blob: 426387867cdc46e76062f09d475c2236bb287313 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
|
<!DOCTYPE html>
<html>
<head>
<title>Home page</title>
<link rel="icon" href="/icon.png" type="image/png" />
<script>
window.onload = () =>{
/**
* this section renames example.com for the real hostname
* it's required for multi cookie domain suite
* */
const hostname = window.location.hostname
const protocol = window.location.protocol
const port = window.location.port
const domain = hostname.replace(/^\w+\.(.+)$/i, "$1")
const newDomain = `${domain}:${port}`
document.body.innerHTML = document.body.innerHTML.replace(/example.com:8080/ig, newDomain)
}
</script>
</head>
<body>
<h1>Access the secret</h1>
<span style="font-size: 1.2em; color: red">You need to log in to access the secret!</span><br /><br /> Try to access
it using
one of the following links to test access control powered by Authelia.<br />
<ul>
<li>
public.example.com <a href="https://public.example.com:8080/"> /</a>
</li>
<li>
secure.example.com <a href="https://secure.example.com:8080/secret.html"> / secret.html</a>
</li>
<li>
singlefactor.example.com <a href="https://singlefactor.example.com:8080/secret.html"> / secret.html</a>
</li>
<li>
deny.example.com <a href="https://deny.example.com:8080/secret.html"> / secret.html</a>
</li>
<li>
dev.example.com
<ul>
<li>Groups
<ul>
<li>
<a href="https://dev.example.com:8080/groups/admin/secret.html"> / groups / admins / secret.html</a>
</li>
<li>
<a href="https://dev.example.com:8080/groups/dev/secret.html"> / groups / dev / secret.html</a>
</li>
</ul>
</li>
<li>Users
<ul>
<li>
<a href="https://dev.example.com:8080/users/john/secret.html"> / users / john / secret.html</a>
</li>
<li>
<a href="https://dev.example.com:8080/users/harry/secret.html"> / users / harry / secret.html</a>
</li>
<li>
<a href="https://dev.example.com:8080/users/bob/secret.html"> / users / bob / secret.html</a>
</li>
</ul>
</li>
</ul>
</li>
<li>
admin.example.com <a href="https://admin.example.com:8080/secret.html"> / secret.html</a>
</li>
<li>
mx1.main.example.com <a href="https://mx1.mail.example.com:8080/secret.html"> / secret.html</a>
</li>
<li>
mx2.main.example.com <a href="https://mx2.mail.example.com:8080/secret.html"> / secret.html</a>
</li>
<li>
oidc.example.com <a href="https://oidc.example.com:8080/">/</a> (only in OIDC suite).
</li>
</ul>
You can also log off by visiting the following <a
href="https://login.example.com:8080/logout?rd=https://home.example.com:8080/">link</a>.
<h1>List of users</h1>
Here is the list of credentials you can log in with to test access control.<br />
<br /> Once first factor is passed, you will need to follow the links to register a secret for the second
factor.<br /> Authelia
will send you a fictitious email in a <strong>fake webmail</strong> at <a
href="https://mail.example.com:8080/">https://mail.example.com:8080/</a>.<br />
It will provide you with the link to complete the registration allowing you to authenticate with 2-factor.
<ul>
<li><strong>john / password</strong>: belongs to <em>admin</em> and <em>dev</em> groups.</li>
<li><strong>bob / password</strong>: belongs to <em>dev</em> group only.</li>
<li><strong>harry / password</strong>: does not belong to any group.</li>
</ul>
<h1>Access control rules</h1>
<p></p>These rules are extracted from the configuration file
<a href="https://github.com/authelia/authelia/blob/master/config.template.yml">config.template.yml</a>.</p>
<pre id="rules" style="border: 1px grey solid; padding: 20px; display: inline-block;">
default_policy: deny
rules:
# Rules applied to everyone
- domain: public.example.com
policy: two_factor
- domain: singlefactor.example.com
policy: one_factor
# Rules applied to 'admins' group
- domain: 'mx2.mail.example.com'
subject: 'group:admins'
policy: deny
- domain: '*.example.com'
subject: 'group:admins'
policy: two_factor
# Rules applied to 'dev' group
- domain: dev.example.com
resources:
- '^/groups/dev/.*$'
subject: 'group:dev'
policy: two_factor
# Rules applied to user 'john'
- domain: dev.example.com
resources:
- '^/users/john/.*$'
subject: 'user:john'
policy: two_factor
# Rules applied to user 'harry'
- domain: dev.example.com
resources:
- '^/users/harry/.*$'
subject: 'user:harry'
policy: two_factor
# Rules applied to user 'bob'
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: two_factor
- domain: 'dev.example.com'
resources:
- '^/users/bob/.*$'
subject: 'user:bob'
policy: two_factor
</pre>
</body>
</html>
|
