Commit Graph

1114 Commits

Author SHA1 Message Date
Amir Zarrinkafsh
9e2a9f5ee6
[DEPRECATE] Remove OSX (darwin) based binaries (#967) 2020-05-03 22:03:53 +10:00
Clément Michaud
e5ccdb4449
[MISC] Introduce CryptAlgo type. (#960)
* [MISC] Introduce CryptAlgo type.

It helps distinguish between the configuration representation of an algorithm
and the crypt representation (6 and argon2id vs sha512 vs argon2id).

* Add a description to CryptAlgo.

* use const

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-05-03 14:06:09 +10:00
Clément Michaud
da5c722cf8
[DOCS] Introduce an FAQ and document forwarded authentication. (#962)
* add FAQ docs section
* add forwarded authentication section to deployments > supported proxies
* apply suggestions from code review

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-03 13:18:13 +10:00
Amir Zarrinkafsh
be0cc72473
[CI] Add goconst linter (#961)
* [CI] Add goconst linter

* Implement goconst recommendations

* Rename defaultPolicy to denyPolicy

* Change order for test constants

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-02 18:20:40 +02:00
Amir Zarrinkafsh
310c5dc09b
[DOCS] Harmonize Remote-User and Remote-Groups headers in nginx example (#963)
Fixes #957.

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-02 17:10:26 +02:00
Amir Zarrinkafsh
d301ebe47c
[CI] Fix pipeline dependencies (#964)
* [CI] Fix pipeline dependencies
This change ensures that CI_BYPASS works as intended and ensures that the hardcoded pipeline does not conflict with the repo provided dynamic pipeline.
The hardcoded pipeline has been changed to reflect the following:
```yaml
steps:
  # Blocking pipeline for master branch deployments (concurrency_group).
  - label: ":pipeline: Setup Pipeline"
    command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload"
    concurrency: 1
    concurrency_group: "deployments"
    if: build.branch == "master"

  # Non-blocking pipeline for all others (tagged commits/local branches/PRs).
  - label: ":pipeline: Setup Pipeline"
    command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload"
    if: build.branch != "master"

  - wait:
    if: build.pull_request.repository.fork != true && build.branch !~ /^dependabot\/.*/

  # Manual intervention by team required to deploy for forked PRs (prevent secret leakage).
  - block: "Public fork needs approval"
    if: build.pull_request.repository.fork == true

  # Blocking deployment for master branch deployments (concurrency_group).
  - label: "🚀 Setup Deployment"
    command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
    concurrency: 1
    concurrency_group: "deployments"
    depends_on: ~
    if: build.branch == "master"

  # Non-blocking deployment for all others (tagged commits/local branches).
  - label: "🚀 Setup Deployment"
    command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
    depends_on: ~
    if: build.branch != "master" && build.branch !~ /^dependabot\/.*/ && build.pull_request.repository.fork != true

  # Removed dependency optimisation for forked PRs to enforce block step.
  - label: "🚀 Setup Deployment"
    command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
    if: build.pull_request.repository.fork == true
```

* [CI] Include upstream hardcoded pipeline in repo
2020-05-02 17:05:11 +02:00
Amir Zarrinkafsh
e67f63ee44
[CI] Add godot linter (#958)
* [CI] Add godot linter

* Implement godot recommendations
2020-05-02 15:06:39 +10:00
Amir Zarrinkafsh
ce5f5e9214
[CI] Optimise pipeline deployments with explicit dependencies (#955)
Pushes to master and tagged releases will have now have explicit dependencies for steps. This is specifically to prevent darwin based builds holding up execution of other steps which should not have a dependence.
2020-05-02 13:22:17 +10:00
Amir Zarrinkafsh
1ed1318870
[CI] Fix artifact download for publishing step (#954) 2020-05-02 12:12:18 +10:00
James Elliott
9947371ef8
[CI] Run unit tests on master and tagged commits (#953) 2020-05-02 11:41:53 +10:00
James Elliott
c13525bf84
[RELEASE] v4.16.0 (#952) 2020-05-02 09:01:39 +10:00
James Elliott
e95c6a294d
[HOTFIX] Prevent Username Enumeration (#950)
* [HOTFIX] Prevent Username Enumeration

* thanks to TheHllm for identifying the bug: https://github.com/TheHllm
* temporarily prevents username enumeration with file auth
* proper calculated and very slightly random fix to come

* closely replicate behaviour

* allow error to bubble up

* Synchronize security documentation.

Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-02 00:32:09 +02:00
Amir Zarrinkafsh
6d8f45513f
[DOCS] Update secrets examples for Docker Compose (#948)
* [DOCS] Update secrets examples for Docker Compose

* Fix typo

* Include examples for Docker Secrets and bind mounted secret files
2020-05-01 16:58:40 +10:00
Amir Zarrinkafsh
aebcb38f90
[MISC] Fix goimports ordering for repo (#947) 2020-05-01 16:56:42 +10:00
James Elliott
2437f989cb
[SECURITY] Disable HTTP server header (#946)
* [SECURITY] Disable HTTP Server Header

* alphabetize fasthttp.Server property assignment
2020-04-30 13:16:41 +10:00
James Elliott
c9e8a924e0
[FEATURE] Buffer size configuration and additional http error handling (#944)
* implement read buffer size config option
* implement write buffer size config option
* implement fasthttp ErrorHandler so we can log errors to Authelia as well
* add struct/schema validation
* add default value
* add docs
* add config key to validator
* refactoring
* apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 12:03:05 +10:00
Amir Zarrinkafsh
2b627c6c04
[CI] Set concurrency groups at a global level and simplify pipeline (#942) 2020-04-29 14:06:35 +10:00
Amir Zarrinkafsh
f781d63b2c
[CI] Prevent race conditions with appropriate deployment steps (#941)
If we have multiple builds to master that intend to deploy AUR packages or documentation, we must ensure that the jobs are locked and executed sequentially, not simultaneously. If they were to run simultaneously this has the ability to cause a race condition when attempting to commit the respective steps.
2020-04-29 13:05:41 +10:00
Dimitris Zervas
c9efae05ad
[DOCS] Add jira auto-login with http headers documentation (#868)
* Add jira auto-login with http headers documentation

* Update two-factor-basic-auth.md

* Create using-remote-user-header-for-sso-with-jira.md
2020-04-29 12:34:05 +10:00
Amir Zarrinkafsh
12100d21e2
[CI] Linting optimisations (#940)
* [CI] Lint all builds except tagged commits to satisfy branch protection

* [CI] Add automatic retries for linting failures
This is to treat any issues with the reviewdog API server and occasional failures we are seeing.
2020-04-29 12:30:46 +10:00
Amir Zarrinkafsh
f8bd506326
[FEATURE] Embed static assets in Go binary (#916)
* [FEATURE] Embed static assets in Go binary

* Refactor/consolidate code and specify public_html via configuration

* Update docs and config template for assets

* Update AUR package pre-requisites and systemd unit

* Include static assets as Buildkite and GitHub artifacts

* Remove references to PUBLIC_DIR

* Only serve assets via embedded filesystem and remove configuration references

* Update authelia-scripts helper to build the embedded filesystem

* Mock the embedded filesystem for unit tests
Add to gitignore to ensure this isn't overwritten.

* Move go:generate to satisfy linter
2020-04-29 00:07:20 +10:00
Amir Zarrinkafsh
ff2df8b039
[DOCS] Fix HAProxy typo (#937) 2020-04-28 21:00:10 +10:00
Amir Zarrinkafsh
69859aa5d4
[DOCS] Update HAProxy code syntax style (#936) 2020-04-28 20:53:06 +10:00
Amir Zarrinkafsh
dca8a5343a
[DOCS] Update proxy integration example for HAProxy (#935)
* [DOCS] Update proxy integration example for HAProxy

* Minor style tweak

* Update haproxy.md

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-04-28 19:17:45 +10:00
Amir Zarrinkafsh
2f8bcef621
[CI] Adjust linting default excludes to align with goreportcard (#934) 2020-04-28 16:39:54 +10:00
dependabot-preview[bot]
3ba06c2e9d
[MISC] (deps): Bump node from 12-alpine to 14-alpine (#932)
Bumps node from 12-alpine to 14-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-28 09:38:20 +10:00
dependabot-preview[bot]
9fc3098481
[MISC] (deps): Bump @types/react-dom from 16.9.6 to 16.9.7 in /web (#933)
Bumps [@types/react-dom](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react-dom) from 16.9.6 to 16.9.7.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react-dom)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-04-27 23:03:49 +02:00
Amir Zarrinkafsh
6c7d5cfa9a
[CI] Add Gemfile.lock monitoring to dependabot (#931)
This will allow dependabot to inform us when there are newer ruby bundles available.
2020-04-27 21:09:26 +02:00
dependabot-preview[bot]
ab8db21214
[MISC] (deps): Bump node in /internal/suites/example/compose/authelia (#930)
Bumps node from 12-alpine to 14-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-04-27 13:13:03 +10:00
dependabot-preview[bot]
6c0e9f84b0
[MISC] (deps): Bump node in /internal/suites/example/compose/duo-api (#929)
Bumps node from 12-alpine to 14-alpine.

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-04-27 12:53:16 +10:00
Amir Zarrinkafsh
83d40641d7
[CI] Add Dockerfile monitoring to dependabot (#928)
This will allow dependabot to inform us when there are newer version of the base packages for our Dockerfiles.
2020-04-27 11:56:44 +10:00
dependabot-preview[bot]
1dad4846f9
[MISC] (deps): Bump @material-ui/core from 4.9.11 to 4.9.12 in /web (#927)
Bumps [@material-ui/core](https://github.com/mui-org/material-ui/tree/HEAD/packages/material-ui) from 4.9.11 to 4.9.12.
- [Release notes](https://github.com/mui-org/material-ui/releases)
- [Changelog](https://github.com/mui-org/material-ui/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mui-org/material-ui/commits/v4.9.12/packages/material-ui)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-04-27 11:15:12 +10:00
dependabot-preview[bot]
ac36283c68
[MISC] (deps): Bump @types/node from 13.13.2 to 13.13.4 in /web (#926)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 13.13.2 to 13.13.4.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-04-26 23:23:23 +02:00
dependabot-preview[bot]
d79e90d84b
[MISC] (deps): Bump @types/react-router-dom from 5.1.4 to 5.1.5 in /web (#925)
Bumps [@types/react-router-dom](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react-router-dom) from 5.1.4 to 5.1.5.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react-router-dom)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-04-26 21:41:56 +02:00
dependabot-preview[bot]
5d2b7a1398
[MISC] (deps): Bump github.com/fasthttp/router from 1.0.3 to 1.0.4 (#923)
Bumps [github.com/fasthttp/router](https://github.com/fasthttp/router) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/fasthttp/router/releases)
- [Commits](https://github.com/fasthttp/router/compare/v1.0.3...v1.0.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-04-26 20:43:59 +02:00
Amir Zarrinkafsh
784112d654
[MISC] Update QEMU to v4.2.0-7 (#921)
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-04-26 16:09:28 +02:00
Amir Zarrinkafsh
a90f432ba1
[CI] Update reviewdog level to error (#922)
This will ensure that GitHub checks are identified as failures as opposed to neutral warnings.
2020-04-26 15:38:20 +02:00
Clément Michaud
bfff9237fa
[RELEASE] v4.15.1 (#919) 2020-04-26 00:29:08 +02:00
Clément Michaud
29325ab273
Fix CSP not propagated in default handler. (#915)
Also:
- not hide the CSP header in the dist version of suites.
- Fix CSP errors due to FontAwesome loading stylesheets dynamically.
2020-04-26 00:12:55 +02:00
Daniel Sutton
ca4a890fb2
[MISC] Update to alpine 3.11.6 (#917)
* update to alpine 3.11.6

Signed-off-by: Daniel Sutton <daniel@ducksecops.uk>
2020-04-25 22:56:32 +02:00
James Elliott
4e7d645084
[FIX] Layout discrepancy with U2F (#914)
* 4.8.0 deps bump changed the root containers padding from 32px to 24px
* only affects the u2f screen, this fixes the padding on the root container for the Login Layout
* this makes u2f screen layout behave the same as all of the other ones
2020-04-25 16:56:56 +02:00
Clément Michaud
9116135401
[BUGFIX] Bad redirection behavior after inactivity and inactivity update events. (#911)
* This affects primarily Authelia instances running behind Traefik or
nginx ingress controllers within Kubernetes because those proxies
require that Authelia returns 302 instead of 401 after the session
has been inactive for too long.
* fixes #909
* fixed activity timestamp not being updated when accessing forbidden resources.
* fix inactivity not updated when user was inactive for too long.
* cover inactivity timeout updates with unit tests.
2020-04-25 09:29:36 +10:00
Clément Michaud
f92480b44b
[DOCS] Add SECURITY.md and update README.md. (#906)
* Add SECURITY.md and update README.md.

* Align README.md and SECURITY.md with the security documentation.
2020-04-24 10:29:30 +10:00
Clément Michaud
1b8dccb806
Fix broken link in threat model. (#908) 2020-04-24 07:18:16 +10:00
Clément Michaud
a3721b69ce
Add mention about TLS support in threat model. (#907)
* Add mention about TLS support in threat model.

* Try to fix title rendering.
2020-04-23 22:59:04 +02:00
James Elliott
8917c98d65
[RELEASE] v4.15.0 (#904)
* [RELEASE] v4.15.0

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-23 12:43:27 +10:00
James Elliott
e89e040949
[FIX] File Notifier Default Permissions (#902)
* [FIX] File Notifier Default Permissions

* set to 0600 for security
* recreate file if it exists with correct perms
* remove named return vars from notifier
2020-04-23 12:01:24 +10:00
James Elliott
c1ac25a15b
[FEATURE] Config Validation (#901)
* [FEATURE] Config Validation

* check configuration for invalid keys on startup
* allow users to manually trigger all configuration validation on a file using a cmd
* setup all defaults in config template and run tests against it to prevent accidents
* use tests to check bad configuration values are caught
* use tests to check old configuration values are caught
* add tests for specific key errors
* resolve merge conflicts
* nolint prealloc for test
2020-04-23 11:47:27 +10:00
James Elliott
b9fb33d806
[FEATURE] File Secrets (#896)
* [FEATURE] File Secret Loading

* add a validator for secrets
* run the secrets validator before the main config validator
* only allow a secret to be defined in one of: config, env, file env
* remove LF if found in file
* update configuration before main config validation
* fix unit tests
* implement secret testing
* refactor the secrets validator
* make check os agnostic
* update docs
* add warning when user attempts to use ENV instead of ENV file
* discourage ENV in docs
* update config template
* oxford comma
* apply suggestions from code review
* rename Validate to ValidateConfiguration
* add k8s example
* add deprecation notice in docs and warning
* style changes
2020-04-23 11:11:32 +10:00
Amir Zarrinkafsh
0ec3f18b44
[CI] Introduce GitHub checks based linting with reviewdog (#900)
* [CI] Introduce linting for branch commits with reviewdog
This utilises the GitHub checks API and could be a potential candidate instead of in-line PR reviews.

* [CI] Change reporter to `github-check`

* [CI] Adjust linting in-line PR commentary to execute with linting step
2020-04-22 23:10:22 +10:00