Commit Graph

187 Commits

Author SHA1 Message Date
alexw1982
0ba634ffee
[DOCS] Update Fail2Ban security measures (#1349)
* [Docs] Security measures - Fail2Ban

Minor changes / improvements to the text

* Update measures.md

* Update docs/security/measures.md
2020-10-17 13:44:48 +11:00
dependabot-preview[bot]
e0c44966e5
[MISC] (deps): Bump just-the-docs from 0.3.2 to 0.3.3 in /docs (#1375)
Bumps [just-the-docs](https://github.com/pmarsceill/just-the-docs) from 0.3.2 to 0.3.3.
- [Release notes](https://github.com/pmarsceill/just-the-docs/releases)
- [Commits](https://github.com/pmarsceill/just-the-docs/compare/v0.3.2...v0.3.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-15 15:13:34 +11:00
dependabot-preview[bot]
0e34ae78fd
[MISC] (deps-dev): Bump github-pages from 208 to 209 in /docs (#1368)
Bumps [github-pages](https://github.com/github/pages-gem) from 208 to 209.
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v208...v209)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-11 22:33:50 +11:00
alexw1982
adf6b7878d
[DOCS] Add fail2ban security measures (#1344)
* Update measures.md

Closes #1176.
2020-09-30 11:40:26 +10:00
dependabot-preview[bot]
3f65547e3b
[MISC] (deps-dev): Bump github-pages from 207 to 208 in /docs (#1345)
Bumps [github-pages](https://github.com/github/pages-gem) from 207 to 208.
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v207...v208)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-29 12:22:36 +10:00
thehedgefrog
86ecc03640
Updated secrets.md with a functional DaemonSet (#1287)
* Updated secrets.md with a functional DaemonSet

* changed TCP socket for API endpoints
2020-09-25 09:48:24 +10:00
Amir Zarrinkafsh
607f829431
[DOCS] Clean HAProxy examples (#1338)
Remove headers that are not required and fix a typo.
2020-09-23 17:29:46 +10:00
Amir Zarrinkafsh
5b98b4d090
[BUGFIX] Fix HAProxy redirects (#1333)
Including updates to docs examples.
2020-09-23 09:06:26 +10:00
Amir Zarrinkafsh
8d68886b5b
[DOCS] Fix default layout (#1329) 2020-09-19 00:58:41 +10:00
dependabot-preview[bot]
35a7e954a2
[MISC] (deps): Bump just-the-docs from 0.3.1 to 0.3.2 in /docs (#1320)
Bumps [just-the-docs](https://github.com/pmarsceill/just-the-docs) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/pmarsceill/just-the-docs/releases)
- [Commits](https://github.com/pmarsceill/just-the-docs/compare/v0.3.1...v0.3.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-19 00:34:08 +10:00
Amir Zarrinkafsh
771c220d38
[FEATURE] Support updated haproxy-auth-request (#1310)
* [FEATURE] Support updated haproxy-auth-request
This version removes the dependency of lua-socket which seemed to result in many unsupported and broken BSD/Pfsense deployments.

* Fix docs indentation

* Add haproxy-lua-http to TLS enabled configuration
2020-09-10 10:52:57 +10:00
James Elliott
a92b0bff1d
[FEATURE] Plain Text Email Notifications (#1238)
* add a plain text email template
* use plain text email template for file based emails
* add config option to SMTP emails named disable_html_emails
  * config option is a boolean that when set to true will only send plain text emails
* add docs for more complex SMTP notifier options
* update template
* add rfc1341 multipart logic to notifier
* check for errors after identity_verification

* * fix nil ptr
* go mod tidy
* remove needless checks

* * use multipart/atlernative instead

* * add rfc5322 compliant date header

* * fix linting issues
2020-08-21 12:16:23 +10:00
Chris Smith
c70255f9ef
[DOCS] Add FAQ for Kubernetes deployment (#1252)
* Add note to Kubernetes page about potential OOM

See #1234
2020-08-14 13:30:37 +10:00
dependabot-preview[bot]
33f039c117
[MISC] (deps): Bump github-pages and jekyll in /docs (#1257)
Bumps [github-pages](https://github.com/github/pages-gem) and [jekyll](https://github.com/jekyll/jekyll). These dependencies needed to be updated together.

Updates `github-pages` from 206 to 207
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v206...v207)

Updates `jekyll` from 3.8.7 to 3.9.0
- [Release notes](https://github.com/jekyll/jekyll/releases)
- [Changelog](https://github.com/jekyll/jekyll/blob/master/History.markdown)
- [Commits](https://github.com/jekyll/jekyll/compare/v3.8.7...v3.9.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-08-11 21:54:29 +10:00
James Elliott
ea1fae6491
[MISC] Storage Schema Versioning Model (#1057)
* [MISC] Storage Schema Versioning Model 

* fixup go.sum
* remove pq
* fix int to text issue
* fix incorrect SQL text
* use key_name vs key
* use transactions for all queries during upgrades
* fix missing parenthesis
* move upgrades to their own file
* add provider name for future usage in upgrades
* fix missing create config table values
* fix using the const instead of the provider SQL
* import logging once and reuse
* update docs
* remove db at suite teardown
* apply suggestions from code review
* fix mysql
* make errors more uniform
* style changes
* remove commented code sections
* remove commented code sections
* add schema version type
* add sql mock unit tests
* go mod tidy
* test blank row situations
2020-07-16 15:56:08 +10:00
dependabot-preview[bot]
145a83ee0d
[MISC] (deps): Bump just-the-docs from 0.3.0 to 0.3.1 in /docs (#1205)
Bumps [just-the-docs](https://github.com/pmarsceill/just-the-docs) from 0.3.0 to 0.3.1.
- [Release notes](https://github.com/pmarsceill/just-the-docs/releases)
- [Commits](https://github.com/pmarsceill/just-the-docs/compare/v0.3.0...v0.3.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-07-16 00:11:53 +02:00
Amir Zarrinkafsh
c5916cbce6
[DOCS] Adjust Deployment navigation order (#1160) 2020-06-29 16:55:41 +10:00
Amir Zarrinkafsh
697ffd8d73
[DOCS] Fix just-the-docs theme styling (#1159)
This fixes a minor regression due to #1158.
As there was significant styling changes and due to our introduction of the github fork ribbon for the docs the layout also needed to be updated.
2020-06-29 11:20:38 +10:00
dependabot-preview[bot]
997e17cdc6
[MISC] (deps): Bump just-the-docs from 0.2.9 to 0.3.0 in /docs (#1158)
Bumps [just-the-docs](https://github.com/pmarsceill/just-the-docs) from 0.2.9 to 0.3.0.
- [Release notes](https://github.com/pmarsceill/just-the-docs/releases)
- [Commits](https://github.com/pmarsceill/just-the-docs/compare/v0.2.9...v0.3.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-06-29 09:42:14 +10:00
Philipp Staiger
5c4edf2f4d
[FEATURE] Support for subject combinations in ACLs (#1142) 2020-06-25 18:22:42 +10:00
dependabot-preview[bot]
1a76241ad4
[MISC] (deps): Bump just-the-docs from 0.2.7 to 0.2.9 in /docs (#1151)
Bumps [just-the-docs](https://github.com/pmarsceill/just-the-docs) from 0.2.7 to 0.2.9.
- [Release notes](https://github.com/pmarsceill/just-the-docs/releases)
- [Commits](https://github.com/pmarsceill/just-the-docs/compare/v0.2.7...v0.2.9)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-06-23 21:48:15 +02:00
Amir Zarrinkafsh
e43bc93047
[FEATURE] Add configurable display name to frontend (#1124)
* [FEATURE] Add configurable display name to frontend
This feature allows users with a LDAP backend to specify an attribute (default is "displayname") to retrieve a users name for the portal greeting.
Similarly for the file based backend a new required key "name" has been introduced.

This can also be used down the line with OIDC as a separate scope.

* Update references from Name to DisplayName
* Update compose bundles to include displayname refs
* Update LDAP automatic profile refresh
* Ensure display name is updated
* Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 20:50:21 +10:00
Amir Zarrinkafsh
ff7f9a50ab
[FEATURE] Docker simplification and configuration generation (#1113)
* [FEATURE] Docker simplification and configuration generation
The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template.

This will allow more seamless bootstrapping of an environment no matter the deployment method.

We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment.

Users with the old volume mappings have two options:
1. Change their mappings to conform to `/config`
2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping

* Adjust paths relative to `/etc/authelia` and simplify to single volume for compose
* Add generation for file backend based user database
* Refactor Docker volumes and paths to /config
* Refactor Docker WORKDIR to /app
* Fix integration tests
* Update BREAKING.md for v4.20.0
* Run go mod tidy
* Fix log_file_path in miscellaneous.md docs
* Generate config and userdb with 0600 permissions
* Fix log_file_path in config.template.yml
2020-06-17 16:25:35 +10:00
Amir Zarrinkafsh
2b8acb1a0b
[DOCS] Fix link for K8s setup (#1110) 2020-06-11 16:02:50 +10:00
Clement Michaud
1a1f86adf9
[DOCS] Main logo redirects to root of www.authelia.com. 2020-06-10 22:25:40 +02:00
Clement Michaud
5fc54be078
[DOCS] Try to remove url from docs config. 2020-06-10 21:24:36 +02:00
Clement Michaud
fa0c27edea
[DOCS] Add trailing slash in baseurl of documentation. 2020-06-10 21:20:21 +02:00
Clement Michaud
7d4bbd7cea
Serve docs under www.authelia.com/docs. 2020-06-10 21:08:06 +02:00
Clément Michaud
b68ed06a0b
[MISC] Configure docs to be served under /docs base url. (#1105) 2020-06-10 21:00:49 +02:00
Clément Michaud
2c0fa811a2
[DOCS] Improve documentation around Remote-User and Remote-Groups usage. (#1091)
* [DOCS] Improve documentation around Remote-User and Remote-Groups usage.

* Update docs/deployment/supported-proxies/index.md

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-06-08 17:17:24 +10:00
Clément Michaud
17f9ab3371
[DOCS] Add google analytics tracking to the documentation. (#1093)
This will allow us to analyze how the documentation is used in order to improve it
accordingly.
2020-06-08 00:44:40 +02:00
Clément Michaud
945eb4a8bf
[DOCS] Add fork me on github ribbon to documentation. (#1081)
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-06-04 13:37:19 +10:00
Clément Michaud
d6bea97a93
[DOCS] Add a roadmap section to the documentation. (#1062)
* [DOCS] Add a roadmap section to the documentation.

Adding the roadmap will likely help people figure out what are the next big
topics that might be missing for them to take the leap and use Authelia.
Maybe some users are also waiting for a feature to unlock some use cases.

* Apply suggestions from code review

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-06-01 16:55:58 +10:00
dependabot-preview[bot]
15abe5053a
[MISC] (deps): Bump github-pages and jekyll in /docs (#1051)
Bumps [github-pages](https://github.com/github/pages-gem) and [jekyll](https://github.com/jekyll/jekyll). These dependencies needed to be updated together.

Updates `github-pages` from 204 to 206
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v204...v206)

Updates `jekyll` from 3.8.5 to 3.8.7
- [Release notes](https://github.com/jekyll/jekyll/releases)
- [Changelog](https://github.com/jekyll/jekyll/blob/master/History.markdown)
- [Commits](https://github.com/jekyll/jekyll/compare/v3.8.5...v3.8.7)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-05-26 09:39:54 +10:00
Amir Zarrinkafsh
08d412ece8
[DOCS] Add FAQs to Traefik2 (#1038)
Closes #997.
2020-05-21 16:48:54 +02:00
James Elliott
fcd0b5e46a
[FEATURE] Allow Authelia to listen on a specified path (#1027)
* [FEATURE] Allow Authelia to listen on a specified path

* Fix linting and add a couple typescript types

* Template index.html to support base_url

* Update docs and configuration template

* Access base path from body attribute.

* Update CSP

* Fix unit test
Also remove check for body as this will never get triggered, react itself is loaded inside the body so this has to always be successful.

* Template index.html with ${PUBLIC_URL}

* Define PUBLIC_URL in .env(s)

* Add docs clarification

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-21 12:20:55 +10:00
James Elliott
469daedd36
[FEATURE] Delay 1FA Authentication (#993)
* adaptively delay 1FA by the actual execution time of authentication
* should grow and shrink over time as successful attempts are made
* uses the average of the last 10 successful attempts to calculate
* starts at an average of 1000ms
* minimum is 250ms
* a random delay is added to the largest of avg or minimum
* the random delay is between 0ms and 85ms
* bump LDAP suite to 80s timeout
* bump regulation scenario to 45s
* add mutex locking
* amend logging
* add docs
* add tests

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-21 00:03:15 +02:00
dependabot-preview[bot]
41bbb73e9d
[MISC] (deps): [Security] Bump activesupport in /docs (#1030)
Bumps [activesupport](https://github.com/rails/rails) from 6.0.2.1 to 6.0.3.1. **This update includes a security fix.**
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v6.0.3.1/activesupport/CHANGELOG.md)
- [Commits](https://github.com/rails/rails/compare/v6.0.2.1...v6.0.3.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-05-19 08:24:24 +10:00
Clément Michaud
fe5ebfb75a
[FEATURE] Bump to fasthttp/session/v2 to support redis unix socket. (#1001)
* [FEATURE] Bump to fasthttp/session/v2 to support redis unix socket.

* Fix lint issues.

* Remove v1 import and fix double import.

* [DOCS] Document use of redis unix socket.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-18 12:45:47 +10:00
James Elliott
a4cf2e675f
[DEPRECATE] Remove Google Analytics (#1021)
* it doesn't work with our current CSP
* it's probably not used by anyone
* it isn't in harmony with our security purposes
* literally removes all use of it
* suggestions from code review
* remove useless test.

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2020-05-16 09:41:42 +10:00
James Elliott
73bd2e4479
[FIX] Hash Password Cmd Not Encoding Provided Salt (#999)
* using authelia hash-password if you provide a salt it doesn't encode it as a base64 string
* this causes invalid salts to be stored if a user manually provided one instead of reliance on the automatic generation
* additionally bumped the minimum required salt length to 8 as per reference spec
* additionally removed the maximum salt length as per reference spec (actually 2^32-1 per int32)
* see docs:
  * https://tools.ietf.org/html/draft-irtf-cfrg-argon2-10
  * https://github.com/P-H-C/phc-winner-argon2
  * https://github.com/P-H-C/phc-string-format
* encode all salts
* fix edge case of false positive in CheckPassword
* bump crypt version and fix tests
2020-05-14 15:55:03 +10:00
Amir Zarrinkafsh
561a3f551c
[DOCS] Fix typos in proxy examples (#1015)
Also include global http -> https redirection in Traefik 2.x example.
2020-05-14 13:26:52 +10:00
Clément Michaud
85933dd25d
Document future possibility to use alternative 1FA methods. (#1000) 2020-05-10 07:46:28 +10:00
James Elliott
9e7947a193
[DEPRECATE] Environment Variable Secrets (#905)
* remove ENV usages
* fix reader unit tests
* fix standalone suite
* fix k8s suite
* apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-08 11:01:57 +10:00
James Elliott
3f374534ab
[FEATURE] Automatic Profile Refresh - LDAP (#912)
* [FIX] LDAP Not Checking for Updated Groups

* refactor handlers verifyFromSessionCookie
* refactor authorizer selectMatchingObjectRules
* refactor authorizer isDomainMatching
* add authorizer URLHasGroupSubjects method
* add user provider ProviderType method
* update tests
* check for new LDAP groups and update session when:
  * user provider type is LDAP
  * authorization is forbidden
  * URL has rule with group subjects

* Implement Refresh Interval

* add default values for LDAP user provider
* add default for refresh interval
* add schema validator for refresh interval
* add various tests
* rename hasUserBeenInactiveLongEnough to hasUserBeenInactiveTooLong
* use Authelia ctx clock
* add check to determine if user is deleted, if so destroy the
* make ldap user not found error a const
* implement GetRefreshSettings in mock

* Use user not found const with FileProvider
* comment exports

* use ctx.Clock instead of time pkg

* add debug logging

* use ptr to reference userSession so we don't have to retrieve it again

* add documenation
* add check for 0 refresh interval to reduce CPU cost
* remove badly copied debug msg

* add group change delta message

* add SliceStringDelta
* refactor ldap refresh to use the new func

* improve delta add/remove log message

* fix incorrect logic in SliceStringDelta
* add tests to SliceStringDelta

* add always config option
* add tests for always config option
* update docs

* apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* complete mocks and fix an old one
* show warning when LDAP details failed to update for an unknown reason

* golint fix

* actually fix existing mocks

* use mocks for LDAP refresh testing

* use mocks for LDAP refresh testing for both added and removed groups

* use test mock to verify disabled refresh behaviour
* add information to threat model
* add time const for default Unix() value

* misc adjustments to mocks

* Suggestions from code review

* requested changes
* update emails
* docs updates
* test updates
* misc

* golint fix

* set debug for dev testing

* misc docs and logging updates

* misc grammar/spelling

* use built function for VerifyGet

* fix reviewdog suggestions

* requested changes

* Apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-04 21:39:25 +02:00
Clément Michaud
da5c722cf8
[DOCS] Introduce an FAQ and document forwarded authentication. (#962)
* add FAQ docs section
* add forwarded authentication section to deployments > supported proxies
* apply suggestions from code review

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-03 13:18:13 +10:00
Amir Zarrinkafsh
310c5dc09b
[DOCS] Harmonize Remote-User and Remote-Groups headers in nginx example (#963)
Fixes #957.

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-05-02 17:10:26 +02:00
Amir Zarrinkafsh
6d8f45513f
[DOCS] Update secrets examples for Docker Compose (#948)
* [DOCS] Update secrets examples for Docker Compose

* Fix typo

* Include examples for Docker Secrets and bind mounted secret files
2020-05-01 16:58:40 +10:00
James Elliott
c9e8a924e0
[FEATURE] Buffer size configuration and additional http error handling (#944)
* implement read buffer size config option
* implement write buffer size config option
* implement fasthttp ErrorHandler so we can log errors to Authelia as well
* add struct/schema validation
* add default value
* add docs
* add config key to validator
* refactoring
* apply suggestions from code review

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-30 12:03:05 +10:00
Dimitris Zervas
c9efae05ad
[DOCS] Add jira auto-login with http headers documentation (#868)
* Add jira auto-login with http headers documentation

* Update two-factor-basic-auth.md

* Create using-remote-user-header-for-sso-with-jira.md
2020-04-29 12:34:05 +10:00
Amir Zarrinkafsh
f8bd506326
[FEATURE] Embed static assets in Go binary (#916)
* [FEATURE] Embed static assets in Go binary

* Refactor/consolidate code and specify public_html via configuration

* Update docs and config template for assets

* Update AUR package pre-requisites and systemd unit

* Include static assets as Buildkite and GitHub artifacts

* Remove references to PUBLIC_DIR

* Only serve assets via embedded filesystem and remove configuration references

* Update authelia-scripts helper to build the embedded filesystem

* Mock the embedded filesystem for unit tests
Add to gitignore to ensure this isn't overwritten.

* Move go:generate to satisfy linter
2020-04-29 00:07:20 +10:00
Amir Zarrinkafsh
ff2df8b039
[DOCS] Fix HAProxy typo (#937) 2020-04-28 21:00:10 +10:00
Amir Zarrinkafsh
69859aa5d4
[DOCS] Update HAProxy code syntax style (#936) 2020-04-28 20:53:06 +10:00
Amir Zarrinkafsh
dca8a5343a
[DOCS] Update proxy integration example for HAProxy (#935)
* [DOCS] Update proxy integration example for HAProxy

* Minor style tweak

* Update haproxy.md

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-04-28 19:17:45 +10:00
Clément Michaud
1b8dccb806
Fix broken link in threat model. (#908) 2020-04-24 07:18:16 +10:00
Clément Michaud
a3721b69ce
Add mention about TLS support in threat model. (#907)
* Add mention about TLS support in threat model.

* Try to fix title rendering.
2020-04-23 22:59:04 +02:00
James Elliott
c1ac25a15b
[FEATURE] Config Validation (#901)
* [FEATURE] Config Validation

* check configuration for invalid keys on startup
* allow users to manually trigger all configuration validation on a file using a cmd
* setup all defaults in config template and run tests against it to prevent accidents
* use tests to check bad configuration values are caught
* use tests to check old configuration values are caught
* add tests for specific key errors
* resolve merge conflicts
* nolint prealloc for test
2020-04-23 11:47:27 +10:00
James Elliott
b9fb33d806
[FEATURE] File Secrets (#896)
* [FEATURE] File Secret Loading

* add a validator for secrets
* run the secrets validator before the main config validator
* only allow a secret to be defined in one of: config, env, file env
* remove LF if found in file
* update configuration before main config validation
* fix unit tests
* implement secret testing
* refactor the secrets validator
* make check os agnostic
* update docs
* add warning when user attempts to use ENV instead of ENV file
* discourage ENV in docs
* update config template
* oxford comma
* apply suggestions from code review
* rename Validate to ValidateConfiguration
* add k8s example
* add deprecation notice in docs and warning
* style changes
2020-04-23 11:11:32 +10:00
James Elliott
9e9dee43ac
[FEATURE] Notifier Startup Checks (#889)
* implement SMTP notifier startup check
* check dial, starttls, auth, mail from, rcpt to, reset, and quit
* log the error on failure
* implement mock
* misc optimizations, adjustments, and refactoring
* implement validate_skip config option
* fix comments to end with period
* fix suites that used smtp notifier without a smtp container
* add docs
* add file notifier startup check
* move file mode into const.go
* disable gosec linting on insecureskipverify since it's intended, warned, and discouraged
* minor PR commentary adjustment
* apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-21 14:59:38 +10:00
Clément Michaud
e7f18377f4
[DOCS] Add threat model documentation under security section. (#872)
* [DOCS] Add threat model documentation under security section.

* Update docs/security/threat-model.md

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-16 18:12:41 +10:00
Dustin Sweigart
951dc71325
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869)
* added support for listing multiple domains and multiple subjects

* updated documentation to show use of multiple domains and subjects

* updated config.template.yml to display multiple domains as a list

* updated config.template.yml to display multiple subjects as a list

* updated docs/configuration/access-control.md to display multiple domains as a list

* updated docs/configuration/access-control.md to display multiple subjects as a list

* removed redundant check that always returned true

* Commentary definition for `weak`
2020-04-16 10:18:11 +10:00
Clément Michaud
c5e614c86b
[DOCS] Improve documentation about users unique identifier. (#871)
Following discussion in #865.
2020-04-16 09:46:51 +10:00
James Elliott
92084bc5b2
[MISC] Add http debug routes (#848)
* [MISC] Add debug endpoints to Authelia

* enabled only with trace logging
* allows go tool pprof usage when enabled
* enables both the expvarhandler and pprofhandler from fasthttp
* simplify tls/non-tls listen and serve
* make it easy to define custom settings of the fasthttp server in the future
* make name param optional
* add note about the trace setting in the documentation
2020-04-11 14:59:58 +10:00
James Elliott
b0b3d61954
[DOCS] Adjust yaml snippets and misc adjustments (#855)
* [DOCS] Adjust yaml snippets

* use two spaces
* use yaml syntax highlighting
* other misc uniformity changes
* fix misc grammar
* add responsible disclosure link

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-11 14:46:07 +10:00
James Elliott
b3ce7fc379
[BUGFIX] Password hashing schema map mismatch with docs (#852)
* add a nolint for gosec 'possibly hardcoded password' that was incorrect
* make all parameters consistent
* update the docs for the correct key name 'password' instead of 'password_options' or 'password_hashing'
* reword some of the docs
* apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-11 13:54:18 +10:00
Sohalt
653c1ad815
[DOCS] Fix typo in the template and docs for Postgres (#853)
* update config.template.yml
* update postgres documentation
2020-04-11 12:38:57 +10:00
Amir Zarrinkafsh
76e8142032
[DOCS] Add Remote-User and Remote-Groups headers to Traefik docs and examples (#849) 2020-04-11 11:49:54 +10:00
James Elliott
bb1158b91e
[DOCS] Fix Password Hashing Example Spacing (#847) 2020-04-10 10:08:42 +10:00
James Elliott
2fed503e5e
[FEATURE] Customizable Email Subject (#830)
* [FEATURE] Customizable Email Subject

* allow users to optionally change email subject
* this is so they can more easily communicate the source of the email

* Update docs/configuration/notifier/smtp.md

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-09 10:21:28 +10:00
James Elliott
8aade7f40e
[MISC] Update durations to notation format and housekeeping (#824)
* added regulation validator
* made regulations find_time and ban_time values duration notation strings
* added DefaultRegulationConfiguration for the validator
* made session expiration and inactivity values duration notation strings
* TOTP period does not need to be converted because adjustment should be discouraged
* moved TOTP defaults to DefaultTOTPConfiguration and removed the consts
* arranged the root config validator in configuration file order
* adjusted tests for the changes
* moved duration notation docs to root of configuration
* added references to duration notation where applicable
* project wide gofmt and goimports:
* run gofmt
* run goimports -local github.com/authelia/authelia -w on all files
* Make jwt_secret error uniform and add tests
* now at 100% coverage for internal/configuration/validator/configuration.go
2020-04-05 22:37:21 +10:00
James Elliott
9800421b88
[FEATURE] Disable Reset Password (#823)
* [FEATURE] Disable Reset Password
* add configuration key to authentication_backend called disable_reset_password
* disable_reset_password prevents the API handler for the functionality and the UI element
* disable_reset_password is a boolean
* adjust RememberMeEnabled to be RememberMe instead as it's just unnecessary
* add docs for security measures and in the authentication docs
* updated config.template.yml
* add flexEnd style to align reset password when remember me disabled
* add todo items for ldap user/password validation relating to this
2020-04-05 09:28:09 +10:00
James Elliott
626f5d2949
[FEATURE] Remember Me Configuration (#813)
* [FEATURE] Remember Me Configuration
* allow users to specify the duration of remember me using remember_me_duration in session config
* setting the duration to 0 disables remember me
* only render the remember me element if remember me is enabled
* prevent malicious users from faking remember me functionality in the backend
* add string to duration helper called ParseDurationString to parse a string into a duration
* added tests to the helper function
* use the SessionProvider to store the time.Duration instead of parsing it over and over again
* add sec doc, adjust month/min, consistency
* renamed internal/utils/constants.go to internal/utils/const.go to be consistent
* added security measure docs
* adjusted default remember me duration to be 1 month instead of 1 year
* utilize default remember me duration in the autheliaCtx mock
* adjust order of keys in session configuration examples
* add notes on session security measures secret only being redis 
* add TODO items for duration notation for both Expiration and Inactivity (will be removed soon)
* fix error text for Inactivity in the validator 
* add session validator tests
* deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY)
* remove unnecessary regex for the simplified ParseDurationString utility
* ParseDurationString only accepts decimals without leading zeros now
* comprehensively test all unit types
* remove unnecessary type unions in web
* add test to check sanity of time duration consts, this is just so they can't be accidentally changed
* simplify deref check and assignment
* fix reset password padding/margins
* adjust some doc wording
* adjust the handler configuration suite test
* actually run the handler configuration suite test (whoops)
* reduce the number of regex's used by ParseDurationString to 1, thanks to Clement
* adjust some error wording
2020-04-04 10:11:33 +11:00
Amir Zarrinkafsh
8bcda073ef
[DOCS] Fix users_filter typo in docs (#805)
Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-03-31 23:12:53 +02:00
Clément Michaud
7a3e782dc0
[FEATURE][BREAKING] Allow users to sign in with email. (#792)
* [FEATURE][BREAKING] Allow users to sign in with email.

The users_filter purpose evolved with the introduction of username_attribute
but is reverted here to allow the most flexibility. users_filter is now the
actual filter used for searching the user and not a sub-filter based on the
username_attribute anymore.

* {input} placeholder has been introduced to later deprecate {0} which has been
kept for backward compatibility.
* {username_attribute} and {mail_attribute} are new placeholders used to back
reference other configuration options.

Fix #735

* [MISC] Introduce new placeholders for groups_filter too.

* [MISC] Update BREAKING.md to mention the change regarding users_filter.

* [MISC] Fix unit and integration tests.

* Log an error message in console when U2F is not supported.

* Apply suggestions from code review

* Update BREAKING.md

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-31 09:36:04 +11:00
Amir Zarrinkafsh
85cd75ffdf
[DOCS] Minor tweaks for compose bundles (#786) 2020-03-27 11:51:16 +11:00
Amir Zarrinkafsh
e843a52a04
[Docker] Include docker-compose.yml examples to run Authelia (#642)
* [Docker] Create Lite docker-compose.yml example

* [Docker] Update README.md with 3 compose bundles {Local,Lite,Full}

* [DOCS] Update Traefik2 proxy example

* [Docker] Create Local docker-compose.yml example

* [MISC] Update examples to utilise Traefik 2.2
This change enables global http -> https redirection.

* [Docker] Update Local compose to utilise loopback address

* [Docker] Drop compose version to 3.3 to cater for more distros

* [DOCS] Adjust Getting Started

* [Docker] Tweak Local bundle setup for OSX

* [Docker] Optimise setup.sh for Local bundle

* [Docker] Fix read-only mounting of user database

* [DOCS] Implement feedback for compose bundles

* [DOCS] Provide feedback on self-signed certificates

* [DOCS] Implement additional feedback for compose bundles

Co-authored-by: Clément Michaud <clement.michaud34@gmail.com>
2020-03-27 10:43:10 +11:00
James Elliott
40fb13ba3c
[FEATURE] TOTP Tuning Configuration Options and Fix Timer Graphic (#773)
* Add period TOPT config key to define the time in seconds each OTP is rotated
* Add skew TOTP config to define how many keys either side of the current one should be considered valid
* Add tests and set minimum values
* Update config template
* Use unix epoch for position calculation and Fix QR gen
  * This resolves the timer resetting improperly at the 0 seconds mark and allows for periods longer than 1 minute
* Generate QR based on period
* Fix OTP timer graphic
2020-03-25 12:48:20 +11:00
Clément Michaud
cc6650dbcd
[BUGFIX] [BREAKING] Set username retrieved from authentication backend in session. (#687)
* [BUGFIX] Set username retrieved from authentication backend in session.

In some setups, binding is case insensitive but Authelia is case
sensitive and therefore need the actual username as stored in the
authentication backend in order for Authelia to work correctly.

Fixes #561.

* Use uid attribute as unique user identifier in suites.

* Fix the integration tests.

* Update config.template.yml

* Compute user filter based on username attribute and users_filter.

The filter provided in users_filter is now combined with a filter
based on the username attribute to perform the LDAP search query
finding a user object from the username.

* Fix LDAP based integration tests.

* Update `users_filter` reference examples
2020-03-15 18:10:25 +11:00
Amir Zarrinkafsh
f3fd79d731
[DOCS] Review all docs and adjust since the initial refactoring (#698)
* [DOCS] Review all docs and adjust since the initial refactoring

* [DOCS] Minor tweaks
2020-03-10 09:37:46 +11:00
Clément Michaud
c429488738
[FEATURE] [BREAKING] Support writing logs in a file. (#686)
* [FEATURE] Support writing logs in a file.

* Add documentation about logs file path.

* Rename logs_level and logs_file_path into log_level and log_file_path.

* Update BREAKING.md

Fixes #338

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-09 20:57:53 +01:00
James Elliott
49c40ca0a0
[DOCS] Reorganize file auth config docs (#693) 2020-03-09 13:02:14 +11:00
Clément Michaud
3c8babbd4f
[DOCS] Proxy documentation not available anymore. (#692) 2020-03-08 16:29:16 +01:00
Amir Zarrinkafsh
cc25b565c7
[MISC] Update Golang and QEMU to v1.14.0 and v4.2.0-6 respectively (#685)
* [MISC] Update Golang and QEMU to v1.14.0 and v4.2.0-6 respectively

* Argon2id memory in MB for Config Template

* Doc Fix

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-03-06 19:40:56 +11:00
James Elliott
26369fff3d
[FEATURE] Support Argon2id password hasing and improved entropy (#679)
* [FEATURE] Support Argon2id Passwords

- Updated go module github.com/simia-tech/crypt
- Added Argon2id support for file based authentication backend
- Made it the default method
- Made it so backwards compatibility with SHA512 exists
- Force seeding of the random string generator used for salts to ensure they are all different
- Added command params to the authelia hash-password command
- Automatically remove {CRYPT} from hashes as they are updated
- Automatically change hashes when they are updated to the configured algorithm
- Made the hashing algorithm parameters completely configurable
- Added reasonably comprehensive test suites
- Updated docs
- Updated config template

* Adjust error output

* Fix unit test

* Add unit tests and argon2 version check

* Fix new unit tests

* Update docs, added tests

* Implement configurable values and more comprehensive testing

* Added cmd params to hash_password, updated docs, misc fixes

* More detailed error for cmd, fixed a typo

* Fixed cmd flag error, minor refactoring

* Requested Changes and Minor refactoring

* Increase entropy

* Update docs for entropy changes

* Refactor to reduce nesting and easier code maintenance

* Cleanup Errors (uniformity for the function call)

* Check salt length, fix docs

* Add Base64 string validation for argon2id

* Cleanup and Finalization
- Moved RandomString function from ./internal/authentication/password_hash.go to ./internal/utils/strings.go
- Added SplitStringToArrayOfStrings func that splits strings into an array with a fixed max string len
- Fixed an error in validator that would allow a zero salt length
- Added a test to verify the upstream crypt module supports our defined random salt chars
- Updated docs
- Removed unused "HashingAlgorithm" string type

* Update crypt go mod, support argon2id key length and major refactor

* Config Template Update, Final Tests

* Use schema defaults for hash-password cmd

* Iterations check

* Docs requested changes

* Test Coverage, suggested edits

* Wording edit

* Doc changes

* Default sanity changes

* Default sanity changes - docs

* CI Sanity changes

* Memory in MB
2020-03-06 12:38:02 +11:00
Amir Zarrinkafsh
0dea0fc82e
[FEATURE] Support MySQL as a storage backend. (#678)
* [FEATURE] Support MySQL as a storage backend.

Fixes #512.

* Fix integration tests and include MySQL in docs.
2020-03-05 10:25:52 +11:00
Victor
e033a399a7
[DOCS] Update two-factor-basic-auth.md (#680) 2020-03-03 18:37:18 +11:00
Clément Michaud
faf43de14f
[FEATURE] Add TLS support. (#677)
* [FEATURE] Add TLS support.

Fixes #368.

* [FEATURE] Introduce OnError hook in suites.

This hook allows to perform actions following an erroneous suite
like displaying the logs of Authelia.

* Display Authelia logs of Standalone suite when tests fail.

* Fix Standalone suite.

* Apply suggestions from code review

* Rename ssl_key and ssl_cert into tls_key and tls_cert.
2020-03-03 18:18:25 +11:00
Clément Michaud
0c43740a4e
[FEATURE] Add command to generate self-signed certs in authelia binary. (#676)
* [FEATURE] Add command to generate self-signed certs in authelia binary.
* Apply suggestions from code review

Fixes #454 

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-01 14:08:09 +01:00
Clément Michaud
b911c2f0f3
[DOCS] Make link to community doc clickable. (#675) 2020-03-01 21:58:53 +11:00
James Elliott
ffc87c1006
[DOCS] Fix Docs Links (#674)
- Fixed a few broken links
2020-03-01 16:58:26 +11:00
Clément Michaud
8ac30db51d
[DOCS] Create a community section in the documentation. (#671)
* [DOCS] Create a community section in the doc.

This section is meant to host the non-official documentation
produced by the community.

Fixes #582.

* Update index.md
2020-03-01 12:27:22 +11:00
Clément Michaud
b311bd5ead
[DOCS] Improve documentation about the integration with proxies. (#669)
* [DOCS] Improve documentation about the integration with proxies.

This improvement resolves #384.

* Update index.md
2020-03-01 12:11:16 +11:00
Clément Michaud
b5a9e0f047
[DOCS] Update links in README to reference docs.authelia.com. (#667)
* [DOCS] Update links in README to reference docs.authelia.com.

* Move report section of security to the top level page.

* Fix ordering of sub-pages of 2FA feature.
2020-03-01 00:27:23 +01:00
Clément Michaud
9c0e722bd7
[DOCS] Do not let think OAuth won't be supported. (#665)
* [DOCS] Do not let think OAuth won't be supported.

* [Buildkite] Prevent docs commit if there are no changes
2020-02-29 23:07:23 +11:00
Amir Zarrinkafsh
a268a16c6e
[BUGFIX] Prevent clobbering of CNAME for docs (#661) 2020-02-29 17:20:07 +11:00
Clément Michaud
a9f8958187
[BUGFIX] Add jekyll dependency in Gemfile. (#660)
* [BUGFIX] Add jekyll dependency in Gemfile.

* [Buildkite] Optimise documentation sync step

* [DOC] Fix merge conflict for index.md

* [DOC] Fix formatting issues
2020-02-29 16:15:03 +11:00
Clément Michaud
adf7bbaf5b
[DOCS] Bootstrap new documentation website based on just-the-docs (#659) 2020-02-29 01:43:59 +01:00
James Elliott
e1cd524f65
[FEATURE] SMTPS support (#643)
* [FEATURE] SMTPS Support
- Added port_tls option to enable SMTPS, off by default.

* Remove configuration variable for SMTPS

Instead we enable SMTPS on port 465 only. The reason for this is so we don't require an additional configuration variable.

* Add SMTPS warning and updated docs

* Adjust SMTPS warning
2020-02-20 12:09:46 +11:00
Amir Zarrinkafsh
f1a89de2e7
[MISC] Restructure repo folder layout (#628) 2020-02-09 18:04:27 +01:00
Clément Michaud
7f19078efb
[MISC] Document usage of env variables for setting secrets. (#606)
Closes #579.
2020-02-02 00:17:39 +11:00