Commit Graph

22 Commits (c11e44aa179ca29a30ea822a81dace55311756a0)

Author SHA1 Message Date
James Elliott 3d2da0b070
feat(oidc): client authentication modes (#5150)
This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 20:58:18 +10:00
James Elliott 598ea2bb19
feat(configuration): disallow public suffix domains (#4855)
This adds a check to the domains configuration to ensure the domain value is not part of the public suffix list at https://publicsuffix.org. These domains are special and users cannot write cookies with this domain value, this makes them unusable with Authelia and this more readily makes that apparent.
2023-02-02 16:34:49 +11:00
Manuel Nuñez 8b29cf7ee8
feat(session): multiple session cookie domains (#3754)
This adds support to configure multiple session cookie domains.

Closes #1198

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 21:57:44 +11:00
James Elliott 203cb19c2f
fix(configuration): missing warning about session domain (#4417)
This adds some helpful configuration warnings and fixes a few misconfiguration issues.
2022-11-24 10:16:23 +11:00
James Elliott 1ea29cb2c2
feat(storage): unix socket support (#4231)
Support for unix sockets for MySQL and PostgreSQL.
2022-10-22 16:41:27 +11:00
James Elliott 9532823a99
feat(configuration): mtls clients (#4221)
This implements mTLS support for LDAP, Redis, and SMTP. Specified via the tls.certificate_chain and tls.private_key options.

Closes #4044
2022-10-21 19:41:33 +11:00
James Elliott b43ee50368
fix(configuration): remember me duration disabled impossible (#2997)
This fixes an issue not properly resolved by db6dd32151.
2022-03-13 13:51:23 +11:00
James Elliott db6dd32151
fix(configuration): cannot disable remember me (#2985)
This allows users to disable remember me again.
2022-03-10 09:01:04 +11:00
James Elliott 6276883f04
refactor(configuration): utilize time duration decode hook (#2938)
This enhances the existing time.Duration parser to allow multiple units, and implements a decode hook which can be used by koanf to decode string/integers into time.Durations as applicable.
2022-03-02 17:40:26 +11:00
James Elliott 3c81e75d79
feat(commands): add access-control check-policy command (#2871)
This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 14:15:01 +11:00
James Elliott 1772a83190
refactor: apply godot recommendations (#2839) 2022-01-31 16:25:15 +11:00
James Elliott b4e570358e
fix: include major in go.mod module directive (#2278)
* build: include major in go.mod module directive

* fix: xflags

* revert: cobra changes

* fix: mock doc
2021-08-11 11:16:46 +10:00
James Elliott 706fbfdb2c
fix(session): ensure default cookie samesite value is lax (#1926)
This implements a change to the default behaviour of the cookies generated by the sessions package. The old behaviour was to set the SameSite=None, this changes it to SameSite=Lax. Additionally this puts the option in the hands of the end-user so they can decide for themselves what the best option is.
2021-04-18 10:02:04 +10:00
James Elliott e041143f87
feat(session): add redis sentinel provider (#1768)
* feat(session): add redis sentinel provider

* refactor(session): use int for ports as per go standards

* refactor(configuration): adjust tests and validation

* refactor(configuration): add err format consts

* refactor(configuration): explicitly map redis structs

* refactor(session): merge redis/redis sentinel providers

* refactor(session): add additional checks to redis providers

* feat(session): add redis cluster provider

* fix: update config for new values

* fix: provide nil certpool to affected tests/mocks

* test: add additional tests to cover uncovered code

* docs: expand explanation of host and nodes relation for redis

* ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum

* fix(session): sentinel password

* test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config

* test: make entrypoint.sh executable, fix entrypoint.sh if/elif

* test: add redis failover tests

* test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging

* test: add sentinel integration test

* test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep

* feat: use sentinel failover cluster

* fix: renamed addrs to sentineladdrs upstream

* test(session): sentinel failover

* test: add redis standard back into testing

* test: move redis standalone test to traefik2

* fix/docs: apply suggestions from code review
2021-03-10 10:03:05 +11:00
Clément Michaud b30b066138
[MISC] Validate domain set in session is not a wildcard domain. (#1092) 2020-06-07 17:47:02 +02:00
Clément Michaud fe5ebfb75a
[FEATURE] Bump to fasthttp/session/v2 to support redis unix socket. (#1001)
* [FEATURE] Bump to fasthttp/session/v2 to support redis unix socket.

* Fix lint issues.

* Remove v1 import and fix double import.

* [DOCS] Document use of redis unix socket.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-18 12:45:47 +10:00
Amir Zarrinkafsh de2c5836fd
[Buildkite] Introduce CI linting with golangci-lint and reviewdog (#832)
* [Buildkite] Introduce CI linting with golangci-lint and reviewdog

* Initial pass of golangci-lint

* Add gosimple (megacheck) recommendations

* Add golint recommendations

* [BUGFIX] Migrate authentication traces from v3 mongodb

* Add deadcode recommendations

* [BUGFIX] Fix ShortTimeouts suite when run in dev workflow

* Add unused recommendations

* Add unparam recommendations

* Disable linting on unfixable errors instead of skipping files

* Adjust nolint notation for unparam

* Fix ineffectual assignment to err raised by linter.

* Export environment variable in agent hook

* Add ineffassign recommendations

* Add staticcheck recommendations

* Add gocyclo recommendations

* Adjust ineffassign recommendations

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-04-09 11:05:17 +10:00
James Elliott 8aade7f40e
[MISC] Update durations to notation format and housekeeping (#824)
* added regulation validator
* made regulations find_time and ban_time values duration notation strings
* added DefaultRegulationConfiguration for the validator
* made session expiration and inactivity values duration notation strings
* TOTP period does not need to be converted because adjustment should be discouraged
* moved TOTP defaults to DefaultTOTPConfiguration and removed the consts
* arranged the root config validator in configuration file order
* adjusted tests for the changes
* moved duration notation docs to root of configuration
* added references to duration notation where applicable
* project wide gofmt and goimports:
* run gofmt
* run goimports -local github.com/authelia/authelia -w on all files
* Make jwt_secret error uniform and add tests
* now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 22:37:21 +10:00
James Elliott 626f5d2949
[FEATURE] Remember Me Configuration (#813)
* [FEATURE] Remember Me Configuration
* allow users to specify the duration of remember me using remember_me_duration in session config
* setting the duration to 0 disables remember me
* only render the remember me element if remember me is enabled
* prevent malicious users from faking remember me functionality in the backend
* add string to duration helper called ParseDurationString to parse a string into a duration
* added tests to the helper function
* use the SessionProvider to store the time.Duration instead of parsing it over and over again
* add sec doc, adjust month/min, consistency
* renamed internal/utils/constants.go to internal/utils/const.go to be consistent
* added security measure docs
* adjusted default remember me duration to be 1 month instead of 1 year
* utilize default remember me duration in the autheliaCtx mock
* adjust order of keys in session configuration examples
* add notes on session security measures secret only being redis 
* add TODO items for duration notation for both Expiration and Inactivity (will be removed soon)
* fix error text for Inactivity in the validator 
* add session validator tests
* deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY)
* remove unnecessary regex for the simplified ParseDurationString utility
* ParseDurationString only accepts decimals without leading zeros now
* comprehensively test all unit types
* remove unnecessary type unions in web
* add test to check sanity of time duration consts, this is just so they can't be accidentally changed
* simplify deref check and assignment
* fix reset password padding/margins
* adjust some doc wording
* adjust the handler configuration suite test
* actually run the handler configuration suite test (whoops)
* reduce the number of regex's used by ParseDurationString to 1, thanks to Clement
* adjust some error wording
2020-04-04 10:11:33 +11:00
Clément Michaud 4264e64f9b
[MISC] Encrypt session data in redis store. (#789)
This is a regression from v3. With this change session data is encrypted with AES-GCM using a 256-bit key derived from the provided secret.

Fixes #652.
2020-03-28 17:10:39 +11:00
Amir Zarrinkafsh fabb76754e
Rename org from clems4ever to authelia
Also fix references from config.yml to configuration.yml
2019-12-24 13:14:52 +11:00
Clement Michaud 3b2d733367 Move source code into internal directory to follow standard project layout.
https://github.com/golang-standards/project-layout
2019-11-17 16:30:33 +01:00