2019-04-25 04:52:08 +07:00
|
|
|
package handlers
|
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
const (
|
|
|
|
// ActionTOTPRegistration is the string representation of the action for which the token has been produced.
|
|
|
|
ActionTOTPRegistration = "RegisterTOTPDevice"
|
2019-04-25 04:52:08 +07:00
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
// ActionU2FRegistration is the string representation of the action for which the token has been produced.
|
|
|
|
ActionU2FRegistration = "RegisterU2FDevice"
|
2019-04-25 04:52:08 +07:00
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
// ActionResetPassword is the string representation of the action for which the token has been produced.
|
|
|
|
ActionResetPassword = "ResetPassword"
|
|
|
|
)
|
2019-04-25 04:52:08 +07:00
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
const (
|
|
|
|
// HeaderProxyAuthorization is the basic-auth HTTP header Authelia utilises.
|
|
|
|
HeaderProxyAuthorization = "Proxy-Authorization"
|
2021-02-24 06:35:04 +07:00
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
// HeaderAuthorization is the basic-auth HTTP header Authelia utilises with "auth=basic" query param.
|
|
|
|
HeaderAuthorization = "Authorization"
|
2020-12-02 06:03:44 +07:00
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
// HeaderSessionUsername is used as additional protection to validate a user for things like pam_exec.
|
|
|
|
HeaderSessionUsername = "Session-Username"
|
2020-12-02 06:03:44 +07:00
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
headerRemoteUser = "Remote-User"
|
|
|
|
headerRemoteName = "Remote-Name"
|
|
|
|
headerRemoteEmail = "Remote-Email"
|
|
|
|
headerRemoteGroups = "Remote-Groups"
|
|
|
|
)
|
2019-04-25 04:52:08 +07:00
|
|
|
|
|
|
|
const (
|
2020-04-21 04:03:38 +07:00
|
|
|
// Forbidden means the user is forbidden the access to a resource.
|
2019-04-25 04:52:08 +07:00
|
|
|
Forbidden authorizationMatching = iota
|
|
|
|
// NotAuthorized means the user can access the resource with more permissions.
|
|
|
|
NotAuthorized authorizationMatching = iota
|
|
|
|
// Authorized means the user is authorized given her current permissions.
|
|
|
|
Authorized authorizationMatching = iota
|
|
|
|
)
|
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
const (
|
|
|
|
messageOperationFailed = "Operation failed."
|
|
|
|
messageAuthenticationFailed = "Authentication failed. Check your credentials."
|
|
|
|
messageUnableToRegisterOneTimePassword = "Unable to set up one-time passwords." //nolint:gosec
|
|
|
|
messageUnableToRegisterSecurityKey = "Unable to register your security key."
|
|
|
|
messageUnableToResetPassword = "Unable to reset your password."
|
|
|
|
messageMFAValidationFailed = "Authentication failed, please retry later."
|
|
|
|
)
|
2020-11-27 16:59:22 +07:00
|
|
|
|
2021-11-29 10:09:14 +07:00
|
|
|
const (
|
|
|
|
logFmtErrParseRequestBody = "Failed to parse %s request body: %+v"
|
|
|
|
logFmtErrWriteResponseBody = "Failed to write %s response body for user '%s': %+v"
|
|
|
|
logFmtErrRegulationFail = "Failed to perform %s authentication regulation for user '%s': %+v"
|
|
|
|
logFmtErrSessionRegenerate = "Could not regenerate session during %s authentication for user '%s': %+v"
|
|
|
|
logFmtErrSessionReset = "Could not reset session during %s authentication for user '%s': %+v"
|
|
|
|
logFmtErrSessionSave = "Could not save session with the %s during %s authentication for user '%s': %+v"
|
|
|
|
logFmtErrObtainProfileDetails = "Could not obtain profile details during %s authentication for user '%s': %+v"
|
|
|
|
logFmtTraceProfileDetails = "Profile details for user '%s' => groups: %s, emails %s"
|
|
|
|
)
|
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
const (
|
|
|
|
testInactivity = "10"
|
|
|
|
testRedirectionURL = "http://redirection.local"
|
|
|
|
testUsername = "john"
|
|
|
|
)
|
2020-05-21 05:03:15 +07:00
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
const (
|
|
|
|
loginDelayMovingAverageWindow = 10
|
|
|
|
loginDelayMinimumDelayMilliseconds = float64(250)
|
|
|
|
loginDelayMaximumRandomDelayMilliseconds = int64(85)
|
|
|
|
)
|
2021-05-05 05:06:05 +07:00
|
|
|
|
2021-12-01 10:32:58 +07:00
|
|
|
// Duo constants.
|
|
|
|
const (
|
|
|
|
allow = "allow"
|
|
|
|
deny = "deny"
|
|
|
|
enroll = "enroll"
|
|
|
|
auth = "auth"
|
|
|
|
)
|
|
|
|
|
2021-05-05 05:06:05 +07:00
|
|
|
// OIDC constants.
|
|
|
|
const (
|
2021-08-10 07:31:08 +07:00
|
|
|
pathOpenIDConnectWellKnown = "/.well-known/openid-configuration"
|
|
|
|
|
2021-07-22 10:52:37 +07:00
|
|
|
pathOpenIDConnectJWKs = "/api/oidc/jwks"
|
|
|
|
pathOpenIDConnectAuthorization = "/api/oidc/authorize"
|
|
|
|
pathOpenIDConnectToken = "/api/oidc/token" //nolint:gosec // This is not a hard coded credential, it's a path.
|
|
|
|
pathOpenIDConnectIntrospection = "/api/oidc/introspect"
|
|
|
|
pathOpenIDConnectRevocation = "/api/oidc/revoke"
|
|
|
|
pathOpenIDConnectUserinfo = "/api/oidc/userinfo"
|
2021-05-05 05:06:05 +07:00
|
|
|
|
|
|
|
// Note: If you change this const you must also do so in the frontend at web/src/services/Api.ts.
|
2021-07-22 10:52:37 +07:00
|
|
|
pathOpenIDConnectConsent = "/api/oidc/consent"
|
2021-05-05 05:06:05 +07:00
|
|
|
)
|
|
|
|
|
2021-11-23 16:45:38 +07:00
|
|
|
const (
|
|
|
|
totpAlgoSHA1 = "SHA1"
|
|
|
|
totpAlgoSHA256 = "SHA256"
|
|
|
|
totpAlgoSHA512 = "SHA512"
|
|
|
|
)
|
|
|
|
|
2021-05-05 05:06:05 +07:00
|
|
|
const (
|
|
|
|
accept = "accept"
|
|
|
|
reject = "reject"
|
|
|
|
)
|
2021-07-22 10:52:37 +07:00
|
|
|
|
|
|
|
const authPrefix = "Basic "
|
|
|
|
|
|
|
|
const ldapPasswordComplexityCode = "0000052D."
|
|
|
|
|
|
|
|
var ldapPasswordComplexityCodes = []string{
|
|
|
|
"0000052D", "SynoNumber", "SynoMixedCase", "SynoExcludeNameDesc", "SynoSpecialChar",
|
|
|
|
}
|
|
|
|
|
|
|
|
var ldapPasswordComplexityErrors = []string{
|
|
|
|
"LDAP Result Code 19 \"Constraint Violation\": Password fails quality checking policy",
|
|
|
|
"LDAP Result Code 19 \"Constraint Violation\": Password is too young to change",
|
|
|
|
}
|