Commit Graph

228 Commits (d9be90e7687b109a24ccc0a35823307b49e11597)

Author SHA1 Message Date
Clément Michaud e5ccdb4449
[MISC] Introduce CryptAlgo type. (#960)
* [MISC] Introduce CryptAlgo type.

It helps distinguish between the configuration representation of an algorithm
and the crypt representation (6 and argon2id vs sha512 vs argon2id).

* Add a description to CryptAlgo.

* use const

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-05-03 14:06:09 +10:00
Amir Zarrinkafsh be0cc72473
[CI] Add goconst linter (#961)
* [CI] Add goconst linter

* Implement goconst recommendations

* Rename defaultPolicy to denyPolicy

* Change order for test constants

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-02 18:20:40 +02:00
Amir Zarrinkafsh e67f63ee44
[CI] Add godot linter (#958)
* [CI] Add godot linter

* Implement godot recommendations
2020-05-02 15:06:39 +10:00
James Elliott e95c6a294d
[HOTFIX] Prevent Username Enumeration (#950)
* [HOTFIX] Prevent Username Enumeration

* thanks to TheHllm for identifying the bug: https://github.com/TheHllm
* temporarily prevents username enumeration with file auth
* properly calculated and very slightly random fix to come

* closely replicate behaviour

* allow error to bubble up

* Synchronize security documentation.

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-02 00:32:09 +02:00
Amir Zarrinkafsh aebcb38f90
[MISC] Fix goimports ordering for repo (#947) 2020-05-01 16:56:42 +10:00
James Elliott 2437f989cb
[SECURITY] Disable HTTP server header (#946)
* [SECURITY] Disable HTTP Server Header

* alphabetize fasthttp.Server property assignment
2020-04-30 13:16:41 +10:00
James Elliott c9e8a924e0
[FEATURE] Buffer size configuration and additional http error handling (#944)
* implement read buffer size config option
* implement write buffer size config option
* implement fasthttp ErrorHandler so we can log errors to Authelia as well
* add struct/schema validation
* add default value
* add docs
* add config key to validator
* refactoring
* apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 12:03:05 +10:00
Amir Zarrinkafsh f8bd506326
[FEATURE] Embed static assets in Go binary (#916)
* [FEATURE] Embed static assets in Go binary

* Refactor/consolidate code and specify public_html via configuration

* Update docs and config template for assets

* Update AUR package pre-requisites and systemd unit

* Include static assets as Buildkite and GitHub artifacts

* Remove references to PUBLIC_DIR

* Only serve assets via embedded filesystem and remove configuration references

* Update authelia-scripts helper to build the embedded filesystem

* Mock the embedded filesystem for unit tests
Add to gitignore to ensure this isn't overwritten.

* Move go:generate to satisfy linter
2020-04-29 00:07:20 +10:00
Amir Zarrinkafsh 2f8bcef621
[CI] Adjust linting default excludes to align with goreportcard (#934) 2020-04-28 16:39:54 +10:00
dependabot-preview[bot] ab8db21214
[MISC] (deps): Bump node in /internal/suites/example/compose/authelia (#930)
Bumps node from 12-alpine to 14-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-04-27 13:13:03 +10:00
dependabot-preview[bot] 6c0e9f84b0
[MISC] (deps): Bump node in /internal/suites/example/compose/duo-api (#929)
Bumps node from 12-alpine to 14-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-04-27 12:53:16 +10:00
Clément Michaud 29325ab273
Fix CSP not propagated in default handler. (#915)
Also:
- not hide the CSP header in the dist version of suites.
- Fix CSP errors due to FontAwesome loading stylesheets dynamically.
2020-04-26 00:12:55 +02:00
Daniel Sutton ca4a890fb2
[MISC] Update to alpine 3.11.6 (#917)
* update to alpine 3.11.6

Signed-off-by: Daniel Sutton <daniel@ducksecops.uk>
2020-04-25 22:56:32 +02:00
Clément Michaud 9116135401
[BUGFIX] Bad redirection behavior after inactivity and inactivity update events. (#911)
* This affects primarily Authelia instances running behind Traefik or
nginx ingress controllers within Kubernetes because those proxies
require that Authelia returns 302 instead of 401 after the session
has been inactive for too long.
* fixes #909
* fixed activity timestamp not being updated when accessing forbidden resources.
* fix inactivity not updated when user was inactive for too long.
* cover inactivity timeout updates with unit tests.
2020-04-25 09:29:36 +10:00
James Elliott e89e040949
[FIX] File Notifier Default Permissions (#902)
* [FIX] File Notifier Default Permissions

* set to 0600 for security
* recreate file if it exists with correct perms
* remove named return vars from notifier
2020-04-23 12:01:24 +10:00
James Elliott c1ac25a15b
[FEATURE] Config Validation (#901)
* [FEATURE] Config Validation

* check configuration for invalid keys on startup
* allow users to manually trigger all configuration validation on a file using a cmd
* setup all defaults in config template and run tests against it to prevent accidents
* use tests to check bad configuration values are caught
* use tests to check old configuration values are caught
* add tests for specific key errors
* resolve merge conflicts
* nolint prealloc for test
2020-04-23 11:47:27 +10:00
James Elliott b9fb33d806
[FEATURE] File Secrets (#896)
* [FEATURE] File Secret Loading

* add a validator for secrets
* run the secrets validator before the main config validator
* only allow a secret to be defined in one of: config, env, file env
* remove LF if found in file
* update configuration before main config validation
* fix unit tests
* implement secret testing
* refactor the secrets validator
* make check os agnostic
* update docs
* add warning when user attempts to use ENV instead of ENV file
* discourage ENV in docs
* update config template
* oxford comma
* apply suggestions from code review
* rename Validate to ValidateConfiguration
* add k8s example
* add deprecation notice in docs and warning
* style changes
2020-04-23 11:11:32 +10:00
Amir Zarrinkafsh 9eb9d107f1
[DEPRECATE] Remove migration tools from latest version of Authelia (#894)
* [DEPRECATE] Remove migration tools from latest version of Authelia
Also update references to point to container version 4.14.2 for any of the migration examples.

* [DOCS] Remove v4 release statement in README.md
2020-04-22 13:55:30 +10:00
Amir Zarrinkafsh 54694c4fca
[MISC] Ignore errcheck recommendations for legacy code (#893)
* [MISC] Ignore errcheck recommendations for legacy code
Some of this is likely intended to stay how it is, some could use refactoring, for now we will mark it and ignore it from the linter to be potentially addressed in the future.

* [MISC] Ensure files are gofmt-ed
2020-04-22 13:33:14 +10:00
James Elliott fca190dedc
[MISC] Linting unparam fixes (#892)
* remove unused bools
2020-04-21 15:53:47 +10:00
James Elliott 9e9dee43ac
[FEATURE] Notifier Startup Checks (#889)
* implement SMTP notifier startup check
* check dial, starttls, auth, mail from, rcpt to, reset, and quit
* log the error on failure
* implement mock
* misc optimizations, adjustments, and refactoring
* implement validate_skip config option
* fix comments to end with period
* fix suites that used smtp notifier without a smtp container
* add docs
* add file notifier startup check
* move file mode into const.go
* disable gosec linting on insecureskipverify since it's intended, warned, and discouraged
* minor PR commentary adjustment
* apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-21 14:59:38 +10:00
Amir Zarrinkafsh 333137d56d
[MISC] Implement final golint recommendations (#888) 2020-04-21 10:48:24 +10:00
Clément Michaud b12d9d405f
[FEATURE] Add Content-Security-Policy meta to login portal. (#822)
CSP is used to avoid some attacks where the hacker tries to execute
untrusted code in the browser.

The policy is to use assets hosted on the original website and in order to make CSP work with material UI, a nonce is generated at each request of index.html and injected in the template as well as provided in the Content-Security-Policy header (https://material-ui.com/styles/advanced/#how-does-one-implement-csp)

Fix #815
2020-04-21 10:23:28 +10:00
Amir Zarrinkafsh 2e784084c7
[MISC] Implement golint recommendations (#885)
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-04-20 23:03:38 +02:00
James Elliott e72c653f6e
[BUGFIX] 2FA after 1FA only when necessary for access to target (#881)
* prevents requirement to always 2FA if the user doesn't have permission to access a target URL
2020-04-19 21:45:46 +10:00
Dustin Sweigart 951dc71325
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869)
* added support for listing multiple domains and multiple subjects

* updated documentation to show use of multiple domains and subjects

* updated config.template.yml to display multiple domains as a list

* updated config.template.yml to display multiple subjects as a list

* updated docs/configuration/access-control.md to display multiple domains as a list

* updated docs/configuration/access-control.md to display multiple subjects as a list

* removed redundant check that always returned true

* Commentary definition for `weak`
2020-04-16 10:18:11 +10:00
Sohalt 4deebe2a64
[BUGFIX] Allow username_attribute == mail_attribute (#865) 2020-04-15 22:26:23 +10:00
Clément Michaud 730e88df9d
[FEATURE] Make Authelia serve over TLS in all suites (#864)
* [BUGFIX] Fix dev workflow by using TLS for all suites.

* Fix traefik 1.x and 2.x suites.

* Display authelia logs on suite failure.

* Fix HAProxy suite.

* Extend timeout of test case.

* Display current URL in verify assertion.

* fix doLoginTwoFactor by adding a timeout

* when doLoginTwoFactor is used with blank target and a protected domain is quickly visited authelia sometimes redirects back to the portal
* fix by adding one second timeout
* bump go version to 1.14.2

* Fix Kube suite and bump dashboard.

* Update dist authelia-frontend to proxy_pass with variable

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Remove debug logs since it's polluting logs.

Also set timeout back to 5 seconds in HA suite.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-14 09:57:28 +10:00
Amir Zarrinkafsh 94fb28c6c0
[MISC] Update Go to 1.14.2 (#863) 2020-04-13 20:14:49 +10:00
Amir Zarrinkafsh 254e5ed239
[MISC] Fix authelia-{backend,frontend} dev server logging and startup (#862)
#767 added an interactive tty to the authelia-frontend server due to a bump in react-scripts, this in turn consumes all logging and pages on a failure and made it difficult to interact with within the dev workflow.
The tty has been replaced with an open stdin as this also satisfies the react-scripts requirement.

This change also ignores the web directory in the reflex script to avoid errors and long start-ups in the authelia-frontend container.
2020-04-13 15:00:44 +10:00
James Elliott 92084bc5b2
[MISC] Add http debug routes (#848)
* [MISC] Add debug endpoints to Authelia

* enabled only with trace logging
* allows go tool pprof usage when enabled
* enables both the expvarhandler and pprofhandler from fasthttp
* simplify tls/non-tls listen and serve
* make it easy to define custom settings of the fasthttp server in the future
* make name param optional
* add note about the trace setting in the documentation
2020-04-11 14:59:58 +10:00
James Elliott b3ce7fc379
[BUGFIX] Password hashing schema map mismatch with docs (#852)
* add a nolint for gosec 'possibly hardcoded password' that was incorrect
* make all parameters consistent
* update the docs for the correct key name 'password' instead of 'password_options' or 'password_hashing'
* reword some of the docs
* apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-11 13:54:18 +10:00
Amir Zarrinkafsh 0189688588
[MISC] Allow HEAD method on /api/verify (#850)
This is to natively support the upstream HAProxy module haproxy-auth-request without patching.
2020-04-11 12:14:26 +10:00
Amir Zarrinkafsh 76e8142032
[DOCS] Add Remote-User and Remote-Groups headers to Traefik docs and examples (#849) 2020-04-11 11:49:54 +10:00
Amir Zarrinkafsh de2c5836fd
[Buildkite] Introduce CI linting with golangci-lint and reviewdog (#832)
* [Buildkite] Introduce CI linting with golangci-lint and reviewdog

* Initial pass of golangci-lint

* Add gosimple (megacheck) recommendations

* Add golint recommendations

* [BUGFIX] Migrate authentication traces from v3 mongodb

* Add deadcode recommendations

* [BUGFIX] Fix ShortTimeouts suite when run in dev workflow

* Add unused recommendations

* Add unparam recommendations

* Disable linting on unfixable errors instead of skipping files

* Adjust nolint notation for unparam

* Fix ineffectual assignment to err raised by linter.

* Export environment variable in agent hook

* Add ineffassign recommendations

* Add staticcheck recommendations

* Add gocyclo recommendations

* Adjust ineffassign recommendations

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-04-09 11:05:17 +10:00
James Elliott 2fed503e5e
[FEATURE] Customizable Email Subject (#830)
* [FEATURE] Customizable Email Subject

* allow users to optionally change email subject
* this is so they can more easily communicate the source of the email

* Update docs/configuration/notifier/smtp.md

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-09 10:21:28 +10:00
Amir Zarrinkafsh b692aa73d3
[MISC] Fix dev workflow for Standalone suite (#811)
Since the TLS change was implemented, the Standalone suite attempts to reach authelia-frontend:3001. This only works for the dist/CI based workflow as nginx is run in place of node and the respective ports are exposed.
This change will attempt authelia-frontend:3001 initially for the Standalone suite but given the server is unreachable in the dev workflow, it will mark authelia-frontend:3001 as unavailable for 180s and route all requests to authelia-frontend:3000 instead.
2020-04-06 10:15:05 +10:00
James Elliott 8aade7f40e
[MISC] Update durations to notation format and housekeeping (#824)
* added regulation validator
* made regulations find_time and ban_time values duration notation strings
* added DefaultRegulationConfiguration for the validator
* made session expiration and inactivity values duration notation strings
* TOTP period does not need to be converted because adjustment should be discouraged
* moved TOTP defaults to DefaultTOTPConfiguration and removed the consts
* arranged the root config validator in configuration file order
* adjusted tests for the changes
* moved duration notation docs to root of configuration
* added references to duration notation where applicable
* project wide gofmt and goimports:
* run gofmt
* run goimports -local github.com/authelia/authelia -w on all files
* Make jwt_secret error uniform and add tests
* now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 22:37:21 +10:00
James Elliott 9800421b88
[FEATURE] Disable Reset Password (#823)
* [FEATURE] Disable Reset Password
* add configuration key to authentication_backend called disable_reset_password
* disable_reset_password prevents the API handler for the functionality and the UI element
* disable_reset_password is a boolean
* adjust RememberMeEnabled to be RememberMe instead as it's just unnecessary
* add docs for security measures and in the authentication docs
* updated config.template.yml
* add flexEnd style to align reset password when remember me disabled
* add todo items for ldap user/password validation relating to this
2020-04-05 09:28:09 +10:00
James Elliott 626f5d2949
[FEATURE] Remember Me Configuration (#813)
* [FEATURE] Remember Me Configuration
* allow users to specify the duration of remember me using remember_me_duration in session config
* setting the duration to 0 disables remember me
* only render the remember me element if remember me is enabled
* prevent malicious users from faking remember me functionality in the backend
* add string to duration helper called ParseDurationString to parse a string into a duration
* added tests to the helper function
* use the SessionProvider to store the time.Duration instead of parsing it over and over again
* add sec doc, adjust month/min, consistency
* renamed internal/utils/constants.go to internal/utils/const.go to be consistent
* added security measure docs
* adjusted default remember me duration to be 1 month instead of 1 year
* utilize default remember me duration in the autheliaCtx mock
* adjust order of keys in session configuration examples
* add notes on session security measures secret only being redis 
* add TODO items for duration notation for both Expiration and Inactivity (will be removed soon)
* fix error text for Inactivity in the validator 
* add session validator tests
* deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY)
* remove unnecessary regex for the simplified ParseDurationString utility
* ParseDurationString only accepts decimals without leading zeros now
* comprehensively test all unit types
* remove unnecessary type unions in web
* add test to check sanity of time duration consts, this is just so they can't be accidentally changed
* simplify deref check and assignment
* fix reset password padding/margins
* adjust some doc wording
* adjust the handler configuration suite test
* actually run the handler configuration suite test (whoops)
* reduce the number of regex's used by ParseDurationString to 1, thanks to Clement
* adjust some error wording
2020-04-04 10:11:33 +11:00
Amir Zarrinkafsh d82b46a3ec
[FEATURE] Autofocus on authentication and OTP pages (#806)
* [FEATURE] Autofocus on authentication and OTP pages
This change sets the input focus on the first factor authentication and OTP pages.

The behaviour for the first factor authentication page has also been amended slightly: if an incorrect username or password is provided the password field will be cleared and set as the focus.

One thing to note is that the OTP page does not focus on any re-rendering and this is because the component doesn't handle focusing. This means that the OTP input is only auto-focused when you first visit it; if you enter an incorrect OTP there will be no focus.

Ideally we should be looking for a different library or writing a component for this ourselves in future.

Closes #511.

* Add TODO markers for potential refactor
2020-04-01 10:27:54 +11:00
Clément Michaud 7a3e782dc0
[FEATURE][BREAKING] Allow users to sign in with email. (#792)
* [FEATURE][BREAKING] Allow users to sign in with email.

The users_filter purpose evolved with the introduction of username_attribute
but is reverted here to allow the most flexibility. users_filter is now the
actual filter used for searching the user and not a sub-filter based on the
username_attribute anymore.

* {input} placeholder has been introduced to later deprecate {0} which has been
kept for backward compatibility.
* {username_attribute} and {mail_attribute} are new placeholders used to back
reference other configuration options.

Fix #735

* [MISC] Introduce new placeholders for groups_filter too.

* [MISC] Update BREAKING.md to mention the change regarding users_filter.

* [MISC] Fix unit and integration tests.

* Log an error message in console when U2F is not supported.

* Apply suggestions from code review

* Update BREAKING.md

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-31 09:36:04 +11:00
Clément Michaud 94a63edabb
[MISC] Fix comment dealing with aes implementation. (#791) 2020-03-29 10:07:05 +11:00
Clément Michaud 4264e64f9b
[MISC] Encrypt session data in redis store. (#789)
This is a regression from v3. With this change session data is encrypted with AES-GCM using a 256-bit key derived from the provided secret.

Fixes #652.
2020-03-28 17:10:39 +11:00
James Elliott 40fb13ba3c
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773)
* Add period TOPT config key to define the time in seconds each OTP is rotated
* Add skew TOTP config to define how many keys either side of the current one should be considered valid
* Add tests and set minimum values
* Update config template
* Use unix epoch for position calculation and Fix QR gen
  * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute
* Generate QR based on period
* Fix OTP timer graphic
2020-03-25 12:48:20 +11:00
Clément Michaud 2b4bb3bb05
[MISC] Debug message shows used headers instead of fallback warning. (#772)
This enhancement clarifies the log message following discussions, closes #691.
2020-03-23 09:12:24 +11:00
Clément Michaud c3a2e70d57
[MISC] Automatically redirect from http to https in suites. (#769) 2020-03-22 17:04:51 +11:00
Clément Michaud 060b4a19f6
[MISC] Fix authelia-frontend dev server startup. (#767)
The latest react-scripts bumps broke the startup of the authelia-frontend
container because the new version of react-scripts behaves differently when
the container is spawned with a pseudo-tty and when there is not.
2020-03-22 13:10:24 +11:00
Amir Zarrinkafsh 298d56dea3
[DEPS] Fix gopkg.in/ldap.v3 import for dependabot (#726) 2020-03-19 15:22:46 +11:00
Amir Zarrinkafsh eeabb96dd0
[BUGFIX] LDAP group retrieval of users with parenthesis in their name (#713)
This aligns the search filter escaping to [RFC4515](https://tools.ietf.org/search/rfc4515).
`base.ldif` has also been updated to be a closer match to RFC 2307.
2020-03-16 19:55:03 +11:00
Clément Michaud 359dd48092
[BUGFIX] Make users_filter configuration of LDAP backend optional. (#710)
This PR aligns the situation with what is currently documented.
2020-03-15 23:10:13 +11:00
Clément Michaud cc6650dbcd
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687)
* [BUGFIX] Set username retrieved from authentication backend in session.

In some setups, binding is case insensitive but Authelia is case
sensitive and therefore needs the actual username as stored in the
authentication backend in order for Authelia to work correctly.

Fixes #561.

* Use uid attribute as unique user identifier in suites.

* Fix the integration tests.

* Update config.template.yml

* Compute user filter based on username attribute and users_filter.

The filter provided in users_filter is now combined with a filter
based on the username attribute to perform the LDAP search query
finding a user object from the username.

* Fix LDAP based integration tests.

* Update `users_filter` reference examples
2020-03-15 18:10:25 +11:00
Amir Zarrinkafsh 7d7ad9bd28
[MISC] Adjust TLS log messages (#701)
* [MISC] Adjust TLS log messages

* [MISC] Fix integration tests
2020-03-10 18:14:28 +11:00
Clément Michaud c429488738
[FEATURE] [BREAKING] Support writing logs in a file. (#686)
* [FEATURE] Support writing logs in a file.

* Add documentation about logs file path.

* Rename logs_level and logs_file_path into log_level and log_file_path.

* Update BREAKING.md

Fixes #338

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-09 20:57:53 +01:00
Amir Zarrinkafsh cc25b565c7
[MISC] Update Golang and QEMU to v1.14.0 and v4.2.0-6 respectively (#685)
* [MISC] Update Golang and QEMU to v1.14.0 and v4.2.0-6 respectively

* Argon2id memory in MB for Config Template

* Doc Fix

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-03-06 19:40:56 +11:00
James Elliott 26369fff3d
[FEATURE] Support Argon2id password hashing and improved entropy (#679)
* [FEATURE] Support Argon2id Passwords

- Updated go module github.com/simia-tech/crypt
- Added Argon2id support for file based authentication backend
- Made it the default method
- Made it so backwards compatibility with SHA512 exists
- Force seeding of the random string generator used for salts to ensure they are all different
- Added command params to the authelia hash-password command
- Automatically remove {CRYPT} from hashes as they are updated
- Automatically change hashes when they are updated to the configured algorithm
- Made the hashing algorithm parameters completely configurable
- Added reasonably comprehensive test suites
- Updated docs
- Updated config template

* Adjust error output

* Fix unit test

* Add unit tests and argon2 version check

* Fix new unit tests

* Update docs, added tests

* Implement configurable values and more comprehensive testing

* Added cmd params to hash_password, updated docs, misc fixes

* More detailed error for cmd, fixed a typo

* Fixed cmd flag error, minor refactoring

* Requested Changes and Minor refactoring

* Increase entropy

* Update docs for entropy changes

* Refactor to reduce nesting and easier code maintenance

* Cleanup Errors (uniformity for the function call)

* Check salt length, fix docs

* Add Base64 string validation for argon2id

* Cleanup and Finalization
- Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go
- Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len
- Fixed an error in validator that would allow a zero salt length
- Added a test to verify the upstream crypt module supports our defined random salt chars
- Updated docs
- Removed unused "HashingAlgorithm" string type

* Update crypt go mod, support argon2id key length and major refactor

* Config Template Update, Final Tests

* Use schema defaults for hash-password cmd

* Iterations check

* Docs requested changes

* Test Coverage, suggested edits

* Wording edit

* Doc changes

* Default sanity changes

* Default sanity changes - docs

* CI Sanity changes

* Memory in MB
2020-03-06 12:38:02 +11:00
Amir Zarrinkafsh 72a3f1e0d7
[BUGFIX] Skip 2FA step if no ACL rule is two_factor (#684)
When no rule is set to two_factor in ACL configuration, 2FA is
considered disabled. Therefore, when a user cannot be redirected
correctly because no target URL is provided or the URL is unsafe,
the user is either redirected to the default URL or to the
'already authenticated' view instead of the second factor view.

Fixes #683
2020-03-06 11:31:09 +11:00
Amir Zarrinkafsh 0dea0fc82e
[FEATURE] Support MySQL as a storage backend. (#678)
* [FEATURE] Support MySQL as a storage backend.

Fixes #512.

* Fix integration tests and include MySQL in docs.
2020-03-05 10:25:52 +11:00
Clément Michaud faf43de14f
[FEATURE] Add TLS support. (#677)
* [FEATURE] Add TLS support.

Fixes #368.

* [FEATURE] Introduce OnError hook in suites.

This hook allows performing actions following an erroneous suite,
like displaying the logs of Authelia.

* Display Authelia logs of Standalone suite when tests fail.

* Fix Standalone suite.

* Apply suggestions from code review

* Rename ssl_key and ssl_cert into tls_key and tls_cert.
2020-03-03 18:18:25 +11:00
Clément Michaud 0c43740a4e
[FEATURE] Add command to generate self-signed certs in authelia binary. (#676)
* [FEATURE] Add command to generate self-signed certs in authelia binary.
* Apply suggestions from code review

Fixes #454 

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-01 14:08:09 +01:00
James Elliott 898f2a807e
[MISC] Add Detailed DUO Push Logging (#664)
* [MISC] Add Detailed DUO Push Logging

- Added trace logging for all response data from the DUO API
- Added warning messages on auth failures
- Added debug logging when DUO auth begins
- Updated mocks/unit tests to use the AutheliaCtx as required
2020-03-01 11:51:11 +11:00
Clément Michaud 3816aa4df2
[FEATURE] Regenerate session IDs after 2FA authentication. (#670)
Session fixation attacks were prevented because a session ID was
regenerated at each first factor authentication, but this commit
generalizes session regeneration from first to second factor too.

Fixes #180
2020-03-01 00:13:33 +01:00
James Elliott fc05b973ad
[FEATURE] Redis DB Index Selection (#653)
* [FEATURE] Redis DB Number Selection
- Allow users to specify the DB number
- This is so users who use their redis for multiple purposes can have clear demarcation between their data

* revert: import order

* Add default/example to config template with docs

* Set DB Index property name to be more clear
2020-02-28 11:14:44 +11:00
Paul Williams 829757d3bc
[FEATURE] Support secure websocket connections. (#656)
* Add WSS support for insecure scheme detection

WSS connections were broken by the introduction of this check. Adding WSS as a supported scheme for secure connections prevents a 401 being returned for an authorised connection.

* Add tests for WSS

Also extend HTTPS tests to ensure they do not catch WSS URLs
2020-02-28 10:28:53 +11:00
Clément Michaud 82d8e1d57a
[BUGFIX] Fix crash when no emails or groups are retrieved from LDAP. (#651)
* [BUGFIX] Fix crash when no emails or groups are retrieved from LDAP.

If the group or email attribute configured by the user in the configuration is not
found in the user object, the list of attributes in the LDAP search result is empty.
This change introduces a check before accessing the first element of the
list, which previously led to out of bound access.

Fixes #647.

* [MISC] Change log level of LDAP connection creation to trace.
2020-02-27 23:21:07 +01:00
Clément Michaud efb567f3d5
Fix development workflow. (#649)
Suites cannot be run locally anymore following the move of the example
directory into the suites directory.
2020-02-27 10:44:29 +01:00
James Elliott e1cd524f65
[FEATURE] SMTPS support (#643)
* [FEATURE] SMTPS Support
- Added port_tls option to enable SMTPS, off by default.

* Remove configuration variable for SMTPS

Instead we enable SMTPS on port 465 only. The reason for this is so we don't require an additional configuration variable.

* Add SMTPS warning and updated docs

* Adjust SMTPS warning
2020-02-20 12:09:46 +11:00
Clément Michaud 6390826618
[MISC] Add several logs to help users detect misconfiguration issues (#639)
* Help users detect misconfiguration of their protected domain.

Sometimes users try to visit a URL pointing to a domain which is
not protected by Authelia and thus authentication fails. This log
line will help users detect those cases.

* Add a log to detect bad schemes in target URLs.

This helps users detect when a URL is http while it should be https.
Indeed, cookies are transported solely over a secure connection for
security reasons.
2020-02-19 09:39:07 +11:00
Clément Michaud c578c8651d
[MISC] Add unit tests to authorization module and trace logs. (#638)
This aims to help debug #637.
2020-02-19 09:15:09 +11:00
Clément Michaud 4643e488db
[MISC] Fail with an error message when X-Forwarded-* headers are missing (#631)
* Fail with an error message when X-Forwarded-* headers are missing.

* Remove useless comments.
2020-02-13 13:12:37 +11:00
Amir Zarrinkafsh f1a89de2e7
[MISC] Restructure repo folder layout (#628) 2020-02-09 18:04:27 +01:00
Clément Michaud 915b6b5436
[FIX] Prevent crash when storage config is nil (#623)
* Prevent crash when storage config is nil.

* Fix google analytics configuration.

Fixes #622.
2020-02-06 13:53:02 +11:00
Clément Michaud a63d55201f
[MISC] Improve documentation around headers used by verify endpoint. (#620)
* Explicitly document missing X-Forwarded-Proto and X-Forwarded-Host headers.

* Add the name of the authorization header in error messages.

* Add error and debug logs about X-Original-URL header.

* Add error log when not able to parse target URL in verify endpoint.

* Fix unit tests.
2020-02-06 13:24:25 +11:00
Clément Michaud d1d02d9eae
[FIX] Redirect to default URL after 1FA when default policy is one_factor. (#611)
* Redirect to default URL after 1FA when default policy is one_factor.

User is now redirected to the default redirection URL after 1FA if
the default policy is set to one_factor and there is no target URL
or if the target URL is unsafe.

Also, if the default policy is set to one_factor and the user is already
authenticated, if she visits the login portal, the 'already authenticated'
view is displayed with a logout button.

This fixes #581.

* Update users.yml

* Fix permissions issue causing suite test failure
2020-02-05 08:18:02 +11:00
Clément Michaud ea9b408b70
[FIX] Fix default redirection URL not taken into account (#600)
* Remove unused mongo docker-compose file.

* Default redirection URL was not taken into account.

* Fix possible storage options in config template.

* Remove useless checks in u2f registration endpoints.

* Add default redirection url in config of duo suite.

* Fix log line in response handler of 2FA methods.

* Fix integration tests.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-02-01 13:54:50 +01:00
James Elliott 152b33e4fa [FIX] SMTP Notifier Unhandled Error Conditions (#585)
- Only attempt to close the connection once it's established.
- Defer the client Quit/Close so that it always executes at the end.
- Fixes #585
2020-01-28 15:19:54 +11:00
James Elliott 31ca4f891f [FIX] Disable regulation when max_retries set to 0 (#584)
- Only set regulator to enabled if max_retries is not set to 0, default is false (zero value).
- Added test for the scenario.
- Fixes #584
2020-01-27 22:54:24 +11:00
Clement Michaud 2acf8bf21c Add hash-password and migrate commands to authelia binary.
This reduces the size of the docker image and avoids confusing users.

We keep the commands in authelia-scripts too in order to keep the
current workflow of developers.
2020-01-22 11:53:15 +11:00
Clement Michaud bb7781fd2b Use env variables to configure secrets in Standalone suite. 2020-01-22 10:15:25 +11:00
Clement Michaud cab97d5f2f Bind secret environment variable to allow unmarshalling. 2020-01-22 10:15:25 +11:00
Clement Michaud e92d3ced3a Introduce viper in order to read secrets from env variables. 2020-01-22 10:15:25 +11:00
Clement Michaud ea86b62527 Add validation for notifier configuration. 2020-01-22 10:15:25 +11:00
James Elliott 736ed3f212 Misc Spelling Corrections
- Mostly changes to spelling of comments/docs/displayed text
- A few changes to test function names
2020-01-21 12:16:00 +11:00
Clement Michaud 47b34b4026 Escape special LDAP characters as suggested by OWASP.
https://owasp.org/www-project-cheat-sheets/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
2020-01-21 09:46:17 +11:00
Amir Zarrinkafsh a02fb1438e Add Traefik2 suite and refactor Traefik suite (#562)
* Update Traefik 1.x to v1.7.20 for integration tests

* Add suite for Traefik 2.x

* Refactor Traefik2 suite to utilise Docker labels

* Move Traefik2 middleware definition to a file based provider

* Expose Traefik2 dashboard
The API/Dashboard can be reached at https://traefik.example.com:8080/

* Move Traefik frontend/backend definitions to Docker labels

* Move Traefik2 router/service definitions to Docker labels

* Normalise all Traefik configuration via labels and commands
When the middleware issue with Traefik 2.x (#476) is resolved this means all Traefik related configuration can be self-contained within the respective docker-compose.yml files.

* Define ports for Authelia frontend/backend services

* Adjust Traefik2 suite to new dev workflow

* Normalise all Traefik2 middlewares via labels

* Fix typo in middleware and comment labels specifying Traefik version
2020-01-19 11:06:37 +01:00
Clément Michaud 2e86f270cd Encode URL set to rd parameter. (#559)
* Encode URL set to rd parameter.

URL encoding that parameter solves PR #476.

Some URL parameters set during redirection were magically disappearing
after the redirection due to the authentication process. By using URL encoding,
those parameters should not be stripped anymore.

* Fix integration tests.
2020-01-19 01:57:42 +11:00
James Elliott e6ddedf23d Fixes Remember Me functionality
- Adjust the remember me duration to 1 year
- Fixes #552
2020-01-18 00:27:01 +01:00
Clement Michaud ece4423d33 Add back wait block in buildkite pipeline. 2020-01-18 00:12:36 +01:00
Clement Michaud 841de2b75d Disable inactivity timeout when user checked remember me.
Instead of checking the value of the cookie expiration we rely
on the boolean stored in the user session to check whether inactivity
timeout should be disabled.
2020-01-18 00:12:36 +01:00
Clement Michaud 6792fd5bc3 Add --ignore-certificate-errors flag to chromium-browser command in integration tests.
This flag fixes error messages when running the tests for the first time.
2020-01-18 00:12:36 +01:00
Clément Michaud ce7b6b8167
Build docker image upfront in CI and use it in integration tests. (#555)
* Build docker image upfront in CI and use it in integration tests.

Previously, the development workflow was broken because the container
generated from Dockerfile.CI was used in dev environments but the binary
was not pre-built as it is on buildkite. I propose to just remove that
image and use the "to be published" image instead in integration tests.

This will have several advantages:
- Fix the dev workflow.
- Remove CI arch from authelia-scripts build command
- Optimize CI time in buildkite since we'll cache a way smaller artifact
- We don't build authelia more than once for each arch.

* Fix suites and only build ARM images on master or tagged commits

* Optimise pipeline dependencies and Kubernetes suite to utilise cache

* Run unit tests and docker image build in parallel.

* Fix suite trying to write on read only fs.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-01-17 20:46:51 +01:00
Amir Zarrinkafsh 9b8be0fef0 Remove Travis and promote Buildkite (#545)
* Remove Travis and promote Buildkite

* Add Docker Size badge to README.md

* Call MicroBadger webhook to update metadata for shields

Add updateMicroBadger function and refactor publishDockerReadme to be called explicitly instead of on every deployManifest call.
2020-01-16 21:57:44 +01:00
James Elliott 242386e279 Force TLS and valid x509 certs in SMTP Notifier by default
- Adjust AUTH LOGIN functionality to be closer to AUTH PLAIN
- Removed: secure (notifier smtp conf) boolean string
- Added: disable_verify_cert (notifier smtp conf) boolean
    - disables X509 validation of certificates
- Added: disable_require_tls (notifier smtp conf) boolean
    - allows emails to be sent over plain text (for non-authenticated only)
- Added: trusted_cert (notifier smtp conf) string (path)
    - allows specifying the path of a PEM format cert to add to trusted cert pool
- Make SMTP notifier return errors on connection over plain text
- Make SMTP notifier return errors on TLS connection with invalid certs
- Implemented various debug logging for the SMTP notifier
- Implemented explicit SMTP closes on errors (previously left con open)
- Split SMTPNotifier Send func to separate funcs for:
    - writing future test suites and startup checks more easily
    - organization and readability
- Add details of changes to docs/security.yml
- Adjust config.yml's (template and test) for the changes
2020-01-10 17:37:16 +01:00
James Elliott 1ef3485418 Fix duplicate Content-Type header in SMTPNotifier
- SMTPNotifier would send the Content-Type header twice
- Fixes #498
2020-01-10 17:37:16 +01:00
Amir Zarrinkafsh 7dc4ac5cd9 Create a suite for HAProxy 2020-01-10 11:41:01 +01:00
Amir Zarrinkafsh 612881ca67 Fix spelling errors 2020-01-10 11:33:18 +01:00
James Elliott 6e946dc859 Added sec warn, more debug logging detail
- Added a warning for users who attempt authentication on servers that don't allow STARTTLS (they are transmitted in plain text)
- Included a note when AUTH fails due to no supported mechanisms including the mechanisms supported (PLAIN and LOGIN)
2019-12-28 09:35:01 +01:00
James Elliott c4b56a6002 Implement SMTP StartTLS and Adaptive Auth
- If the STARTTLS extension is advertised we automatically STARTTLS before authenticating or sending
- Uses the secure config key to determine if we should verify the cert. By default it does not verify the cert (should not break any configs)
- Attempt auth when the config has a SMTP password and the server supports the AUTH extension and either the PLAIN or LOGIN mechanism
- Check the mechanisms supported by the server and use PLAIN or LOGIN depending on which is supported
- Changed secure key to use boolean values instead of strings
- Arranged SMTP notifier properties/vars to be in the same order
- Log the steps for STARTTLS (debug only)
- Log the steps for AUTH (debug only)
2019-12-28 09:35:01 +01:00
Clement Michaud 716e017521 Add early checks for user hashes. 2019-12-28 09:08:54 +01:00
Clement Michaud 1ee442e86f Improve logs of password hashing to help troubleshoot issues. 2019-12-28 09:08:54 +01:00
Amir Zarrinkafsh 2fb20882d9
Utilise Buildkite for Authelia CI/CD (#507)
Publish steps are currently disabled.
2019-12-27 22:07:53 +11:00
Amir Zarrinkafsh fabb76754e
Rename org from clems4ever to authelia
Also fix references from config.yml to configuration.yml
2019-12-24 13:14:52 +11:00
James Elliott 09b4e4e57e Allow blank additional_groups_dn and additional_users_dn
- Make the DN concatenation uniform between both Users and Groups
- Make it possible to use a blank or commented out additional_users_dn or additional_groups_dn for ldap backends
- Fixes #508
2019-12-19 23:29:16 +01:00
James Elliott f3cf092433 Fix second_factor_method creation length
- mobile_push is 11 characters long, but db init sets it to 10.
2019-12-19 23:27:04 +01:00
James Elliott a189c28af3 Fix PostgreSQL Update Second Factor Method Pref
- column name is second_factor_method, not method
2019-12-19 23:27:04 +01:00
Clement Michaud bdf0c07a41 Display correct RemoteIP in logs. 2019-12-11 19:01:16 +01:00
Clement Michaud 4dd6260ac8 Revert "Read X-Real-Ip as the remote IP provided by the proxy."
This reverts commit fccb55f714.

Avoid exposing Authelia to more attacks by only keeping X-Forwarded-For.
2019-12-11 08:29:32 +01:00
Clement Michaud fccb55f714 Read X-Real-Ip as the remote IP provided by the proxy.
Authelia needs to know which IP the request originated from in
order to apply network-based ACL rules. Authelia already supported
X-Forwarded-For but X-Real-IP is another way to define it. It takes
precedence over X-Forwarded-For.
2019-12-10 23:47:05 +01:00
Clement Michaud 26798cdf3a Add a check for enclosing parenthesis in LDAP users and groups filters. 2019-12-09 13:03:12 +01:00
Clement Michaud f4f5d17684 Add host parameter to configure the interface Authelia listens on. 2019-12-08 19:07:19 +01:00
Clement Michaud 6f1ec2094d Fix HighAvailability suite randomness. 2019-12-08 16:41:28 +01:00
Clement Michaud 3d20142292 Allow administrator to provide a Google Analytics tracking ID.
Providing a GA tracking ID allows administrators to analyze
how the portal is used by their users in large environments,
i.e., with many users.
This will make even more sense when we have users and admins
management interfaces.
2019-12-08 14:31:48 +01:00
Clement Michaud 3faa63e8ed Use lower case database table names. 2019-12-08 14:31:48 +01:00
Clement Michaud 7c3f8c0460 Fix backend unit tests. 2019-12-08 14:31:48 +01:00
Clement Michaud df33bef478 Test user does see the not registered message.
When a user uses Authelia for the first time no device is enrolled in DB.
Now we test that the user does see the "not registered" message when
no device is enrolled and sees the standard 2FA method when a device is
already enrolled.
2019-12-08 14:31:48 +01:00
Clement Michaud 5942e00412 Introduce hasU2F and hasTOTP in user info. 2019-12-08 14:31:48 +01:00
Clement Michaud d077ad10da Update expiration timeouts from milliseconds to seconds. 2019-12-07 14:36:24 +01:00
Clement Michaud cc50a7eec5 Add a warning log when /%23/ characters are detected. 2019-12-06 22:34:57 +01:00
Clement Michaud e21da43fd6 Add support for LDAP over TLS. 2019-12-06 21:33:47 +01:00
Clement Michaud 336276be98 Be able to run scenarios in isolation for each suite. 2019-12-06 07:11:54 +01:00
Clement Michaud 40094b67a3 Avoid creating a symbolic link to chromedriver in Travis. 2019-12-05 11:05:24 +01:00
Clement Michaud 135cf718d5 Fix DuoPush suite and do some clean up. 2019-12-05 11:05:24 +01:00
Clement Michaud b89f63e9c1 Fix and parallelize integration tests. 2019-12-05 11:05:24 +01:00
Clement Michaud be802cfc7b Fix unit tests. 2019-12-05 11:05:24 +01:00
Clement Michaud 17eaeabdf9 Remove the test directory at the root of the repo. 2019-12-05 11:05:24 +01:00
Clement Michaud c78a732c6a Rewrite and fix remaining suites in Go. 2019-12-05 11:05:24 +01:00
Clement Michaud 9ae2096d2a Rewrite authelia frontend to improve user experience.
This refactoring simplifies the code of the frontend and prepares the
portal for receiving a user settings page and an admin page.
2019-12-05 11:05:24 +01:00
Clement Michaud 3b2d733367 Move source code into internal directory to follow standard project layout.
https://github.com/golang-standards/project-layout
2019-11-17 16:30:33 +01:00