Commit Graph

943 Commits (ecbd6511e17a6990a6b8b4fabb2a3d2d8b92a46e)

Author SHA1 Message Date
Manuel Nuñez 56c10eab76
test(configuration): add additional coverage (#4779) 2023-04-13 21:15:28 +10:00
James Elliott 3d2da0b070
feat(oidc): client authentication modes (#5150)
This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-13 20:58:18 +10:00
renovate[bot] 85e9792cf3
build(deps): update envoyproxy/envoy docker tag to v1.25.5 (#5229)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-04-13 15:17:54 +10:00
James Elliott 51e1f41620
Merge remote-tracking branch 'origin/master' into feat-settings-ui
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-11 22:21:00 +10:00
James Elliott 7fdcc351d4
Merge remote-tracking branch 'origin/master' into feat-settings-ui
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>

# Conflicts:
#	internal/handlers/handler_register_webauthn.go
#	internal/handlers/webauthn.go
#	internal/handlers/webauthn_test.go
#	internal/mocks/storage.go
#	internal/model/webauthn.go
#	internal/storage/provider.go
#	internal/storage/sql_provider.go
#	web/package.json
#	web/pnpm-lock.yaml
#	web/src/layouts/LoginLayout.tsx
2023-04-11 21:34:45 +10:00
James Elliott c8f75b19af
fix(oidc): default response mode not validated (#5129)
This fixes an issue where the default response mode (i.e. if the mode is omitted) would skip the validations against the allowed response modes.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-11 21:29:02 +10:00
James Elliott dfbbf1a1f3
fix(model): yaml encoding of totp and webauthn fails (#5204)
This fixes an issue where the encoding of the YAML files fails when exporting TOTP/WebAuthn devices.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-11 21:11:11 +10:00
James Elliott 569af0fef0
fix(commands): storage cmd fail when implicit config absent (#5213)
This fixes an issue where if the implicit config location of configuration.yml does not exist that an error is returned. This does not affect the behavior when the method was either implicit or environment.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-11 20:52:04 +10:00
James Elliott 157675f1f3
docs: adjust references of webauthn (#5203)
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-10 17:01:23 +10:00
James Elliott 928df8a698
Merge remote-tracking branch 'origin/master' into feat-oidc-auth-mode
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>

# Conflicts:
#	internal/configuration/validator/const.go
2023-04-09 13:19:29 +10:00
Matthieu7503 13a45bd360
refactor: misleading host deprecation warning (#5194)
The host deprecation to sever.host is misleading this adjusts the message to be accurate.
2023-04-08 21:22:06 +10:00
James Elliott 622bf42ed4
fix(configuration): secret permission errors panic (#5141)
This fixes an issue where attempting to load secrets the process does not  have read permissions for would cause panics as well as the bit size check of the OpenID Connect 1.0 private key can potentially panic on malformed private keys. This was caused by us returning values on errors instead of nil's.

Fixes #5138

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 16:02:34 +10:00
James Elliott 0424652940
refactor: adjust openapi (#5192)
Misc fixes to OpenAPI Specification that were missed.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 15:25:19 +10:00
James Elliott 2dcfc0b04c
feat(handlers): authz authrequest authelia url (#5181)
This adjusts the AuthRequest Authz implementation behave similarly to the other implementations in as much as Authelia can return the relevant redirection to the proxy and the proxy just utilizes it if possible. In addition it swaps the HAProxy examples over to the ForwardAuth implementation as that's now supported.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 14:48:55 +10:00
James Elliott fa250ea7dd
fix(storage): postgresql webauthn tbl invalid aaguid constraint (#5183)
This fixes an issue with the PostgreSQL schema where the webauthn tables aaguid column had a NOT NULL constraint erroneously.

Fixes #5182

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-08 11:36:34 +10:00
renovate[bot] cd0437cab1
build(deps): update traefik docker tag to v2.9.10 (#5187)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-04-07 10:28:16 +10:00
renovate[bot] 09ca8d37d2
build(deps): update envoyproxy/envoy docker tag to v1.25.4 (#5177)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-04-05 22:33:01 +10:00
renovate[bot] 098320b609
build(deps): update golang docker tag to v1.20.3 (#5174)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-04-05 09:36:06 +10:00
James Elliott d6a8dec0be
build(deps): unbump github.com/go-webauthn/webauthn to v0.5.0 (#5158)
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-02 16:09:18 +10:00
James Elliott 1ba4f705f0
Merge remote-tracking branch 'origin/master' into feat-settings-ui
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-02 14:14:29 +10:00
renovate[bot] 789f084454
build(deps): update alpine docker tag to v3.17.3 (#5148)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-30 11:45:55 +11:00
renovate[bot] d0a75dd362
build(deps): update haproxy docker tag to v2.7.6 (#5149)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-30 11:11:57 +11:00
renovate[bot] cee5b28176
build(deps): update envoyproxy/envoy docker tag to v1.25.3 (#5121)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-25 11:05:52 +11:00
renovate[bot] 2d429fa03e
build(deps): update traefik docker tag to v2.9.9 (#5110)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-22 08:12:19 +10:00
renovate[bot] 3887a3d77e
build(deps): update haproxy docker tag to v2.7.5 (#5104)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-21 11:52:16 +10:00
James Elliott 4f46514fdf
Merge remote-tracking branch 'origin/master' into feat-settings-ui
# Conflicts:
#	web/package.json
#	web/pnpm-lock.yaml
2023-03-19 08:09:17 +11:00
James Elliott 2a2f2dfee2
build(deps): update module github.com/wneessen/go-mail to v0.3.9 (#5086) 2023-03-19 06:50:17 +10:00
renovate[bot] ca4a36b176
build(deps): update kubernetesui/metrics-scraper docker tag to v1.0.9 (#5083)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-18 01:34:51 +11:00
renovate[bot] 3026b36393
build(deps): update ghcr.io/k3d-io/k3d docker tag to v5.4.9 (#5081)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-17 17:51:41 +11:00
Amir Zarrinkafsh 496dee6e42
refactor(web): native vite env replacement (#5078) 2023-03-17 16:50:27 +11:00
James Elliott 7ef1ba23df
Merge remote-tracking branch 'origin/master' into feat-settings-ui
# Conflicts:
#	docs/package.json
#	docs/pnpm-lock.yaml
#	internal/configuration/validator/identity_providers_test.go
#	web/package.json
#	web/pnpm-lock.yaml
2023-03-12 00:09:42 +11:00
renovate[bot] cc23922972
build(deps): update haproxy docker tag to v2.7.4 (#5051)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-11 10:56:55 +11:00
James Elliott b490396c60
refactor: log warnings on startup about oidc secrets (#5047) 2023-03-09 18:26:52 +11:00
renovate[bot] dbf4346112
build(deps): update golang docker tag to v1.20.2 (#5044)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-08 12:24:51 +11:00
James Elliott a91762c15b
fix(templates): plain text email misleading (#5036)
The plain text email template for identity verifications indicates it's for registering a 2FA device but it may also be used for password resets. This fixes that issue.

Fixes #4915
2023-03-07 10:45:59 +11:00
James Elliott b6883a337f
Merge origin/master into feat-settings-ui 2023-03-07 10:12:49 +11:00
James Elliott ff6be40f5e
feat(oidc): pushed authorization requests (#4546)
This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details.
2023-03-06 14:58:50 +11:00
James Elliott 42671d3edb
feat(oidc): client_secret_jwt client auth (#5031)
This theoretically adds support for client_secret_jwt.
2023-03-06 13:35:58 +11:00
renovate[bot] 0fd3cf841b
build(deps): update ghcr.io/k3d-io/k3d docker tag to v5.4.8 (#5026)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-05 08:48:49 +11:00
James Elliott fca8e2130a
docs: update integration docs (#4986) 2023-03-04 15:53:48 +11:00
renovate[bot] 6b1d7fab70
build(deps): update envoyproxy/envoy docker tag to v1.25.2 (#5012)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-03-02 13:57:14 +11:00
James Elliott e64661af3f
Merge remote-tracking branch 'origin/master' into feat-settings-ui 2023-02-28 20:40:51 +11:00
James Elliott b9a6856ff5
fix(logging): injected time format inconsistent (#5004)
This fixes an issue where the injected log time format is inconsistent with a normalized time format. This adjusts it to use a RFC3339 format.
2023-02-28 20:40:04 +11:00
James Elliott 8b8d6ce417
Merge remote-tracking branch origin/master into feat-settings-ui 2023-02-28 20:07:42 +11:00
James Elliott a345490826
feat(server): handle head method (#5003)
This implements some HEAD method handlers for various static resources and the /api/health endpoint.
2023-02-28 20:01:09 +11:00
James Elliott ac72ee494c
ci: fix misc and refactorings (#4994)
* ci: fix misc and refactorings

* ci: additional fix
2023-02-26 13:22:22 +11:00
James Elliott e6ef74fd8e
Merge remote-tracking branch 'origin/master' into feat-settings-ui
# Conflicts:
#	go.mod
#	web/package.json
#	web/pnpm-lock.yaml
2023-02-25 13:46:06 +11:00
James Elliott f44700c352
fix(commands): internal services not cleaned up properly (#4966)
This fixes a race condition which in some circumstances (seemed to only affect a deliberately under provisioned VM in testing, however it could still theoretically occur on any system) can cause the process to hang during a shutdown. While unrelated this also adds additional trace logging to the shutdown process to better capture each stage to better facilitate debugging in the future specifically when one particular service is taking time to stop.

Fixes #4963
2023-02-20 16:37:22 +11:00
James Elliott ea2350f0e4
refactor: down migrations 2023-02-19 14:59:45 +11:00
James Elliott a3d7212f23
test: fix test 2023-02-19 14:08:18 +11:00
James Elliott 257bd2a25a
test: fix test 2023-02-19 12:48:11 +11:00
James Elliott 3e53ae7b2e
test: fix test 2023-02-19 12:11:33 +11:00
James Elliott a6cc022e5c
Merge remote tracking branch origin/master into feat-settings-ui 2023-02-19 11:53:11 +11:00
renovate[bot] eab09efc0c
build(deps): update module github.com/knadh/koanf to v2 (#4952)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-02-19 11:49:08 +11:00
James Elliott a13a3c45f2
fix: encoding 2023-02-19 11:48:35 +11:00
James Elliott ab01fa6bca
fix(handlers): legacy authz failure on nginx (#4956)
Since nginx doesn't do portal URL detection we have to skip returning an error on the legacy authz implementation when the portal URL isn't detected. This issue only exists in unreleased versions.
2023-02-18 16:56:53 +11:00
James Elliott e5cdb175b4
feat: cred props 2023-02-18 15:36:58 +11:00
renovate[bot] 913a882b8b
build(deps): update mariadb docker tag to v10.11.2 (#4955)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-18 10:10:00 +11:00
Amir Zarrinkafsh 51096c5e70
refactor(suites): utilise pki certs in haproxy suite (#4945)
This utilises the certs provided within the pki section of the repo for the HAProxy suite.
2023-02-17 15:05:48 +11:00
James Elliott 891f1de9f2
refactor(commands): x509 bundling (#4942)
This adds another bundling mode to the certificate command.
2023-02-17 14:29:07 +11:00
James Elliott 5be5de02d8
feat: webauthn users 2023-02-17 06:40:40 +11:00
renovate[bot] 98e6fdc69f
build(deps): update traefik docker tag to v2.9.8 (#4939)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-16 11:14:38 +11:00
renovate[bot] 9116bcf00f
build(deps): update caddy docker tag to v2.6.4 (#4938)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-16 11:00:12 +11:00
renovate[bot] 4598932155
build(deps): update traefik docker tag to v2.9.7 (#4936)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-15 20:29:27 +11:00
renovate[bot] ccaa6b9fd2
build(deps): update golang docker tag to v1.20.1 (#4930)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-15 10:56:48 +11:00
renovate[bot] 16eedfd1b4
build(deps): update haproxy docker tag to v2.7.3 (#4931)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-15 08:57:57 +11:00
James Elliott e84ca4956a
refactor: sql updates 2023-02-14 23:35:15 +11:00
Amir Zarrinkafsh 59e82e786c
refactor: collect backend coverage via go build -cover (#4921)
* refactor: collect backend coverage via go build -cover

* refactor: print percentage coverage collected
2023-02-14 14:44:08 +11:00
James Elliott ee56740f46
Merge remote-tracking branch 'origin/master' into feat-settings-ui 2023-02-13 06:33:46 +11:00
renovate[bot] 6499dcf210
build(deps): update module github.com/go-webauthn/webauthn to v0.7.1 (#4920)
* build(deps): update module github.com/go-webauthn/webauthn to v0.7.1

* test: fix for upstream changes

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-02-13 06:30:19 +11:00
James Elliott 130a28a430
fix: misc 2023-02-12 23:57:43 +11:00
James Elliott 526dd8347d
fix: misc 2023-02-12 23:12:31 +11:00
James Elliott ba1ed1252c
fix: tests 2023-02-12 22:11:00 +11:00
James Elliott 515309c10e
feat: translate all the things 2023-02-12 21:57:45 +11:00
James Elliott 7e56cf2d15
test(suites): fix postgres 2023-02-12 12:48:39 +11:00
James Elliott d0160edc70
test(suites): fix standalone 2023-02-12 12:39:17 +11:00
James Elliott be21d73c72
fix: sql migration 2023-02-12 12:25:15 +11:00
James Elliott 40e247fcee
Merge branch 'master' into feat-settings-ui 2023-02-12 03:02:26 +11:00
James Elliott fab2b0d497
test(suites): fix missing sans (#4917) 2023-02-12 02:54:44 +11:00
James Elliott 3b6f5482b8
fix: multi-cookie domain webauthn 2023-02-12 02:47:03 +11:00
James Elliott 8c057f65a5
Merge remote-tracking branch 'origin/master' into feat-settings-ui 2023-02-11 21:53:34 +11:00
James Elliott 2888ee7f41
refactor(commands): services (#4914)
Misc refactoring of the services logic to simplify the
2023-02-11 21:45:26 +11:00
renovate[bot] 1a5178a8a5
build(deps): update alpine docker tag to v3.17.2 (#4910)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-11 16:35:53 +11:00
James Elliott a0758bb4ba
refactor(suites): use pki for oidc (#4913) 2023-02-11 15:37:54 +11:00
James Elliott 852dc808bd
Merge remote-tracking branch 'origin/master' into feat-settings-ui 2023-02-11 14:13:18 +11:00
James Elliott 8e4b660f15
refactor: certs (#4912)
This refactors the suites to use a Enterprise Root CA PKI signed certificate so the CA public certificate can be trusted. This is particularly useful for webauthn in Chrome.
2023-02-11 14:11:40 +11:00
renovate[bot] dbafa26ec3
build(deps): update caddy docker tag to v2.6.3 (#4906)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-09 15:04:46 +11:00
James Elliott 1f1210c6ac
Merge remote-tracking branch 'origin/master' into feat-settings-ui 2023-02-08 13:52:07 +11:00
James Elliott 2e6d17ba8a
feat(configuration): rfc2307bis implementation (#4900)
This adds configuration defaults for RFC2307bis LDAP implementations such as OpenLDAP with the RFC2307bis LDIF which should service most user needs.
2023-02-08 13:35:57 +11:00
renovate[bot] 436a78525c
build(deps): update envoyproxy/envoy docker tag to v1.25.1 (#4899)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-08 09:22:17 +11:00
James Elliott 726850fe43
refactor: add some more useful templating funcs (#4891) 2023-02-08 01:28:09 +11:00
renovate[bot] 9bf0ce212a
build(deps): update mariadb docker tag to v10.10.3 (#4889)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-07 15:13:12 +11:00
James Elliott 9e5aa1c1a9
Merge remote-tracking branch 'origin/master' into feat-settings-ui
# Conflicts:
#	web/package.json
#	web/pnpm-lock.yaml
2023-02-05 20:19:40 +11:00
James Elliott a7ccf3652f
docs: fix rfc references and fix misc issues (#4879) 2023-02-05 18:11:30 +11:00
James Elliott a2ce9e0573
test: add test for 2329 expand-env (#4870)
This adds a test for https://github.com/authelia/authelia/issues/2329#issuecomment-1414201785
2023-02-03 10:36:38 +11:00
renovate[bot] 790139fd48
build(deps): update ghcr.io/k3d-io/k3d docker tag to v5.4.7 (#4867)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-02-03 02:43:34 +11:00
James Elliott e408cb19b1
test: adjust tests and docs to be similar (#4856) 2023-02-02 18:13:18 +11:00
James Elliott 598ea2bb19
feat(configuration): disallow public suffix domains (#4855)
This adds a check to the domains configuration to ensure the domain value is not part of the public suffix list at https://publicsuffix.org. These domains are special and users cannot write cookies with this domain value, this makes them unusable with Authelia and this more readily makes that apparent.
2023-02-02 16:34:49 +11:00
renovate[bot] 30aaa8a245
build(deps): update golang docker tag to v1.20.0 (#4864)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-02-02 14:23:09 +11:00
James Elliott d7be1c1359
refactor: reduce complexity 2023-02-01 22:10:38 +11:00