Commit Graph

144 Commits (eaa4fb5fb731868bf48820baaef434e6df87a3ee)

Author SHA1 Message Date
James Elliott a50d425863
refactor(middlewares): convert the bridge to a builder (#3338)
This adjusts the bridge to be utilized as a builder in order to make it more reusable.
2022-06-10 11:34:43 +10:00
Manuel Nuñez 37de389c2f
feat(web): translation for page title/footer (#3401)
Add translations for title and footer.
2022-06-09 11:46:15 +10:00
James Elliott a793ef8b5a
i18n: update translations (#3447) 2022-05-28 17:01:54 +10:00
haowei 3a2804928f
i18n: add zh-tw translation for portal.json (#3439) 2022-05-28 14:43:21 +10:00
SvanGlan 71c47c7344
i18n: update sv translation of portal.json (#3430)
Correct a few issues in the Swedish translation files.
2022-05-25 21:28:40 +10:00
James Elliott aa5bee68f7
i18n: update translations (#3425) 2022-05-25 12:46:47 +10:00
James Elliott 77ac770585
i18n: update translations (#3399) 2022-05-24 22:07:24 +10:00
SvanGlan 40bfef9aaa
i18n: add sv translation for portal.json (#3421) 2022-05-24 21:48:02 +10:00
Auzborn123 2e1bfaa7db
i18n: fix ru translation (#3384)
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-05-18 15:09:23 +10:00
Auzborn123 5dacdd1278
i18n: add ru translation for portal.json (#3367) 2022-05-16 11:19:28 +10:00
James Elliott 0855ea2f71
fix(server): missing cache and xss headers (#3289)
Addresses documentation and a couple of headers which were missed.
2022-05-04 14:47:23 +10:00
James Elliott 556a115c83
fix(server): missing modern security headers (#3288)
This fixes an issue with missing modern security headers such as the X-Content-Type-Options, Referer-Policy, etc.
2022-05-03 12:19:30 +10:00
James Elliott 4710de33a4
refactor(configuration): remove ptr for duoapi and notifier (#3200)
This adds to the ongoing effort to remove all pointers to structs in the configuration without breaking backwards compatibility.
2022-04-16 09:34:26 +10:00
James Elliott 79935c7e2e
fix(server): locale format incorrect (#3154)
This fixes an issue where the locale would be formatted as en-en instead of en-US.
2022-04-09 21:38:17 +10:00
James Elliott f9da940bfc
fix(web): description of profile scope is not accurate (#3146)
This adjusts the profile scope to be described as "Access your profile information" as it accesses more than the display name now.
2022-04-09 08:47:21 +10:00
James Elliott 66a450ed38
feat(oidc): pre-configured consent (#3118)
Allows users to pre-configure consent if enabled by the client configuration by selecting a checkbox during consent.

Closes #2598
2022-04-08 15:35:21 +10:00
James Elliott 4503ac07be
fix(web): lowercase locales are not consistent with localization platforms (#3141)
This fixes an issue with localization platforms and the docs regarding localization, and the forcing locale names to lowercase.
2022-04-08 14:53:46 +10:00
James Elliott ce6bf74c8d
fix(server): incorrect remote ip logged in error handler (#3139)
This fixes edge cases where the remote IP was not correctly logged. Generally this is not an issue as most errors do not hit this handler, but in instances where a transport error occurs this is important.
2022-04-08 14:13:47 +10:00
James Elliott 90edf11b88
feat(web): add user display name to oidc consent view (#3138)
This adds the current logged in users display name to the consent page as well as some other minor tweaks.

Closes #2595
2022-04-08 12:50:55 +10:00
James Elliott 4ebd8fdf4e
feat(oidc): provide cors config including options handlers (#3005)
This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins.
2022-04-07 10:58:51 +10:00
renovate[bot] d96c93ef2b
build(deps): update module github.com/valyala/fasthttp to v1.35.0 (#3120)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2022-04-06 07:57:23 +10:00
Clément Michaud 3ca438e3d5
feat: implement mutual tls in the web server (#3065)
Mutual TLS helps prevent untrusted clients communicating with services like Authelia. This can be utilized to reduce the attack surface.

Fixes #3041
2022-04-05 09:57:47 +10:00
James Elliott a2eb0316c8
feat(web): password reset custom url (#3111)
This allows providing a custom URL for password resets. If provided the disable_reset_password option is ignored, the password reset API is disabled, and the button provided in the UI to reset the password redirects users to the configured endpoint.

Closes #1934, Closes #2854

Co-authored-by: you1996 <youssri@flyweight.tech>
2022-04-04 17:46:55 +10:00
James Elliott aac4c4772c
feat(web): i18n asset overrides (#3040)
This allows overriding translation files in folders with lowercase RFC5646 / BCP47 Format language codes. This also fixes an issues where languages which don't expressly match the language code specified due to having a variant will also match the existing codes.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-04-04 12:15:26 +10:00
James Elliott 2502d89682
fix(server): respond with 404/405 appropriately (#3087)
This adjusts the not found handler to not respond with a 404 on not found endpoints that are part of the /api or /.well-known folders, and respond with a 405 when the method isn't implemented.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-04-04 09:58:01 +10:00
James Elliott 9e05066097
refactor(handlers): ppolicy (#3103)
Add tests and makes the password policy a provider so the configuration can be loaded to memory on startup.
2022-04-03 21:58:27 +10:00
James Elliott 70ab8aab15
fix(web): show appropriate default and available methods (#2999)
This ensures that; the method set when a user does not have a preference is a method that is available, that if a user has a preferred method that is not available it is changed to an enabled method with preference put on methods the user has configured, that the frontend does not show the method selection option when only one method is available.
2022-03-28 12:26:30 +11:00
James Elliott 2f31db2db3
fix(server): healthcheck ipv6 format is invalid (#3055)
This fixes an issue with the healthcheck writting the IPv6 host without brackets.
2022-03-25 11:56:23 +11:00
James Elliott b43ee50368
fix(configuration): remember me duration disabled impossible (#2997)
This fixes an issue not properly resolved by db6dd32151.
2022-03-13 13:51:23 +11:00
James Elliott 8f05846e21
feat: webauthn (#2707)
This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless.
2022-03-03 22:20:43 +11:00
James Elliott 6276883f04
refactor(configuration): utilize time duration decode hook (#2938)
This enhances the existing time.Duration parser to allow multiple units, and implements a decode hook which can be used by koanf to decode string/integers into time.Durations as applicable.
2022-03-02 17:40:26 +11:00
James Elliott bed7a8ae32
feat(server): csp template (#2856)
Implements the ability for advanced users to override the CSP and easily include the required nonce.
2022-02-21 10:14:09 +11:00
James Elliott 26236f491e
fix(server): use of inconsistent methods for determining origin (#2848)
This unifies the methods to obtain the X-Forwarded-* header values and provides logical fallbacks. In addition, so we can ensure this functionality extends to the templated files we've converted the ServeTemplatedFile method into a function that operates as a middlewares.RequestHandler.

Fixes #2765
2022-02-07 00:37:28 +11:00
James Elliott 9a8c6602dd
fix(middlewares): smart delay on reset password (#2767)
This adds a smart delay on reset password attempts to prevent username enumeration. Additionally utilizes crypto rand instead of math rand. It also moves the timing delay functionality into its own handler func.
2022-01-21 10:46:13 +11:00
James Elliott 7df242f1e3
refactor: remove ioutil (#2635)
Was deprecated in 1.16 and has more performant options available.
2021-12-02 00:14:15 +11:00
James Elliott ad8e844af6
feat(totp): algorithm and digits config (#2634)
Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm).

Fixes #1226.
2021-12-01 23:11:29 +11:00
Philipp Staiger 01b77384f9
feat(duo): multi device selection (#2137)
Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator.

Closes #594. Closes #1039.
2021-12-01 14:32:58 +11:00
Amir Zarrinkafsh 0be883befb
feat: customizable static assets (#2597)
* feat: customizable static assets

This change provides the means to override specific assets from the embedded Go FS with files situated on disk.

We only allow overriding the following files currently:
* favicon.ico
* logo.png

* refactor(server): make logo string a const

* refactor(suites): override favicon and use ntp3 in traefik2 suite

* test(suites): test logo override in traefik2 suite

* test(suites): test asset override fallback in traefik suite

Closes #1630.
2021-11-15 19:37:58 +11:00
James Elliott 7efcac6017
fix(session): use crypto/rand for session id generator (#2594)
This adjusts the session ID generator making it use it's own random function rather than using one from the utils lib. This allows us to utilize crypto/rand or math/rand interchangeably. Additionally refactor the utils.RandomString func.
2021-11-11 20:13:32 +11:00
James Elliott 0d7777e3f5
fix(server): provide correct scheme to templated files (#2486)
This utilizes the context of the request and configuration to determine the correct scheme to use for the base URL.

Fixes #2485. Fixes #2476.
2021-10-10 21:19:47 +11:00
Amir Zarrinkafsh a3e84769b5
feat(web): replace cra with vite (#2457)
* feat(web): replace cra with vite

* fix: add istanbul
* fix: add jest
* fix: inject env vars
* fix: replicate cra output directories
* fix: post-frontend build for go templating
* fix: dynamic publicpath

* fix(web): import resolution with aliases for .module.css files

* refactor(server): baseurl var

* refactor(web): drop babel-jest for esbuild-jest

* refactor(web): add inline sourcemap for coverage bundle

* build(deps): update web deps

* build(deps): downgrade vite-plugin-istanbul to 2.2.0

98bf77dbaa is a breaking change that means production mode builds can no longer be instrumented.

* refactor(web): match frontend name and version

* refactor(web): drop cra readme
2021-10-08 15:00:06 +11:00
Amir Zarrinkafsh 11032bdf93
fix(server): remove obselete memory check warning (#2380)
Given the fact that many Linux OSes are defaulting to CGroups v2 and also Authelia changing the default memory config for argon2id this warning is now obselete.
2021-09-16 12:26:34 +10:00
James Elliott b4e570358e
fix: include major in go.mod module directive (#2278)
* build: include major in go.mod module directive

* fix: xflags

* revert: cobra changes

* fix: mock doc
2021-08-11 11:16:46 +10:00
Amir Zarrinkafsh e2ebdb7e41
fix: oidc issuer path and strip path middleware (#2272)
* fix: oidc issuer path and strip path middleware

This ensures the server.path requests append the base_url to the oidc well-known issuer information and adjusts server.path configuration to only strip the configured path instead of the first level entirely regardless of its content.

* fix: only log the token error and general refactoring

* refactor: factorize base_url functions

* refactor(server): include all paths in startup logging

* refactor: factorize

* refactor: GetExternalRootURL -> ExternalRootURL

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-10 10:31:08 +10:00
James Elliott c5c6bda8b0
refactor: configuration agnostic healthcheck (#2231)
This makes the healthcheck simple and configured directly by Authelia's configuration on startup.
2021-08-05 14:02:07 +10:00
Clément Michaud 4a570489d1
fix(server): use lower case in error messages (#2151)
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-08-04 09:18:20 +10:00
James Elliott a7e867a699
feat(configuration): replace viper with koanf (#2053)
This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 19:55:21 +10:00
James Elliott 158783a9d4
feat(configuration): replace several configuration options (#2209)
This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration.

BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0
2021-08-02 21:55:30 +10:00
Clément Michaud bc983ce9f5
fix: user is now redirected when authenticated (#2082)
* fix(handlers,web): user is now redirected when authenticated

Fix: #1788

* remove dead code and fix ci issues

* fix infinite loop in frontend

* fix issue with integration tests

* handle bot recommendation

* fix integration test & add dot to comment

* fix last integration test

* Update api/openapi.yml

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

* Update web/src/services/SafeRedirection.ts

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update web/src/services/SafeRedirection.ts

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Update api/openapi.yml

* Update openapi.yml

* refactor: valid -> safe

* refactor: adjust merge conflicts

* Apply suggestions from code review

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

* fix: adjust test return messaging

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-02 16:15:38 +10:00
James Elliott 911d71204f
fix(handlers): handle xhr requests to /api/verify with 401 (#2189)
This changes the way XML HTTP requests are handled on the verify endpoint so that they are redirected using a 401 instead of a 302/303.
2021-07-22 13:52:37 +10:00
James Elliott cef35fadcd
feat(configuration): add error and warn log levels (#2050)
This is so levels like warn and error can be used to exclude info or warn messages. Additionally there is a reasonable refactoring of logging moving the log config options to the logging key because there are a significant number of log options now. This also decouples the expvars and pprof handlers from the log level, and they are now configured by server.enable_expvars and server.enable_pprof at any logging level.
2021-06-01 14:09:50 +10:00
James Elliott ddea31193b
feature(oidc): add support for OpenID Connect
OpenID connect has become a standard when it comes to authentication and
in order to fix a security concern around forwarding authentication and authorization information
it has been decided to add support for it.

This feature is in beta version and only enabled when there is a configuration for it.
Before enabling it in production, please consider that it's in beta with potential bugs and that there
are several production critical features still missing such as all OIDC related data is stored in
configuration or memory. This means you are potentially going to experience issues with HA
deployments, or when restarting a single instance specifically related to OIDC.

We are still working on adding the remaining set of features before making it GA as soon as possible.

Related to #189

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-05 00:15:36 +02:00
James Elliott 5a5efa5e02
fix(server): send 404 on missing api endpoints instead of 405 (#1806)
Returns a 404 instead of 405 on bad API endpoints. The original issue was resolved in 3487fd392e however this resolves another issue that's related. Additionally this ensures the behavior is tested.
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>

Fixes #1520
Closes #1534
2021-03-11 18:36:58 +11:00
Amir Zarrinkafsh 74721a9f41
feat: go:embed static assets (#1733)
* feat: go:embed static assets

Go 1.16 introduced the ability to embed files within a generated binary directly with the go tool chain. This simplifies our dependencies and the significantly improves the development workflow for future developers.

Key points to note:

Due to the inability to embed files that do not reside within the local package we need to duplicate our `config.template.yml` within `internal/configuration`.

To avoid issues with the development workflow empty mock files have been included within `internal/server/public_html`. These are substituted with the respective generated files during the CI/CD and build workflows.

* fix(suites): increase ldap suite test timeout

* fix(server): fix swagger asset CSP
2021-02-22 10:07:06 +11:00
Amir Zarrinkafsh d719acc4c8
[MISC] Fix embedded fs for dev workflow (#1627)
When authelia.yml got renamed to openapi.yml in 3487fd392e the embedded fs was not updated with a openapi.yml which in turn causes the dev workflow to no longer work.
2021-01-25 10:42:57 +11:00
Amir Zarrinkafsh daa30f3aa3
[FEATURE] Add theme support (#1584)
* [FEATURE] Add theme support

This change allows users to select a theme for Authelia on start-up.

The default will continue to be the existing theme which is known as `light`.
Three new options are now also provided:
* `dark`
* `grey`
* `custom`

The `custom` theme allows users to specify a primary and secondary hex color code to be utilised to style the portal.

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>

* Add themes to integration tests

* Remove custom theme

* Fix linting issue in access_control_test.go

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>
2021-01-20 23:07:40 +11:00
Amir Zarrinkafsh 296efe2b32
[MISC] Add missing CLI suite test (#1607)
* [MISC] Add missing CLI suite test

* Add missing test for `authelia version` command in CLI suite.
* Standardise logger calls and swap CSP switch order
2021-01-17 10:23:35 +11:00
Amir Zarrinkafsh 3487fd392e
[FEATURE] Add API docs and swagger-ui (#1544)
* [FEATURE] Add API docs and swagger-ui

This change will serve out swagger-ui at the `/api/` root path.

* Update descriptions and summaries in API spec

* Utilise frontend assets from unit testing for Docker build steps

* Fix tag for /api/user/* endpoints

* Fix response schema for /api/user/info/2fa_method

* Template and inject the session name during runtime into swagger-ui

This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file.

* Fix integration tests

* Add U2F endpoints

* Change swagger directory to api

This change is to more closely conform to the golang-standards project layout.

* Add authentication for u2f endpoints

* Modify u2f endpoint descriptions

* Rename and fix u2f 2fa sign endpoints

* Fix request body for /api/secondfactor/u2f/sign endpoint

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 15:28:46 +11:00
Amir Zarrinkafsh f1ecc5b82a
[FEATURE] Create dedicated health endpoint (#1489)
This change points the Docker containers healthcheck to the dedicated `/api/health` endpoint and also includes support for Authelia running with a path prefix.
2020-11-25 10:20:52 +11:00
Amir Zarrinkafsh 6db5455762
[CI] Collect coverage from frontend during integration tests (#1472)
This change will allow us to collect frontend code coverage from our Selenium based integration tests.

Given that the frontend is embedded into the Go binary and the integration tests run with a compiled binary in Docker this poses some issues with the instrumented code and the ability for it to run in this manner. To fix this we need to relax Authelia's CSP for the integration tests. This is achieved by setting the env variable `ENVIRONMENT` to `dev`.
2020-11-19 12:50:34 +11:00
Amir Zarrinkafsh 66b1600455
[MISC] Warn for poorly tuned argon2id deployments (#1426)
The warnings are currently limited to Linux based deployments, however this covers both container and host (static binary) based deployments.
We could potentially look to expand this to FreeBSD in future too.
2020-11-06 08:57:03 +11:00
Amir Zarrinkafsh bcd6a6aa45
[FEATURE] Add IPv6 support (#1196) 2020-07-16 16:36:37 +10:00
Amir Zarrinkafsh 29e54c231b
[MISC] Template global config and refactor some /api endpoints (#1135)
* [MISC] Template global config and refactor some /api endpoints
* /api/configuration has been removed in favour of templating said global config
* /api/configuration/extended has been renamed to /api/configuration and display_name has been removed
* /api/user/info has been modified to include display_name

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-06-21 15:40:37 +02:00
Amir Zarrinkafsh b27c1fbae9
[CI] Add PathPrefix integration test suite (#1052)
Add a suite for testing the PathPrefix feature implemented earlier to serve authelia under a multi-purpose domain.

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-27 13:55:44 +02:00
Amir Zarrinkafsh 0f100d4f7b
[DEPRECATE] Warning for PUBLIC_DIR environment variable (#938) 2020-05-21 14:51:28 +10:00
Amir Zarrinkafsh 7488206195
[BUGFIX] Relax CSP for trusted-types (#1036)
This will need to be revisited to re-introduce trusted-types when we have a clear handle on all the libraries and their implementation to support this.
2020-05-21 13:16:37 +10:00
James Elliott fcd0b5e46a
[FEATURE] Allow Authelia to listen on a specified path (#1027)
* [FEATURE] Allow Authelia to listen on a specified path

* Fix linting and add a couple typescript types

* Template index.html to support base_url

* Update docs and configuration template

* Access base path from body attribute.

* Update CSP

* Fix unit test
Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful.

* Template index.html with ${PUBLIC_URL}

* Define PUBLIC_URL in .env(s)

* Add docs clarification

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 12:20:55 +10:00
James Elliott 469daedd36
[FEATURE] Delay 1FA Authentication (#993)
* adaptively delay 1FA by the actual execution time of authentication
* should grow and shrink over time as successful attempts are made
* uses the average of the last 10 successful attempts to calculate
* starts at an average of 1000ms
* minimum is 250ms
* a random delay is added to the largest of avg or minimum
* the random delay is between 0ms and 85ms
* bump LDAP suite to 80s timeout
* bump regulation scenario to 45s
* add mutex locking
* amend logging
* add docs
* add tests

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-21 00:03:15 +02:00
Amir Zarrinkafsh a70e460ff4
[BUGFIX] Add routes for files in the root path (#988) 2020-05-07 13:29:12 +02:00
Clément Michaud af5754bcab
[MISC] Add coverage for Remote-User and Remote-Groups (#982)
* Fix dev workflow.

* Fix dev workflow.

* Cover Remote-User and Remote-Groups using Traefik.

* Cover Remote-User and Remote-Groups using HAProxy.

* Fix redirection after unauthorized response when using HAProxy.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-06 11:50:37 +10:00
Amir Zarrinkafsh 1600e0f7da
[CI] Add wsl linter (#980)
* [CI] Add wsl linter

* Implement wsl recommendations

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-05 21:35:32 +02:00
James Elliott 3f374534ab
[FEATURE] Automatic Profile Refresh - LDAP (#912)
* [FIX] LDAP Not Checking for Updated Groups

* refactor handlers verifyFromSessionCookie
* refactor authorizer selectMatchingObjectRules
* refactor authorizer isDomainMatching
* add authorizer URLHasGroupSubjects method
* add user provider ProviderType method
* update tests
* check for new LDAP groups and update session when:
  * user provider type is LDAP
  * authorization is forbidden
  * URL has rule with group subjects

* Implement Refresh Interval

* add default values for LDAP user provider
* add default for refresh interval
* add schema validator for refresh interval
* add various tests
* rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong
* use Authelia ctx clock
* add check to determine if user is deleted, if so destroy the
* make ldap user not found error a const
* implement GetRefreshSettings in mock

* Use user not found const with FileProvider
* comment exports

* use ctx.Clock instead of time pkg

* add debug logging

* use ptr to reference userSession so we don't have to retrieve it again

* add documenation
* add check for 0 refresh interval to reduce CPU cost
* remove badly copied debug msg

* add group change delta message

* add SliceStringDelta
* refactor ldap refresh to use the new func

* improve delta add/remove log message

* fix incorrect logic in SliceStringDelta
* add tests to SliceStringDelta

* add always config option
* add tests for always config option
* update docs

* apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* complete mocks and fix an old one
* show warning when LDAP details failed to update for an unknown reason

* golint fix

* actually fix existing mocks

* use mocks for LDAP refresh testing

* use mocks for LDAP refresh testing for both added and removed groups

* use test mock to verify disabled refresh behaviour
* add information to threat model
* add time const for default Unix() value

* misc adjustments to mocks

* Suggestions from code review

* requested changes
* update emails
* docs updates
* test updates
* misc

* golint fix

* set debug for dev testing

* misc docs and logging updates

* misc grammar/spelling

* use built function for VerifyGet

* fix reviewdog suggestions

* requested changes

* Apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-04 21:39:25 +02:00
James Elliott 2437f989cb
[SECURITY] Disable HTTP server header (#946)
* [SECURITY] Disable HTTP Server Header

* alphabetize fasthttp.Server property assignment
2020-04-30 13:16:41 +10:00
James Elliott c9e8a924e0
[FEATURE] Buffer size configuration and additional http error handling (#944)
* implement read buffer size config option
* implement write buffer size config option
* implement fasthttp ErrorHandler so we can log errors to Authelia as well
* add struct/schema validation
* add default value
* add docs
* add config key to validator
* refactoring
* apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 12:03:05 +10:00
Amir Zarrinkafsh f8bd506326
[FEATURE] Embed static assets in Go binary (#916)
* [FEATURE] Embed static assets in Go binary

* Refactor/consolidate code and specify public_html via configuration

* Update docs and config template for assets

* Update AUR package pre-requisites and systemd unit

* Include static assets as Buildkite and GitHub artifacts

* Remove references to PUBLIC_DIR

* Only serve assets via embedded filesystem and remove configuration references

* Update authelia-scripts helper to build the embedded filesystem

* Mock the embedded filesystem for unit tests
Add to gitignore to ensure this isn't overwritten.

* Move go:generate to satisfy linter
2020-04-29 00:07:20 +10:00
Clément Michaud 29325ab273
Fix CSP not propagated in default handler. (#915)
Also:
- not hide the CSP header in the dist version of suites.
- Fix CSP errors due to FontAwesome loading stylesheets dynamically.
2020-04-26 00:12:55 +02:00
Amir Zarrinkafsh 54694c4fca
[MISC] Ignore errcheck recommendations for legacy code (#893)
* [MISC] Ignore errcheck recommendations for legacy code
Some of this is likely intended to stay how it is, some could use refactoring, for now we will mark is and ignore it from the linter to be potentially addressed in the future.

* [MISC] Ensure files are gofmt-ed
2020-04-22 13:33:14 +10:00
Clément Michaud b12d9d405f
[FEATURE] Add Content-Security-Policy meta to login portal. (#822)
CSP is used to avoid some attacks where the hacker tries to execute
untrusted code in the browser.

The policy is to use assets hosted on the the original website and in order to make CSP work with material UI, a nonce is generated at each request of index.html and injected in the template as well as provided in the Content-Security-Policy header (https://material-ui.com/styles/advanced/#how-does-one-implement-csp)

Fix #815
2020-04-21 10:23:28 +10:00
James Elliott 92084bc5b2
[MISC] Add http debug routes (#848)
* [MISC] Add debug endpoints to Authelia

* enabled only with trace logging
* allows go tool pprof usage when enabled
* enables both the expvarhandler and pprofhandler from fasthttp
* simplify tls/non-tls listen and serve
* make it easy to define custom settings of the fasthttp server in the future
* make name param optional
* add note about the trace setting in the documentation
2020-04-11 14:59:58 +10:00
Amir Zarrinkafsh 0189688588
[MISC] Allow HEAD method on /api/verify (#850)
This is to natively support the upstream HAProxy module haproxy-auth-request without patching.
2020-04-11 12:14:26 +10:00
James Elliott 8aade7f40e
[MISC] Update durations to notation format and housekeeping (#824)
* added regulation validator
* made regulations find_time and ban_time values duration notation strings
* added DefaultRegulationConfiguration for the validator
* made session expiration and inactivity values duration notation strings
* TOTP period does not need to be converted because adjustment should be discouraged
* moved TOTP defaults to DefaultTOTPConfiguration and removed the consts
* arranged the root config validator in configuration file order
* adjusted tests for the changes
* moved duration notation docs to root of configuration
* added references to duration notation where applicable
* project wide gofmt and goimports:
* run gofmt
* run goimports -local github.com/authelia/authelia -w on all files
* Make jwt_secret error uniform and add tests
* now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 22:37:21 +10:00
James Elliott 9800421b88
[FEATURE] Disable Reset Password (#823)
* [FEATURE] Disable Reset Password
* add configuration key to authentication_backend called disable_reset_password
* disable_reset_password prevents the API handler for the functionality and the UI element
* disable_reset_password is a boolean
* adjust RememberMeEnabled to be RememberMe instead as it's just unnecessary
* add docs for security measures and in the authentication docs
* updated config.template.yml
* add flexEnd style to align reset password when remember me disabled
* add todo items for ldap user/password validation relating to this
2020-04-05 09:28:09 +10:00
James Elliott 40fb13ba3c
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773)
* Add period TOPT config key to define the time in seconds each OTP is rotated
* Add skew TOTP config to define how many keys either side of the current one should be considered valid
* Add tests and set minimum values
* Update config template
* Use unix epoch for position calculation and Fix QR gen
  * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute
* Generate QR based on period
* Fix OTP timer graphic
2020-03-25 12:48:20 +11:00
Amir Zarrinkafsh 7d7ad9bd28
[MISC] Adjust TLS log messages (#701)
* [MISC] Adjust TLS log messages

* [MISC] Fix integration tests
2020-03-10 18:14:28 +11:00
Clément Michaud faf43de14f
[FEATURE] Add TLS support. (#677)
* [FEATURE] Add TLS support.

Fixes #368.

* [FEATURE] Introduce OnError hook in suites.

This hook allows to perform actions following an erroneous suite
like displaying the logs of Authelia.

* Display Authelia logs of Standalone suite when tests fail.

* Fix Standalone suite.

* Apply suggestions from code review

* Rename ssl_key and ssl_cert into tls_key and tls_cert.
2020-03-03 18:18:25 +11:00
James Elliott 898f2a807e
[MISC] Add Detailed DUO Push Logging (#664)
* [MISC] Add Detailed DUO Push Logging

- Added trace logging for all response data from the DUO API
- Added warning messages on auth failures
- Added debug logging when DUO auth begins
- Updated mocks/unit tests to use the AutheliaCtx as required
2020-03-01 11:51:11 +11:00
Clément Michaud ea9b408b70
[FIX] Fix default redirection URL not taken into account (#600)
* Remove unused mongo docker-compose file.

* Default redirection URL was not taken into account.

* Fix possible storage options in config template.

* Remove useless checks in u2f registration endpoints.

* Add default redirection url in config of duo suite.

* Fix log line in response handler of 2FA methods.

* Fix integration tests.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-02-01 13:54:50 +01:00
Amir Zarrinkafsh fabb76754e
Rename org from clems4ever to authelia
Also fix references from config.yml to configuration.yml
2019-12-24 13:14:52 +11:00
Clement Michaud f4f5d17684 Add host parameter to configure the interface Authelia listens on. 2019-12-08 19:07:19 +01:00
Clement Michaud 3d20142292 Allow administrator to provide a Google Analytics tracking ID.
Providing a GA tracking ID allows administrators to analyze
how the portal is used by their users in large environments,
i.e., with many users.
This will make even more sense when we have users and admins
management interfaces.
2019-12-08 14:31:48 +01:00
Clement Michaud 5942e00412 Introduce hasU2F and hasTOTP in user info. 2019-12-08 14:31:48 +01:00
Clement Michaud b89f63e9c1 Fix and parallelize integration tests. 2019-12-05 11:05:24 +01:00
Clement Michaud 9ae2096d2a Rewrite authelia frontend to improve user experience.
This refactoring simplify the code of the frontend and prepare the
portal for receiving a user settings page and an admin page.
2019-12-05 11:05:24 +01:00
Clement Michaud 3b2d733367 Move source code into internal directory to follow standard project layout.
https://github.com/golang-standards/project-layout
2019-11-17 16:30:33 +01:00