From 76fa325f084d2d3ee613462740443c0c585bda19 Mon Sep 17 00:00:00 2001 
From: Clement Michaud Date: Sun, 3 Mar 2019 23:51:52 +0100 Subject: [PATCH] [BREAKING] Create a suite for kubernetes tests. Authelia client uses hash router instead of browser router in order to work with Kubernetes nginx-ingress-controller. This is also better for users having old browsers. This commit is breaking because it requires to change the configuration of the proxy to include the # in the URL of the login portal. --- .gitignore | 1 + .travis.yml | 8 +- README.md | 14 +- bootstrap.sh | 49 +++++ client/src/App.tsx | 4 +- .../src/behaviors/SafelyRedirectBehavior.ts | 15 -- .../AlreadyAuthenticated.tsx | 4 +- .../FirstFactorForm/FirstFactorForm.tsx | 8 +- .../FirstFactorForm/FirstFactorForm.ts | 16 +- .../SecondFactorForm/SecondFactorForm.ts | 68 ++++--- client/src/services/AutheliaService.ts | 52 +++-- .../AuthenticationView/AuthenticationView.tsx | 2 +- config.template.yml | 4 +- docs/authelia-scripts.md | 13 +- docs/build-and-dev.md | 54 ++++++ docs/build.md | 53 ------ docs/deployment-production.md | 3 +- docs/getting-started.md | 107 +++++------ docs/suites.md | 34 ++-- example/compose/nginx/backend/Dockerfile | 4 + .../compose/nginx/backend/docker-compose.yml | 5 +- .../nginx/backend/html/home/index.html | 119 ++++++------ .../{single_factor => secure}/secret.html | 0 .../html/singlefactor}/secret.html | 1 - example/compose/nginx/backend/nginx.conf | 10 +- .../compose/nginx/minimal/docker-compose.yml | 12 -- .../nginx/minimal/html/home/index.html | 32 ---- example/compose/nginx/minimal/nginx.conf | 96 ---------- example/compose/nginx/minimal/ssl/server.csr | 11 -- example/compose/nginx/portal/nginx.conf.ejs | 141 +++++++------- example/compose/smtp/docker-compose.yml | 1 - example/kube/README.md | 84 ++------ example/kube/apps/app-home/deployment.yml | 33 ---- example/kube/apps/app-home/index.html | 35 ---- example/kube/apps/app-home/service.yml | 12 -- example/kube/apps/app1/deployment.yml | 33 ---- example/kube/apps/app1/index.html | 9 - 
example/kube/apps/app1/service.yml | 12 -- example/kube/apps/app1/ssl/tls.crt | 17 -- example/kube/apps/app1/ssl/tls.csr | 15 -- example/kube/apps/app1/ssl/tls.key | 27 --- example/kube/apps/app2/deployment.yml | 33 ---- example/kube/apps/app2/index.html | 9 - example/kube/apps/app2/service.yml | 12 -- example/kube/apps/app2/ssl/tls.crt | 17 -- example/kube/apps/app2/ssl/tls.csr | 15 -- example/kube/apps/app2/ssl/tls.key | 27 --- example/kube/apps/apps.yml | 130 +++++++++++++ example/kube/apps/insecure-ingress.yml | 28 --- example/kube/apps/secure-ingress.yml | 23 --- .../ssl/server.crt => kube/apps/ssl/tls.crt} | 0 .../ssl/server.key => kube/apps/ssl/tls.key} | 0 example/kube/authelia/configs/config.yml | 114 +++++------ example/kube/authelia/deployment.yml | 3 +- example/kube/authelia/ingress.yml | 4 +- example/kube/bootstrap-authelia.sh | 8 + example/kube/bootstrap.sh | 32 +--- example/kube/build_and_push.sh | 9 - example/kube/dashboard/dashboard.yaml | 179 ++++++++++++++++++ example/kube/docker-registry/daemonset.yml | 35 ---- example/kube/docker-registry/ingress.yml | 18 -- .../docker-registry/replicationcontroller.yml | 44 ----- example/kube/docker-registry/service.yml | 17 -- .../ingress-controller/default-backend.yml | 48 ----- .../kube/ingress-controller/deployment.yml | 16 +- example/kube/ingress-controller/rbac.yml | 141 ++++++++++++++ example/kube/ingress-controller/service.yml | 9 +- .../kube/{mailcatcher => mail}/deployment.yml | 0 .../kube/{mailcatcher => mail}/ingress.yml | 6 +- .../kube/{mailcatcher => mail}/service.yml | 0 example/kube/test.yml | 22 +++ package-lock.json | 47 +++-- package.json | 8 +- scripts/authelia-scripts | 1 + scripts/authelia-scripts-bootstrap | 24 +++ scripts/authelia-scripts-docker-build | 12 +- scripts/authelia-scripts-docker-publish | 11 +- scripts/authelia-scripts-serve | 1 - scripts/authelia-scripts-suites-start | 9 +- scripts/authelia-scripts-suites-test | 113 ++++++++--- scripts/authelia-scripts-travis | 5 +- 
scripts/run-environment.ts | 80 +++++--- scripts/utils/docker.js | 3 +- scripts/utils/exec.js | 7 +- server/src/lib/IdentityCheckMiddleware.ts | 2 +- server/src/lib/Server.ts | 3 +- server/src/lib/authorization/Authorizer.ts | 2 - .../SessionConfigurationBuilder.spec.ts | 18 +- .../SessionConfigurationBuilder.ts | 31 +-- .../src/lib/routes/firstfactor/post.spec.ts | 2 - server/src/lib/routes/firstfactor/post.ts | 15 +- server/src/lib/routes/redirect/post.ts | 31 --- .../src/lib/routes/secondfactor/redirect.ts | 26 ++- .../lib/routes/secondfactor/u2f/sign/post.ts | 4 +- server/src/lib/utils/IsRedirectionSafe.ts | 14 ++ server/src/lib/utils/SafeRedirection.spec.ts | 33 ---- server/src/lib/utils/SafeRedirection.ts | 21 -- server/src/lib/web_server/Configurator.ts | 6 + server/src/lib/web_server/RestApi.ts | 2 - shared/DomainExtractor.spec.ts | 4 +- shared/api.ts | 17 +- test/helpers/ClickOn.ts | 4 +- test/helpers/ClickOnLink.ts | 4 +- test/helpers/FillField.ts | 4 +- test/helpers/FillLoginPageAndClick.ts | 5 +- test/helpers/FullLogin.ts | 8 +- test/helpers/GetIdentityLink.ts | 8 +- test/helpers/LoginAndRegisterTotp.ts | 8 +- test/helpers/LoginAs.ts | 6 +- test/helpers/Logout.ts | 3 +- test/helpers/RegisterTotp.ts | 6 +- test/helpers/ValidateTotp.ts | 6 +- test/helpers/VisitPage.ts | 2 +- test/helpers/assertions/VerifyBodyContains.ts | 9 + .../assertions/VerifySecretObserved.ts | 9 +- test/helpers/assertions/VerifyUrlContains.ts | 5 + test/helpers/behaviors/LoginOneFactor.ts | 9 +- .../behaviors/RegisterAndLoginTwoFactor.ts | 9 +- .../behaviors/VisitPageAndWaitUrlIs.ts | 2 +- .../context/AutheliaServerWithHotReload.ts | 61 ++++-- test/helpers/context/AutheliaSuite.ts | 5 - test/helpers/context/WithEnvironment.ts | 22 --- test/helpers/context/kubernetes/Kubernetes.ts | 27 +++ .../context/kubernetes/KubernetesManager.ts | 20 ++ .../scenarii/SingleFactorAuthentication.ts | 39 ++++ .../scenarii/TwoFactorAuthentication.ts | 22 +++ test/helpers/utils/WaitUntil.ts | 28 +++ 
test/helpers/utils/exec.ts | 29 ++- test/helpers/utils/execPromise.ts | 16 ++ test/suites/basic/config.yml | 2 +- test/suites/basic/environment.ts | 14 +- test/suites/basic/scenarii/BadPassword.ts | 2 +- .../LogoutRedirectToAlreadyLoggedIn.ts | 2 +- .../basic/scenarii/RequiredTwoFactor.ts | 2 +- test/suites/basic/scenarii/ResetPassword.ts | 20 +- .../basic/scenarii/SimpleAuthentication.ts | 37 ---- test/suites/basic/scenarii/TOTPValidation.ts | 4 +- test/suites/basic/test.ts | 4 +- test/suites/dockerhub/config.yml | 2 +- test/suites/dockerhub/environment.ts | 11 +- .../scenarii/SimpleAuthentication.ts | 20 -- test/suites/dockerhub/test.ts | 6 +- test/suites/high-availability/config.yml | 20 +- test/suites/high-availability/environment.ts | 11 +- .../scenarii/AccessControl.ts | 30 ++- .../scenarii/AuthenticationRegulation.ts | 2 +- .../scenarii/BasicAuthentication.ts | 2 +- .../scenarii/CustomHeadersForwarded.ts | 12 +- .../EnforceInternalRedirectionsOnly.ts | 29 ++- .../scenarii/SingleFactorAuthentication.ts | 37 ---- test/suites/high-availability/test.ts | 5 +- test/suites/kubernetes/README.md | 12 ++ test/suites/kubernetes/environment.ts | 134 +++++++++++++ test/suites/kubernetes/test.ts | 10 + test/suites/short-timeouts/config.yml | 2 +- test/suites/short-timeouts/environment.ts | 14 +- .../short-timeouts/scenarii/Inactivity.ts | 61 +++--- 157 files changed, 1890 insertions(+), 1762 deletions(-) create mode 100644 bootstrap.sh delete mode 100644 client/src/behaviors/SafelyRedirectBehavior.ts create mode 100644 docs/build-and-dev.md delete mode 100644 docs/build.md create mode 100644 example/compose/nginx/backend/Dockerfile rename example/compose/nginx/backend/html/{single_factor => secure}/secret.html (100%) rename example/compose/nginx/{minimal/html/admin => backend/html/singlefactor}/secret.html (93%) delete mode 100644 example/compose/nginx/minimal/docker-compose.yml delete mode 100644 example/compose/nginx/minimal/html/home/index.html delete mode 100644 
example/compose/nginx/minimal/nginx.conf delete mode 100644 example/compose/nginx/minimal/ssl/server.csr delete mode 100644 example/kube/apps/app-home/deployment.yml delete mode 100644 example/kube/apps/app-home/index.html delete mode 100644 example/kube/apps/app-home/service.yml delete mode 100644 example/kube/apps/app1/deployment.yml delete mode 100644 example/kube/apps/app1/index.html delete mode 100644 example/kube/apps/app1/service.yml delete mode 100644 example/kube/apps/app1/ssl/tls.crt delete mode 100644 example/kube/apps/app1/ssl/tls.csr delete mode 100644 example/kube/apps/app1/ssl/tls.key delete mode 100644 example/kube/apps/app2/deployment.yml delete mode 100644 example/kube/apps/app2/index.html delete mode 100644 example/kube/apps/app2/service.yml delete mode 100644 example/kube/apps/app2/ssl/tls.crt delete mode 100644 example/kube/apps/app2/ssl/tls.csr delete mode 100644 example/kube/apps/app2/ssl/tls.key create mode 100644 example/kube/apps/apps.yml delete mode 100644 example/kube/apps/insecure-ingress.yml delete mode 100644 example/kube/apps/secure-ingress.yml rename example/{compose/nginx/minimal/ssl/server.crt => kube/apps/ssl/tls.crt} (100%) rename example/{compose/nginx/minimal/ssl/server.key => kube/apps/ssl/tls.key} (100%) create mode 100755 example/kube/bootstrap-authelia.sh mode change 100644 => 100755 example/kube/bootstrap.sh delete mode 100644 example/kube/build_and_push.sh create mode 100644 example/kube/dashboard/dashboard.yaml delete mode 100644 example/kube/docker-registry/daemonset.yml delete mode 100644 example/kube/docker-registry/ingress.yml delete mode 100644 example/kube/docker-registry/replicationcontroller.yml delete mode 100644 example/kube/docker-registry/service.yml delete mode 100644 example/kube/ingress-controller/default-backend.yml create mode 100644 example/kube/ingress-controller/rbac.yml rename example/kube/{mailcatcher => mail}/deployment.yml (100%) rename example/kube/{mailcatcher => mail}/ingress.yml (76%) rename 
example/kube/{mailcatcher => mail}/service.yml (100%) create mode 100644 example/kube/test.yml create mode 100755 scripts/authelia-scripts-bootstrap delete mode 100644 server/src/lib/routes/redirect/post.ts create mode 100644 server/src/lib/utils/IsRedirectionSafe.ts delete mode 100644 server/src/lib/utils/SafeRedirection.spec.ts delete mode 100644 server/src/lib/utils/SafeRedirection.ts create mode 100644 test/helpers/assertions/VerifyBodyContains.ts create mode 100644 test/helpers/assertions/VerifyUrlContains.ts delete mode 100644 test/helpers/context/WithEnvironment.ts create mode 100644 test/helpers/context/kubernetes/Kubernetes.ts create mode 100644 test/helpers/context/kubernetes/KubernetesManager.ts create mode 100644 test/helpers/scenarii/SingleFactorAuthentication.ts create mode 100644 test/helpers/scenarii/TwoFactorAuthentication.ts create mode 100644 test/helpers/utils/WaitUntil.ts create mode 100644 test/helpers/utils/execPromise.ts delete mode 100644 test/suites/basic/scenarii/SimpleAuthentication.ts delete mode 100644 test/suites/dockerhub/scenarii/SimpleAuthentication.ts delete mode 100644 test/suites/high-availability/scenarii/SingleFactorAuthentication.ts create mode 100644 test/suites/kubernetes/README.md create mode 100644 test/suites/kubernetes/environment.ts create mode 100644 test/suites/kubernetes/test.ts
diff --git a/.gitignore b/.gitignore
index 166cceaa..8dc02ff1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,4 @@ Configuration.schema.json
 users_database.test.yml
 .suite
+.kube
diff --git a/.travis.yml b/.travis.yml
index f71f06bc..debdccbe 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,18 +15,16 @@ addons:
 hosts:
 - admin.example.com
 - login.example.com
- - single_factor.example.com
+ - singlefactor.example.com
 - dev.example.com
 - home.example.com
 - mx1.mail.example.com
 - mx2.mail.example.com
 - public.example.com
+ - secure.example.com
 - authelia.example.com
 - admin.example.com
-
-before_install:
-- npm install -g npm@'>=2.13.5'
-- pushd client && npm install && popd
+ - mail.example.com
 before_script:
 - export DISPLAY=:99.0
diff --git a/README.md b/README.md
index 59107576..d98936e3 100644
--- a/README.md
+++ b/README.md
@@ -41,14 +41,18 @@ For more details about the features, follow [Features](./docs/features.md).
 ## Getting Started
-If you want to quickly test Authelia with Docker, we recommend you read
-[Getting Started](./docs/getting-started.md).
+You can start off with
+
+ source bootstrap.sh
+
+If you want to go further, please read [Getting Started](./docs/getting-started.md).
 ## Deployment
-Now that you have tested **Authelia** and you want to try it out in your own infrastructure, you can learn how to deploy and use it with
-[Deployment](./docs/deployment-production.md). This guide will show you how to deploy
-it on bare metal as well as on Kubernetes.
+Now that you have tested **Authelia** and you want to try it out in your own infrastructure,
+you can learn how to deploy and use it with [Deployment](./docs/deployment-production.md).
+This guide will show you how to deploy it on bare metal as well as on
+[Kubernetes](https://kubernetes.io/).
 ## Security
diff --git a/bootstrap.sh b/bootstrap.sh
new file mode 100644
index 00000000..4c92e6a5
--- /dev/null
+++ b/bootstrap.sh
@@ -0,0 +1,49 @@
+
+export PATH=$(pwd)/scripts:/tmp:$PATH
+
+export PS1="(authelia) $PS1"
+
+echo "[BOOTSTRAP] Installing npm packages..."
+npm i
+
+pushd client
+npm i
+popd
+
+echo "[BOOTSTRAP] Checking if Docker is installed..."
+if [ ! -x "$(command -v docker)" ];
+then
+ echo "[ERROR] You must install docker on your machine.";
+ return
+fi
+
+echo "[BOOTSTRAP] Checking if docker-compose is installed..."
+if [ ! -x "$(command -v docker-compose)" ];
+then
+ echo "[ERROR] You must install docker-compose on your machine.";
+ return;
+fi
+
+echo "[BOOTSTRAP] Checking if example.com domain is forwarded to your machine..."
+cat /etc/hosts | grep "login.example.com" > /dev/null
+if [ $? -ne 0 ];
+then
+ echo "[ERROR] Please add those lines to /etc/hosts:
+
+127.0.0.1 home.example.com
+127.0.0.1 public.example.com
+127.0.0.1 secure.example.com
+127.0.0.1 dev.example.com
+127.0.0.1 admin.example.com
+127.0.0.1 mx1.mail.example.com
+127.0.0.1 mx2.mail.example.com
+127.0.0.1 singlefactor.example.com
+127.0.0.1 login.example.com"
+ return;
+fi
+
+echo "[BOOTSTRAP] Running additional bootstrap steps..."
+authelia-scripts bootstrap
+
+echo "[BOOTSTRAP] Run 'authelia-scripts suites start dockerhub' to start Authelia and visit https://home.example.com:8080."
+echo "[BOOTSTRAP] More details at https://github.com/clems4ever/authelia/blob/master/docs/getting-started.md"
diff --git a/client/src/App.tsx b/client/src/App.tsx
index f35684a4..fa17b1f6 100644
--- a/client/src/App.tsx
+++ b/client/src/App.tsx
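Review bot: `export PATH=$(pwd)/scripts:/tmp:$PATH` on the second line of the new bootstrap.sh prepends the world-writable `/tmp` to the PATH of the interactive shell that sources this script (the README tells users to `source bootstrap.sh`), so any file dropped into `/tmp` under the name of a common command is resolved ahead of the system binary for the rest of that session. Presumably `/tmp` is there for tooling fetched by `authelia-scripts bootstrap`; if so, append it after `$PATH` or use a dedicated directory, and quote the expansion so checkouts with spaces in their path keep working: `export PATH="$(pwd)/scripts:$PATH"`. Separately, `cat /etc/hosts | grep "login.example.com" > /dev/null` followed by `if [ $? -ne 0 ];` reads more directly as `if ! grep -q "login.example.com" /etc/hosts;`, which drops the pipe and the `$?` check.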
@@ -3,14 +3,14 @@ import './App.scss';
 import { Route, Switch } from "react-router-dom";
 import { routes } from './routes/index';
-import { createBrowserHistory } from 'history';
+import { createHashHistory } from 'history';
 import { createStore, applyMiddleware, compose } from 'redux';
 import reducer from './reducers';
 import { Provider } from 'react-redux';
 import thunk from 'redux-thunk';
 import { routerMiddleware, ConnectedRouter } from 'connected-react-router';
-const history = createBrowserHistory();
+const history = createHashHistory();
 const store = createStore(
 reducer(history),
 compose(
diff --git a/client/src/behaviors/SafelyRedirectBehavior.ts b/client/src/behaviors/SafelyRedirectBehavior.ts
deleted file mode 100644
index 0d683456..00000000
--- a/client/src/behaviors/SafelyRedirectBehavior.ts
+++ /dev/null
@@ -1,15 +0,0 @@
-import { Dispatch } from "redux";
-import * as AutheliaService from '../services/AutheliaService';
-
-export default async function(url: string) {
- try {
- // Check the url against the backend before redirecting.
- await AutheliaService.checkRedirection(url);
- window.location.href = url;
- } catch (e) {
- console.error(
- 'Cannot redirect since the URL is not in the protected domain.' +
- 'This behavior could be malicious so please the issue to an administrator.');
- throw e;
- }
-}
\ No newline at end of file
diff --git a/client/src/components/AlreadyAuthenticated/AlreadyAuthenticated.tsx b/client/src/components/AlreadyAuthenticated/AlreadyAuthenticated.tsx
index d73d636d..6b1d549a 100644
--- a/client/src/components/AlreadyAuthenticated/AlreadyAuthenticated.tsx
+++ b/client/src/components/AlreadyAuthenticated/AlreadyAuthenticated.tsx
@@ -7,7 +7,7 @@ import CircleLoader, { Status } from "../CircleLoader/CircleLoader";
 export interface OwnProps {
 username: string;
- redirectionUrl: string;
+ redirectionUrl: string | null;
 }
 export interface DispatchProps {
@@ -27,7 +27,7 @@ class AlreadyAuthenticated extends Component {
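Review bot: The switch to `createHashHistory()` in App.tsx carries no comment, so the reason that lives only in the commit message (the portal has to work behind the Kubernetes nginx-ingress-controller, and proxy configurations must now include the `#` in the login portal URL) will be invisible to the next reader tempted to revert to browser history. Suggest adding above `const history = createHashHistory();` the line `// Hash-based routing: required for the portal to work behind Kubernetes nginx-ingress-controller; proxy configs must include the '#' in the login portal URL.` Since the fragment after `#` is never sent to the server, any server-side code that builds or validates portal URLs cannot rely on seeing the client route, which is worth keeping in mind when the proxy templates are reviewed.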
- {this.props.redirectionUrl} + {(this.props.redirectionUrl) ? {this.props.redirectionUrl} : null}