Commit Graph

143 Commits (9445878ca2c26c8898255ab43f6464aab0c3c286)

Author SHA1 Message Date
Amir Zarrinkafsh 9445878ca2
refactor(web): use transformindexhtml vite hook (#2488) 2021-10-11 20:30:02 +11:00
Clément Michaud 1f28bc9b26
docs: provide installation guidelines for installing missing tools (#2481) 2021-10-09 20:41:02 +02:00
Amir Zarrinkafsh a3e84769b5
feat(web): replace cra with vite (#2457)
* feat(web): replace cra with vite

* fix: add istanbul
* fix: add jest
* fix: inject env vars
* fix: replicate cra output directories
* fix: post-frontend build for go templating
* fix: dynamic publicpath

* fix(web): import resolution with aliases for .module.css files

* refactor(server): baseurl var

* refactor(web): drop babel-jest for esbuild-jest

* refactor(web): add inline sourcemap for coverage bundle

* build(deps): update web deps

* build(deps): downgrade vite-plugin-istanbul to 2.2.0

98bf77dbaa is a breaking change that means production mode builds can no longer be instrumented.

* refactor(web): match frontend name and version

* refactor(web): drop cra readme
2021-10-08 15:00:06 +11:00
Amir Zarrinkafsh 982e1c2638
ci(buildkite): perform frontend install for renovate deps (#2463) 2021-10-07 10:14:52 +11:00
Amir Zarrinkafsh 26de57a297
ci(buildkite): skip front/backend builds for renovate deps (#2462)
* ci(buildkite): skip front/backend builds for renovate deps

* ci(buildkite): make unit-test artifact compression conditional
2021-10-07 09:45:37 +11:00
Amir Zarrinkafsh 3d312cf3b9
refactor: replace yarn with pnpm (#2424)
* Check for pnpm in authelia-scripts
* Improve husky hooks to check for required apps
* Use pnpm in coverage dockerfile
* Use pnpm in dev workflow
* Stop buildx log truncation
* Ignore pnpm lockfile in yamllint
* Update versions required for docker and docker-compose in contributing docs
2021-09-29 17:24:21 +10:00
Amir Zarrinkafsh f37cb76f6f
feat(web): remove sourcemap generation (#2423) 2021-09-28 17:09:31 +10:00
Amir Zarrinkafsh c9f5b3de88
feat(web): replace babel-loader and terser with esbuild (#2422) 2021-09-28 16:27:06 +10:00
Amir Zarrinkafsh d7763a20ec
build(deps): update swagger-ui to v3.52.3 (#2412) 2021-09-26 12:25:14 +10:00
Amir Zarrinkafsh bd6a8e3ea2
feat: hardened authelia binaries (#2410)
* feat: hardened authelia binaries

This change ensures that all Authelia binaries which are compiled and distributed are hardened with the following standards:

* RELRO
* Stack canary
* NX
* PIE/ASLR
* Stripped RPATH AND RUNPATH
* Stripped Symbols
* Fortify

The musl variants currently [do not support Fortify](https://wiki.musl-libc.org/future-ideas.html#Fortify).

* refactor: docker pull for authelia/crossbuild in background
2021-09-26 12:08:47 +10:00
Amir Zarrinkafsh 92ec00d7c5
feat: builds with gox and buildx (#2381)
* feat: builds with gox and buildx

This change builds all of Authelia respective binaries in parallel within a single step and distributes as necessary to subsequent steps, we now also build and distribute for the following OS/Architecture: freebsd/amd64.

Our CI/CD pipeline now also utilises docker buildx as a default for builds and pushes.

* refactor: clean up docker helper

* Remove `authelia-scripts docker push-image` command as all pushes will be performed with buildx and manifests
* Rename the --arch flag to --container
* Add Dockerfile.dev for users that want to build an Authelia container from source without utilising suites
* Set Dockerfile.dev as default for `authelia-scripts docker build` command

* refactor: variant -> container
2021-09-16 22:39:18 +10:00
Amir Zarrinkafsh 719447b719
build(deps): update swagger-ui to v3.52.2 (#2374) 2021-09-14 16:17:13 +10:00
Amir Zarrinkafsh 4b3e7ac724
build(deps): update swagger-ui to v3.52.1 (#2367) 2021-09-13 18:33:51 +10:00
James Elliott b4e570358e
fix: include major in go.mod module directive (#2278)
* build: include major in go.mod module directive

* fix: xflags

* revert: cobra changes

* fix: mock doc
2021-08-11 11:16:46 +10:00
Amir Zarrinkafsh 6033b7df70
build(deps): update swagger-ui to v3.52.0 (#2276) 2021-08-10 11:20:44 +10:00
Amir Zarrinkafsh 2c3bc4a133
fix(cmd): remove microbadger references (#2243)
MicroBadger is dead, so we need to remove all references of it.
2021-08-05 16:36:45 +10:00
James Elliott a7e867a699
feat(configuration): replace viper with koanf (#2053)
This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 19:55:21 +10:00
Amir Zarrinkafsh 03274c171e
build(deps): update swagger-ui to v3.51.2 (#2222) 2021-08-02 14:55:34 +10:00
James Elliott 31c5c820f0
refactor(authentication): log ldap warning on startup in rare condition (#2141)
This is so on startup administrators who have a LDAP server implementation that may not support password hashing by default are clearly warned. This only triggers if the disable password reset option is not enabled, we cannot find the extension OID for the Extended Password Modify Operation, and the implementation is not Active Directory. Active Directory has it's own method for this which doesn't advertise an OID.
2021-07-04 15:44:11 +10:00
James Elliott ef549f851d
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. 
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 09:44:30 +10:00
Amir Zarrinkafsh c8b51d1190
build(deps): update swagger-ui to v3.51.1 (#2140) 2021-07-02 19:08:10 +10:00
James Elliott cb71df5d9b
feat(authentiation): check ldap support for extended operations on startup (#2133)
* feat(authentiation): check ldap server on startup

This PR adds a startup check to the LDAP authentication backend. It additionally adds support for checking supportedExtension OIDs, currently only checking passwdModifyOID (1.3.6.1.4.1.4203.1.11.3). This can relatively easily be enhanced to add detection for other rootDSE capabilities like supportedControl and supportedCapabilities as necessary.

* test(authentication): add unit tests for new feature

* refactor(authentication): factorize ldap user provider newup

* refactor: minor adjustments
2021-07-02 09:16:16 +10:00
Amir Zarrinkafsh 756aee507f
refactor: cra build path (#2117)
* refactor: cra build path

The `authelia-scripts` helper currently performs steps to move files around in different stages of development and CI/CD.

We now utilise the `BUILD_PATH` environment variable to adjust the output directory for the web frontend from the default of `./web/build/` simplifying the helper somewhat.

Additionally we no longer build the Go binary in the unit test stage of our CI/CD as this is not necessary.

* fix: build output directory in coverage dockerfile
2021-06-25 21:53:20 +10:00
Amir Zarrinkafsh 41f1162651
build(deps): update swagger-ui to v3.51.0 (#2118) 2021-06-25 18:46:50 +10:00
Amir Zarrinkafsh 8db0bc9ae1
refactor: drop qemu binary requirement (#2116)
QEMU binaries no longer need to be baked into containers.
2021-06-24 18:24:47 +10:00
Amir Zarrinkafsh 4cab3a4a4e
refactor: drop cgo requirement for sqlite (#2101)
* refactor: drop cgo requirement for sqlite

Replace github.com/mattn/go-sqlite3 with modernc.org/sqlite which drops our CGO requirement.

* refactor: newline for consistency with dockerfiles
2021-06-22 10:45:33 +10:00
James Elliott 0d7b33022c
build: add enhanced information (#2067)
This commit adjusts the build flags to include version information in the LDFLAGS using the -X options. Additionally this makes the information recorded at build time more comprehensive. All build information can now be obtained via the `authelia build` command, and the `authelia version` command is now `authelia --version`. Lastly this adjusts the Dockerfile to utilize docker cache more effectively.
2021-06-18 14:35:43 +10:00
James Elliott ef3c2faeb5
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089)
This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 11:38:01 +10:00
Amir Zarrinkafsh 8a171e6344
ci(golangci-lint): replace golint with revive linter (#2078)
Remove deprecated `golint` linter and replace with `revive` linter.

Also fix outstanding issues due to upgraded linters.
2021-06-11 10:30:53 +10:00
Amir Zarrinkafsh 50878b1e7f
build(deps): update swagger-ui to v3.50.0 (#2070) 2021-06-08 10:59:03 +10:00
James Elliott cef35fadcd
feat(configuration): add error and warn log levels (#2050)
This is so levels like warn and error can be used to exclude info or warn messages. Additionally there is a reasonable refactoring of logging moving the log config options to the logging key because there are a significant number of log options now. This also decouples the expvars and pprof handlers from the log level, and they are now configured by server.enable_expvars and server.enable_pprof at any logging level.
2021-06-01 14:09:50 +10:00
Amir Zarrinkafsh 05df642f3e
feat: add option to keep stdout logging with log_file_path (#2037)
Currently if a `log_file_path` is defined Authelia will redirect all logging from standard output to said defined location. This change allows users to keep standard output logging along with a defined `log_file_path`.
2021-05-31 14:02:54 +10:00
Amir Zarrinkafsh a31a17b222
fix(cmd): retry clean tag logic for dockerhub (#1976)
This change will ensure that if the curl command for the cleaning of Docker tags on DockerHub fails it will be reattempted up to 2 more times (total of 3) with a 10 second sleep between each attempt.

The clean tag logic itself within curl attempts to execute the http request upto 3 times so this will ensure a maximum of 9 attempts.
2021-05-05 17:09:31 +10:00
James Elliott a984e2700b
refactor: use fatal log message on oidc init error (#1973)
Instead of using panic() when an unknown error was detected on OP initialization, use logger.Fatalf. This provides a more useful output to the user.
2021-05-05 10:50:24 +10:00
James Elliott ddea31193b
feature(oidc): add support for OpenID Connect
OpenID connect has become a standard when it comes to authentication and
in order to fix a security concern around forwarding authentication and authorization information
it has been decided to add support for it.

This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there
are several production critical features still missing such as all OIDC related data is stored in
configuration or memory. This means you are potentially going to experience issues with HA
deployments, or when restarting a single instance specifically related to OIDC.

We are still working on adding the remaining set of features before making it GA as soon as possible.

Related to #189

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-05 00:15:36 +02:00
Amir Zarrinkafsh 9f3bd0e589
build(deps): update swagger-ui to v3.48.0 (#1967) 2021-05-04 08:31:50 +10:00
James Elliott cc4f47f21c
fix: removed deprecated smtp/ldap options (#1912)
This removes the deprecated options from 4.25. This includes the LDAP filters which allow {0} or {1} placeholders. The new aliases are documented. Additionally it refactors the keys validator to use uniform messages for most replaced keys.
2021-04-16 11:44:37 +10:00
Amir Zarrinkafsh fab6813093
build(deps): update swagger-ui to v3.46.0 (#1891) 2021-04-07 12:48:26 +10:00
Amir Zarrinkafsh e816a2e563
ci: publish docker images to ghcr (#1860)
* ci: publish docker images to ghcr

* ci: remove ghcr images with no tags

* ci: remove unnecessary ghcr jq args for empty tags

* ci: move ghcr empty tag clean up

Publishes Docker container images on both DockerHub and GitHub Container Registry.
2021-03-30 09:17:19 +11:00
Amir Zarrinkafsh 6855898f92
build(deps): update swagger-ui to v3.45.0 (#1861) 2021-03-29 10:55:09 +11:00
James Elliott e041143f87
feat(session): add redis sentinel provider (#1768)
* feat(session): add redis sentinel provider

* refactor(session): use int for ports as per go standards

* refactor(configuration): adjust tests and validation

* refactor(configuration): add err format consts

* refactor(configuration): explicitly map redis structs

* refactor(session): merge redis/redis sentinel providers

* refactor(session): add additional checks to redis providers

* feat(session): add redis cluster provider

* fix: update config for new values

* fix: provide nil certpool to affected tests/mocks

* test: add additional tests to cover uncovered code

* docs: expand explanation of host and nodes relation for redis

* ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum

* fix(session): sentinel password

* test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config

* test: make entrypoint.sh executable, fix entrypoint.sh if/elif

* test: add redis failover tests

* test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging

* test: add sentinel integration test

* test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep

* feat: use sentinel failover cluster

* fix: renamed addrs to sentineladdrs upstream

* test(session): sentinel failover

* test: add redis standard back into testing

* test: move redis standalone test to traefik2

* fix/docs: apply suggestions from code review
2021-03-10 10:03:05 +11:00
Amir Zarrinkafsh 74721a9f41
feat: go:embed static assets (#1733)
* feat: go:embed static assets

Go 1.16 introduced the ability to embed files within a generated binary directly with the go tool chain. This simplifies our dependencies and the significantly improves the development workflow for future developers.

Key points to note:

Due to the inability to embed files that do not reside within the local package we need to duplicate our `config.template.yml` within `internal/configuration`.

To avoid issues with the development workflow empty mock files have been included within `internal/server/public_html`. These are substituted with the respective generated files during the CI/CD and build workflows.

* fix(suites): increase ldap suite test timeout

* fix(server): fix swagger asset CSP
2021-02-22 10:07:06 +11:00
Amir Zarrinkafsh 59fa332088
build(deps): update swagger-ui to v3.43.0 (#1717) 2021-02-12 21:16:46 +11:00
Amir Zarrinkafsh f60af69187
build(deps): update swagger-ui to v3.42.0 (#1700) 2021-02-05 10:21:18 +11:00
Amir Zarrinkafsh 5eebeb68fc
build(deps): update swagger-ui to v3.41.1 (#1683) 2021-02-02 19:21:03 +11:00
Amir Zarrinkafsh 6965d06854
[CI] Fix DockerHub README update (#1628)
Since introducing the All Contributors spec for our README.md we have been unable to sync and update the README to DockerHub.

This is because DockerHub has a 25000 character limit and the All Contributors spec exceeds this. So we retain a similar README to the prior for the contributors section only for DockerHub.
2021-01-25 10:05:28 +11:00
Amir Zarrinkafsh 296efe2b32
[MISC] Add missing CLI suite test (#1607)
* [MISC] Add missing CLI suite test

* Add missing test for `authelia version` command in CLI suite.
* Standardise logger calls and swap CSP switch order
2021-01-17 10:23:35 +11:00
Amir Zarrinkafsh d92e4b94d6
[MISC] Update Swagger UI to 3.40.0 (#1606) 2021-01-16 20:31:13 +11:00
Amir Zarrinkafsh 079d069cd6
[CI] Update QEMU to v5.2.0-2 (#1582) 2021-01-05 12:54:37 +11:00
James Elliott 29a900226d
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557)
* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia
* this is in ADDITION to system certs and are trusted by both LDAP and SMTP
* added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS
* remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use
* use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section
* added temporary translations from the old names to the new ones for all deprecated options
* added docs
* updated example configuration
* final deprecations to be done in 4.28.0
* doc updates
* fix misc linting issues
* uniform deprecation notices for ease of final removal
* added additional tests covering previously uncovered areas and the new configuration options
* add non-fatal to certificate loading when system certs could not be loaded
* adjust timeout of Suite ShortTimeouts
* add warnings pusher for the StructValidator
* make the schema suites uninform
* utilize the warnings in the StructValidator
* fix test suite usage for skip_verify
* extract LDAP filter parsing into it's own function to make it possible to test
* test LDAP filter parsing
* update ErrorContainer interface
* add tests to the StructValidator
* add NewTLSConfig test
* move baseDN for users/groups into parsed values
* add tests to cover many of the outstanding areas in LDAP
* add explicit deferred LDAP conn close to UpdatePassword
* add some basic testing to SMTP notifier
* suggestions from code review
2021-01-04 21:28:55 +11:00