mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
refactor: apply godot recommendations (#2839)
This commit is contained in:
parent
357c654db8
commit
1772a83190
|
@ -46,19 +46,19 @@ var hostEntries = []HostEntry{
|
|||
{Domain: "proxy-client2.example.com", IP: "192.168.240.202"},
|
||||
{Domain: "proxy-client3.example.com", IP: "192.168.240.203"},
|
||||
|
||||
// Redis Replicas
|
||||
// Redis Replicas.
|
||||
{Domain: "redis-node-0.example.com", IP: "192.168.240.110"},
|
||||
{Domain: "redis-node-1.example.com", IP: "192.168.240.111"},
|
||||
{Domain: "redis-node-2.example.com", IP: "192.168.240.112"},
|
||||
|
||||
// Redis Sentinel Replicas
|
||||
// Redis Sentinel Replicas.
|
||||
{Domain: "redis-sentinel-0.example.com", IP: "192.168.240.120"},
|
||||
{Domain: "redis-sentinel-1.example.com", IP: "192.168.240.121"},
|
||||
{Domain: "redis-sentinel-2.example.com", IP: "192.168.240.122"},
|
||||
|
||||
// Kubernetes dashboard.
|
||||
{Domain: "kubernetes.example.com", IP: "192.168.240.110"},
|
||||
// OIDC tester app
|
||||
// OIDC tester app.
|
||||
{Domain: "oidc.example.com", IP: "192.168.240.100"},
|
||||
{Domain: "oidc-public.example.com", IP: "192.168.240.100"},
|
||||
}
|
||||
|
|
|
@ -125,7 +125,7 @@ func setupSuite(cmd *cobra.Command, args []string) {
|
|||
}
|
||||
}
|
||||
|
||||
// Create the .suite file
|
||||
// Create the .suite file.
|
||||
if err := createRunningSuiteFile(suiteName); err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
|
|
@ -53,7 +53,7 @@ func NewFileUserProvider(configuration *schema.FileAuthenticationBackendConfigur
|
|||
panic(err)
|
||||
}
|
||||
|
||||
// Early check whether hashed passwords are correct for all users
|
||||
// Early check whether hashed passwords are correct for all users.
|
||||
err = checkPasswordHashes(database)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
|
|
|
@ -19,7 +19,7 @@ func WithDatabase(content []byte, f func(path string)) {
|
|||
log.Fatal(err)
|
||||
}
|
||||
|
||||
defer os.Remove(tmpfile.Name()) // Clean up
|
||||
defer os.Remove(tmpfile.Name()) // Clean up.
|
||||
|
||||
if _, err := tmpfile.Write(content); err != nil {
|
||||
tmpfile.Close()
|
||||
|
|
|
@ -89,10 +89,10 @@ func TestEscapeSpecialCharsFromUserInput(t *testing.T) {
|
|||
nil,
|
||||
mockFactory)
|
||||
|
||||
// No escape
|
||||
// No escape.
|
||||
assert.Equal(t, "xyz", ldapClient.ldapEscape("xyz"))
|
||||
|
||||
// Escape
|
||||
// Escape.
|
||||
assert.Equal(t, "test\\,abc", ldapClient.ldapEscape("test,abc"))
|
||||
assert.Equal(t, "test\\5cabc", ldapClient.ldapEscape("test\\abc"))
|
||||
assert.Equal(t, "test\\2aabc", ldapClient.ldapEscape("test*abc"))
|
||||
|
|
|
@ -9,7 +9,7 @@ type IdentityProvidersConfiguration struct {
|
|||
|
||||
// OpenIDConnectConfiguration configuration for OpenID Connect.
|
||||
type OpenIDConnectConfiguration struct {
|
||||
// This secret must be 32 bytes long
|
||||
// This secret must be 32 bytes long.
|
||||
HMACSecret string `koanf:"hmac_secret"`
|
||||
IssuerPrivateKey string `koanf:"issuer_private_key"`
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ func validateFileAuthenticationBackend(configuration *schema.FileAuthenticationB
|
|||
if configuration.Password == nil {
|
||||
configuration.Password = &schema.DefaultPasswordConfiguration
|
||||
} else {
|
||||
// Salt Length
|
||||
// Salt Length.
|
||||
switch {
|
||||
case configuration.Password.SaltLength == 0:
|
||||
configuration.Password.SaltLength = schema.DefaultPasswordConfiguration.SaltLength
|
||||
|
@ -72,32 +72,32 @@ func validateFileAuthenticationBackend(configuration *schema.FileAuthenticationB
|
|||
}
|
||||
|
||||
func validateFileAuthenticationBackendSHA512(configuration *schema.FileAuthenticationBackendConfiguration) {
|
||||
// Iterations (time)
|
||||
// Iterations (time).
|
||||
if configuration.Password.Iterations == 0 {
|
||||
configuration.Password.Iterations = schema.DefaultPasswordSHA512Configuration.Iterations
|
||||
}
|
||||
}
|
||||
func validateFileAuthenticationBackendArgon2id(configuration *schema.FileAuthenticationBackendConfiguration, validator *schema.StructValidator) {
|
||||
// Iterations (time)
|
||||
// Iterations (time).
|
||||
if configuration.Password.Iterations == 0 {
|
||||
configuration.Password.Iterations = schema.DefaultPasswordConfiguration.Iterations
|
||||
}
|
||||
|
||||
// Parallelism
|
||||
// Parallelism.
|
||||
if configuration.Password.Parallelism == 0 {
|
||||
configuration.Password.Parallelism = schema.DefaultPasswordConfiguration.Parallelism
|
||||
} else if configuration.Password.Parallelism < 1 {
|
||||
validator.Push(fmt.Errorf("Parallelism for argon2id must be 1 or more, you configured %d", configuration.Password.Parallelism))
|
||||
}
|
||||
|
||||
// Memory
|
||||
// Memory.
|
||||
if configuration.Password.Memory == 0 {
|
||||
configuration.Password.Memory = schema.DefaultPasswordConfiguration.Memory
|
||||
} else if configuration.Password.Memory < configuration.Password.Parallelism*8 {
|
||||
validator.Push(fmt.Errorf("Memory for argon2id must be %d or more (parallelism * 8), you configured memory as %d and parallelism as %d", configuration.Password.Parallelism*8, configuration.Password.Memory, configuration.Password.Parallelism))
|
||||
}
|
||||
|
||||
// Key Length
|
||||
// Key Length.
|
||||
if configuration.Password.KeyLength == 0 {
|
||||
configuration.Password.KeyLength = schema.DefaultPasswordConfiguration.KeyLength
|
||||
} else if configuration.Password.KeyLength < 16 {
|
||||
|
@ -185,12 +185,12 @@ func validateLDAPURL(ldapURL string, validator *schema.StructValidator) (finalUR
|
|||
}
|
||||
|
||||
func validateLDAPRequiredParameters(configuration *schema.LDAPAuthenticationBackendConfiguration, validator *schema.StructValidator) {
|
||||
// TODO: see if it's possible to disable this check if disable_reset_password is set and when anonymous/user binding is supported (#101 and #387)
|
||||
// TODO: see if it's possible to disable this check if disable_reset_password is set and when anonymous/user binding is supported (#101 and #387).
|
||||
if configuration.User == "" {
|
||||
validator.Push(errors.New("Please provide a user name to connect to the LDAP server"))
|
||||
}
|
||||
|
||||
// TODO: see if it's possible to disable this check if disable_reset_password is set and when anonymous/user binding is supported (#101 and #387)
|
||||
// TODO: see if it's possible to disable this check if disable_reset_password is set and when anonymous/user binding is supported (#101 and #387).
|
||||
if configuration.Password == "" {
|
||||
validator.Push(errors.New("Please provide a password to connect to the LDAP server"))
|
||||
}
|
||||
|
|
|
@ -10,11 +10,11 @@ import (
|
|||
// ValidateRegulation validates and update regulator configuration.
|
||||
func ValidateRegulation(configuration *schema.RegulationConfiguration, validator *schema.StructValidator) {
|
||||
if configuration.FindTime == "" {
|
||||
configuration.FindTime = schema.DefaultRegulationConfiguration.FindTime // 2 min
|
||||
configuration.FindTime = schema.DefaultRegulationConfiguration.FindTime // 2 min.
|
||||
}
|
||||
|
||||
if configuration.BanTime == "" {
|
||||
configuration.BanTime = schema.DefaultRegulationConfiguration.BanTime // 5 min
|
||||
configuration.BanTime = schema.DefaultRegulationConfiguration.BanTime // 5 min.
|
||||
}
|
||||
|
||||
findTime, err := utils.ParseDurationString(configuration.FindTime)
|
||||
|
|
|
@ -32,19 +32,19 @@ func ValidateSession(configuration *schema.SessionConfiguration, validator *sche
|
|||
|
||||
func validateSession(configuration *schema.SessionConfiguration, validator *schema.StructValidator) {
|
||||
if configuration.Expiration == "" {
|
||||
configuration.Expiration = schema.DefaultSessionConfiguration.Expiration // 1 hour
|
||||
configuration.Expiration = schema.DefaultSessionConfiguration.Expiration // 1 hour.
|
||||
} else if _, err := utils.ParseDurationString(configuration.Expiration); err != nil {
|
||||
validator.Push(fmt.Errorf("Error occurred parsing session expiration string: %s", err))
|
||||
}
|
||||
|
||||
if configuration.Inactivity == "" {
|
||||
configuration.Inactivity = schema.DefaultSessionConfiguration.Inactivity // 5 min
|
||||
configuration.Inactivity = schema.DefaultSessionConfiguration.Inactivity // 5 min.
|
||||
} else if _, err := utils.ParseDurationString(configuration.Inactivity); err != nil {
|
||||
validator.Push(fmt.Errorf("Error occurred parsing session inactivity string: %s", err))
|
||||
}
|
||||
|
||||
if configuration.RememberMeDuration == "" {
|
||||
configuration.RememberMeDuration = schema.DefaultSessionConfiguration.RememberMeDuration // 1 month
|
||||
configuration.RememberMeDuration = schema.DefaultSessionConfiguration.RememberMeDuration // 1 month.
|
||||
} else if _, err := utils.ParseDurationString(configuration.RememberMeDuration); err != nil {
|
||||
validator.Push(fmt.Errorf("Error occurred parsing session remember_me_duration string: %s", err))
|
||||
}
|
||||
|
|
|
@ -13,4 +13,4 @@ const (
|
|||
)
|
||||
|
||||
// PossibleMethods is the set of all possible Duo 2FA methods.
|
||||
var PossibleMethods = []string{Push} // OTP, Phone, SMS
|
||||
var PossibleMethods = []string{Push} // OTP, Phone, SMS.
|
||||
|
|
|
@ -91,10 +91,10 @@ func FirstFactorPost(delayFunc middlewares.TimingAttackDelayFunc) middlewares.Re
|
|||
return
|
||||
}
|
||||
|
||||
// Check if bodyJSON.KeepMeLoggedIn can be deref'd and derive the value based on the configuration and JSON data
|
||||
// Check if bodyJSON.KeepMeLoggedIn can be deref'd and derive the value based on the configuration and JSON data.
|
||||
keepMeLoggedIn := ctx.Providers.SessionProvider.RememberMe != 0 && bodyJSON.KeepMeLoggedIn != nil && *bodyJSON.KeepMeLoggedIn
|
||||
|
||||
// Set the cookie to expire if remember me is enabled and the user has asked us to
|
||||
// Set the cookie to expire if remember me is enabled and the user has asked us to.
|
||||
if keepMeLoggedIn {
|
||||
err = ctx.Providers.SessionProvider.UpdateExpiration(ctx.RequestCtx, ctx.Providers.SessionProvider.RememberMe)
|
||||
if err != nil {
|
||||
|
|
|
@ -33,13 +33,13 @@ func (s *FirstFactorSuite) TearDownTest() {
|
|||
func (s *FirstFactorSuite) TestShouldFailIfBodyIsNil() {
|
||||
FirstFactorPost(nil)(s.mock.Ctx)
|
||||
|
||||
// No body
|
||||
// No body.
|
||||
assert.Equal(s.T(), "Failed to parse 1FA request body: unable to parse body: unexpected end of JSON input", s.mock.Hook.LastEntry().Message)
|
||||
s.mock.Assert401KO(s.T(), "Authentication failed. Check your credentials.")
|
||||
}
|
||||
|
||||
func (s *FirstFactorSuite) TestShouldFailIfBodyIsInBadFormat() {
|
||||
// Missing password
|
||||
// Missing password.
|
||||
s.mock.Ctx.Request.SetBodyString(`{
|
||||
"username": "test"
|
||||
}`)
|
||||
|
|
|
@ -65,7 +65,7 @@ func SecondFactorU2FSignGet(ctx *middlewares.AutheliaCtx) {
|
|||
},
|
||||
}
|
||||
|
||||
// Save the challenge and registration for use in next request
|
||||
// Save the challenge and registration for use in next request.
|
||||
userSession.U2FRegistration = &session.U2FRegistration{
|
||||
KeyHandle: device.KeyHandle,
|
||||
PublicKey: device.PublicKey,
|
||||
|
|
|
@ -73,7 +73,7 @@ func isTargetURLAuthorized(authorizer *authorization.Authorizer, targetURL url.U
|
|||
// deduce the access is forbidden
|
||||
// For anonymous users though, we cannot be sure that she
|
||||
// could not be granted the rights to access the resource. Consequently
|
||||
// for anonymous users we send Unauthorized instead of Forbidden
|
||||
// for anonymous users we send Unauthorized instead of Forbidden.
|
||||
return Forbidden
|
||||
case level == authorization.OneFactor && authLevel >= authentication.OneFactor,
|
||||
level == authorization.TwoFactor && authLevel >= authentication.TwoFactor:
|
||||
|
@ -100,7 +100,7 @@ func verifyBasicAuth(ctx *middlewares.AutheliaCtx, header, auth []byte) (usernam
|
|||
|
||||
// If the user is not correctly authenticated, send a 401.
|
||||
if !authenticated {
|
||||
// Request Basic Authentication otherwise
|
||||
// Request Basic Authentication otherwise.
|
||||
return "", "", nil, nil, authentication.NotAuthenticated, fmt.Errorf("user %s is not authenticated", username)
|
||||
}
|
||||
|
||||
|
@ -391,7 +391,7 @@ func getProfileRefreshSettings(cfg schema.AuthenticationBackendConfiguration) (r
|
|||
refresh = true
|
||||
|
||||
if cfg.RefreshInterval != schema.ProfileRefreshAlways {
|
||||
// Skip Error Check since validator checks it
|
||||
// Skip Error Check since validator checks it.
|
||||
refreshInterval, _ = utils.ParseDurationString(cfg.RefreshInterval)
|
||||
} else {
|
||||
refreshInterval = schema.RefreshIntervalAlways
|
||||
|
|
|
@ -1023,7 +1023,7 @@ func TestShouldDestroySessionWhenUserNotExist(t *testing.T) {
|
|||
userSession = mock.Ctx.GetSession()
|
||||
assert.Equal(t, clock.Now().Add(5*time.Minute).Unix(), userSession.RefreshTTL.Unix())
|
||||
|
||||
// Simulate a Deleted User
|
||||
// Simulate a Deleted User.
|
||||
userSession.RefreshTTL = clock.Now().Add(-1 * time.Minute)
|
||||
err = mock.Ctx.SaveSession(userSession)
|
||||
|
||||
|
|
|
@ -151,7 +151,7 @@ func IdentityVerificationFinish(args IdentityVerificationFinishArgs, next func(c
|
|||
ctx.Error(fmt.Errorf("Cannot parse token"), messageOperationFailed)
|
||||
return
|
||||
case ve.Errors&(jwt.ValidationErrorExpired|jwt.ValidationErrorNotValidYet) != 0:
|
||||
// Token is either expired or not active yet
|
||||
// Token is either expired or not active yet.
|
||||
ctx.Error(fmt.Errorf("Token expired"), messageIdentityVerificationTokenHasExpired)
|
||||
return
|
||||
default:
|
||||
|
|
|
@ -117,7 +117,7 @@ func NewMockAutheliaCtx(t *testing.T) *MockAutheliaCtx {
|
|||
|
||||
request := &fasthttp.RequestCtx{}
|
||||
// Set a cookie to identify this client throughout the test.
|
||||
// request.Request.Header.SetCookie("authelia_session", "client_cookie")
|
||||
// request.Request.Header.SetCookie("authelia_session", "client_cookie").
|
||||
|
||||
autheliaCtx, _ := middlewares.NewAutheliaCtx(request, configuration, providers)
|
||||
mockAuthelia.Ctx = autheliaCtx
|
||||
|
|
|
@ -38,7 +38,7 @@ func NewSMTPNotifier(configuration *schema.SMTPNotifierConfiguration, certPool *
|
|||
|
||||
// Do startTLS if available (some servers only provide the auth extension after, and encryption is preferred).
|
||||
func (n *SMTPNotifier) startTLS() error {
|
||||
// Only start if not already encrypted
|
||||
// Only start if not already encrypted.
|
||||
if _, ok := n.client.TLSConnectionState(); ok {
|
||||
n.log.Debugf("Notifier SMTP connection is already encrypted, skipping STARTTLS")
|
||||
return nil
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
package ntp
|
||||
|
||||
const (
|
||||
ntpClientModeValue uint8 = 3 // 00000011
|
||||
ntpLeapEnabledValue uint8 = 64 // 01000000
|
||||
ntpVersion3Value uint8 = 24 // 00011000
|
||||
ntpVersion4Value uint8 = 40 // 00101000
|
||||
ntpClientModeValue uint8 = 3 // 00000011.
|
||||
ntpLeapEnabledValue uint8 = 64 // 01000000.
|
||||
ntpVersion3Value uint8 = 24 // 00011000.
|
||||
ntpVersion4Value uint8 = 40 // 00101000.
|
||||
)
|
||||
|
||||
const ntpEpochOffset = 2208988800
|
||||
|
|
|
@ -72,7 +72,7 @@ func NewOpenIDConnectProvider(configuration *schema.OpenIDConnectConfiguration)
|
|||
compose.OAuth2ClientCredentialsGrantFactory,
|
||||
compose.OAuth2RefreshTokenGrantFactory,
|
||||
compose.OAuth2ResourceOwnerPasswordCredentialsFactory,
|
||||
// compose.RFC7523AssertionGrantFactory,
|
||||
// compose.RFC7523AssertionGrantFactory,.
|
||||
|
||||
compose.OpenIDConnectExplicitFactory,
|
||||
compose.OpenIDConnectImplicitFactory,
|
||||
|
@ -82,7 +82,7 @@ func NewOpenIDConnectProvider(configuration *schema.OpenIDConnectConfiguration)
|
|||
compose.OAuth2TokenIntrospectionFactory,
|
||||
compose.OAuth2TokenRevocationFactory,
|
||||
|
||||
// compose.OAuth2PKCEFactory,
|
||||
// compose.OAuth2PKCEFactory,.
|
||||
)
|
||||
|
||||
provider.herodot = herodot.NewJSONWriter(nil)
|
||||
|
|
|
@ -282,7 +282,7 @@ func (s *RegulatorSuite) TestShouldHaveRegulatorDisabled() {
|
|||
LoadAuthenticationLogs(s.ctx, gomock.Eq("john"), gomock.Any(), gomock.Eq(10), gomock.Eq(0)).
|
||||
Return(attemptsInDB, nil)
|
||||
|
||||
// Check Disabled Functionality
|
||||
// Check Disabled Functionality.
|
||||
configuration := schema.RegulationConfiguration{
|
||||
MaxRetries: 0,
|
||||
FindTime: "180",
|
||||
|
@ -293,7 +293,7 @@ func (s *RegulatorSuite) TestShouldHaveRegulatorDisabled() {
|
|||
_, err := regulator.Regulate(s.ctx, "john")
|
||||
assert.NoError(s.T(), err)
|
||||
|
||||
// Check Enabled Functionality
|
||||
// Check Enabled Functionality.
|
||||
configuration = schema.RegulationConfiguration{
|
||||
MaxRetries: 1,
|
||||
FindTime: "180",
|
||||
|
|
|
@ -11,7 +11,7 @@ import (
|
|||
type Regulator struct {
|
||||
// Is the regulation enabled.
|
||||
enabled bool
|
||||
// The number of failed authentication attempt before banning the user
|
||||
// The number of failed authentication attempt before banning the user.
|
||||
maxRetries int
|
||||
// If a user does the max number of retries within that duration, she will be banned.
|
||||
findTime time.Duration
|
||||
|
|
|
@ -59,7 +59,7 @@ func TestShouldCreateRedisSessionProviderTLS(t *testing.T) {
|
|||
pConfig := providerConfig.redisConfig
|
||||
assert.Equal(t, "redis.example.com:6379", pConfig.Addr)
|
||||
assert.Equal(t, "pass", pConfig.Password)
|
||||
// DbNumber is the fasthttp/session property for the Redis DB Index
|
||||
// DbNumber is the fasthttp/session property for the Redis DB Index.
|
||||
assert.Equal(t, 0, pConfig.DB)
|
||||
assert.Equal(t, 0, pConfig.PoolSize)
|
||||
assert.Equal(t, 0, pConfig.MinIdleConns)
|
||||
|
@ -94,7 +94,7 @@ func TestShouldCreateRedisSessionProvider(t *testing.T) {
|
|||
pConfig := providerConfig.redisConfig
|
||||
assert.Equal(t, "redis.example.com:6379", pConfig.Addr)
|
||||
assert.Equal(t, "pass", pConfig.Password)
|
||||
// DbNumber is the fasthttp/session property for the Redis DB Index
|
||||
// DbNumber is the fasthttp/session property for the Redis DB Index.
|
||||
assert.Equal(t, 0, pConfig.DB)
|
||||
assert.Equal(t, 0, pConfig.PoolSize)
|
||||
assert.Equal(t, 0, pConfig.MinIdleConns)
|
||||
|
@ -180,7 +180,7 @@ func TestShouldCreateRedisSentinelSessionProvider(t *testing.T) {
|
|||
assert.Equal(t, 8, pConfig.PoolSize)
|
||||
assert.Equal(t, 2, pConfig.MinIdleConns)
|
||||
|
||||
// DbNumber is the fasthttp/session property for the Redis DB Index
|
||||
// DbNumber is the fasthttp/session property for the Redis DB Index.
|
||||
assert.Equal(t, 0, pConfig.DB)
|
||||
assert.Nil(t, pConfig.TLSConfig)
|
||||
}
|
||||
|
@ -233,7 +233,7 @@ func TestShouldCreateRedisSessionProviderWithUnixSocket(t *testing.T) {
|
|||
pConfig := providerConfig.redisConfig
|
||||
assert.Equal(t, "/var/run/redis/redis.sock", pConfig.Addr)
|
||||
assert.Equal(t, "pass", pConfig.Password)
|
||||
// DbNumber is the fasthttp/session property for the Redis DB Index
|
||||
// DbNumber is the fasthttp/session property for the Redis DB Index.
|
||||
assert.Equal(t, 0, pConfig.DB)
|
||||
assert.Nil(t, pConfig.TLSConfig)
|
||||
}
|
||||
|
@ -256,7 +256,7 @@ func TestShouldSetDbNumber(t *testing.T) {
|
|||
|
||||
assert.Equal(t, "redis", providerConfig.providerName)
|
||||
pConfig := providerConfig.redisConfig
|
||||
// DbNumber is the fasthttp/session property for the Redis DB Index
|
||||
// DbNumber is the fasthttp/session property for the Redis DB Index.
|
||||
assert.Equal(t, 5, pConfig.DB)
|
||||
}
|
||||
|
||||
|
@ -277,7 +277,7 @@ func TestShouldUseEncryptingSerializerWithRedis(t *testing.T) {
|
|||
encoded, err := providerConfig.config.EncodeFunc(payload)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Now we try to decrypt what has been serialized
|
||||
// Now we try to decrypt what has been serialized.
|
||||
key := sha256.Sum256([]byte("abc"))
|
||||
decrypted, err := utils.Decrypt(encoded, &key)
|
||||
require.NoError(t, err)
|
||||
|
|
|
@ -111,7 +111,7 @@ type SQLProvider struct {
|
|||
sqlUpdateU2FDevicePublicKey string
|
||||
sqlUpdateU2FDevicePublicKeyByUsername string
|
||||
|
||||
// Table: duo_devices
|
||||
// Table: duo_devices.
|
||||
sqlUpsertDuoDevice string
|
||||
sqlDeleteDuoDevice string
|
||||
sqlSelectDuoDevice string
|
||||
|
|
|
@ -39,7 +39,7 @@ func (rs *RodSession) doLoginTwoFactor(t *testing.T, page *rod.Page, username, p
|
|||
rs.doLoginOneFactor(t, page, username, password, keepMeLoggedIn, targetURL)
|
||||
rs.verifyIsSecondFactorPage(t, page)
|
||||
rs.doValidateTOTP(t, page, otpSecret)
|
||||
// timeout when targetURL is not defined to prevent a show stopping redirect when visiting a protected domain
|
||||
// timeout when targetURL is not defined to prevent a show stopping redirect when visiting a protected domain.
|
||||
if targetURL == "" {
|
||||
time.Sleep(1 * time.Second)
|
||||
}
|
||||
|
|
|
@ -11,10 +11,10 @@ import (
|
|||
func (rs *RodSession) doInitiatePasswordReset(t *testing.T, page *rod.Page, username string) {
|
||||
err := rs.WaitElementLocatedByCSSSelector(t, page, "reset-password-button").Click("left")
|
||||
require.NoError(t, err)
|
||||
// Fill in username
|
||||
// Fill in username.
|
||||
err = rs.WaitElementLocatedByCSSSelector(t, page, "username-textfield").Input(username)
|
||||
require.NoError(t, err)
|
||||
// And click on the reset button
|
||||
// And click on the reset button.
|
||||
err = rs.WaitElementLocatedByCSSSelector(t, page, "reset-button").Click("left")
|
||||
require.NoError(t, err)
|
||||
}
|
||||
|
@ -49,7 +49,7 @@ func (rs *RodSession) doUnsuccessfulPasswordReset(t *testing.T, page *rod.Page,
|
|||
|
||||
func (rs *RodSession) doResetPassword(t *testing.T, page *rod.Page, username, newPassword1, newPassword2 string, unsuccessful bool) {
|
||||
rs.doInitiatePasswordReset(t, page, username)
|
||||
// then wait for the "email sent notification"
|
||||
// then wait for the "email sent notification".
|
||||
rs.verifyMailNotificationDisplayed(t, page)
|
||||
|
||||
if unsuccessful {
|
||||
|
|
|
@ -84,7 +84,7 @@ func (s *OIDCScenario) TestShouldAuthorizeAccessToOIDCApp() {
|
|||
|
||||
s.waitBodyContains(s.T(), s.Context(ctx), "Not logged yet...")
|
||||
|
||||
// Search for the 'login' link
|
||||
// Search for the 'login' link.
|
||||
err := s.Page.MustSearch("Log in").Click("left")
|
||||
assert.NoError(s.T(), err)
|
||||
|
||||
|
@ -92,7 +92,7 @@ func (s *OIDCScenario) TestShouldAuthorizeAccessToOIDCApp() {
|
|||
err = s.WaitElementLocatedByCSSSelector(s.T(), s.Context(ctx), "accept-button").Click("left")
|
||||
assert.NoError(s.T(), err)
|
||||
|
||||
// Verify that the app is showing the info related to the user stored in the JWT token
|
||||
// Verify that the app is showing the info related to the user stored in the JWT token.
|
||||
s.waitBodyContains(s.T(), s.Context(ctx), "Logged in as john!")
|
||||
}
|
||||
|
||||
|
@ -111,7 +111,7 @@ func (s *OIDCScenario) TestShouldDenyConsent() {
|
|||
|
||||
s.waitBodyContains(s.T(), s.Context(ctx), "Not logged yet...")
|
||||
|
||||
// Search for the 'login' link
|
||||
// Search for the 'login' link.
|
||||
err := s.Page.MustSearch("Log in").Click("left")
|
||||
assert.NoError(s.T(), err)
|
||||
|
||||
|
|
|
@ -55,7 +55,7 @@ func (s *PasswordComplexityScenario) TestShouldRejectPasswordReset() {
|
|||
s.doVisit(s.T(), s.Context(ctx), GetLoginBaseURL())
|
||||
s.verifyIsFirstFactorPage(s.T(), s.Context(ctx))
|
||||
|
||||
// Attempt to reset the password to a
|
||||
// Attempt to reset the password to a.
|
||||
s.doResetPassword(s.T(), s.Context(ctx), "john", "a", "a", true)
|
||||
s.verifyNotificationDisplayed(s.T(), s.Context(ctx), "Your supplied password does not meet the password policy requirements.")
|
||||
}
|
||||
|
|
|
@ -48,13 +48,13 @@ func (s *RedirectionCheckScenario) TearDownTest() {
|
|||
}
|
||||
|
||||
var redirectionAuthorizations = map[string]bool{
|
||||
// external website
|
||||
// external website.
|
||||
"https://www.google.fr": false,
|
||||
// Not the right domain
|
||||
// Not the right domain.
|
||||
"https://public.example.com.a:8080/secret.html": false,
|
||||
// Not https
|
||||
// Not https.
|
||||
"http://secure.example.com:8080/secret.html": false,
|
||||
// Domain handled by Authelia
|
||||
// Domain handled by Authelia.
|
||||
"https://secure.example.com:8080/secret.html": true,
|
||||
}
|
||||
|
||||
|
@ -83,13 +83,13 @@ func (s *RedirectionCheckScenario) TestShouldRedirectOnLoginOnlyWhenDomainIsSafe
|
|||
}
|
||||
|
||||
var logoutRedirectionURLs = map[string]bool{
|
||||
// external website
|
||||
// external website.
|
||||
"https://www.google.fr": false,
|
||||
// Not the right domain
|
||||
// Not the right domain.
|
||||
"https://public.example-not-right.com:8080/index.html": false,
|
||||
// Not https
|
||||
// Not https.
|
||||
"http://public.example.com:8080/index.html": false,
|
||||
// Domain handled by Authelia
|
||||
// Domain handled by Authelia.
|
||||
"https://public.example.com:8080/index.html": true,
|
||||
}
|
||||
|
||||
|
|
|
@ -66,7 +66,7 @@ func (s *RegulationScenario) TestShouldBanUserAfterTooManyAttempt() {
|
|||
require.NoError(s.T(), err)
|
||||
}
|
||||
|
||||
// Enter the correct password and test the regulation lock out
|
||||
// Enter the correct password and test the regulation lock out.
|
||||
err := s.WaitElementLocatedByCSSSelector(s.T(), s.Context(ctx), "password-textfield").Input("password")
|
||||
require.NoError(s.T(), err)
|
||||
err = s.WaitElementLocatedByCSSSelector(s.T(), s.Context(ctx), "sign-in-button").Click("left")
|
||||
|
@ -76,7 +76,7 @@ func (s *RegulationScenario) TestShouldBanUserAfterTooManyAttempt() {
|
|||
s.verifyIsFirstFactorPage(s.T(), s.Context(ctx))
|
||||
time.Sleep(10 * time.Second)
|
||||
|
||||
// Enter the correct password and test a successful login
|
||||
// Enter the correct password and test a successful login.
|
||||
err = s.WaitElementLocatedByCSSSelector(s.T(), s.Context(ctx), "password-textfield").Input("password")
|
||||
require.NoError(s.T(), err)
|
||||
err = s.WaitElementLocatedByCSSSelector(s.T(), s.Context(ctx), "sign-in-button").Click("left")
|
||||
|
|
|
@ -55,20 +55,20 @@ func (s *ResetPasswordScenario) TestShouldResetPassword() {
|
|||
s.doVisit(s.T(), s.Context(ctx), GetLoginBaseURL())
|
||||
s.verifyIsFirstFactorPage(s.T(), s.Context(ctx))
|
||||
|
||||
// Reset the password to abc
|
||||
// Reset the password to abc.
|
||||
s.doResetPassword(s.T(), s.Context(ctx), "john", "abc", "abc", false)
|
||||
|
||||
// Try to login with the old password
|
||||
// Try to login with the old password.
|
||||
s.doLoginOneFactor(s.T(), s.Context(ctx), "john", "password", false, "")
|
||||
s.verifyNotificationDisplayed(s.T(), s.Context(ctx), "Incorrect username or password.")
|
||||
|
||||
// Try to login with the new password
|
||||
// Try to login with the new password.
|
||||
s.doLoginOneFactor(s.T(), s.Context(ctx), "john", "abc", false, "")
|
||||
|
||||
// Logout
|
||||
// Logout.
|
||||
s.doLogout(s.T(), s.Context(ctx))
|
||||
|
||||
// Reset the original password
|
||||
// Reset the original password.
|
||||
s.doResetPassword(s.T(), s.Context(ctx), "john", "password", "password", false)
|
||||
}
|
||||
|
||||
|
@ -85,7 +85,7 @@ func (s *ResetPasswordScenario) TestShouldMakeAttackerThinkPasswordResetIsInitia
|
|||
// Try to initiate a password reset of an nonexistent user.
|
||||
s.doInitiatePasswordReset(s.T(), s.Context(ctx), "i_dont_exist")
|
||||
|
||||
// Check that the notification make the attacker thinks the process is initiated
|
||||
// Check that the notification make the attacker thinks the process is initiated.
|
||||
s.verifyMailNotificationDisplayed(s.T(), s.Context(ctx))
|
||||
}
|
||||
|
||||
|
|
|
@ -58,18 +58,18 @@ func (s *TwoFactorSuite) TestShouldAuthorizeSecretAfterTwoFactor() {
|
|||
username := testUsername
|
||||
password := testPassword
|
||||
|
||||
// Login and register TOTP, logout and login again with 1FA & 2FA
|
||||
// Login and register TOTP, logout and login again with 1FA & 2FA.
|
||||
targetURL := fmt.Sprintf("%s/secret.html", AdminBaseURL)
|
||||
_ = s.doRegisterAndLogin2FA(s.T(), s.Context(ctx), username, password, false, targetURL)
|
||||
|
||||
// And check if the user is redirected to the secret.
|
||||
s.verifySecretAuthorized(s.T(), s.Context(ctx))
|
||||
|
||||
// Leave the secret
|
||||
// Leave the secret.
|
||||
s.doVisit(s.T(), s.Context(ctx), HomeBaseURL)
|
||||
s.verifyIsHome(s.T(), s.Context(ctx))
|
||||
|
||||
// And try to reload it again to check the session is kept
|
||||
// And try to reload it again to check the session is kept.
|
||||
s.doVisit(s.T(), s.Context(ctx), targetURL)
|
||||
s.verifySecretAuthorized(s.T(), s.Context(ctx))
|
||||
}
|
||||
|
|
|
@ -54,11 +54,11 @@ func (s *UserPreferencesScenario) TestShouldRememberLastUsed2FAMethod() {
|
|||
s.collectScreenshot(ctx.Err(), s.Page)
|
||||
}()
|
||||
|
||||
// Authenticate
|
||||
// Authenticate.
|
||||
s.doLoginOneFactor(s.T(), s.Context(ctx), "john", "password", false, "")
|
||||
s.verifyIsSecondFactorPage(s.T(), s.Context(ctx))
|
||||
|
||||
// Then switch to push notification method
|
||||
// Then switch to push notification method.
|
||||
s.doChangeMethod(s.T(), s.Context(ctx), "push-notification")
|
||||
s.WaitElementLocatedByCSSSelector(s.T(), s.Context(ctx), "push-notification-method")
|
||||
|
||||
|
@ -71,7 +71,7 @@ func (s *UserPreferencesScenario) TestShouldRememberLastUsed2FAMethod() {
|
|||
s.verifyIsSecondFactorPage(s.T(), s.Context(ctx))
|
||||
// And check the latest method is still used.
|
||||
s.WaitElementLocatedByCSSSelector(s.T(), s.Context(ctx), "push-notification-method")
|
||||
// Meaning the authentication is successful
|
||||
// Meaning the authentication is successful.
|
||||
s.verifyIsHome(s.T(), s.Context(ctx))
|
||||
|
||||
// Logout the user and see what user 'harry' sees.
|
||||
|
@ -83,7 +83,7 @@ func (s *UserPreferencesScenario) TestShouldRememberLastUsed2FAMethod() {
|
|||
s.doLogout(s.T(), s.Context(ctx))
|
||||
s.verifyIsFirstFactorPage(s.T(), s.Context(ctx))
|
||||
|
||||
// Then log back as previous user and verify the push notification is still the default method
|
||||
// Then log back as previous user and verify the push notification is still the default method.
|
||||
s.doLoginOneFactor(s.T(), s.Context(ctx), "john", "password", false, "")
|
||||
s.verifyIsSecondFactorPage(s.T(), s.Context(ctx))
|
||||
s.WaitElementLocatedByCSSSelector(s.T(), s.Context(ctx), "push-notification-method")
|
||||
|
@ -92,7 +92,7 @@ func (s *UserPreferencesScenario) TestShouldRememberLastUsed2FAMethod() {
|
|||
s.doLogout(s.T(), s.Context(ctx))
|
||||
s.doLoginOneFactor(s.T(), s.Context(ctx), "john", "password", false, "")
|
||||
|
||||
// Eventually restore the default method
|
||||
// Eventually restore the default method.
|
||||
s.doChangeMethod(s.T(), s.Context(ctx), "one-time-password")
|
||||
s.WaitElementLocatedByCSSSelector(s.T(), s.Context(ctx), "one-time-password-method")
|
||||
}
|
||||
|
|
|
@ -132,18 +132,18 @@ func (s *DuoPushWebDriverSuite) TestShouldAutoSelectDevice() {
|
|||
ConfigureDuoPreAuth(s.T(), PreAuthAPIResponse)
|
||||
ConfigureDuo(s.T(), Allow)
|
||||
|
||||
// Authenticate
|
||||
// Authenticate.
|
||||
s.doLoginOneFactor(s.T(), s.Context(ctx), "john", "password", false, "")
|
||||
// Switch Method where single Device should be selected automatically.
|
||||
s.doChangeMethod(s.T(), s.Context(ctx), "push-notification")
|
||||
s.verifyIsHome(s.T(), s.Context(ctx))
|
||||
|
||||
// Re-Login the user
|
||||
// Re-Login the user.
|
||||
s.doLogout(s.T(), s.Context(ctx))
|
||||
s.doLoginOneFactor(s.T(), s.Context(ctx), "john", "password", false, "")
|
||||
// And check the latest method and device is still used.
|
||||
s.WaitElementLocatedByCSSSelector(s.T(), s.Context(ctx), "push-notification-method")
|
||||
// Meaning the authentication is successful
|
||||
// Meaning the authentication is successful.
|
||||
s.verifyIsHome(s.T(), s.Context(ctx))
|
||||
}
|
||||
|
||||
|
@ -171,7 +171,7 @@ func (s *DuoPushWebDriverSuite) TestShouldSelectDevice() {
|
|||
ConfigureDuoPreAuth(s.T(), PreAuthAPIResponse)
|
||||
ConfigureDuo(s.T(), Allow)
|
||||
|
||||
// Authenticate
|
||||
// Authenticate.
|
||||
s.doLoginOneFactor(s.T(), s.Context(ctx), "john", "password", false, "")
|
||||
// Switch Method where Device Selection should open automatically.
|
||||
s.doChangeMethod(s.T(), s.Context(ctx), "push-notification")
|
||||
|
@ -183,12 +183,12 @@ func (s *DuoPushWebDriverSuite) TestShouldSelectDevice() {
|
|||
s.doChangeDevice(s.T(), s.Context(ctx), "1234567890ABCDEFGHIJ")
|
||||
s.verifyIsHome(s.T(), s.Context(ctx))
|
||||
|
||||
// Re-Login the user
|
||||
// Re-Login the user.
|
||||
s.doLogout(s.T(), s.Context(ctx))
|
||||
s.doLoginOneFactor(s.T(), s.Context(ctx), "john", "password", false, "")
|
||||
// And check the latest method and device is still used.
|
||||
s.WaitElementLocatedByCSSSelector(s.T(), s.Context(ctx), "push-notification-method")
|
||||
// Meaning the authentication is successful
|
||||
// Meaning the authentication is successful.
|
||||
s.verifyIsHome(s.T(), s.Context(ctx))
|
||||
}
|
||||
|
||||
|
|
|
@ -87,7 +87,7 @@ func (s *HighAvailabilityWebDriverSuite) TestShouldKeepUserSessionActiveWithPrim
|
|||
s.doVisit(s.T(), s.Context(ctx), HomeBaseURL)
|
||||
s.verifyIsHome(s.T(), s.Context(ctx))
|
||||
|
||||
// Verify the user is still authenticated
|
||||
// Verify the user is still authenticated.
|
||||
s.doVisit(s.T(), s.Context(ctx), GetLoginBaseURL())
|
||||
s.verifyIsSecondFactorPage(s.T(), s.Context(ctx))
|
||||
|
||||
|
@ -130,7 +130,7 @@ func (s *HighAvailabilityWebDriverSuite) TestShouldKeepUserSessionActiveWithPrim
|
|||
s.doVisit(s.T(), s.Context(ctx), HomeBaseURL)
|
||||
s.verifyIsHome(s.T(), s.Context(ctx))
|
||||
|
||||
// Verify the user is still authenticated
|
||||
// Verify the user is still authenticated.
|
||||
s.doVisit(s.T(), s.Context(ctx), GetLoginBaseURL())
|
||||
s.verifyIsSecondFactorPage(s.T(), s.Context(ctx))
|
||||
}
|
||||
|
@ -170,11 +170,11 @@ func (s *HighAvailabilityWebDriverSuite) TestShouldKeepSessionAfterAutheliaResta
|
|||
s.doVisit(s.T(), s.Context(ctx), HomeBaseURL)
|
||||
s.verifyIsHome(s.T(), s.Context(ctx))
|
||||
|
||||
// Verify the user is still authenticated
|
||||
// Verify the user is still authenticated.
|
||||
s.doVisit(s.T(), s.Context(ctx), GetLoginBaseURL())
|
||||
s.verifyIsSecondFactorPage(s.T(), s.Context(ctx))
|
||||
|
||||
// Then logout and login again to check the secret is still there
|
||||
// Then logout and login again to check the secret is still there.
|
||||
s.doLogout(s.T(), s.Context(ctx))
|
||||
s.verifyIsFirstFactorPage(s.T(), s.Context(ctx))
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ func init() {
|
|||
"internal/suites/example/compose/nginx/portal/docker-compose.yml",
|
||||
"internal/suites/example/compose/squid/docker-compose.yml",
|
||||
"internal/suites/example/compose/smtp/docker-compose.yml",
|
||||
// To debug headers
|
||||
// To debug headers.
|
||||
"internal/suites/example/compose/httpbin/docker-compose.yml",
|
||||
})
|
||||
|
||||
|
|
|
@ -10,8 +10,8 @@ var standaloneSuiteName = "Standalone"
|
|||
|
||||
func init() {
|
||||
_ = os.MkdirAll("/tmp/authelia/StandaloneSuite/", 0700)
|
||||
_ = os.WriteFile("/tmp/authelia/StandaloneSuite/jwt", []byte("very_important_secret"), 0600)
|
||||
_ = os.WriteFile("/tmp/authelia/StandaloneSuite/session", []byte("unsecure_session_secret"), 0600)
|
||||
_ = os.WriteFile("/tmp/authelia/StandaloneSuite/jwt", []byte("very_important_secret"), 0600) //nolint:gosec
|
||||
_ = os.WriteFile("/tmp/authelia/StandaloneSuite/session", []byte("unsecure_session_secret"), 0600) //nolint:gosec
|
||||
|
||||
dockerEnvironment := NewDockerEnvironment([]string{
|
||||
"internal/suites/docker-compose.yml",
|
||||
|
|
|
@ -139,7 +139,7 @@ func (s *StandaloneWebDriverSuite) TestShouldCheckUserIsAskedToRegisterDevice()
|
|||
// Login one factor again.
|
||||
s.doLoginOneFactor(s.T(), s.Context(ctx), username, password, false, "")
|
||||
|
||||
// now the user should be asked to perform 2FA
|
||||
// now the user should be asked to perform 2FA.
|
||||
s.WaitElementLocatedByClassName(s.T(), s.Context(ctx), "state-method")
|
||||
}
|
||||
|
||||
|
|
|
@ -136,12 +136,12 @@ func RunFuncUntilCtrlC(fn func() error) error {
|
|||
|
||||
// RunCommandWithTimeout run a command with timeout.
|
||||
func RunCommandWithTimeout(cmd *exec.Cmd, timeout time.Duration) error {
|
||||
// Start a process:
|
||||
// Start a process.
|
||||
if err := cmd.Start(); err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
|
||||
// Wait for the process to finish or kill it after a timeout (whichever happens first):
|
||||
// Wait for the process to finish or kill it after a timeout (whichever happens first).
|
||||
done := make(chan error, 1)
|
||||
|
||||
go func() {
|
||||
|
|
|
@ -76,7 +76,7 @@ func ParseRsaPublicKeyFromPemStr(pubPEM string) (*rsa.PublicKey, error) {
|
|||
case *rsa.PublicKey:
|
||||
return pub, nil
|
||||
default:
|
||||
break // fall through
|
||||
break // fall through.
|
||||
}
|
||||
|
||||
return nil, errors.New("key type is not RSA")
|
||||
|
|
|
@ -43,7 +43,7 @@ func ParseDurationString(input string) (time.Duration, error) {
|
|||
|
||||
duration = time.Duration(seconds) * time.Second
|
||||
case input != "":
|
||||
// Throw this error if input is anything other than a blank string, blank string will default to a duration of nothing
|
||||
// Throw this error if input is anything other than a blank string, blank string will default to a duration of nothing.
|
||||
return 0, fmt.Errorf("could not convert the input string of %s into a duration", input)
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user