Commit Graph

327 Commits

Author SHA1 Message Date
James Elliott
f0cb75e1e1
fix(handlers): logout redirection validation (#1908) 2021-04-13 10:38:12 +02:00
James Elliott
9e7b73bd56
refactor(authentication): add trace logs for the user/group baseDN (#1904)
This logs the baseDN for user and group searching on startup as well as the users filter (with just input remaining). Additionally refactors the location of a few log messages, and exposes the logger to the provider to reduce calls to logging.Logger().
2021-04-12 11:10:50 +10:00
James Elliott
08e674b62f
docs: refactor several areas of documentation (#1726)
Updated all links to use https://www.authelia.com/docs/.
Removed all comment sections from documented configuration on the documentation site and replaced them with their own sections.
Made all documentation inside config.template.yml double hashes, and made all commented configuration sections single quoted.
Added .yamllint.yaml to express our desired YAML styles.
Added a style guide.
Refactored many documentation areas to be 120 char widths where possible. It's by no means exhaustive but is a large start.
Added a statelessness guide for the pending Kubernetes chart introduction.
Added labels to configuration documentation and made many areas uniform.
2021-04-11 21:25:03 +10:00
James Elliott
d33d6c2f00
ci: add yamllint (#1895)
This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-11 06:51:00 +10:00
renovate[bot]
ad7808d430
build(deps): update traefik docker tag to v1.7.30 (#1897)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-09 09:32:21 +10:00
renovate[bot]
771a0f362e
build(deps): update alpine docker tag to v3.13.4 (#1877)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-04-01 12:47:51 +11:00
renovate[bot]
92da7a21de
build(deps): update haproxy docker tag to v2.3.9 (#1873)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-31 13:52:05 +11:00
Amir Zarrinkafsh
aa03981024
fix(notification): don't remove file based notifier on start up (#1862)
Attempting to run Authelia with least privilege principle as the `nobody` user and a file based notifier will cause issues during start up as the user cannot remove the notification file.

Given that ioutil.WriteFile truncates the file before writing the removal should not be necessary.

Fixes #1846.
2021-03-31 13:27:31 +11:00
renovate[bot]
dbb819dfa5
build(deps): update traefik docker tag to v1.7.29 (#1869)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-30 11:37:38 +11:00
renovate[bot]
5ab334dcdc
build(deps): update haproxy docker tag to v2.3.8 (#1858)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-28 02:06:58 +11:00
renovate[bot]
e6929cdf3e
build(deps): update alpine docker tag to v3.13.3 (#1853)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-26 11:30:30 +11:00
renovate[bot]
6d4d1d5e2f
build(deps): update traefik docker tag to v2.4.8 (#1848)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-24 19:34:55 +01:00
James Elliott
a44f0cf959
fix: redis sentinel secret missing (#1839)
* fix: redis sentinel secret missing

* refactor: use consts for authentication_backend.file.password errs

* fix: unit test for new default port

* test: cover additional misses

* test: fix windows/linux specific test error

* test: more windows specific tests

* test: remove superfluous url.IsAbs

* test: validator 100% coverage
2021-03-22 20:04:09 +11:00
renovate[bot]
e7c9d55c23
build(deps): update haproxy docker tag to v2.3.7 (#1834)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-17 08:51:46 +11:00
James Elliott
a0248cd096
test(suites): short mode skip suites testing (#1823)
This PR changes the suites tests so if go test -short is used, they are skipped per go standards and a message is displayed. Additionally removed some redundant types from suite_high_availability_test.go and adjusted a warning about a nil req var.
2021-03-14 18:08:26 +11:00
James Elliott
e3e8df26f2
refactor(session): use github.com/fasthttp/session/v2 instead of github.com/authelia/session/v2 (#1809)
Reverts to the upstream library instead of our maintenance fork.
2021-03-13 16:06:19 +11:00
James Elliott
391c8671e9
fix(handlers): log user as '<anonymous>' instead of a blank string (#1808) 2021-03-13 15:52:07 +11:00
James Elliott
5a5efa5e02
fix(server): send 404 on missing api endpoints instead of 405 (#1806)
Returns a 404 instead of 405 on bad API endpoints. The original issue was resolved in 3487fd392e however this resolves another issue that's related. Additionally this ensures the behavior is tested.
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>

Fixes #1520
Closes #1534
2021-03-11 18:36:58 +11:00
James Elliott
c310049faa
refactor(authentication): use crypto constant time compare (#1800)
* refactor(authentication): use crypto constant time compare

Improve security with usage of the crypto/subtle ConstantTimeCompare() method for hash comparison.

Fixes #1799

* docs: add explicit labels for chat types
2021-03-11 12:08:49 +11:00
James Elliott
e041143f87
feat(session): add redis sentinel provider (#1768)
* feat(session): add redis sentinel provider

* refactor(session): use int for ports as per go standards

* refactor(configuration): adjust tests and validation

* refactor(configuration): add err format consts

* refactor(configuration): explicitly map redis structs

* refactor(session): merge redis/redis sentinel providers

* refactor(session): add additional checks to redis providers

* feat(session): add redis cluster provider

* fix: update config for new values

* fix: provide nil certpool to affected tests/mocks

* test: add additional tests to cover uncovered code

* docs: expand explanation of host and nodes relation for redis

* ci: add redis-sentinel to suite highavailability, add redis-sentinel quorum

* fix(session): sentinel password

* test: use redis alpine library image for redis sentinel, use expose instead of ports, use redis ip, adjust redis ip range, adjust redis config

* test: make entrypoint.sh executable, fix entrypoint.sh if/elif

* test: add redis failover tests

* test: defer docker start, adjust sleep, attempt logout before login, attempt visit before login and tune timeouts, add additional logging

* test: add sentinel integration test

* test: add secondary node failure to tests, fix password usage, bump test timeout, add sleep

* feat: use sentinel failover cluster

* fix: renamed addrs to sentineladdrs upstream

* test(session): sentinel failover

* test: add redis standard back into testing

* test: move redis standalone test to traefik2

* fix/docs: apply suggestions from code review
2021-03-10 10:03:05 +11:00
renovate[bot]
073c558296
build(deps): update traefik docker tag to v2.4.7 (#1790)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-09 14:18:48 +11:00
James Elliott
4dce8f9496
perf(authorizer): preload access control lists (#1640)
* adjust session refresh to always occur (for disabled users)

* feat: adds filtering option for Request Method in ACL's

* simplify flow of internal/authorization/authorizer.go's methods

* implement query string checking

* utilize authorizer.Object fully

* make matchers uniform

* add tests

* add missing request methods

* add frontend enhancements to handle request method

* add request method to 1FA Handler Suite

* add internal ACL representations (preparsing)

* expand on access_control next

* add docs

* remove unnecessary slice for network names and instead just use a plain string

* add warning for ineffectual bypass policy (due to subjects)

* add user/group wildcard support

* fix(authorization): allow subject rules to match anonymous users

* feat(api): add new params

* docs(api): wording adjustments

* test: add request method into testing and proxy docs

* test: add several checks and refactor schema validation for ACL

* test: add integration test for methods acl

* refactor: apply suggestions from code review

* docs(authorization): update description
2021-03-05 15:18:31 +11:00
renovate[bot]
455b859047
build(deps): update haproxy docker tag to v2.3.6 (#1779)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-04 14:15:01 +11:00
Amir Zarrinkafsh
2a1f5e3f8d
fix(configuration): lower argon2id default memory requirements (#1762)
* fix(configuration): lower argon2id default memory requirements

The current default hashing value of 1024MB (1GB) is far too aggressive to cover all use cases.
Reducing this number and encouraging users to to read the documentation and tune will result in less issues and a better user experience.

* test: fix broken tests
2021-03-03 20:19:28 +11:00
renovate[bot]
92154a1193
build(deps): update traefik docker tag to v2.4.6 (#1774)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-03-02 15:07:51 +11:00
ThinkChaos
ba65a3db82
feat(handlers): authorization header switch via query param to /api/verify (#1563)
* [FEATURE] Add auth query param to /api/verify (#1353)

When `/api/verify` is called with `?auth=basic`, use the standard
Authorization header instead of Proxy-Authorization.

* [FIX] Better basic auth error reporting

* [FIX] Return 401 when using basic auth instead of redirecting

* [TESTS] Add tests for auth=basic query param

* [DOCS] Mention auth=basic argument and provide nginx example

* docs: add/adjust basic auth query arg docs for proxies

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-02-24 10:35:04 +11:00
renovate[bot]
64b01b2811
build(deps): update mariadb docker tag to v10.5.9 (#1757)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-23 12:49:16 +11:00
renovate[bot]
17bf3f860b
build(deps): update osixia/openldap docker tag to v1.5.0 (#1749)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 22:08:23 +11:00
renovate[bot]
36d02f9cf5
build(deps): update traefik docker tag to v2.4.5 (#1742)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 16:21:43 +11:00
renovate[bot]
59b3c2cbd8
build(deps): update haproxy docker tag to v2.3.5 (#1737)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-22 15:06:10 +11:00
Amir Zarrinkafsh
74721a9f41
feat: go:embed static assets (#1733)
* feat: go:embed static assets

Go 1.16 introduced the ability to embed files within a generated binary directly with the go tool chain. This simplifies our dependencies and the significantly improves the development workflow for future developers.

Key points to note:

Due to the inability to embed files that do not reside within the local package we need to duplicate our `config.template.yml` within `internal/configuration`.

To avoid issues with the development workflow empty mock files have been included within `internal/server/public_html`. These are substituted with the respective generated files during the CI/CD and build workflows.

* fix(suites): increase ldap suite test timeout

* fix(server): fix swagger asset CSP
2021-02-22 10:07:06 +11:00
renovate[bot]
79b2b742a8
build(deps): update alpine docker tag to v3.13.2 (#1728)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-18 10:49:39 +11:00
Amir Zarrinkafsh
683c4a70bf
fix(web): improve 2fa enrollment process (#1706)
* refactor(web): improve 2fa enrollment process

This PR will change some of the wording and colours for the 2FA processes in order to provide more clarity and address some accessibility issues for end users.

The following is a summary of the changes:

* One-Time Password ⭢ Time-based One-Time Password
* Security Key ⭢ Security Key - U2F

![Screenshot_2021-02-02-09-36-17](https://user-images.githubusercontent.com/3339418/107138185-17656100-6967-11eb-8fac-9e75c7a82d09.png)


* QRCode ⭢ QR Code

![Screenshot_2021-02-07-05-07-25](https://user-images.githubusercontent.com/3339418/107138196-29df9a80-6967-11eb-811f-d77c9bb0159e.png)

* `Not registered yet?` text to display `Lost device?` if a user has already registered a device of said type

![Screenshot_2021-02-02-10-24-54](https://user-images.githubusercontent.com/3339418/107138205-395ee380-6967-11eb-8826-83e1438dd146.png)

* Change button and text colour in e-mails that Authelia generates
* Change Authelia email footer to be more security conscious

![Screenshot_2021-02-07-04-51-40](https://user-images.githubusercontent.com/3339418/107138211-4085f180-6967-11eb-890b-9d931bd1ce76.png)

The docs have also been updated to clarify the 2fa device enrollment limitation which only allows users to register one of each device type concurrently.

Closes #1560.
2021-02-12 16:59:42 +11:00
renovate[bot]
23f8a059fe
build(deps): update traefik docker tag to v2.4.2 (#1685)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-03 09:42:29 +11:00
James Elliott
60ff16b518
fix(handlers): refresh user details on all domains (#1642)
* fix(handlers): refresh user details on all domains 

* previously sessions only got checked for updated details if the domain had group subjects attached
* this meant disabled or deleted accounts did not get detected until the session expired or the user visited a domain protected by a group subject
* this patch fixes this issue and simplifies some logic surrounding the check

* add tests

simplify IsStringSlicesDifferent so it only iterates once

* add another test for IsStringSlicesDifferent
2021-02-02 12:01:46 +11:00
renovate[bot]
3d6a9dfca4
build(deps): update traefik docker tag to v2.4.1 (#1681)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-02-02 10:35:49 +11:00
Amir Zarrinkafsh
d17c7e7fc0
refactor(suites): simplify kubernetes suite (#1680)
This PR achieves the following goals:
* Utilise upstream version of kind instead of a patched version which allows binding to networks other than the default "kind"
* Utilises the registry cache which is setup one level above the kind cluster

The former point was required to successfully run our integration tests in a Kubernetes environment, however this is now possible without running a patched version of kind.

The second point is because DockerHub has introduced rate limiting for container downloads. If there are a large number of CI jobs nodes may occasionally be rejected due to the Kubernetes suite not pulling down from the registry cache.
2021-02-02 09:53:44 +11:00
renovate[bot]
006f1eb43b
build(deps): update mariadb docker tag to v10.5.8 (#1660)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 12:22:12 +11:00
renovate[bot]
985aaaa76b
build(deps): update alpine docker tag to v3.13.1 (#1659)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 12:06:09 +11:00
renovate[bot]
ea913d2992
build(deps): update traefik docker tag to v1.7.28 (#1657)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 11:32:49 +11:00
renovate[bot]
ed5e9264f8
build(deps): update mariadb docker tag to v10.4.17 (#1652) 2021-01-31 09:28:43 +11:00
renovate[bot]
d4d781ae52
build(deps): update alpine docker tag to v3.13.1 (#1649)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-31 01:04:46 +11:00
renovate[bot]
72ec9713b3
build(deps): update traefik docker tag (#1674)
* build(deps): update traefik docker tag

* fix(suites): fix traefik2 empty args for matcher PathPrefix

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-31 00:30:41 +11:00
renovate[bot]
14192e11ac
build(deps): update osixia/phpldapadmin docker tag to v0.9.0 (#1673)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-30 22:52:54 +11:00
renovate[bot]
6627a54594
build(deps): update osixia/openldap docker tag to v1.4.0 (#1672)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-30 22:28:05 +11:00
renovate[bot]
d8685418e8
build(deps): update alpine docker tag to v3.12.3 (#1647)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2021-01-30 22:11:42 +11:00
Amir Zarrinkafsh
d719acc4c8
[MISC] Fix embedded fs for dev workflow (#1627)
When authelia.yml got renamed to openapi.yml in 3487fd392e the embedded fs was not updated with a openapi.yml which in turn causes the dev workflow to no longer work.
2021-01-25 10:42:57 +11:00
dependabot-preview[bot]
353b65066c
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1620)
Bumps golang from 1.15.6-alpine to 1.15.7-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2021-01-21 22:14:21 +11:00
Amir Zarrinkafsh
daa30f3aa3
[FEATURE] Add theme support (#1584)
* [FEATURE] Add theme support

This change allows users to select a theme for Authelia on start-up.

The default will continue to be the existing theme which is known as `light`.
Three new options are now also provided:
* `dark`
* `grey`
* `custom`

The `custom` theme allows users to specify a primary and secondary hex color code to be utilised to style the portal.

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>

* Add themes to integration tests

* Remove custom theme

* Fix linting issue in access_control_test.go

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>
2021-01-20 23:07:40 +11:00
dependabot-preview[bot]
7e13d465e9
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1611)
Bumps alpine from 3.12.3 to 3.13.0.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2021-01-18 09:42:44 +11:00
Amir Zarrinkafsh
296efe2b32
[MISC] Add missing CLI suite test (#1607)
* [MISC] Add missing CLI suite test

* Add missing test for `authelia version` command in CLI suite.
* Standardise logger calls and swap CSP switch order
2021-01-17 10:23:35 +11:00
Amir Zarrinkafsh
8bab8d47ef
[MISC] Add CLI suite (#1597)
This change adds a new integration testing suite "CLI".

The intent of this suite is to test, validate and capture coverage for Authelia's commands via the CLI.
2021-01-16 21:25:02 +11:00
Amir Zarrinkafsh
81e34d84de
[MISC] Validate all sections of ACLs on startup (#1595)
* [MISC] Validate all sections of ACLs on startup

This change ensure that all sections of the `access_control` key are validated on startup.

* Change error format to clearly identify values
2021-01-16 21:05:41 +11:00
Amir Zarrinkafsh
fd7b4ada02
[BUGFIX] Disable colored logging outputs when file is specified (#1603)
In some scenarios if a user has a `log_file_path` specified and a TTY seems to be detected this causes terminal coloring outputs to be written to the file. This in turn will cause issues when attempting to utilise the log with the provided fail2ban regexes.

We now override any TTY detection/logging treatments and disable coloring/removal of the timestamp when a user is utilising the text based logger to a file.
2021-01-15 22:16:41 +11:00
dependabot-preview[bot]
8fa76499cb
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1601)
Bumps haproxy from 2.3.3-alpine to 2.3.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-15 10:45:36 +11:00
dependabot-preview[bot]
6aa0e5fa7d
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1591)
Bumps haproxy from 2.3.2-alpine to 2.3.3-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-11 10:01:26 +11:00
James Elliott
712288555c
[BUGFIX] Fix incorrect docs and Certificate PEM extensions (#1589)
* add .crt to the PEM extensions scanned for
* fix documentation on the extensions allowed
* add trace logging to the loading process to help debug in the future
2021-01-10 22:10:45 +11:00
Amir Zarrinkafsh
9ca0e940da
[FEATURE] Validate ACLs and add network groups (#1568)
* adds validation to ACL's
* adds a new networks section that can be used as aliases in other sections (currently access_control)
2021-01-04 21:55:23 +11:00
James Elliott
29a900226d
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557)
* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia
* this is in ADDITION to system certs and are trusted by both LDAP and SMTP
* added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS
* remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use
* use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section
* added temporary translations from the old names to the new ones for all deprecated options
* added docs
* updated example configuration
* final deprecations to be done in 4.28.0
* doc updates
* fix misc linting issues
* uniform deprecation notices for ease of final removal
* added additional tests covering previously uncovered areas and the new configuration options
* add non-fatal to certificate loading when system certs could not be loaded
* adjust timeout of Suite ShortTimeouts
* add warnings pusher for the StructValidator
* make the schema suites uninform
* utilize the warnings in the StructValidator
* fix test suite usage for skip_verify
* extract LDAP filter parsing into it's own function to make it possible to test
* test LDAP filter parsing
* update ErrorContainer interface
* add tests to the StructValidator
* add NewTLSConfig test
* move baseDN for users/groups into parsed values
* add tests to cover many of the outstanding areas in LDAP
* add explicit deferred LDAP conn close to UpdatePassword
* add some basic testing to SMTP notifier
* suggestions from code review
2021-01-04 21:28:55 +11:00
Amir Zarrinkafsh
3487fd392e
[FEATURE] Add API docs and swagger-ui (#1544)
* [FEATURE] Add API docs and swagger-ui

This change will serve out swagger-ui at the `/api/` root path.

* Update descriptions and summaries in API spec

* Utilise frontend assets from unit testing for Docker build steps

* Fix tag for /api/user/* endpoints

* Fix response schema for /api/user/info/2fa_method

* Template and inject the session name during runtime into swagger-ui

This change also factorises and renames index.go into template.go, this can now be generically utilised to template any file.

* Fix integration tests

* Add U2F endpoints

* Change swagger directory to api

This change is to more closely conform to the golang-standards project layout.

* Add authentication for u2f endpoints

* Modify u2f endpoint descriptions

* Rename and fix u2f 2fa sign endpoints

* Fix request body for /api/secondfactor/u2f/sign endpoint

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-01-03 15:28:46 +11:00
Amir Zarrinkafsh
49ae9b0a69
[CI] Update QEMU to v5.2.0-1 (#1567)
* [CI] Update QEMU to v5.2.0-1

* Fix linting error from golangci-lint 1.34.1 update

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-12-30 07:23:24 +11:00
Amir Zarrinkafsh
b12528a65c
[FEATURE] Display TOTP secret on device registration (#1551)
* This change provides the TOTP secret which allows users to copy and utilise for password managers and other applications.
* Hide TextField if secret isn't present
* This ensure that the TextField is removed on a page or if there is no secret present.
* Add multiple buttons and set default value to OTP URL
* Remove inline icon and add icons under text field which allow copying of the secret key and the whole OTP URL.
* Fix integration tests
* Add notifications on click for secret buttons
* Also remove autoFocus on TextField so a user can identify that the full OTP URL is in focus.
2020-12-29 13:30:00 +11:00
James Elliott
2763aefe81
[BUGFIX] Static Session Expiration Key (#1564)
* [BUGFIX] Static Session Expiration Key

* keys for session expiration are random for each instance of Authelia
* this is caused by upstream setting it to a random value
* using a temporary bugfix fork of github.com/fasthttp/session to resolve locally
* add some misc doc additions
2020-12-29 12:44:47 +11:00
dependabot-preview[bot]
ee3ce69f9f
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1548)
Bumps alpine from 3.12.2 to 3.12.3.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-19 14:11:31 +11:00
Amir Zarrinkafsh
b989c1b169
[MISC] Refactor and address most errcheck linter ignores (#1511)
* [MISC] Refactor and address most errcheck linter ignores

This is mostly a quality of life change.
When we first implemented the errcheck linter we ignored a number of items in our legacy codebase with intent to revisit down the track.

* Handle errors for regulation marks and remove unnecessary logging
2020-12-16 12:47:31 +11:00
Amir Zarrinkafsh
7c6a86882f
[MISC] Catch OpenLDAP ppolicy error (#1508)
* [MISC] Catch OpenLDAP ppolicy error

Further to the discussion over at #361, this change now ensures that OpenLDAP password complexity errors are caught and appropriately handled.

This change also includes the PasswordComplexity test suite in the LDAP integration suite. This is because a ppolicy has been setup and enforced.

* Remove password history for integration tests

* Adjust max failures due to regulation trigger

* Fix error handling for password resets

* Refactor and include code suggestions
2020-12-16 12:30:03 +11:00
dependabot-preview[bot]
c14af472dd
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1531)
Bumps alpine from 3.12.1 to 3.12.2.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-12-14 09:12:55 +11:00
dependabot-preview[bot]
d7fea74177
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1512)
Bumps golang from 1.15.5-alpine to 1.15.6-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-07 12:47:48 +11:00
Amir Zarrinkafsh
0bf192aae0
[CI] Adjust reviewdog filtermode for linting (#1506)
This will ensure that linter errors are picked up for the entire codebase instead of just against the default of [added/modified lines](https://github.com/reviewdog/reviewdog#added-default).
2020-12-03 18:06:42 +11:00
James Elliott
426f5260ad
[FEATURE] LDAP StartTLS (#1500)
* add start_tls config option
* add StartTLS method to the LDAP conn factory and the mock
* implemented use of the StartTLS method when the config is set to true
* add mock unit tests
* add docs
* add TLS min version support
* add tests to tls version method
* fix lint issues
* minor adjustments
* remove SSL3.0
* add tls consts
* deprecate old filter placeholders
* remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993
* make suite ActiveDirectory use StartTLS
* misc adjustments to docs
* suggested changes from code review
* deprecation notice conformity
* add mock test for LDAPS plus StartTLS
2020-12-03 16:23:52 +11:00
dependabot-preview[bot]
c9837568b5
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1501)
Bumps haproxy from 2.3.1-alpine to 2.3.2-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-12-03 09:54:21 +11:00
James Elliott
365304a684
[FEATURE] Add Optional Check for Session Username on VerifyGet (#1427)
* Adding the Session-Username header to the /api/verify endpoint when using cookie auth will check the value stored in the session store for the username and the header value are the same.
* use strings.EqualFold to compare case insensitively
* add docs
* add unit tests
* invalidate session if it is theoretically hijacked and log it as a warning (can only be determined if the header doesn't match the cookie)
* add example PAM script
* go mod tidy
* go mod bump to 1.15
2020-12-02 10:03:44 +11:00
Amir Zarrinkafsh
b786b2e1f5
[MISC] Refactor webdriver port initialization (#1491)
This change aims to factorize code introduced in #1467 for webdriver port customisation within the suites.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-28 11:06:42 +11:00
Amir Zarrinkafsh
ba04d1072b
[BUGFIX] Make username_attribute a mandatory placeholder in users_filter (#1449)
* [BUGFIX] Make username_attribute a mandatory placeholder in users_filter

Not including the `username_attribute` in the `users_filter` will cause issues with the LDAP session refresh and will result in session resets when the refresh interval has expired.

This change makes said attribute mandatory for the `users_filter`.

* Update version referenced in docs for fix
2020-11-28 00:30:27 +11:00
Amir Zarrinkafsh
aa64d0c4e5
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460)
* Added `ActiveDirectory` suite for integration tests with Samba AD
* Updated documentation
* Minor styling refactor to suites
* Clean up LDAP user provisioning
* Fix Authelia home splash to reference correct link for webmail
* Add notification message for password complexity errors
* Add password complexity integration test
* Rename implementation default from rfc to custom
* add specific defaults for LDAP (activedirectory implementation)
* add docs to show the new defaults
* add docs explaining the importance of users filter
* add tests
* update instances of LDAP implementation names to use the new consts where applicable
* made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead
* update config examples due to the new defaults
* apply changes from code review
* replace schema default name from MSAD to ActiveDirectory for consistency
* fix missing default for username_attribute
* replace test raising on empty username attribute with not raising on empty

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-27 20:59:22 +11:00
Amir Zarrinkafsh
a29eeb52b6
[FEATURE] Add JSON log formatting option (#1488)
This change adds the ability to format Authelia's log output as JSON.

Example below:
```
{"level":"info","msg":"Logging severity set to info","time":"2020-01-01T00:00:00+11:00"}
{"level":"info","msg":"Authelia is listening for non-TLS connections on 0.0.0.0:9091","time":"2020-01-01T00:00:00+11:00"}
```
2020-11-25 10:46:41 +11:00
Amir Zarrinkafsh
f1ecc5b82a
[FEATURE] Create dedicated health endpoint (#1489)
This change points the Docker containers healthcheck to the dedicated `/api/health` endpoint and also includes support for Authelia running with a path prefix.
2020-11-25 10:20:52 +11:00
Amir Zarrinkafsh
774c1c0207
[MISC] Consistently utilise correct logging interface (#1487)
This change aims to utilise the correct logging interface consistently.

The only instances where stdlib log is utilised is for tests and when commands that Authelia supports; for example certificate generation, password hashing and config validation.
2020-11-25 09:54:36 +11:00
Timo
495e57b46c
[DOCS] Make HAProxy regex case insensitive (#1478) 2020-11-24 12:35:38 +11:00
Amir Zarrinkafsh
6db5455762
[CI] Collect coverage from frontend during integration tests (#1472)
This change will allow us to collect frontend code coverage from our Selenium based integration tests.

Given that the frontend is embedded into the Go binary and the integration tests run with a compiled binary in Docker this poses some issues with the instrumented code and the ability for it to run in this manner. To fix this we need to relax Authelia's CSP for the integration tests. This is achieved by setting the env variable `ENVIRONMENT` to `dev`.
2020-11-19 12:50:34 +11:00
Amir Zarrinkafsh
50df949520
[BUGFIX] Prevent crash when email has not been set (#1466)
* [BUGFIX] Prevent crash when email has not been set

a83ccd7188 introduced a regression where if a misconfigured deployment presented an empty emails array setting `Remote-*` headers would fail.

If the emails array is empty we now set the `Remote-Email` header to an empty string.

* Add additional case for unit tests
2020-11-16 22:22:16 +11:00
Amir Zarrinkafsh
8e32a4b65f
[CI] Add ability to customise the chromedriver port (#1467)
The development workflow expects chromedriver to be run on the host on port 4444.
There is currently no mechanism to modify this behaviour at runtime, so if another service is running on 4444 tests will just fail silently.

This change introduces the `CHROMEDRIVER_PORT` environment variable which can be utilised to set a custom port.
2020-11-16 21:59:24 +11:00
dependabot-preview[bot]
f42b1ea229
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1463)
Bumps haproxy from 2.3.0-alpine to 2.3.1-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-11-16 11:49:52 +11:00
dependabot-preview[bot]
6e5b930f64
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1464)
Bumps golang from 1.15.4-alpine to 1.15.5-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-11-16 11:07:44 +11:00
Amir Zarrinkafsh
f392f51df6
[MISC] Append log file instead of overwriting (#1450)
* [MISC] Append log file instead of overwriting

If Authelia is restarted when a `log_file_path` is defined upon restart the log file is overwritten as opposed to appending the existing file.

This change ensures that the log file will be appended to, users will need to ensure that they rotate/truncate this over time especially if running in `debug` or `trace`.

* Amend documentation for log_file_path
2020-11-13 10:14:45 +11:00
dependabot-preview[bot]
a5f07d7ade
[MISC] (deps): Bump haproxy from 2.2.4-alpine to 2.3.0-alpine in /internal/suites/example/compose/haproxy (#1431)
* [MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy

Bumps haproxy from 2.2.4-alpine to 2.3.0-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Fix HAProxy suite

Looks like the new version of HAProxy has config validation which expects a newline at the bottom of `haproxy.cfg`.
CI was failing with the following error:
[NOTICE] 313/021816 (1) : haproxy version is 2.3.0-1c0a722
[ALERT] 313/021816 (1) : parsing [/usr/local/etc/haproxy/haproxy.cfg:80]: Missing LF on last line, file might have been truncated at position 42.
[ALERT] 313/021816 (1) : Error(s) found in configuration file : /usr/local/etc/haproxy/haproxy.cfg
[ALERT] 313/021816 (1) : Fatal errors found in configuration.

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-11-09 13:35:18 +11:00
dependabot-preview[bot]
ee0b37c796
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1432)
Bumps golang from 1.15.3-alpine to 1.15.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-11-09 09:04:06 +11:00
Amir Zarrinkafsh
66b1600455
[MISC] Warn for poorly tuned argon2id deployments (#1426)
The warnings are currently limited to Linux based deployments, however this covers both container and host (static binary) based deployments.
We could potentially look to expand this to FreeBSD in future too.
2020-11-06 08:57:03 +11:00
James Elliott
956dbfb8de
[BUGFIX] Add ability to specify SMTP HELO/EHLO identifier (#1416)
* add docs
* add configuration option for SMTP called `identifier`
* default should act the same as before
2020-11-05 10:22:10 +11:00
Amir Zarrinkafsh
a83ccd7188
[FEATURE] Add Remote-Name and Remote-Email headers (#1402) 2020-10-26 22:38:08 +11:00
dependabot-preview[bot]
662da9523b
[MISC] (deps): Bump node in /internal/suites/example/compose/duo-api (#1407)
Bumps node from 14-alpine to 15-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-26 11:11:37 +11:00
dependabot-preview[bot]
4f50818667
[MISC] (deps): Bump node in /internal/suites/example/compose/authelia (#1406)
Bumps node from 14-alpine to 15-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-26 09:39:06 +11:00
dependabot-preview[bot]
19ba79cfa1
[MISC] (deps): Bump alpine in /internal/suites/example/compose/kind (#1400)
Bumps alpine from 3.12.0 to 3.12.1.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-23 17:59:48 +11:00
dependabot-preview[bot]
607e6711f5
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1377)
Bumps golang from 1.15.2-alpine to 1.15.3-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-16 14:02:33 +11:00
dependabot-preview[bot]
4a9ed76f32
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1359)
Bumps haproxy from 2.2.3-alpine to 2.2.4-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-08 10:46:43 +11:00
Amir Zarrinkafsh
607f829431
[DOCS] Clean HAProxy examples (#1338)
Remove headers that are not required and fix a typo.
2020-09-23 17:29:46 +10:00
Amir Zarrinkafsh
5b98b4d090
[BUGFIX] Fix HAProxy redirects (#1333)
Including updates to docs examples.
2020-09-23 09:06:26 +10:00
Amir Zarrinkafsh
b1a01b1727
[CI] Update QEMU to v5.1.0-2 (#1321)
* [CI] Update QEMU to v5.1.0-2

* Fix linter errors from golangci-lint update
2020-09-18 22:05:43 +10:00
dependabot-preview[bot]
1c08670b06
[MISC] (deps): Bump golang in /internal/suites/example/compose/authelia (#1313)
Bumps golang from 1.15.1-alpine to 1.15.2-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-11 12:28:40 +10:00
dependabot-preview[bot]
01760d167f
[MISC] (deps): Bump haproxy in /internal/suites/example/compose/haproxy (#1312)
Bumps haproxy from 2.2.2-alpine to 2.2.3-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-10 11:21:20 +10:00