Compare commits
3 Commits
master
...
renovate/h
Author | SHA1 | Date |
---|---|---|
James Elliott | ffd73c05a0 | |
James Elliott | dbca4b7f2b | |
renovate[bot] | 73ff977ed7 |
|
@ -7,4 +7,3 @@
|
|||
!entrypoint.sh
|
||||
!healthcheck.sh
|
||||
!.healthcheck.env
|
||||
!dist/public_html/
|
95
MyNotes.md
95
MyNotes.md
|
@ -1,95 +0,0 @@
|
|||
# Ausführen
|
||||
|
||||
Um die Anwendung lokal auszuführen, können die folgenden Befehle verwendet werden.
|
||||
|
||||
```
|
||||
export GOPATH=/tmp
|
||||
source bootstrap.sh
|
||||
authelia-scripts suites setup Standalone
|
||||
```
|
||||
|
||||
Nun sollte der "Haupt-Enpunkt" unter `https://home.example.com:8080` und die API unter `https://authelia.example.com:9091` erreichbar sein. Achtung: es wird ein selbstsigniertes Zertifikat verwendet!
|
||||
Mithilfe der Hot-Reload kann jetzt gecoded werden.
|
||||
|
||||
---
|
||||
|
||||
Nach der Entwicklung kann die Testumgebung durch den folgenden Befehl wieder zurückgesetzt werden.
|
||||
|
||||
```
|
||||
go run ./cmd/authelia-scripts/ suites teardown Standalone
|
||||
```
|
||||
|
||||
## Benutzerdefinierte Zertifikate
|
||||
|
||||
Um ein benutzerdefiniertes Zertifikat für die Ausführung zu verwenden, muss die Datai `public.backend.crt` und `private.bakend.pem` unter [diesem](/internal/suites/common/pki/) Verzeichnis abgeändert werden.
|
||||
Um die Gültigkeit zu testen, kann der folgendende Befehl ausgeführt werden.
|
||||
|
||||
```
|
||||
curl https://auth.rpjosh.de:9091 --connect-to 'auth.rpjosh.de:9091:authelia.example.com:9091'
|
||||
```
|
||||
|
||||
## Externe erreichbarkeit
|
||||
|
||||
Im aktuellen Zustand sind die Endpunkte nur unter den Docker internen IP-Adressen erreichbar. Daher muss noch ein NAT Regel angelegt werden.
|
||||
|
||||
```
|
||||
ip=$(ping -c 1 authelia.example.com | gawk -F'[()]' '/PING/{print $2}')
|
||||
sudo iptables -t nat -A PREROUTING -p tcp --dport 9091 -d 192.168.0.15 -j DNAT --to-destination 192.168.240.50:9091 -m comment --comment "Authelia-Test"
|
||||
sudo iptables -t nat -A PREROUTING -p tcp --dport 9092 -d 192.168.0.15 -j DNAT --to-destination 192.168.240.50:9092 -m comment --comment "Authelia-Test"
|
||||
sudo iptables -t nat -I OUTPUT -p tcp -o lo --dport 9091 -j DNAT --to-destination 192.168.240.50:9091
|
||||
```
|
||||
|
||||
# Customizations
|
||||
|
||||
Für das Starten des *gRPC* Servers müssen die folgenden Abhängigkeiten installiert werden.
|
||||
|
||||
```
|
||||
go get github.com/envoyproxy/go-control-plane
|
||||
go get github.com/envoyproxy/go-control-plane/envoy/config/core/v3
|
||||
go get github.com/gogo/googleapis/google/rpc
|
||||
go get google.golang.org/grpc
|
||||
```
|
||||
|
||||
## Konfiguration ändern
|
||||
|
||||
Wenn die Konfiguration geändert wurde, müssen die Keys zur Validierung wieder erneut gebaut werden.
|
||||
|
||||
```
|
||||
go run ./cmd/authelia-gen code keys
|
||||
```
|
||||
|
||||
## Mocks abgeändert
|
||||
|
||||
Wenn interfaces von den Mocks geändert werden, muss folgendes wieder ausgeführt werden:
|
||||
|
||||
```
|
||||
export PATH=$PATH:$(go env GOPATH)/bin
|
||||
go generate ./...
|
||||
```
|
||||
|
||||
## Bauen
|
||||
|
||||
Um ein Docker Image für authelia zu bauen, müssen die folgenden Befehle ausgeführt werden.
|
||||
|
||||
```sh
|
||||
# Dieser Befehle funktionieren aktuell nicht
|
||||
authelia-scripts docker build
|
||||
authelia-scripts build
|
||||
|
||||
# => Manuell bauen
|
||||
export CC=musl-gcc
|
||||
|
||||
authelia-scripts build
|
||||
cp -r dist/public_html internal/server/
|
||||
go build -buildmode=pie -ldflags "-linkmode=external -s -w" -trimpath -buildmode=pie -o authelia ./cmd/authelia
|
||||
mv authelia authelia-linux-amd64-musl
|
||||
# Build docker image
|
||||
docker build --tag git.rpjosh.de/rpjosh/authelia/authelia:4.38.0-dev .
|
||||
docker push git.rpjosh.de/rpjosh/authelia/authelia:4.38.0-dev
|
||||
# Cleanup
|
||||
rm -rf internal/server/public_html/ ./authelia-linux-amd64-musl
|
||||
```
|
||||
|
||||
# gRCP
|
||||
|
||||
Um einen gRCP Endpunkt nutzen zu können, brauch mein eine *.proto* Datei. Für Envoy sieht diese wie in [dieser Datei](/ext-auth.proto) folgendermaßen aus.
|
|
@ -7,5 +7,5 @@
|
|||
package cmd
|
||||
|
||||
const (
|
||||
versionSwaggerUI = "5.0.0"
|
||||
versionSwaggerUI = "4.19.0"
|
||||
)
|
||||
|
|
|
@ -62,10 +62,6 @@ server:
|
|||
## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
|
||||
disable_healthcheck: false
|
||||
|
||||
## If a request over the insecure http protocol is received from authelias gRPC endpoint (only for envoy),
|
||||
## the request is by default redirected to the matching https URL (301)
|
||||
disable_autho_https_redirect: false
|
||||
|
||||
## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
|
||||
tls:
|
||||
## The path to the DER base64/PEM format private key.
|
||||
|
@ -77,17 +73,6 @@ server:
|
|||
## The list of certificates for client authentication.
|
||||
client_certificates: []
|
||||
|
||||
## Enable the support for gRPC ext authentication for envoy. If TLS is enabled in the above section,
|
||||
## the defined certificates will also be used for the gRPC endpoint
|
||||
grpc:
|
||||
address: 'tcp://:9092'
|
||||
|
||||
# Even if TLS is configured in the server setting (under server.tls), the grcp server won't use TLS
|
||||
disableTLS: false
|
||||
|
||||
# By default the ban is issued for the user. With this options the IP instead of the user will be banned
|
||||
use_ip_for_ban: true
|
||||
|
||||
## Server headers configuration/customization.
|
||||
headers:
|
||||
|
||||
|
@ -330,7 +315,7 @@ authentication_backend:
|
|||
## because it allows Authelia to offload the stateful operations
|
||||
## onto the LDAP service.
|
||||
# ldap:
|
||||
## The address of the directory server to connect to in the address common syntax.
|
||||
## The address of the LDAP server to connect to in the address common syntax.
|
||||
## Format: [<scheme>://]<hostname>[:<port>].
|
||||
## Square brackets indicate optional portions of the format. Scheme must be 'ldap', 'ldaps', or 'ldapi`.
|
||||
## The default scheme is 'ldapi' if the address is an absolute path otherwise it's 'ldaps'.
|
||||
|
@ -416,6 +401,16 @@ authentication_backend:
|
|||
## See also: additional_users_dn, additional_groups_dn.
|
||||
# base_dn: 'dc=example,dc=com'
|
||||
|
||||
## The attribute holding the username of the user. This attribute is used to populate the username in the session
|
||||
## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually
|
||||
## uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and the
|
||||
## configuration stored in database. Therefore only single value attributes are allowed and the value must never be
|
||||
## changed once attributed to a user otherwise it would break the configuration for that user. Technically,
|
||||
## non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead advise to use
|
||||
## a filter to perform alternative lookups and the attributes mentioned above (sAMAccountName and uid) to
|
||||
## follow https://datatracker.ietf.org/doc/html/rfc2307.
|
||||
# username_attribute: 'uid'
|
||||
|
||||
## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
|
||||
## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
|
||||
# additional_users_dn: 'ou=users'
|
||||
|
@ -446,9 +441,15 @@ authentication_backend:
|
|||
## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
|
||||
# groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
|
||||
## The group search mode to use. Options are 'filter' or 'memberof'. It's essential to read the docs if you wish to
|
||||
## use 'memberof'. Also 'filter' is the best choice for most use cases.
|
||||
# group_search_mode: 'filter'
|
||||
## The attribute holding the name of the group.
|
||||
# group_name_attribute: 'cn'
|
||||
|
||||
## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
|
||||
## first one returned by the LDAP server is used.
|
||||
# mail_attribute: 'mail'
|
||||
|
||||
## The attribute holding the display name of the user. This will be used to greet an authenticated user.
|
||||
# display_name_attribute: 'displayName'
|
||||
|
||||
## Follow referrals returned by the server.
|
||||
## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
|
||||
|
@ -459,37 +460,6 @@ authentication_backend:
|
|||
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||
# password: 'password'
|
||||
|
||||
## The attributes for users and objects from the directory server.
|
||||
# attributes:
|
||||
|
||||
## The distinguished name attribute if your directory server supports it. Users should read the docs before
|
||||
## configuring. Only used for the 'memberof' group search mode.
|
||||
# distinguished_name: ''
|
||||
|
||||
## The attribute holding the username of the user. This attribute is used to populate the username in the session
|
||||
## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP
|
||||
## usually uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and
|
||||
## the configuration stored in database; therefore only single value attributes are allowed and the value must
|
||||
## never be changed once attributed to a user otherwise it would break the configuration for that user.
|
||||
## Technically non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead
|
||||
## advise to use a filter to perform alternative lookups and the attributes mentioned above
|
||||
## (sAMAccountName and uid) to follow https://datatracker.ietf.org/doc/html/rfc2307.
|
||||
# username: 'uid'
|
||||
|
||||
## The attribute holding the display name of the user. This will be used to greet an authenticated user.
|
||||
# display_name: 'displayName'
|
||||
|
||||
## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only
|
||||
## the first one returned by the directory server is used.
|
||||
# mail: 'mail'
|
||||
|
||||
## The attribute which provides distinguished names of groups an object is a member of.
|
||||
## Only used for the 'memberof' group search mode.
|
||||
# member_of: 'memberOf'
|
||||
|
||||
## The attribute holding the name of the group.
|
||||
# group_name: 'cn'
|
||||
|
||||
##
|
||||
## File (Authentication Provider)
|
||||
##
|
||||
|
|
|
@ -101,20 +101,16 @@ authentication_backend:
|
|||
base_dn: 'DC=example,DC=com'
|
||||
additional_users_dn: 'OU=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectClass=person))'
|
||||
username_attribute: 'uid'
|
||||
mail_attribute: 'mail'
|
||||
display_name_attribute: 'displayName'
|
||||
additional_groups_dn: 'OU=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_search_mode: 'filter'
|
||||
group_name_attribute: 'cn'
|
||||
permit_referrals: false
|
||||
permit_unauthenticated_bind: false
|
||||
user: 'CN=admin,DC=example,DC=com'
|
||||
password: 'password'
|
||||
attributes:
|
||||
distinguished_name: 'distinguishedName'
|
||||
username: 'uid'
|
||||
display_name: 'displayName'
|
||||
mail: 'mail'
|
||||
member_of: 'memberOf'
|
||||
group_name: 'cn'
|
||||
```
|
||||
|
||||
## Options
|
||||
|
@ -213,33 +209,66 @@ The LDAP filter to narrow down which users are valid. This is important to set c
|
|||
The default value is dependent on the [implementation](#implementation), refer to the
|
||||
[attribute defaults](../../reference/guides/ldap.md#attribute-defaults) for more information.
|
||||
|
||||
### username_attribute
|
||||
|
||||
{{< confkey type="string" required="situational" >}}
|
||||
|
||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||
default negating this requirement. Refer to the [attribute defaults](../../reference/guides/ldap.md#attribute-defaults)
|
||||
for more information.*
|
||||
|
||||
The LDAP attribute that maps to the username in *Authelia*. This must contain the `{username_attribute}`
|
||||
[placeholder](../../reference/guides/ldap.md#users-filter-replacements).
|
||||
|
||||
### mail_attribute
|
||||
|
||||
{{< confkey type="string" required="situational" >}}
|
||||
|
||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||
default negating this requirement. Refer to the [attribute defaults](../../reference/guides/ldap.md#attribute-defaults)
|
||||
for more information.*
|
||||
|
||||
The attribute to retrieve which contains the users email addresses. This is important for the device registration and
|
||||
password reset processes. The user must have an email address in order for Authelia to perform identity verification
|
||||
when a user attempts to reset their password or register a second factor device.
|
||||
|
||||
### display_name_attribute
|
||||
|
||||
{{< confkey type="string" required="situational" >}}
|
||||
|
||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||
default negating this requirement. Refer to the [attribute defaults](#attribute-defaults) for more information.*
|
||||
|
||||
The attribute to retrieve which is shown on the Web UI to the user when they log in.
|
||||
|
||||
### additional_groups_dn
|
||||
|
||||
{{< confkey type="string" required="no" >}}
|
||||
|
||||
Similar to [additional_users_dn](#additionalusersdn) but it applies to group searches.
|
||||
Similar to [additional_users_dn](#additional_users_dn) but it applies to group searches.
|
||||
|
||||
### groups_filter
|
||||
|
||||
{{< confkey type="string" required="situational" >}}
|
||||
|
||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||
default negating this requirement. Refer to the [filter defaults](../../reference/guides/ldap.md#filter-defaults) for
|
||||
more information.*
|
||||
default negating this requirement. Refer to the [filter defaults](#filter-defaults) for more information.*
|
||||
|
||||
Similar to [users_filter](#usersfilter) but it applies to group searches. In order to include groups the member is not
|
||||
Similar to [users_filter](#users_filter) but it applies to group searches. In order to include groups the member is not
|
||||
a direct member of, but is a member of another group that is a member of those (i.e. recursive groups), you may try
|
||||
using the following filter which is currently only tested against Microsoft Active Directory:
|
||||
|
||||
`(&(member:1.2.840.113556.1.4.1941:={dn})(objectClass=group)(objectCategory=group))`
|
||||
|
||||
### group_search_mode
|
||||
### group_name_attribute
|
||||
|
||||
{{< confkey type="string" default="filter" required="no" >}}
|
||||
{{< confkey type="string" required="situational" >}}
|
||||
|
||||
The group search mode controls how user groups are discovered. The default of `filter` directly uses the filter to
|
||||
determine the result. The `memberof` experimental mode does another special filtered search. See the
|
||||
[Reference Documentation](../../reference/guides/ldap.md#group-search-modes) for more information.
|
||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||
default negating this requirement. Refer to the [attribute defaults](#attribute-defaults) for more
|
||||
information.*
|
||||
|
||||
The LDAP attribute that is used by Authelia to determine the group name.
|
||||
|
||||
### permit_referrals
|
||||
|
||||
|
@ -284,71 +313,6 @@ It's __strongly recommended__ this is a
|
|||
[Random Alphanumeric String](../../reference/guides/generating-secure-values.md#generating-a-random-alphanumeric-string) with 64 or more
|
||||
characters and the user password is changed to this value.
|
||||
|
||||
### attributes
|
||||
|
||||
The following options configure The directory server attribute mappings.
|
||||
|
||||
#### distinguished_name
|
||||
|
||||
{{< confkey type="string" required="situational" >}}
|
||||
|
||||
*__Note:__ This option is technically not required however it is required when using the group search mode
|
||||
`memberof` replacement `{memberof:dn}`.*
|
||||
|
||||
The directory server attribute which contains the distinguished name, primarily used to perform filtered searches. There
|
||||
is a clear distinction between the actual distinguished name and a distinguished name attribute, all directories have
|
||||
distinguished names for objects, but not all have an attribute representing this that can be searched on.
|
||||
|
||||
The only known support at this time is with Active Directory.
|
||||
|
||||
#### username
|
||||
|
||||
{{< confkey type="string" required="situational" >}}
|
||||
|
||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||
default negating this requirement. Refer to the [attribute defaults] for more information.*
|
||||
|
||||
The directory server attribute that maps to the username in *Authelia*. This must contain the `{username_attribute}` [placeholder].
|
||||
|
||||
#### display_name
|
||||
|
||||
{{< confkey type="string" required="situational" >}}
|
||||
|
||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||
default negating this requirement. Refer to the [attribute defaults] for more information.*
|
||||
|
||||
The directory server attribute to retrieve which is shown on the Web UI to the user when they log in.
|
||||
|
||||
#### mail
|
||||
|
||||
{{< confkey type="string" required="situational" >}}
|
||||
|
||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||
default negating this requirement. Refer to the [attribute defaults] for more information.*
|
||||
|
||||
The directory server attribute to retrieve which contains the users email addresses. This is important for the device
|
||||
registration and password reset processes. The user must have an email address in order for Authelia to perform
|
||||
identity verification when a user attempts to reset their password or register a second factor device.
|
||||
|
||||
#### member_of
|
||||
|
||||
{{< confkey type="string" required="situational" >}}
|
||||
|
||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||
default negating this requirement. Refer to the [attribute defaults] for more information.*
|
||||
|
||||
The directory server attribute which contains the groups a user is a member of. This is currently only used for the
|
||||
`memberof` group search mode.
|
||||
|
||||
#### group_name
|
||||
|
||||
{{< confkey type="string" required="situational" >}}
|
||||
|
||||
*__Note:__ This option is technically required however the [implementation](#implementation) option can implicitly set a
|
||||
default negating this requirement. Refer to the [attribute defaults] for more information.*
|
||||
|
||||
The directory server attribute that is used by Authelia to determine the group name.
|
||||
|
||||
## Refresh Interval
|
||||
|
||||
It's recommended you either use the default [refresh interval](introduction.md#refreshinterval) or configure this to
|
||||
|
@ -368,8 +332,6 @@ for your users.
|
|||
|
||||
- [LDAP Reference Guide](../../reference/guides/ldap.md)
|
||||
|
||||
[username attribute]: #username
|
||||
[username attribute]: #usernameattribute
|
||||
[TechNet wiki]: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
|
||||
[RFC2307]: https://datatracker.ietf.org/doc/html/rfc2307
|
||||
[attribute defaults]: ../../reference/guides/ldap.md#attribute-defaults
|
||||
[placeholder]: ../../reference/guides/ldap.md#users-filter-replacements
|
||||
|
|
|
@ -92,35 +92,35 @@ Use this [Standalone Example](#standalone-example) if you want to use
|
|||
version: "3.8"
|
||||
secrets:
|
||||
JWT_SECRET:
|
||||
file: '${PWD}/data/authelia/secrets/JWT_SECRET'
|
||||
file: ${PWD}/data/authelia/secrets/JWT_SECRET
|
||||
SESSION_SECRET:
|
||||
file: '${PWD}/data/authelia/secrets/SESSION_SECRET'
|
||||
file: ${PWD}/data/authelia/secrets/SESSION_SECRET
|
||||
STORAGE_PASSWORD:
|
||||
file: '${PWD}/data/authelia/secrets/STORAGE_PASSWORD'
|
||||
file: ${PWD}/data/authelia/secrets/STORAGE_PASSWORD
|
||||
STORAGE_ENCRYPTION_KEY:
|
||||
file: '${PWD}/data/authelia/secrets/STORAGE_ENCRYPTION_KEY'
|
||||
file: ${PWD}/data/authelia/secrets/STORAGE_ENCRYPTION_KEY
|
||||
services:
|
||||
authelia:
|
||||
container_name: 'authelia'
|
||||
image: 'docker.io/authelia/authelia:latest'
|
||||
restart: 'unless-stopped'
|
||||
container_name: authelia
|
||||
image: docker.io/authelia/authelia:latest
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
net:
|
||||
aliases: []
|
||||
expose:
|
||||
- 9091
|
||||
secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_PASSWORD', 'STORAGE_ENCRYPTION_KEY']
|
||||
secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
|
||||
environment:
|
||||
AUTHELIA_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
|
||||
AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
|
||||
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: '/run/secrets/STORAGE_PASSWORD'
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
|
||||
AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
|
||||
AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
|
||||
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /run/secrets/STORAGE_PASSWORD
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/STORAGE_ENCRYPTION_KEY
|
||||
volumes:
|
||||
- '${PWD}/data/authelia/config:/config'
|
||||
- ${PWD}/data/authelia/config:/config
|
||||
networks:
|
||||
net:
|
||||
external: true
|
||||
name: 'net'
|
||||
name: net
|
||||
...
|
||||
```
|
||||
{{< /details >}}
|
||||
|
@ -136,26 +136,26 @@ Use this [Standalone Example](#standalone-example) if you want to use a standard
|
|||
version: "3.8"
|
||||
services:
|
||||
authelia:
|
||||
container_name: 'authelia'
|
||||
image: 'docker.io/authelia/authelia:latest'
|
||||
restart: 'unless-stopped'
|
||||
container_name: authelia
|
||||
image: docker.io/authelia/authelia:latest
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
net:
|
||||
aliases: []
|
||||
expose:
|
||||
- 9091
|
||||
environment:
|
||||
AUTHELIA_JWT_SECRET_FILE: '/secrets/JWT_SECRET'
|
||||
AUTHELIA_SESSION_SECRET_FILE: '/secrets/SESSION_SECRET'
|
||||
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: '/secrets/STORAGE_PASSWORD'
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/secrets/STORAGE_ENCRYPTION_KEY'
|
||||
AUTHELIA_JWT_SECRET_FILE: /secrets/JWT_SECRET
|
||||
AUTHELIA_SESSION_SECRET_FILE: /secrets/SESSION_SECRET
|
||||
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /secrets/STORAGE_PASSWORD
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /secrets/STORAGE_ENCRYPTION_KEY
|
||||
volumes:
|
||||
- '${PWD}/data/authelia/config:/config'
|
||||
- '${PWD}/data/authelia/secrets:/secrets'
|
||||
- ${PWD}/data/authelia/config:/config
|
||||
- ${PWD}/data/authelia/secrets:/secrets
|
||||
networks:
|
||||
net:
|
||||
external: true
|
||||
name: 'net'
|
||||
name: net
|
||||
```
|
||||
...
|
||||
{{< /details >}}
|
||||
|
|
|
@ -55,16 +55,14 @@ In your Authelia configuration you will need to enter and update the following v
|
|||
base_dn: DC=example,DC=com
|
||||
additional_users_dn: OU=users
|
||||
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
||||
username_attribute: uid
|
||||
mail_attribute: mail
|
||||
display_name_attribute: displayName
|
||||
additional_groups_dn: OU=groups
|
||||
groups_filter: (&(member=UID={input},OU=users,DC=example,DC=com)(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
user: UID=authelia,OU=service accounts,DC=example,DC=com
|
||||
password: "SUPER_COMPLEX_PASSWORD"
|
||||
attributes:
|
||||
distinguished_name: 'distinguishedName'
|
||||
username: 'uid'
|
||||
mail: 'mail'
|
||||
member_of: 'memberOf'
|
||||
group_name: 'cn'
|
||||
```
|
||||
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
|
||||
Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.
|
||||
|
@ -102,18 +100,16 @@ In your Authelia configuration you will need to enter and update the following v
|
|||
skip_verify: true
|
||||
minimum_version: TLS1.2
|
||||
base_dn: dc=example,DC=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: CN=users,CN=accounts
|
||||
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
||||
additional_groups_dn: OU=groups
|
||||
groups_filter: (&(member=UID={input},CN=users,CN=accounts,DC=example,DC=com)(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
display_name_attribute: displayName
|
||||
user: UID=authelia,CN=users,CN=accounts,DC=example,DC=com
|
||||
password: "SUPER_COMPLEX_PASSWORD"
|
||||
attributes:
|
||||
distinguished_name: 'distinguishedName'
|
||||
username: 'uid'
|
||||
mail: 'mail'
|
||||
member_of: 'memberOf'
|
||||
group_name: 'cn'
|
||||
```
|
||||
Following this, restart Authelia, and you should be able to begin using LDAP integration for your user logins, with
|
||||
Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.
|
||||
|
@ -143,21 +139,19 @@ ldap:
|
|||
timeout: 5s
|
||||
start_tls: false
|
||||
base_dn: dc=example,DC=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: OU=people
|
||||
# To allow sign in both with username and email, one can use a filter like
|
||||
# (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
||||
additional_groups_dn: OU=groups
|
||||
groups_filter: (member={dn})
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
display_name_attribute: displayName
|
||||
# The username and password of the admin or service user.
|
||||
user: UID=authelia,OU=people,DC=example,DC=com
|
||||
password: "SUPER_COMPLEX_PASSWORD"
|
||||
attributes:
|
||||
distinguished_name: 'distinguishedName'
|
||||
username: 'uid'
|
||||
mail: 'mail'
|
||||
member_of: 'memberOf'
|
||||
group_name: 'cn'
|
||||
```
|
||||
Following this, restart Authelia, and you should be able to begin using lldap integration for your user logins, with
|
||||
Authelia taking the email attribute for users straight from the 'mail' attribute within the LDAP object.
|
||||
|
|
|
@ -75,32 +75,6 @@ The following implementations exist:
|
|||
[GLAuth]: https://glauth.github.io/
|
||||
[RFC2307bis]: https://datatracker.ietf.org/doc/html/draft-howard-rfc2307bis-02
|
||||
|
||||
### Group Search Modes
|
||||
|
||||
There are currently two group search modes that exist.
|
||||
|
||||
#### Search Mode: filter
|
||||
|
||||
The `filter` search mode is the default search mode. Generally this is recommended.
|
||||
|
||||
#### Search Mode: memberof
|
||||
|
||||
The `memberof` search mode is a special search mode. Generally this is discouraged and is currently experimental.
|
||||
|
||||
Some systems provide a `memberOf` attribute which may include additional groups that the user is a member of. This
|
||||
search mode allows using this attribute as a method to determine their groups. How it works is the search is performed
|
||||
against the base with the subtree scope and the groups filter must include one of the `{memberof:*}` replacements, and
|
||||
the distinguished names of the results from the search are compared (case-insensitive) against the users `memberOf`
|
||||
attribute to determine if they are members.
|
||||
|
||||
This means:
|
||||
|
||||
1. The groups still must be in the search base that you have configured.
|
||||
2. The `memberOf` attribute *__MUST__* include the distinguished name of the group.
|
||||
3. If the `{memberof:dn}` replacement is used:
|
||||
1. The distinguished name *__MUST__* be searchable by your directory server.
|
||||
3. The first relative distinguished name of the distinguished name *__MUST__* be search
|
||||
|
||||
### Filter replacements
|
||||
|
||||
Various replacements occur in the user and groups filter. The replacements either occur at startup or upon an LDAP
|
||||
|
@ -111,65 +85,25 @@ is ever established. In addition to this, during the startup phase we purposeful
|
|||
phase replacements exist so we only have to check if the replacement is necessary once, and we don't needlessly perform
|
||||
every possible replacement on every search regardless of if it's needed or not.
|
||||
|
||||
#### General filter replacements
|
||||
|
||||
| Placeholder | Phase | Replacement |
|
||||
|:------------------------------:|:-------:|:-------------------------------------------:|
|
||||
| {distinguished_name_attribute} | startup | The configured distinguished name attribute |
|
||||
| {username_attribute} | startup | The configured username attribute |
|
||||
| {mail_attribute} | startup | The configured mail attribute |
|
||||
| {display_name_attribute} | startup | The configured display name attribute |
|
||||
| {member_of_attribute} | startup | The configured member of attribute |
|
||||
| {input} | search | The input into the username field |
|
||||
|
||||
#### Users filter replacements
|
||||
|
||||
| Placeholder | Phase | Replacement |
|
||||
|:------------------------------:|:-------:|:----------------------------------------------------------------------------------------------------------------:|
|
||||
| {date-time:generalized} | search | The current UTC time formatted as a LDAP generalized time in the format of `20060102150405.0Z` |
|
||||
| {date-time:unix} | search | The current time formatted as a Unix epoch |
|
||||
| {date-time:microsoft-nt} | search | The current time formatted as a Microsoft NT epoch which is used by some Microsoft [Active Directory] attributes |
|
||||
| Placeholder | Phase | Replacement |
|
||||
|:------------------------:|:-------:|:----------------------------------------------------------------------------------------------------------------:|
|
||||
| {username_attribute} | startup | The configured username attribute |
|
||||
| {mail_attribute} | startup | The configured mail attribute |
|
||||
| {display_name_attribute} | startup | The configured display name attribute |
|
||||
| {input} | search | The input into the username field |
|
||||
| {date-time:generalized} | search | The current UTC time formatted as a LDAP generalized time in the format of `20060102150405.0Z` |
|
||||
| {date-time:unix} | search | The current time formatted as a Unix epoch |
|
||||
| {date-time:microsoft-nt} | search | The current time formatted as a Microsoft NT epoch which is used by some Microsoft [Active Directory] attributes |
|
||||
|
||||
#### Groups filter replacements
|
||||
|
||||
| Placeholder | Phase | Replacement |
|
||||
|:--------------:|:------:|:----------------------------------------------------------------------------------------------------------------------------------------------------:|
|
||||
| {username} | search | The username from the profile lookup obtained from the username attribute |
|
||||
| {dn} | search | The distinguished name from the profile lookup |
|
||||
| {memberof:dn} | search | See the detailed section below |
|
||||
| {memberof:rdn} | search | Only allowed with the `memberof` search method and contains the first relative distinguished name of every `memberOf` entry a use has in parenthesis |
|
||||
|
||||
##### memberof:dn
|
||||
|
||||
Requirements:
|
||||
|
||||
1. Must be using the `memberof` search mode.
|
||||
2. Must have the distinguished name attribute configured in Authelia.
|
||||
3. Directory server must support searching by the distinguished name attribute (many directory services *__DO NOT__*
|
||||
have a distinguished name attribute).
|
||||
|
||||
##### memberof:rdn
|
||||
|
||||
Requirements:
|
||||
|
||||
1. Must be using the `memberof` search mode.
|
||||
2. Directory server must support searching by the first relative distinguished name as an attribute.
|
||||
|
||||
Splits every `memberOf` value to obtain th e first relative distinguished name and joins all of those after surrounding
|
||||
them in parenthesis. This makes the general suggested filter pattern for this particular replacement
|
||||
`(|{memberof:rdn})`. The format of this value is as follows:
|
||||
|
||||
```text
|
||||
(<RDN>)
|
||||
```
|
||||
|
||||
For example if the user has the following distinguished names in their object:
|
||||
|
||||
- CN=abc,OU=groups,DC=example,DC=com
|
||||
- CN=xyz,OU=groups,DC=example,DC=com
|
||||
|
||||
The value will be replaced with `(CN=abc)(CN=xyz)` which using the suggested pattern for the filter becomes
|
||||
`(|(CN=abc)(CN=xyz))` which will then return any user that as a `CN` of `abc` or `xyz`.
|
||||
| Placeholder | Phase | Replacement |
|
||||
|:-----------:|:------:|:-------------------------------------------------------------------------:|
|
||||
| {input} | search | The input into the username field |
|
||||
| {username} | search | The username from the profile lookup obtained from the username attribute |
|
||||
| {dn} | search | The distinguished name from the profile lookup |
|
||||
|
||||
### Defaults
|
||||
|
||||
|
@ -188,14 +122,14 @@ The following set defaults for the `additional_users_dn` and `additional_groups_
|
|||
This table describes the attribute defaults for each implementation. i.e. the username_attribute is described by the
|
||||
Username column.
|
||||
|
||||
| Implementation | Username | Display Name | Mail | Group Name | Distinguished Name | Member Of |
|
||||
|:---------------:|:--------------:|:------------:|:----:|:----------:|:------------------:|:---------:|
|
||||
| custom | N/A | displayName | mail | cn | N/A | N/A |
|
||||
| activedirectory | sAMAccountName | displayName | mail | cn | distinguishedName | memberOf |
|
||||
| rfc2307bis | uid | displayName | mail | cn | N/A | memberOf |
|
||||
| freeipa | uid | displayName | mail | cn | N/A | memberOf |
|
||||
| lldap | uid | cn | mail | cn | N/A | memberOf |
|
||||
| glauth | cn | description | mail | cn | N/A | memberOf |
|
||||
| Implementation | Username | Display Name | Mail | Group Name |
|
||||
|:---------------:|:--------------:|:------------:|:----:|:----------:|
|
||||
| custom | N/A | displayName | mail | cn |
|
||||
| activedirectory | sAMAccountName | displayName | mail | cn |
|
||||
| rfc2307bis | uid | displayName | mail | cn |
|
||||
| freeipa | uid | displayName | mail | cn |
|
||||
| lldap | uid | cn | mail | cn |
|
||||
| glauth | cn | description | mail | cn |
|
||||
|
||||
#### Filter defaults
|
||||
|
||||
|
@ -212,8 +146,8 @@ the following conditions:
|
|||
- Their password is expired:
|
||||
- The [Active Directory] implementation achieves this via the `(!(pwdLastSet=0))` filter.
|
||||
- The [FreeIPA] implementation achieves this via the `(krbPasswordExpiration>={date-time:generalized})` filter.
|
||||
- The [RFC2307bis] implementation achieves this via the `(!(pwdReset=TRUE))` filter.
|
||||
- The following implementations have no suitable attribute for this as far as we're aware:
|
||||
- [RFC2307bis]
|
||||
- [GLAuth]
|
||||
- [lldap]
|
||||
- Their account is expired:
|
||||
|
@ -228,7 +162,7 @@ the following conditions:
|
|||
|:---------------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-----------------------------------------------------------------------------------------------------------------------------------------:|
|
||||
| custom | N/A | N/A |
|
||||
| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(|(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt}))) | (&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912))) |
|
||||
| rfc2307bis | (&(|({username_attribute}={input})({mail_attribute}={input}))(|(objectClass=inetOrgPerson)(objectClass=organizationalPerson))(!(pwdReset=TRUE))) | (&(|(member={dn})(uniqueMember={dn}))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=groupOfMembers))) |
|
||||
| rfc2307bis | (&(|({username_attribute}={input})({mail_attribute}={input}))(|(objectClass=inetOrgPerson)(objectClass=organizationalPerson))) | (&(|(member={dn})(uniqueMember={dn}))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=groupOfMembers))) |
|
||||
| freeipa | (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(!(nsAccountLock=TRUE))(krbPasswordExpiration>={date-time:generalized})(|(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized}))) | (&(member={dn})(objectClass=groupOfNames)) |
|
||||
| lldap | (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) | (&(member={dn})(objectClass=groupOfNames)) |
|
||||
| glauth | (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=posixAccount)(!(accountStatus=inactive))) | (&(uniqueMember={dn})(objectClass=posixGroup)) |
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,144 +0,0 @@
|
|||
syntax = "proto3";
|
||||
|
||||
package envoy.service.auth.v3;
|
||||
|
||||
import "envoy/config/core/v3/base.proto";
|
||||
import "envoy/service/auth/v3/attribute_context.proto";
|
||||
import "envoy/type/v3/http_status.proto";
|
||||
|
||||
import "google/protobuf/struct.proto";
|
||||
import "google/rpc/status.proto";
|
||||
|
||||
import "envoy/annotations/deprecation.proto";
|
||||
import "udpa/annotations/status.proto";
|
||||
import "udpa/annotations/versioning.proto";
|
||||
|
||||
option java_package = "io.envoyproxy.envoy.service.auth.v3";
|
||||
option java_outer_classname = "ExternalAuthProto";
|
||||
option java_multiple_files = true;
|
||||
option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3;authv3";
|
||||
option (udpa.annotations.file_status).package_version_status = ACTIVE;
|
||||
|
||||
// [#protodoc-title: Authorization service]
|
||||
|
||||
// The authorization service request messages used by external authorization :ref:`network filter
|
||||
// <config_network_filters_ext_authz>` and :ref:`HTTP filter <config_http_filters_ext_authz>`.
|
||||
|
||||
// A generic interface for performing authorization check on incoming
|
||||
// requests to a networked service.
|
||||
service Authorization {
|
||||
// Performs authorization check based on the attributes associated with the
|
||||
// incoming request, and returns status `OK` or not `OK`.
|
||||
rpc Check(CheckRequest) returns (CheckResponse) {
|
||||
}
|
||||
}
|
||||
|
||||
message CheckRequest {
|
||||
option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.CheckRequest";
|
||||
|
||||
// The request attributes.
|
||||
AttributeContext attributes = 1;
|
||||
}
|
||||
|
||||
// HTTP attributes for a denied response.
|
||||
message DeniedHttpResponse {
|
||||
option (udpa.annotations.versioning).previous_message_type =
|
||||
"envoy.service.auth.v2.DeniedHttpResponse";
|
||||
|
||||
// This field allows the authorization service to send an HTTP response status code to the
|
||||
// downstream client. If not set, Envoy sends ``403 Forbidden`` HTTP status code by default.
|
||||
type.v3.HttpStatus status = 1;
|
||||
|
||||
// This field allows the authorization service to send HTTP response headers
|
||||
// to the downstream client. Note that the :ref:`append field in HeaderValueOption <envoy_v3_api_field_config.core.v3.HeaderValueOption.append>` defaults to
|
||||
// false when used in this message.
|
||||
repeated config.core.v3.HeaderValueOption headers = 2;
|
||||
|
||||
// This field allows the authorization service to send a response body data
|
||||
// to the downstream client.
|
||||
string body = 3;
|
||||
}
|
||||
|
||||
// HTTP attributes for an OK response.
|
||||
// [#next-free-field: 9]
|
||||
message OkHttpResponse {
|
||||
option (udpa.annotations.versioning).previous_message_type =
|
||||
"envoy.service.auth.v2.OkHttpResponse";
|
||||
|
||||
// HTTP entity headers in addition to the original request headers. This allows the authorization
|
||||
// service to append, to add or to override headers from the original request before
|
||||
// dispatching it to the upstream. Note that the :ref:`append field in HeaderValueOption <envoy_v3_api_field_config.core.v3.HeaderValueOption.append>` defaults to
|
||||
// false when used in this message. By setting the ``append`` field to ``true``,
|
||||
// the filter will append the correspondent header value to the matched request header.
|
||||
// By leaving ``append`` as false, the filter will either add a new header, or override an existing
|
||||
// one if there is a match.
|
||||
repeated config.core.v3.HeaderValueOption headers = 2;
|
||||
|
||||
// HTTP entity headers to remove from the original request before dispatching
|
||||
// it to the upstream. This allows the authorization service to act on auth
|
||||
// related headers (like ``Authorization``), process them, and consume them.
|
||||
// Under this model, the upstream will either receive the request (if it's
|
||||
// authorized) or not receive it (if it's not), but will not see headers
|
||||
// containing authorization credentials.
|
||||
//
|
||||
// Pseudo headers (such as ``:authority``, ``:method``, ``:path`` etc), as well as
|
||||
// the header ``Host``, may not be removed as that would make the request
|
||||
// malformed. If mentioned in ``headers_to_remove`` these special headers will
|
||||
// be ignored.
|
||||
//
|
||||
// When using the HTTP service this must instead be set by the HTTP
|
||||
// authorization service as a comma separated list like so:
|
||||
// ``x-envoy-auth-headers-to-remove: one-auth-header, another-auth-header``.
|
||||
repeated string headers_to_remove = 5;
|
||||
|
||||
// This field has been deprecated in favor of :ref:`CheckResponse.dynamic_metadata
|
||||
// <envoy_v3_api_field_service.auth.v3.CheckResponse.dynamic_metadata>`. Until it is removed,
|
||||
// setting this field overrides :ref:`CheckResponse.dynamic_metadata
|
||||
// <envoy_v3_api_field_service.auth.v3.CheckResponse.dynamic_metadata>`.
|
||||
google.protobuf.Struct dynamic_metadata = 3
|
||||
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
|
||||
|
||||
// This field allows the authorization service to send HTTP response headers
|
||||
// to the downstream client on success. Note that the :ref:`append field in HeaderValueOption <envoy_v3_api_field_config.core.v3.HeaderValueOption.append>`
|
||||
// defaults to false when used in this message.
|
||||
repeated config.core.v3.HeaderValueOption response_headers_to_add = 6;
|
||||
|
||||
// This field allows the authorization service to set (and overwrite) query
|
||||
// string parameters on the original request before it is sent upstream.
|
||||
repeated config.core.v3.QueryParameter query_parameters_to_set = 7;
|
||||
|
||||
// This field allows the authorization service to specify which query parameters
|
||||
// should be removed from the original request before it is sent upstream. Each
|
||||
// element in this list is a case-sensitive query parameter name to be removed.
|
||||
repeated string query_parameters_to_remove = 8;
|
||||
}
|
||||
|
||||
// Intended for gRPC and Network Authorization servers ``only``.
|
||||
message CheckResponse {
|
||||
option (udpa.annotations.versioning).previous_message_type =
|
||||
"envoy.service.auth.v2.CheckResponse";
|
||||
|
||||
// Status ``OK`` allows the request. Any other status indicates the request should be denied, and
|
||||
// for HTTP filter, if not overridden by :ref:`denied HTTP response status <envoy_v3_api_field_service.auth.v3.DeniedHttpResponse.status>`
|
||||
// Envoy sends ``403 Forbidden`` HTTP status code by default.
|
||||
google.rpc.Status status = 1;
|
||||
|
||||
// An message that contains HTTP response attributes. This message is
|
||||
// used when the authorization service needs to send custom responses to the
|
||||
// downstream client or, to modify/add request headers being dispatched to the upstream.
|
||||
oneof http_response {
|
||||
// Supplies http attributes for a denied response.
|
||||
DeniedHttpResponse denied_response = 2;
|
||||
|
||||
// Supplies http attributes for an ok response.
|
||||
OkHttpResponse ok_response = 3;
|
||||
}
|
||||
|
||||
// Optional response metadata that will be emitted as dynamic metadata to be consumed by the next
|
||||
// filter. This metadata lives in a namespace specified by the canonical name of extension filter
|
||||
// that requires it:
|
||||
//
|
||||
// - :ref:`envoy.filters.http.ext_authz <config_http_filters_ext_authz_dynamic_metadata>` for HTTP filter.
|
||||
// - :ref:`envoy.filters.network.ext_authz <config_network_filters_ext_authz_dynamic_metadata>` for network filter.
|
||||
google.protobuf.Struct dynamic_metadata = 4;
|
||||
}
|
|
@ -45,7 +45,7 @@ services:
|
|||
- TZ=Australia/Melbourne
|
||||
|
||||
traefik:
|
||||
image: traefik:v2.10.3
|
||||
image: traefik:v2.10.1
|
||||
container_name: traefik
|
||||
volumes:
|
||||
- ./traefik:/etc/traefik
|
||||
|
|
|
@ -32,7 +32,7 @@ services:
|
|||
- TZ=Australia/Melbourne
|
||||
|
||||
traefik:
|
||||
image: traefik:v2.10.3
|
||||
image: traefik:v2.10.1
|
||||
container_name: traefik
|
||||
volumes:
|
||||
- ./traefik:/etc/traefik
|
||||
|
|
26
go.mod
26
go.mod
|
@ -20,7 +20,7 @@ require (
|
|||
github.com/golang/mock v1.6.0
|
||||
github.com/google/uuid v1.3.0
|
||||
github.com/hashicorp/go-retryablehttp v0.7.4
|
||||
github.com/jackc/pgx/v5 v5.4.1
|
||||
github.com/jackc/pgx/v5 v5.4.0
|
||||
github.com/jmoiron/sqlx v1.3.5
|
||||
github.com/knadh/koanf/parsers/yaml v0.1.0
|
||||
github.com/knadh/koanf/providers/confmap v0.1.0
|
||||
|
@ -33,8 +33,8 @@ require (
|
|||
github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
|
||||
github.com/ory/fosite v0.44.0
|
||||
github.com/ory/herodot v0.10.2
|
||||
github.com/ory/x v0.0.563
|
||||
github.com/otiai10/copy v1.12.0
|
||||
github.com/ory/x v0.0.561
|
||||
github.com/otiai10/copy v1.11.0
|
||||
github.com/pkg/errors v0.9.1
|
||||
github.com/pquerna/otp v1.4.0
|
||||
github.com/prometheus/client_golang v1.16.0
|
||||
|
@ -43,7 +43,7 @@ require (
|
|||
github.com/spf13/pflag v1.0.5
|
||||
github.com/stretchr/testify v1.8.4
|
||||
github.com/trustelem/zxcvbn v1.0.1
|
||||
github.com/valyala/fasthttp v1.48.0
|
||||
github.com/valyala/fasthttp v1.47.0
|
||||
github.com/wneessen/go-mail v0.3.9
|
||||
golang.org/x/net v0.11.0
|
||||
golang.org/x/sync v0.3.0
|
||||
|
@ -59,7 +59,6 @@ require (
|
|||
github.com/beorn7/perks v1.0.1 // indirect
|
||||
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
|
||||
github.com/cespare/xxhash/v2 v2.2.0 // indirect
|
||||
github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 // indirect
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
|
||||
github.com/cristalhq/jwt/v4 v4.0.2 // indirect
|
||||
github.com/dave/jennifer v1.6.0 // indirect
|
||||
|
@ -69,16 +68,12 @@ require (
|
|||
github.com/dlclark/regexp2 v1.4.0 // indirect
|
||||
github.com/dustin/go-humanize v1.0.0 // indirect
|
||||
github.com/ecordell/optgen v0.0.6 // indirect
|
||||
github.com/envoyproxy/go-control-plane v0.11.1 // indirect
|
||||
github.com/envoyproxy/protoc-gen-validate v1.0.1 // indirect
|
||||
github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
|
||||
github.com/fxamacker/cbor/v2 v2.4.0 // indirect
|
||||
github.com/go-crypt/x v0.2.1 // indirect
|
||||
github.com/go-redis/redis/v8 v8.11.5 // indirect
|
||||
github.com/go-webauthn/revoke v0.1.9 // indirect
|
||||
github.com/gogo/googleapis v1.4.1 // indirect
|
||||
github.com/gogo/protobuf v1.3.2 // indirect
|
||||
github.com/golang/glog v1.1.0 // indirect
|
||||
github.com/golang/glog v1.0.0 // indirect
|
||||
github.com/golang/protobuf v1.5.3 // indirect
|
||||
github.com/google/go-tpm v0.3.3 // indirect
|
||||
github.com/gorilla/websocket v1.5.0 // indirect
|
||||
|
@ -102,7 +97,7 @@ require (
|
|||
github.com/pelletier/go-toml/v2 v2.0.6 // indirect
|
||||
github.com/philhofer/fwd v1.1.2 // indirect
|
||||
github.com/pmezard/go-difflib v1.0.0 // indirect
|
||||
github.com/prometheus/client_model v0.4.0 // indirect
|
||||
github.com/prometheus/client_model v0.3.0 // indirect
|
||||
github.com/prometheus/common v0.42.0 // indirect
|
||||
github.com/prometheus/procfs v0.10.1 // indirect
|
||||
github.com/redis/go-redis/v9 v9.0.4 // indirect
|
||||
|
@ -124,13 +119,12 @@ require (
|
|||
github.com/ysmood/leakless v0.8.0 // indirect
|
||||
golang.org/x/crypto v0.10.0 // indirect
|
||||
golang.org/x/mod v0.10.0 // indirect
|
||||
golang.org/x/oauth2 v0.7.0 // indirect
|
||||
golang.org/x/oauth2 v0.5.0 // indirect
|
||||
golang.org/x/sys v0.9.0 // indirect
|
||||
golang.org/x/tools v0.8.0 // indirect
|
||||
golang.org/x/tools v0.7.0 // indirect
|
||||
google.golang.org/appengine v1.6.7 // indirect
|
||||
google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e // indirect
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e // indirect
|
||||
google.golang.org/grpc v1.56.0 // indirect
|
||||
google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd // indirect
|
||||
google.golang.org/grpc v1.54.0 // indirect
|
||||
google.golang.org/protobuf v1.30.0 // indirect
|
||||
gopkg.in/ini.v1 v1.67.0 // indirect
|
||||
gopkg.in/yaml.v2 v2.4.0 // indirect
|
||||
|
|
46
go.sum
46
go.sum
|
@ -72,8 +72,6 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
|
|||
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
|
||||
github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
|
||||
github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
|
||||
github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k=
|
||||
github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
|
||||
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
|
||||
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||
github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
|
||||
|
@ -115,11 +113,7 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m
|
|||
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
|
||||
github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
|
||||
github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
|
||||
github.com/envoyproxy/go-control-plane v0.11.1 h1:wSUXTlLfiAQRWs2F+p+EKOY9rUyis1MyGqJ2DIk5HpM=
|
||||
github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g=
|
||||
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
|
||||
github.com/envoyproxy/protoc-gen-validate v1.0.1 h1:kt9FtLiooDc0vbwTLhdg3dyNX1K9Qwa1EK9LcD4jVUQ=
|
||||
github.com/envoyproxy/protoc-gen-validate v1.0.1/go.mod h1:0vj8bNkYbSTNS2PIyH87KZaeN4x9zpL9Qt8fQC7d+vs=
|
||||
github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 h1:JWuenKqqX8nojtoVVWjGfOF9635RETekkoH6Cc9SX0A=
|
||||
github.com/facebookgo/stack v0.0.0-20160209184415-751773369052/go.mod h1:UbMTZqLaRiH3MsBH8va0n7s1pQYcu3uTb8G4tygF4Zg=
|
||||
github.com/fasthttp/router v1.4.19 h1:RLE539IU/S4kfb4MP56zgP0TIBU9kEg0ID9GpWO0vqk=
|
||||
|
@ -160,19 +154,13 @@ github.com/go-webauthn/revoke v0.1.9 h1:gSJ1ckA9VaKA2GN4Ukp+kiGTk1/EXtaDb1YE8Rkn
|
|||
github.com/go-webauthn/revoke v0.1.9/go.mod h1:j6WKPnv0HovtEs++paan9g3ar46gm1NarktkXBaPR+w=
|
||||
github.com/go-webauthn/webauthn v0.5.0 h1:Tbmp37AGIhYbQmcy2hEffo3U3cgPClqvxJ7cLUnF7Rc=
|
||||
github.com/go-webauthn/webauthn v0.5.0/go.mod h1:0CBq/jNfPS9l033j4AxMk8K8MluiMsde9uGNSPFLEVE=
|
||||
github.com/gogo/googleapis v1.4.1 h1:1Yx4Myt7BxzvUr5ldGSbwYiZG6t9wGBZ+8/fX3Wvtq0=
|
||||
github.com/gogo/googleapis v1.4.1/go.mod h1:2lpHqI5OcWCtVElxXnPt+s8oJvMpySlOyM6xDCrzib4=
|
||||
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
|
||||
github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
|
||||
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
|
||||
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
|
||||
github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
|
||||
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
|
||||
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
|
||||
github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
|
||||
github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
|
||||
github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE=
|
||||
github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ=
|
||||
github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||
|
@ -268,8 +256,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
|
|||
github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
|
||||
github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
|
||||
github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
|
||||
github.com/jackc/pgx/v5 v5.4.1 h1:oKfB/FhuVtit1bBM3zNRRsZ925ZkMN3HXL+LgLUM9lE=
|
||||
github.com/jackc/pgx/v5 v5.4.1/go.mod h1:q6iHT8uDNXWiFNOlRqJzBTaSH3+2xCXkokxHZC5qWFY=
|
||||
github.com/jackc/pgx/v5 v5.4.0 h1:BSr+GCm4N6QcgIwv0DyTFHK9ugfEFF9DzSbbzxOiXU0=
|
||||
github.com/jackc/pgx/v5 v5.4.0/go.mod h1:q6iHT8uDNXWiFNOlRqJzBTaSH3+2xCXkokxHZC5qWFY=
|
||||
github.com/jandelgado/gcov2lcov v1.0.5 h1:rkBt40h0CVK4oCb8Dps950gvfd1rYvQ8+cWa346lVU0=
|
||||
github.com/jandelgado/gcov2lcov v1.0.5/go.mod h1:NnSxK6TMlg1oGDBfGelGbjgorT5/L3cchlbtgFYZSss=
|
||||
github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g=
|
||||
|
@ -279,7 +267,6 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
|
|||
github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
|
||||
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
|
||||
github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
|
||||
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
|
||||
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
|
||||
github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI=
|
||||
github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
|
||||
|
@ -344,10 +331,10 @@ github.com/ory/go-convenience v0.1.0 h1:zouLKfF2GoSGnJwGq+PE/nJAE6dj2Zj5QlTgmMTs
|
|||
github.com/ory/go-convenience v0.1.0/go.mod h1:uEY/a60PL5c12nYz4V5cHY03IBmwIAEm8TWB0yn9KNs=
|
||||
github.com/ory/herodot v0.10.2 h1:gGvNMHgAwWzdP/eo+roSiT5CGssygHSjDU7MSQNlJ4E=
|
||||
github.com/ory/herodot v0.10.2/go.mod h1:MMNmY6MG1uB6fnXYFaHoqdV23DTWctlPsmRCeq/2+wc=
|
||||
github.com/ory/x v0.0.563 h1:T77Bjt6ALMZmUJIsQ5UEkzDBCD+8vxfQlBCU1Y39uDk=
|
||||
github.com/ory/x v0.0.563/go.mod h1:kup4ebSC4SzwU6KPZJ4G60UR3EEsHxJ0apQVflVw5yQ=
|
||||
github.com/otiai10/copy v1.12.0 h1:cLMgSQnXBs1eehF0Wy/FAGsgDTDmAqFR7rQylBb1nDY=
|
||||
github.com/otiai10/copy v1.12.0/go.mod h1:rSaLseMUsZFFbsFGc7wCJnnkTAvdc5L6VWxPE4308Ww=
|
||||
github.com/ory/x v0.0.561 h1:SvNDGd6OhvAFl4XiPnYJuLCtR6iLxZJcF1Vzlo1IFTM=
|
||||
github.com/ory/x v0.0.561/go.mod h1:kup4ebSC4SzwU6KPZJ4G60UR3EEsHxJ0apQVflVw5yQ=
|
||||
github.com/otiai10/copy v1.11.0 h1:OKBD80J/mLBrwnzXqGtFCzprFSGioo30JcmR4APsNwc=
|
||||
github.com/otiai10/copy v1.11.0/go.mod h1:rSaLseMUsZFFbsFGc7wCJnnkTAvdc5L6VWxPE4308Ww=
|
||||
github.com/otiai10/mint v1.5.1 h1:XaPLeE+9vGbuyEHem1JNk3bYc7KKqyI/na0/mLd/Kks=
|
||||
github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
|
||||
github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
|
||||
|
@ -376,8 +363,6 @@ github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:
|
|||
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
|
||||
github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
|
||||
github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
|
||||
github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
|
||||
github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
|
||||
github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
|
||||
github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
|
||||
github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
|
||||
|
@ -451,8 +436,8 @@ github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGr
|
|||
github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
|
||||
github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
|
||||
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
|
||||
github.com/valyala/fasthttp v1.48.0 h1:oJWvHb9BIZToTQS3MuQ2R3bJZiNSa2KiNdeI8A+79Tc=
|
||||
github.com/valyala/fasthttp v1.48.0/go.mod h1:k2zXd82h/7UZc3VOdJ2WaUqt1uZ/XpXAfE9i+HBC3lA=
|
||||
github.com/valyala/fasthttp v1.47.0 h1:y7moDoxYzMooFpT5aHgNgVOQDrS3qlkfiP9mDtGGK9c=
|
||||
github.com/valyala/fasthttp v1.47.0/go.mod h1:k2zXd82h/7UZc3VOdJ2WaUqt1uZ/XpXAfE9i+HBC3lA=
|
||||
github.com/wneessen/go-mail v0.3.9 h1:Q4DbCk3htT5DtDWKeMgNXCiHc4bBY/vv/XQPT6XDXzc=
|
||||
github.com/wneessen/go-mail v0.3.9/go.mod h1:zxOlafWCP/r6FEhAaRgH4IC1vg2YXxO0Nar9u0IScZ8=
|
||||
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
|
||||
|
@ -594,10 +579,6 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ
|
|||
golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
|
||||
golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s=
|
||||
golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
|
||||
golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw=
|
||||
golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
|
||||
golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
|
||||
golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
|
||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
|
@ -726,7 +707,6 @@ golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roY
|
|||
golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
|
||||
golang.org/x/tools v0.0.0-20200717024301-6ddee64345a6/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
|
||||
golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
|
||||
golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
|
||||
|
@ -736,7 +716,6 @@ golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4f
|
|||
golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
|
||||
golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
|
||||
golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
|
||||
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
|
||||
golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
|
||||
golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
|
||||
golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
|
||||
|
@ -745,7 +724,6 @@ golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
|
|||
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
|
||||
golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
|
||||
golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
|
||||
golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
|
||||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
|
@ -815,10 +793,6 @@ google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6D
|
|||
google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
|
||||
google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd h1:sLpv7bNL1AsX3fdnWh9WVh7ejIzXdOc1RRHGeAmeStU=
|
||||
google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd/go.mod h1:UUQDJDOlWu4KYeJZffbWgBkS1YFobzKbLVfK69pe0Ak=
|
||||
google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e h1:Ao9GzfUMPH3zjVfzXG5rlWlk+Q8MXWKwWpwVQE1MXfw=
|
||||
google.golang.org/genproto v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:zqTuNwFlFRsw5zIts5VnzLQxSRqh+CGOTVMlYbY0Eyk=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e h1:NumxXLPfHSndr3wBBdeKiVHjGVFzi9RX2HwwQke94iY=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20230526203410-71b5a4ffd15e/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
|
||||
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
|
||||
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
|
||||
google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
|
||||
|
@ -838,10 +812,6 @@ google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA5
|
|||
google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
|
||||
google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag=
|
||||
google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
|
||||
google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag=
|
||||
google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8=
|
||||
google.golang.org/grpc v1.56.0 h1:+y7Bs8rtMd07LeXmL3NxcTLn7mUkbKZqEpPhMNkwJEE=
|
||||
google.golang.org/grpc v1.56.0/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
|
||||
google.golang.org/grpc/examples v0.0.0-20210304020650-930c79186c99 h1:qA8rMbz1wQ4DOFfM2ouD29DG9aHWBm6ZOy9BGxiUMmY=
|
||||
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
|
||||
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
|
||||
|
|
|
@ -60,19 +60,12 @@ const (
|
|||
)
|
||||
|
||||
const (
|
||||
ldapPlaceholderInput = "{input}"
|
||||
ldapPlaceholderDistinguishedName = "{dn}"
|
||||
ldapPlaceholderMemberOfDistinguishedName = "{memberof:dn}"
|
||||
ldapPlaceholderMemberOfRelativeDistinguishedName = "{memberof:rdn}"
|
||||
ldapPlaceholderUsername = "{username}"
|
||||
ldapPlaceholderDateTimeGeneralized = "{date-time:generalized}"
|
||||
ldapPlaceholderDateTimeMicrosoftNTTimeEpoch = "{date-time:microsoft-nt}"
|
||||
ldapPlaceholderDateTimeUnixEpoch = "{date-time:unix}"
|
||||
ldapPlaceholderDistinguishedNameAttribute = "{distinguished_name_attribute}"
|
||||
ldapPlaceholderUsernameAttribute = "{username_attribute}"
|
||||
ldapPlaceholderDisplayNameAttribute = "{display_name_attribute}"
|
||||
ldapPlaceholderMailAttribute = "{mail_attribute}"
|
||||
ldapPlaceholderMemberOfAttribute = "{member_of_attribute}"
|
||||
ldapPlaceholderInput = "{input}"
|
||||
ldapPlaceholderDistinguishedName = "{dn}"
|
||||
ldapPlaceholderUsername = "{username}"
|
||||
ldapPlaceholderDateTimeGeneralized = "{date-time:generalized}"
|
||||
ldapPlaceholderDateTimeMicrosoftNTTimeEpoch = "{date-time:microsoft-nt}"
|
||||
ldapPlaceholderDateTimeUnixEpoch = "{date-time:unix}"
|
||||
)
|
||||
|
||||
const (
|
||||
|
|
|
@ -3,7 +3,7 @@ package authentication
|
|||
// This file is used to generate mocks. You can generate all mocks using the
|
||||
// command `go generate github.com/authelia/authelia/v4/internal/authentication`.
|
||||
|
||||
//go:generate mockgen -package authentication -destination ldap_client_mock_test.go -mock_names LDAPClient=MockLDAPClient github.com/authelia/authelia/v4/internal/authentication LDAPClient
|
||||
//go:generate mockgen -package authentication -destination ldap_client_factory_mock_test.go -mock_names LDAPClientFactory=MockLDAPClientFactory github.com/authelia/authelia/v4/internal/authentication LDAPClientFactory
|
||||
//go:generate mockgen -package authentication -destination ldap_client_mock.go -mock_names LDAPClient=MockLDAPClient github.com/authelia/authelia/v4/internal/authentication LDAPClient
|
||||
//go:generate mockgen -package authentication -destination ldap_client_factory_mock.go -mock_names LDAPClientFactory=MockLDAPClientFactory github.com/authelia/authelia/v4/internal/authentication LDAPClientFactory
|
||||
//go:generate mockgen -package authentication -destination file_user_provider_database_mock_test.go -mock_names FileUserDatabase=MockFileUserDatabase github.com/authelia/authelia/v4/internal/authentication FileUserDatabase
|
||||
//go:generate mockgen -package authentication -destination file_user_provider_hash_mock_test.go -mock_names Hash=MockHash github.com/go-crypt/crypt/algorithm Hash
|
||||
|
|
|
@ -1,17 +0,0 @@
|
|||
package authentication
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestControlMsftServerPolicyHints(t *testing.T) {
|
||||
ct := &controlMsftServerPolicyHints{
|
||||
oid: ldapOIDControlMsftServerPolicyHints,
|
||||
}
|
||||
|
||||
assert.Equal(t, ldapOIDControlMsftServerPolicyHints, ct.GetControlType())
|
||||
assert.Equal(t, "Enforce the password history length constraint (MS-SAMR section 3.1.1.7.1) during password set: 1.2.840.113556.1.4.2239", ct.String())
|
||||
assert.NotNil(t, ct.Encode())
|
||||
}
|
|
@ -8,7 +8,7 @@ import (
|
|||
"strconv"
|
||||
"strings"
|
||||
|
||||
ldap "github.com/go-ldap/ldap/v3"
|
||||
"github.com/go-ldap/ldap/v3"
|
||||
"github.com/sirupsen/logrus"
|
||||
|
||||
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
||||
|
@ -40,13 +40,11 @@ type LDAPUserProvider struct {
|
|||
usersFilterReplacementDateTimeMicrosoftNTTimeEpoch bool
|
||||
|
||||
// Dynamically generated groups values.
|
||||
groupsBaseDN string
|
||||
groupsAttributes []string
|
||||
groupsFilterReplacementInput bool
|
||||
groupsFilterReplacementUsername bool
|
||||
groupsFilterReplacementDN bool
|
||||
groupsFilterReplacementsMemberOfDN bool
|
||||
groupsFilterReplacementsMemberOfRDN bool
|
||||
groupsBaseDN string
|
||||
groupsAttributes []string
|
||||
groupsFilterReplacementInput bool
|
||||
groupsFilterReplacementUsername bool
|
||||
groupsFilterReplacementDN bool
|
||||
}
|
||||
|
||||
// NewLDAPUserProvider creates a new instance of LDAPUserProvider with the ProductionLDAPClientFactory.
|
||||
|
@ -88,7 +86,6 @@ func NewLDAPUserProviderWithFactory(config schema.LDAPAuthenticationBackend, dis
|
|||
|
||||
provider.parseDynamicUsersConfiguration()
|
||||
provider.parseDynamicGroupsConfiguration()
|
||||
provider.parseDynamicConfiguration()
|
||||
|
||||
return provider
|
||||
}
|
||||
|
@ -137,11 +134,38 @@ func (p *LDAPUserProvider) GetDetails(username string) (details *UserDetails, er
|
|||
}
|
||||
|
||||
var (
|
||||
groups []string
|
||||
request *ldap.SearchRequest
|
||||
result *ldap.SearchResult
|
||||
)
|
||||
|
||||
if groups, err = p.getUserGroups(client, username, profile); err != nil {
|
||||
return nil, err
|
||||
// Search for the users groups.
|
||||
request = ldap.NewSearchRequest(
|
||||
p.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
|
||||
0, 0, false, p.resolveGroupsFilter(username, profile), p.groupsAttributes, nil,
|
||||
)
|
||||
|
||||
p.log.
|
||||
WithField("base_dn", request.BaseDN).
|
||||
WithField("filter", request.Filter).
|
||||
WithField("attr", request.Attributes).
|
||||
WithField("scope", request.Scope).
|
||||
WithField("deref", request.DerefAliases).
|
||||
Trace("Performing group search")
|
||||
|
||||
if result, err = p.search(client, request); err != nil {
|
||||
return nil, fmt.Errorf("unable to retrieve groups of user '%s'. Cause: %w", username, err)
|
||||
}
|
||||
|
||||
groups := make([]string, 0)
|
||||
|
||||
for _, res := range result.Entries {
|
||||
if len(res.Attributes) == 0 {
|
||||
p.log.Warningf("No groups retrieved from LDAP for user %s", username)
|
||||
break
|
||||
}
|
||||
|
||||
// Append all values of the document. Normally there should be only one per document.
|
||||
groups = append(groups, res.Attributes[0].Values...)
|
||||
}
|
||||
|
||||
return &UserDetails{
|
||||
|
@ -251,12 +275,14 @@ func (p *LDAPUserProvider) search(client LDAPClient, request *ldap.SearchRequest
|
|||
} else {
|
||||
result.Referrals = append(result.Referrals, referral)
|
||||
}
|
||||
} else {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
if !p.config.PermitReferrals || len(result.Referrals) == 0 {
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return result, nil
|
||||
}
|
||||
|
||||
|
@ -331,11 +357,6 @@ func (p *LDAPUserProvider) getUserProfile(client LDAPClient, username string) (p
|
|||
return nil, fmt.Errorf("there were %d users found when searching for '%s' but there should only be 1", len(result.Entries), username)
|
||||
}
|
||||
|
||||
return p.getUserProfileResultToProfile(username, result)
|
||||
}
|
||||
|
||||
//nolint:gocyclo // Not overly complex.
|
||||
func (p *LDAPUserProvider) getUserProfileResultToProfile(username string, result *ldap.SearchResult) (profile *ldapUserProfile, err error) {
|
||||
userProfile := ldapUserProfile{
|
||||
DN: result.Entries[0].DN,
|
||||
}
|
||||
|
@ -343,50 +364,35 @@ func (p *LDAPUserProvider) getUserProfileResultToProfile(username string, result
|
|||
for _, attr := range result.Entries[0].Attributes {
|
||||
attrs := len(attr.Values)
|
||||
|
||||
switch attr.Name {
|
||||
case p.config.Attributes.Username:
|
||||
if attr.Name == p.config.UsernameAttribute {
|
||||
switch attrs {
|
||||
case 1:
|
||||
userProfile.Username = attr.Values[0]
|
||||
|
||||
if attr.Name == p.config.Attributes.DisplayName && userProfile.DisplayName == "" {
|
||||
userProfile.DisplayName = attr.Values[0]
|
||||
}
|
||||
|
||||
if attr.Name == p.config.Attributes.Mail && len(userProfile.Emails) == 0 {
|
||||
userProfile.Emails = []string{attr.Values[0]}
|
||||
}
|
||||
case 0:
|
||||
return nil, fmt.Errorf("user '%s' must have value for attribute '%s'",
|
||||
username, p.config.Attributes.Username)
|
||||
username, p.config.UsernameAttribute)
|
||||
default:
|
||||
return nil, fmt.Errorf("user '%s' has %d values for for attribute '%s' but the attribute must be a single value attribute",
|
||||
username, attrs, p.config.Attributes.Username)
|
||||
}
|
||||
case p.config.Attributes.Mail:
|
||||
if attrs == 0 {
|
||||
continue
|
||||
username, attrs, p.config.UsernameAttribute)
|
||||
}
|
||||
}
|
||||
|
||||
if attrs == 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
if attr.Name == p.config.MailAttribute {
|
||||
userProfile.Emails = attr.Values
|
||||
case p.config.Attributes.DisplayName:
|
||||
if attrs == 0 {
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
if attr.Name == p.config.DisplayNameAttribute {
|
||||
userProfile.DisplayName = attr.Values[0]
|
||||
case p.config.Attributes.MemberOf:
|
||||
if attrs == 0 {
|
||||
continue
|
||||
}
|
||||
|
||||
userProfile.MemberOf = attr.Values
|
||||
}
|
||||
}
|
||||
|
||||
if userProfile.Username == "" {
|
||||
return nil, fmt.Errorf("user '%s' must have value for attribute '%s'",
|
||||
username, p.config.Attributes.Username)
|
||||
username, p.config.UsernameAttribute)
|
||||
}
|
||||
|
||||
if userProfile.DN == "" {
|
||||
|
@ -396,118 +402,6 @@ func (p *LDAPUserProvider) getUserProfileResultToProfile(username string, result
|
|||
return &userProfile, nil
|
||||
}
|
||||
|
||||
func (p *LDAPUserProvider) getUserGroups(client LDAPClient, username string, profile *ldapUserProfile) (groups []string, err error) {
|
||||
request := ldap.NewSearchRequest(
|
||||
p.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
|
||||
0, 0, false, p.resolveGroupsFilter(username, profile), p.groupsAttributes, nil,
|
||||
)
|
||||
|
||||
p.log.
|
||||
WithField("base_dn", request.BaseDN).
|
||||
WithField("filter", request.Filter).
|
||||
WithField("attributes", request.Attributes).
|
||||
WithField("scope", request.Scope).
|
||||
WithField("deref", request.DerefAliases).
|
||||
WithField("mode", p.config.GroupSearchMode).
|
||||
Trace("Performing group search")
|
||||
|
||||
switch p.config.GroupSearchMode {
|
||||
case "", "filter":
|
||||
return p.getUserGroupsRequestFilter(client, username, profile, request)
|
||||
case "memberof":
|
||||
return p.getUserGroupsRequestMemberOf(client, username, profile, request)
|
||||
default:
|
||||
return nil, fmt.Errorf("could not perform group search with mode '%s' as it's unknown", p.config.GroupSearchMode)
|
||||
}
|
||||
}
|
||||
|
||||
func (p *LDAPUserProvider) getUserGroupsRequestFilter(client LDAPClient, username string, _ *ldapUserProfile, request *ldap.SearchRequest) (groups []string, err error) {
|
||||
var result *ldap.SearchResult
|
||||
|
||||
if result, err = p.search(client, request); err != nil {
|
||||
return nil, fmt.Errorf("unable to retrieve groups of user '%s'. Cause: %w", username, err)
|
||||
}
|
||||
|
||||
for _, entry := range result.Entries {
|
||||
if group := p.getUserGroupFromEntry(entry); len(group) != 0 {
|
||||
groups = append(groups, group)
|
||||
}
|
||||
}
|
||||
|
||||
return groups, nil
|
||||
}
|
||||
|
||||
func (p *LDAPUserProvider) getUserGroupsRequestMemberOf(client LDAPClient, username string, profile *ldapUserProfile, request *ldap.SearchRequest) (groups []string, err error) {
|
||||
var result *ldap.SearchResult
|
||||
|
||||
if result, err = p.search(client, request); err != nil {
|
||||
return nil, fmt.Errorf("unable to retrieve groups of user '%s'. Cause: %w", username, err)
|
||||
}
|
||||
|
||||
for _, entry := range result.Entries {
|
||||
if len(entry.Attributes) == 0 {
|
||||
p.log.
|
||||
WithField("dn", entry.DN).
|
||||
WithField("attributes", request.Attributes).
|
||||
WithField("mode", "memberof").
|
||||
Trace("Skipping Group as the server did not return any requested attributes")
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
if !utils.IsStringInSliceFold(entry.DN, profile.MemberOf) {
|
||||
p.log.
|
||||
WithField("dn", entry.DN).
|
||||
WithField("mode", "memberof").
|
||||
Trace("Skipping Group as it doesn't match the users memberof entries")
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
if group := p.getUserGroupFromEntry(entry); len(group) != 0 {
|
||||
groups = append(groups, group)
|
||||
}
|
||||
}
|
||||
|
||||
return groups, nil
|
||||
}
|
||||
|
||||
func (p *LDAPUserProvider) getUserGroupFromEntry(entry *ldap.Entry) string {
|
||||
attributes:
|
||||
for _, attr := range entry.Attributes {
|
||||
switch attr.Name {
|
||||
case p.config.Attributes.GroupName:
|
||||
switch len(attr.Values) {
|
||||
case 0:
|
||||
p.log.
|
||||
WithField("dn", entry.DN).
|
||||
WithField("attribute", attr.Name).
|
||||
Trace("Group skipped as the server returned a null attribute")
|
||||
case 1:
|
||||
switch len(attr.Values[0]) {
|
||||
case 0:
|
||||
p.log.
|
||||
WithField("dn", entry.DN).
|
||||
WithField("attribute", attr.Name).
|
||||
Trace("Skipping group as the configured group name attribute had no value")
|
||||
|
||||
default:
|
||||
return attr.Values[0]
|
||||
}
|
||||
default:
|
||||
p.log.
|
||||
WithField("dn", entry.DN).
|
||||
WithField("attribute", attr.Name).
|
||||
Trace("Group skipped as the server returned a multi-valued attribute but it should be a single-valued attribute")
|
||||
}
|
||||
|
||||
break attributes
|
||||
}
|
||||
}
|
||||
|
||||
return ""
|
||||
}
|
||||
|
||||
func (p *LDAPUserProvider) resolveUsersFilter(input string) (filter string) {
|
||||
filter = p.config.UsersFilter
|
||||
|
||||
|
@ -551,27 +445,6 @@ func (p *LDAPUserProvider) resolveGroupsFilter(input string, profile *ldapUserPr
|
|||
}
|
||||
}
|
||||
|
||||
if p.groupsFilterReplacementsMemberOfDN {
|
||||
sep := fmt.Sprintf(")(%s=", p.config.Attributes.DistinguishedName)
|
||||
values := make([]string, len(profile.MemberOf))
|
||||
|
||||
for i, memberof := range profile.MemberOf {
|
||||
values[i] = ldap.EscapeFilter(memberof)
|
||||
}
|
||||
|
||||
filter = strings.ReplaceAll(filter, ldapPlaceholderMemberOfDistinguishedName, fmt.Sprintf("(%s=%s)", p.config.Attributes.DistinguishedName, strings.Join(values, sep)))
|
||||
}
|
||||
|
||||
if p.groupsFilterReplacementsMemberOfRDN {
|
||||
values := make([]string, len(profile.MemberOf))
|
||||
|
||||
for i, memberof := range profile.MemberOf {
|
||||
values[i] = ldap.EscapeFilter(strings.SplitN(memberof, ",", 2)[0])
|
||||
}
|
||||
|
||||
filter = strings.ReplaceAll(filter, ldapPlaceholderMemberOfRelativeDistinguishedName, fmt.Sprintf("(%s)", strings.Join(values, ")(")))
|
||||
}
|
||||
|
||||
p.log.Tracef("Computed groups filter is %s", filter)
|
||||
|
||||
return filter
|
||||
|
|
|
@ -37,6 +37,11 @@ func (p *LDAPUserProvider) StartupCheck() (err error) {
|
|||
"LDAP Server.")
|
||||
}
|
||||
|
||||
if !p.features.Extensions.TLS && p.config.StartTLS {
|
||||
p.log.Info("Your LDAP Server does not appear to support TLS but you enabled StartTLS which may result " +
|
||||
"in an error.")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -85,24 +90,22 @@ func (p *LDAPUserProvider) getServerSupportedFeatures(client LDAPClient) (featur
|
|||
}
|
||||
|
||||
func (p *LDAPUserProvider) parseDynamicUsersConfiguration() {
|
||||
p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, ldapPlaceholderDistinguishedNameAttribute, p.config.Attributes.DistinguishedName)
|
||||
p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, ldapPlaceholderUsernameAttribute, p.config.Attributes.Username)
|
||||
p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, ldapPlaceholderDisplayNameAttribute, p.config.Attributes.DisplayName)
|
||||
p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, ldapPlaceholderMailAttribute, p.config.Attributes.Mail)
|
||||
p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, ldapPlaceholderMemberOfAttribute, p.config.Attributes.MemberOf)
|
||||
p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{username_attribute}", p.config.UsernameAttribute)
|
||||
p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{mail_attribute}", p.config.MailAttribute)
|
||||
p.config.UsersFilter = strings.ReplaceAll(p.config.UsersFilter, "{display_name_attribute}", p.config.DisplayNameAttribute)
|
||||
|
||||
p.log.Tracef("Dynamically generated users filter is %s", p.config.UsersFilter)
|
||||
|
||||
if len(p.config.Attributes.Username) != 0 && !utils.IsStringInSlice(p.config.Attributes.Username, p.usersAttributes) {
|
||||
p.usersAttributes = append(p.usersAttributes, p.config.Attributes.Username)
|
||||
if !utils.IsStringInSlice(p.config.UsernameAttribute, p.usersAttributes) {
|
||||
p.usersAttributes = append(p.usersAttributes, p.config.UsernameAttribute)
|
||||
}
|
||||
|
||||
if len(p.config.Attributes.Mail) != 0 && !utils.IsStringInSlice(p.config.Attributes.Mail, p.usersAttributes) {
|
||||
p.usersAttributes = append(p.usersAttributes, p.config.Attributes.Mail)
|
||||
if !utils.IsStringInSlice(p.config.MailAttribute, p.usersAttributes) {
|
||||
p.usersAttributes = append(p.usersAttributes, p.config.MailAttribute)
|
||||
}
|
||||
|
||||
if len(p.config.Attributes.DisplayName) != 0 && !utils.IsStringInSlice(p.config.Attributes.DisplayName, p.usersAttributes) {
|
||||
p.usersAttributes = append(p.usersAttributes, p.config.Attributes.DisplayName)
|
||||
if !utils.IsStringInSlice(p.config.DisplayNameAttribute, p.usersAttributes) {
|
||||
p.usersAttributes = append(p.usersAttributes, p.config.DisplayNameAttribute)
|
||||
}
|
||||
|
||||
if p.config.AdditionalUsersDN != "" {
|
||||
|
@ -134,14 +137,8 @@ func (p *LDAPUserProvider) parseDynamicUsersConfiguration() {
|
|||
}
|
||||
|
||||
func (p *LDAPUserProvider) parseDynamicGroupsConfiguration() {
|
||||
p.config.GroupsFilter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderDistinguishedNameAttribute, p.config.Attributes.DistinguishedName)
|
||||
p.config.GroupsFilter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderUsernameAttribute, p.config.Attributes.Username)
|
||||
p.config.GroupsFilter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderDisplayNameAttribute, p.config.Attributes.DisplayName)
|
||||
p.config.GroupsFilter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderMailAttribute, p.config.Attributes.Mail)
|
||||
p.config.GroupsFilter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderMemberOfAttribute, p.config.Attributes.MemberOf)
|
||||
|
||||
if len(p.config.Attributes.GroupName) != 0 && !utils.IsStringInSlice(p.config.Attributes.GroupName, p.groupsAttributes) {
|
||||
p.groupsAttributes = append(p.groupsAttributes, p.config.Attributes.GroupName)
|
||||
p.groupsAttributes = []string{
|
||||
p.config.GroupNameAttribute,
|
||||
}
|
||||
|
||||
if p.config.AdditionalGroupsDN != "" {
|
||||
|
@ -164,25 +161,5 @@ func (p *LDAPUserProvider) parseDynamicGroupsConfiguration() {
|
|||
p.groupsFilterReplacementDN = true
|
||||
}
|
||||
|
||||
if strings.Contains(p.config.GroupsFilter, ldapPlaceholderMemberOfDistinguishedName) {
|
||||
p.groupsFilterReplacementsMemberOfDN = true
|
||||
}
|
||||
|
||||
if strings.Contains(p.config.GroupsFilter, ldapPlaceholderMemberOfRelativeDistinguishedName) {
|
||||
p.groupsFilterReplacementsMemberOfRDN = true
|
||||
}
|
||||
|
||||
p.log.Tracef("Detected group filter replacements that need to be resolved per lookup are: input=%v, username=%v, dn=%v", p.groupsFilterReplacementInput, p.groupsFilterReplacementUsername, p.groupsFilterReplacementDN)
|
||||
}
|
||||
|
||||
func (p *LDAPUserProvider) parseDynamicConfiguration() {
|
||||
if len(p.config.Attributes.MemberOf) != 0 {
|
||||
if !utils.IsStringInSlice(p.config.Attributes.MemberOf, p.usersAttributes) {
|
||||
p.usersAttributes = append(p.usersAttributes, p.config.Attributes.MemberOf)
|
||||
}
|
||||
|
||||
if !utils.IsStringInSlice(p.config.Attributes.MemberOf, p.groupsAttributes) {
|
||||
p.groupsAttributes = append(p.groupsAttributes, p.config.Attributes.MemberOf)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -5,7 +5,7 @@ import (
|
|||
"strings"
|
||||
|
||||
ber "github.com/go-asn1-ber/asn1-ber"
|
||||
ldap "github.com/go-ldap/ldap/v3"
|
||||
"github.com/go-ldap/ldap/v3"
|
||||
)
|
||||
|
||||
func ldapEntriesContainsEntry(needle *ldap.Entry, haystack []*ldap.Entry) bool {
|
||||
|
@ -67,12 +67,12 @@ func ldapEscape(inputUsername string) string {
|
|||
}
|
||||
|
||||
func ldapGetReferral(err error) (referral string, ok bool) {
|
||||
if !ldap.IsErrorWithCode(err, ldap.LDAPResultReferral) {
|
||||
return "", false
|
||||
}
|
||||
|
||||
switch e := err.(type) {
|
||||
case *ldap.Error:
|
||||
if e.ResultCode != ldap.LDAPResultReferral {
|
||||
return "", false
|
||||
}
|
||||
|
||||
if e.Packet == nil {
|
||||
return "", false
|
||||
}
|
||||
|
|
|
@ -193,12 +193,6 @@ func TestLDAPGetReferral(t *testing.T) {
|
|||
expectedReferral: "",
|
||||
expectedOK: false,
|
||||
},
|
||||
{
|
||||
description: "ShouldNotGetInvalidErrType",
|
||||
have: errors.New("not an err"),
|
||||
expectedReferral: "",
|
||||
expectedOK: false,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
|
|
|
@ -82,7 +82,6 @@ type ldapUserProfile struct {
|
|||
Emails []string
|
||||
DisplayName string
|
||||
Username string
|
||||
MemberOf []string
|
||||
}
|
||||
|
||||
// LDAPSupportedFeatures represents features which a server may support which are implemented in code.
|
||||
|
|
|
@ -16,7 +16,6 @@ import (
|
|||
"github.com/sirupsen/logrus"
|
||||
"github.com/valyala/fasthttp"
|
||||
"golang.org/x/sync/errgroup"
|
||||
"google.golang.org/grpc"
|
||||
|
||||
"github.com/authelia/authelia/v4/internal/authentication"
|
||||
"github.com/authelia/authelia/v4/internal/server"
|
||||
|
@ -34,17 +33,6 @@ func NewServerService(name string, server *fasthttp.Server, listener net.Listene
|
|||
}
|
||||
}
|
||||
|
||||
// NewGRCPServerService creates a new ServerService with the appropriate logger etc.
|
||||
func NewGRCPServerService(name string, server *grpc.Server, listener net.Listener, isTLS bool, log *logrus.Logger) (service *GRCPServerService) {
|
||||
return &GRCPServerService{
|
||||
name: name,
|
||||
server: server,
|
||||
listener: listener,
|
||||
isTLS: isTLS,
|
||||
log: log.WithFields(map[string]any{logFieldService: serviceTypeServer, serviceTypeServer: name}),
|
||||
}
|
||||
}
|
||||
|
||||
// NewFileWatcherService creates a new FileWatcherService with the appropriate logger etc.
|
||||
func NewFileWatcherService(name, path string, reload ProviderReload, log *logrus.Logger) (service *FileWatcherService, err error) {
|
||||
if path == "" {
|
||||
|
@ -173,54 +161,6 @@ func (service *ServerService) Log() *logrus.Entry {
|
|||
return service.log
|
||||
}
|
||||
|
||||
// GRCPServerService is a Service which runs a gRCP server.
|
||||
type GRCPServerService struct {
|
||||
name string
|
||||
server *grpc.Server
|
||||
isTLS bool
|
||||
listener net.Listener
|
||||
log *logrus.Entry
|
||||
}
|
||||
|
||||
// ServiceType returns the service type for this service, which is always 'server'.
|
||||
func (service *GRCPServerService) ServiceType() string {
|
||||
return serviceTypeServer
|
||||
}
|
||||
|
||||
// ServiceName returns the individual name for this service.
|
||||
func (service *GRCPServerService) ServiceName() string {
|
||||
return service.name
|
||||
}
|
||||
|
||||
// Run the ServerService.
|
||||
func (service *GRCPServerService) Run() (err error) {
|
||||
defer func() {
|
||||
if r := recover(); r != nil {
|
||||
service.log.WithError(recoverErr(r)).Error("Critical error caught (recovered)")
|
||||
}
|
||||
}()
|
||||
|
||||
service.log.Infof(fmtLogServerListening, connectionType(service.isTLS), service.listener.Addr().String())
|
||||
|
||||
if err = service.server.Serve(service.listener); err != nil {
|
||||
service.log.WithError(err).Error("Error returned attempting to serve requests")
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Shutdown the ServerService.
|
||||
func (service *GRCPServerService) Shutdown() {
|
||||
service.server.Stop()
|
||||
}
|
||||
|
||||
// Log returns the *logrus.Entry of the ServerService.
|
||||
func (service *GRCPServerService) Log() *logrus.Entry {
|
||||
return service.log
|
||||
}
|
||||
|
||||
// FileWatcherService is a Service that watches files for changes.
|
||||
type FileWatcherService struct {
|
||||
name string
|
||||
|
@ -332,19 +272,6 @@ func svcSvrMetricsFunc(ctx *CmdCtx) (service Service) {
|
|||
return service
|
||||
}
|
||||
|
||||
func svcSvrGRPCFunc(ctx *CmdCtx) (service Service) {
|
||||
switch svr, listener, isTLS, err := server.CreateGRPCServer(ctx.config, ctx.providers); {
|
||||
case err != nil:
|
||||
ctx.log.WithError(err).Fatal("Create Server Service (gRPC) returned error")
|
||||
case svr != nil && listener != nil:
|
||||
service = NewGRCPServerService("gRCP", svr, listener, isTLS, ctx.log)
|
||||
default:
|
||||
ctx.log.Debug("Create Server Service (gRPC) skipped")
|
||||
}
|
||||
|
||||
return service
|
||||
}
|
||||
|
||||
func svcWatcherUsersFunc(ctx *CmdCtx) (service Service) {
|
||||
var err error
|
||||
|
||||
|
@ -385,7 +312,7 @@ func servicesRun(ctx *CmdCtx) {
|
|||
)
|
||||
|
||||
for _, serviceFunc := range []func(ctx *CmdCtx) Service{
|
||||
svcSvrMainFunc, svcSvrGRPCFunc, svcSvrMetricsFunc,
|
||||
svcSvrMainFunc, svcSvrMetricsFunc,
|
||||
svcWatcherUsersFunc,
|
||||
} {
|
||||
if service := serviceFunc(ctx); service != nil {
|
||||
|
|
|
@ -315,7 +315,7 @@ authentication_backend:
|
|||
## because it allows Authelia to offload the stateful operations
|
||||
## onto the LDAP service.
|
||||
# ldap:
|
||||
## The address of the directory server to connect to in the address common syntax.
|
||||
## The address of the LDAP server to connect to in the address common syntax.
|
||||
## Format: [<scheme>://]<hostname>[:<port>].
|
||||
## Square brackets indicate optional portions of the format. Scheme must be 'ldap', 'ldaps', or 'ldapi`.
|
||||
## The default scheme is 'ldapi' if the address is an absolute path otherwise it's 'ldaps'.
|
||||
|
@ -401,6 +401,16 @@ authentication_backend:
|
|||
## See also: additional_users_dn, additional_groups_dn.
|
||||
# base_dn: 'dc=example,dc=com'
|
||||
|
||||
## The attribute holding the username of the user. This attribute is used to populate the username in the session
|
||||
## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually
|
||||
## uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and the
|
||||
## configuration stored in database. Therefore only single value attributes are allowed and the value must never be
|
||||
## changed once attributed to a user otherwise it would break the configuration for that user. Technically,
|
||||
## non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead advise to use
|
||||
## a filter to perform alternative lookups and the attributes mentioned above (sAMAccountName and uid) to
|
||||
## follow https://datatracker.ietf.org/doc/html/rfc2307.
|
||||
# username_attribute: 'uid'
|
||||
|
||||
## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
|
||||
## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
|
||||
# additional_users_dn: 'ou=users'
|
||||
|
@ -431,9 +441,15 @@ authentication_backend:
|
|||
## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
|
||||
# groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
|
||||
## The group search mode to use. Options are 'filter' or 'memberof'. It's essential to read the docs if you wish to
|
||||
## use 'memberof'. Also 'filter' is the best choice for most use cases.
|
||||
# group_search_mode: 'filter'
|
||||
## The attribute holding the name of the group.
|
||||
# group_name_attribute: 'cn'
|
||||
|
||||
## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
|
||||
## first one returned by the LDAP server is used.
|
||||
# mail_attribute: 'mail'
|
||||
|
||||
## The attribute holding the display name of the user. This will be used to greet an authenticated user.
|
||||
# display_name_attribute: 'displayName'
|
||||
|
||||
## Follow referrals returned by the server.
|
||||
## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
|
||||
|
@ -444,37 +460,6 @@ authentication_backend:
|
|||
## Password can also be set using a secret: https://www.authelia.com/c/secrets
|
||||
# password: 'password'
|
||||
|
||||
## The attributes for users and objects from the directory server.
|
||||
# attributes:
|
||||
|
||||
## The distinguished name attribute if your directory server supports it. Users should read the docs before
|
||||
## configuring. Only used for the 'memberof' group search mode.
|
||||
# distinguished_name: ''
|
||||
|
||||
## The attribute holding the username of the user. This attribute is used to populate the username in the session
|
||||
## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP
|
||||
## usually uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and
|
||||
## the configuration stored in database; therefore only single value attributes are allowed and the value must
|
||||
## never be changed once attributed to a user otherwise it would break the configuration for that user.
|
||||
## Technically non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead
|
||||
## advise to use a filter to perform alternative lookups and the attributes mentioned above
|
||||
## (sAMAccountName and uid) to follow https://datatracker.ietf.org/doc/html/rfc2307.
|
||||
# username: 'uid'
|
||||
|
||||
## The attribute holding the display name of the user. This will be used to greet an authenticated user.
|
||||
# display_name: 'displayName'
|
||||
|
||||
## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only
|
||||
## the first one returned by the directory server is used.
|
||||
# mail: 'mail'
|
||||
|
||||
## The attribute which provides distinguished names of groups an object is a member of.
|
||||
## Only used for the 'memberof' group search mode.
|
||||
# member_of: 'memberOf'
|
||||
|
||||
## The attribute holding the name of the group.
|
||||
# group_name: 'cn'
|
||||
|
||||
##
|
||||
## File (Authentication Provider)
|
||||
##
|
||||
|
|
|
@ -294,36 +294,4 @@ var deprecations = map[string]Deprecation{
|
|||
MapFunc: nil,
|
||||
ErrFunc: nil,
|
||||
},
|
||||
"authentication_backend.ldap.username_attribute": {
|
||||
Version: model.SemanticVersion{Major: 4, Minor: 38},
|
||||
Key: "authentication_backend.ldap.username_attribute",
|
||||
NewKey: "authentication_backend.ldap.attributes.username",
|
||||
AutoMap: true,
|
||||
MapFunc: nil,
|
||||
ErrFunc: nil,
|
||||
},
|
||||
"authentication_backend.ldap.mail_attribute": {
|
||||
Version: model.SemanticVersion{Major: 4, Minor: 38},
|
||||
Key: "authentication_backend.ldap.mail_attribute",
|
||||
NewKey: "authentication_backend.ldap.attributes.mail",
|
||||
AutoMap: true,
|
||||
MapFunc: nil,
|
||||
ErrFunc: nil,
|
||||
},
|
||||
"authentication_backend.ldap.display_name_attribute": {
|
||||
Version: model.SemanticVersion{Major: 4, Minor: 38},
|
||||
Key: "authentication_backend.ldap.display_name_attribute",
|
||||
NewKey: "authentication_backend.ldap.attributes.display_name",
|
||||
AutoMap: true,
|
||||
MapFunc: nil,
|
||||
ErrFunc: nil,
|
||||
},
|
||||
"authentication_backend.ldap.group_name_attribute": {
|
||||
Version: model.SemanticVersion{Major: 4, Minor: 38},
|
||||
Key: "authentication_backend.ldap.group_name_attribute",
|
||||
NewKey: "authentication_backend.ldap.attributes.group_name",
|
||||
AutoMap: true,
|
||||
MapFunc: nil,
|
||||
ErrFunc: nil,
|
||||
},
|
||||
}
|
||||
|
|
|
@ -245,28 +245,6 @@ func TestShouldLoadURLList(t *testing.T) {
|
|||
assert.Equal(t, "https://example.com", config.IdentityProviders.OIDC.CORS.AllowedOrigins[1].String())
|
||||
}
|
||||
|
||||
func TestShouldDisableOIDCEntropy(t *testing.T) {
|
||||
val := schema.NewStructValidator()
|
||||
keys, config, err := Load(val, NewDefaultSources([]string{"./test_resources/config_oidc_disable_entropy.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
||||
|
||||
assert.NoError(t, err)
|
||||
|
||||
validator.ValidateKeys(keys, DefaultEnvPrefix, val)
|
||||
|
||||
assert.Len(t, val.Errors(), 0)
|
||||
assert.Len(t, val.Warnings(), 0)
|
||||
|
||||
assert.Equal(t, -1, config.IdentityProviders.OIDC.MinimumParameterEntropy)
|
||||
|
||||
validator.ValidateIdentityProviders(&config.IdentityProviders, val)
|
||||
|
||||
assert.Len(t, val.Errors(), 1)
|
||||
require.Len(t, val.Warnings(), 2)
|
||||
|
||||
assert.EqualError(t, val.Warnings()[0], "identity_providers: oidc: option 'minimum_parameter_entropy' is disabled which is considered unsafe and insecure")
|
||||
assert.Equal(t, -1, config.IdentityProviders.OIDC.MinimumParameterEntropy)
|
||||
}
|
||||
|
||||
func TestShouldConfigureConsent(t *testing.T) {
|
||||
val := schema.NewStructValidator()
|
||||
keys, config, err := Load(val, NewDefaultSources([]string{"./test_resources/config_oidc.yml"}, DefaultEnvPrefix, DefaultEnvDelimiter)...)
|
||||
|
|
|
@ -108,9 +108,11 @@ type LDAPAuthenticationBackend struct {
|
|||
|
||||
AdditionalGroupsDN string `koanf:"additional_groups_dn"`
|
||||
GroupsFilter string `koanf:"groups_filter"`
|
||||
GroupSearchMode string `koanf:"group_search_mode"`
|
||||
|
||||
Attributes LDAPAuthenticationAttributes `koanf:"attributes"`
|
||||
GroupNameAttribute string `koanf:"group_name_attribute"`
|
||||
UsernameAttribute string `koanf:"username_attribute"`
|
||||
MailAttribute string `koanf:"mail_attribute"`
|
||||
DisplayNameAttribute string `koanf:"display_name_attribute"`
|
||||
|
||||
PermitReferrals bool `koanf:"permit_referrals"`
|
||||
PermitUnauthenticatedBind bool `koanf:"permit_unauthenticated_bind"`
|
||||
|
@ -120,16 +122,6 @@ type LDAPAuthenticationBackend struct {
|
|||
Password string `koanf:"password"`
|
||||
}
|
||||
|
||||
// LDAPAuthenticationAttributes represents the configuration related to LDAP server attributes.
|
||||
type LDAPAuthenticationAttributes struct {
|
||||
DistinguishedName string `koanf:"distinguished_name"`
|
||||
Username string `koanf:"username"`
|
||||
DisplayName string `koanf:"display_name"`
|
||||
Mail string `koanf:"mail"`
|
||||
MemberOf string `koanf:"member_of"`
|
||||
GroupName string `koanf:"group_name"`
|
||||
}
|
||||
|
||||
// DefaultPasswordConfig represents the default configuration related to Argon2id hashing.
|
||||
var DefaultPasswordConfig = Password{
|
||||
Algorithm: argon2,
|
||||
|
@ -183,14 +175,11 @@ var DefaultCIPasswordConfig = Password{
|
|||
|
||||
// DefaultLDAPAuthenticationBackendConfigurationImplementationCustom represents the default LDAP config.
|
||||
var DefaultLDAPAuthenticationBackendConfigurationImplementationCustom = LDAPAuthenticationBackend{
|
||||
GroupSearchMode: ldapGroupSearchModeFilter,
|
||||
Attributes: LDAPAuthenticationAttributes{
|
||||
Username: ldapAttrUserID,
|
||||
DisplayName: ldapAttrDisplayName,
|
||||
Mail: ldapAttrMail,
|
||||
GroupName: ldapAttrCommonName,
|
||||
},
|
||||
Timeout: time.Second * 5,
|
||||
UsernameAttribute: ldapAttrUserID,
|
||||
MailAttribute: ldapAttrMail,
|
||||
DisplayNameAttribute: ldapAttrDisplayName,
|
||||
GroupNameAttribute: ldapAttrCommonName,
|
||||
Timeout: time.Second * 5,
|
||||
TLS: &TLSConfig{
|
||||
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
||||
},
|
||||
|
@ -198,18 +187,13 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationCustom = LDAPAuth
|
|||
|
||||
// DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory represents the default LDAP config for the LDAPImplementationActiveDirectory Implementation.
|
||||
var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory = LDAPAuthenticationBackend{
|
||||
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(|(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt})))",
|
||||
GroupsFilter: "(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))",
|
||||
GroupSearchMode: ldapGroupSearchModeFilter,
|
||||
Attributes: LDAPAuthenticationAttributes{
|
||||
DistinguishedName: ldapAttrDistinguishedName,
|
||||
Username: ldapAttrSAMAccountName,
|
||||
DisplayName: ldapAttrDisplayName,
|
||||
Mail: ldapAttrMail,
|
||||
MemberOf: ldapAttrMemberOf,
|
||||
GroupName: ldapAttrCommonName,
|
||||
},
|
||||
Timeout: time.Second * 5,
|
||||
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(|(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt})))",
|
||||
UsernameAttribute: "sAMAccountName",
|
||||
MailAttribute: ldapAttrMail,
|
||||
DisplayNameAttribute: ldapAttrDisplayName,
|
||||
GroupsFilter: "(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))",
|
||||
GroupNameAttribute: ldapAttrCommonName,
|
||||
Timeout: time.Second * 5,
|
||||
TLS: &TLSConfig{
|
||||
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
||||
},
|
||||
|
@ -217,17 +201,13 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory =
|
|||
|
||||
// DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis represents the default LDAP config for the LDAPImplementationRFC2307bis Implementation.
|
||||
var DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis = LDAPAuthenticationBackend{
|
||||
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(|(objectClass=inetOrgPerson)(objectClass=organizationalPerson)))",
|
||||
GroupsFilter: "(&(|(member={dn})(uniqueMember={dn}))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=groupOfMembers))(!(pwdReset=TRUE)))",
|
||||
GroupSearchMode: ldapGroupSearchModeFilter,
|
||||
Attributes: LDAPAuthenticationAttributes{
|
||||
Username: ldapAttrUserID,
|
||||
DisplayName: ldapAttrDisplayName,
|
||||
Mail: ldapAttrMail,
|
||||
MemberOf: ldapAttrMemberOf,
|
||||
GroupName: ldapAttrCommonName,
|
||||
},
|
||||
Timeout: time.Second * 5,
|
||||
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(|(objectClass=inetOrgPerson)(objectClass=organizationalPerson)))",
|
||||
UsernameAttribute: ldapAttrUserID,
|
||||
MailAttribute: ldapAttrMail,
|
||||
DisplayNameAttribute: ldapAttrDisplayName,
|
||||
GroupsFilter: "(&(|(member={dn})(uniqueMember={dn}))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=groupOfMembers)))",
|
||||
GroupNameAttribute: ldapAttrCommonName,
|
||||
Timeout: time.Second * 5,
|
||||
TLS: &TLSConfig{
|
||||
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
||||
},
|
||||
|
@ -235,17 +215,13 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis = LDAP
|
|||
|
||||
// DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA represents the default LDAP config for the LDAPImplementationFreeIPA Implementation.
|
||||
var DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA = LDAPAuthenticationBackend{
|
||||
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(!(nsAccountLock=TRUE))(krbPasswordExpiration>={date-time:generalized})(|(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized})))",
|
||||
GroupsFilter: "(&(member={dn})(objectClass=groupOfNames))",
|
||||
GroupSearchMode: ldapGroupSearchModeFilter,
|
||||
Attributes: LDAPAuthenticationAttributes{
|
||||
Username: ldapAttrUserID,
|
||||
DisplayName: ldapAttrDisplayName,
|
||||
Mail: ldapAttrMail,
|
||||
MemberOf: ldapAttrMemberOf,
|
||||
GroupName: ldapAttrCommonName,
|
||||
},
|
||||
Timeout: time.Second * 5,
|
||||
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(!(nsAccountLock=TRUE))(krbPasswordExpiration>={date-time:generalized})(|(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized})))",
|
||||
UsernameAttribute: ldapAttrUserID,
|
||||
MailAttribute: ldapAttrMail,
|
||||
DisplayNameAttribute: ldapAttrDisplayName,
|
||||
GroupsFilter: "(&(member={dn})(objectClass=groupOfNames))",
|
||||
GroupNameAttribute: ldapAttrCommonName,
|
||||
Timeout: time.Second * 5,
|
||||
TLS: &TLSConfig{
|
||||
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
||||
},
|
||||
|
@ -253,19 +229,15 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA = LDAPAut
|
|||
|
||||
// DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP represents the default LDAP config for the LDAPImplementationLLDAP Implementation.
|
||||
var DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP = LDAPAuthenticationBackend{
|
||||
AdditionalUsersDN: "OU=people",
|
||||
AdditionalGroupsDN: "OU=groups",
|
||||
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))",
|
||||
GroupsFilter: "(&(member={dn})(objectClass=groupOfUniqueNames))",
|
||||
GroupSearchMode: ldapGroupSearchModeFilter,
|
||||
Attributes: LDAPAuthenticationAttributes{
|
||||
Username: ldapAttrUserID,
|
||||
DisplayName: ldapAttrCommonName,
|
||||
Mail: ldapAttrMail,
|
||||
MemberOf: ldapAttrMemberOf,
|
||||
GroupName: ldapAttrCommonName,
|
||||
},
|
||||
Timeout: time.Second * 5,
|
||||
AdditionalUsersDN: "OU=people",
|
||||
AdditionalGroupsDN: "OU=groups",
|
||||
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))",
|
||||
UsernameAttribute: ldapAttrUserID,
|
||||
MailAttribute: ldapAttrMail,
|
||||
DisplayNameAttribute: ldapAttrCommonName,
|
||||
GroupsFilter: "(&(member={dn})(objectClass=groupOfUniqueNames))",
|
||||
GroupNameAttribute: ldapAttrCommonName,
|
||||
Timeout: time.Second * 5,
|
||||
TLS: &TLSConfig{
|
||||
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
||||
},
|
||||
|
@ -273,17 +245,13 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP = LDAPAuthe
|
|||
|
||||
// DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth represents the default LDAP config for the LDAPImplementationGLAuth Implementation.
|
||||
var DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth = LDAPAuthenticationBackend{
|
||||
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=posixAccount)(!(accountStatus=inactive)))",
|
||||
GroupsFilter: "(&(uniqueMember={dn})(objectClass=posixGroup))",
|
||||
GroupSearchMode: ldapGroupSearchModeFilter,
|
||||
Attributes: LDAPAuthenticationAttributes{
|
||||
Username: ldapAttrCommonName,
|
||||
DisplayName: ldapAttrDescription,
|
||||
Mail: ldapAttrMail,
|
||||
MemberOf: ldapAttrMemberOf,
|
||||
GroupName: ldapAttrCommonName,
|
||||
},
|
||||
Timeout: time.Second * 5,
|
||||
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=posixAccount)(!(accountStatus=inactive)))",
|
||||
UsernameAttribute: ldapAttrCommonName,
|
||||
MailAttribute: ldapAttrMail,
|
||||
DisplayNameAttribute: ldapAttrDescription,
|
||||
GroupsFilter: "(&(uniqueMember={dn})(objectClass=posixGroup))",
|
||||
GroupNameAttribute: ldapAttrCommonName,
|
||||
Timeout: time.Second * 5,
|
||||
TLS: &TLSConfig{
|
||||
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
||||
},
|
||||
|
|
|
@ -78,14 +78,6 @@ const (
|
|||
LDAPImplementationGLAuth = "glauth"
|
||||
)
|
||||
|
||||
const (
|
||||
// LDAPGroupSearchModeFilter is the string for the filter group search mode.
|
||||
LDAPGroupSearchModeFilter = "filter"
|
||||
|
||||
// LDAPGroupSearchModeMemberOf is the string for the memberOf group search mode.
|
||||
LDAPGroupSearchModeMemberOf = "memberof"
|
||||
)
|
||||
|
||||
// TOTP Algorithm.
|
||||
const (
|
||||
TOTPAlgorithmSHA1 = "SHA1"
|
||||
|
@ -129,18 +121,11 @@ const (
|
|||
)
|
||||
|
||||
const (
|
||||
ldapGroupSearchModeFilter = "filter"
|
||||
)
|
||||
|
||||
const (
|
||||
ldapAttrDistinguishedName = "distinguishedName"
|
||||
ldapAttrMail = "mail"
|
||||
ldapAttrUserID = "uid"
|
||||
ldapAttrSAMAccountName = "sAMAccountName"
|
||||
ldapAttrDisplayName = "displayName"
|
||||
ldapAttrDescription = "description"
|
||||
ldapAttrCommonName = "cn"
|
||||
ldapAttrMemberOf = "memberOf"
|
||||
ldapAttrMail = "mail"
|
||||
ldapAttrUserID = "uid"
|
||||
ldapAttrDisplayName = "displayName"
|
||||
ldapAttrDescription = "description"
|
||||
ldapAttrCommonName = "cn"
|
||||
)
|
||||
|
||||
// Address Schemes.
|
||||
|
|
|
@ -120,13 +120,10 @@ var Keys = []string{
|
|||
"authentication_backend.ldap.users_filter",
|
||||
"authentication_backend.ldap.additional_groups_dn",
|
||||
"authentication_backend.ldap.groups_filter",
|
||||
"authentication_backend.ldap.group_search_mode",
|
||||
"authentication_backend.ldap.attributes.distinguished_name",
|
||||
"authentication_backend.ldap.attributes.username",
|
||||
"authentication_backend.ldap.attributes.display_name",
|
||||
"authentication_backend.ldap.attributes.mail",
|
||||
"authentication_backend.ldap.attributes.member_of",
|
||||
"authentication_backend.ldap.attributes.group_name",
|
||||
"authentication_backend.ldap.group_name_attribute",
|
||||
"authentication_backend.ldap.username_attribute",
|
||||
"authentication_backend.ldap.mail_attribute",
|
||||
"authentication_backend.ldap.display_name_attribute",
|
||||
"authentication_backend.ldap.permit_referrals",
|
||||
"authentication_backend.ldap.permit_unauthenticated_bind",
|
||||
"authentication_backend.ldap.permit_feature_detection_failure",
|
||||
|
@ -264,8 +261,6 @@ var Keys = []string{
|
|||
"server.address",
|
||||
"server.asset_path",
|
||||
"server.disable_healthcheck",
|
||||
"server.disable_autho_https_redirect",
|
||||
"server.use_ip_for_ban",
|
||||
"server.tls.certificate",
|
||||
"server.tls.key",
|
||||
"server.tls.client_certificates",
|
||||
|
@ -276,8 +271,6 @@ var Keys = []string{
|
|||
"server.endpoints.authz.*.implementation",
|
||||
"server.endpoints.authz.*.authn_strategies",
|
||||
"server.endpoints.authz.*.authn_strategies[].name",
|
||||
"server.grpc.address",
|
||||
"server.grpc.disableTLS",
|
||||
"server.buffers.read",
|
||||
"server.buffers.write",
|
||||
"server.timeouts.read",
|
||||
|
|
|
@ -7,16 +7,13 @@ import (
|
|||
|
||||
// ServerConfiguration represents the configuration of the http server.
|
||||
type ServerConfiguration struct {
|
||||
Address *AddressTCP `koanf:"address"`
|
||||
AssetPath string `koanf:"asset_path"`
|
||||
DisableHealthcheck bool `koanf:"disable_healthcheck"`
|
||||
DisableAutoHttpsRedirect bool `koanf:"disable_autho_https_redirect"`
|
||||
UseIPInsteadOfUserForBan bool `koanf:"use_ip_for_ban"`
|
||||
Address *AddressTCP `koanf:"address"`
|
||||
AssetPath string `koanf:"asset_path"`
|
||||
DisableHealthcheck bool `koanf:"disable_healthcheck"`
|
||||
|
||||
TLS ServerTLS `koanf:"tls"`
|
||||
Headers ServerHeaders `koanf:"headers"`
|
||||
Endpoints ServerEndpoints `koanf:"endpoints"`
|
||||
GRPC ServerGRPC `koanf:"grpc"`
|
||||
|
||||
Buffers ServerBuffers `koanf:"buffers"`
|
||||
Timeouts ServerTimeouts `koanf:"timeouts"`
|
||||
|
@ -63,15 +60,6 @@ type ServerHeaders struct {
|
|||
CSPTemplate string `koanf:"csp_template"`
|
||||
}
|
||||
|
||||
// ServerGRCP contains configuration options for the gRCP server.
|
||||
type ServerGRPC struct {
|
||||
// Address with port to listen on. If this field is empty, no grcp server
|
||||
// will be spawned.
|
||||
Address *AddressTCP `koanf:"address"`
|
||||
|
||||
DisableTLS bool `koanf:"disableTLS"`
|
||||
}
|
||||
|
||||
// DefaultServerConfiguration represents the default values of the ServerConfiguration.
|
||||
var DefaultServerConfiguration = ServerConfiguration{
|
||||
Address: &AddressTCP{Address{true, false, -1, 9091, &url.URL{Scheme: AddressSchemeTCP, Host: ":9091", Path: "/"}}},
|
||||
|
|
|
@ -66,15 +66,14 @@ authentication_backend:
|
|||
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
attributes:
|
||||
username: 'uid'
|
||||
group_name: 'cn'
|
||||
mail: 'mail'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
|
|
|
@ -47,15 +47,14 @@ authentication_backend:
|
|||
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
user: cn=admin,dc=example,dc=com
|
||||
attributes:
|
||||
username: 'uid'
|
||||
group_name: 'cn'
|
||||
mail: 'mail'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
|
|
|
@ -66,15 +66,14 @@ authentication_backend:
|
|||
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
attributes:
|
||||
username: 'uid'
|
||||
group_name: 'cn'
|
||||
mail: 'mail'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
|
|
|
@ -18,16 +18,14 @@ authentication_backend:
|
|||
ldap:
|
||||
address: 'ldap://127.0.0.1'
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
attributes:
|
||||
mail: 'mail'
|
||||
group_name: 'cn'
|
||||
username: 'uid'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
|
|
|
@ -19,15 +19,14 @@ authentication_backend:
|
|||
ldap:
|
||||
address: 'ldap://127.0.0.1'
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
attributes:
|
||||
username: 'uid'
|
||||
group_name: 'cn'
|
||||
mail: 'mail'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
|
|
|
@ -18,15 +18,14 @@ authentication_backend:
|
|||
ldap:
|
||||
address: 'ldap://127.0.0.1'
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
attributes:
|
||||
username: 'uid'
|
||||
group_name: 'cn'
|
||||
mail: 'mail'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
|
|
|
@ -18,15 +18,13 @@ authentication_backend:
|
|||
ldap:
|
||||
address: 'ldap://127.0.0.1'
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
attributes:
|
||||
group_name: 'cn'
|
||||
mail: 'mail'
|
||||
username: 'uid'
|
||||
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
|
||||
access_control:
|
||||
|
|
|
@ -18,15 +18,14 @@ authentication_backend:
|
|||
ldap:
|
||||
address: 'ldap://127.0.0.1'
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
attributes:
|
||||
username: 'uid'
|
||||
group_name: 'cn'
|
||||
mail: 'mail'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
|
|
|
@ -1,137 +0,0 @@
|
|||
---
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
|
||||
server:
|
||||
address: 'tcp://127.0.0.1:9091'
|
||||
|
||||
log:
|
||||
level: 'debug'
|
||||
|
||||
totp:
|
||||
issuer: 'authelia.com'
|
||||
|
||||
duo_api:
|
||||
hostname: 'api-123456789.example.com'
|
||||
integration_key: 'ABCDEF'
|
||||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
address: 'ldap://127.0.0.1'
|
||||
base_dn: 'dc=example,dc=com'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
attributes:
|
||||
username: 'uid'
|
||||
group_name: 'cn'
|
||||
mail: 'mail'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'one_factor'
|
||||
# Network based rule, if not provided any network matches.
|
||||
networks:
|
||||
- '192.168.1.0/24'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
|
||||
- domain: ['singlefactor.example.com', 'onefactor.example.com']
|
||||
policy: 'one_factor'
|
||||
|
||||
# Rules applied to 'admins' group
|
||||
- domain: 'mx2.mail.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'deny'
|
||||
- domain: '*.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to 'dev' group
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/groups/dev/.*$'
|
||||
subject: 'group:dev'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'john'
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to 'dev' group and user 'john'
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/deny-all.*$'
|
||||
subject: ['group:dev', 'user:john']
|
||||
policy: 'deny'
|
||||
|
||||
# Rules applied to user 'harry'
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
|
||||
# Rules applied to user 'bob'
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
- domain: 'dev.example.com'
|
||||
resources:
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
|
||||
session:
|
||||
name: 'authelia_session'
|
||||
expiration: '1h' # 1 hour
|
||||
inactivity: '5m' # 5 minutes
|
||||
domain: 'example.com'
|
||||
redis:
|
||||
host: '127.0.0.1'
|
||||
port: 6379
|
||||
high_availability:
|
||||
sentinel_name: 'test'
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: '2m'
|
||||
ban_time: '5m'
|
||||
|
||||
storage:
|
||||
mysql:
|
||||
address: 'tcp://127.0.0.1:3306'
|
||||
database: 'authelia'
|
||||
username: 'authelia'
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
address: 'smtp://127.0.0.1:1025'
|
||||
username: 'test'
|
||||
sender: 'admin@example.com'
|
||||
disable_require_tls: true
|
||||
|
||||
identity_providers:
|
||||
oidc:
|
||||
cors:
|
||||
allowed_origins:
|
||||
- 'https://google.com'
|
||||
- 'https://example.com'
|
||||
minimum_parameter_entropy: -1
|
||||
clients:
|
||||
- id: 'abc'
|
||||
secret: '123'
|
||||
consent_mode: 'explicit'
|
||||
userinfo_signing_alg: 'none'
|
||||
...
|
|
@ -1,111 +1,108 @@
|
|||
---
|
||||
default_redirection_url: 'https://home.example.com:8080/'
|
||||
default_redirection_url: https://home.example.com:8080/
|
||||
|
||||
server:
|
||||
host: 127.0.0.1
|
||||
port: 9091
|
||||
|
||||
log:
|
||||
level: 'debug'
|
||||
level: debug
|
||||
|
||||
totp:
|
||||
issuer: 'authelia.com'
|
||||
issuer: authelia.com
|
||||
|
||||
duo_api:
|
||||
hostname: 'api-123456789.example.com'
|
||||
integration_key: 'ABCDEF'
|
||||
hostname: api-123456789.example.com
|
||||
integration_key: ABCDEF
|
||||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
url: 'ldap://127.0.0.1'
|
||||
base_dn: 'dc=example,dc=com'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
attributes:
|
||||
mail: 'mail'
|
||||
username: 'uid'
|
||||
group_name: 'cn'
|
||||
url: ldap://127.0.0.1
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
user: cn=admin,dc=example,dc=com
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
default_policy: deny
|
||||
|
||||
rules:
|
||||
# Rules applied to everyone
|
||||
- domain: 'public.example.com'
|
||||
policy: 'bypass'
|
||||
- domain: public.example.com
|
||||
policy: bypass
|
||||
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'one_factor'
|
||||
- domain: secure.example.com
|
||||
policy: one_factor
|
||||
# Network based rule, if not provided any network matches.
|
||||
networks:
|
||||
- '192.168.1.0/24'
|
||||
- domain: 'secure.example.com'
|
||||
policy: 'two_factor'
|
||||
- 192.168.1.0/24
|
||||
- domain: secure.example.com
|
||||
policy: two_factor
|
||||
|
||||
- domain:
|
||||
- 'singlefactor.example.com'
|
||||
- 'onefactor.example.com'
|
||||
policy: 'one_factor'
|
||||
- domain: [singlefactor.example.com, onefactor.example.com]
|
||||
policy: one_factor
|
||||
|
||||
# Rules applied to 'admins' group
|
||||
- domain: 'mx2.mail.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'deny'
|
||||
- domain: '*.example.com'
|
||||
subject: 'group:admins'
|
||||
policy: 'two_factor'
|
||||
- domain: "mx2.mail.example.com"
|
||||
subject: "group:admins"
|
||||
policy: deny
|
||||
- domain: "*.example.com"
|
||||
subject: "group:admins"
|
||||
policy: two_factor
|
||||
|
||||
# Rules applied to 'dev' group
|
||||
- domain: 'dev.example.com'
|
||||
- domain: dev.example.com
|
||||
resources:
|
||||
- '^/groups/dev/.*$'
|
||||
subject: 'group:dev'
|
||||
policy: 'two_factor'
|
||||
- "^/groups/dev/.*$"
|
||||
subject: "group:dev"
|
||||
policy: two_factor
|
||||
|
||||
# Rules applied to user 'john'
|
||||
- domain: 'dev.example.com'
|
||||
- domain: dev.example.com
|
||||
resources:
|
||||
- '^/users/john/.*$'
|
||||
subject: 'user:john'
|
||||
policy: 'two_factor'
|
||||
- "^/users/john/.*$"
|
||||
subject: "user:john"
|
||||
policy: two_factor
|
||||
|
||||
# Rules applied to 'dev' group and user 'john'
|
||||
- domain: 'dev.example.com'
|
||||
- domain: dev.example.com
|
||||
resources:
|
||||
- '^/deny-all.*$'
|
||||
subject: ['group:dev', 'user:john']
|
||||
policy: 'deny'
|
||||
- "^/deny-all.*$"
|
||||
subject: ["group:dev", "user:john"]
|
||||
policy: deny
|
||||
|
||||
# Rules applied to user 'harry'
|
||||
- domain: 'dev.example.com'
|
||||
- domain: dev.example.com
|
||||
resources:
|
||||
- '^/users/harry/.*$'
|
||||
subject: 'user:harry'
|
||||
policy: 'two_factor'
|
||||
- "^/users/harry/.*$"
|
||||
subject: "user:harry"
|
||||
policy: two_factor
|
||||
|
||||
# Rules applied to user 'bob'
|
||||
- domain: '*.mail.example.com'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
- domain: 'dev.example.com'
|
||||
- domain: "*.mail.example.com"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
- domain: "dev.example.com"
|
||||
resources:
|
||||
- '^/users/bob/.*$'
|
||||
subject: 'user:bob'
|
||||
policy: 'two_factor'
|
||||
- "^/users/bob/.*$"
|
||||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
|
||||
session:
|
||||
name: 'authelia_session'
|
||||
name: authelia_session
|
||||
expiration: 3600000 # 1 hour
|
||||
inactivity: 300000 # 5 minutes
|
||||
domain: 'example.com'
|
||||
domain: example.com
|
||||
redis:
|
||||
host: 127.0.0.1
|
||||
port: 6379
|
||||
high_availability:
|
||||
sentinel_name: 'test'
|
||||
sentinel_name: test
|
||||
|
||||
regulation:
|
||||
max_retries: 3
|
||||
|
@ -116,12 +113,12 @@ storage:
|
|||
mysql:
|
||||
host: 127.0.0.1
|
||||
port: 3306
|
||||
database: 'authelia'
|
||||
username: 'authelia'
|
||||
database: authelia
|
||||
username: authelia
|
||||
|
||||
notifier:
|
||||
smtp:
|
||||
username: 'test'
|
||||
username: test
|
||||
host: 127.0.0.1
|
||||
port: 1025
|
||||
sender: admin@example.com
|
||||
|
@ -129,7 +126,7 @@ notifier:
|
|||
|
||||
identity_providers:
|
||||
oidc:
|
||||
hmac_secret: '1nb2j3kh1b23kjh1b23jh1b23j1h2b3'
|
||||
hmac_secret: 1nb2j3kh1b23kjh1b23jh1b23j1h2b3
|
||||
issuer_private_keys:
|
||||
keys:
|
||||
keya:
|
||||
|
@ -205,10 +202,10 @@ identity_providers:
|
|||
-----END CERTIFICATE-----
|
||||
cors:
|
||||
allowed_origins:
|
||||
- 'https://google.com'
|
||||
- 'https://example.com'
|
||||
- https://google.com
|
||||
- https://example.com
|
||||
clients:
|
||||
- id: 'abc'
|
||||
- id: abc
|
||||
secret: '123'
|
||||
consent_mode: 'explicit'
|
||||
consent_mode: explicit
|
||||
...
|
||||
|
|
|
@ -18,15 +18,14 @@ authentication_backend:
|
|||
ldap:
|
||||
address: 'ldap://127.0.0.1'
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
attributes:
|
||||
username: 'uid'
|
||||
group_name: 'cn'
|
||||
mail: 'mail'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
|
|
|
@ -18,15 +18,14 @@ authentication_backend:
|
|||
ldap:
|
||||
address: 'ldap://127.0.0.1'
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
attributes:
|
||||
username: 'uid'
|
||||
group_name: 'cn'
|
||||
mail: 'mail'
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
|
|
|
@ -20,16 +20,14 @@ authentication_backend:
|
|||
ldap:
|
||||
address: 'ldap://127.0.0.1'
|
||||
base_dn: 'dc=example,dc=com'
|
||||
username_attribute: 'uid'
|
||||
additional_users_dn: 'ou=users'
|
||||
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||
additional_groups_dn: 'ou=groups'
|
||||
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||
group_name_attribute: 'cn'
|
||||
mail_attribute: 'mail'
|
||||
user: 'cn=admin,dc=example,dc=com'
|
||||
attributes:
|
||||
username: 'uid'
|
||||
group_name: 'cn'
|
||||
mail: 'mail'
|
||||
|
||||
|
||||
access_control:
|
||||
default_policy: 'deny'
|
||||
|
|
|
@ -364,7 +364,7 @@ func validateLDAPAuthenticationBackendImplementation(config *schema.Authenticati
|
|||
case schema.LDAPImplementationGLAuth:
|
||||
implementation = &schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth
|
||||
default:
|
||||
validator.Push(fmt.Errorf(errFmtLDAPAuthBackendOptionMustBeOneOf, "implementation", strJoinOr(validLDAPImplementations), config.LDAP.Implementation))
|
||||
validator.Push(fmt.Errorf(errFmtLDAPAuthBackendImplementation, strJoinOr(validLDAPImplementations), config.LDAP.Implementation))
|
||||
}
|
||||
|
||||
tlsconfig := &schema.TLSConfig{}
|
||||
|
@ -394,44 +394,32 @@ func setDefaultImplementationLDAPAuthenticationBackendProfileAttributes(config *
|
|||
config.AdditionalUsersDN = implementation.AdditionalUsersDN
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.AdditionalGroupsDN, implementation.AdditionalGroupsDN) {
|
||||
config.AdditionalGroupsDN = implementation.AdditionalGroupsDN
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.UsersFilter, implementation.UsersFilter) {
|
||||
config.UsersFilter = implementation.UsersFilter
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.AdditionalGroupsDN, implementation.AdditionalGroupsDN) {
|
||||
config.AdditionalGroupsDN = implementation.AdditionalGroupsDN
|
||||
if ldapImplementationShouldSetStr(config.UsernameAttribute, implementation.UsernameAttribute) {
|
||||
config.UsernameAttribute = implementation.UsernameAttribute
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.DisplayNameAttribute, implementation.DisplayNameAttribute) {
|
||||
config.DisplayNameAttribute = implementation.DisplayNameAttribute
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.MailAttribute, implementation.MailAttribute) {
|
||||
config.MailAttribute = implementation.MailAttribute
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.GroupsFilter, implementation.GroupsFilter) {
|
||||
config.GroupsFilter = implementation.GroupsFilter
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.GroupSearchMode, implementation.GroupSearchMode) {
|
||||
config.GroupSearchMode = implementation.GroupSearchMode
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.Attributes.DistinguishedName, implementation.Attributes.DistinguishedName) {
|
||||
config.Attributes.DistinguishedName = implementation.Attributes.DistinguishedName
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.Attributes.Username, implementation.Attributes.Username) {
|
||||
config.Attributes.Username = implementation.Attributes.Username
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.Attributes.DisplayName, implementation.Attributes.DisplayName) {
|
||||
config.Attributes.DisplayName = implementation.Attributes.DisplayName
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.Attributes.Mail, implementation.Attributes.Mail) {
|
||||
config.Attributes.Mail = implementation.Attributes.Mail
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.Attributes.MemberOf, implementation.Attributes.MemberOf) {
|
||||
config.Attributes.MemberOf = implementation.Attributes.MemberOf
|
||||
}
|
||||
|
||||
if ldapImplementationShouldSetStr(config.Attributes.GroupName, implementation.Attributes.GroupName) {
|
||||
config.Attributes.GroupName = implementation.Attributes.GroupName
|
||||
if ldapImplementationShouldSetStr(config.GroupNameAttribute, implementation.GroupNameAttribute) {
|
||||
config.GroupNameAttribute = implementation.GroupNameAttribute
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -498,32 +486,4 @@ func validateLDAPRequiredParameters(config *schema.AuthenticationBackend, valida
|
|||
} else if !strings.HasPrefix(config.LDAP.GroupsFilter, "(") || !strings.HasSuffix(config.LDAP.GroupsFilter, ")") {
|
||||
validator.Push(fmt.Errorf(errFmtLDAPAuthBackendFilterEnclosingParenthesis, "groups_filter", config.LDAP.GroupsFilter, config.LDAP.GroupsFilter))
|
||||
}
|
||||
|
||||
validateLDAPGroupFilter(config, validator)
|
||||
}
|
||||
|
||||
func validateLDAPGroupFilter(config *schema.AuthenticationBackend, validator *schema.StructValidator) {
|
||||
if config.LDAP.GroupSearchMode == "" {
|
||||
config.LDAP.GroupSearchMode = schema.LDAPGroupSearchModeFilter
|
||||
}
|
||||
|
||||
if !utils.IsStringInSlice(config.LDAP.GroupSearchMode, validLDAPGroupSearchModes) {
|
||||
validator.Push(fmt.Errorf(errFmtLDAPAuthBackendOptionMustBeOneOf, "group_search_mode", strJoinOr(validLDAPGroupSearchModes), config.LDAP.GroupSearchMode))
|
||||
}
|
||||
|
||||
pMemberOfDN, pMemberOfRDN := strings.Contains(config.LDAP.GroupsFilter, "{memberof:dn}"), strings.Contains(config.LDAP.GroupsFilter, "{memberof:rdn}")
|
||||
|
||||
if config.LDAP.GroupSearchMode == schema.LDAPGroupSearchModeMemberOf {
|
||||
if !pMemberOfDN && !pMemberOfRDN {
|
||||
validator.Push(fmt.Errorf(errFmtLDAPAuthBackendFilterMissingPlaceholderGroupSearchMode, "groups_filter", strJoinOr([]string{"{memberof:rdn}", "{memberof:dn}"}), config.LDAP.GroupSearchMode))
|
||||
}
|
||||
}
|
||||
|
||||
if pMemberOfDN && config.LDAP.Attributes.DistinguishedName == "" {
|
||||
validator.Push(fmt.Errorf(errFmtLDAPAuthBackendFilterMissingAttribute, "distinguished_name", strJoinOr([]string{"{memberof:dn}"})))
|
||||
}
|
||||
|
||||
if (pMemberOfDN || pMemberOfRDN) && config.LDAP.Attributes.MemberOf == "" {
|
||||
validator.Push(fmt.Errorf(errFmtLDAPAuthBackendFilterMissingAttribute, "member_of", strJoinOr([]string{"{memberof:rdn}", "{memberof:dn}"})))
|
||||
}
|
||||
}
|
||||
|
|
|
@ -577,7 +577,7 @@ func (suite *LDAPAuthenticationBackendSuite) SetupTest() {
|
|||
suite.config.LDAP.User = testLDAPUser
|
||||
suite.config.LDAP.Password = testLDAPPassword
|
||||
suite.config.LDAP.BaseDN = testLDAPBaseDN
|
||||
suite.config.LDAP.Attributes.Username = "uid"
|
||||
suite.config.LDAP.UsernameAttribute = "uid"
|
||||
suite.config.LDAP.UsersFilter = "({username_attribute}={input})"
|
||||
suite.config.LDAP.GroupsFilter = "(cn={input})"
|
||||
}
|
||||
|
@ -591,12 +591,12 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateCompleteConfigura
|
|||
|
||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldValidateDefaultImplementationAndUsernameAttribute() {
|
||||
suite.config.LDAP.Implementation = ""
|
||||
suite.config.LDAP.Attributes.Username = ""
|
||||
suite.config.LDAP.UsernameAttribute = ""
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
suite.Equal(schema.LDAPImplementationCustom, suite.config.LDAP.Implementation)
|
||||
|
||||
suite.Equal(suite.config.LDAP.Attributes.Username, schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.Attributes.Username)
|
||||
suite.Equal(suite.config.LDAP.UsernameAttribute, schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.UsernameAttribute)
|
||||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Len(suite.validator.Errors(), 0)
|
||||
}
|
||||
|
@ -743,7 +743,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldRaiseOnEmptyUsersFilter()
|
|||
}
|
||||
|
||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotRaiseOnEmptyUsernameAttribute() {
|
||||
suite.config.LDAP.Attributes.Username = ""
|
||||
suite.config.LDAP.UsernameAttribute = ""
|
||||
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
|
@ -793,7 +793,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultGroupNameAttrib
|
|||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Len(suite.validator.Errors(), 0)
|
||||
|
||||
suite.Equal("cn", suite.config.LDAP.Attributes.GroupName)
|
||||
suite.Equal("cn", suite.config.LDAP.GroupNameAttribute)
|
||||
}
|
||||
|
||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute() {
|
||||
|
@ -802,7 +802,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute()
|
|||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Len(suite.validator.Errors(), 0)
|
||||
|
||||
suite.Equal("mail", suite.config.LDAP.Attributes.Mail)
|
||||
suite.Equal("mail", suite.config.LDAP.MailAttribute)
|
||||
}
|
||||
|
||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultDisplayNameAttribute() {
|
||||
|
@ -811,7 +811,7 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultDisplayNameAttr
|
|||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Len(suite.validator.Errors(), 0)
|
||||
|
||||
suite.Equal("displayName", suite.config.LDAP.Attributes.DisplayName)
|
||||
suite.Equal("displayName", suite.config.LDAP.DisplayNameAttribute)
|
||||
}
|
||||
|
||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldSetDefaultRefreshInterval() {
|
||||
|
@ -890,64 +890,6 @@ func (suite *LDAPAuthenticationBackendSuite) TestShouldNotAllowSSL30() {
|
|||
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: tls: option 'minimum_version' is invalid: minimum version is TLS1.0 but SSL3.0 was configured")
|
||||
}
|
||||
|
||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnBadSearchMode() {
|
||||
suite.config.LDAP.GroupSearchMode = "memberOF"
|
||||
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Require().Len(suite.validator.Errors(), 1)
|
||||
|
||||
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'group_search_mode' must be one of 'filter' or 'memberof' but it's configured as 'memberOF'")
|
||||
}
|
||||
|
||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldNoErrorOnPlaceholderSearchMode() {
|
||||
suite.config.LDAP.GroupSearchMode = memberof
|
||||
suite.config.LDAP.GroupsFilter = filterMemberOfRDN
|
||||
suite.config.LDAP.Attributes.MemberOf = memberOf
|
||||
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Len(suite.validator.Errors(), 0)
|
||||
}
|
||||
|
||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingPlaceholderSearchMode() {
|
||||
suite.config.LDAP.GroupSearchMode = memberof
|
||||
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Require().Len(suite.validator.Errors(), 1)
|
||||
|
||||
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: option 'groups_filter' must contain one of the '{memberof:rdn}' or '{memberof:dn}' placeholders when using a group_search_mode of 'memberof' but they're absent")
|
||||
}
|
||||
|
||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingDistinguishedNameDN() {
|
||||
suite.config.LDAP.Attributes.DistinguishedName = ""
|
||||
suite.config.LDAP.GroupsFilter = "(|({memberof:dn}))"
|
||||
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Require().Len(suite.validator.Errors(), 2)
|
||||
|
||||
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: attributes: option 'distinguished_name' must be provided when using the '{memberof:dn}' placeholder but it's absent")
|
||||
suite.EqualError(suite.validator.Errors()[1], "authentication_backend: ldap: attributes: option 'member_of' must be provided when using the '{memberof:rdn}' or '{memberof:dn}' placeholder but it's absent")
|
||||
}
|
||||
|
||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldErrorOnMissingMemberOfRDN() {
|
||||
suite.config.LDAP.Attributes.DistinguishedName = ""
|
||||
suite.config.LDAP.GroupsFilter = filterMemberOfRDN
|
||||
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Require().Len(suite.validator.Errors(), 1)
|
||||
|
||||
suite.EqualError(suite.validator.Errors()[0], "authentication_backend: ldap: attributes: option 'member_of' must be provided when using the '{memberof:rdn}' or '{memberof:dn}' placeholder but it's absent")
|
||||
}
|
||||
|
||||
func (suite *LDAPAuthenticationBackendSuite) TestShouldNotAllowTLSVerMinGreaterThanVerMax() {
|
||||
suite.config.LDAP.TLS = &schema.TLSConfig{
|
||||
MinimumVersion: schema.TLSVersion{Value: tls.VersionTLS13},
|
||||
|
@ -967,7 +909,9 @@ func TestLDAPAuthenticationBackend(t *testing.T) {
|
|||
}
|
||||
|
||||
type ActiveDirectoryAuthenticationBackendSuite struct {
|
||||
LDAPImplementationSuite
|
||||
suite.Suite
|
||||
config schema.AuthenticationBackend
|
||||
validator *schema.StructValidator
|
||||
}
|
||||
|
||||
func (suite *ActiveDirectoryAuthenticationBackendSuite) SetupTest() {
|
||||
|
@ -988,30 +932,81 @@ func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldSetActiveDirec
|
|||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Len(suite.validator.Errors(), 0)
|
||||
|
||||
suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalUsersDN,
|
||||
suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalGroupsDN,
|
||||
suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalUsersDN,
|
||||
suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalGroupsDN,
|
||||
suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsersFilter,
|
||||
suite.config.LDAP.UsersFilter)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsernameAttribute,
|
||||
suite.config.LDAP.UsernameAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.DisplayNameAttribute,
|
||||
suite.config.LDAP.DisplayNameAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.MailAttribute,
|
||||
suite.config.LDAP.MailAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupsFilter,
|
||||
suite.config.LDAP.GroupsFilter)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupNameAttribute,
|
||||
suite.config.LDAP.GroupNameAttribute)
|
||||
}
|
||||
|
||||
func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
|
||||
suite.config.LDAP.Timeout = time.Second * 2
|
||||
suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
|
||||
suite.config.LDAP.Attributes.Username = "cn"
|
||||
suite.config.LDAP.Attributes.Mail = "userPrincipalName"
|
||||
suite.config.LDAP.Attributes.DisplayName = "name"
|
||||
suite.config.LDAP.UsernameAttribute = "cn"
|
||||
suite.config.LDAP.MailAttribute = "userPrincipalName"
|
||||
suite.config.LDAP.DisplayNameAttribute = "name"
|
||||
suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=group)(objectCategory=group))"
|
||||
suite.config.LDAP.Attributes.GroupName = "distinguishedName"
|
||||
suite.config.LDAP.GroupNameAttribute = "distinguishedName"
|
||||
suite.config.LDAP.AdditionalUsersDN = "OU=test"
|
||||
suite.config.LDAP.AdditionalGroupsDN = "OU=grps"
|
||||
suite.config.LDAP.Attributes.MemberOf = member
|
||||
suite.config.LDAP.GroupSearchMode = memberof
|
||||
suite.config.LDAP.Attributes.DistinguishedName = "objectGUID"
|
||||
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory)
|
||||
|
||||
suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
|
||||
suite.Equal("objectGUID", suite.config.LDAP.Attributes.DistinguishedName)
|
||||
suite.Equal(memberof, suite.config.LDAP.GroupSearchMode)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalUsersDN,
|
||||
suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.AdditionalGroupsDN,
|
||||
suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsersFilter,
|
||||
suite.config.LDAP.UsersFilter)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.UsernameAttribute,
|
||||
suite.config.LDAP.UsernameAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.DisplayNameAttribute,
|
||||
suite.config.LDAP.DisplayNameAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.MailAttribute,
|
||||
suite.config.LDAP.MailAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupsFilter,
|
||||
suite.config.LDAP.GroupsFilter)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory.GroupNameAttribute,
|
||||
suite.config.LDAP.GroupNameAttribute)
|
||||
}
|
||||
|
||||
func (suite *ActiveDirectoryAuthenticationBackendSuite) TestShouldRaiseErrorOnInvalidURLWithHTTP() {
|
||||
|
@ -1028,7 +1023,9 @@ func TestActiveDirectoryAuthenticationBackend(t *testing.T) {
|
|||
}
|
||||
|
||||
type RFC2307bisAuthenticationBackendSuite struct {
|
||||
LDAPImplementationSuite
|
||||
suite.Suite
|
||||
config schema.AuthenticationBackend
|
||||
validator *schema.StructValidator
|
||||
}
|
||||
|
||||
func (suite *RFC2307bisAuthenticationBackendSuite) SetupTest() {
|
||||
|
@ -1049,29 +1046,78 @@ func (suite *RFC2307bisAuthenticationBackendSuite) TestShouldSetDefaults() {
|
|||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Len(suite.validator.Errors(), 0)
|
||||
|
||||
suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalUsersDN,
|
||||
suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalGroupsDN,
|
||||
suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.UsersFilter,
|
||||
suite.config.LDAP.UsersFilter)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.UsernameAttribute,
|
||||
suite.config.LDAP.UsernameAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.DisplayNameAttribute,
|
||||
suite.config.LDAP.DisplayNameAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.MailAttribute,
|
||||
suite.config.LDAP.MailAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.GroupsFilter,
|
||||
suite.config.LDAP.GroupsFilter)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.GroupNameAttribute,
|
||||
suite.config.LDAP.GroupNameAttribute)
|
||||
}
|
||||
|
||||
func (suite *RFC2307bisAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
|
||||
suite.config.LDAP.Timeout = time.Second * 2
|
||||
suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=Person))"
|
||||
suite.config.LDAP.Attributes.Username = "o"
|
||||
suite.config.LDAP.Attributes.Mail = "Email"
|
||||
suite.config.LDAP.Attributes.DisplayName = "Given"
|
||||
suite.config.LDAP.UsernameAttribute = "o"
|
||||
suite.config.LDAP.MailAttribute = "Email"
|
||||
suite.config.LDAP.DisplayNameAttribute = "Given"
|
||||
suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=posixGroup)(objectClass=top))"
|
||||
suite.config.LDAP.Attributes.GroupName = "gid"
|
||||
suite.config.LDAP.Attributes.MemberOf = member
|
||||
suite.config.LDAP.GroupNameAttribute = "gid"
|
||||
suite.config.LDAP.AdditionalUsersDN = "OU=users,OU=OpenLDAP"
|
||||
suite.config.LDAP.AdditionalGroupsDN = "OU=groups,OU=OpenLDAP"
|
||||
suite.config.LDAP.GroupSearchMode = memberof
|
||||
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis)
|
||||
|
||||
suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
|
||||
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
||||
suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalUsersDN,
|
||||
suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.AdditionalGroupsDN,
|
||||
suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.UsersFilter,
|
||||
suite.config.LDAP.UsersFilter)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.UsernameAttribute,
|
||||
suite.config.LDAP.UsernameAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.DisplayNameAttribute,
|
||||
suite.config.LDAP.DisplayNameAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.MailAttribute,
|
||||
suite.config.LDAP.MailAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.GroupsFilter,
|
||||
suite.config.LDAP.GroupsFilter)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis.GroupNameAttribute,
|
||||
suite.config.LDAP.GroupNameAttribute)
|
||||
}
|
||||
|
||||
func TestRFC2307bisAuthenticationBackend(t *testing.T) {
|
||||
|
@ -1079,7 +1125,9 @@ func TestRFC2307bisAuthenticationBackend(t *testing.T) {
|
|||
}
|
||||
|
||||
type FreeIPAAuthenticationBackendSuite struct {
|
||||
LDAPImplementationSuite
|
||||
suite.Suite
|
||||
config schema.AuthenticationBackend
|
||||
validator *schema.StructValidator
|
||||
}
|
||||
|
||||
func (suite *FreeIPAAuthenticationBackendSuite) SetupTest() {
|
||||
|
@ -1100,29 +1148,75 @@ func (suite *FreeIPAAuthenticationBackendSuite) TestShouldSetDefaults() {
|
|||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Len(suite.validator.Errors(), 0)
|
||||
|
||||
suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalUsersDN,
|
||||
suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalGroupsDN,
|
||||
suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.UsersFilter,
|
||||
suite.config.LDAP.UsersFilter)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.UsernameAttribute,
|
||||
suite.config.LDAP.UsernameAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.DisplayNameAttribute,
|
||||
suite.config.LDAP.DisplayNameAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.MailAttribute,
|
||||
suite.config.LDAP.MailAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.GroupsFilter,
|
||||
suite.config.LDAP.GroupsFilter)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.GroupNameAttribute,
|
||||
suite.config.LDAP.GroupNameAttribute)
|
||||
}
|
||||
|
||||
func (suite *FreeIPAAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
|
||||
suite.config.LDAP.Timeout = time.Second * 2
|
||||
suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=person)(!(nsAccountLock=TRUE)))"
|
||||
suite.config.LDAP.Attributes.Username = "dn"
|
||||
suite.config.LDAP.Attributes.Mail = "email"
|
||||
suite.config.LDAP.Attributes.DisplayName = "gecos"
|
||||
suite.config.LDAP.UsernameAttribute = "dn"
|
||||
suite.config.LDAP.MailAttribute = "email"
|
||||
suite.config.LDAP.DisplayNameAttribute = "gecos"
|
||||
suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=posixgroup))"
|
||||
suite.config.LDAP.GroupSearchMode = schema.LDAPGroupSearchModeMemberOf
|
||||
suite.config.LDAP.Attributes.GroupName = "groupName"
|
||||
suite.config.LDAP.Attributes.MemberOf = member
|
||||
suite.config.LDAP.GroupNameAttribute = "groupName"
|
||||
suite.config.LDAP.AdditionalUsersDN = "OU=people"
|
||||
suite.config.LDAP.AdditionalGroupsDN = "OU=grp"
|
||||
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA)
|
||||
|
||||
suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
|
||||
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
||||
suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalUsersDN,
|
||||
suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.AdditionalGroupsDN,
|
||||
suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.UsersFilter,
|
||||
suite.config.LDAP.UsersFilter)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.UsernameAttribute,
|
||||
suite.config.LDAP.UsernameAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.DisplayNameAttribute,
|
||||
suite.config.LDAP.DisplayNameAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.MailAttribute,
|
||||
suite.config.LDAP.MailAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.GroupsFilter,
|
||||
suite.config.LDAP.GroupsFilter)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA.GroupNameAttribute,
|
||||
suite.config.LDAP.GroupNameAttribute)
|
||||
}
|
||||
|
||||
func TestFreeIPAAuthenticationBackend(t *testing.T) {
|
||||
|
@ -1130,7 +1224,9 @@ func TestFreeIPAAuthenticationBackend(t *testing.T) {
|
|||
}
|
||||
|
||||
type LLDAPAuthenticationBackendSuite struct {
|
||||
LDAPImplementationSuite
|
||||
suite.Suite
|
||||
config schema.AuthenticationBackend
|
||||
validator *schema.StructValidator
|
||||
}
|
||||
|
||||
func (suite *LLDAPAuthenticationBackendSuite) SetupTest() {
|
||||
|
@ -1151,29 +1247,78 @@ func (suite *LLDAPAuthenticationBackendSuite) TestShouldSetDefaults() {
|
|||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Len(suite.validator.Errors(), 0)
|
||||
|
||||
suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalUsersDN,
|
||||
suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalGroupsDN,
|
||||
suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.UsersFilter,
|
||||
suite.config.LDAP.UsersFilter)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.UsernameAttribute,
|
||||
suite.config.LDAP.UsernameAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.DisplayNameAttribute,
|
||||
suite.config.LDAP.DisplayNameAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.MailAttribute,
|
||||
suite.config.LDAP.MailAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.GroupsFilter,
|
||||
suite.config.LDAP.GroupsFilter)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.GroupNameAttribute,
|
||||
suite.config.LDAP.GroupNameAttribute)
|
||||
}
|
||||
|
||||
func (suite *LLDAPAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
|
||||
suite.config.LDAP.Timeout = time.Second * 2
|
||||
suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=Person)(!(nsAccountLock=TRUE)))"
|
||||
suite.config.LDAP.Attributes.Username = "username"
|
||||
suite.config.LDAP.Attributes.Mail = "m"
|
||||
suite.config.LDAP.Attributes.DisplayName = "fn"
|
||||
suite.config.LDAP.Attributes.MemberOf = member
|
||||
suite.config.LDAP.UsernameAttribute = "username"
|
||||
suite.config.LDAP.MailAttribute = "m"
|
||||
suite.config.LDAP.DisplayNameAttribute = "fn"
|
||||
suite.config.LDAP.GroupsFilter = "(&(member={dn})(!(objectClass=posixGroup)))"
|
||||
suite.config.LDAP.Attributes.GroupName = "grpz"
|
||||
suite.config.LDAP.GroupNameAttribute = "grpz"
|
||||
suite.config.LDAP.AdditionalUsersDN = "OU=no"
|
||||
suite.config.LDAP.AdditionalGroupsDN = "OU=yes"
|
||||
suite.config.LDAP.GroupSearchMode = memberof
|
||||
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP)
|
||||
|
||||
suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
|
||||
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
||||
suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalUsersDN,
|
||||
suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.AdditionalGroupsDN,
|
||||
suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.UsersFilter,
|
||||
suite.config.LDAP.UsersFilter)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.UsernameAttribute,
|
||||
suite.config.LDAP.UsernameAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.DisplayNameAttribute,
|
||||
suite.config.LDAP.DisplayNameAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.MailAttribute,
|
||||
suite.config.LDAP.MailAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.GroupsFilter,
|
||||
suite.config.LDAP.GroupsFilter)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP.GroupNameAttribute,
|
||||
suite.config.LDAP.GroupNameAttribute)
|
||||
}
|
||||
|
||||
func TestLLDAPAuthenticationBackend(t *testing.T) {
|
||||
|
@ -1181,7 +1326,9 @@ func TestLLDAPAuthenticationBackend(t *testing.T) {
|
|||
}
|
||||
|
||||
type GLAuthAuthenticationBackendSuite struct {
|
||||
LDAPImplementationSuite
|
||||
suite.Suite
|
||||
config schema.AuthenticationBackend
|
||||
validator *schema.StructValidator
|
||||
}
|
||||
|
||||
func (suite *GLAuthAuthenticationBackendSuite) SetupTest() {
|
||||
|
@ -1202,80 +1349,80 @@ func (suite *GLAuthAuthenticationBackendSuite) TestShouldSetDefaults() {
|
|||
suite.Len(suite.validator.Warnings(), 0)
|
||||
suite.Len(suite.validator.Errors(), 0)
|
||||
|
||||
suite.EqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalUsersDN,
|
||||
suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalGroupsDN,
|
||||
suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.UsersFilter,
|
||||
suite.config.LDAP.UsersFilter)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.UsernameAttribute,
|
||||
suite.config.LDAP.UsernameAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.DisplayNameAttribute,
|
||||
suite.config.LDAP.DisplayNameAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.MailAttribute,
|
||||
suite.config.LDAP.MailAttribute)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.GroupsFilter,
|
||||
suite.config.LDAP.GroupsFilter)
|
||||
suite.Equal(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.GroupNameAttribute,
|
||||
suite.config.LDAP.GroupNameAttribute)
|
||||
}
|
||||
|
||||
func (suite *GLAuthAuthenticationBackendSuite) TestShouldOnlySetDefaultsIfNotManuallyConfigured() {
|
||||
suite.config.LDAP.Timeout = time.Second * 2
|
||||
suite.config.LDAP.UsersFilter = "(&({username_attribute}={input})(objectClass=Person)(!(accountStatus=inactive)))"
|
||||
suite.config.LDAP.Attributes.Username = "description"
|
||||
suite.config.LDAP.Attributes.Mail = "sender"
|
||||
suite.config.LDAP.Attributes.DisplayName = "given"
|
||||
suite.config.LDAP.UsernameAttribute = "description"
|
||||
suite.config.LDAP.MailAttribute = "sender"
|
||||
suite.config.LDAP.DisplayNameAttribute = "given"
|
||||
suite.config.LDAP.GroupsFilter = "(&(member={dn})(objectClass=posixGroup))"
|
||||
suite.config.LDAP.Attributes.GroupName = "grp"
|
||||
suite.config.LDAP.GroupNameAttribute = "grp"
|
||||
suite.config.LDAP.AdditionalUsersDN = "OU=users,OU=GlAuth"
|
||||
suite.config.LDAP.AdditionalGroupsDN = "OU=groups,OU=GLAuth"
|
||||
suite.config.LDAP.Attributes.MemberOf = member
|
||||
suite.config.LDAP.GroupSearchMode = memberof
|
||||
|
||||
ValidateAuthenticationBackend(&suite.config, suite.validator)
|
||||
|
||||
suite.NotEqualImplementationDefaults(schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth)
|
||||
|
||||
suite.Equal(member, suite.config.LDAP.Attributes.MemberOf)
|
||||
suite.Equal("", suite.config.LDAP.Attributes.DistinguishedName)
|
||||
suite.Equal(schema.LDAPGroupSearchModeMemberOf, suite.config.LDAP.GroupSearchMode)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalUsersDN,
|
||||
suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.AdditionalGroupsDN,
|
||||
suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.Timeout,
|
||||
suite.config.LDAP.Timeout)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.UsersFilter,
|
||||
suite.config.LDAP.UsersFilter)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.UsernameAttribute,
|
||||
suite.config.LDAP.UsernameAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.DisplayNameAttribute,
|
||||
suite.config.LDAP.DisplayNameAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.MailAttribute,
|
||||
suite.config.LDAP.MailAttribute)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.GroupsFilter,
|
||||
suite.config.LDAP.GroupsFilter)
|
||||
suite.NotEqual(
|
||||
schema.DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth.GroupNameAttribute,
|
||||
suite.config.LDAP.GroupNameAttribute)
|
||||
}
|
||||
|
||||
func TestGLAuthAuthenticationBackend(t *testing.T) {
|
||||
suite.Run(t, new(GLAuthAuthenticationBackendSuite))
|
||||
}
|
||||
|
||||
type LDAPImplementationSuite struct {
|
||||
suite.Suite
|
||||
config schema.AuthenticationBackend
|
||||
validator *schema.StructValidator
|
||||
}
|
||||
|
||||
func (suite *LDAPImplementationSuite) EqualImplementationDefaults(expected schema.LDAPAuthenticationBackend) {
|
||||
suite.Equal(expected.Timeout, suite.config.LDAP.Timeout)
|
||||
suite.Equal(expected.AdditionalUsersDN, suite.config.LDAP.AdditionalUsersDN)
|
||||
suite.Equal(expected.AdditionalGroupsDN, suite.config.LDAP.AdditionalGroupsDN)
|
||||
suite.Equal(expected.UsersFilter, suite.config.LDAP.UsersFilter)
|
||||
suite.Equal(expected.GroupsFilter, suite.config.LDAP.GroupsFilter)
|
||||
suite.Equal(expected.GroupSearchMode, suite.config.LDAP.GroupSearchMode)
|
||||
|
||||
suite.Equal(expected.Attributes.DistinguishedName, suite.config.LDAP.Attributes.DistinguishedName)
|
||||
suite.Equal(expected.Attributes.Username, suite.config.LDAP.Attributes.Username)
|
||||
suite.Equal(expected.Attributes.DisplayName, suite.config.LDAP.Attributes.DisplayName)
|
||||
suite.Equal(expected.Attributes.Mail, suite.config.LDAP.Attributes.Mail)
|
||||
suite.Equal(expected.Attributes.MemberOf, suite.config.LDAP.Attributes.MemberOf)
|
||||
suite.Equal(expected.Attributes.GroupName, suite.config.LDAP.Attributes.GroupName)
|
||||
}
|
||||
|
||||
func (suite *LDAPImplementationSuite) NotEqualImplementationDefaults(expected schema.LDAPAuthenticationBackend) {
|
||||
suite.NotEqual(expected.Timeout, suite.config.LDAP.Timeout)
|
||||
suite.NotEqual(expected.UsersFilter, suite.config.LDAP.UsersFilter)
|
||||
suite.NotEqual(expected.GroupsFilter, suite.config.LDAP.GroupsFilter)
|
||||
suite.NotEqual(expected.GroupSearchMode, suite.config.LDAP.GroupSearchMode)
|
||||
suite.NotEqual(expected.Attributes.Username, suite.config.LDAP.Attributes.Username)
|
||||
suite.NotEqual(expected.Attributes.DisplayName, suite.config.LDAP.Attributes.DisplayName)
|
||||
suite.NotEqual(expected.Attributes.Mail, suite.config.LDAP.Attributes.Mail)
|
||||
suite.NotEqual(expected.Attributes.GroupName, suite.config.LDAP.Attributes.GroupName)
|
||||
|
||||
if expected.Attributes.DistinguishedName != "" {
|
||||
suite.NotEqual(expected.Attributes.DistinguishedName, suite.config.LDAP.Attributes.DistinguishedName)
|
||||
}
|
||||
|
||||
if expected.AdditionalUsersDN != "" {
|
||||
suite.NotEqual(expected.AdditionalUsersDN, suite.config.LDAP.AdditionalUsersDN)
|
||||
}
|
||||
|
||||
if expected.AdditionalGroupsDN != "" {
|
||||
suite.NotEqual(expected.AdditionalGroupsDN, suite.config.LDAP.AdditionalGroupsDN)
|
||||
}
|
||||
|
||||
if expected.Attributes.MemberOf != "" {
|
||||
suite.NotEqual(expected.Attributes.MemberOf, suite.config.LDAP.Attributes.MemberOf)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -98,9 +98,9 @@ const (
|
|||
errFmtLDAPAuthBackendUnauthenticatedBindWithPassword = "authentication_backend: ldap: option 'permit_unauthenticated_bind' can't be enabled when a password is specified"
|
||||
errFmtLDAPAuthBackendUnauthenticatedBindWithResetEnabled = "authentication_backend: ldap: option 'permit_unauthenticated_bind' can't be enabled when password reset is enabled"
|
||||
|
||||
errFmtLDAPAuthBackendMissingOption = "authentication_backend: ldap: option '%s' is required"
|
||||
errFmtLDAPAuthBackendTLSConfigInvalid = "authentication_backend: ldap: tls: %w"
|
||||
errFmtLDAPAuthBackendOptionMustBeOneOf = "authentication_backend: ldap: option '%s' " +
|
||||
errFmtLDAPAuthBackendMissingOption = "authentication_backend: ldap: option '%s' is required"
|
||||
errFmtLDAPAuthBackendTLSConfigInvalid = "authentication_backend: ldap: tls: %w"
|
||||
errFmtLDAPAuthBackendImplementation = "authentication_backend: ldap: option 'implementation' " +
|
||||
errSuffixMustBeOneOf
|
||||
errFmtLDAPAuthBackendFilterReplacedPlaceholders = "authentication_backend: ldap: option " +
|
||||
"'%s' has an invalid placeholder: '%s' has been removed, please use '%s' instead"
|
||||
|
@ -109,10 +109,6 @@ const (
|
|||
"'%s' must contain enclosing parenthesis: '%s' should probably be '(%s)'"
|
||||
errFmtLDAPAuthBackendFilterMissingPlaceholder = "authentication_backend: ldap: option " +
|
||||
"'%s' must contain the placeholder '{%s}' but it's absent"
|
||||
errFmtLDAPAuthBackendFilterMissingPlaceholderGroupSearchMode = "authentication_backend: ldap: option " +
|
||||
"'%s' must contain one of the %s placeholders when using a group_search_mode of '%s' but they're absent"
|
||||
errFmtLDAPAuthBackendFilterMissingAttribute = "authentication_backend: ldap: attributes: option " +
|
||||
"'%s' must be provided when using the %s placeholder but it's absent"
|
||||
)
|
||||
|
||||
// TOTP Error constants.
|
||||
|
@ -378,6 +374,17 @@ const (
|
|||
operatorNotPattern = "not pattern"
|
||||
)
|
||||
|
||||
var (
|
||||
validLDAPImplementations = []string{
|
||||
schema.LDAPImplementationCustom,
|
||||
schema.LDAPImplementationActiveDirectory,
|
||||
schema.LDAPImplementationRFC2307bis,
|
||||
schema.LDAPImplementationFreeIPA,
|
||||
schema.LDAPImplementationLLDAP,
|
||||
schema.LDAPImplementationGLAuth,
|
||||
}
|
||||
)
|
||||
|
||||
const (
|
||||
legacy = "legacy"
|
||||
authzImplementationLegacy = "Legacy"
|
||||
|
@ -393,22 +400,6 @@ var (
|
|||
validAuthzAuthnStrategies = []string{"CookieSession", "HeaderAuthorization", "HeaderProxyAuthorization", "HeaderAuthRequestProxyAuthorization", "HeaderLegacy"}
|
||||
)
|
||||
|
||||
var (
|
||||
validLDAPImplementations = []string{
|
||||
schema.LDAPImplementationCustom,
|
||||
schema.LDAPImplementationActiveDirectory,
|
||||
schema.LDAPImplementationRFC2307bis,
|
||||
schema.LDAPImplementationFreeIPA,
|
||||
schema.LDAPImplementationLLDAP,
|
||||
schema.LDAPImplementationGLAuth,
|
||||
}
|
||||
|
||||
validLDAPGroupSearchModes = []string{
|
||||
schema.LDAPGroupSearchModeFilter,
|
||||
schema.LDAPGroupSearchModeMemberOf,
|
||||
}
|
||||
)
|
||||
|
||||
var (
|
||||
validArgon2Variants = []string{"argon2id", "id", "argon2i", "i", "argon2d", "d"}
|
||||
validSHA2CryptVariants = []string{digestSHA256, digestSHA512}
|
||||
|
|
|
@ -13,11 +13,6 @@ const (
|
|||
testLDAPURL = "ldap://ldap"
|
||||
testLDAPUser = "user"
|
||||
testEncryptionKey = "a_not_so_secure_encryption_key"
|
||||
|
||||
member = "member"
|
||||
memberof = "memberof"
|
||||
memberOf = "memberOf"
|
||||
filterMemberOfRDN = "(|({memberof:rdn}))"
|
||||
)
|
||||
|
||||
const (
|
||||
|
|
|
@ -1,410 +0,0 @@
|
|||
package handlers
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
"github.com/authelia/authelia/v4/internal/authorization"
|
||||
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
||||
"github.com/authelia/authelia/v4/internal/middlewares"
|
||||
"github.com/authelia/authelia/v4/internal/session"
|
||||
"github.com/authelia/authelia/v4/internal/utils"
|
||||
core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
|
||||
autha "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
|
||||
envoy_type "github.com/envoyproxy/go-control-plane/envoy/type/v3"
|
||||
"github.com/gogo/googleapis/google/rpc"
|
||||
"github.com/valyala/fasthttp"
|
||||
rpcstatus "google.golang.org/genproto/googleapis/rpc/status"
|
||||
"google.golang.org/grpc/codes"
|
||||
healthpb "google.golang.org/grpc/health/grpc_health_v1"
|
||||
"google.golang.org/grpc/status"
|
||||
|
||||
"context"
|
||||
)
|
||||
|
||||
type AuthzGRCP struct {
|
||||
Config *schema.Configuration
|
||||
Providers middlewares.Providers
|
||||
AuthStrategies []AuthnStrategy
|
||||
Authz Authz
|
||||
}
|
||||
|
||||
func NewAuthzGRCP(config *schema.Configuration, providers middlewares.Providers) *AuthzGRCP {
|
||||
|
||||
// Determine the refresh interval
|
||||
authBuilder := NewAuthzBuilder().WithConfig(config)
|
||||
|
||||
// Only the following strategies are supported. These are hardcoded at the moment and won't be taken from the configuration
|
||||
strategies := []AuthnStrategy{NewHeaderProxyAuthorizationAuthnStrategy() /* NewHeaderAuthorizationAuthnStrategy(), */, NewCookieSessionAuthnStrategy(authBuilder.config.RefreshInterval)}
|
||||
|
||||
return &AuthzGRCP{
|
||||
Config: config,
|
||||
Providers: providers,
|
||||
AuthStrategies: strategies,
|
||||
Authz: Authz{strategies: strategies},
|
||||
}
|
||||
}
|
||||
|
||||
type GRCPRequestData struct {
|
||||
RemoteHost string
|
||||
Domain string
|
||||
Method string
|
||||
Protocol string
|
||||
Path string
|
||||
AutheliaURL string
|
||||
}
|
||||
|
||||
func (data *GRCPRequestData) String() string {
|
||||
return fmt.Sprintf(
|
||||
`Extracted data from headers:
|
||||
Remote Host = %s
|
||||
Domain = %s
|
||||
Method = %s
|
||||
Protocol = %s
|
||||
Path = %s
|
||||
AutheliaURL = %s
|
||||
`, data.RemoteHost, data.Domain, data.Method, data.Protocol, data.Path, data.AutheliaURL)
|
||||
}
|
||||
|
||||
// GetRequestURI returns a request URI from the provided Data inside this struct.
|
||||
// It returns an error if values are missing
|
||||
func (data *GRCPRequestData) GetRequestURI() (*url.URL, error) {
|
||||
if len(data.Protocol) == 0 || len(data.Domain) == 0 || len(data.Path) == 0 || len(data.Method) == 0 {
|
||||
return nil, fmt.Errorf("missing required values for URI. One of 'Protocol', 'Domain', 'Path' or 'Method' was not found")
|
||||
}
|
||||
|
||||
return url.ParseRequestURI(fmt.Sprintf("%s://%s%s", data.Protocol, data.Domain, data.Path))
|
||||
}
|
||||
|
||||
// GetAutheliaURI returns a URI for the authelia protal from the provided Data inside this struct.
|
||||
func (data *GRCPRequestData) GetAutheliaURI(provider *session.Session) (*url.URL, error) {
|
||||
if len(data.AutheliaURL) == 0 {
|
||||
return nil, fmt.Errorf("missing required 'AutheliaURL' for request")
|
||||
}
|
||||
|
||||
// Parse the URL
|
||||
uri, err := url.ParseRequestURI(data.AutheliaURL)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Validate URL
|
||||
if !utils.HasURIDomainSuffix(uri, provider.Config.Domain) {
|
||||
return nil, fmt.Errorf("authelia url '%s' is not valid for detected domain '%s' as the url does not have the domain as a suffix", data.AutheliaURL, provider.Config.Domain)
|
||||
}
|
||||
|
||||
return uri, nil
|
||||
}
|
||||
|
||||
// HandleGRPC is the authentication handler for envoy proxies via the gRPC protocoll.
|
||||
// It is oriented on handler_authz.go
|
||||
func (authz *AuthzGRCP) Check(goCtx context.Context, req *autha.CheckRequest) (*autha.CheckResponse, error) {
|
||||
request, data := authz.GetHttpCtxFromGRPC(req)
|
||||
ctx := middlewares.NewAutheliaCtx(request, *authz.Config, authz.Providers)
|
||||
|
||||
// Log the parsed data and the inbound headers
|
||||
ctx.Logger.Debug(data)
|
||||
b, err := json.MarshalIndent(req.Attributes.Request.Http.Headers, "", " ")
|
||||
if err == nil {
|
||||
ctx.Logger.Trace("Inbound Headers: ")
|
||||
ctx.Logger.Trace((string(b)))
|
||||
}
|
||||
|
||||
// Get request URI
|
||||
uri, err := data.GetRequestURI()
|
||||
if err != nil {
|
||||
ctx.Logger.WithError(err).Error("Error getting Target URL and Request Method")
|
||||
return authz.ErrAuthResponse(envoy_type.StatusCode_BadRequest, "Bad authentication request"), nil
|
||||
}
|
||||
|
||||
// Get authentication object
|
||||
object := authorization.NewObject(uri, data.Method)
|
||||
if !utils.IsURISecure(object.URL) {
|
||||
// Check for redirect
|
||||
if !ctx.Configuration.Server.DisableAutoHttpsRedirect {
|
||||
// Redirect to https
|
||||
return authz.AuthResponseHeader(envoy_type.StatusCode_PermanentRedirect, "", []*core.HeaderValueOption{
|
||||
{
|
||||
Header: &core.HeaderValue{
|
||||
Key: "Location",
|
||||
Value: fmt.Sprintf("https://%s%s", data.Domain, data.Path),
|
||||
},
|
||||
},
|
||||
}), nil
|
||||
}
|
||||
ctx.Logger.Errorf("Target URL '%s' has an insecure scheme '%s', only the 'https' and 'wss' schemes are supported so session cookies can be transmitted securely", object.URL.String(), object.URL.Scheme)
|
||||
return authz.ErrAuthResponse(envoy_type.StatusCode_BadRequest, "Bad protocol for authentication request"), nil
|
||||
}
|
||||
|
||||
// Get provider
|
||||
provider, err := ctx.GetSessionProviderByTargetURL(object.URL)
|
||||
if err != nil {
|
||||
ctx.Logger.WithError(err).WithField("target_url", object.URL.String()).Error("Target URL does not appear to have a relevant session cookies configuration")
|
||||
return authz.ErrAuthResponse(envoy_type.StatusCode_BadRequest, "Bad domain for authentication request"), nil
|
||||
}
|
||||
|
||||
// Get authelia url
|
||||
if len(data.AutheliaURL) == 0 {
|
||||
ctx.Logger.Info("Received no authelia URL from headers. Using the default of https://auth.rpjosh.de")
|
||||
data.AutheliaURL = "https://auth.rpjosh.de"
|
||||
}
|
||||
autheliaURI, err := data.GetAutheliaURI(provider)
|
||||
if err != nil {
|
||||
ctx.Logger.WithError(err).WithField("target_url", object.URL.String()).Error("Error occurred trying to determine the external Authelia URL for Target URL")
|
||||
return authz.ErrAuthResponse(envoy_type.StatusCode_BadRequest, "Bad authentication request"), nil
|
||||
}
|
||||
ctx.Logger.Trace("Using authelia URL " + autheliaURI.String())
|
||||
|
||||
var (
|
||||
authn Authn
|
||||
strategy AuthnStrategy
|
||||
)
|
||||
|
||||
// Get strategie
|
||||
if authn, strategy, err = authz.Authz.authn(ctx, provider); err != nil {
|
||||
authn.Object = object
|
||||
|
||||
ctx.Logger.WithError(err).Error("Error occurred while attempting to authenticate a request")
|
||||
|
||||
switch strategy {
|
||||
case nil:
|
||||
ctx.Logger.Trace("Received no strategy to use")
|
||||
return authz.ErrAuthResponse(envoy_type.StatusCode_Unauthorized, "Unauthorized"), nil
|
||||
default:
|
||||
// Because the response is modified directly, we have to catch this and rewrite this function
|
||||
if s, ok := strategy.(*HeaderAuthnStrategy); ok {
|
||||
ctx.Logger.Trace("Rewriting HeaderAuthnStrategy")
|
||||
ctx.Logger.Debugf("Responding %d %s", s.authn, autheliaURI)
|
||||
|
||||
headers := make([]*core.HeaderValueOption, 0)
|
||||
if s.headerAuthenticate != nil {
|
||||
headers = append(headers, &core.HeaderValueOption{
|
||||
Header: &core.HeaderValue{
|
||||
Key: string(s.headerAuthenticate),
|
||||
Value: string(headerValueAuthenticateBasic),
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
return authz.AuthResponseHeader(envoy_type.StatusCode(s.statusAuthenticate), "", headers), nil
|
||||
} else if _, ok := strategy.(*CookieSessionAuthnStrategy); ok {
|
||||
ctx.Logger.Trace("Rewriting CookieSessionAuthnStrategy")
|
||||
|
||||
}
|
||||
|
||||
ctx.Logger.Error("Received unsupported auth strategy for gRPC server")
|
||||
// strategy.HandleUnauthorized(ctx, &authn, authz.Authz.getRedirectionURL(&object, autheliaURI))
|
||||
}
|
||||
|
||||
return authz.ErrAuthResponse(envoy_type.StatusCode_Unauthorized, "Unauthorized"), nil
|
||||
}
|
||||
|
||||
authn.Object = object
|
||||
authn.Method = friendlyMethod(authn.Object.Method)
|
||||
|
||||
ruleHasSubject, required := ctx.Providers.Authorizer.GetRequiredLevel(
|
||||
authorization.Subject{
|
||||
Username: authn.Details.Username,
|
||||
Groups: authn.Details.Groups,
|
||||
IP: net.ParseIP(data.RemoteHost),
|
||||
},
|
||||
object,
|
||||
)
|
||||
|
||||
switch isAuthzResult(authn.Level, required, ruleHasSubject) {
|
||||
case AuthzResultForbidden:
|
||||
ctx.Logger.Infof("Access to '%s' is forbidden to user '%s'", object.URL.String(), authn.Username)
|
||||
return authz.ErrAuthResponse(envoy_type.StatusCode_Forbidden, "Forbidden"), nil
|
||||
case AuthzResultUnauthorized:
|
||||
if strategy != nil {
|
||||
ctx.Logger.Error("Handling not supported handler")
|
||||
//strategy.HandleUnauthorized(ctx, &authn, authz.Authz.getRedirectionURL(&object, autheliaURI))
|
||||
} else {
|
||||
ctx.Logger.Debugf("Redirecting user")
|
||||
return authz.HandleUnauthorizedRedirect(ctx, &authn, authz.Authz.getRedirectionURL(&object, autheliaURI)), nil
|
||||
}
|
||||
case AuthzResultAuthorized:
|
||||
ctx.Logger.Debugf("Authorized request")
|
||||
return authz.HandleAuthorized(ctx, &authn), nil
|
||||
//authz.Authz.handleAuthorized(ctx, &authn)
|
||||
}
|
||||
|
||||
ctx.Logger.Info("Handling default redirection")
|
||||
return authz.HandleUnauthorizedRedirect(ctx, &authn, authz.Authz.getRedirectionURL(&object, autheliaURI)), nil
|
||||
}
|
||||
|
||||
// GetHttpCtxFromGRPC is an Adapter that converts common fields between a grpc request
|
||||
// a "normal" http request.
|
||||
// It also returns the
|
||||
func (authz *AuthzGRCP) GetHttpCtxFromGRPC(req *autha.CheckRequest) (*fasthttp.RequestCtx, *GRCPRequestData) {
|
||||
|
||||
// Extract headers
|
||||
headers := req.Attributes.Request.Http.Headers
|
||||
|
||||
// Parse the header data
|
||||
data := &GRCPRequestData{
|
||||
RemoteHost: headers["x-forwarded-for"],
|
||||
Domain: headers[":authority"],
|
||||
Method: headers[":method"],
|
||||
Protocol: headers["x-forwarded-proto"],
|
||||
Path: headers[":path"],
|
||||
AutheliaURL: headers[""],
|
||||
}
|
||||
|
||||
// Build fasthttp request with common types
|
||||
rtc := &fasthttp.RequestCtx{}
|
||||
|
||||
// General headers
|
||||
rtc.Request.Header.Set(fasthttp.HeaderXForwardedFor, data.RemoteHost)
|
||||
|
||||
// Needed for NewHeaderProxyAuthorizationAuthnStrategy and NewHeaderAuthorizationAuthnStrategy
|
||||
authz.setHeaderIfSet(fasthttp.HeaderAuthorization, rtc, &headers)
|
||||
authz.setHeaderIfSet(fasthttp.HeaderProxyAuthorization, rtc, &headers)
|
||||
authz.setHeaderIfSet(fasthttp.HeaderWWWAuthenticate, rtc, &headers)
|
||||
authz.setHeaderIfSet(fasthttp.HeaderProxyAuthenticate, rtc, &headers)
|
||||
|
||||
// Needed for CookieSesseionauthnStrategy
|
||||
rtc.Request.Header.Set("cookie", headers["cookie"])
|
||||
|
||||
return rtc, data
|
||||
}
|
||||
|
||||
// setHeaderIfSet sets the header in the given fastHttp request if the header from the envoy authentication
|
||||
// request was also set
|
||||
func (authz *AuthzGRCP) setHeaderIfSet(headerKeyFast string, rtc *fasthttp.RequestCtx, envoyHeaders *map[string]string) {
|
||||
// Envoys provided header keys are always lower case
|
||||
envoyHeaderKey := strings.ToLower(headerKeyFast)
|
||||
|
||||
if val, isSet := (*envoyHeaders)[envoyHeaderKey]; isSet {
|
||||
rtc.Request.Header.Set(headerKeyFast, val)
|
||||
}
|
||||
}
|
||||
|
||||
// ErrAuthResponse returns an authentication error for envoy with the given status code
|
||||
// and the given text body
|
||||
func (authz *AuthzGRCP) ErrAuthResponse(statuscode envoy_type.StatusCode, body string) *autha.CheckResponse {
|
||||
return &autha.CheckResponse{
|
||||
Status: &rpcstatus.Status{
|
||||
Code: int32(rpc.UNAUTHENTICATED),
|
||||
},
|
||||
HttpResponse: &autha.CheckResponse_DeniedResponse{
|
||||
DeniedResponse: &autha.DeniedHttpResponse{
|
||||
Status: &envoy_type.HttpStatus{
|
||||
Code: statuscode,
|
||||
},
|
||||
Body: body,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// ErrAuthResponse returns an authentication error for envoy with the given status code
|
||||
// and the given text body
|
||||
func (authz *AuthzGRCP) AuthResponseHeader(statuscode envoy_type.StatusCode, body string, headers []*core.HeaderValueOption) *autha.CheckResponse {
|
||||
return &autha.CheckResponse{
|
||||
Status: &rpcstatus.Status{
|
||||
Code: int32(rpc.UNAUTHENTICATED),
|
||||
},
|
||||
HttpResponse: &autha.CheckResponse_DeniedResponse{
|
||||
DeniedResponse: &autha.DeniedHttpResponse{
|
||||
Status: &envoy_type.HttpStatus{
|
||||
Code: statuscode,
|
||||
},
|
||||
Body: body,
|
||||
Headers: headers,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (authz *AuthzGRCP) HandleAuthorized(ctx *middlewares.AutheliaCtx, authn *Authn) *autha.CheckResponse {
|
||||
return &autha.CheckResponse{
|
||||
Status: &rpcstatus.Status{
|
||||
Code: int32(rpc.OK),
|
||||
},
|
||||
HttpResponse: &autha.CheckResponse_OkResponse{
|
||||
OkResponse: &autha.OkHttpResponse{
|
||||
Headers: []*core.HeaderValueOption{
|
||||
{
|
||||
Header: &core.HeaderValue{
|
||||
Key: "Auth-Handler",
|
||||
Value: getAuthType(authn.Type),
|
||||
},
|
||||
},
|
||||
{
|
||||
Header: &core.HeaderValue{
|
||||
Key: "Auth-Username",
|
||||
Value: authn.Username,
|
||||
},
|
||||
},
|
||||
{
|
||||
Header: &core.HeaderValue{
|
||||
Key: "Auth-Username-Display",
|
||||
Value: authn.Details.DisplayName,
|
||||
},
|
||||
},
|
||||
{
|
||||
Header: &core.HeaderValue{
|
||||
Key: "Auth-Realm",
|
||||
Value: authn.Object.Domain,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (authz *AuthzGRCP) HandleUnauthorizedRedirect(ctx *middlewares.AutheliaCtx, authn *Authn, redirectionURL *url.URL) *autha.CheckResponse {
|
||||
return &autha.CheckResponse{
|
||||
Status: &rpcstatus.Status{
|
||||
Code: int32(rpc.UNAUTHENTICATED),
|
||||
},
|
||||
HttpResponse: &autha.CheckResponse_DeniedResponse{
|
||||
DeniedResponse: &autha.DeniedHttpResponse{
|
||||
Status: &envoy_type.HttpStatus{
|
||||
Code: 302,
|
||||
},
|
||||
Headers: []*core.HeaderValueOption{
|
||||
{
|
||||
Header: &core.HeaderValue{
|
||||
Key: "Location",
|
||||
Value: redirectionURL.String(),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func getAuthType(t AuthnType) string {
|
||||
|
||||
switch t {
|
||||
case AuthnTypeNone:
|
||||
return "none"
|
||||
case AuthnTypeCookie:
|
||||
return "cookie"
|
||||
case AuthnTypeProxyAuthorization:
|
||||
return "proxy"
|
||||
case AuthnTypeAuthorization:
|
||||
return "header"
|
||||
default:
|
||||
return "unknown"
|
||||
}
|
||||
}
|
||||
|
||||
// HealthEndpoint implements a health function to check if the appliction is
|
||||
// still alive
|
||||
type HealthEndpoint struct{}
|
||||
|
||||
func (s *HealthEndpoint) Check(ctx context.Context, in *healthpb.HealthCheckRequest) (*healthpb.HealthCheckResponse, error) {
|
||||
return &healthpb.HealthCheckResponse{Status: healthpb.HealthCheckResponse_SERVING}, nil
|
||||
}
|
||||
|
||||
func (s *HealthEndpoint) Watch(in *healthpb.HealthCheckRequest, srv healthpb.Health_WatchServer) error {
|
||||
return status.Error(codes.Unimplemented, "Watch is not implemented")
|
||||
}
|
|
@ -33,7 +33,7 @@ func FirstFactorPOST(delayFunc middlewares.TimingAttackDelayFunc) middlewares.Re
|
|||
return
|
||||
}
|
||||
|
||||
if bannedUntil, err := ctx.Providers.Regulator.Regulate(ctx, bodyJSON.Username, ctx.RemoteIP().String()); err != nil {
|
||||
if bannedUntil, err := ctx.Providers.Regulator.Regulate(ctx, bodyJSON.Username); err != nil {
|
||||
if errors.Is(err, regulation.ErrUserIsBanned) {
|
||||
_ = markAuthenticationAttempt(ctx, false, &bannedUntil, bodyJSON.Username, regulation.AuthType1FA, nil)
|
||||
|
||||
|
|
|
@ -277,18 +277,13 @@ func markAuthenticationAttempt(ctx *middlewares.AutheliaCtx, successful bool, ba
|
|||
if successful {
|
||||
ctx.Logger.Debugf("Successful %s authentication attempt made by user '%s'", authType, username)
|
||||
} else {
|
||||
reasonPhrase := "by user '" + username + "'"
|
||||
if ctx.Configuration.Server.UseIPInsteadOfUserForBan {
|
||||
reasonPhrase = fmt.Sprintf("by ip %q (user %q)", ctx.RemoteIP().String(), username)
|
||||
}
|
||||
|
||||
switch {
|
||||
case errAuth != nil:
|
||||
ctx.Logger.Errorf("Unsuccessful %s authentication attempt %s: %+v", authType, reasonPhrase, errAuth)
|
||||
ctx.Logger.Errorf("Unsuccessful %s authentication attempt by user '%s': %+v", authType, username, errAuth)
|
||||
case bannedUntil != nil:
|
||||
ctx.Logger.Errorf("Unsuccessful %s authentication attempt %s and they are banned until %s", authType, reasonPhrase, bannedUntil)
|
||||
ctx.Logger.Errorf("Unsuccessful %s authentication attempt by user '%s' and they are banned until %s", authType, username, bannedUntil)
|
||||
default:
|
||||
ctx.Logger.Errorf("Unsuccessful %s authentication attempt %s", authType, reasonPhrase)
|
||||
ctx.Logger.Errorf("Unsuccessful %s authentication attempt by user '%s'", authType, username)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -210,18 +210,18 @@ func (mr *MockStorageMockRecorder) FindIdentityVerification(arg0, arg1 interface
|
|||
}
|
||||
|
||||
// LoadAuthenticationLogs mocks base method.
|
||||
func (m *MockStorage) LoadAuthenticationLogs(arg0 context.Context, arg1, arg2 string, arg3 time.Time, arg4, arg5 int) ([]model.AuthenticationAttempt, error) {
|
||||
func (m *MockStorage) LoadAuthenticationLogs(arg0 context.Context, arg1 string, arg2 time.Time, arg3, arg4 int) ([]model.AuthenticationAttempt, error) {
|
||||
m.ctrl.T.Helper()
|
||||
ret := m.ctrl.Call(m, "LoadAuthenticationLogs", arg0, arg1, arg2, arg3, arg4, arg5)
|
||||
ret := m.ctrl.Call(m, "LoadAuthenticationLogs", arg0, arg1, arg2, arg3, arg4)
|
||||
ret0, _ := ret[0].([]model.AuthenticationAttempt)
|
||||
ret1, _ := ret[1].(error)
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
// LoadAuthenticationLogs indicates an expected call of LoadAuthenticationLogs.
|
||||
func (mr *MockStorageMockRecorder) LoadAuthenticationLogs(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) *gomock.Call {
|
||||
func (mr *MockStorageMockRecorder) LoadAuthenticationLogs(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LoadAuthenticationLogs", reflect.TypeOf((*MockStorage)(nil).LoadAuthenticationLogs), arg0, arg1, arg2, arg3, arg4, arg5)
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LoadAuthenticationLogs", reflect.TypeOf((*MockStorage)(nil).LoadAuthenticationLogs), arg0, arg1, arg2, arg3, arg4)
|
||||
}
|
||||
|
||||
// LoadOAuth2BlacklistedJTI mocks base method.
|
||||
|
|
|
@ -40,13 +40,13 @@ func (r *Regulator) Mark(ctx Context, successful, banned bool, username, request
|
|||
|
||||
// Regulate the authentication attempts for a given user.
|
||||
// This method returns ErrUserIsBanned if the user is banned along with the time until when the user is banned.
|
||||
func (r *Regulator) Regulate(ctx context.Context, username string, remoteIp string) (time.Time, error) {
|
||||
func (r *Regulator) Regulate(ctx context.Context, username string) (time.Time, error) {
|
||||
// If there is regulation configuration, no regulation applies.
|
||||
if !r.enabled {
|
||||
return time.Time{}, nil
|
||||
}
|
||||
|
||||
attempts, err := r.store.LoadAuthenticationLogs(ctx, username, remoteIp, r.clock.Now().Add(-r.config.BanTime), 10, 0)
|
||||
attempts, err := r.store.LoadAuthenticationLogs(ctx, username, r.clock.Now().Add(-r.config.BanTime), 10, 0)
|
||||
if err != nil {
|
||||
return time.Time{}, nil
|
||||
}
|
||||
|
|
|
@ -23,8 +23,6 @@ type RegulatorSuite struct {
|
|||
mock *mocks.MockAutheliaCtx
|
||||
}
|
||||
|
||||
// @TODO
|
||||
// Extend this test for IP ban :)
|
||||
func (s *RegulatorSuite) SetupTest() {
|
||||
s.mock = mocks.NewMockAutheliaCtx(s.T())
|
||||
s.mock.Ctx.Configuration.Regulation = schema.RegulationConfiguration{
|
||||
|
@ -60,9 +58,9 @@ func (s *RegulatorSuite) TestShouldMark() {
|
|||
func (s *RegulatorSuite) TestShouldHandleRegulateError() {
|
||||
regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)
|
||||
|
||||
s.mock.StorageMock.EXPECT().LoadAuthenticationLogs(s.mock.Ctx, "john", "127.0.0.1", s.mock.Clock.Now().Add(-s.mock.Ctx.Configuration.Regulation.BanTime), 10, 0).Return(nil, fmt.Errorf("failed"))
|
||||
s.mock.StorageMock.EXPECT().LoadAuthenticationLogs(s.mock.Ctx, "john", s.mock.Clock.Now().Add(-s.mock.Ctx.Configuration.Regulation.BanTime), 10, 0).Return(nil, fmt.Errorf("failed"))
|
||||
|
||||
until, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
|
||||
until, err := regulator.Regulate(s.mock.Ctx, "john")
|
||||
|
||||
s.NoError(err)
|
||||
s.Equal(time.Time{}, until)
|
||||
|
@ -78,12 +76,12 @@ func (s *RegulatorSuite) TestShouldNotThrowWhenUserIsLegitimate() {
|
|||
}
|
||||
|
||||
s.mock.StorageMock.EXPECT().
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
Return(attemptsInDB, nil)
|
||||
|
||||
regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)
|
||||
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john")
|
||||
assert.NoError(s.T(), err)
|
||||
}
|
||||
|
||||
|
@ -109,12 +107,12 @@ func (s *RegulatorSuite) TestShouldNotThrowWhenFailedAuthenticationNotInFindTime
|
|||
}
|
||||
|
||||
s.mock.StorageMock.EXPECT().
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
Return(attemptsInDB, nil)
|
||||
|
||||
regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)
|
||||
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john")
|
||||
assert.NoError(s.T(), err)
|
||||
}
|
||||
|
||||
|
@ -145,12 +143,12 @@ func (s *RegulatorSuite) TestShouldBanUserIfLatestAttemptsAreWithinFinTime() {
|
|||
}
|
||||
|
||||
s.mock.StorageMock.EXPECT().
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
Return(attemptsInDB, nil)
|
||||
|
||||
regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)
|
||||
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john")
|
||||
assert.Equal(s.T(), regulation.ErrUserIsBanned, err)
|
||||
}
|
||||
|
||||
|
@ -178,12 +176,12 @@ func (s *RegulatorSuite) TestShouldCheckUserIsStillBanned() {
|
|||
}
|
||||
|
||||
s.mock.StorageMock.EXPECT().
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
Return(attemptsInDB, nil)
|
||||
|
||||
regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)
|
||||
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john")
|
||||
assert.Equal(s.T(), regulation.ErrUserIsBanned, err)
|
||||
}
|
||||
|
||||
|
@ -202,12 +200,12 @@ func (s *RegulatorSuite) TestShouldCheckUserIsNotYetBanned() {
|
|||
}
|
||||
|
||||
s.mock.StorageMock.EXPECT().
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
Return(attemptsInDB, nil)
|
||||
|
||||
regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)
|
||||
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john")
|
||||
assert.NoError(s.T(), err)
|
||||
}
|
||||
|
||||
|
@ -234,12 +232,12 @@ func (s *RegulatorSuite) TestShouldCheckUserWasAboutToBeBanned() {
|
|||
}
|
||||
|
||||
s.mock.StorageMock.EXPECT().
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
Return(attemptsInDB, nil)
|
||||
|
||||
regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)
|
||||
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john")
|
||||
assert.NoError(s.T(), err)
|
||||
}
|
||||
|
||||
|
@ -270,12 +268,12 @@ func (s *RegulatorSuite) TestShouldCheckRegulationHasBeenResetOnSuccessfulAttemp
|
|||
}
|
||||
|
||||
s.mock.StorageMock.EXPECT().
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
Return(attemptsInDB, nil)
|
||||
|
||||
regulator := regulation.NewRegulator(s.mock.Ctx.Configuration.Regulation, s.mock.StorageMock, &s.mock.Clock)
|
||||
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john")
|
||||
assert.NoError(s.T(), err)
|
||||
}
|
||||
|
||||
|
@ -305,7 +303,7 @@ func (s *RegulatorSuite) TestShouldHaveRegulatorDisabled() {
|
|||
}
|
||||
|
||||
s.mock.StorageMock.EXPECT().
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), "127.0.0.1", gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
LoadAuthenticationLogs(s.mock.Ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
Return(attemptsInDB, nil)
|
||||
|
||||
// Check Disabled Functionality.
|
||||
|
@ -316,7 +314,7 @@ func (s *RegulatorSuite) TestShouldHaveRegulatorDisabled() {
|
|||
}
|
||||
|
||||
regulator := regulation.NewRegulator(config, s.mock.StorageMock, &s.mock.Clock)
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
|
||||
_, err := regulator.Regulate(s.mock.Ctx, "john")
|
||||
assert.NoError(s.T(), err)
|
||||
|
||||
// Check Enabled Functionality.
|
||||
|
@ -327,6 +325,6 @@ func (s *RegulatorSuite) TestShouldHaveRegulatorDisabled() {
|
|||
}
|
||||
|
||||
regulator = regulation.NewRegulator(config, s.mock.StorageMock, &s.mock.Clock)
|
||||
_, err = regulator.Regulate(s.mock.Ctx, "john", "127.0.0.1")
|
||||
_, err = regulator.Regulate(s.mock.Ctx, "john")
|
||||
assert.Equal(s.T(), regulation.ErrUserIsBanned, err)
|
||||
}
|
||||
|
|
|
@ -9,7 +9,6 @@ import (
|
|||
"time"
|
||||
|
||||
duoapi "github.com/duosecurity/duo_api_golang"
|
||||
autha "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
|
||||
"github.com/fasthttp/router"
|
||||
"github.com/prometheus/client_golang/prometheus/promhttp"
|
||||
"github.com/sirupsen/logrus"
|
||||
|
@ -17,8 +16,6 @@ import (
|
|||
"github.com/valyala/fasthttp/expvarhandler"
|
||||
"github.com/valyala/fasthttp/fasthttpadaptor"
|
||||
"github.com/valyala/fasthttp/pprofhandler"
|
||||
"google.golang.org/grpc"
|
||||
healthpb "google.golang.org/grpc/health/grpc_health_v1"
|
||||
|
||||
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
||||
"github.com/authelia/authelia/v4/internal/duo"
|
||||
|
@ -192,7 +189,7 @@ func handleRouter(config *schema.Configuration, providers middlewares.Providers)
|
|||
uri := path.Join(pathAuthz, name)
|
||||
|
||||
authz := handlers.NewAuthzBuilder().WithConfig(config).WithEndpointConfig(endpoint).Build()
|
||||
// @HERE
|
||||
|
||||
handler := middlewares.Wrap(metricsVRMW, bridge(authz.Handler))
|
||||
|
||||
switch name {
|
||||
|
@ -407,12 +404,6 @@ func handleRouter(config *schema.Configuration, providers middlewares.Providers)
|
|||
return handler
|
||||
}
|
||||
|
||||
func handleGRCP(server *grpc.Server, config *schema.Configuration, providers middlewares.Providers) {
|
||||
// Register endpoints
|
||||
healthpb.RegisterHealthServer(server, &handlers.HealthEndpoint{})
|
||||
autha.RegisterAuthorizationServer(server, handlers.NewAuthzGRCP(config, providers))
|
||||
}
|
||||
|
||||
func handleMetrics(path string) fasthttp.RequestHandler {
|
||||
r := router.New()
|
||||
|
||||
|
|
|
@ -9,8 +9,6 @@ import (
|
|||
|
||||
"github.com/sirupsen/logrus"
|
||||
"github.com/valyala/fasthttp"
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
|
||||
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
||||
"github.com/authelia/authelia/v4/internal/logging"
|
||||
|
@ -46,13 +44,30 @@ func CreateDefaultServer(config *schema.Configuration, providers middlewares.Pro
|
|||
if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" {
|
||||
isTLS, connectionScheme = true, schemeHTTPS
|
||||
|
||||
tlsConfig, err := loadTLSCertificates(config)
|
||||
if err != nil {
|
||||
return nil, nil, nil, false, fmt.Errorf("HTTP server: %w", err)
|
||||
if err = server.AppendCert(config.Server.TLS.Certificate, config.Server.TLS.Key); err != nil {
|
||||
return nil, nil, nil, false, fmt.Errorf("unable to load tls server certificate '%s' or private key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)
|
||||
}
|
||||
|
||||
// Apply configuration
|
||||
listener = tls.NewListener(listener, tlsConfig.Clone())
|
||||
if len(config.Server.TLS.ClientCertificates) > 0 {
|
||||
caCertPool := x509.NewCertPool()
|
||||
|
||||
var cert []byte
|
||||
|
||||
for _, path := range config.Server.TLS.ClientCertificates {
|
||||
if cert, err = os.ReadFile(path); err != nil {
|
||||
return nil, nil, nil, false, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)
|
||||
}
|
||||
|
||||
caCertPool.AppendCertsFromPEM(cert)
|
||||
}
|
||||
|
||||
// ClientCAs should never be nil, otherwise the system cert pool is used for client authentication
|
||||
// but we don't want everybody on the Internet to be able to authenticate.
|
||||
server.TLSConfig.ClientCAs = caCertPool
|
||||
server.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
||||
}
|
||||
|
||||
listener = tls.NewListener(listener, server.TLSConfig.Clone())
|
||||
}
|
||||
|
||||
if err = writeHealthCheckEnv(config.Server.DisableHealthcheck, connectionScheme, config.Server.Address.Hostname(),
|
||||
|
@ -93,72 +108,3 @@ func CreateMetricsServer(config *schema.Configuration, providers middlewares.Pro
|
|||
|
||||
return server, listener, []string{config.Telemetry.Metrics.Address.Path()}, false, nil
|
||||
}
|
||||
|
||||
// CreateGRPCServer creates a server for handling gRPC authentication requests from an envoy proxy.
|
||||
func CreateGRPCServer(config *schema.Configuration, providers middlewares.Providers) (server *grpc.Server, listener net.Listener, tls bool, err error) {
|
||||
if config.Server.GRPC.Address == nil {
|
||||
return nil, nil, false, nil
|
||||
}
|
||||
|
||||
// Initialize gPRC server
|
||||
lis, err := config.Server.GRPC.Address.Listener()
|
||||
if err != nil {
|
||||
return nil, nil, false, fmt.Errorf("error occurred while attempting to initialize grcp server listener for address '%s': %w", config.Server.GRPC.Address, err)
|
||||
}
|
||||
|
||||
opts := []grpc.ServerOption{grpc.MaxConcurrentStreams(10)}
|
||||
|
||||
if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" && !config.Server.GRPC.DisableTLS {
|
||||
tlsConfig, err := loadTLSCertificates(config)
|
||||
if err != nil {
|
||||
return nil, nil, false, fmt.Errorf("gRPC server: %w", err)
|
||||
}
|
||||
|
||||
opts = append(opts, grpc.Creds(credentials.NewTLS(tlsConfig)))
|
||||
tls = true
|
||||
}
|
||||
|
||||
s := grpc.NewServer(opts...)
|
||||
handleGRCP(s, config, providers)
|
||||
|
||||
return s, lis, tls, nil
|
||||
}
|
||||
|
||||
// loadTLSCertificates loads the server and client certificates from the files and returns a
|
||||
// tls.Config object for the server
|
||||
func loadTLSCertificates(config *schema.Configuration) (*tls.Config, error) {
|
||||
|
||||
// Load the server certificates
|
||||
serverCert, err := tls.LoadX509KeyPair(config.Server.TLS.Certificate, config.Server.TLS.Key)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to load server certificate '%s' or key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)
|
||||
}
|
||||
|
||||
// Create the tls configuration
|
||||
tlsConfig := &tls.Config{
|
||||
Certificates: []tls.Certificate{serverCert},
|
||||
ClientAuth: tls.NoClientCert,
|
||||
}
|
||||
|
||||
// Load client certificates
|
||||
if len(config.Server.TLS.ClientCertificates) > 0 {
|
||||
caCertPool := x509.NewCertPool()
|
||||
|
||||
var cert []byte
|
||||
|
||||
for _, path := range config.Server.TLS.ClientCertificates {
|
||||
if cert, err = os.ReadFile(path); err != nil {
|
||||
return nil, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)
|
||||
}
|
||||
|
||||
caCertPool.AppendCertsFromPEM(cert)
|
||||
}
|
||||
|
||||
// ClientCAs should never be nil, otherwise the system cert pool is used for client authentication,
|
||||
// but we don't want everybody on the Internet to be able to authenticate.
|
||||
tlsConfig.ClientCAs = caCertPool
|
||||
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
||||
}
|
||||
|
||||
return tlsConfig, nil
|
||||
}
|
||||
|
|
|
@ -90,5 +90,5 @@ type Provider interface {
|
|||
// RegulatorProvider is an interface providing storage capabilities for persisting any kind of data related to the regulator.
|
||||
type RegulatorProvider interface {
|
||||
AppendAuthenticationLog(ctx context.Context, attempt model.AuthenticationAttempt) (err error)
|
||||
LoadAuthenticationLogs(ctx context.Context, username string, ip string, fromDate time.Time, limit, page int) (attempts []model.AuthenticationAttempt, err error)
|
||||
LoadAuthenticationLogs(ctx context.Context, username string, fromDate time.Time, limit, page int) (attempts []model.AuthenticationAttempt, err error)
|
||||
}
|
||||
|
|
|
@ -33,7 +33,6 @@ func NewSQLProvider(config *schema.Configuration, name, driverName, dataSourceNa
|
|||
|
||||
sqlInsertAuthenticationAttempt: fmt.Sprintf(queryFmtInsertAuthenticationLogEntry, tableAuthenticationLogs),
|
||||
sqlSelectAuthenticationAttemptsByUsername: fmt.Sprintf(queryFmtSelect1FAAuthenticationLogEntryByUsername, tableAuthenticationLogs),
|
||||
sqlSelectAuthenticationAttemptyByIP: fmt.Sprintf(queryFmtSelect1FAAuthenticationLogEntryByIP, tableAuthenticationLogs),
|
||||
|
||||
sqlInsertIdentityVerification: fmt.Sprintf(queryFmtInsertIdentityVerification, tableIdentityVerification),
|
||||
sqlConsumeIdentityVerification: fmt.Sprintf(queryFmtConsumeIdentityVerification, tableIdentityVerification),
|
||||
|
@ -150,7 +149,6 @@ type SQLProvider struct {
|
|||
// Table: authentication_logs.
|
||||
sqlInsertAuthenticationAttempt string
|
||||
sqlSelectAuthenticationAttemptsByUsername string
|
||||
sqlSelectAuthenticationAttemptyByIP string
|
||||
|
||||
// Table: identity_verification.
|
||||
sqlInsertIdentityVerification string
|
||||
|
@ -1023,18 +1021,10 @@ func (p *SQLProvider) AppendAuthenticationLog(ctx context.Context, attempt model
|
|||
}
|
||||
|
||||
// LoadAuthenticationLogs retrieve the latest failed authentications from the authentication log.
|
||||
func (p *SQLProvider) LoadAuthenticationLogs(ctx context.Context, username string, ip string, fromDate time.Time, limit, page int) (attempts []model.AuthenticationAttempt, err error) {
|
||||
func (p *SQLProvider) LoadAuthenticationLogs(ctx context.Context, username string, fromDate time.Time, limit, page int) (attempts []model.AuthenticationAttempt, err error) {
|
||||
attempts = make([]model.AuthenticationAttempt, 0, limit)
|
||||
|
||||
// Dynmaic values based on ip / username ban
|
||||
query := p.sqlSelectAuthenticationAttemptsByUsername
|
||||
placeholder := username
|
||||
if p.config.Server.UseIPInsteadOfUserForBan {
|
||||
query = p.sqlSelectAuthenticationAttemptyByIP
|
||||
placeholder = ip
|
||||
}
|
||||
|
||||
if err = p.db.SelectContext(ctx, &attempts, query, fromDate, placeholder, limit, limit*page); err != nil {
|
||||
if err = p.db.SelectContext(ctx, &attempts, p.sqlSelectAuthenticationAttemptsByUsername, fromDate, username, limit, limit*page); err != nil {
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return nil, ErrNoAuthenticationLogs
|
||||
}
|
||||
|
@ -1043,5 +1033,4 @@ func (p *SQLProvider) LoadAuthenticationLogs(ctx context.Context, username strin
|
|||
}
|
||||
|
||||
return attempts, nil
|
||||
|
||||
}
|
||||
|
|
|
@ -71,7 +71,6 @@ func NewPostgreSQLProvider(config *schema.Configuration, caCertPool *x509.CertPo
|
|||
|
||||
provider.sqlInsertAuthenticationAttempt = provider.db.Rebind(provider.sqlInsertAuthenticationAttempt)
|
||||
provider.sqlSelectAuthenticationAttemptsByUsername = provider.db.Rebind(provider.sqlSelectAuthenticationAttemptsByUsername)
|
||||
provider.sqlSelectAuthenticationAttemptyByIP = provider.db.Rebind(provider.sqlSelectAuthenticationAttemptyByIP)
|
||||
|
||||
provider.sqlInsertMigration = provider.db.Rebind(provider.sqlInsertMigration)
|
||||
provider.sqlSelectMigrations = provider.db.Rebind(provider.sqlSelectMigrations)
|
||||
|
|
|
@ -211,14 +211,6 @@ const (
|
|||
ORDER BY time DESC
|
||||
LIMIT ?
|
||||
OFFSET ?;`
|
||||
|
||||
queryFmtSelect1FAAuthenticationLogEntryByIP = `
|
||||
SELECT time, successful, username
|
||||
FROM %s
|
||||
WHERE time > ? AND remote_ip = ? AND auth_type = '1FA' AND banned = FALSE
|
||||
ORDER BY time DESC
|
||||
LIMIT ?
|
||||
OFFSET ?;`
|
||||
)
|
||||
|
||||
const (
|
||||
|
|
|
@ -21,19 +21,16 @@ authentication_backend:
|
|||
ldap:
|
||||
address: 'ldap://openldap'
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
display_name_attribute: displayName
|
||||
user: cn=admin,dc=example,dc=com
|
||||
password: password
|
||||
attributes:
|
||||
distinguished_name: 'distinguishedName'
|
||||
username: 'uid'
|
||||
display_name: 'displayName'
|
||||
mail: 'mail'
|
||||
member_of: 'memberOf'
|
||||
group_name: 'cn'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
|
|
|
@ -22,19 +22,16 @@ authentication_backend:
|
|||
tls:
|
||||
skip_verify: true
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=inetOrgPerson)) # yamllint disable-line rule:line-length
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
display_name_attribute: displayName
|
||||
user: cn=pwmanager,dc=example,dc=com
|
||||
password: password
|
||||
attributes:
|
||||
distinguished_name: ''
|
||||
username: 'uid'
|
||||
display_name: 'displayName'
|
||||
mail: 'mail'
|
||||
member_of: 'memberOf'
|
||||
group_name: 'cn'
|
||||
|
||||
session:
|
||||
secret: unsecure_session_secret
|
||||
|
|
|
@ -10,9 +10,6 @@ server:
|
|||
tls:
|
||||
certificate: /pki/public.backend.crt
|
||||
key: /pki/private.backend.pem
|
||||
grpc:
|
||||
address: 'tcp://0.0.0.0:9092'
|
||||
disableTLS: false
|
||||
|
||||
telemetry:
|
||||
metrics:
|
||||
|
@ -20,7 +17,7 @@ telemetry:
|
|||
address: tcp://0.0.0.0:9959
|
||||
|
||||
log:
|
||||
level: trace
|
||||
level: debug
|
||||
|
||||
authentication_backend:
|
||||
file:
|
||||
|
@ -33,8 +30,6 @@ session:
|
|||
cookies:
|
||||
- domain: 'example.com'
|
||||
authelia_url: 'https://login.example.com:8080'
|
||||
- domain: 'rpjosh.de'
|
||||
authelia_url: 'https://ubuntugui.rpjosh.de:9091'
|
||||
|
||||
storage:
|
||||
encryption_key: a_not_so_secure_encryption_key
|
||||
|
@ -88,18 +83,6 @@ access_control:
|
|||
subject: "user:bob"
|
||||
policy: two_factor
|
||||
|
||||
- domain: auth.rpjosh.de
|
||||
policy: bypass
|
||||
|
||||
- domain: datenbank.rpjosh.de
|
||||
resources:
|
||||
- "^/$"
|
||||
policy: bypass
|
||||
- domain: datenbank.rpjosh.de
|
||||
resources:
|
||||
- "^/hi.*$"
|
||||
policy: one_factor
|
||||
|
||||
|
||||
regulation:
|
||||
# Set it to 0 to disable max_retries.
|
||||
|
|
|
@ -17,4 +17,3 @@ ENV PATH="/app:${PATH}" \
|
|||
VOLUME /config
|
||||
|
||||
EXPOSE 9091
|
||||
EXPOSE 9092
|
|
@ -2,4 +2,4 @@
|
|||
|
||||
set -x
|
||||
|
||||
pnpm start
|
||||
pnpm install --frozen-lockfile && pnpm start
|
|
@ -1,4 +1,4 @@
|
|||
FROM haproxy:2.7.8-alpine
|
||||
FROM haproxy:2.7.9-alpine
|
||||
USER root
|
||||
|
||||
RUN \
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
version: '3'
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:v2.10.3
|
||||
image: traefik:v2.10.1
|
||||
volumes:
|
||||
- '/var/run/docker.sock:/var/run/docker.sock'
|
||||
labels:
|
||||
|
|
|
@ -20,18 +20,15 @@ authentication_backend:
|
|||
tls:
|
||||
skip_verify: true
|
||||
base_dn: dc=example,dc=com
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=users
|
||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
display_name_attribute: displayName
|
||||
user: cn=admin,dc=example,dc=com
|
||||
attributes:
|
||||
distinguished_name: ''
|
||||
username: 'uid'
|
||||
display_name: 'displayName'
|
||||
mail: 'mail'
|
||||
member_of: 'memberOf'
|
||||
group_name: 'cn'
|
||||
|
||||
access_control:
|
||||
default_policy: deny
|
||||
|
|
|
@ -19,18 +19,18 @@
|
|||
"@fortawesome/free-solid-svg-icons": "6.4.0",
|
||||
"@fortawesome/react-fontawesome": "0.2.0",
|
||||
"@mui/icons-material": "5.11.16",
|
||||
"@mui/material": "5.13.6",
|
||||
"@mui/material": "5.13.5",
|
||||
"@mui/styles": "5.13.2",
|
||||
"axios": "1.4.0",
|
||||
"broadcast-channel": "5.1.0",
|
||||
"classnames": "2.3.2",
|
||||
"i18next": "23.2.3",
|
||||
"i18next": "22.5.1",
|
||||
"i18next-browser-languagedetector": "7.0.2",
|
||||
"i18next-http-backend": "2.2.1",
|
||||
"qrcode.react": "3.1.0",
|
||||
"react": "18.2.0",
|
||||
"react-dom": "18.2.0",
|
||||
"react-i18next": "13.0.1",
|
||||
"react-i18next": "12.3.1",
|
||||
"react-loading": "2.0.3",
|
||||
"react-router-dom": "6.13.0",
|
||||
"react18-input-otp": "1.1.3",
|
||||
|
@ -72,15 +72,15 @@
|
|||
"@testing-library/jest-dom": "5.16.5",
|
||||
"@testing-library/react": "14.0.0",
|
||||
"@types/node": "20.3.1",
|
||||
"@types/react": "18.2.13",
|
||||
"@types/react-dom": "18.2.6",
|
||||
"@types/react": "18.2.12",
|
||||
"@types/react-dom": "18.2.5",
|
||||
"@types/testing-library__jest-dom": "5.14.6",
|
||||
"@types/zxcvbn": "4.4.1",
|
||||
"@typescript-eslint/eslint-plugin": "5.60.0",
|
||||
"@typescript-eslint/parser": "5.60.0",
|
||||
"@vitejs/plugin-react": "4.0.1",
|
||||
"@typescript-eslint/eslint-plugin": "5.59.11",
|
||||
"@typescript-eslint/parser": "5.59.11",
|
||||
"@vitejs/plugin-react": "4.0.0",
|
||||
"@vitest/coverage-istanbul": "0.32.2",
|
||||
"esbuild": "0.18.6",
|
||||
"esbuild": "0.18.4",
|
||||
"eslint": "8.43.0",
|
||||
"eslint-config-prettier": "8.8.0",
|
||||
"eslint-config-react-app": "7.0.1",
|
||||
|
|
1670
web/pnpm-lock.yaml
1670
web/pnpm-lock.yaml
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue