
James Elliott 7df242f1e3
refactor: remove ioutil (#2635)
Was deprecated in 1.16 and has more performant options available.
2021-12-02 00:14:15 +11:00
James Elliott ad8e844af6
feat(totp): algorithm and digits config (#2634)
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).

Fixes #1226.
2021-12-01 23:11:29 +11:00
Philipp Staiger 01b77384f9
feat(duo): multi device selection (#2137)
Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator.

Closes #594. Closes #1039.
2021-12-01 14:32:58 +11:00
James Elliott 9ceee6c660
feat(storage): only store identity token metadata (#2627)
This change makes it so only metadata about tokens is stored. Tokens can still be resigned due to conversion methods that convert from the JWT type to the database type. This should be more efficient and should mean we don't have to encrypt tokens or token info in the database at least for now.
2021-11-30 17:58:21 +11:00
James Elliott 347bd1be77
feat(storage): encrypted secret values (#2588)
This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330.

Closes #682
2021-11-25 12:56:58 +11:00
renovate[bot] 290e3f7aaa
build(deps): update alpine docker tag to v3.15.0 (#2631)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-11-25 08:46:44 +11:00