Commit Graph

146 Commits

Author SHA1 Message Date
renovate[bot]
92154a1193
build(deps): update traefik docker tag to v2.4.6 (#1774)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-02 15:07:51 +11:00
renovate[bot]
64b01b2811
build(deps): update mariadb docker tag to v10.5.9 (#1757)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-23 12:49:16 +11:00
renovate[bot]
17bf3f860b
build(deps): update osixia/openldap docker tag to v1.5.0 (#1749)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 22:08:23 +11:00
renovate[bot]
36d02f9cf5
build(deps): update traefik docker tag to v2.4.5 (#1742)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 16:21:43 +11:00
renovate[bot]
59b3c2cbd8
build(deps): update haproxy docker tag to v2.3.5 (#1737)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 15:06:10 +11:00
Amir Zarrinkafsh
74721a9f41
feat: go:embed static assets (#1733)
* feat: go:embed static assets

Go 1.16 introduced the ability to embed files within a generated binary directly with the go tool chain. This simplifies our dependencies and the significantly improves the development workflow for future developers.

Key points to note:

Due to the inability to embed files that do not reside within the local package we need to duplicate our `config.template.yml` within `internal/configuration`.

To avoid issues with the development workflow empty mock files have been included within `internal/server/public_html`. These are substituted with the respective generated files during the CI/CD and build workflows.

* fix(suites): increase ldap suite test timeout

* fix(server): fix swagger asset CSP
2021-02-22 10:07:06 +11:00
renovate[bot]
79b2b742a8
build(deps): update alpine docker tag to v3.13.2 (#1728)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-18 10:49:39 +11:00
Amir Zarrinkafsh
683c4a70bf
fix(web): improve 2fa enrollment process (#1706)
* refactor(web): improve 2fa enrollment process

This PR will change some of the wording and colours for the 2FA processes in order to provide more clarity and address some accessibility issues for end users.

The following is a summary of the changes:

* One-Time Password ⭢ Time-based One-Time Password
* Security Key ⭢ Security Key - U2F

![Screenshot_2021-02-02-09-36-17](https://user-images.githubusercontent.com/3339418/107138185-17656100-6967-11eb-8fac-9e75c7a82d09.png)


* QRCode ⭢ QR Code

![Screenshot_2021-02-07-05-07-25](https://user-images.githubusercontent.com/3339418/107138196-29df9a80-6967-11eb-811f-d77c9bb0159e.png)

* `Not registered yet?` text to display `Lost device?` if a user has already registered a device of said type

![Screenshot_2021-02-02-10-24-54](https://user-images.githubusercontent.com/3339418/107138205-395ee380-6967-11eb-8826-83e1438dd146.png)

* Change button and text colour in e-mails that Authelia generates
* Change Authelia email footer to be more security conscious

![Screenshot_2021-02-07-04-51-40](https://user-images.githubusercontent.com/3339418/107138211-4085f180-6967-11eb-890b-9d931bd1ce76.png)

The docs have also been updated to clarify the 2fa device enrollment limitation which only allows users to register one of each device type concurrently.

Closes #1560.
2021-02-12 16:59:42 +11:00
renovate[bot]
23f8a059fe
build(deps): update traefik docker tag to v2.4.2 (#1685)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-03 09:42:29 +11:00
renovate[bot]
3d6a9dfca4
build(deps): update traefik docker tag to v2.4.1 (#1681)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-02 10:35:49 +11:00
Amir Zarrinkafsh
d17c7e7fc0
refactor(suites): simplify kubernetes suite (#1680)
This PR achieves the following goals:
* Utilise upstream version of kind instead of a patched version which allows binding to networks other than the default "kind"
* Utilises the registry cache which is setup one level above the kind cluster

The former point was required to successfully run our integration tests in a Kubernetes environment, however this is now possible without running a patched version of kind.

The second point is because DockerHub has introduced rate limiting for container downloads. If there are a large number of CI jobs nodes may occasionally be rejected due to the Kubernetes suite not pulling down from the registry cache.
2021-02-02 09:53:44 +11:00
renovate[bot]
006f1eb43b
build(deps): update mariadb docker tag to v10.5.8 (#1660)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 12:22:12 +11:00
renovate[bot]
985aaaa76b
build(deps): update alpine docker tag to v3.13.1 (#1659)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 12:06:09 +11:00
renovate[bot]
ea913d2992
build(deps): update traefik docker tag to v1.7.28 (#1657)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 11:32:49 +11:00
renovate[bot]
ed5e9264f8
build(deps): update mariadb docker tag to v10.4.17 (#1652) 2021-01-31 09:28:43 +11:00
renovate[bot]
d4d781ae52
build(deps): update alpine docker tag to v3.13.1 (#1649)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 01:04:46 +11:00
renovate[bot]
72ec9713b3
build(deps): update traefik docker tag (#1674)
* build(deps): update traefik docker tag

* fix(suites): fix traefik2 empty args for matcher PathPrefix

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-31 00:30:41 +11:00
renovate[bot]
14192e11ac
build(deps): update osixia/phpldapadmin docker tag to v0.9.0 (#1673)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-30 22:52:54 +11:00
renovate[bot]
6627a54594
build(deps): update osixia/openldap docker tag to v1.4.0 (#1672)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-30 22:28:05 +11:00
renovate[bot]
d8685418e8
build(deps): update alpine docker tag to v3.12.3 (#1647)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-30 22:11:42 +11:00
dependabot-preview[bot]
353b65066c
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1620)
Bumps golang from 1.15.6-alpine to 1.15.7-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2021-01-21 22:14:21 +11:00
Amir Zarrinkafsh
daa30f3aa3
[FEATURE] Add theme support (#1584)
* [FEATURE] Add theme support

This change allows users to select a theme for Authelia on start-up.

The default will continue to be the existing theme which is known as `light`.
Three new options are now also provided:
* `dark`
* `grey`
* `custom`

The `custom` theme allows users to specify a primary and secondary hex color code to be utilised to style the portal.

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>

* Add themes to integration tests

* Remove custom theme

* Fix linting issue in access_control_test.go

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>
2021-01-20 23:07:40 +11:00
dependabot-preview[bot]
7e13d465e9
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1611)
Bumps alpine from 3.12.3 to 3.13.0.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2021-01-18 09:42:44 +11:00
Amir Zarrinkafsh
296efe2b32
[MISC] Add missing CLI suite test (#1607)
* [MISC] Add missing CLI suite test

* Add missing test for `authelia version` command in CLI suite.
* Standardise logger calls and swap CSP switch order
2021-01-17 10:23:35 +11:00
Amir Zarrinkafsh
8bab8d47ef
[MISC] Add CLI suite (#1597)
This change adds a new integration testing suite "CLI".

The intent of this suite is to test, validate and capture coverage for Authelia's commands via the CLI.
2021-01-16 21:25:02 +11:00
Amir Zarrinkafsh
81e34d84de
[MISC] Validate all sections of ACLs on startup (#1595)
* [MISC] Validate all sections of ACLs on startup

This change ensure that all sections of the `access_control` key are validated on startup.

* Change error format to clearly identify values
2021-01-16 21:05:41 +11:00
dependabot-preview[bot]
8fa76499cb
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1601)
Bumps haproxy from 2.3.3-alpine to 2.3.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-15 10:45:36 +11:00
dependabot-preview[bot]
6aa0e5fa7d
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1591)
Bumps haproxy from 2.3.2-alpine to 2.3.3-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-11 10:01:26 +11:00
Amir Zarrinkafsh
9ca0e940da
[FEATURE] Validate ACLs and add network groups (#1568)
* adds validation to ACL's
* adds a new networks section that can be used as aliases in other sections (currently access_control)
2021-01-04 21:55:23 +11:00
James Elliott
29a900226d
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557)
* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia
* this is in ADDITION to system certs and are trusted by both LDAP and SMTP
* added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS
* remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use
* use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section
* added temporary translations from the old names to the new ones for all deprecated options
* added docs
* updated example configuration
* final deprecations to be done in 4.28.0
* doc updates
* fix misc linting issues
* uniform deprecation notices for ease of final removal
* added additional tests covering previously uncovered areas and the new configuration options
* add non-fatal to certificate loading when system certs could not be loaded
* adjust timeout of Suite ShortTimeouts
* add warnings pusher for the StructValidator
* make the schema suites uninform
* utilize the warnings in the StructValidator
* fix test suite usage for skip_verify
* extract LDAP filter parsing into it's own function to make it possible to test
* test LDAP filter parsing
* update ErrorContainer interface
* add tests to the StructValidator
* add NewTLSConfig test
* move baseDN for users/groups into parsed values
* add tests to cover many of the outstanding areas in LDAP
* add explicit deferred LDAP conn close to UpdatePassword
* add some basic testing to SMTP notifier
* suggestions from code review
2021-01-04 21:28:55 +11:00
Amir Zarrinkafsh
b12528a65c
[FEATURE] Display TOTP secret on device registration (#1551)
* This change provides the TOTP secret which allows users to copy and utilise for password managers and other applications.
* Hide TextField if secret isn't present
* This ensure that the TextField is removed on a page or if there is no secret present.
* Add multiple buttons and set default value to OTP URL
* Remove inline icon and add icons under text field which allow copying of the secret key and the whole OTP URL.
* Fix integration tests
* Add notifications on click for secret buttons
* Also remove autoFocus on TextField so a user can identify that the full OTP URL is in focus.
2020-12-29 13:30:00 +11:00
dependabot-preview[bot]
ee3ce69f9f
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1548)
Bumps alpine from 3.12.2 to 3.12.3.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-19 14:11:31 +11:00
Amir Zarrinkafsh
b989c1b169
[MISC] Refactor and address most errcheck linter ignores (#1511)
* [MISC] Refactor and address most errcheck linter ignores

This is mostly a quality of life change.
When we first implemented the errcheck linter we ignored a number of items in our legacy codebase with intent to revisit down the track.

* Handle errors for regulation marks and remove unnecessary logging
2020-12-16 12:47:31 +11:00
Amir Zarrinkafsh
7c6a86882f
[MISC] Catch OpenLDAP ppolicy error (#1508)
* [MISC] Catch OpenLDAP ppolicy error

Further to the discussion over at #361, this change now ensures that OpenLDAP password complexity errors are caught and appropriately handled.

This change also includes the PasswordComplexity test suite in the LDAP integration suite. This is because a ppolicy has been setup and enforced.

* Remove password history for integration tests

* Adjust max failures due to regulation trigger

* Fix error handling for password resets

* Refactor and include code suggestions
2020-12-16 12:30:03 +11:00
dependabot-preview[bot]
c14af472dd
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1531)
Bumps alpine from 3.12.1 to 3.12.2.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-12-14 09:12:55 +11:00
dependabot-preview[bot]
d7fea74177
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1512)
Bumps golang from 1.15.5-alpine to 1.15.6-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-07 12:47:48 +11:00
James Elliott
426f5260ad
[FEATURE] LDAP StartTLS (#1500)
* add start_tls config option
* add StartTLS method to the LDAP conn factory and the mock
* implemented use of the StartTLS method when the config is set to true
* add mock unit tests
* add docs
* add TLS min version support
* add tests to tls version method
* fix lint issues
* minor adjustments
* remove SSL3.0
* add tls consts
* deprecate old filter placeholders
* remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993
* make suite ActiveDirectory use StartTLS
* misc adjustments to docs
* suggested changes from code review
* deprecation notice conformity
* add mock test for LDAPS plus StartTLS
2020-12-03 16:23:52 +11:00
dependabot-preview[bot]
c9837568b5
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1501)
Bumps haproxy from 2.3.1-alpine to 2.3.2-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-03 09:54:21 +11:00
Amir Zarrinkafsh
b786b2e1f5
[MISC] Refactor webdriver port initialization (#1491)
This change aims to factorize code introduced in #1467 for webdriver port customisation within the suites.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-28 11:06:42 +11:00
Amir Zarrinkafsh
aa64d0c4e5
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460)
* Added `ActiveDirectory` suite for integration tests with Samba AD
* Updated documentation
* Minor styling refactor to suites
* Clean up LDAP user provisioning
* Fix Authelia home splash to reference correct link for webmail
* Add notification message for password complexity errors
* Add password complexity integration test
* Rename implementation default from rfc to custom
* add specific defaults for LDAP (activedirectory implementation)
* add docs to show the new defaults
* add docs explaining the importance of users filter
* add tests
* update instances of LDAP implementation names to use the new consts where applicable
* made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead
* update config examples due to the new defaults
* apply changes from code review
* replace schema default name from MSAD to ActiveDirectory for consistency
* fix missing default for username_attribute
* replace test raising on empty username attribute with not raising on empty

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-27 20:59:22 +11:00
Timo
495e57b46c
[DOCS] Make HAProxy regex case insensitive (#1478) 2020-11-24 12:35:38 +11:00
Amir Zarrinkafsh
6db5455762
[CI] Collect coverage from frontend during integration tests (#1472)
This change will allow us to collect frontend code coverage from our Selenium based integration tests.

Given that the frontend is embedded into the Go binary and the integration tests run with a compiled binary in Docker this poses some issues with the instrumented code and the ability for it to run in this manner. To fix this we need to relax Authelia's CSP for the integration tests. This is achieved by setting the env variable `ENVIRONMENT` to `dev`.
2020-11-19 12:50:34 +11:00
Amir Zarrinkafsh
8e32a4b65f
[CI] Add ability to customise the chromedriver port (#1467)
The development workflow expects chromedriver to be run on the host on port 4444.
There is currently no mechanism to modify this behaviour at runtime, so if another service is running on 4444 tests will just fail silently.

This change introduces the `CHROMEDRIVER_PORT` environment variable which can be utilised to set a custom port.
2020-11-16 21:59:24 +11:00
dependabot-preview[bot]
f42b1ea229
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1463)
Bumps haproxy from 2.3.0-alpine to 2.3.1-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-11-16 11:49:52 +11:00
dependabot-preview[bot]
6e5b930f64
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1464)
Bumps golang from 1.15.4-alpine to 1.15.5-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-11-16 11:07:44 +11:00
Amir Zarrinkafsh
f392f51df6
[MISC] Append log file instead of overwriting (#1450)
* [MISC] Append log file instead of overwriting

If Authelia is restarted when a `log_file_path` is defined upon restart the log file is overwritten as opposed to appending the existing file.

This change ensures that the log file will be appended to, users will need to ensure that they rotate/truncate this over time especially if running in `debug` or `trace`.

* Amend documentation for log_file_path
2020-11-13 10:14:45 +11:00
dependabot-preview[bot]
a5f07d7ade
[MISC] (deps): Bump haproxy from 2.2.4-alpine to 2.3.0-alpine in /internal/suites/example/compose/haproxy (#1431)
* [MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy

Bumps haproxy from 2.2.4-alpine to 2.3.0-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Fix HAProxy suite

Looks like the new version of HAProxy has config validation which expects a newline at the bottom of `haproxy.cfg`.
CI was failing with the following error:
[NOTICE] 313/021816 (1) : haproxy version is 2.3.0-1c0a722
[ALERT] 313/021816 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:80]: Missing LF on last line, file might have been truncated at position 42.
[ALERT] 313/021816 (1) : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
[ALERT] 313/021816 (1) : Fatal errors found in configuration.

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-11-09 13:35:18 +11:00
dependabot-preview[bot]
ee0b37c796
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1432)
Bumps golang from 1.15.3-alpine to 1.15.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-11-09 09:04:06 +11:00
Amir Zarrinkafsh
a83ccd7188
[FEATURE] Add Remote-Name and Remote-Email headers (#1402) 2020-10-26 22:38:08 +11:00
dependabot-preview[bot]
662da9523b
[MISC] (deps): Bump node in /internal/suites/example/compose/duo-api (#1407)
Bumps node from 14-alpine to 15-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-26 11:11:37 +11:00