Commit Graph

96 Commits

Author SHA1 Message Date
Clement Michaud
b53d16d8a1 Introduce Subject and Object in authorization module. 2018-11-17 18:29:10 +01:00
Clement Michaud
97bfafb6eb [BREAKING] Flatten the ACL rules to enable some use cases.
With previous configuration format rules were not ordered between groups and
thus not predictable. Also in some cases `any` must have been a higher
precedence than `groups`. Flattening the rules let the user apply whatever
policy he can think of.

When several rules match the (subject, domain, resource), the first one is
applied.

NOTE: This commit changed the format for declaring ACLs. Be sure to update
your configuration file before upgrading.
2018-11-17 18:08:29 +01:00
Clement Michaud
9fc55543fd Integrate more policy options in ACL rules.
The possible values for ACL policies are now: bypass, one_factor, two_factor,
deny.

This change also deprecate auth_methods because the method is now associated
directly to a resource in the ACLs instead of a domain.
2018-11-17 18:08:29 +01:00
Clement Michaud
42581dfe93 Fix open redirection vulnerability.
In order to redirect the user after authentication, Authelia uses
rd query parameter provided by the proxy. However an attacker could
use phishing to make the user be redirected to a bad domain. In order
to avoid the user to be redirected to a bad location, Authelia now
verifies the redirection URL is under the protected domain.
2018-11-17 17:48:20 +01:00
Clement Michaud
baa1899536 Fix U2F sign request after u2f library upgrade. 2018-11-17 13:58:48 +01:00
Clement Michaud
7c80515b34 Fix U2F authentication by upgrading libraries. 2018-11-06 15:45:01 +01:00
Clement Michaud
e8c3205e0a Make Authelia compatible with Firefox.
Use the polyfill version of u2f API provided by Google.

https://github.com/mastahyeti/u2f-api

This polyfill is at least compatible with Chrome and
Firefox after enabling the U2F support.

[HOWTO] Enable U2F in Firefox >= 57:
Navigate to 'about:config' and search for 'u2f' option.
Double-click on the line to toggle the option.
2018-10-27 18:22:01 +02:00
Clement Michaud
4c3b5cfbb3 Implement Keep me logged in feature. 2018-10-21 16:11:31 +02:00
Clement Michaud
059c5936f5 Add 'keep me logged in' checkbox in first factor page. 2018-10-21 15:25:28 +02:00
Clement Michaud
ad6b064063 Fix typing issue when using Dockerfile.dev. 2018-10-21 15:25:09 +02:00
Clement Michaud
91763e97a1 Get IP of the original client when querying /verify. 2018-08-28 23:06:14 +02:00
Clément Michaud
67f84b97c8
Enable authentication to Mongo and Redis. (#263)
* Fix issue in unit test of IdentityCheckMiddleware.

* Enable authentication to Mongo server.

* Enable authentication to Redis.
2018-08-26 13:10:23 +02:00
Clément Michaud
9dab40c2ce
Add support for users database on disk. (#262)
In order to simplify the deployment of Authelia for
testing, LDAP is now optional made optional thanks
to users database stored in a file. One can update
the file manually even while Authelia is running.

With this feature the minimal configuration requires
only two components: Authelia and nginx.

The users database is obviously made for development
environments only as it prevents Authelia to be scaled
to more than one instance.

Note: Configuration has been updated. Key `ldap` has
been nested in `authentication_backend`.
2018-08-26 10:30:43 +02:00
Clément Michaud
6438a5e48f
Fix ECONNRESET when LDAP queries fail. (#261)
This commit should fix #225.

In order to avoid stalling LDAP connections, Authelia creates new
sessions for each set of queries bound to one authentication, i.e.,
one session for authentication, emails retrieval and groups
retrieval.
Before this commit, a failing query was preventing the session to
be closed (unbind was not called). Now, unbind is always called
whatever the outcome of the query.

I took the opportunity of this commit to refactor LDAP client in
order to prepare the work on users database stored in a file.
(#233)
2018-08-25 19:22:48 +02:00
Clément Michaud
c503765dd6
Implement retry mechanism for broken connections to mongo (#258)
Before this patch, when Authelia started, if Mongo was not
up and running, Authelia failed to connect and never retried.
Now, everytime Authelia faces a broken connection, it tries
to reconnect during the next operation.
2018-08-19 16:51:36 +02:00
Clément Michaud
0dd9a5f815
Make session cookie name customizable. (#256)
This option is optional and set to authelia_session
by default.
2018-08-19 13:07:00 +02:00
Clement Michaud
6d6162f26c Add tests for minimal configuration 2018-08-10 00:12:04 +02:00
Clement Michaud
35fbea355f Fix logging after configuration refactoring 2018-08-09 23:52:53 +02:00
Clement Michaud
73be5bfc68 Fix missing default value in configuration 2018-08-09 23:52:53 +02:00
Clement Michaud
c82f910da3 Refactor configuration to remove optional sections from minimal template
Also move tests from dedicated directory to source dir with .spec.ts extension
2018-08-09 23:52:53 +02:00
Clément Michaud
a70863c48c
Merge branch 'master' into bootstrap_loading_spinner 2018-07-26 22:30:09 +02:00
Callan Bryant
dc0d0d046c restore important whitespace 2018-07-26 08:21:12 +01:00
Clément Michaud
fbe613d5ba
Merge branch 'master' into overlay_notifications 2018-07-25 21:31:23 +02:00
Clément Michaud
a8dbf27faf
Merge branch 'master' into bootstrap_loading_spinner 2018-07-25 21:31:11 +02:00
Clement Michaud
1e0a279179 Fix issues with integration tests in master 2018-07-25 20:52:26 +02:00
Callan Bryant
eea023a200 Make notifications appear on top instead of inline
Currently notifications reflow the document which causes the interface
to jump twice which can be frustrating if you're trying to click
something.

This change makes the notification appear at the top of the form as
such:
2018-07-20 09:34:13 +01:00
Callan Bryant
9cd48c068d Make first factor login page UI indicate loading state
* Submit button changes to "Loading..."
* Form fades and disables
2018-07-19 17:07:58 +01:00
Clement Michaud
df9cb51a89 Make sure session.domain is provided in config.yml 2018-05-17 01:12:14 +02:00
Clement Michaud
acd5a7a26d Fix compilation and unit tests 2018-05-17 00:06:07 +02:00
Clement Michaud
39555179e4 Bump all dependencies 2018-05-07 23:23:29 +02:00
Clement Michaud
4da5402cdf Add helmet dependency and add it as express middleware 2018-04-26 09:07:06 +02:00
Clement Michaud
7a13523004 Fix basic authentication and tests 2018-04-25 23:22:41 +02:00
Clement Michaud
bc72f5c508 Use x-original-url instead of host to deduce domain to check permissions for 2018-04-25 00:41:41 +02:00
Clement Michaud
4be299d6eb Adapt kube example to work without custom nginx template 2018-04-24 23:59:15 +02:00
Clement Michaud
48d6107b0b Rename redirect query parameter into rd for compatibility with nginx-ingress 2018-04-24 23:03:09 +02:00
Clement Michaud
bf3705b3e9 Attribute mail_attribute is not correcty taken into account 2018-04-24 21:33:31 +02:00
Clement Michaud
0b2f6ace83 Fix unit and integration tests 2018-03-29 23:09:29 +02:00
Clement Michaud
6586402114 Support 'redirect' in /api/verify endpoint to support Traefik
Traefik handles auth forwarding but does not manage redirections like Nginx.
Therefore, Authelia must redirect the user and Traefik will forward this
request.

To support both Nginx and Traefik, /api/verify is now configurable with the
'redirect' get parameter. If the verification fails and 'redirect' is not
provided the response will be a 401 error as before.
If the parameter is provided and set to any URL, the response will be a
redirection (302) to this URL.
2017-12-04 22:52:33 +01:00
Clement Michaud
515a82eb8d Add links and tooltips at second factor stage to better guide the user
A link to U2F explains what is a U2F security key and how they are used.

A tooltip on U2F device registration link is telling the user he needs a
security key to register.
2017-11-28 21:56:50 +01:00
Clement Michaud
f47d3c2b0b Reset password form sends 200 status when user does not exist
Reset password sends 200 status codes to avoid user enumeration.
2017-11-18 21:27:07 +01:00
Clement Michaud
ca885e4b15 Fix not working u2f when using Firefox
The u2f-api package does not use the official u2f script provided by Yubikey.
Unfortunately, it was blocked by Firefox.  This change reintroduces the
official u2f script.
2017-11-09 00:21:24 +01:00
Clement Michaud
a8974a9d8e Change domain from test.local to example.com
Warning: you will need to update your /etc/hosts to take this change into
account for the example environment to work.
2017-11-03 00:20:10 +01:00
Clement Michaud
d1f0543ac6 Fix bad redirection when no default_redirection_url is provided 2017-11-01 21:17:43 +01:00
Clement Michaud
009e7c2b78 Add basic authorization support for single-factor protected endpoints
One can now access a service using the basic authorization mechanism. Note the
service must not be protected by 2 factors.

The Remote-User and Remote-Groups are forwarded from Authelia like any browser
authentication.
2017-11-01 19:38:05 +01:00
Clement Michaud
e3e1235755 Fix unhandled error exception thrown by Bluebirds in tests 2017-11-01 16:30:51 +01:00
Clement Michaud
e93b98c1ec Remove unused AuthenticationValidator 2017-11-01 15:35:55 +01:00
Clement Michaud
6b78240d39 Fix endpoints redirection on errors
From this commit on, api endpoints reply with a 401 error code and non api
endpoints redirect to /error/40X.

This commit also fixes missing restrictions on /loggedin (the "already logged
in page). This was not a security issue, though.

The change also makes error pages automatically redirect the user after few
seconds based on the referrer or the default_redirection_url if provided in the
configuration.

Warning: The old /verify endpoint of the REST API has moved to /api/verify.
You will need to update your nginx configuration to take this change into
account.
2017-11-01 14:46:23 +01:00
Clement Michaud
54854bacb1 Use issuer and label when generating otpauthURL for TOTP
Issuer is customizable in configuration so that a company can set its own name
or website. If not provided, default value is 'authelia.com'.

The username is used as label.
2017-10-31 21:36:47 +01:00
Clement Michaud
73d5253297 Disable notifiers when server uses single factor method only
Notifier is not mandatory when authentication method is single_factor for
all sub-domains since there is no registration required.
2017-10-31 07:37:15 +01:00
Clement Michaud
3052c883a0 Improve UX of the second factor page
Start the U2F signing request when entering in the second factor page so that
the user only has to touch the token without any other clicks.
2017-10-31 07:27:36 +01:00