Commit Graph

30 Commits

Author SHA1 Message Date
James Elliott 63c2b4cfba
test(suites): add consistency ()
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2024-11-11 11:25:27 +00:00
James Elliott cca2840a06
test(suites): ocd update configs ()
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2024-11-10 09:28:43 +11:00
Amir Zarrinkafsh 8c304f19eb
refactor(suites): remove commentary from suite based user databases ()
This change ensures all user databases are consistent across the suites where utilised.

Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
2024-10-18 13:17:46 +11:00
Amir Zarrinkafsh 975de2898e
refactor(suites): replace mailcatcher with mailpit ()
This change replaces mailcatcher with mailpit, which is a modern equivalent with additional features, beneficial to our integration tests.

Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
2024-10-11 21:41:05 +11:00
James Elliott 0414f02c0b
build: remove docker compose version references ()
These are deprecated and being removed.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2024-04-07 19:57:27 +10:00
James Elliott 5d3e7a0183
feat(totp): reuse policy
This prevents previously used codes from being reused within the validity period. This is prevented in a smart way by recording the step multiplied by the period and hashing that value as a string with the HMAC-SHA256 algorithm, with an HMAC key unique to recording these values (auto generated).

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2024-03-04 20:29:12 +11:00
James Elliott 744b6179d2
test(suites): add and fix tests for coverage
Add tests and adjust tests and code as appropriate. This also ensures we have thorough coverage of the code.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2024-03-04 20:29:11 +11:00
James Elliott c203583a84
refactor: generate
This regenerates the generated portions of code.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2024-03-04 20:29:11 +11:00
James Elliott e618cf3416
feat(web): one-time codes for identity verification
This replaces the JWT method for Identity Verification for most elements with a One-Time Code which has a controllable lifetime. These codes elevate the session for a duration, are less likely to be accidentally clicked, can be revoked, and are generally a better experience for users. Users will be able to copy the codes directly from the email or manually type them. This improves the process as the user is very unlikely to input the code into the wrong window, and can't open it in the wrong browser. In addition the process prevents accidental clicking from causing issues.

Closes 

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2024-03-04 20:28:24 +11:00
Amir Zarrinkafsh aa394f7ddb
ci: remove container read-only mounts ()
* ci: remove container read-only mounts

Signed-off-by: Amir Zarrinkafsh <nightah@me.com>

* refactor: linting updates

Signed-off-by: Amir Zarrinkafsh <nightah@me.com>

---------

Signed-off-by: Amir Zarrinkafsh <nightah@me.com>
2024-02-19 13:56:40 +11:00
James Elliott 6a6059dc22
feat(session): redirection by cookie domain ()
This allows configuring the default redirection URL by session domain. In addition it makes the Authelia URL option in the new session config mandatory at least for the time being.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-09-29 08:46:41 +10:00
James Elliott fb5c285c25
feat(authentication): support ldap over unix socket ()
This adds support for LDAP unix sockets using the ldapi scheme. In addition it improves all of the address related parsing significantly, deprecating old options.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-07 16:39:17 +10:00
James Elliott 90d190121d
feat(server): listen on unix sockets ()
This allows listening on unix sockets.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-07 15:48:26 +10:00
James Elliott a0758bb4ba
refactor(suites): use pki for oidc ()
2023-02-11 15:37:54 +11:00
James Elliott 8e4b660f15
refactor: certs ()
This refactors the suites to use an Enterprise Root CA PKI signed certificate so the CA public certificate can be trusted. This is particularly useful for webauthn in Chrome.
2023-02-11 14:11:40 +11:00
James Elliott 65705a646d
feat(server): customizable authz endpoints ()
This allows users to customize the authz endpoints.

Closes , Fixes 

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-25 20:36:40 +11:00
Manuel Nuñez 8b29cf7ee8
feat(session): multiple session cookie domains ()
This adds support to configure multiple session cookie domains.

Closes 

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2023-01-12 21:57:44 +11:00
Philipp Staiger 01b77384f9
feat(duo): multi device selection ()
Allow users to select and save the preferred duo device and method, depending on availability in the duo account. A default enrollment URL is provided and adjusted if returned by the duo API. This allows auto-enrollment if enabled by the administrator.

Closes . Closes .
2021-12-01 14:32:58 +11:00
James Elliott 347bd1be77
feat(storage): encrypted secret values ()
This adds an AES-GCM 256bit encryption layer for storage for sensitive items. This is only TOTP secrets for the time being but this may be expanded later. This will require a configuration change as per https://www.authelia.com/docs/configuration/migration.html#4330.

Closes 
2021-11-25 12:56:58 +11:00
James Elliott 158783a9d4
feat(configuration): replace several configuration options ()
This change adjusts several global options moving them into the server block. It additionally notes other breaking changes in the configuration.

BREAKING CHANGE: Several configuration options have been changed and moved into other sections. Migration instructions are documented here: https://authelia.com/docs/configuration/migration.html#4.30.0
2021-08-02 21:55:30 +10:00
James Elliott 2c42464fc8
refactor(configuration): use key log instead of logging ()
* refactor: logging config key to log

This refactors the recent pre-release change adding log options to their own configuration section in favor of a log section (from logging).

* docs: add step to getting started to get the latest tagged commit

This is so we avoid issues with changes on master having differences that don't work on the latest docker tag.

* test: adjust tests

* docs: adjust doc strings
2021-06-08 23:15:43 +10:00
James Elliott cef35fadcd
feat(configuration): add error and warn log levels ()
This is so levels like warn and error can be used to exclude info or warn messages. Additionally there is a reasonable refactoring of logging moving the log config options to the logging key because there are a significant number of log options now. This also decouples the expvars and pprof handlers from the log level, and they are now configured by server.enable_expvars and server.enable_pprof at any logging level.
2021-06-01 14:09:50 +10:00
James Elliott d33d6c2f00
ci: add yamllint ()
This change implements yamllint and adjusts all yaml files to abide by our linting setup. This excludes config.template.yml as this will be done in an alternate commit.
2021-04-11 06:51:00 +10:00
Amir Zarrinkafsh e43bc93047
[FEATURE] Add configurable display name to frontend ()
* [FEATURE] Add configurable display name to frontend
This feature allows users with an LDAP backend to specify an attribute (default is "displayname") to retrieve a user's name for the portal greeting.
Similarly for the file based backend a new required key "name" has been introduced.

This can also be used down the line with OIDC as a separate scope.

* Update references from Name to DisplayName
* Update compose bundles to include displayname refs
* Update LDAP automatic profile refresh
* Ensure display name is updated
* Fix bug which prevented trace logging for profile refresh to not trigger
2020-06-19 20:50:21 +10:00
Amir Zarrinkafsh ff7f9a50ab
[FEATURE] Docker simplification and configuration generation ()
* [FEATURE] Docker simplification and configuration generation
The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found, similarly it will generate a `user_database.yml` based on a template.

This will allow more seamless bootstrapping of an environment no matter the deployment method.

We have also squashed the Docker volume requirement down to just `/config`, thus removing the requirement for `/var/lib/authelia`; this is primarily an attempt to simplify the Docker deployment.

Users with the old volume mappings have two options:
1. Change their mappings to conform to `/config`
2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping

* Adjust paths relative to `/etc/authelia` and simplify to single volume for compose
* Add generation for file backend based user database
* Refactor Docker volumes and paths to /config
* Refactor Docker WORKDIR to /app
* Fix integration tests
* Update BREAKING.md for v4.20.0
* Run go mod tidy
* Fix log_file_path in miscellaneous.md docs
* Generate config and userdb with 0600 permissions
* Fix log_file_path in config.template.yml
2020-06-17 16:25:35 +10:00
James Elliott 9e9dee43ac
[FEATURE] Notifier Startup Checks ()
* implement SMTP notifier startup check
* check dial, starttls, auth, mail from, rcpt to, reset, and quit
* log the error on failure
* implement mock
* misc optimizations, adjustments, and refactoring
* implement validate_skip config option
* fix comments to end with period
* fix suites that used smtp notifier without a smtp container
* add docs
* add file notifier startup check
* move file mode into const.go
* disable gosec linting on insecureskipverify since it's intended, warned, and discouraged
* minor PR commentary adjustment
* apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>
2020-04-21 14:59:38 +10:00
Clément Michaud 730e88df9d
[FEATURE] Make Authelia serve over TLS in all suites ()
* [BUGFIX] Fix dev workflow by using TLS for all suites.

* Fix traefik 1.x and 2.x suites.

* Display authelia logs on suite failure.

* Fix HAProxy suite.

* Extend timeout of test case.

* Display current URL in verify assertion.

* fix doLoginTwoFactor by adding a timeout

* when doLoginTwoFactor is used with a blank target and a protected domain is quickly visited, authelia sometimes redirects back to the portal
* fix by adding one second timeout
* bump go version to 1.14.2

* Fix Kube suite and bump dashboard.

* Update dist authelia-frontend to proxy_pass with variable

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Apply suggestions from code review

Co-Authored-By: Amir Zarrinkafsh <nightah@me.com>

* Remove debug logs since it's polluting logs.

Also set timeout back to 5 seconds in HA suite.

Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-04-14 09:57:28 +10:00
James Elliott 626f5d2949
[FEATURE] Remember Me Configuration ()
* [FEATURE] Remember Me Configuration
* allow users to specify the duration of remember me using remember_me_duration in session config
* setting the duration to 0 disables remember me
* only render the remember me element if remember me is enabled
* prevent malicious users from faking remember me functionality in the backend
* add string to duration helper called ParseDurationString to parse a string into a duration
* added tests to the helper function
* use the SessionProvider to store the time.Duration instead of parsing it over and over again
* add sec doc, adjust month/min, consistency
* renamed internal/utils/constants.go to internal/utils/const.go to be consistent
* added security measure docs
* adjusted default remember me duration to be 1 month instead of 1 year
* utilize default remember me duration in the autheliaCtx mock
* adjust order of keys in session configuration examples
* add notes on session security measures secret only being redis
* add TODO items for duration notation for both Expiration and Inactivity (will be removed soon)
* fix error text for Inactivity in the validator
* add session validator tests
* deref check bodyJSON.KeepMeLoggedIn and derive the value based on conf and user input and store it (DRY)
* remove unnecessary regex for the simplified ParseDurationString utility
* ParseDurationString only accepts decimals without leading zeros now
* comprehensively test all unit types
* remove unnecessary type unions in web
* add test to check sanity of time duration consts, this is just so they can't be accidentally changed
* simplify deref check and assignment
* fix reset password padding/margins
* adjust some doc wording
* adjust the handler configuration suite test
* actually run the handler configuration suite test (whoops)
* reduce the number of regex's used by ParseDurationString to 1, thanks to Clement
* adjust some error wording
2020-04-04 10:11:33 +11:00
Clément Michaud c429488738
[FEATURE] [BREAKING] Support writing logs in a file. ()
* [FEATURE] Support writing logs in a file.

* Add documentation about logs file path.

* Rename logs_level and logs_file_path into log_level and log_file_path.

* Update BREAKING.md

Fixes 

Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-03-09 20:57:53 +01:00
Amir Zarrinkafsh 72a3f1e0d7
[BUGFIX] Skip 2FA step if no ACL rule is two_factor ()
When no rule is set to two_factor in ACL configuration, 2FA is
considered disabled. Therefore, when a user cannot be redirected
correctly because no target URL is provided or the URL is unsafe,
the user is either redirected to the default URL or to the
'already authenticated' view instead of the second factor view.

Fixes 
2020-03-06 11:31:09 +11:00