Commit Graph

132 Commits

Author SHA1 Message Date
Clement Michaud
4016ff1bba [BREAKING] Create a suite for Traefik proxy.
* Removal of the Redirect header sent by Authelia /api/verify endpoint.
* Authelia does not consume Host header anymore but X-Forwarded-Proto and X-Forwarded-Host
  to compute the link sent in identity verification emails.
* Authelia used Host header as the application name for U2F authentication but it's now using
  X-Forwarded-* headers.
2019-04-12 09:24:54 +02:00
ViViDboarder
617e929e1a Fix relative paths and add error handling 2019-04-12 09:24:54 +02:00
ViViDboarder
356b82f443 Fix lint error 2019-04-12 09:24:54 +02:00
ViViDboarder
0922b3c215 Build x-original-url from forwarded headers
This is to allow broader support for proxies. In particular, this allows
support with Traefik.

This patch also includes some examples of configuration with Traefik.
2019-04-12 09:24:54 +02:00
Clement Michaud
36d65c284e Add a test checking forwarded headers on bypass-based resources. 2019-04-10 22:34:15 +02:00
Amir Zarrinkafsh
c074270b54 Fix attaching User/Groups headers for bypass strategy 2019-04-10 21:32:12 +02:00
Clement Michaud
8a76b5118d Add network criteria in ACLs to specify policy based on network subnet. 2019-03-31 20:11:07 +02:00
Amir Zarrinkafsh
274c6135c7
Capture IP address and Target URL in Duo 2FA request 2019-03-27 19:44:50 +11:00
Clement Michaud
a717b965c1 Display only available 2FA methods.
For instance Duo Push Notification method is not displayed if the API
is not configured.
2019-03-24 22:23:25 +01:00
Clement Michaud
8ef402511c Add Duo Push Notification option as 2FA. 2019-03-24 15:15:49 +01:00
Clement Michaud
d9e487c99f Display only one 2FA option.
Displaying only one option at 2FA stage will allow to add more options
like DUO push or OAuth.

The user can switch to other option and in this case the option is
remembered so that next time, the user will see the same option. The
latest option is considered as the prefered option by Authelia.
2019-03-23 19:34:00 +01:00
Clement Michaud
40574bc8ec Fix the bypass strategy.
Before this fix an anonymous user was not able to access a resource
that were configured with a bypass policy. This was due to a useless
check of the userid in the auth session. Moreover, in the case of an
anonymous user, we should not check the inactivity period since there
is no session.

Also refactor /verify endpoint for better testability and add tests
in a new suite.
2019-03-22 23:51:36 +01:00
Clement Michaud
7c3d6cc376 Log what is retrieved from headers to help debugging. 2019-03-22 15:34:38 +01:00
Clement Michaud
76fa325f08 [BREAKING] Create a suite for kubernetes tests.
Authelia client uses hash router instead of browser router in order to work
with Kubernetes nginx-ingress-controller. This is also better for users having
old browsers.

This commit is breaking because it requires to change the configuration of the
proxy to include the # in the URL of the login portal.
2019-03-16 00:13:27 +01:00
Clement Michaud
b3d381bfa7 Fix integration and unit tests. 2019-03-03 11:39:40 +01:00
Clement Michaud
4bd7ea6f42 Add a script to hash a password for user database. 2019-03-03 11:39:40 +01:00
Clement Michaud
5614bea827 Fix unit tests. 2019-03-03 11:39:40 +01:00
Clement Michaud
85d3adc3e3 Check linting issues on hotreload and fix remaining ones. 2019-03-03 11:39:40 +01:00
Clement Michaud
c487ed0a37 Migrate more tests to mocha. 2019-03-03 11:39:40 +01:00
Clement Michaud
c579355c5b Migrate more Cucumber tests into Mocha. 2019-03-03 11:39:40 +01:00
Clement Michaud
efceb66ffa Migrate some tests to mocha. 2019-03-03 11:39:40 +01:00
Clement Michaud
d3a790627e Fix inactivity Ãe2e tests. 2019-03-03 11:39:40 +01:00
Clement Michaud
d2a547eca6 Fix e2e tests for complete configuration. 2019-03-03 11:39:40 +01:00
Clement Michaud
eccf08b6b0 Authelia can be run locally while communicating with docker environment. 2019-03-03 11:39:40 +01:00
Clement Michaud
317611b099 Replace material-UI by material-components-web. 2019-03-03 11:39:40 +01:00
Clement Michaud
419c883a8c Replace client by client-react. 2019-03-03 11:39:40 +01:00
Clement Michaud
605002a333 Complete rewrite of the UI. 2019-03-03 11:39:40 +01:00
Clement Michaud
9d7155a969 Almost full authentication workflow with U2F and TOTP. 2019-03-03 11:39:40 +01:00
Clement Michaud
fe14bde29b Backend and frontend are reloaded on code change. 2019-03-03 11:39:40 +01:00
ViViDboarder
264a94d4e7 Add ability to search for groups using {uid}
On some LDAP servers, the `uid` attribute is more like a guid, while the
username exists instead in a dedicated field, like `username`. This
means the `uid` is not necessarily equal to `username`.

This is allows referencing using the `uid` to search for groups in the same
way as `dn` so that one can explicitly match the `memberuid` to the `uid` for
the user without the assumptions that come with using `{0}`.
2019-02-27 21:34:18 -08:00
Clement Michaud
cc8cb36e04 Log error in LDAP input sanitizer to help with troubleshooting. 2019-02-11 23:01:29 +01:00
Clément Michaud
84b1194711
Merge branch 'master' into master 2019-01-08 21:32:28 +01:00
Tedy Stoica
0bbf4dc299
Added "/" to regex 2019-01-08 12:52:17 +02:00
Tedy Stoica
99bc50f2ff
Modified regex 2019-01-08 12:15:20 +02:00
BankaiNoJutsu
3d1448d3cc fix permissions 2018-12-18 16:34:56 +01:00
BankaiNoJutsu
48c204fc68 added all themes, clean and backup of dist, --theme value check 2018-12-18 16:30:23 +01:00
Clement Michaud
b53d16d8a1 Introduce Subject and Object in authorization module. 2018-11-17 18:29:10 +01:00
Clement Michaud
97bfafb6eb [BREAKING] Flatten the ACL rules to enable some use cases.
With previous configuration format rules were not ordered between groups and
thus not predictable. Also in some cases `any` must have been a higher
precedence than `groups`. Flattening the rules let the user apply whatever
policy he can think of.

When several rules match the (subject, domain, resource), the first one is
applied.

NOTE: This commit changed the format for declaring ACLs. Be sure to update
your configuration file before upgrading.
2018-11-17 18:08:29 +01:00
Clement Michaud
9fc55543fd Integrate more policy options in ACL rules.
The possible values for ACL policies are now: bypass, one_factor, two_factor,
deny.

This change also deprecate auth_methods because the method is now associated
directly to a resource in the ACLs instead of a domain.
2018-11-17 18:08:29 +01:00
Clement Michaud
42581dfe93 Fix open redirection vulnerability.
In order to redirect the user after authentication, Authelia uses
rd query parameter provided by the proxy. However an attacker could
use phishing to make the user be redirected to a bad domain. In order
to avoid the user to be redirected to a bad location, Authelia now
verifies the redirection URL is under the protected domain.
2018-11-17 17:48:20 +01:00
Clement Michaud
baa1899536 Fix U2F sign request after u2f library upgrade. 2018-11-17 13:58:48 +01:00
Clement Michaud
7c80515b34 Fix U2F authentication by upgrading libraries. 2018-11-06 15:45:01 +01:00
Clement Michaud
e8c3205e0a Make Authelia compatible with Firefox.
Use the polyfill version of u2f API provided by Google.

https://github.com/mastahyeti/u2f-api

This polyfill is at least compatible with Chrome and
Firefox after enabling the U2F support.

[HOWTO] Enable U2F in Firefox >= 57:
Navigate to 'about:config' and search for 'u2f' option.
Double-click on the line to toggle the option.
2018-10-27 18:22:01 +02:00
Clement Michaud
4c3b5cfbb3 Implement Keep me logged in feature. 2018-10-21 16:11:31 +02:00
Clement Michaud
059c5936f5 Add 'keep me logged in' checkbox in first factor page. 2018-10-21 15:25:28 +02:00
Clement Michaud
ad6b064063 Fix typing issue when using Dockerfile.dev. 2018-10-21 15:25:09 +02:00
Clement Michaud
91763e97a1 Get IP of the original client when querying /verify. 2018-08-28 23:06:14 +02:00
Clément Michaud
67f84b97c8
Enable authentication to Mongo and Redis. (#263)
* Fix issue in unit test of IdentityCheckMiddleware.

* Enable authentication to Mongo server.

* Enable authentication to Redis.
2018-08-26 13:10:23 +02:00
Clément Michaud
9dab40c2ce
Add support for users database on disk. (#262)
In order to simplify the deployment of Authelia for
testing, LDAP is now optional made optional thanks
to users database stored in a file. One can update
the file manually even while Authelia is running.

With this feature the minimal configuration requires
only two components: Authelia and nginx.

The users database is obviously made for development
environments only as it prevents Authelia to be scaled
to more than one instance.

Note: Configuration has been updated. Key `ldap` has
been nested in `authentication_backend`.
2018-08-26 10:30:43 +02:00
Clément Michaud
6438a5e48f
Fix ECONNRESET when LDAP queries fail. (#261)
This commit should fix #225.

In order to avoid stalling LDAP connections, Authelia creates new
sessions for each set of queries bound to one authentication, i.e.,
one session for authentication, emails retrieval and groups
retrieval.
Before this commit, a failing query was preventing the session to
be closed (unbind was not called). Now, unbind is always called
whatever the outcome of the query.

I took the opportunity of this commit to refactor LDAP client in
order to prepare the work on users database stored in a file.
(#233)
2018-08-25 19:22:48 +02:00