Commit Graph

168 Commits

Author SHA1 Message Date
ThinkChaos
ba65a3db82
feat(handlers): authorization header switch via query param to /api/verify (#1563)
* [FEATURE] Add auth query param to /api/verify (#1353)

When `/api/verify` is called with `?auth=basic`, use the standard
Authorization header instead of Proxy-Authorization.

* [FIX] Better basic auth error reporting

* [FIX] Return 401 when using basic auth instead of redirecting

* [TESTS] Add tests for auth=basic query param

* [DOCS] Mention auth=basic argument and provide nginx example

* docs: add/adjust basic auth query arg docs for proxies

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-02-24 10:35:04 +11:00
Amir Zarrinkafsh
683c4a70bf
fix(web): improve 2fa enrollment process (#1706)
* refactor(web): improve 2fa enrollment process

This PR will change some of the wording and colours for the 2FA processes in order to provide more clarity and address some accessibility issues for end users.

The following is a summary of the changes:

* One-Time Password ⭢ Time-based One-Time Password
* Security Key ⭢ Security Key - U2F

![Screenshot_2021-02-02-09-36-17](https://user-images.githubusercontent.com/3339418/107138185-17656100-6967-11eb-8fac-9e75c7a82d09.png)


* QRCode ⭢ QR Code

![Screenshot_2021-02-07-05-07-25](https://user-images.githubusercontent.com/3339418/107138196-29df9a80-6967-11eb-811f-d77c9bb0159e.png)

* `Not registered yet?` text to display `Lost device?` if a user has already registered a device of said type

![Screenshot_2021-02-02-10-24-54](https://user-images.githubusercontent.com/3339418/107138205-395ee380-6967-11eb-8826-83e1438dd146.png)

* Change button and text colour in e-mails that Authelia generates
* Change Authelia email footer to be more security conscious

![Screenshot_2021-02-07-04-51-40](https://user-images.githubusercontent.com/3339418/107138211-4085f180-6967-11eb-890b-9d931bd1ce76.png)

The docs have also been updated to clarify the 2fa device enrollment limitation which only allows users to register one of each device type concurrently.

Closes #1560.
2021-02-12 16:59:42 +11:00
Amir Zarrinkafsh
e091032279
docs: update contribution guidelines (#1666)
* docs: update contribution guidelines

* add release commit message type

* update none/empty scope definition

* add go mod tidy post update option
2021-01-30 19:29:07 +11:00
dependabot-preview[bot]
d93ddc420a
[MISC] (deps-dev): Bump github-pages from 210 to 211 in /docs (#1635)
Bumps [github-pages](https://github.com/github/pages-gem) from 210 to 211.
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v210...v211)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-28 09:16:03 +11:00
dependabot-preview[bot]
5967416538
[MISC] (deps-dev): Bump github-pages from 209 to 210 in /docs (#1625)
Bumps [github-pages](https://github.com/github/pages-gem) from 209 to 210.
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v209...v210)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-01-25 11:05:12 +11:00
Amir Zarrinkafsh
87af0d3112
[DOCS] Update contributors (#1623)
This change also modifies the contributors to introduce [All Contributors](https://allcontributors.org/).
2021-01-22 14:24:25 +11:00
Amir Zarrinkafsh
daa30f3aa3
[FEATURE] Add theme support (#1584)
* [FEATURE] Add theme support

This change allows users to select a theme for Authelia on start-up.

The default will continue to be the existing theme which is known as `light`.
Three new options are now also provided:
* `dark`
* `grey`
* `custom`

The `custom` theme allows users to specify a primary and secondary hex color code to be utilised to style the portal.

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>

* Add themes to integration tests

* Remove custom theme

* Fix linting issue in access_control_test.go

Co-authored-by: BankaiNoJutsu <lbegert@gmail.com>
2021-01-20 23:07:40 +11:00
James Elliott
712288555c
[BUGFIX] Fix incorrect docs and Certificate PEM extensions (#1589)
* add .crt to the PEM extensions scanned for
* fix documentation on the extensions allowed
* add trace logging to the loading process to help debug in the future
2021-01-10 22:10:45 +11:00
dependabot-preview[bot]
5feb845914
[MISC] (deps): [Security] Bump nokogiri from 1.10.10 to 1.11.0 in /docs (#1579)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.10 to 1.11.0. **This update includes a security fix.**
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.10.10...v1.11.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2021-01-05 09:38:06 +11:00
Amir Zarrinkafsh
9ca0e940da
[FEATURE] Validate ACLs and add network groups (#1568)
* adds validation to ACL's
* adds a new networks section that can be used as aliases in other sections (currently access_control)
2021-01-04 21:55:23 +11:00
James Elliott
29a900226d
[FEATURE] Enhance LDAP/SMTP TLS Configuration and Unify Them (#1557)
* add new directive in the global scope `certificates_directory` which is used to bulk load certs and trust them in Authelia
* this is in ADDITION to system certs and are trusted by both LDAP and SMTP
* added a shared TLSConfig struct to be used by both SMTP and LDAP, and anything else in the future that requires tuning the TLS
* remove usage of deprecated LDAP funcs Dial and DialTLS in favor of DialURL which is also easier to use
* use the server name from LDAP URL or SMTP host when validating the certificate unless otherwise defined in the TLS section
* added temporary translations from the old names to the new ones for all deprecated options
* added docs
* updated example configuration
* final deprecations to be done in 4.28.0
* doc updates
* fix misc linting issues
* uniform deprecation notices for ease of final removal
* added additional tests covering previously uncovered areas and the new configuration options
* add non-fatal to certificate loading when system certs could not be loaded
* adjust timeout of Suite ShortTimeouts
* add warnings pusher for the StructValidator
* make the schema suites uninform
* utilize the warnings in the StructValidator
* fix test suite usage for skip_verify
* extract LDAP filter parsing into it's own function to make it possible to test
* test LDAP filter parsing
* update ErrorContainer interface
* add tests to the StructValidator
* add NewTLSConfig test
* move baseDN for users/groups into parsed values
* add tests to cover many of the outstanding areas in LDAP
* add explicit deferred LDAP conn close to UpdatePassword
* add some basic testing to SMTP notifier
* suggestions from code review
2021-01-04 21:28:55 +11:00
Kristof Mattei
b20f62b015
Update example to set correct internal trusted ranges. (#1575) 2021-01-02 07:36:12 +11:00
Amir Zarrinkafsh
1debc820fa
[DOCS] Fix typo in IPv6 address notes (#1566) 2020-12-30 06:33:57 +11:00
James Elliott
2763aefe81
[BUGFIX] Static Session Expiration Key (#1564)
* [BUGFIX] Static Session Expiration Key

* keys for session expiration are random for each instance of Authelia
* this is caused by upstream setting it to a random value
* using a temporary bugfix fork of github.com/fasthttp/session to resolve locally
* add some misc doc additions
2020-12-29 12:44:47 +11:00
ZMiguel Valdiviesso
39bb2d2d1a
Add config example for LDAP groupOfUniqueNames group structure (#1549)
* Add config example for groupOfUniqueNames group structure

* Update ldap.md

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-12-22 08:16:20 +11:00
Amir Zarrinkafsh
f2282f78a9
[DOCS] Add notes for IPv6 literal address (#1541) 2020-12-16 11:31:39 +11:00
Begley Brothers (Development)
a7968bc77b
[DOCS] Update hash-password example with single quotes (#1537)
* [Doc] Single quote the hash-password input

Closes #1536

* Update docs/configuration/authentication/file.md

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-12-16 11:07:51 +11:00
Clément Michaud
86c4577127
[DOCS] Add a note on regexps in ACLs (#1533)
Fixes #1523
2020-12-16 11:00:58 +11:00
James Elliott
426f5260ad
[FEATURE] LDAP StartTLS (#1500)
* add start_tls config option
* add StartTLS method to the LDAP conn factory and the mock
* implemented use of the StartTLS method when the config is set to true
* add mock unit tests
* add docs
* add TLS min version support
* add tests to tls version method
* fix lint issues
* minor adjustments
* remove SSL3.0
* add tls consts
* deprecate old filter placeholders
* remove redundant fake hashing in file auth provider (to delay username enumeration, was replaced by #993
* make suite ActiveDirectory use StartTLS
* misc adjustments to docs
* suggested changes from code review
* deprecation notice conformity
* add mock test for LDAPS plus StartTLS
2020-12-03 16:23:52 +11:00
James Elliott
365304a684
[FEATURE] Add Optional Check for Session Username on VerifyGet (#1427)
* Adding the Session-Username header to the /api/verify endpoint when using cookie auth will check the value stored in the session store for the username and the header value are the same.
* use strings.EqualFold to compare case insensitively
* add docs
* add unit tests
* invalidate session if it is theoretically hijacked and log it as a warning (can only be determined if the header doesn't match the cookie)
* add example PAM script
* go mod tidy
* go mod bump to 1.15
2020-12-02 10:03:44 +11:00
Amir Zarrinkafsh
ba04d1072b
[BUGFIX] Make username_attribute a mandatory placeholder in users_filter (#1449)
* [BUGFIX] Make username_attribute a mandatory placeholder in users_filter

Not including the `username_attribute` in the `users_filter` will cause issues with the LDAP session refresh and will result in session resets when the refresh interval has expired.

This change makes said attribute mandatory for the `users_filter`.

* Update version referenced in docs for fix
2020-11-28 00:30:27 +11:00
Amir Zarrinkafsh
aa64d0c4e5
[FEATURE] Support MSAD password reset via unicodePwd attribute (#1460)
* Added `ActiveDirectory` suite for integration tests with Samba AD
* Updated documentation
* Minor styling refactor to suites
* Clean up LDAP user provisioning
* Fix Authelia home splash to reference correct link for webmail
* Add notification message for password complexity errors
* Add password complexity integration test
* Rename implementation default from rfc to custom
* add specific defaults for LDAP (activedirectory implementation)
* add docs to show the new defaults
* add docs explaining the importance of users filter
* add tests
* update instances of LDAP implementation names to use the new consts where applicable
* made the 'custom' case in the UpdatePassword method for the implementation switch the default case instead
* update config examples due to the new defaults
* apply changes from code review
* replace schema default name from MSAD to ActiveDirectory for consistency
* fix missing default for username_attribute
* replace test raising on empty username attribute with not raising on empty

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2020-11-27 20:59:22 +11:00
Amir Zarrinkafsh
a29eeb52b6
[FEATURE] Add JSON log formatting option (#1488)
This change adds the ability to format Authelia's log output as JSON.

Example below:
```
{"level":"info","msg":"Logging severity set to info","time":"2020-01-01T00:00:00+11:00"}
{"level":"info","msg":"Authelia is listening for non-TLS connections on 0.0.0.0:9091","time":"2020-01-01T00:00:00+11:00"}
```
2020-11-25 10:46:41 +11:00
Amir Zarrinkafsh
3832b55312
[DOCS] Fix links in Contributing (#1484) 2020-11-24 12:47:12 +11:00
Timo
495e57b46c
[DOCS] Make HAProxy regex case insensitive (#1478) 2020-11-24 12:35:38 +11:00
Lukas Klass
518bc67ef9
[DOCS] Clarify use of multiple subjects in ACLs and their logical evaluation (#1454)
* Clarify use of multiple subjects and their logical evaluation

* Update docs/configuration/access-control.md

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-11-13 10:30:23 +11:00
Amir Zarrinkafsh
f392f51df6
[MISC] Append log file instead of overwriting (#1450)
* [MISC] Append log file instead of overwriting

If Authelia is restarted when a `log_file_path` is defined upon restart the log file is overwritten as opposed to appending the existing file.

This change ensures that the log file will be appended to, users will need to ensure that they rotate/truncate this over time especially if running in `debug` or `trace`.

* Amend documentation for log_file_path
2020-11-13 10:14:45 +11:00
Amir Zarrinkafsh
29af1aac6a
[DOCS] Update session docs to clarify encryption (#1448)
This looks like it just fell out of sync with what actually already exists within the [`config.template.yml`](695cd5bf8f/config.template.yml (L291)).
2020-11-13 07:45:46 +11:00
James Elliott
956dbfb8de
[BUGFIX] Add ability to specify SMTP HELO/EHLO identifier (#1416)
* add docs
* add configuration option for SMTP called `identifier`
* default should act the same as before
2020-11-05 10:22:10 +11:00
Amir Zarrinkafsh
a83ccd7188
[FEATURE] Add Remote-Name and Remote-Email headers (#1402) 2020-10-26 22:38:08 +11:00
akusei
af2ae328e7
[FEATURE] Container privilege de-escalation (#1370)
* support for running as non-root

* forgot to save file

* removed write perms for user on entrypoint script

* preserve existing user behavior

* fix entrypoint permissions to account for non-root user

* typo in chmod on line 63

* better entrypoint script; moved to root

* execute bit

* support for running as non-root

* forgot to save file

* removed write perms for user on entrypoint script

* preserve existing user behavior

* fix entrypoint permissions to account for non-root user

* typo in chmod on line 63

* better entrypoint script; moved to root

* execute bit

* very rough draft documentation

* added missing header

* typo changes -> changed

* Update entrypoint.sh

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

looks good

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-10-19 10:12:21 +11:00
alexw1982
0ba634ffee
[DOCS] Update Fail2Ban security measures (#1349)
* [Docs] Security measures - Fail2Ban

Minor changes / improvements to the text

* Update measures.md

* Update docs/security/measures.md
2020-10-17 13:44:48 +11:00
dependabot-preview[bot]
e0c44966e5
[MISC] (deps): Bump just-the-docs from 0.3.2 to 0.3.3 in /docs (#1375)
Bumps [just-the-docs](https://github.com/pmarsceill/just-the-docs) from 0.3.2 to 0.3.3.
- [Release notes](https://github.com/pmarsceill/just-the-docs/releases)
- [Commits](https://github.com/pmarsceill/just-the-docs/compare/v0.3.2...v0.3.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-15 15:13:34 +11:00
dependabot-preview[bot]
0e34ae78fd
[MISC] (deps-dev): Bump github-pages from 208 to 209 in /docs (#1368)
Bumps [github-pages](https://github.com/github/pages-gem) from 208 to 209.
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v208...v209)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-10-11 22:33:50 +11:00
alexw1982
adf6b7878d
[DOCS] Add fail2ban security measures (#1344)
* Update measures.md

Closes #1176.
2020-09-30 11:40:26 +10:00
dependabot-preview[bot]
3f65547e3b
[MISC] (deps-dev): Bump github-pages from 207 to 208 in /docs (#1345)
Bumps [github-pages](https://github.com/github/pages-gem) from 207 to 208.
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v207...v208)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-29 12:22:36 +10:00
thehedgefrog
86ecc03640
Updated secrets.md with a functional DaemonSet (#1287)
* Updated secrets.md with a functional DaemonSet

* changed TCP socket for API endpoints
2020-09-25 09:48:24 +10:00
Amir Zarrinkafsh
607f829431
[DOCS] Clean HAProxy examples (#1338)
Remove headers that are not required and fix a typo.
2020-09-23 17:29:46 +10:00
Amir Zarrinkafsh
5b98b4d090
[BUGFIX] Fix HAProxy redirects (#1333)
Including updates to docs examples.
2020-09-23 09:06:26 +10:00
Amir Zarrinkafsh
8d68886b5b
[DOCS] Fix default layout (#1329) 2020-09-19 00:58:41 +10:00
dependabot-preview[bot]
35a7e954a2
[MISC] (deps): Bump just-the-docs from 0.3.1 to 0.3.2 in /docs (#1320)
Bumps [just-the-docs](https://github.com/pmarsceill/just-the-docs) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/pmarsceill/just-the-docs/releases)
- [Commits](https://github.com/pmarsceill/just-the-docs/compare/v0.3.1...v0.3.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-09-19 00:34:08 +10:00
Amir Zarrinkafsh
771c220d38
[FEATURE] Support updated haproxy-auth-request (#1310)
* [FEATURE] Support updated haproxy-auth-request
This version removes the dependency of lua-socket which seemed to result in many unsupported and broken BSD/Pfsense deployments.

* Fix docs indentation

* Add haproxy-lua-http to TLS enabled configuration
2020-09-10 10:52:57 +10:00
James Elliott
a92b0bff1d
[FEATURE] Plain Text Email Notifications (#1238)
* add a plain text email template
* use plain text email template for file based emails
* add config option to SMTP emails named disable_html_emails
  * config option is a boolean that when set to true will only send plain text emails
* add docs for more complex SMTP notifier options
* update template
* add rfc1341 multipart logic to notifier
* check for errors after identity_verification

* * fix nil ptr
* go mod tidy
* remove needless checks

* * use multipart/atlernative instead

* * add rfc5322 compliant date header

* * fix linting issues
2020-08-21 12:16:23 +10:00
Chris Smith
c70255f9ef
[DOCS] Add FAQ for Kubernetes deployment (#1252)
* Add note to Kubernetes page about potential OOM

See #1234
2020-08-14 13:30:37 +10:00
dependabot-preview[bot]
33f039c117
[MISC] (deps): Bump github-pages and jekyll in /docs (#1257)
Bumps [github-pages](https://github.com/github/pages-gem) and [jekyll](https://github.com/jekyll/jekyll). These dependencies needed to be updated together.

Updates `github-pages` from 206 to 207
- [Release notes](https://github.com/github/pages-gem/releases)
- [Commits](https://github.com/github/pages-gem/compare/v206...v207)

Updates `jekyll` from 3.8.7 to 3.9.0
- [Release notes](https://github.com/jekyll/jekyll/releases)
- [Changelog](https://github.com/jekyll/jekyll/blob/master/History.markdown)
- [Commits](https://github.com/jekyll/jekyll/compare/v3.8.7...v3.9.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-08-11 21:54:29 +10:00
James Elliott
ea1fae6491
[MISC] Storage Schema Versioning Model (#1057)
* [MISC] Storage Schema Versioning Model 

* fixup go.sum
* remove pq
* fix int to text issue
* fix incorrect SQL text
* use key_name vs key
* use transactions for all queries during upgrades
* fix missing parenthesis
* move upgrades to their own file
* add provider name for future usage in upgrades
* fix missing create config table values
* fix using the const instead of the provider SQL
* import logging once and reuse
* update docs
* remove db at suite teardown
* apply suggestions from code review
* fix mysql
* make errors more uniform
* style changes
* remove commented code sections
* remove commented code sections
* add schema version type
* add sql mock unit tests
* go mod tidy
* test blank row situations
2020-07-16 15:56:08 +10:00
dependabot-preview[bot]
145a83ee0d
[MISC] (deps): Bump just-the-docs from 0.3.0 to 0.3.1 in /docs (#1205)
Bumps [just-the-docs](https://github.com/pmarsceill/just-the-docs) from 0.3.0 to 0.3.1.
- [Release notes](https://github.com/pmarsceill/just-the-docs/releases)
- [Commits](https://github.com/pmarsceill/just-the-docs/compare/v0.3.0...v0.3.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-07-16 00:11:53 +02:00
Amir Zarrinkafsh
c5916cbce6
[DOCS] Adjust Deployment navigation order (#1160) 2020-06-29 16:55:41 +10:00
Amir Zarrinkafsh
697ffd8d73
[DOCS] Fix just-the-docs theme styling (#1159)
This fixes a minor regression due to #1158.
As there was significant styling changes and due to our introduction of the github fork ribbon for the docs the layout also needed to be updated.
2020-06-29 11:20:38 +10:00
dependabot-preview[bot]
997e17cdc6
[MISC] (deps): Bump just-the-docs from 0.2.9 to 0.3.0 in /docs (#1158)
Bumps [just-the-docs](https://github.com/pmarsceill/just-the-docs) from 0.2.9 to 0.3.0.
- [Release notes](https://github.com/pmarsceill/just-the-docs/releases)
- [Commits](https://github.com/pmarsceill/just-the-docs/compare/v0.2.9...v0.3.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
2020-06-29 09:42:14 +10:00