From d42be3f9a5a5c12580af2a67b107840fd6fd0698 Mon Sep 17 00:00:00 2001 From: depasseg Date: Fri, 10 Nov 2023 05:53:07 -0500 Subject: [PATCH] feat(authelia): Update Authelia question tooltips and defaults (#13487) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **Description** ⚒️ Fixes # **⚙️ Type of change** - [X] ⚙️ Feature/App addition - [ ] 🪛 Bugfix - [ ] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] 🔃 Refactor of current code **🧪 How Has This Been Tested?** **📃 Notes:** **✔️ Checklist:** - [ ] ⚖️ My code follows the style guidelines of this project - [X] 👀 I have performed a self-review of my own code - [X] #️⃣ I have commented my code, particularly in hard-to-understand areas - [ ] 📄 I have made corresponding changes to the documentation - [X] ⚠️ My changes generate no new warnings - [ ] 🧪 I have added tests to this description that prove my fix is effective or that my feature works - [ ] ⬆️ I increased versions for any altered app according to semantic versioning **➕ App addition** If this PR is an app addition please make sure you have done the following. - [ ] 🪞 I have opened a PR on [truecharts/containers](https://github.com/truecharts/containers) adding the container to TrueCharts mirror repo. - [ ] 🖼️ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._ --------- Signed-off-by: depasseg Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com> 
Signed-off-by: Kjeld Schouten Co-authored-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com> Co-authored-by: Xstar97TheNoob <9399967+xstar97@users.noreply.github.com> Co-authored-by: Kjeld Schouten
---
 charts/enterprise/authelia/Chart.yaml | 2 +-
 charts/enterprise/authelia/questions.yaml | 69 ++++++++++++++++-------
 charts/enterprise/authelia/values.yaml | 10 ++--
 3 files changed, 55 insertions(+), 26 deletions(-)
diff --git a/charts/enterprise/authelia/Chart.yaml b/charts/enterprise/authelia/Chart.yaml
index 21ef8832442..047695fa441 100644
--- a/charts/enterprise/authelia/Chart.yaml
+++ b/charts/enterprise/authelia/Chart.yaml
@@ -35,7 +35,7 @@ sources:
 - https://github.com/authelia/chartrepo
 - https://github.com/authelia/authelia
 type: application
-version: 19.0.11
+version: 19.0.12
 annotations:
 truecharts.org/category: security
 truecharts.org/SCALE-support: "true"
diff --git a/charts/enterprise/authelia/questions.yaml b/charts/enterprise/authelia/questions.yaml
index 9bbc055f5ef..c4241b93341 100644
--- a/charts/enterprise/authelia/questions.yaml
+++ b/charts/enterprise/authelia/questions.yaml
@@ -230,14 +230,20 @@ questions: attrs: - variable: name label: "Cookie Name" - description: "The name of the session cookie." + description: | + The name of the session cookie. By default this is set to authelia_session. + It’s mostly useful to change this if you are doing development or running multiple instances of Authelia. schema: type: string required: true default: "authelia_session" - variable: same_site label: "SameSite Value" - description: "Sets the Cookie SameSite value" + description: | + You can read about the SameSite cookie in detail on the MDN. In short setting SameSite to Lax is generally + the most desirable option for Authelia. None is not recommended unless you absolutely know what you’re doing + and trust all the protected apps. Strict is not going to work in many use cases and we have not tested it in + this state but it’s available as an option anyway. schema: type: string default: "lax" 
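Review bot: The new SameSite Value description points the reader "on the MDN" without a link, and a form tooltip is exactly where a bare reference cannot be followed; either drop the sentence or include the page, e.g. `You can read about the SameSite cookie attribute in detail on MDN (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite).` Both new descriptions here, and the ones in the next two hunks, use the typographic apostrophe (It’s, you’re, don’t) while every other visible string is plain ASCII; mixed forms get normalised by editors and are awkward to grep, so I would use the ASCII apostrophe. The Cookie Name text states that the default is authelia_session, which matches the `default:` below it, so whoever changes that default later has to change the tooltip with it. The enclosing `attrs:` list starts before this hunk.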
@@ -248,21 +254,27 @@ questions: description: "strict" - variable: expiration label: "Expiration Time" - description: "The time in seconds before the cookie expires and session is reset." + description: | + The period of time before the cookie expires and the session is destroyed. This is overriden by + remember_me_duration when the remember me box is checked. schema: type: string default: "1h" required: true - variable: inactivity label: "Inactivity Time" - description: "The inactivity time in seconds before the session is reset." + description: | + The period of time the user can be inactive for until the session is destroyed when the remember me box is + not checked or is otherwise disabled. Useful if you want long session timers but don’t want unused devices to be vulnerable. schema: type: string default: "5m" required: true - variable: remember_me_duration label: "Remember-Me duration" - description: "The remember me duration" + description: | + The period of time before the cookie expires and the session is destroyed when the remember me box is checked, a user + selecting this option negates the inactivity timeout. Setting this to -1 disables this feature entirely. schema: type: string default: "5M" @@ -283,14 +295,18 @@ questions: default: 3 - variable: find_time label: "Find Time" - description: "The time range during which the user can attempt login before being banned." + description: | + The period of time analyzed for failed attempts. For example if you set max_retries to 3 and find_time to + 2m this means the user must have 3 failed logins in 2 minutes. schema: type: string default: "2m" required: true - variable: ban_time label: "Ban Duration" - description: "The length of time before a banned user can login again" + description: | + The period of time the user is banned for after meeting the max_retries and find_time configuration. + After this duration the account will be able to login again. schema: type: string default: "5m" 
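Review bot: `overriden` in the new Expiration Time description should be `overridden`. That text also names the setting as `remember_me_duration`, and the next hunk on this line names `max_retries` and `find_time`; these are the values.yaml keys, not the labels the form shows (Remember-Me duration, Find Time), so a user reading the tooltip has to map them, and `This is overridden by the Remember-Me duration when the remember me box is checked.` reads better and survives a key rename. The old descriptions said the values were in seconds and the new ones say "period of time", which agrees with the `1h`/`5m` defaults, but a hint on the expected format would help, since a bare number is what users tend to type. The Remember-Me default `5M` is case-sensitive in duration notations that distinguish months from minutes; it is untouched by this commit, but worth confirming it is the intended unit while this text is being rewritten.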
@@ -298,7 +314,9 @@ questions: - variable: authentication_backend group: "App Configuration" label: "Authentication Backend Provider" - description: "sed for verifying user passwords and retrieve information such as email address and groups users belong to." + description: | + Used for verifying user passwords and retrieve information such as email + address and groups users belong to. schema: additional_attrs: true type: dict @@ -405,14 +423,14 @@ questions: description: "The attribute holding the username of the user" schema: type: string - default: "" + default: "uid" required: true - variable: additional_users_dn label: "Additional Users DN" description: "An additional dn to define the scope to all users." schema: type: string - default: "OU=Users" + default: "OU=people" required: true - variable: users_filter label: "Users Filter" @@ -440,27 +458,27 @@ questions: description: "The attribute holding the name of the group" schema: type: string - default: "" + default: "cn" required: true - variable: mail_attribute label: "Mail Attribute" description: "The attribute holding the primary mail address of the user" schema: type: string - default: "" + default: "mail" required: true - variable: display_name_attribute label: "Display Name Attribute" description: "he attribute holding the display name of the user. This will be used to greet an authenticated user." schema: type: string - default: "" + default: "displayName" - variable: user label: "Admin User" description: "The username of the admin user used to connect to LDAP." schema: type: string - default: "CN=Authelia,DC=example,DC=com" + default: "CN=admin,ou=people,DC=example,DC=com" required: true - variable: plain_password label: "Password" 
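Review bot: The corrected Authentication Backend Provider description still has a grammar slip: `Used for verifying user passwords and retrieve information such as email address and groups users belong to.` should read `Used for verifying user passwords and retrieving information such as the email address and the groups users belong to.` The dropped leading character of the old text ('sed for ...') is fixed here, so this is the only thing left in the sentence. The `schema:` mapping continues past the end of this hunk.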
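Review bot: The new LDAP defaults in this hunk and the next one do not match the defaults the same commit writes to values.yaml: Additional Users DN becomes `OU=people` here while values.yaml (hunk @@ -228,7) keeps `additional_users_dn: OU=Users`, Display Name Attribute becomes `displayName` while values.yaml (hunk @@ -270,17) sets `"displayname"`, and Admin User becomes `CN=admin,ou=people,DC=example,DC=com` while values.yaml sets `CN=admin,DC=example,DC=com`. Which file a deployment actually ends up with depends on how the chart merges the form answers over values.yaml, which the patch does not show, but as written a values-driven install and a form-driven install would search a different subtree and bind as a different DN. Pick one set and apply it to both files, e.g. `additional_users_dn: OU=people` and `user: CN=admin,OU=people,DC=example,DC=com` in values.yaml (LDAP attribute types compare case-insensitively, so `displayName` versus `displayname` is harmless but still worth aligning). Setting Username Attribute to `uid` is consistent with the uniqueness warning in the values.yaml comment above that key.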
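Review bot: The Admin User default `CN=admin,ou=people,DC=example,DC=com` writes the organizational unit as `ou=people` while the Additional Users DN default in the previous hunk writes `OU=people`; both are valid, but an example DN that users copy and adapt should use one casing. The context line `he attribute holding the display name of the user.` is missing its leading T; the commit already edits this block, so fixing it here is cheap. These remain placeholder values (`DC=example,DC=com`), which is fine for a default, but the tooltip could say so, e.g. `Example value; replace it with the bind DN of a read-only service account.`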
@@ -688,10 +706,13 @@ questions: attrs: - variable: default_policy label: "Default Policy" - description: "Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'." + description: | + The default policy defines the policy applied if no rules section apply to the information known about the request. + It is recommended that this is configured to deny for security reasons. Sites which you do not wish to secure at all + with Authelia should not be configured in your reverse proxy to perform authentication with Authelia at all for performance reasons. schema: type: string - default: "two_factor" + default: "deny" enum: - value: "bypass" description: "bypass" @@ -745,7 +766,7 @@ questions: attrs: - variable: domain label: "Domains" - description: "defines which domain or set of domains the rule applies to." + description: "Defines which domain or set of domains the rule applies to." schema: type: list default: [] @@ -758,7 +779,9 @@ questions: required: true - variable: policy label: "Policy" - description: "The policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'." + description: | + The specific policy to apply to the selected rule. This is not criteria for a match, this is the + action to take when a match is made. schema: type: string default: "two_factor" @@ -773,7 +796,11 @@ questions: description: "deny" - variable: subject label: "Subject" - description: "defines the subject to apply authorizations to. This parameter is optional and matching any user if not provided" + description: | + This criteria matches identifying characteristics about the subject. Currently this is either + user or groups the user belongs to. This allows you to effectively control exactly what each user is + authorized to access or to specifically require two-factor authentication to specific users. Subjects + are prefixed with either user: or group: to identify which part of the identity to check. schema: type: list default: [] 
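Review bot: Changing the Default Policy default from `two_factor` to `deny` is the safer choice and matches the new description, but it is a user-visible behaviour change that neither the commit message nor the patch-level bump in Chart.yaml (19.0.11 → 19.0.12) mentions: a new install with no rules configured will now deny every protected request instead of prompting for two-factor login. State it in the PR notes and consider adding to the tooltip that rules are now required, e.g. `With deny, any request not matched by a rule is refused, so add a rule for each application you protect.` Whether existing installs keep their stored `two_factor` value depends on how the chart handles upgrades, which I cannot see here; worth confirming before release. The third line of the new description is about 140 characters, past the 120 that yamllint's line-length check allows, so wrap it like the other lines.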
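Review bot: The new Subject description drops the one fact the old one carried, that a rule with no subject matches any user, and the list default `[]` below gives no hint of that; keep a sentence such as `If left empty the rule applies to every user.` It also says subjects are prefixed with `user:` or `group:` without showing the form, which is where a list field is most often filled in wrong; add an example, e.g. `For example user:john or group:admins.` Four lines of prose is long for a tooltip; the opening sentence about matching criteria could go, since the Policy tooltip in the previous hunk already explains criteria versus action.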
@@ -982,7 +1009,9 @@ questions: description: "two_factor" - variable: consent_mode label: "Consent Mode" - description: "Configures the consent mode. This can be set to auto (default), explicit (consent required every time) or implicit (automatically assumes consent for every authorization, never asking the user if they wish to give consent.)" + description: | + Configures the consent mode. This can be set to auto (default), explicit (consent required every time) or + implicit (automatically assumes consent for every authorization, never asking the user if they wish to give consent.) schema: type: string default: "auto" diff --git a/charts/enterprise/authelia/values.yaml b/charts/enterprise/authelia/values.yaml index e27c2e05ede..f6ee5a66e91 100644 --- a/charts/enterprise/authelia/values.yaml +++ b/charts/enterprise/authelia/values.yaml @@ -228,7 +228,7 @@ authentication_backend: ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt. - username_attribute: "" + username_attribute: "uid" ## An additional dn to define the scope to all users. additional_users_dn: OU=Users 
@@ -270,17 +270,17 @@ authentication_backend: groups_filter: "" ## The attribute holding the name of the group - group_name_attribute: "" + group_name_attribute: "cn" ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the ## first one returned by the LDAP server is used. - mail_attribute: "" + mail_attribute: "mail" ## The attribute holding the display name of the user. This will be used to greet an authenticated user. - display_name_attribute: "" + display_name_attribute: "displayname" ## The username of the admin user. - user: CN=Authelia,DC=example,DC=com + user: CN=admin,DC=example,DC=com plain_password: "" ##