302 lines
20 KiB
Go
302 lines
20 KiB
Go
package schema
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"net/url"
|
|
"time"
|
|
)
|
|
|
|
// AuthenticationBackend represents the configuration related to the authentication backend.
|
|
type AuthenticationBackend struct {
|
|
PasswordReset AuthenticationBackendPasswordReset `koanf:"password_reset" json:"password_reset" jsonschema:"title=Password Reset" jsonschema_description:"Allows configuration of the password reset behaviour"`
|
|
|
|
RefreshInterval string `koanf:"refresh_interval" json:"refresh_interval" jsonschema:"title=Refresh Interval" jsonschema_description:"How frequently the user details are refreshed from the backend"`
|
|
|
|
// The file authentication backend configuration.
|
|
File *AuthenticationBackendFile `koanf:"file" json:"file" jsonschema:"title=File Backend" jsonschema_description:"The file authentication backend configuration"`
|
|
LDAP *AuthenticationBackendLDAP `koanf:"ldap" json:"ldap" jsonschema:"title=LDAP Backend" jsonschema_description:"The LDAP authentication backend configuration"`
|
|
}
|
|
|
|
// AuthenticationBackendPasswordReset represents the configuration related to password reset functionality.
|
|
type AuthenticationBackendPasswordReset struct {
|
|
Disable bool `koanf:"disable" json:"disable" jsonschema:"default=false,title=Disable" jsonschema_description:"Disables the Password Reset option"`
|
|
CustomURL url.URL `koanf:"custom_url" json:"custom_url" jsonschema:"Custom URL" jsonschema_description:"Disables the internal Password Reset option and instead redirects users to this specified URL"`
|
|
}
|
|
|
|
// AuthenticationBackendFile represents the configuration related to file-based backend.
|
|
type AuthenticationBackendFile struct {
|
|
Path string `koanf:"path" json:"path" jsonschema:"title=Path" jsonschema_description:"The file path to the user database"`
|
|
Watch bool `koanf:"watch" json:"watch" jsonschema:"default=false,title=Watch" jsonschema_description:"Enables watching the file for external changes and dynamically reloading the database"`
|
|
|
|
Password AuthenticationBackendFilePassword `koanf:"password" json:"password" jsonschema:"title=Password Options" jsonschema_description:"Allows configuration of the password hashing options when the user passwords are changed directly by Authelia"`
|
|
|
|
Search AuthenticationBackendFileSearch `koanf:"search" json:"search" jsonschema:"title=Search" jsonschema_description:"Configures the user searching behaviour"`
|
|
}
|
|
|
|
// AuthenticationBackendFileSearch represents the configuration related to file-based backend searching.
|
|
type AuthenticationBackendFileSearch struct {
|
|
Email bool `koanf:"email" json:"email" jsonschema:"default=false,title=Email Searching" jsonschema_description:"Allows users to either use their username or their configured email as a username"`
|
|
CaseInsensitive bool `koanf:"case_insensitive" json:"case_insensitive" jsonschema:"default=false,title=Case Insensitive Searching" jsonschema_description:"Allows usernames to be any case during the search"`
|
|
}
|
|
|
|
// AuthenticationBackendFilePassword represents the configuration related to password hashing.
|
|
type AuthenticationBackendFilePassword struct {
|
|
Algorithm string `koanf:"algorithm" json:"algorithm" jsonschema:"default=argon2,enum=argon2,enum=sha2crypt,enum=pbkdf2,enum=bcrypt,enum=scrypt,title=Algorithm" jsonschema_description:"The password hashing algorithm to use"`
|
|
|
|
Argon2 AuthenticationBackendFilePasswordArgon2 `koanf:"argon2" json:"argon2" jsonschema:"title=Argon2" jsonschema_description:"Configure the Argon2 password hashing parameters"`
|
|
SHA2Crypt AuthenticationBackendFilePasswordSHA2Crypt `koanf:"sha2crypt" json:"sha2crypt" jsonschema:"title=SHA2Crypt" jsonschema_description:"Configure the SHA2Crypt password hashing parameters"`
|
|
PBKDF2 AuthenticationBackendFilePasswordPBKDF2 `koanf:"pbkdf2" json:"pbkdf2" jsonschema:"title=PBKDF2" jsonschema_description:"Configure the PBKDF2 password hashing parameters"`
|
|
BCrypt AuthenticationBackendFilePasswordBCrypt `koanf:"bcrypt" json:"bcrypt" jsonschema:"title=BCrypt" jsonschema_description:"Configure the BCrypt password hashing parameters"`
|
|
SCrypt AuthenticationBackendFilePasswordSCrypt `koanf:"scrypt" json:"scrypt" jsonschema:"title=SCrypt" jsonschema_description:"Configure the SCrypt password hashing parameters"`
|
|
|
|
// Deprecated: Use individual password options instead.
|
|
Iterations int `koanf:"iterations" json:"iterations" jsonschema:"deprecated"`
|
|
|
|
// Deprecated: Use individual password options instead.
|
|
Memory int `koanf:"memory" json:"memory" jsonschema:"deprecated"`
|
|
|
|
// Deprecated: Use individual password options instead.
|
|
Parallelism int `koanf:"parallelism" json:"parallelism" jsonschema:"deprecated"`
|
|
|
|
// Deprecated: Use individual password options instead.
|
|
KeyLength int `koanf:"key_length" json:"key_length" jsonschema:"deprecated"`
|
|
|
|
// Deprecated: Use individual password options instead.
|
|
SaltLength int `koanf:"salt_length" json:"salt_length" jsonschema:"deprecated"`
|
|
}
|
|
|
|
// AuthenticationBackendFilePasswordArgon2 represents the argon2 hashing settings.
|
|
type AuthenticationBackendFilePasswordArgon2 struct {
|
|
Variant string `koanf:"variant" json:"variant" jsonschema:"default=argon2id,enum=argon2id,enum=argon2i,enum=argon2d,title=Variant" jsonschema_description:"The Argon2 variant to be used"`
|
|
Iterations int `koanf:"iterations" json:"iterations" jsonschema:"default=3,title=Iterations" jsonschema_description:"The number of Argon2 iterations (parameter t) to be used"`
|
|
Memory int `koanf:"memory" json:"memory" jsonschema:"default=65536,minimum=8,maximum=4294967295,title=Memory" jsonschema_description:"The Argon2 amount of memory in kibibytes (parameter m) to be used"`
|
|
Parallelism int `koanf:"parallelism" json:"parallelism" jsonschema:"default=4,minimum=1,maximum=16777215,title=Parallelism" jsonschema_description:"The Argon2 degree of parallelism (parameter p) to be used"`
|
|
KeyLength int `koanf:"key_length" json:"key_length" jsonschema:"default=32,minimum=4,maximum=2147483647,title=Key Length" jsonschema_description:"The Argon2 key output length"`
|
|
SaltLength int `koanf:"salt_length" json:"salt_length" jsonschema:"default=16,minimum=1,maximum=2147483647,title=Salt Length" jsonschema_description:"The Argon2 salt length"`
|
|
}
|
|
|
|
// AuthenticationBackendFilePasswordSHA2Crypt represents the sha2crypt hashing settings.
|
|
type AuthenticationBackendFilePasswordSHA2Crypt struct {
|
|
Variant string `koanf:"variant" json:"variant" jsonschema:"default=sha512,enum=sha256,enum=sha512,title=Variant" jsonschema_description:"The SHA2Crypt variant to be used"`
|
|
Iterations int `koanf:"iterations" json:"iterations" jsonschema:"default=50000,minimum=1000,maximum=999999999,title=Iterations" jsonschema_description:"The SHA2Crypt iterations (parameter rounds) to be used"`
|
|
SaltLength int `koanf:"salt_length" json:"salt_length" jsonschema:"default=16,minimum=1,maximum=16,title=Salt Length" jsonschema_description:"The SHA2Crypt salt length to be used"`
|
|
}
|
|
|
|
// AuthenticationBackendFilePasswordPBKDF2 represents the PBKDF2 hashing settings.
|
|
type AuthenticationBackendFilePasswordPBKDF2 struct {
|
|
Variant string `koanf:"variant" json:"variant" jsonschema:"default=sha512,enum=sha1,enum=sha224,enum=sha256,enum=sha384,enum=sha512,title=Variant" jsonschema_description:"The PBKDF2 variant to be used"`
|
|
Iterations int `koanf:"iterations" json:"iterations" jsonschema:"default=310000,minimum=100000,maximum=2147483647,title=Iterations" jsonschema_description:"The PBKDF2 iterations to be used"`
|
|
SaltLength int `koanf:"salt_length" json:"salt_length" jsonschema:"default=16,minimum=8,maximum=2147483647,title=Salt Length" jsonschema_description:"The PBKDF2 salt length to be used"`
|
|
}
|
|
|
|
// AuthenticationBackendFilePasswordBCrypt represents the bcrypt hashing settings.
|
|
type AuthenticationBackendFilePasswordBCrypt struct {
|
|
Variant string `koanf:"variant" json:"variant" jsonschema:"default=standard,enum=standard,enum=sha256,title=Variant" jsonschema_description:"The BCrypt variant to be used"`
|
|
Cost int `koanf:"cost" json:"cost" jsonschema:"default=12,minimum=10,maximum=31,title=Cost" jsonschema_description:"The BCrypt cost to be used"`
|
|
}
|
|
|
|
// AuthenticationBackendFilePasswordSCrypt represents the scrypt hashing settings.
|
|
type AuthenticationBackendFilePasswordSCrypt struct {
|
|
Iterations int `koanf:"iterations" json:"iterations" jsonschema:"default=16,minimum=1,maximum=58,title=Iterations" jsonschema_description:"The SCrypt iterations to be used"`
|
|
BlockSize int `koanf:"block_size" json:"block_size" jsonschema:"default=8,minimum=1,maximum=36028797018963967,title=Key Length" jsonschema_description:"The SCrypt block size to be used"`
|
|
Parallelism int `koanf:"parallelism" json:"parallelism" jsonschema:"default=1,minimum=1,maximum=1073741823,title=Key Length" jsonschema_description:"The SCrypt parallelism factor to be used"`
|
|
KeyLength int `koanf:"key_length" json:"key_length" jsonschema:"default=32,minimum=1,maximum=137438953440,title=Key Length" jsonschema_description:"The SCrypt key length to be used"`
|
|
SaltLength int `koanf:"salt_length" json:"salt_length" jsonschema:"default=16,minimum=8,maximum=1024,title=Salt Length" jsonschema_description:"The SCrypt salt length to be used"`
|
|
}
|
|
|
|
// AuthenticationBackendLDAP represents the configuration related to LDAP server.
|
|
type AuthenticationBackendLDAP struct {
|
|
Address *AddressLDAP `koanf:"address" json:"address" jsonschema:"title=Address" jsonschema_description:"The address of the LDAP directory server"`
|
|
Implementation string `koanf:"implementation" json:"implementation" jsonschema:"default=custom,enum=custom,enum=activedirectory,enum=rfc2307bis,enum=freeipa,enum=lldap,enum=glauth,title=Implementation" jsonschema_description:"The implementation which mostly decides the default values"`
|
|
Timeout time.Duration `koanf:"timeout" json:"timeout" jsonschema:"default=5 seconds,title=Timeout" jsonschema_description:"The LDAP directory server connection timeout"`
|
|
StartTLS bool `koanf:"start_tls" json:"start_tls" jsonschema:"default=false,title=StartTLS" jsonschema_description:"Enables the use of StartTLS"`
|
|
TLS *TLS `koanf:"tls" json:"tls" jsonschema:"title=TLS" jsonschema_description:"The LDAP directory server TLS connection properties"`
|
|
|
|
BaseDN string `koanf:"base_dn" json:"base_dn" jsonschema:"title=Base DN" jsonschema_description:"The base for all directory server operations"`
|
|
|
|
AdditionalUsersDN string `koanf:"additional_users_dn" json:"additional_users_dn" jsonschema:"title=Additional User Base" jsonschema_description:"The base in addition to the Base DN for all directory server operations for users"`
|
|
UsersFilter string `koanf:"users_filter" json:"users_filter" jsonschema:"title=Users Filter" jsonschema_description:"The LDAP filter used to search for user objects"`
|
|
|
|
AdditionalGroupsDN string `koanf:"additional_groups_dn" json:"additional_groups_dn" jsonschema:"title=Additional Group Base" jsonschema_description:"The base in addition to the Base DN for all directory server operations for groups"`
|
|
GroupsFilter string `koanf:"groups_filter" json:"groups_filter" jsonschema:"title=Groups Filter" jsonschema_description:"The LDAP filter used to search for group objects"`
|
|
GroupSearchMode string `koanf:"group_search_mode"`
|
|
|
|
Attributes AuthenticationBackendLDAPAttributes `koanf:"attributes" json:"attributes"`
|
|
|
|
PermitReferrals bool `koanf:"permit_referrals" json:"permit_referrals" jsonschema:"default=false,title=Permit Referrals" jsonschema_description:"Enables chasing LDAP referrals"`
|
|
PermitUnauthenticatedBind bool `koanf:"permit_unauthenticated_bind" json:"permit_unauthenticated_bind" jsonschema:"default=false,title=Permit Unauthenticated Bind" jsonschema_description:"Enables omission of the password to perform an unauthenticated bind"`
|
|
PermitFeatureDetectionFailure bool `koanf:"permit_feature_detection_failure" json:"permit_feature_detection_failure" jsonschema:"default=false,title=Permit Feature Detection Failure" jsonschema_description:"Enables failures when detecting directory server features using the Root DSE lookup"`
|
|
|
|
User string `koanf:"user" json:"user" jsonschema:"title=User" jsonschema_description:"The user distinguished name for LDAP binding"`
|
|
Password string `koanf:"password" json:"password" jsonschema:"title=Password" jsonschema_description:"The password for LDAP authenticated binding"`
|
|
}
|
|
|
|
// AuthenticationBackendLDAPAttributes represents the configuration related to LDAP server attributes.
|
|
type AuthenticationBackendLDAPAttributes struct {
|
|
DistinguishedName string `koanf:"distinguished_name" json:"distinguished_name" jsonschema:"title=Attribute: Distinguished Name" jsonschema_description:"The directory server attribute which contains the distinguished name for all objects"`
|
|
Username string `koanf:"username" json:"username" jsonschema:"title=Attribute: User Username" jsonschema_description:"The directory server attribute which contains the username for all users"`
|
|
DisplayName string `koanf:"display_name" json:"display_name" jsonschema:"title=Attribute: User Display Name" jsonschema_description:"The directory server attribute which contains the display name for all users"`
|
|
Mail string `koanf:"mail" json:"mail" jsonschema:"title=Attribute: User Mail" jsonschema_description:"The directory server attribute which contains the mail address for all users and groups"`
|
|
MemberOf string `koanf:"member_of" jsonschema:"title=Attribute: Member Of" jsonschema_description:"The directory server attribute which contains the objects that an object is a member of"`
|
|
GroupName string `koanf:"group_name" json:"group_name" jsonschema:"title=Attribute: Group Name" jsonschema_description:"The directory server attribute which contains the group name for all groups"`
|
|
}
|
|
|
|
// DefaultPasswordConfig represents the default configuration related to Argon2id hashing.
|
|
var DefaultPasswordConfig = AuthenticationBackendFilePassword{
|
|
Algorithm: argon2,
|
|
Argon2: AuthenticationBackendFilePasswordArgon2{
|
|
Variant: argon2id,
|
|
Iterations: 3,
|
|
Memory: 64 * 1024,
|
|
Parallelism: 4,
|
|
KeyLength: 32,
|
|
SaltLength: 16,
|
|
},
|
|
SHA2Crypt: AuthenticationBackendFilePasswordSHA2Crypt{
|
|
Variant: sha512,
|
|
Iterations: 50000,
|
|
SaltLength: 16,
|
|
},
|
|
PBKDF2: AuthenticationBackendFilePasswordPBKDF2{
|
|
Variant: sha512,
|
|
Iterations: 310000,
|
|
SaltLength: 16,
|
|
},
|
|
BCrypt: AuthenticationBackendFilePasswordBCrypt{
|
|
Variant: "standard",
|
|
Cost: 12,
|
|
},
|
|
SCrypt: AuthenticationBackendFilePasswordSCrypt{
|
|
Iterations: 16,
|
|
BlockSize: 8,
|
|
Parallelism: 1,
|
|
KeyLength: 32,
|
|
SaltLength: 16,
|
|
},
|
|
}
|
|
|
|
// DefaultCIPasswordConfig represents the default configuration related to Argon2id hashing for CI.
|
|
var DefaultCIPasswordConfig = AuthenticationBackendFilePassword{
|
|
Algorithm: argon2,
|
|
Argon2: AuthenticationBackendFilePasswordArgon2{
|
|
Iterations: 3,
|
|
Memory: 64,
|
|
Parallelism: 4,
|
|
KeyLength: 32,
|
|
SaltLength: 16,
|
|
},
|
|
SHA2Crypt: AuthenticationBackendFilePasswordSHA2Crypt{
|
|
Variant: sha512,
|
|
Iterations: 50000,
|
|
SaltLength: 16,
|
|
},
|
|
}
|
|
|
|
// DefaultLDAPAuthenticationBackendConfigurationImplementationCustom represents the default LDAP config.
|
|
var DefaultLDAPAuthenticationBackendConfigurationImplementationCustom = AuthenticationBackendLDAP{
|
|
GroupSearchMode: ldapGroupSearchModeFilter,
|
|
Attributes: AuthenticationBackendLDAPAttributes{
|
|
Username: ldapAttrUserID,
|
|
DisplayName: ldapAttrDisplayName,
|
|
Mail: ldapAttrMail,
|
|
GroupName: ldapAttrCommonName,
|
|
},
|
|
Timeout: time.Second * 5,
|
|
TLS: &TLS{
|
|
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
|
},
|
|
}
|
|
|
|
// DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory represents the default LDAP config for the LDAPImplementationActiveDirectory Implementation.
|
|
var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory = AuthenticationBackendLDAP{
|
|
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(|(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt})))",
|
|
GroupsFilter: "(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))",
|
|
GroupSearchMode: ldapGroupSearchModeFilter,
|
|
Attributes: AuthenticationBackendLDAPAttributes{
|
|
DistinguishedName: ldapAttrDistinguishedName,
|
|
Username: ldapAttrSAMAccountName,
|
|
DisplayName: ldapAttrDisplayName,
|
|
Mail: ldapAttrMail,
|
|
MemberOf: ldapAttrMemberOf,
|
|
GroupName: ldapAttrCommonName,
|
|
},
|
|
Timeout: time.Second * 5,
|
|
TLS: &TLS{
|
|
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
|
},
|
|
}
|
|
|
|
// DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis represents the default LDAP config for the LDAPImplementationRFC2307bis Implementation.
|
|
var DefaultLDAPAuthenticationBackendConfigurationImplementationRFC2307bis = AuthenticationBackendLDAP{
|
|
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(|(objectClass=inetOrgPerson)(objectClass=organizationalPerson)))",
|
|
GroupsFilter: "(&(|(member={dn})(uniqueMember={dn}))(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)(objectClass=groupOfMembers))(!(pwdReset=TRUE)))",
|
|
GroupSearchMode: ldapGroupSearchModeFilter,
|
|
Attributes: AuthenticationBackendLDAPAttributes{
|
|
Username: ldapAttrUserID,
|
|
DisplayName: ldapAttrDisplayName,
|
|
Mail: ldapAttrMail,
|
|
MemberOf: ldapAttrMemberOf,
|
|
GroupName: ldapAttrCommonName,
|
|
},
|
|
Timeout: time.Second * 5,
|
|
TLS: &TLS{
|
|
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
|
},
|
|
}
|
|
|
|
// DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA represents the default LDAP config for the LDAPImplementationFreeIPA Implementation.
|
|
var DefaultLDAPAuthenticationBackendConfigurationImplementationFreeIPA = AuthenticationBackendLDAP{
|
|
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(!(nsAccountLock=TRUE))(krbPasswordExpiration>={date-time:generalized})(|(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized})))",
|
|
GroupsFilter: "(&(member={dn})(objectClass=groupOfNames))",
|
|
GroupSearchMode: ldapGroupSearchModeFilter,
|
|
Attributes: AuthenticationBackendLDAPAttributes{
|
|
Username: ldapAttrUserID,
|
|
DisplayName: ldapAttrDisplayName,
|
|
Mail: ldapAttrMail,
|
|
MemberOf: ldapAttrMemberOf,
|
|
GroupName: ldapAttrCommonName,
|
|
},
|
|
Timeout: time.Second * 5,
|
|
TLS: &TLS{
|
|
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
|
},
|
|
}
|
|
|
|
// DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP represents the default LDAP config for the LDAPImplementationLLDAP Implementation.
|
|
var DefaultLDAPAuthenticationBackendConfigurationImplementationLLDAP = AuthenticationBackendLDAP{
|
|
AdditionalUsersDN: "OU=people",
|
|
AdditionalGroupsDN: "OU=groups",
|
|
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))",
|
|
GroupsFilter: "(&(member={dn})(objectClass=groupOfUniqueNames))",
|
|
GroupSearchMode: ldapGroupSearchModeFilter,
|
|
Attributes: AuthenticationBackendLDAPAttributes{
|
|
Username: ldapAttrUserID,
|
|
DisplayName: ldapAttrCommonName,
|
|
Mail: ldapAttrMail,
|
|
MemberOf: ldapAttrMemberOf,
|
|
GroupName: ldapAttrCommonName,
|
|
},
|
|
Timeout: time.Second * 5,
|
|
TLS: &TLS{
|
|
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
|
},
|
|
}
|
|
|
|
// DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth represents the default LDAP config for the LDAPImplementationGLAuth Implementation.
|
|
var DefaultLDAPAuthenticationBackendConfigurationImplementationGLAuth = AuthenticationBackendLDAP{
|
|
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=posixAccount)(!(accountStatus=inactive)))",
|
|
GroupsFilter: "(&(uniqueMember={dn})(objectClass=posixGroup))",
|
|
GroupSearchMode: ldapGroupSearchModeFilter,
|
|
Attributes: AuthenticationBackendLDAPAttributes{
|
|
Username: ldapAttrCommonName,
|
|
DisplayName: ldapAttrDescription,
|
|
Mail: ldapAttrMail,
|
|
MemberOf: ldapAttrMemberOf,
|
|
GroupName: ldapAttrCommonName,
|
|
},
|
|
Timeout: time.Second * 5,
|
|
TLS: &TLS{
|
|
MinimumVersion: TLSVersion{tls.VersionTLS12},
|
|
},
|
|
}
|