Commit Graph

125 Commits

Author SHA1 Message Date
Clément Michaud
7f19078efb
[MISC] Document usage of env variables for setting secrets. (#606)
Closes #579.
2020-02-02 00:17:39 +11:00
Clément Michaud
ea9b408b70
[FIX] Fix default redirection URL not taken into account (#600)
* Remove unused mongo docker-compose file.

* Default redirection URL was not taken into account.

* Fix possible storage options in config template.

* Remove useless checks in u2f registration endpoints.

* Add default redirection url in config of duo suite.

* Fix log line in response handler of 2FA methods.

* Fix integration tests.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-02-01 13:54:50 +01:00
James Elliott
736ed3f212 Misc Spelling Corrections
- Mostly changes to spelling of comments/docs/displayed text
- A few changes to test function names
2020-01-21 12:16:00 +11:00
James Elliott
242386e279 Force TLS and valid x509 certs in SMTP Notifier by default
- Adjust AUTH LOGIN functionality to be closer to AUTH PLAIN
- Removed: secure (notifier smtp conf) boolean string
- Added: disable_verify_cert (notifier smtp conf) boolean
    - disables X509 validation of certificates
- Added: disable_require_tls (notifier smtp conf) boolean
    - allows emails to be sent over plain text (for non-authenticated only)
- Added: trusted_cert (notifier smtp conf) string (path)
    - allows specifying the path of a PEM format cert to add to trusted cert pool
- Make SMTP notifier return errors on connection over plain text
- Make SMTP notifier return errors on TLS connection with invalid certs
- Implemented various debug logging for the SMTP notifier
- Implemented explicit SMTP closes on errors (previously left con open)
- Split SMTPNotifier Send func to seperate funcs for:
    - writing future test suites and startup checks more easily
    - organization and readability
- Add details of changes to docs/security.yml
- Adjust config.yml's (template and test) for the changes
2020-01-10 17:37:16 +01:00
Clement Michaud
f4f5d17684 Add host parameter to configure the interface Authelia listens on. 2019-12-08 19:07:19 +01:00
Clement Michaud
3d20142292 Allow administrator to provide a Google Analytics tracking ID.
Providing a GA tracking ID allows administrators to analyze
how the portal is used by their users in large environments,
i.e., with many users.
This will make even more sense when we have users and admins
management interfaces.
2019-12-08 14:31:48 +01:00
Clement Michaud
d077ad10da Update expiration timeouts from milliseconds to seconds. 2019-12-07 14:36:24 +01:00
Clement Michaud
e21da43fd6 Add support for LDAP over TLS. 2019-12-06 21:33:47 +01:00
Clement Michaud
135cf718d5 Fix DuoPush suite and do some clean up. 2019-12-05 11:05:24 +01:00
Clement Michaud
b89f63e9c1 Fix and parallelize integration tests. 2019-12-05 11:05:24 +01:00
Clément Michaud
b388385491
Add enclosing parenthesis to users_filter
The enclosing parenthesis are mandatory with the Go LDAP driver.

In the near future a check will be done at configuration validation before Authelia even starts.
2019-11-20 09:01:08 +01:00
Clement Michaud
6303485fd2 Add support for PostgreSQL. 2019-11-16 23:39:26 +01:00
Clement Michaud
bd19ee48fd Deprecate mongo and add mariadb as storage backend option. 2019-11-16 23:39:26 +01:00
Clement Michaud
b1d59dcec4 Add documentation on Authelia v4 in README and add a migration document. 2019-10-29 00:40:45 +01:00
Clement Michaud
828f565290 Bootstrap Go implementation of Authelia.
This is going to be the v4.

Expected improvements:
- More reliable due to static typing.
- Bump of performance.
- Improvement of logging.
- Authelia can be shipped as a single binary.
- Will likely work on ARM architecture.
2019-10-28 23:28:59 +01:00
yaleman
73e593d5a7 spelling correction 2019-10-19 18:12:31 +02:00
Clement Michaud
8a76b5118d Add network criteria in ACLs to specify policy based on network subnet. 2019-03-31 20:11:07 +02:00
Clement Michaud
4eaafb7115 Update the documentation to include information on Duo. 2019-03-24 18:45:32 +01:00
Clement Michaud
8ef402511c Add Duo Push Notification option as 2FA. 2019-03-24 15:15:49 +01:00
Clement Michaud
76fa325f08 [BREAKING] Create a suite for kubernetes tests.
Authelia client uses hash router instead of browser router in order to work
with Kubernetes nginx-ingress-controller. This is also better for users having
old browsers.

This commit is breaking because it requires to change the configuration of the
proxy to include the # in the URL of the login portal.
2019-03-16 00:13:27 +01:00
Clement Michaud
c5eb86e0fd Fix e2e test with minimal configuration. 2019-03-03 11:39:40 +01:00
Clement Michaud
fe14bde29b Backend and frontend are reloaded on code change. 2019-03-03 11:39:40 +01:00
ViViDboarder
264a94d4e7 Add ability to search for groups using {uid}
On some LDAP servers, the `uid` attribute is more like a guid, while the
username exists instead in a dedicated field, like `username`. This
means the `uid` is not necessarily equal to `username`.

This is allows referencing using the `uid` to search for groups in the same
way as `dn` so that one can explicitly match the `memberuid` to the `uid` for
the user without the assumptions that come with using `{0}`.
2019-02-27 21:34:18 -08:00
Clement Michaud
97bfafb6eb [BREAKING] Flatten the ACL rules to enable some use cases.
With previous configuration format rules were not ordered between groups and
thus not predictable. Also in some cases `any` must have been a higher
precedence than `groups`. Flattening the rules let the user apply whatever
policy he can think of.

When several rules match the (subject, domain, resource), the first one is
applied.

NOTE: This commit changed the format for declaring ACLs. Be sure to update
your configuration file before upgrading.
2018-11-17 18:08:29 +01:00
Clement Michaud
9fc55543fd Integrate more policy options in ACL rules.
The possible values for ACL policies are now: bypass, one_factor, two_factor,
deny.

This change also deprecate auth_methods because the method is now associated
directly to a resource in the ACLs instead of a domain.
2018-11-17 18:08:29 +01:00
Clément Michaud
67f84b97c8
Enable authentication to Mongo and Redis. (#263)
* Fix issue in unit test of IdentityCheckMiddleware.

* Enable authentication to Mongo server.

* Enable authentication to Redis.
2018-08-26 13:10:23 +02:00
Clément Michaud
9dab40c2ce
Add support for users database on disk. (#262)
In order to simplify the deployment of Authelia for
testing, LDAP is now optional made optional thanks
to users database stored in a file. One can update
the file manually even while Authelia is running.

With this feature the minimal configuration requires
only two components: Authelia and nginx.

The users database is obviously made for development
environments only as it prevents Authelia to be scaled
to more than one instance.

Note: Configuration has been updated. Key `ldap` has
been nested in `authentication_backend`.
2018-08-26 10:30:43 +02:00
Clément Michaud
0dd9a5f815
Make session cookie name customizable. (#256)
This option is optional and set to authelia_session
by default.
2018-08-19 13:07:00 +02:00
whiskerch
2b1807d32b Update config.template.yml to include TOTP issuer name
* Update config.template.yml and hook.ts

This fixes issue reported in #251.
2018-08-19 10:59:47 +02:00
Clement Michaud
6d6162f26c Add tests for minimal configuration 2018-08-10 00:12:04 +02:00
Clement Michaud
c82f910da3 Refactor configuration to remove optional sections from minimal template
Also move tests from dedicated directory to source dir with .spec.ts extension
2018-08-09 23:52:53 +02:00
Clement Michaud
3883af0ecc Fix local storage configuration in config template 2018-03-29 23:50:47 +02:00
Clement Michaud
0b2f6ace83 Fix unit and integration tests 2018-03-29 23:09:29 +02:00
Clement Michaud
a8974a9d8e Change domain from test.local to example.com
Warning: you will need to update your /etc/hosts to take this change into
account for the example environment to work.
2017-11-03 00:20:10 +01:00
Clement Michaud
73d5253297 Disable notifiers when server uses single factor method only
Notifier is not mandatory when authentication method is single_factor for
all sub-domains since there is no registration required.
2017-10-31 07:37:15 +01:00
Clement Michaud
22d56b1faa Change basicauth.test.local into single_factor.test.local 2017-10-31 07:27:36 +01:00
Clement Michaud
cd0a93f027 Rename authentication method from 'basic_auth' to 'single_factor' 2017-10-31 07:27:36 +01:00
Clement Michaud
563e2da323 Add default_redirection_url as configuration option
This URL is used when user access the authentication domain without providing
the 'redirect' query parameter. In that case, Authelia does not know
where to redirect the user.
If the parameter is defined, Authelia can redirect the user to a default page
when no redirect parameter is provided.

When user is already authenticated and tries to access the authentication
domain, the "already logged in" page is rendered and it now tells the user he
is to be redirected in few seconds and uses this URL to redirect.

This parameter is optional. If it is not provided, there is only a notification
message at the end of the authentication process, as before, and the user is
not redirected when visiting the authentication domain while already
authenticated.
2017-10-31 07:27:23 +01:00
Clement Michaud
dacdce6c50 Implement session inactivity timeout
This timeout will prevent an attacker from using a session that has been
inactive for too long.
This inactivity timeout combined with the timeout before expiration makes a
good combination of security mechanisms to prevent session theft.

If no activity timeout is provided, then the feature is disabled and only
session expiration remains as a protection.
2017-10-31 07:27:23 +01:00
Clement Michaud
b9fa786df6 Refactor endpoints to get server variables as input parameters
This refactoring aims to ease testability and clean up a lot of soft touchy
typings in test code.

This is the first step of this refactoring introducing the concept and
implementing missing interfaces and stubs. At the end of the day,
ServerVariablesHandler should completely disappear and every variable should
be injected in the endpoint handler builder itself.
2017-10-31 07:26:53 +01:00
Dylan Smith
c62b85e37d Less restrictive email handler - replace gmail with generic 2017-10-25 19:28:56 +11:00
Clement Michaud
12a8626ef7 Make per_subdomain_methods optional in configuration file 2017-10-15 20:01:16 +02:00
Clement Michaud
ce264ff4d3 Add {dn} as an available matcher in LDAP groups filter
Sometimes, LDAP organization is such that groups membership cannot be computed
with username only. User DN is required to retrieve groups.

e.g. user Joe has a username joe and a cn of Joe Blogs, resulting in a dn of
cn=Joe Blogs,ou=users,dc=example,dc=com which is needed to retrieve groups
but cannot be computed from joe only.

Issue was reported in issue #146
2017-10-15 14:51:26 +02:00
Clement Michaud
1ab09b71d4 Specify the sender email in Gmail and Smtp notifier configuration
Sender email address can now be specified in configuration and applies to
GMail notifier and SMTP notifier.
2017-10-10 00:07:12 +02:00
Clément Michaud
d5035b8704 Merge pull request #131 from clems4ever/disable-second-factor
Allow basic authentication in configuration
2017-10-09 23:27:36 +02:00
Clément Michaud
2641fb1620 Merge pull request #130 from clems4ever/revert-filesystem-notifier
Revert filesystem notifier
2017-10-09 01:58:06 +02:00
Clement Michaud
c061dbfda4 Customize the authentication method to be used by a sub-domain
One can now customize the default authentication method for all sub-domains,
i.e., either 'two_factor' or 'basic_auth' and define specific authentication
method per sub-domain.

For example, one can specify that every sub-domain must be authenticated with
two factor except one sub-domain that must be authenticated with basic auth.
2017-10-08 23:39:29 +02:00
Clement Michaud
346c559141 Make file system an available notifier option for testing purpose 2017-10-08 22:48:20 +02:00
Clement Michaud
78f6028c1b Improve logging format for clarity
Previously, logs were not very friendly and it was hard to track
a request because of the lack of request ID.
Now every log message comes with a header containing: method, path
request ID, session ID, IP of the user, date.

Moreover, the configurations displayed in the logs have their secrets
hidden from this commit.
2017-10-08 22:33:50 +02:00
Clement Michaud
66449eedb0 Use username matcher instead of user dn in group filter
Previously, string "{0}" was replaced by the user dn in the groups_filter
attributes of the LDAP configuration.
However, if the groups children only have a memberUid attribute, one would
like to use the username instead of the user dn.

Since the user dn can be built from the username, "{0}" is now replaced
by the username instead of the user dn so that an LDAP relying on attribute
'memberUid' can be used.
2017-10-07 14:10:22 +02:00
Clement Michaud
4cd78f3f83 Add SMTP notifier as an available option in configuration
One can now plug its own SMTP server to send notifications
for identity validation and password reset requests.

Filesystem has been removed from the template configuration file
since even tests now use mail catcher (the fake webmail) to
retrieve the email and the confirmation link.
2017-09-24 23:20:45 +02:00
Clement Michaud
cf16272a73 Refine access control with per resource ACLs
ACLs can now be defined by subdomain AND resource using pattern matching
with regular expressions.
It allows a very fine-grained access control to backend resources.

[Note] For using example environmnent, user must update its /etc/hosts with
new subdomains updated in README.
2017-09-24 21:39:47 +02:00
Clement Michaud
64c06fd6b8 Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-03 12:48:35 +02:00
Clement Michaud
20536abf8b Introduce LDAP filters to search users and groups for more flexibility. 2017-09-02 22:38:26 +02:00
Clement Michaud
c12a085f8e Replace mocha integration tests by cucumber tests 2017-07-31 22:20:33 +02:00
Clement Michaud
e45ac39c8f Add Mongo as scalable and resilient storage backend 2017-07-31 00:29:00 +02:00
Clement Michaud
fd59044f5e Open and close ldap client after each operation to avoid issues with idle connections and ECONNRESET exceptions 2017-07-19 20:59:39 +02:00
Clement Michaud
8f152d2328 Fix example environment 2017-07-14 19:05:42 +02:00
Clement Michaud
925b58fabc Add redis option to the express-session middleware 2017-07-13 23:14:31 +02:00
Clement Michaud
e56c2492ed Fix integration test and package Travis scripts 2017-06-29 13:09:08 +02:00
Clement Michaud
ddf1e48535 Refactor client to make it responsive and testable 2017-06-16 18:16:38 +02:00
Paul Casto
ca918c761c domain for cookie - issue in example 2017-04-08 19:14:57 -04:00
Clement Michaud
7d21f8d5df Edit README to make the user add more subdomains in /etc/hosts for testing the example locally 2017-03-25 19:10:59 +01:00
Clement Michaud
b403cfe2f8 Rework the configuration of the access control to allow default policy for certain domains 2017-03-25 18:38:14 +01:00
Clement Michaud
38a4570b24 Edit the README to add an access control section and update the user base 2017-03-25 15:41:11 +01:00
Clement Michaud
e310478e6d Allow per user access control rules 2017-03-25 15:28:57 +01:00
Clement Michaud
2a73b1a431 Add the access_control entry in the config file to allow the user to define per group rules to access the subdomains 2017-03-25 15:17:21 +01:00
Clement Michaud
4b93338bae Move config adaptation into a module and make it testable 2017-03-22 22:28:54 +01:00
Clement Michaud
c7e4f76b9c Add an LDAP user search filter in the configuration filte to specify the user attribute to search for in LDAP 2017-03-16 01:25:55 +01:00
Clement Michaud
606ddc7308 Handle SSO over multiple subdomains 2017-03-15 23:07:57 +01:00
Clement Michaud
d29aac78d0 Create a filesystem notifier for simple getting started 2017-01-28 19:59:15 +01:00
Clement Michaud
7e41c68aa7 Remove TOTP password from the configuration 2017-01-28 18:30:07 +01:00
Clement Michaud
05046338ed Implement password reset 2017-01-27 01:20:03 +01:00
Clement Michaud
320998ef78 Set the level of logs in the config file 2017-01-22 18:18:19 +01:00
Clement Michaud
d3db94105e Registration process sends an email to allow user to register its U2F device 2017-01-22 17:54:45 +01:00