├── .gitignore ├── .pip ├── .vscode └── settings.json ├── CHANGELOG.md ├── Dockerfile ├── LICENSE ├── README.md ├── app ├── __init__.py ├── blueprints │ ├── api.py │ └── ui.py ├── data │ ├── configuration.yml │ └── users_database.yml ├── helpers │ ├── apidocs.py │ ├── argon2.py.old │ ├── argon2hash.py │ ├── iterateQuery.py │ └── rndpwd.py ├── models │ ├── MODELS.md │ ├── config.py │ ├── file_auth.py │ ├── group.py │ ├── host.py │ ├── networks.py │ ├── rules.py │ ├── totp.py │ └── users.py ├── static │ ├── configuration-live.yml │ ├── img │ │ ├── API-flat-illustration.webp │ │ ├── add.svg │ │ ├── android-chrome-192x192.png │ │ ├── android-chrome-512x512.png │ │ ├── apple-touch-icon.png │ │ ├── favicon-16x16.png │ │ ├── favicon-32x32.png │ │ ├── favicon.ico │ │ ├── google-auth.png │ │ ├── lockdown.png │ │ ├── logo-cropped.svg │ │ ├── logo-cropped.webp │ │ ├── plus.svg │ │ └── remove.svg │ ├── js │ │ ├── accordian.js │ │ ├── add_remove.js │ │ ├── api_comms.js │ │ ├── custom.js │ │ ├── menu.js │ │ └── path.js │ ├── site.webmanifest │ └── users_database-live.yml └── templates │ ├── apidocs.html │ ├── config_file.html │ ├── home.html │ ├── login-form.html │ ├── main-config.html │ ├── markdown.html │ ├── test │ ├── textbody.html │ ├── ui-config.html │ ├── ui-edit.html │ ├── ui-home.html │ └── ui-main.html ├── authelia-manager.py ├── docker-compose.yml ├── docs └── images │ ├── ui_login-screenshot.png │ └── ui_main-screenshot.png ├── entrypoint.sh ├── requirements.txt ├── run.sh └── uwsgi.ini /.gitignore: -------------------------------------------------------------------------------- 1 | *.sqlite 2 | docker/data 3 | # Byte-compiled / optimized / DLL files 4 | __pycache__/ 5 | *.py[cod] 6 | *$py.class 7 | 8 | # C extensions 9 | *.so 10 | 11 | # Distribution / packaging 12 | .Python 13 | build/ 14 | develop-eggs/ 15 | dist/ 16 | downloads/ 17 | eggs/ 18 | .eggs/ 19 | lib/ 20 | lib64/ 21 | parts/ 22 | sdist/ 23 | var/ 24 | wheels/ 25 | share/python-wheels/ 26 | *.egg-info/ 
27 | .installed.cfg 28 | *.egg 29 | MANIFEST 30 | 31 | # PyInstaller 32 | # Usually these files are written by a python script from a template 33 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 34 | *.manifest 35 | *.spec 36 | 37 | # Installer logs 38 | pip-log.txt 39 | pip-delete-this-directory.txt 40 | 41 | # Unit test / coverage reports 42 | htmlcov/ 43 | .tox/ 44 | .nox/ 45 | .coverage 46 | .coverage.* 47 | .cache 48 | nosetests.xml 49 | coverage.xml 50 | *.cover 51 | *.py,cover 52 | .hypothesis/ 53 | .pytest_cache/ 54 | cover/ 55 | 56 | # Translations 57 | *.mo 58 | *.pot 59 | 60 | # Django stuff: 61 | *.log 62 | local_settings.py 63 | db.sqlite3 64 | db.sqlite3-journal 65 | 66 | # Flask stuff: 67 | instance/ 68 | .webassets-cache 69 | 70 | # Scrapy stuff: 71 | .scrapy 72 | 73 | # Sphinx documentation 74 | docs/_build/ 75 | 76 | # PyBuilder 77 | .pybuilder/ 78 | target/ 79 | 80 | # Jupyter Notebook 81 | .ipynb_checkpoints 82 | 83 | # IPython 84 | profile_default/ 85 | ipython_config.py 86 | 87 | # pyenv 88 | # For a library or package, you might want to ignore these files since the code is 89 | # intended to run in multiple environments; otherwise, check them in: 90 | # .python-version 91 | 92 | # pipenv 93 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 94 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 95 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 96 | # install all needed dependencies. 97 | #Pipfile.lock 98 | 99 | # poetry 100 | # Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 101 | # This is especially recommended for binary packages to ensure reproducibility, and is more 102 | # commonly ignored for libraries. 
103 | # https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control 104 | #poetry.lock 105 | 106 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 107 | __pypackages__/ 108 | 109 | # Celery stuff 110 | celerybeat-schedule 111 | celerybeat.pid 112 | 113 | # SageMath parsed files 114 | *.sage.py 115 | 116 | # Environments 117 | .env 118 | .venv 119 | env/ 120 | venv/ 121 | ENV/ 122 | env.bak/ 123 | venv.bak/ 124 | 125 | # Spyder project settings 126 | .spyderproject 127 | .spyproject 128 | 129 | # Rope project settings 130 | .ropeproject 131 | 132 | # mkdocs documentation 133 | /site 134 | 135 | # mypy 136 | .mypy_cache/ 137 | .dmypy.json 138 | dmypy.json 139 | 140 | # Pyre type checker 141 | .pyre/ 142 | 143 | # pytype static type analyzer 144 | .pytype/ 145 | 146 | # Cython debug symbols 147 | cython_debug/ 148 | 149 | # PyCharm 150 | # JetBrains specific template is maintainted in a separate JetBrains.gitignore that can 151 | # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore 152 | # and can be added to the global gitignore or merged into this file. For a more nuclear 153 | # option (not recommended) you can uncomment the following to ignore the entire idea folder. 
154 | #.idea/ 155 | -------------------------------------------------------------------------------- /.pip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/.pip -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "python.linting.enabled": true, 3 | "python.linting.pylintEnabled": true 4 | } -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # 2023/04/20 2 | Much progress has been made 3 | - Restructured database 4 | - host 5 | - users 6 | - groups 7 | - networks 8 | - rules 9 | - totp 10 | - file_auth 11 | - config 12 | - JavaScript 13 | - async code to display and send form data to API 14 | - API 15 | - Starting to write database queries for updating entries 16 | - only for users so far 17 | - UI 18 | - MAJOR UI overhauls. Using tailwind and flowbite for css and form controls 19 | - Notifications 20 | - More 21 | - Lots more than I can remember at this point. I should have written this as I go... 22 | 23 | 24 | # 2022/12/18 25 | Initial code dump to database 26 | - Database Models created 27 | - acc_networks - holds network definitions 28 | - acc_rules - holds rules definitions 29 | - config - holds main configuration.yml contents (other than networks and rules) 30 | - API Blueprint created 31 | - Routes: 32 | - /api - Lists api endpoints 33 | - /api/initdb - Initializes Database 34 | - api/config `GET` - lists current config 35 | - For now in JSON format, will make it look pretty once the core code is done 36 | - api/config `POST` - NOT YET CREATED - This will be the endpoint that updates the database with a POST message. 
37 | - helpers 38 | - argon2 - generates an argon2 password given input. See app/helpers/argon2.py for more info 39 | - rndpwd - generates a random passphrase or seed. See app/helpers/rndpwd.py for more info 40 | - taken and slightly modified from beardedtek-com/fevr (another one of my projects) 41 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | from python:3.11 2 | COPY app /app 3 | COPY run.sh /entrypoint.sh 4 | COPY requirements.txt /requirements.txt 5 | COPY instance /instance 6 | COPY authelia-manager.py /authelia-manager.py 7 | RUN pip install -r /requirements.txt && touch /.pip 8 | EXPOSE 5000 9 | ENTRYPOINT /entrypoint.sh 10 | RUN chown -R 1000:1000 /instance -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU AFFERO GENERAL PUBLIC LICENSE 2 | Version 3, 19 November 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU Affero General Public License is a free, copyleft license for 11 | software and other kinds of works, specifically designed to ensure 12 | cooperation with the community in the case of network server software. 13 | 14 | The licenses for most software and other practical works are designed 15 | to take away your freedom to share and change the works. By contrast, 16 | our General Public Licenses are intended to guarantee your freedom to 17 | share and change all versions of a program--to make sure it remains free 18 | software for all its users. 19 | 20 | When we speak of free software, we are referring to freedom, not 21 | price. 
Our General Public Licenses are designed to make sure that you 22 | have the freedom to distribute copies of free software (and charge for 23 | them if you wish), that you receive source code or can get it if you 24 | want it, that you can change the software or use pieces of it in new 25 | free programs, and that you know you can do these things. 26 | 27 | Developers that use our General Public Licenses protect your rights 28 | with two steps: (1) assert copyright on the software, and (2) offer 29 | you this License which gives you legal permission to copy, distribute 30 | and/or modify the software. 31 | 32 | A secondary benefit of defending all users' freedom is that 33 | improvements made in alternate versions of the program, if they 34 | receive widespread use, become available for other developers to 35 | incorporate. Many developers of free software are heartened and 36 | encouraged by the resulting cooperation. However, in the case of 37 | software used on network servers, this result may fail to come about. 38 | The GNU General Public License permits making a modified version and 39 | letting the public access it on a server without ever releasing its 40 | source code to the public. 41 | 42 | The GNU Affero General Public License is designed specifically to 43 | ensure that, in such cases, the modified source code becomes available 44 | to the community. It requires the operator of a network server to 45 | provide the source code of the modified version running there to the 46 | users of that server. Therefore, public use of a modified version, on 47 | a publicly accessible server, gives the public access to the source 48 | code of the modified version. 49 | 50 | An older license, called the Affero General Public License and 51 | published by Affero, was designed to accomplish similar goals. 
This is 52 | a different license, not a version of the Affero GPL, but Affero has 53 | released a new version of the Affero GPL which permits relicensing under 54 | this license. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | TERMS AND CONDITIONS 60 | 61 | 0. Definitions. 62 | 63 | "This License" refers to version 3 of the GNU Affero General Public License. 64 | 65 | "Copyright" also means copyright-like laws that apply to other kinds of 66 | works, such as semiconductor masks. 67 | 68 | "The Program" refers to any copyrightable work licensed under this 69 | License. Each licensee is addressed as "you". "Licensees" and 70 | "recipients" may be individuals or organizations. 71 | 72 | To "modify" a work means to copy from or adapt all or part of the work 73 | in a fashion requiring copyright permission, other than the making of an 74 | exact copy. The resulting work is called a "modified version" of the 75 | earlier work or a work "based on" the earlier work. 76 | 77 | A "covered work" means either the unmodified Program or a work based 78 | on the Program. 79 | 80 | To "propagate" a work means to do anything with it that, without 81 | permission, would make you directly or secondarily liable for 82 | infringement under applicable copyright law, except executing it on a 83 | computer or modifying a private copy. Propagation includes copying, 84 | distribution (with or without modification), making available to the 85 | public, and in some countries other activities as well. 86 | 87 | To "convey" a work means any kind of propagation that enables other 88 | parties to make or receive copies. Mere interaction with a user through 89 | a computer network, with no transfer of a copy, is not conveying. 
90 | 91 | An interactive user interface displays "Appropriate Legal Notices" 92 | to the extent that it includes a convenient and prominently visible 93 | feature that (1) displays an appropriate copyright notice, and (2) 94 | tells the user that there is no warranty for the work (except to the 95 | extent that warranties are provided), that licensees may convey the 96 | work under this License, and how to view a copy of this License. If 97 | the interface presents a list of user commands or options, such as a 98 | menu, a prominent item in the list meets this criterion. 99 | 100 | 1. Source Code. 101 | 102 | The "source code" for a work means the preferred form of the work 103 | for making modifications to it. "Object code" means any non-source 104 | form of a work. 105 | 106 | A "Standard Interface" means an interface that either is an official 107 | standard defined by a recognized standards body, or, in the case of 108 | interfaces specified for a particular programming language, one that 109 | is widely used among developers working in that language. 110 | 111 | The "System Libraries" of an executable work include anything, other 112 | than the work as a whole, that (a) is included in the normal form of 113 | packaging a Major Component, but which is not part of that Major 114 | Component, and (b) serves only to enable use of the work with that 115 | Major Component, or to implement a Standard Interface for which an 116 | implementation is available to the public in source code form. A 117 | "Major Component", in this context, means a major essential component 118 | (kernel, window system, and so on) of the specific operating system 119 | (if any) on which the executable work runs, or a compiler used to 120 | produce the work, or an object code interpreter used to run it. 
121 | 122 | The "Corresponding Source" for a work in object code form means all 123 | the source code needed to generate, install, and (for an executable 124 | work) run the object code and to modify the work, including scripts to 125 | control those activities. However, it does not include the work's 126 | System Libraries, or general-purpose tools or generally available free 127 | programs which are used unmodified in performing those activities but 128 | which are not part of the work. For example, Corresponding Source 129 | includes interface definition files associated with source files for 130 | the work, and the source code for shared libraries and dynamically 131 | linked subprograms that the work is specifically designed to require, 132 | such as by intimate data communication or control flow between those 133 | subprograms and other parts of the work. 134 | 135 | The Corresponding Source need not include anything that users 136 | can regenerate automatically from other parts of the Corresponding 137 | Source. 138 | 139 | The Corresponding Source for a work in source code form is that 140 | same work. 141 | 142 | 2. Basic Permissions. 143 | 144 | All rights granted under this License are granted for the term of 145 | copyright on the Program, and are irrevocable provided the stated 146 | conditions are met. This License explicitly affirms your unlimited 147 | permission to run the unmodified Program. The output from running a 148 | covered work is covered by this License only if the output, given its 149 | content, constitutes a covered work. This License acknowledges your 150 | rights of fair use or other equivalent, as provided by copyright law. 151 | 152 | You may make, run and propagate covered works that you do not 153 | convey, without conditions so long as your license otherwise remains 154 | in force. 
You may convey covered works to others for the sole purpose 155 | of having them make modifications exclusively for you, or provide you 156 | with facilities for running those works, provided that you comply with 157 | the terms of this License in conveying all material for which you do 158 | not control copyright. Those thus making or running the covered works 159 | for you must do so exclusively on your behalf, under your direction 160 | and control, on terms that prohibit them from making any copies of 161 | your copyrighted material outside their relationship with you. 162 | 163 | Conveying under any other circumstances is permitted solely under 164 | the conditions stated below. Sublicensing is not allowed; section 10 165 | makes it unnecessary. 166 | 167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 168 | 169 | No covered work shall be deemed part of an effective technological 170 | measure under any applicable law fulfilling obligations under article 171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 172 | similar laws prohibiting or restricting circumvention of such 173 | measures. 174 | 175 | When you convey a covered work, you waive any legal power to forbid 176 | circumvention of technological measures to the extent such circumvention 177 | is effected by exercising rights under this License with respect to 178 | the covered work, and you disclaim any intention to limit operation or 179 | modification of the work as a means of enforcing, against the work's 180 | users, your or third parties' legal rights to forbid circumvention of 181 | technological measures. 182 | 183 | 4. Conveying Verbatim Copies. 
184 | 185 | You may convey verbatim copies of the Program's source code as you 186 | receive it, in any medium, provided that you conspicuously and 187 | appropriately publish on each copy an appropriate copyright notice; 188 | keep intact all notices stating that this License and any 189 | non-permissive terms added in accord with section 7 apply to the code; 190 | keep intact all notices of the absence of any warranty; and give all 191 | recipients a copy of this License along with the Program. 192 | 193 | You may charge any price or no price for each copy that you convey, 194 | and you may offer support or warranty protection for a fee. 195 | 196 | 5. Conveying Modified Source Versions. 197 | 198 | You may convey a work based on the Program, or the modifications to 199 | produce it from the Program, in the form of source code under the 200 | terms of section 4, provided that you also meet all of these conditions: 201 | 202 | a) The work must carry prominent notices stating that you modified 203 | it, and giving a relevant date. 204 | 205 | b) The work must carry prominent notices stating that it is 206 | released under this License and any conditions added under section 207 | 7. This requirement modifies the requirement in section 4 to 208 | "keep intact all notices". 209 | 210 | c) You must license the entire work, as a whole, under this 211 | License to anyone who comes into possession of a copy. This 212 | License will therefore apply, along with any applicable section 7 213 | additional terms, to the whole of the work, and all its parts, 214 | regardless of how they are packaged. This License gives no 215 | permission to license the work in any other way, but it does not 216 | invalidate such permission if you have separately received it. 
217 | 218 | d) If the work has interactive user interfaces, each must display 219 | Appropriate Legal Notices; however, if the Program has interactive 220 | interfaces that do not display Appropriate Legal Notices, your 221 | work need not make them do so. 222 | 223 | A compilation of a covered work with other separate and independent 224 | works, which are not by their nature extensions of the covered work, 225 | and which are not combined with it such as to form a larger program, 226 | in or on a volume of a storage or distribution medium, is called an 227 | "aggregate" if the compilation and its resulting copyright are not 228 | used to limit the access or legal rights of the compilation's users 229 | beyond what the individual works permit. Inclusion of a covered work 230 | in an aggregate does not cause this License to apply to the other 231 | parts of the aggregate. 232 | 233 | 6. Conveying Non-Source Forms. 234 | 235 | You may convey a covered work in object code form under the terms 236 | of sections 4 and 5, provided that you also convey the 237 | machine-readable Corresponding Source under the terms of this License, 238 | in one of these ways: 239 | 240 | a) Convey the object code in, or embodied in, a physical product 241 | (including a physical distribution medium), accompanied by the 242 | Corresponding Source fixed on a durable physical medium 243 | customarily used for software interchange. 
244 | 245 | b) Convey the object code in, or embodied in, a physical product 246 | (including a physical distribution medium), accompanied by a 247 | written offer, valid for at least three years and valid for as 248 | long as you offer spare parts or customer support for that product 249 | model, to give anyone who possesses the object code either (1) a 250 | copy of the Corresponding Source for all the software in the 251 | product that is covered by this License, on a durable physical 252 | medium customarily used for software interchange, for a price no 253 | more than your reasonable cost of physically performing this 254 | conveying of source, or (2) access to copy the 255 | Corresponding Source from a network server at no charge. 256 | 257 | c) Convey individual copies of the object code with a copy of the 258 | written offer to provide the Corresponding Source. This 259 | alternative is allowed only occasionally and noncommercially, and 260 | only if you received the object code with such an offer, in accord 261 | with subsection 6b. 262 | 263 | d) Convey the object code by offering access from a designated 264 | place (gratis or for a charge), and offer equivalent access to the 265 | Corresponding Source in the same way through the same place at no 266 | further charge. You need not require recipients to copy the 267 | Corresponding Source along with the object code. If the place to 268 | copy the object code is a network server, the Corresponding Source 269 | may be on a different server (operated by you or a third party) 270 | that supports equivalent copying facilities, provided you maintain 271 | clear directions next to the object code saying where to find the 272 | Corresponding Source. Regardless of what server hosts the 273 | Corresponding Source, you remain obligated to ensure that it is 274 | available for as long as needed to satisfy these requirements. 
275 | 276 | e) Convey the object code using peer-to-peer transmission, provided 277 | you inform other peers where the object code and Corresponding 278 | Source of the work are being offered to the general public at no 279 | charge under subsection 6d. 280 | 281 | A separable portion of the object code, whose source code is excluded 282 | from the Corresponding Source as a System Library, need not be 283 | included in conveying the object code work. 284 | 285 | A "User Product" is either (1) a "consumer product", which means any 286 | tangible personal property which is normally used for personal, family, 287 | or household purposes, or (2) anything designed or sold for incorporation 288 | into a dwelling. In determining whether a product is a consumer product, 289 | doubtful cases shall be resolved in favor of coverage. For a particular 290 | product received by a particular user, "normally used" refers to a 291 | typical or common use of that class of product, regardless of the status 292 | of the particular user or of the way in which the particular user 293 | actually uses, or expects or is expected to use, the product. A product 294 | is a consumer product regardless of whether the product has substantial 295 | commercial, industrial or non-consumer uses, unless such uses represent 296 | the only significant mode of use of the product. 297 | 298 | "Installation Information" for a User Product means any methods, 299 | procedures, authorization keys, or other information required to install 300 | and execute modified versions of a covered work in that User Product from 301 | a modified version of its Corresponding Source. The information must 302 | suffice to ensure that the continued functioning of the modified object 303 | code is in no case prevented or interfered with solely because 304 | modification has been made. 
305 | 306 | If you convey an object code work under this section in, or with, or 307 | specifically for use in, a User Product, and the conveying occurs as 308 | part of a transaction in which the right of possession and use of the 309 | User Product is transferred to the recipient in perpetuity or for a 310 | fixed term (regardless of how the transaction is characterized), the 311 | Corresponding Source conveyed under this section must be accompanied 312 | by the Installation Information. But this requirement does not apply 313 | if neither you nor any third party retains the ability to install 314 | modified object code on the User Product (for example, the work has 315 | been installed in ROM). 316 | 317 | The requirement to provide Installation Information does not include a 318 | requirement to continue to provide support service, warranty, or updates 319 | for a work that has been modified or installed by the recipient, or for 320 | the User Product in which it has been modified or installed. Access to a 321 | network may be denied when the modification itself materially and 322 | adversely affects the operation of the network or violates the rules and 323 | protocols for communication across the network. 324 | 325 | Corresponding Source conveyed, and Installation Information provided, 326 | in accord with this section must be in a format that is publicly 327 | documented (and with an implementation available to the public in 328 | source code form), and must require no special password or key for 329 | unpacking, reading or copying. 330 | 331 | 7. Additional Terms. 332 | 333 | "Additional permissions" are terms that supplement the terms of this 334 | License by making exceptions from one or more of its conditions. 335 | Additional permissions that are applicable to the entire Program shall 336 | be treated as though they were included in this License, to the extent 337 | that they are valid under applicable law. 
If additional permissions 338 | apply only to part of the Program, that part may be used separately 339 | under those permissions, but the entire Program remains governed by 340 | this License without regard to the additional permissions. 341 | 342 | When you convey a copy of a covered work, you may at your option 343 | remove any additional permissions from that copy, or from any part of 344 | it. (Additional permissions may be written to require their own 345 | removal in certain cases when you modify the work.) You may place 346 | additional permissions on material, added by you to a covered work, 347 | for which you have or can give appropriate copyright permission. 348 | 349 | Notwithstanding any other provision of this License, for material you 350 | add to a covered work, you may (if authorized by the copyright holders of 351 | that material) supplement the terms of this License with terms: 352 | 353 | a) Disclaiming warranty or limiting liability differently from the 354 | terms of sections 15 and 16 of this License; or 355 | 356 | b) Requiring preservation of specified reasonable legal notices or 357 | author attributions in that material or in the Appropriate Legal 358 | Notices displayed by works containing it; or 359 | 360 | c) Prohibiting misrepresentation of the origin of that material, or 361 | requiring that modified versions of such material be marked in 362 | reasonable ways as different from the original version; or 363 | 364 | d) Limiting the use for publicity purposes of names of licensors or 365 | authors of the material; or 366 | 367 | e) Declining to grant rights under trademark law for use of some 368 | trade names, trademarks, or service marks; or 369 | 370 | f) Requiring indemnification of licensors and authors of that 371 | material by anyone who conveys the material (or modified versions of 372 | it) with contractual assumptions of liability to the recipient, for 373 | any liability that these contractual assumptions directly impose on 
374 | those licensors and authors. 375 | 376 | All other non-permissive additional terms are considered "further 377 | restrictions" within the meaning of section 10. If the Program as you 378 | received it, or any part of it, contains a notice stating that it is 379 | governed by this License along with a term that is a further 380 | restriction, you may remove that term. If a license document contains 381 | a further restriction but permits relicensing or conveying under this 382 | License, you may add to a covered work material governed by the terms 383 | of that license document, provided that the further restriction does 384 | not survive such relicensing or conveying. 385 | 386 | If you add terms to a covered work in accord with this section, you 387 | must place, in the relevant source files, a statement of the 388 | additional terms that apply to those files, or a notice indicating 389 | where to find the applicable terms. 390 | 391 | Additional terms, permissive or non-permissive, may be stated in the 392 | form of a separately written license, or stated as exceptions; 393 | the above requirements apply either way. 394 | 395 | 8. Termination. 396 | 397 | You may not propagate or modify a covered work except as expressly 398 | provided under this License. Any attempt otherwise to propagate or 399 | modify it is void, and will automatically terminate your rights under 400 | this License (including any patent licenses granted under the third 401 | paragraph of section 11). 402 | 403 | However, if you cease all violation of this License, then your 404 | license from a particular copyright holder is reinstated (a) 405 | provisionally, unless and until the copyright holder explicitly and 406 | finally terminates your license, and (b) permanently, if the copyright 407 | holder fails to notify you of the violation by some reasonable means 408 | prior to 60 days after the cessation. 
409 | 410 | Moreover, your license from a particular copyright holder is 411 | reinstated permanently if the copyright holder notifies you of the 412 | violation by some reasonable means, this is the first time you have 413 | received notice of violation of this License (for any work) from that 414 | copyright holder, and you cure the violation prior to 30 days after 415 | your receipt of the notice. 416 | 417 | Termination of your rights under this section does not terminate the 418 | licenses of parties who have received copies or rights from you under 419 | this License. If your rights have been terminated and not permanently 420 | reinstated, you do not qualify to receive new licenses for the same 421 | material under section 10. 422 | 423 | 9. Acceptance Not Required for Having Copies. 424 | 425 | You are not required to accept this License in order to receive or 426 | run a copy of the Program. Ancillary propagation of a covered work 427 | occurring solely as a consequence of using peer-to-peer transmission 428 | to receive a copy likewise does not require acceptance. However, 429 | nothing other than this License grants you permission to propagate or 430 | modify any covered work. These actions infringe copyright if you do 431 | not accept this License. Therefore, by modifying or propagating a 432 | covered work, you indicate your acceptance of this License to do so. 433 | 434 | 10. Automatic Licensing of Downstream Recipients. 435 | 436 | Each time you convey a covered work, the recipient automatically 437 | receives a license from the original licensors, to run, modify and 438 | propagate that work, subject to this License. You are not responsible 439 | for enforcing compliance by third parties with this License. 440 | 441 | An "entity transaction" is a transaction transferring control of an 442 | organization, or substantially all assets of one, or subdividing an 443 | organization, or merging organizations. 
If propagation of a covered 444 | work results from an entity transaction, each party to that 445 | transaction who receives a copy of the work also receives whatever 446 | licenses to the work the party's predecessor in interest had or could 447 | give under the previous paragraph, plus a right to possession of the 448 | Corresponding Source of the work from the predecessor in interest, if 449 | the predecessor has it or can get it with reasonable efforts. 450 | 451 | You may not impose any further restrictions on the exercise of the 452 | rights granted or affirmed under this License. For example, you may 453 | not impose a license fee, royalty, or other charge for exercise of 454 | rights granted under this License, and you may not initiate litigation 455 | (including a cross-claim or counterclaim in a lawsuit) alleging that 456 | any patent claim is infringed by making, using, selling, offering for 457 | sale, or importing the Program or any portion of it. 458 | 459 | 11. Patents. 460 | 461 | A "contributor" is a copyright holder who authorizes use under this 462 | License of the Program or a work on which the Program is based. The 463 | work thus licensed is called the contributor's "contributor version". 464 | 465 | A contributor's "essential patent claims" are all patent claims 466 | owned or controlled by the contributor, whether already acquired or 467 | hereafter acquired, that would be infringed by some manner, permitted 468 | by this License, of making, using, or selling its contributor version, 469 | but do not include claims that would be infringed only as a 470 | consequence of further modification of the contributor version. For 471 | purposes of this definition, "control" includes the right to grant 472 | patent sublicenses in a manner consistent with the requirements of 473 | this License. 
474 | 475 | Each contributor grants you a non-exclusive, worldwide, royalty-free 476 | patent license under the contributor's essential patent claims, to 477 | make, use, sell, offer for sale, import and otherwise run, modify and 478 | propagate the contents of its contributor version. 479 | 480 | In the following three paragraphs, a "patent license" is any express 481 | agreement or commitment, however denominated, not to enforce a patent 482 | (such as an express permission to practice a patent or covenant not to 483 | sue for patent infringement). To "grant" such a patent license to a 484 | party means to make such an agreement or commitment not to enforce a 485 | patent against the party. 486 | 487 | If you convey a covered work, knowingly relying on a patent license, 488 | and the Corresponding Source of the work is not available for anyone 489 | to copy, free of charge and under the terms of this License, through a 490 | publicly available network server or other readily accessible means, 491 | then you must either (1) cause the Corresponding Source to be so 492 | available, or (2) arrange to deprive yourself of the benefit of the 493 | patent license for this particular work, or (3) arrange, in a manner 494 | consistent with the requirements of this License, to extend the patent 495 | license to downstream recipients. "Knowingly relying" means you have 496 | actual knowledge that, but for the patent license, your conveying the 497 | covered work in a country, or your recipient's use of the covered work 498 | in a country, would infringe one or more identifiable patents in that 499 | country that you have reason to believe are valid. 
500 | 501 | If, pursuant to or in connection with a single transaction or 502 | arrangement, you convey, or propagate by procuring conveyance of, a 503 | covered work, and grant a patent license to some of the parties 504 | receiving the covered work authorizing them to use, propagate, modify 505 | or convey a specific copy of the covered work, then the patent license 506 | you grant is automatically extended to all recipients of the covered 507 | work and works based on it. 508 | 509 | A patent license is "discriminatory" if it does not include within 510 | the scope of its coverage, prohibits the exercise of, or is 511 | conditioned on the non-exercise of one or more of the rights that are 512 | specifically granted under this License. You may not convey a covered 513 | work if you are a party to an arrangement with a third party that is 514 | in the business of distributing software, under which you make payment 515 | to the third party based on the extent of your activity of conveying 516 | the work, and under which the third party grants, to any of the 517 | parties who would receive the covered work from you, a discriminatory 518 | patent license (a) in connection with copies of the covered work 519 | conveyed by you (or copies made from those copies), or (b) primarily 520 | for and in connection with specific products or compilations that 521 | contain the covered work, unless you entered into that arrangement, 522 | or that patent license was granted, prior to 28 March 2007. 523 | 524 | Nothing in this License shall be construed as excluding or limiting 525 | any implied license or other defenses to infringement that may 526 | otherwise be available to you under applicable patent law. 527 | 528 | 12. No Surrender of Others' Freedom. 529 | 530 | If conditions are imposed on you (whether by court order, agreement or 531 | otherwise) that contradict the conditions of this License, they do not 532 | excuse you from the conditions of this License. 
If you cannot convey a 533 | covered work so as to satisfy simultaneously your obligations under this 534 | License and any other pertinent obligations, then as a consequence you may 535 | not convey it at all. For example, if you agree to terms that obligate you 536 | to collect a royalty for further conveying from those to whom you convey 537 | the Program, the only way you could satisfy both those terms and this 538 | License would be to refrain entirely from conveying the Program. 539 | 540 | 13. Remote Network Interaction; Use with the GNU General Public License. 541 | 542 | Notwithstanding any other provision of this License, if you modify the 543 | Program, your modified version must prominently offer all users 544 | interacting with it remotely through a computer network (if your version 545 | supports such interaction) an opportunity to receive the Corresponding 546 | Source of your version by providing access to the Corresponding Source 547 | from a network server at no charge, through some standard or customary 548 | means of facilitating copying of software. This Corresponding Source 549 | shall include the Corresponding Source for any work covered by version 3 550 | of the GNU General Public License that is incorporated pursuant to the 551 | following paragraph. 552 | 553 | Notwithstanding any other provision of this License, you have 554 | permission to link or combine any covered work with a work licensed 555 | under version 3 of the GNU General Public License into a single 556 | combined work, and to convey the resulting work. The terms of this 557 | License will continue to apply to the part which is the covered work, 558 | but the work with which it is combined will remain governed by version 559 | 3 of the GNU General Public License. 560 | 561 | 14. Revised Versions of this License. 562 | 563 | The Free Software Foundation may publish revised and/or new versions of 564 | the GNU Affero General Public License from time to time. 
Such new versions 565 | will be similar in spirit to the present version, but may differ in detail to 566 | address new problems or concerns. 567 | 568 | Each version is given a distinguishing version number. If the 569 | Program specifies that a certain numbered version of the GNU Affero General 570 | Public License "or any later version" applies to it, you have the 571 | option of following the terms and conditions either of that numbered 572 | version or of any later version published by the Free Software 573 | Foundation. If the Program does not specify a version number of the 574 | GNU Affero General Public License, you may choose any version ever published 575 | by the Free Software Foundation. 576 | 577 | If the Program specifies that a proxy can decide which future 578 | versions of the GNU Affero General Public License can be used, that proxy's 579 | public statement of acceptance of a version permanently authorizes you 580 | to choose that version for the Program. 581 | 582 | Later license versions may give you additional or different 583 | permissions. However, no additional obligations are imposed on any 584 | author or copyright holder as a result of your choosing to follow a 585 | later version. 586 | 587 | 15. Disclaimer of Warranty. 588 | 589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 597 | 598 | 16. Limitation of Liability. 
599 | 600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 608 | SUCH DAMAGES. 609 | 610 | 17. Interpretation of Sections 15 and 16. 611 | 612 | If the disclaimer of warranty and limitation of liability provided 613 | above cannot be given local legal effect according to their terms, 614 | reviewing courts shall apply local law that most closely approximates 615 | an absolute waiver of all civil liability in connection with the 616 | Program, unless a warranty or assumption of liability accompanies a 617 | copy of the Program in return for a fee. 618 | 619 | END OF TERMS AND CONDITIONS 620 | 621 | How to Apply These Terms to Your New Programs 622 | 623 | If you develop a new program, and you want it to be of the greatest 624 | possible use to the public, the best way to achieve this is to make it 625 | free software which everyone can redistribute and change under these terms. 626 | 627 | To do so, attach the following notices to the program. It is safest 628 | to attach them to the start of each source file to most effectively 629 | state the exclusion of warranty; and each file should have at least 630 | the "copyright" line and a pointer to where the full notice is found. 
631 | 632 | 633 | Copyright (C) 634 | 635 | This program is free software: you can redistribute it and/or modify 636 | it under the terms of the GNU Affero General Public License as published 637 | by the Free Software Foundation, either version 3 of the License, or 638 | (at your option) any later version. 639 | 640 | This program is distributed in the hope that it will be useful, 641 | but WITHOUT ANY WARRANTY; without even the implied warranty of 642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 643 | GNU Affero General Public License for more details. 644 | 645 | You should have received a copy of the GNU Affero General Public License 646 | along with this program. If not, see . 647 | 648 | Also add information on how to contact you by electronic and paper mail. 649 | 650 | If your software can interact with users remotely through a computer 651 | network, you should also make sure that it provides a way for users to 652 | get its source. For example, if your program is a web application, its 653 | interface could display a "Source" link that leads users to an archive 654 | of the code. There are many ways you could offer source, and different 655 | solutions will be better for different programs; see section 13 for the 656 | specific requirements. 657 | 658 | You should also get your employer (if you work as a programmer) or school, 659 | if any, to sign a "copyright disclaimer" for the program, if necessary. 660 | For more information on this, and how to apply and follow the GNU AGPL, see 661 | . 662 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # authelia-manager 2 | Flask Web UI for Authelia Management 3 | 4 | This will eventually be a web based UI to configure authelia. 5 | 6 | See [CHANGELOG.md](CHANGELOG.md) for current progress 7 | ## What will it configure? 
8 | ### Base Config 9 | ### Authentication 10 | ##### Not only the text-file user database (yml file) 11 | ### Access Control 12 | ##### Define Networks 13 | ##### Define Rules 14 | 15 | ## Requirements 16 | - Python (3.10 or above recommended) 17 | - UWSGI already installed or full development environment including python-devel for your version of python 18 | - Tested on Linux, but *should* work on Windows in theory 19 | 20 | ## More Info 21 | Take a look at the issues to find more information about what I plan to implement. 22 | 23 | ## Testing 24 | To test, take the following steps: 25 | #### Clone Repository 26 | ``` 27 | git clone https://github.com/beardedtek-com/authelia-manager 28 | ``` 29 | #### Enter the authelia-manager directory 30 | ``` 31 | cd authelia-manager 32 | ``` 33 | 34 | ### Start it up 35 | ``` 36 | ./run.sh 37 | ``` 38 | ### run.sh takes the following actions: 39 | - Creates a new virtual environment in .venv if it does not exist: `python3 -m venv .venv` 40 | - Activates the virtual environment: `source .venv/bin/activate` 41 | - Installs python requirements: `pip install -r requirements.txt` 42 | - Starts up uWSGI on port 5000 43 | 44 | At this point, you should have the following output at the bottom of your terminal: 45 | ``` 46 | *** Starting uWSGI 2.0.21 (64bit) on [Mon Dec 19 14:06:39 2022] *** 47 | compiled with version: 12.2.1 20221020 [revision 0aaef83351473e8f4eb774f8f999bbe87a4866d7] on 19 December 2022 20:06:43 48 | os: Linux-5.15.79.1-microsoft-standard-WSL2 #1 SMP Wed Nov 23 01:01:46 UTC 2022 49 | nodename: DESKTOP-E1K894R 50 | machine: x86_64 51 | clock source: unix 52 | detected number of CPU cores: 12 53 | current working directory: /home/localadmin/Github/authelia-manager 54 | detected binary path: /home/localadmin/Github/authelia-manager/venv/bin/uwsgi 55 | !!! no internal routing support, rebuild with pcre support !!!
56 | *** WARNING: you are running uWSGI without its master process manager *** 57 | your processes number limit is 63811 58 | your memory page size is 4096 bytes 59 | detected max file descriptor number: 1048576 60 | lock engine: pthread robust mutexes 61 | thunder lock: disabled (you can enable it with --thunder-lock) 62 | uWSGI http bound on 0.0.0.0:5000 fd 4 63 | spawned uWSGI http 1 (pid: 14174) 64 | uwsgi socket 0 bound to TCP address 127.0.0.1:43817 (port auto-assigned) fd 3 65 | Python version: 3.10.9 (main, Dec 08 2022, 14:49:06) [GCC] 66 | *** Python threads support is disabled. You can enable it with --enable-threads *** 67 | Python main interpreter initialized at 0xe2f970 68 | your server socket listen backlog is limited to 100 connections 69 | your mercy for graceful operations on workers is 60 seconds 70 | mapped 291616 bytes (284 KB) for 4 cores 71 | *** Operational MODE: preforking *** 72 | WSGI app 0 (mountpoint='') ready in 1 seconds on interpreter 0xe2f970 pid: 14173 (default app) 73 | *** uWSGI is running in multiple interpreter mode *** 74 | spawned uWSGI worker 1 (pid: 14173, cores: 1) 75 | spawned uWSGI worker 2 (pid: 14185, cores: 1) 76 | spawned uWSGI worker 3 (pid: 14186, cores: 1) 77 | spawned uWSGI worker 4 (pid: 14187, cores: 1) 78 | ``` 79 | #### Try it out: 80 | [http://localhost:5000/api](http://localhost:5000/api) 81 | 82 | This will allow you to see the work that's been done in the API so far. It's getting there, but still a long ways away. 
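83 | 84 | # Screenshots 85 | ## Main Landing / Info Page 86 | ![Main Landing Page](https://github.com/BeardedTek-com/authelia-manager/blob/main/docs/images/ui_main-screenshot.png) 87 | 88 | ## Login Page 89 | ![Login Page](https://github.com/BeardedTek-com/authelia-manager/blob/main/docs/images/ui_login-screenshot.png) -------------------------------------------------------------------------------- /app/__init__.py: --------------------------------------------------------------------------------
# Application wiring for authelia-manager: builds the Flask ``app``, the
# SQLAlchemy ``db`` handle and the Flask-Login ``login_manager``, then
# registers the API and UI blueprints. Importing this module has side effects.

# External Imports
from flask import Flask, session, redirect, send_from_directory, make_response, render_template
from flask_sqlalchemy import SQLAlchemy
from flask_login import LoginManager
from datetime import timedelta
import logging
import os
import secrets

logger = logging.getLogger(__name__)

# How long an idle session stays valid. Applied through PERMANENT_SESSION_LIFETIME
# below; before_request marks every session permanent so the limit takes effect.
SESSION_LIFETIME = timedelta(minutes=30)

# Flask Setup
app = Flask(__name__)

# Session-cookie signing key. The previous hard-coded literal let anyone who had
# read the source forge a logged-in session, so take the key from the
# environment and only fall back to a random per-process value. The fallback
# invalidates sessions on every restart and is shared between uWSGI workers
# only when the app is loaded before forking, so deployments should set
# SECRET_KEY explicitly.
_secret_key = os.environ.get("SECRET_KEY")
if not _secret_key:
    logger.warning("SECRET_KEY is not set; using a random per-process key")
    _secret_key = secrets.token_hex(32)

app.config.update(
    SECRET_KEY=_secret_key,
    SESSION_COOKIE_NAME="authelia-manager_session",
    SESSION_COOKIE_HTTPONLY=True,   # keep the cookie out of reach of page scripts
    SESSION_COOKIE_SAMESITE="Lax",  # add SESSION_COOKIE_SECURE=True once served over TLS
    PERMANENT_SESSION_LIFETIME=SESSION_LIFETIME,
    STATIC_FOLDER="static",
    TEMPLATES_FOLDER="templates",
    DEBUG=False,
    TESTING=False,
    SQLALCHEMY_DATABASE_URI="sqlite:///authelia-manager.sqlite",
    SQLALCHEMY_TRACK_MODIFICATIONS=False,
)

# Session Setup
@app.before_request
def before_request():
    """Mark the session permanent so PERMANENT_SESSION_LIFETIME governs its expiry.

    The lifetime itself is fixed once in the config above instead of being
    reassigned on every request.
    """
    session.permanent = True

# Database Setup
db = SQLAlchemy(app)

# Flask Login Setup
from app.models.users import users
login_manager = LoginManager()
login_manager.login_view = 'ui.ui_login'
login_manager.init_app(app)

@login_manager.user_loader
def load_user(userid):
    """Resolve the user id stored in the session cookie to a ``users`` row.

    Flask-Login expects ``None`` rather than an exception when the id cannot
    be resolved, so a stale or tampered cookie carrying a non-integer id
    yields an anonymous user instead of a 500.
    """
    try:
        uid = int(userid)
    except (TypeError, ValueError):
        return None
    return users.query.get(uid)

# Import Blueprints

# API
from app.blueprints import api
app.register_blueprint(api.api)

#UI
from app.blueprints import ui
app.register_blueprint(ui.ui)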
/app/blueprints/api.py: --------------------------------------------------------------------------------
1 | """API blueprint: JSON/YAML views over the authelia-manager database and data files."""
2 | # External Imports
3 | import yaml
4 | import json
5 | from flask import Blueprint, jsonify, make_response, render_template, request, redirect, flash, url_for, request  # NOTE(review): `request` is imported twice
6 | from flask_login import login_user, logout_user, login_required, current_user
7 | from os import path, access, R_OK, getcwd
8 | import random
9 |
10 | # Internal Imports
11 | from app.helpers.argon2hash import argon2hash, argon2verify
12 | from app.helpers.rndpwd import randpwd
13 | from app.helpers.apidocs import apidocs
14 | from app.helpers.iterateQuery import iterateQuery
15 | from app import db
16 |
17 | from app.models.file_auth import file_auth
18 | from app.models.group import group
19 | from app.models.host import host
20 | from app.models.networks import networks
21 | from app.models.rules import rules
22 | from app.models.totp import totp
23 | from app.models.users import users
24 |
25 | api = Blueprint('api',__name__)
26 |
27 | @api.route('/api',methods=['GET'])
28 | @api.route('/api/account',methods=['GET'])
29 | @api.route('/api/settings',methods=['GET'])
30 | @api.route('/docs',methods=['GET'])
31 | @login_required
32 | def apiDoc():
# Render the API documentation markdown (apidocs.md()) through apidocs.html.
33 | APIdocs = apidocs()
34 | Markdown = APIdocs.md()
35 | return make_response(render_template('apidocs.html',apidocs=Markdown))
36 |
# NOTE(review): unlike the routes above and below, /api/initdb carries no
# @login_required, so db.create_all() is reachable by any unauthenticated client,
# and a state-changing action is exposed on GET.
37 | @api.route('/api/initdb',methods=['GET'])
38 | def apiInitDB():
39 | """
40 | Create every table known to the SQLAlchemy metadata and report the outcome as JSON.
41 | """
42 | try:
43 | db.create_all()
44 | result = True
45 | except Exception as e:
46 | result = e  # NOTE(review): an Exception object is not JSON-serializable, so jsonify() below fails on this path; report a fixed message and keep the detail in the server log rather than echoing it
47 | return jsonify(
48 | {
49 | "InitDB" : True,
50 | "Result" : result
51 | }
52 | )
53 |
54 | @api.route('/api/',methods=['GET'])  # NOTE(review): the view takes `data`, so the rule was presumably '/api/<data>' and the converter was lost in rendering — confirm against the source
55 | @login_required
56 | def apiDataGET(data):
# Dump a whole table as JSON; the table is chosen by the URL segment `data`.
57 | if data == "config":
58 | config_Data = config.query.all()  # NOTE(review): `config`, `acc_networks` and `acc_rules` are not imported in this module (the model imports above bring in file_auth, group, host, networks, rules, totp, users), so this branch raises NameError
59 | acc_networks_Data = acc_networks.query.all()
60 | acc_rules_Data = acc_rules.query.all()
61 | output = {
62 | "CONFIG" :
iterateQuery(config_Data),
63 | "Access Control Networks" : iterateQuery(acc_networks_Data),
64 | "Access Control Rules" : iterateQuery(acc_rules_Data)
65 | }
66 | elif data == "user" or data == "users":
# NOTE(review): iterateQuery presumably serializes every column; `users` carries the
# password hash (api_login compares user.hash) and `totp` its secret material — confirm
# both are stripped before this is returned, even to logged-in users.
67 | output = {}
68 | query = users.query.all()
69 | output = iterateQuery(query)
70 | elif data == "networks":
71 | output = {}
72 | query = networks.query.all()
73 | output = iterateQuery(query)
74 | elif data == "rules":
75 | output = {}
76 | query = rules.query.all()
77 | output = iterateQuery(query)
78 | elif data == "totp":
79 | output = {}
80 | query = totp.query.all()
81 | output = iterateQuery(query)
82 | elif data == "group":
83 | output = {}
84 | query = group.query.all()
85 | output = iterateQuery(query)
86 | else:
87 | output = {"Error":"Invalid Request"}
88 | return output
89 |
# NOTE(review): the GET view above is @login_required but this POST view is not, so an
# unauthenticated client can change any user's display name, email, groups (which drive
# access control) and notes; `id` comes from the request body with no check that the
# caller may edit that user.
90 | @api.route('/api/',methods=['POST'])  # NOTE(review): converter presumably '/api/<data>' as for the GET route — confirm against the source
91 | def api_data_post(data):
92 | jsonData = request.get_json()  # NOTE(review): None when the body is not JSON, so jsonData['id'] below raises inside the try and is reported as error 11
93 | print(jsonData)  # NOTE(review): writes the full request body (e-mail, groups, notes) to the server log on every call; drop it or log only the id
94 | if data == "users":
95 | try:
96 | query = users.query.filter_by(id=jsonData['id']).first()  # NOTE(review): .first() is None for an unknown id; the AttributeError on the next line is swallowed by the broad except below and its text is sent to the client
97 | changes = False
98 | if query.display != jsonData['display']:
99 | changes = True
100 | query.display = jsonData['display']
101 | if query.email != jsonData['email']:
102 | changes = True
103 | query.email = jsonData['email']
104 | if query.groups != jsonData['groups']:
105 | changes = True
106 | query.groups = jsonData['groups']
107 | if query.notes != jsonData['note']:  # NOTE(review): request key is 'note' while the column is `notes` — confirm the UI sends 'note'
108 | changes = True
109 | query.notes = jsonData['note']
110 | if changes:
111 | print("changes")
112 | db.session.commit()
113 | output = {"return":0}
114 | else:
115 | print("no changes")
116 | output = {"return":1,"error":"No changes"}
117 | except Exception as error:
118 | print(f"ERROR: {error}")
119 | output = {"return":11,"error":str(error)}  # NOTE(review): echoes internal exception text (ORM/SQL detail) to the caller; return a fixed message and keep the detail in the log
120 | else:
121 | error_code = random.randint(0,2)  # NOTE(review): test stub — every non-"users" POST gets a random outcome; remove before this route is relied on
122 | output = {"return":error_code}
123 | if error_code != 0:
124 | output['error'] = "Test Error Code"
125 | return output
126 |
127 | @api.route('/api//current/',methods=['GET'])  # NOTE(review): the view takes config_format and config_type, so two path converters look lost in rendering — confirm against the source
128 |
@login_required 129 | def apiUsersCurrentGet(config_format,config_type): 130 | if config_type == "user" or config_type == "users" or config_type == "users_database": 131 | config_type = "users_database" 132 | else: 133 | config_type = "configuration" 134 | config_path = f"{getcwd()}/app/data/{config_type}.yml" 135 | if path.isfile(config_path) and access(config_path, R_OK): 136 | with open(config_path) as config_file: 137 | config_data = yaml.safe_load(config_file) 138 | else: 139 | config_data = {"Error": f"Cannot read {config}"} 140 | if config_format == "yaml" or config_format == "yml": 141 | config_data = yaml.dump(config_data) 142 | else: 143 | config_data = json.dumps(config_data,indent=2) 144 | return render_template('config_file.html',data=config_type, Data=config_data, format=config_format) 145 | 146 | @api.route('/api/randpw',methods=['GET']) 147 | @login_required 148 | def api_gen_password(): 149 | """ 150 | Generates a random password hash 151 | """ 152 | pw_format="argon2" 153 | pw_type="id" 154 | if pw_format: 155 | # For now, we only do argon2 password generation. 
156 | # We can expand here when we add more 157 | if pw_type == "i" or pw_type == "d" or pw_type == "id": 158 | # Make sure it's a type that we support 159 | # Generate random password 160 | rndpwd = randpwd() 161 | rand_password = rndpwd.generate() 162 | pwdhash = argon2hash(rand_password) 163 | hashed_password = pwdhash.gen_hash() 164 | output = { 165 | "Password" : hashed_password 166 | } 167 | else: 168 | output = { 169 | "Error" : "Unsupported Format" 170 | } 171 | if not output: 172 | output = { 173 | "Error" : "Unknown Error" 174 | } 175 | return jsonify(output) 176 | 177 | @api.route('/api/login', methods=['POST']) 178 | def api_login(): 179 | # login code goes here 180 | username = request.form.get('user') 181 | password = request.form.get('password') 182 | try: 183 | user = users.query.filter_by(user=username).first() 184 | # check if the user actually exists 185 | # take the user-supplied password, hash it, and compare it to the hashed password in the database 186 | if user and argon2verify(user.hash,password): 187 | flash(f"Welcome back, {user.display}") 188 | login_user(user) 189 | else: 190 | flash('Please check your login details and try again.') 191 | return redirect(url_for('ui.ui_login')) # if the user doesn't exist or password is wrong, reload the page 192 | # if the above check passes, then we know the user has the right credentials 193 | 194 | except Exception as error_string: 195 | if "no such table" in str(error_string): 196 | flash("Database is missing. 
Please contact your administrator and inform them setup is not complete.") 197 | else: 198 | flash(f"{error_string}") 199 | return redirect(url_for('ui.ui_login')) 200 | 201 | return redirect(url_for('ui.ui_main')) 202 | 203 | @api.route('/api/logout') 204 | @login_required 205 | def logout(): 206 | display_name = current_user.display 207 | logout_user() 208 | flash(f"{display_name} successfully logged out.") 209 | return redirect(url_for('ui.ui_home')) 210 | -------------------------------------------------------------------------------- /app/blueprints/ui.py: -------------------------------------------------------------------------------- 1 | # External Imports 2 | from flask import Blueprint, escape, redirect, jsonify, make_response, render_template 3 | from flask_login import login_required 4 | from sqlalchemy import desc 5 | import os 6 | 7 | # Internal Imports 8 | from app.helpers.iterateQuery import iterateQuery 9 | from app.models.config import config 10 | def auth_method(): 11 | try: 12 | query = config.query.all() 13 | print(f"query: {query}") 14 | CONFIG = iterateQuery(query) 15 | print(CONFIG) 16 | print(CONFIG[1]['auth_backend']) 17 | auth = CONFIG[1]['auth_backend'] 18 | print(auth) 19 | except: 20 | auth="none" 21 | print(auth) 22 | return auth 23 | 24 | # API Blueprint Setup 25 | ui = Blueprint('ui',__name__) 26 | @ui.route('/') 27 | def ui_home(): 28 | """ 29 | Home Page for Site 30 | 31 | Returns: 32 | make_response: outputs render template for text 33 | """ 34 | intro = { 35 | "header": "Easily Integrate On-Prem Authelia 2FA", 36 | "body": { 37 | "1":"Authelia-Manager provides an easy to use interface to quickly deploy\ 38 | Authelia and its many options without having to manually edit yaml files.\ 39 | Save time and frustration digging through the docs with an easy way to\ 40 | explore and set configuration options.", 41 | "2":"Join the revolution and be your own 2FA provider!", 42 | "button":{ 43 | "text":"Get Started", 44 | "link":{ 45 | 
"url":"https://github.com/beardedtek-com/authelia-manager", 46 | "target":"target='_blank'" 47 | }, 48 | "focus":"true" 49 | } 50 | }, 51 | "image":{ 52 | "1":{ 53 | "src":"/static/img/google-auth.png", 54 | "alt":"Google Authenticator", 55 | "link":"" 56 | } 57 | } 58 | 59 | } 60 | intro2 = { 61 | "header": "Lock Down Unsecured Web Apps", 62 | "body": { 63 | "1":"If you're using apps with no built-in authentication, you're attack\ 64 | surface is wide open. Authelia-Manager can help you protect your\ 65 | services with one factor, two factor, or even open access with ease!", 66 | "2":"Find out just how easy it can be to protect yourself!", 67 | "button":{ 68 | "text":"Learn More", 69 | "link":{ 70 | "url":"https://github.com/beardedtek-com/authelia-manager", 71 | "target":"target='_blank'" 72 | }, 73 | "focus":"true" 74 | } 75 | }, 76 | "image":{ 77 | "1":{ 78 | "src":"/static/img/lockdown.png", 79 | "alt":"App Lockdown", 80 | "link":"" 81 | } 82 | } 83 | 84 | } 85 | output = render_template('ui-home.html',intro=intro,intro2=intro2,auth_method=auth_method()) 86 | return make_response(output) 87 | 88 | 89 | @ui.route('/ui/login') 90 | def ui_login(): 91 | output = render_template('login-form.html',auth_method=auth_method()) 92 | return make_response(output) 93 | 94 | 95 | @ui.route('/ui') 96 | @login_required 97 | def ui_main(): 98 | print(auth_method) 99 | output = render_template('ui-main.html',auth_method=auth_method()) 100 | return make_response(output) 101 | @ui.route('/edit/') 102 | @login_required 103 | def ui_edit(data): 104 | output = render_template('ui-edit.html',auth_method=auth_method(),data=data) 105 | return make_response(output) 106 | 107 | @ui.route('/config') 108 | @login_required 109 | def ui_config(): 110 | output = render_template('ui-config.html',auth_method=auth_method()) 111 | return make_response(output) 112 | 113 | @ui.route('/users') 114 | @login_required 115 | def ui_users(): 116 | output = 
render_template('ui-users.html',auth_method=auth_method()) 117 | return make_response(output) 118 | 119 | @ui.route('/networks') 120 | @login_required 121 | def ui_networks(): 122 | output = render_template('ui-networks.html',auth_method=auth_method()) 123 | return make_response(output) 124 | 125 | @ui.route('/rules') 126 | @login_required 127 | def ui_rules(): 128 | output = render_template('ui-rules.html',auth_method=auth_method()) 129 | return make_response(output) -------------------------------------------------------------------------------- /app/data/configuration.yml: -------------------------------------------------------------------------------- 1 | ############################################################### 2 | # Authelia configuration # 3 | ############################################################### 4 | 5 | host: 0.0.0.0 6 | port: 9091 7 | log_level: warn 8 | 9 | # This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE 10 | # I used this site to generate the secret: https://www.grc.com/passwords.htm 11 | 12 | jwt_secret: yqRMLh4sAbQ47mG0jYsv6vzzHJg1CajKve7tB7OSXiYFk9FXE789roSHIn3380y 13 | 14 | # https://docs.authelia.com/configuration/miscellaneous.html#default-redirection-url 15 | default_redirection_url: https://auth.example.com 16 | 17 | totp: 18 | issuer: authelia.com 19 | period: 30 20 | skew: 1 21 | 22 | 23 | authentication_backend: 24 | file: 25 | path: /config/users_database.yml 26 | # customize passwords based on https://docs.authelia.com/configuration/authentication/file.html 27 | password: 28 | algorithm: argon2id 29 | iterations: 1 30 | salt_length: 16 31 | parallelism: 8 32 | memory: 512 # blocks this much of the RAM. Tune this. 

access_control:
  default_policy: deny

  networks:
    - name: internal
      networks:
        - '192.168.2.0/24' # Your Internal Subnet
        - '192.168.21.0/24'
    - name: tailscale
      networks:
        - 192.168.23.0/24
        - '100.64.0.0/10' # Tailscale Subnet (DO NOT MODIFY)
  rules:
    # Authelia must be bypass
    - domain: auth.example.com
      policy: bypass
    # Traefik Dashboard 2FA
    - domain: "traefik.example.com"
      policy: two_factor
      networks:
        - "internal"
    # Traefik Tailscale Dashboard one_factor (username/password)
    - domain: "traefik.tailscale.example.com"
      policy: one_factor
      networks:
        - "tailscale"
    # Home Assistant No Auth (We can setup authelia in Home Assistant)
    - domain: "hass.example.com"
      policy: bypass
    # Default Policy for any other domains
    - domain: "*.example.com"
      policy: two_factor
    # Let our main domain through without auth
    - domain: "example.com"
      policy: bypass

session:
  name: authelia_session
  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
  # NOTE(review): this is the SAME value as jwt_secret above and
  # storage.encryption_key below (the earlier comment claimed a different
  # secret had been used).  Each of the three must be its own random secret,
  # preferably supplied via AUTHELIA_SESSION_SECRET_FILE rather than committed here.
  secret: yqRMLh4sAbQ47mG0jYsv6vzzHJg1CajKve7tB7OSXiYFk9FXE789roSHIn3380y # use docker secret file instead AUTHELIA_SESSION_SECRET_FILE
  expiration: 3600 # 1 hour
  inactivity: 300 # 5 minutes
  domain: example.com # Should match whatever your root protected domain is


regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300

storage:
  # NOTE(review): same value as jwt_secret and session.secret; use a separate key.
  encryption_key: yqRMLh4sAbQ47mG0jYsv6vzzHJg1CajKve7tB7OSXiYFk9FXE789roSHIn3380y
  # For local storage, uncomment lines below and comment out mysql. https://docs.authelia.com/configuration/storage/sqlite.html
  local:
    path: /config/db.sqlite3
  # mysql:
  #   # MySQL allows running multiple authelia instances. Create database and enter details below.
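#   host: MYSQL_HOST
#   port: 3306
#   database: authelia
#   username: DBUSERNAME
#   # Password can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
#   # password: use docker secret file instead AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE

notifier:
  smtp:
    host: mail.example.com
    port: 465
    timeout: 10s
    username: no-reply@example.com
    # NOTE(review): prefer the secret-file mechanism used for the other
    # passwords in this file over a literal password here.
    password: YOUR_PASSWORD
    sender: "Authelia "
    identifier: beardedtek.com
    subject: "[Authelia] {title}"
    startup_check_address: test@authelia.com
    disable_require_tls: false
    disable_starttls: true
    disable_html_emails: false
    tls:
      server_name: mail.example.com
      # NOTE(review): skip_verify: true turns off certificate validation, so
      # the SMTP credentials above can be read by anyone who can intercept the
      # connection to mail.example.com.  Keep it false unless you have another
      # way of trusting the server's certificate.
      skip_verify: true

# # For testing purpose, notifications can be sent in a file. Be sure map the volume in docker-compose.
#   filesystem:
#     filename: /tmp/authelia/notification.txt
--------------------------------------------------------------------------------
/app/data/users_database.yml:
--------------------------------------------------------------------------------
# Sample users database.  This entry is an example; replace it (and its hash)
# before using the file for a real deployment.
users:
  myuser:
    password: $argon2id$v=19$m=4096,t=3,p=1$c2FsdEl0V2l0aFNhbHQ$bpQfn8cG8LB6jy5G4MCa1oJD1eBHErwRWlDJVkog0Y4
    displayname: My User
    email: myuser@example.com
    groups:
      - admins
      - dev
    disabled: false
--------------------------------------------------------------------------------
/app/helpers/apidocs.py:
--------------------------------------------------------------------------------
class apidocs:
    """Static description of the HTTP endpoints, rendered by apidocs.html.

    NOTE(review): several entries do not match app/blueprints/api.py (there is
    no /api/docs, /api/config/post or /api/user/post route; updates go to
    POST /api/<data>; /api/logout is reachable by GET).  The strings are left
    as written -- correct them together with the routes.
    """

    def __init__(self) -> None:
        """
        This is where we document all the api calls.
        """
        self.contents = {
            "API Documentation": {
                "/": "[GET] Informational page",
                "/ui": "[GET] UI entrypoint",
                "/ui/login": "[GET] User login form",
                "/api": "[GET] API information",
                "/api/docs": "[GET] Main documentation (This may change to ui)",
                "/api/initdb": "[GET] Initialize database",
                "/api/config": "[GET] Returns config data in JSON",
                "/api/config/post": "[POST] Processes updated config data",
                "/api/user": "[GET] Returns user data in JSON",
                "/api/user/post": "[POST] Processes updated user data",
                "/api/group": "[GET] Returns Group Data in JSON",
                "/api/group/post": "[POST] Processes updated group data",
                "/api/config/current/json": "[GET] Displays Authelia's current configuration.yml file in JSON format",
                "/api/config/current/yaml": "[GET] Displays Authelia's current configuration.yml file in YAML format",
                "/api/users/current/json": "[GET] Displays Authelia's current user_database.yml file in JSON format",
                "/api/users/current/yaml": "[GET] Displays Authelia's current user_database.yml file in YAML format",
                "/api/randpw": "[GET] Generates Random Password (DEPRICATED)",
                "/api/account": "[POST] Processes changes to user account",
                "/api/settings": "[POST] Processes changes to user settings",
                "/api/login": "[POST] Processes Log in",
                "/api/logout": "[POST] Processes Log out"
            }
        }
        self.markdown = "API Documentation\n"

    def md(self) -> dict:
        """Render `self.contents` into `self.markdown` and return `self.contents`.

        The caller (api.apiDoc) passes the return value to the template, so the
        dict return is kept (the old `-> str` annotation was wrong).  The
        original appended HTML fragments with repeated `+=`; this builds a
        markdown table per section with str.join.  The rendered text is only
        available on the instance.
        """
        sections = []
        for title, endpoints in self.contents.items():
            lines = [f"## {title}", "", "| Endpoint | Description |", "| --- | --- |"]
            lines += [f"| `{route}` | {description} |" for route, description in endpoints.items()]
            sections.append("\n".join(lines))
        self.markdown += "\n\n".join(sections) + "\n"
        return self.contents

--------------------------------------------------------------------------------
/app/helpers/argon2.py.old:
--------------------------------------------------------------------------------
# Dead code: superseded by argon2hash.py and not imported anywhere.  Kept as
# found; note that its check_hash() always returns False.
from passlib.hash import argon2

class argon2hash:
    def __init__(self,password,type=None,salt=None):
        self.password = password
        self.type = None
        self.salt = None
        self.gen_hash()

    def gen_hash(self):
        h = argon2
        if self.type:
            try:
                h.type = self.type
            except:
                pass

        if self.salt:
            try:
                h.salt = self.salt
            except:
                pass

        rval = {
            "hash" : h.hash(self.password),
            "type" : h.type,
            "salt" : h.salt
        }

        return rval
    def check_hash(hash,password):
        return False

if __name__ == "__main__":
    Argon2hash = argon2hash("T35tP@55w0rD",type="id")
    print(Argon2hash.gen_hash())
--------------------------------------------------------------------------------
/app/helpers/argon2hash.py:
--------------------------------------------------------------------------------
"""Argon2 hashing and verification wrappers around argon2-cffi's PasswordHasher."""
from argon2 import PasswordHasher
from argon2 import exceptions as argon2Exceptions
try:
    from app.helpers.rndpwd import randpwd
except ImportError:  # running this file directly from app/helpers
    from rndpwd import randpwd


class argon2hash:
    """Hash one password (a generated one when none is given) with PasswordHasher defaults.

    PasswordHasher() chooses the parameters and a fresh salt per call, so each
    generate() produces a different encoded hash for the same password.
    """

    def __init__(self, password=None):
        # A falsy password (None / "") is replaced by a generated one, as before.
        self.password = password if password else randpwd.generate()
        self.ph = PasswordHasher()

    def generate(self):
        """Return {"password": plaintext, "hash": encoded argon2 hash}."""
        self.hash = self.ph.hash(self.password)
        return {"password": self.password, "hash": self.hash}

    def gen_hash(self):
        """Return only the encoded hash (the method name app/blueprints/api.py calls)."""
        return self.generate()["hash"]


class argon2verify:
    """Check a plaintext password against an encoded Argon2 hash.

    api.py's login tests the instance itself (`if argon2verify(h, p):`); without
    __bool__ every instance was truthy, so any password was accepted for an
    existing user.  __bool__ now runs verify().  The hash and the plaintext
    password are no longer printed to stdout as the original did.
    """

    def __init__(self, argon_hash, password):
        self.hash = argon_hash
        self.password = password
        self.ph = PasswordHasher()

    def verify(self):
        """Return True when the password matches, False on mismatch or an unparsable hash."""
        try:
            self.ph.verify(self.hash, self.password)
            return True
        # InvalidHash is a ValueError subclass; an unparsable stored hash is
        # "does not verify", not a server error.
        except (argon2Exceptions.VerifyMismatchError, argon2Exceptions.VerificationError, ValueError):
            return False

    __bool__ = verify


if __name__ == "__main__":
    print("\n###############################\n Random Password & Verify\n###############################")
    password = randpwd.generate()
    badpassword = "NotThePassword"
    hash = argon2hash(password=password).generate()["hash"]
    print(hash)
    print(f"good password: {argon2verify(hash, password).verify()}")
    print(f"{badpassword}: {argon2verify(hash, badpassword).verify()}")
    print("###############################\n\n")
    print("###############################\n Password='P@5Sw0Rd' & Verify\n###############################")
    password = "P@5Sw0Rd"
    hash = argon2hash(password=password).generate()["hash"]
    print(hash)
    print(f"{password}: {argon2verify(hash, password).verify()}")
    print(f"{badpassword}: {argon2verify(hash, badpassword).verify()}")
--------------------------------------------------------------------------------
/app/helpers/iterateQuery.py:
--------------------------------------------------------------------------------
def iterateQuery(query, exclude=()):
    """Turn SQLAlchemy rows into {row.id: {column: value}} from each row's __dict__.

    Attributes with a leading underscore (SQLAlchemy state) and `id` itself are
    skipped; `exclude` names further columns to leave out (for example "hash"
    on the users table) so callers can keep secrets out of API output.  An
    empty or None query yields {}.
    """
    output = {}
    if not query:
        return output
    skip = set(exclude)
    skip.add("id")
    for row in query:
        output[row.id] = {
            name: value
            for name, value in row.__dict__.items()
            if not name.startswith('_') and name not in skip
        }
    return output
--------------------------------------------------------------------------------
/app/helpers/rndpwd.py:
--------------------------------------------------------------------------------
# This code is a portion of frigate Event Video Recorder (fEVR)
#
# Copyright (C) 2021-2022 The Bearded Tek (http://www.beardedtek.com) William Kenny
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

import secrets
import string


class randpwd:
    """Random password / secret generator.

    Uses the `secrets` module (OS CSPRNG) instead of `random`: MODELS.md and
    models/config.py say jwt_secret and session_secret are produced with
    generate(count=63), and `random` (Mersenne Twister) is predictable from a
    handful of outputs.
    """

    @staticmethod
    def generate(count=None, key=False):
        """Return a string of ASCII letters and digits.

        key=True -> 128 characters (for secrets/keys).  Otherwise `count`
        characters when given, else a random length between 24 and 63.  The
        original ignored `count` entirely.  Declared @staticmethod so that both
        call styles used in this repo, `randpwd.generate()` and
        `randpwd().generate()`, work.  Each position first picks a character
        class (lower, upper, digit) uniformly and then a uniform member of it,
        as before.
        """
        if key:
            count = 128
        elif count is None:
            count = secrets.randbelow(40) + 24  # 24..63 inclusive, like randint(24, 63)
        classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
        return "".join(secrets.choice(secrets.choice(classes)) for _ in range(count))


if __name__ == '__main__':
    print(randpwd.generate(key=True))
    print()
    print(randpwd.generate(count=63))
--------------------------------------------------------------------------------
/app/models/MODELS.md:
--------------------------------------------------------------------------------
The following databases will be used:

config:
    id                      : unique identifier
    name                    : human readable identifier
    hostname                : hostname of authelia
    jwt_secret              : jwt secret
                            : Can be automatically generated with app.helpers.rndpwd.generate(count=63)
                              (must come from a CSPRNG; it is stored in plain text in this table)
    default_redirection_url : Default Redirection URL `https://${hostname}`
                              https://docs.authelia.com/configuration/miscellaneous.html#default-redirection-url
    auth_backend            : Always file for now
    file_path               : Filepath of `/config/users_database.yml`

    password_algorithm      : Algorithm to use for password hash `argon2id`
    password_iterations     : 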
number of hash iterations `1`
    password_salt_length    : length of salt `16`
    password_parallelism    : Parallelism `8`
    password_memory         : Blocks this much RAM. TUNE THIS!!! `512`

    access_control_default  : Default Access Control Policy `deny`

    session_name            : authelia_session
    session_secret          : Can be automatically generated by app.helpers.rndpwd.generate(count=63)
                              (must be a different value from jwt_secret; stored in plain text)
    session_expiration      : Expiration time (in seconds) `3600`
    session_inactivity      : Inactivity Time (in seconds) `300`
    session_domain          : should match hostname

    regulation_max_retries  : `3`
    regulation_find_time    : `120`
    regulation_ban_time     : `300`

    storage_local_path      : `/config/db.sqlite3`

    notifier_smtp_enable                : `true`
    notifier_smtp_host                  : smtp hostname
    notifier_smtp_port                  : `465`
    notifier_smtp_timeout               : `10s`
    notifier_smtp_username              : username
    notifier_smtp_password              : password (stored in plain text in this table)
    notifier_smtp_sender                : sender email address
    notifier_smtp_identifier            : name for smtp server
    notifier_smtp_subject               : `"[Authelia] {title}"`
    notifier_smtp_startup_check_address : test.authelia.com
    notifier_smtp_disable_require_tls   : `false`
    notifier_smtp_disable_starttls      : `true`
    notifier_smtp_disable_html_emails   : `false`
    notifier_smtp_tls_server_name       : smtp server
    notifier_smtp_tls_skip_verify       : `true` (NOTE: disables certificate checking of the SMTP server; `false` is the safe default)

    notifier_filesystem_enable   : `false`
    notifier_filesystem_filename : `/config/filesystem_notifier.txt`

acc_networks:
    id       : unique identifier
    name     : Network Name (no spaces) `internal`
    networks : Networks included in acc (comma separated) (CIDR Notation) `192.168.2.0/24,10.0.0.0/8,172.16.0.0/12`

acc_rules:
    id           : unique identifier
    domain       : `*.example.com`
    domain_regex : `empty string`
    policy       : bypass, one_factor or two_factor `two_factor` (the yaml files use `bypass`, not `pass`)
    networks     : comma separated list of networks defined in acc_networks `internal`
    subject      : 
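comma separated list of users, groups in format of ['user:username'] or ['group:groupname']
    #NOTE NEED TO ADD EVERYTHING ELSE BUT THIS GETS US STARTED FOR NOW.

users:
    id      : unique identifier
    user    : username
    display : Display Name
    email   : Email Address
    groups  : comma separated list of groups
    hash    : argon2 password hash (see app/models/users.py; never returned by the API)
    notes   : free text

group:
    id          : unique identifier
    group       : group name
    display     : Display Name
    permissions : comma separated permissions for the group
    notes       : free text
--------------------------------------------------------------------------------
/app/models/config.py:
--------------------------------------------------------------------------------
from app import db


class config(db.Model):
    """One managed Authelia configuration (ui.auth_method reads the row with id 1).

    id                      : unique identifier
    name                    : human readable identifier
    hostname                : hostname of authelia
    jwt_secret              : jwt secret
                            : Can be automatically generated with app.helpers.rndpwd.generate(count=63)
    default_redirection_url : Default Redirection URL `https://${hostname}`
                              https://docs.authelia.com/configuration/miscellaneous.html#default-redirection-url
    auth_backend            : Always file for now
    file_path               : Filepath of `/config/users_database.yml`

    password_algorithm         : Algorithm to use for password hash `argon2`
    password_algorithm_variant : Variant of argon2 `argon2id`
    password_iterations        : number of hash iterations `1`
    password_salt_length       : length of salt `16`
    password_parallelism       : Parallelism `8`
    password_memory            : Blocks this much RAM. TUNE THIS!!! `512`

    access_control_default  : Default Access Control Policy `deny`

    session_name       : authelia_session
    session_secret     : Can be automatically generated by app.helpers.rndpwd.generate(count=63)
    session_expiration : Expiration time (in seconds) `3600`
    session_inactivity : Inactivity Time (in seconds) `300`
    session_domain     : should match hostname

    regulation_max_retries : `3`
    regulation_find_time   : `120`
    regulation_ban_time    : `300`

    storage_local_path : `/config/db.sqlite3`

    notifier_smtp_enable                : `true`
    notifier_smtp_host                  : smtp hostname
    notifier_smtp_port                  : `465`
    notifier_smtp_timeout               : `10s`
    notifier_smtp_username              : username
    notifier_smtp_password              : password
    notifier_smtp_sender                : sender email address
    notifier_smtp_identifier            : name for smtp server
    notifier_smtp_subject               : `"[Authelia] {title}"`
    notifier_smtp_startup_check_address : test.authelia.com
    notifier_smtp_disable_require_tls   : `false` (column is spelled notifier_smtp_disable_requre_tls, see below)
    notifier_smtp_disable_starttls      : `true`
    notifier_smtp_disable_html_emails   : `false`
    notifier_smtp_tls_server_name       : smtp server
    notifier_smtp_tls_skip_verify       : `true`

    notifier_filesystem_enable   : `false`
    notifier_filesystem_filename : `/config/filesystem_notifier.txt`

    Security notes:
    * jwt_secret, session_secret and notifier_smtp_password are plain-text
      columns: anyone who can read the app database, or call GET /api/config
      while logged in, has them.
    * The enable/disable settings are String(5) "true"/"false" strings, not
      Boolean columns, so writers must use exactly those spellings.
    """

    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String(50), unique=True)
    hostname = db.Column(db.String(250), unique=True)
    jwt_secret = db.Column(db.String(64))  # plain text
    default_redirection_url = db.Column(db.String(500))
    auth_backend = db.Column(db.String(20))
    file_path = db.Column(db.String(500))
    password_algorithm = db.Column(db.String(10))
    password_algorithm_variant = db.Column(db.String(10))
    password_iterations = db.Column(db.Integer)
    password_salt_length = db.Column(db.Integer)
    password_parallelism = db.Column(db.Integer)
    password_memory = db.Column(db.Integer)
    access_control_default = db.Column(db.String(10))
    session_name = db.Column(db.String(32))
    session_secret = db.Column(db.String(64))  # plain text
    session_expiration = db.Column(db.Integer)
    session_inactivity = db.Column(db.Integer)
    session_domain = db.Column(db.String(250))
    regulation_max_retries = db.Column(db.Integer)
    regulation_find_time = db.Column(db.Integer)
    regulation_ban_time = db.Column(db.Integer)
    storage_local_path = db.Column(db.String(128))
    notifier_smtp_enable = db.Column(db.String(5))
    notifier_smtp_host = db.Column(db.String(250))
    notifier_smtp_port = db.Column(db.Integer)
    notifier_smtp_timeout = db.Column(db.String(30))
    notifier_smtp_username = db.Column(db.String(256))
    notifier_smtp_password = db.Column(db.String(256))  # plain text
    notifier_smtp_sender = db.Column(db.String(256))
    notifier_smtp_identifier = db.Column(db.String(128))
    notifier_smtp_subject = db.Column(db.String(256))
    notifier_smtp_startup_check_address = db.Column(db.String(256))
    # NOTE: misspelt relative to the docstring and the Authelia key
    # `disable_require_tls`.  Renaming it is a schema change, so it is kept;
    # any code writing this setting must use this exact attribute name.
    notifier_smtp_disable_requre_tls = db.Column(db.String(5))
    notifier_smtp_disable_starttls = db.Column(db.String(5))
    notifier_smtp_disable_html_emails = db.Column(db.String(5))
    notifier_smtp_tls_server_name = db.Column(db.String(250))
    # Documented default is `true`, which disables SMTP certificate checks.
    notifier_smtp_tls_skip_verify = db.Column(db.String(250))
    notifier_filesystem_enable = db.Column(db.String(5))
    notifier_filesystem_filename = db.Column(db.String(512))
--------------------------------------------------------------------------------
/app/models/file_auth.py:
--------------------------------------------------------------------------------
from app import db


class file_auth(db.Model):
    """Settings of Authelia's `authentication_backend.file` section.

    id                   : unique identifier
    path                 : path of the users database file (`/config/users_database.yml`)
    password_algorithm   : hash algorithm (`argon2id` in the shipped configuration.yml)
    password_iterations  : iterations
    password_salt_length : salt length
    password_parallelism : parallelism
    password_memory      : memory setting (`512` in the shipped configuration.yml)
    notes                : free text

    (The original docstring was copied from networks.py and described the
    wrong columns.)
    """
    id = db.Column(db.Integer, primary_key=True)
    path = db.Column(db.String(1024))
    password_algorithm = db.Column(db.String(50))
    password_iterations = db.Column(db.Integer)
    password_salt_length = db.Column(db.Integer)
    password_parallelism = db.Column(db.Integer)
    password_memory = db.Column(db.Integer)
    notes = db.Column(db.Text)
--------------------------------------------------------------------------------
/app/models/group.py:
--------------------------------------------------------------------------------
from app import db


class group(db.Model):
    """A user group.

    id          : unique identifier
    group       : group name (the docstring used to say "username (for login)", which is the users table)
    display     : display name
    permissions : comma separated permissions
    notes       : free text
    """
    id = db.Column(db.Integer, primary_key=True)
    group = db.Column(db.String(50), unique=True)
    display = db.Column(db.String(50))
    permissions = db.Column(db.String(200))
    notes = db.Column(db.Text)
--------------------------------------------------------------------------------
/app/models/host.py:
--------------------------------------------------------------------------------
from app import db


class host(db.Model):
    """Top-level Authelia server settings.

    id                      : unique identifier
    host                    : Host/Interface (0.0.0.0)
    port                    : Port Number
    log_level               : Log Level
    default_redirection_url : Default Redirection URL
    jwt_secret              : JWT Secret (plain text column)
    authentication_backend  : 'file' or 'ldap' authentication backend
    default_policy          : access_control.default_policy
    notes                   : free text
    """
    id = db.Column(db.Integer, primary_key=True)
    host = db.Column(db.String(1024))
    port = db.Column(db.Integer)
    log_level = db.Column(db.String(1024))
    default_redirection_url = db.Column(db.String(1024))
    jwt_secret = db.Column(db.String(64))
    authentication_backend = db.Column(db.String(4))  # 'file' / 'ldap' both fit
    # Was String(5): too short for `bypass`, `one_factor` or `two_factor`,
    # which the yaml files in this repo use for policies (SQLite ignores the
    # length, other backends would truncate or reject).  Widened to match
    # rules.policy.
    default_policy = db.Column(db.String(15))
    notes = db.Column(db.Text)
--------------------------------------------------------------------------------
/app/models/networks.py:
--------------------------------------------------------------------------------
from app import db


class networks(db.Model):
    """A named network group for access-control rules.

    id       : unique identifier
    name     : Network Name (no spaces) `internal`
    networks : Networks included in acc (comma separated) (CIDR Notation) `192.168.2.0/24,10.0.0.0/8,172.16.0.0/12`
    """
    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String(50), unique=True)
    networks = db.Column(db.String(1024))
--------------------------------------------------------------------------------
/app/models/rules.py:
--------------------------------------------------------------------------------
from app import db


class rules(db.Model):
    """One access-control rule.

    id           : unique identifier
    domain       : `*.example.com`
    domain_regex : `empty string`
    policy       : bypass, one_factor or two_factor `two_factor` (the yaml uses `bypass`, not `pass`)
    networks     : comma separated list of networks defined in acc_networks `internal`
    subject      : comma separated list of users, groups in format of ['user:username'] or ['group:groupname']
    methods      : HTTP methods the rule applies to
    resources    : resource patterns the rule applies to
    notes        : free text
    NOTE: NEED TO ADD EVERYTHING ELSE BUT THIS GETS US STARTED FOR NOW.
    """
    id = db.Column(db.Integer, primary_key=True)
    domain = db.Column(db.String(250))
    domain_regex = db.Column(db.String(250))
    policy = db.Column(db.String(15))
    networks = db.Column(db.String(1024))
    subject = db.Column(db.String(1024))
    methods = db.Column(db.String(20))
    resources = db.Column(db.String(100))
    notes = db.Column(db.Text)
--------------------------------------------------------------------------------
/app/models/totp.py:
--------------------------------------------------------------------------------
from app import db


class totp(db.Model):
    """Authelia `totp` section.

    id     : unique identifier
    issuer : issuer shown in the authenticator app (`authelia.com` in configuration.yml)
    period : code period in seconds (`30`)
    skew   : accepted period skew (`1`)
    notes  : free text

    (The original docstring was copied from networks.py.)
    """
    id = db.Column(db.Integer, primary_key=True)
    issuer = db.Column(db.String(1024))
    period = db.Column(db.Integer)
    skew = db.Column(db.Integer)
    notes = db.Column(db.Text)
--------------------------------------------------------------------------------
/app/models/users.py:
--------------------------------------------------------------------------------
"""
Login accounts of the manager itself (flask-login user class).
"""
from flask_login import UserMixin
from app import db


class users(db.Model, UserMixin):
    """
    id      : unique identifier
    user    : username (for login)
    display : display name
    email   : email address
    hash    : argon2 password hash, verified by app.helpers.argon2hash.argon2verify;
              must never be returned by the API
    groups  : comma separated list of groups user belongs to
    notes   : free text
    """
    id = db.Column(db.Integer, primary_key=True)
    user = db.Column(db.String(50), unique=True)
    display = db.Column(db.String(50))
    email = db.Column(db.String(150), unique=True)
    groups = db.Column(db.String(200))
    hash = db.Column(db.String(150))
    notes = db.Column(db.Text)
--------------------------------------------------------------------------------
/app/static/configuration-live.yml: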
--------------------------------------------------------------------------------
# Authelia configuration shipped with the demo.
# NOTE(review): this file lives under app/static/, which Flask serves by default at /static/;
# check that neither it nor users_database-live.yml next to it can be fetched over HTTP.
access_control:
  default_policy: deny  # anything not matched by a rule below is refused
  networks:
    - name: internal
      networks:
        - 192.168.2.0/24
        - 192.168.21.0/24
    - name: tailscale
      networks:
        - 192.168.23.0/24
        - 100.64.0.0/10
  # Rules are evaluated top to bottom; the first match wins.
  rules:
    # Authelia's own portal must be reachable without authentication.
    - domain: auth.example.com
      policy: bypass
    - domain: traefik.example.com
      networks:
        - internal
      policy: two_factor
    - domain: traefik.tailscale.example.com
      networks:
        - tailscale
      policy: one_factor
    # NOTE(review): hass.example.com and the apex domain are unauthenticated (bypass) while the
    # wildcard requires two_factor — confirm that is intended.
    - domain: hass.example.com
      policy: bypass
    - domain: '*.example.com'
      policy: two_factor
    - domain: example.com
      policy: bypass
authentication_backend:
  file:
    password:
      algorithm: argon2id
      iterations: 1
      memory: 512
      parallelism: 8
      salt_length: 16
    path: /config/users_database.yml
default_redirection_url: https://auth.example.com
host: 0.0.0.0  # listens on every interface; expose only behind the reverse proxy
# NOTE(review): the same value is reused for jwt_secret, session.secret and storage.encryption_key;
# each should be an independently generated secret, injected at deploy time rather than committed.
jwt_secret: yqRMLh4sAbQ47mG0jYsv6vzzHJg1CajKve7tB7OSXiYFk9FXE789roSHIn3380y
log_level: warn
notifier:
  smtp:
    disable_html_emails: false
    disable_require_tls: false
    disable_starttls: true
    host: mail.example.com
    identifier: beardedtek.com
    password: YOUR_PASSWORD  # placeholder; supply the real credential at deploy time, never in the repository
    port: 465
    sender: Authelia
    startup_check_address: test@authelia.com
    subject: '[Authelia] {title}'
    timeout: 10s
    tls:
      server_name: mail.example.com
      # NOTE(review): disables certificate verification for the SMTP connection, so notification
      # e-mails can be intercepted by anyone who can redirect the connection — keep false in production.
      skip_verify: true
    username: no-reply@example.com
port: 9091
regulation:
  ban_time: 300  # seconds a user stays banned after max_retries failed logins within find_time seconds
  find_time: 120
  max_retries: 3
session:
  domain: example.com
  expiration: 3600
  inactivity: 300
  name: authelia_session
  secret: yqRMLh4sAbQ47mG0jYsv6vzzHJg1CajKve7tB7OSXiYFk9FXE789roSHIn3380y  # see note at jwt_secret
storage:
  encryption_key: yqRMLh4sAbQ47mG0jYsv6vzzHJg1CajKve7tB7OSXiYFk9FXE789roSHIn3380y  # see note at jwt_secret
  local:
    path: /config/db.sqlite3
totp:
  issuer: authelia.com
  period: 30
77 | skew: 1 78 | -------------------------------------------------------------------------------- /app/static/img/API-flat-illustration.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/app/static/img/API-flat-illustration.webp -------------------------------------------------------------------------------- /app/static/img/add.svg: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /app/static/img/android-chrome-192x192.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/app/static/img/android-chrome-192x192.png -------------------------------------------------------------------------------- /app/static/img/android-chrome-512x512.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/app/static/img/android-chrome-512x512.png -------------------------------------------------------------------------------- /app/static/img/apple-touch-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/app/static/img/apple-touch-icon.png -------------------------------------------------------------------------------- /app/static/img/favicon-16x16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/app/static/img/favicon-16x16.png 
-------------------------------------------------------------------------------- /app/static/img/favicon-32x32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/app/static/img/favicon-32x32.png -------------------------------------------------------------------------------- /app/static/img/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/app/static/img/favicon.ico -------------------------------------------------------------------------------- /app/static/img/google-auth.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/app/static/img/google-auth.png -------------------------------------------------------------------------------- /app/static/img/lockdown.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/app/static/img/lockdown.png -------------------------------------------------------------------------------- /app/static/img/logo-cropped.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 6 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 25 | 26 | 27 | 28 | 29 | 30 | 37 | 38 | 39 | 40 | 41 | 42 | 48 | 49 | 50 | 51 | 52 | 53 | 59 | 60 | 61 | 62 | 63 | 64 | 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /app/static/img/logo-cropped.webp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/app/static/img/logo-cropped.webp -------------------------------------------------------------------------------- /app/static/img/plus.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /app/static/img/remove.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /app/static/js/accordian.js: -------------------------------------------------------------------------------- 1 | // create an array of objects with the id, trigger element (eg. button), and the content element 2 | const accordionItems = [ 3 | { 4 | id: 'config-main-heading', 5 | triggerEl: document.querySelector('#config-main-heading'), 6 | targetEl: document.querySelector('#config-main-body'), 7 | active: true 8 | }, 9 | { 10 | id: 'config-totp-heading', 11 | triggerEl: document.querySelector('#config-totp-heading'), 12 | targetEl: document.querySelector('#config-totp-body'), 13 | active: false 14 | }, 15 | { 16 | id: 'accordion-example-heading-3', 17 | triggerEl: document.querySelector('#config-auth_backend-heading'), 18 | targetEl: document.querySelector('#config-auth_backend-body'), 19 | active: false 20 | } 21 | ]; 22 | 23 | // options with default values 24 | const options = { 25 | alwaysOpen: false, 26 | activeClasses: 'bg-gray-100 dark:bg-gray-800 text-gray-900 dark:text-white', 27 | inactiveClasses: 'text-gray-500 dark:text-gray-400', 28 | onOpen: (item) => { 29 | console.log('accordion item has been shown'); 30 | console.log(item); 31 | }, 32 | onClose: (item) => { 33 | console.log('accordion item has been hidden'); 34 | console.log(item); 35 | }, 36 | onToggle: (item) => { 37 | console.log('accordion item has been toggled'); 38 | 
console.log(item); 39 | }, 40 | }; 41 | 42 | import { Accordion } from 'flowbite'; 43 | 44 | /* 45 | * accordionItems: array of accordion item objects 46 | * options: optional 47 | */ 48 | const accordion = new Accordion(accordionItems, options); -------------------------------------------------------------------------------- /app/static/js/add_remove.js: -------------------------------------------------------------------------------- 1 | // document.getElementById('add_network').onclick = duplicate; 2 | var i = 0; 3 | var original = document.getElementById('network_add'); 4 | function duplicate() { 5 | var clone = original.cloneNode(true); // "deep" clone 6 | clone.id = "network_add" + ++i; // there can only be one element with an ID 7 | console.log(original.parentNode) 8 | original.parentNode.appendChild(clone); 9 | document.getElementById(clone.id).focus(); 10 | } -------------------------------------------------------------------------------- /app/static/js/api_comms.js: -------------------------------------------------------------------------------- 1 | let formClass = "w-screen-lg mb-4" 2 | 3 | let labelClass = "block mt-4 mb-1 text-sm font-medium text-gray-900 dark:text-white"; 4 | 5 | let formFieldClass = "text-sm border block p-2.5 w-full rounded-lg\ 6 | border-gray-300 dark:border-gray-600 focus:border-primary-500 dark:focus:border-primary-500\ 7 | focus:ring-primary-500 dark:focus:ring-primary-500 dark:placeholder-gray-400"; 8 | 9 | let submitClass = "lg:col-span-2 inline-flex items-center px-5 text-sm font-medium text-center\ 10 | text-white bg-blue-800 rounded-lg focus:ring-4 focus:ring-primary-200\ 11 | dark:focus:ring-primary-900 hover:bg-primary-800 mt-2 px-5 py-2.5"; 12 | 13 | let enabledClass = " bg-gray-50 dark:bg-gray-700 dark:text-white text-gray-900"; 14 | 15 | let disabledClass = " bg-slate-500 text-black"; 16 | 17 | let origin = window.location.origin; 18 | 19 | let apiBase = origin + "/api/" 20 | 21 | let forms = [] 22 | 23 | function 
createElement(parentid,index,value,data){ 24 | var elementTag = "input"; 25 | var elementType = "text"; 26 | var elementDisable = false; 27 | if(value.includes("email")){ 28 | elementTag = "input"; 29 | elementType = "email"; 30 | elementDisable=false; 31 | } 32 | else if(value.includes("groups") || value.includes("display")){ 33 | elementTag = "input"; 34 | elementType="text"; 35 | elementDisable=false; 36 | } 37 | else if(value.includes("user")){ 38 | elementTag = "input"; 39 | elementType="text"; 40 | elementDisable=true; 41 | } 42 | 43 | var element = document.createElement(elementTag); 44 | element.className = formFieldClass; 45 | element.name = value; 46 | element.disabled=elementDisable; 47 | if(elementTag == "input"){ 48 | element.type = elementType; 49 | element.value = data; 50 | } 51 | else if(elementTag == "textarea"){ 52 | element.innerHTML = data; 53 | } 54 | if (elementDisable){ 55 | element.className += disabledClass; 56 | } 57 | else{ 58 | element.className += enabledClass; 59 | } 60 | 61 | return element; 62 | } 63 | 64 | 65 | 66 | async function getJSONData(baseID,parentID) { 67 | source = apiBase + baseID; 68 | const response = await fetch(source); 69 | const jsonData = await response.json(); 70 | console.log(source) 71 | console.log(response) 72 | console.log(jsonData) 73 | if(jsonData['Error'] === 'Invalid Request'){ 74 | var message = "Cannot retrieve data from "+source; 75 | notify(message,"error","getDataError"); 76 | } 77 | else{ 78 | parent = document.getElementById(parentID) 79 | parent.innerHTML = ""; 80 | for (let index in jsonData){ 81 | var div = document.createElement("div"); 82 | divID = baseID+"-"+index+"-container"; 83 | div.id=divID; 84 | div.className=formClass; 85 | parent.appendChild(div); 86 | var form = document.createElement("form"); 87 | formID = baseID+"-"+index; 88 | form.name=formID; 89 | form.id=formID; 90 | form.className = formClass; 91 | div.appendChild(form); 92 | var elements = {}; 93 | var textareaExists = 
false; 94 | var loopIndex = 1; 95 | for (let value in jsonData[index]){ 96 | if (value.includes("hash")){ 97 | } 98 | else if(value.includes("note")){ 99 | textareaExists = true; 100 | textareaID = "note"; 101 | var textarea = document.createElement("textarea"); 102 | textarea.id = textareaID; 103 | textarea.name = textareaID; 104 | textarea.cols = "2"; 105 | textarea.className = formFieldClass + enabledClass; 106 | textarea.innerHTML = jsonData[index][value]; 107 | } 108 | else{ 109 | elements[value] = createElement(formID,index,value,jsonData[index][value]); 110 | } 111 | } 112 | for(let element in elements){ 113 | var label = document.createElement("label"); 114 | label.for = element; 115 | label.className = labelClass; 116 | label.innerHTML = element; 117 | form.appendChild(label); 118 | form.appendChild(elements[element]); 119 | } 120 | if (textareaExists){ 121 | var label = document.createElement("label"); 122 | label.for = textareaID; 123 | label.className = labelClass; 124 | label.innerHTML = textareaID; 125 | form.appendChild(label); 126 | form.appendChild(textarea); 127 | } 128 | var submit = document.createElement("button"); 129 | submitID = baseID+"-"+index+"-submit"; 130 | submit.id = submitID; 131 | submit.innerHTML = "Update"; 132 | submit.className = submitClass; 133 | submit.type="button"; 134 | submit.onclick="submitformData(document.querySelector('#"+formID+"'))" 135 | form.appendChild(submit); 136 | forms.push(formID) 137 | } 138 | notify("Successfully retrieved data from API","success","dataRefreshed") 139 | } 140 | } 141 | 142 | 143 | 144 | async function submitFormData(form,apiEndpoint) { 145 | console.log(form) 146 | // Convert form data to JSON format 147 | const postForm = new FormData(form); 148 | const jsonObject = {}; 149 | postForm.forEach((value, key) => jsonObject[key] = value); 150 | const jsonData = JSON.stringify(jsonObject); 151 | console.log(jsonObject) 152 | var postURL = apiBase + apiEndpoint; 153 | console.log(postURL) 154 | 
155 | const rawResponse = await fetch(postURL,{ 156 | method: 'POST', 157 | headers: { 158 | 'Accept': 'application/json', 159 | 'Content-Type': 'application/json' 160 | }, 161 | body: jsonData 162 | }); 163 | const content = await rawResponse.json(); 164 | console.log(content); 165 | if (content['return'] === 0){ 166 | console.log('OKAY') 167 | getJSONData('users','jsonDataContents') 168 | } 169 | else{ 170 | msg = "ERROR: " + content['error']; 171 | notify(msg,'error') 172 | console.log(msg) 173 | } 174 | 175 | // Submit form data using Fetch API 176 | // try { 177 | // const response = await 178 | // const response = await fetch(postForm.action, { 179 | // method: postForm.method, 180 | // body: jsonData, 181 | // headers: { 182 | // 'Content-Type': 'application/json' 183 | // } 184 | // }); 185 | // const data = await response.json(); 186 | // console.log(data); // Handle response data 187 | // } catch (error) { 188 | // } 189 | 190 | console.log(jsonData) 191 | } -------------------------------------------------------------------------------- /app/static/js/custom.js: -------------------------------------------------------------------------------- 1 | function fadeNotification(id) { 2 | var notification = document.getElementById(id); 3 | if (notification){ 4 | setTimeout( 5 | function() { 6 | notification.classList.add('transition-opacity', 'duration-1000', 'ease-out'); 7 | notification.classList.add('opacity-0', 'hidden'); 8 | }, 4000); 9 | } 10 | } 11 | 12 | function notify(message,alertType="success",notifyId="notification"){ 13 | // remove old notification before posting a new one 14 | var alertsDiv = document.getElementById(notifyId) 15 | if (alertsDiv){ 16 | alertsDiv.remove() 17 | } 18 | // create alerts div 19 | var alertDiv = document.getElementById('alerts'); 20 | alertDiv.className = "flex flex-col items-end w-full fixed top-20"; 21 | alertDiv.id = "alerts" 22 | // create notify div 23 | var notifyDiv = document.createElement("div"); 24 | 
notifyDiv.id = notifyId 25 | // define base classes 26 | var notifyBaseClasses = "ring-2 hover:opacity-100 transition-opacity duration-200 opacity-80 w-11/12\ 27 | flex p-2 m-4 mt-0 rounded-lg lg:w-1/3 md:w-1/2 "; 28 | // define colors 29 | var notifyRed = "ring-red-800 dark:ring-red-400 hover:bg-red-800 hover:text-sky-100\ 30 | dark:hover:bg-red-400 dark:hover-text-sky-100 bg-red-50 dark:bg-gray-800\ 31 | dark:text-red-400 text-red-800"; 32 | var notifyGreen="ring-green-800 dark:ring-green-400 hover:bg-green-800 hover:text-sky-100\ 33 | dark:hover:bg-green-400 dark:hover-text-sky-100 bg-green-50 dark:bg-gray-800\ 34 | dark:text-green-400 text-green-800"; 35 | var notifyBlue="ring-blue-800 dark:ring-blue-400 hover:bg-blue-800 hover:text-sky-100\ 36 | dark:hover:bg-blue-400 dark:hover-text-sky-100 bg-blue-50 dark:bg-gray-800\ 37 | dark:text-blue-400 text-blue-800"; 38 | // set role to alert 39 | notifyDiv.role = "alert"; 40 | // set info SVG 41 | var infoSVG = "\ 45 | Info"; 46 | var notifyClasses = notifyBaseClasses; 47 | switch(alertType){ 48 | case "error": 49 | notifyClasses += notifyRed; 50 | case "success": 51 | notifyClasses += notifyGreen; 52 | case "info": 53 | notifyClasses += notifyBlue; 54 | default: 55 | notifyClasses += notifyGreen; 56 | } 57 | notifyDiv.classList = notifyClasses; 58 | var notifyMsg = document.createElement("div"); 59 | notifyMsg.ClassList = "opacity-100 ml-3 text-sm font-medium"; 60 | if (alertType === "info"){ 61 | notifyMsg.innerHTML = infoSVG; 62 | } 63 | notifyMsg.innerHTML += message; 64 | 65 | // start building 66 | alertDiv.appendChild(notifyDiv); 67 | notifyDiv.appendChild(notifyMsg); 68 | 69 | // add auto fade script 70 | var autoFade = document.createElement("script");; 71 | autoFade.innerHTML = "fadeNotification('"+notifyId+"')"; 72 | alertDiv.appendChild(autoFade); 73 | } 74 | 75 | let formClass = "w-screen-lg mb-4"; 76 | 77 | let labelClass = "block mt-4 mb-1 text-sm font-medium text-gray-900 dark:text-white"; 78 | 79 | 
let formFieldClass = "text-sm border block p-2.5 w-full rounded-lg\ 80 | border-gray-300 dark:border-gray-600 focus:border-primary-500 dark:focus:border-primary-500\ 81 | focus:ring-primary-500 dark:focus:ring-primary-500 dark:placeholder-gray-400"; 82 | 83 | let submitClass = "lg:col-span-2 inline-flex items-center px-5 text-sm font-medium text-center\ 84 | text-white bg-blue-800 rounded-lg focus:ring-4 focus:ring-primary-200\ 85 | dark:focus:ring-primary-900 hover:bg-primary-800 mt-2 px-5 py-2.5"; 86 | 87 | let enabledClass = " bg-gray-50 dark:bg-gray-700 dark:text-white text-gray-900"; 88 | 89 | let disabledClass = " bg-slate-500 text-black"; 90 | 91 | let origin = window.location.origin; 92 | 93 | let apiBase = origin + "/api/"; 94 | 95 | let forms = []; 96 | 97 | function createInput(value,data,inputType="text"){ 98 | var elementTag = "input"; 99 | var elementType = inputType; 100 | var elementDisable = false; 101 | if(value.includes("email")){ 102 | elementTag = "input"; 103 | elementType = "email"; 104 | elementDisable=false; 105 | } 106 | else if(value.includes("groups") || value.includes("display")){ 107 | elementTag = "input"; 108 | elementType="text"; 109 | elementDisable=false; 110 | } 111 | else if(value.includes("user") || value.includes("id")){ 112 | elementTag = "input"; 113 | elementType="text"; 114 | elementDisable=true; 115 | } 116 | 117 | var element = document.createElement(elementTag); 118 | element.name = value; 119 | element.className = formFieldClass; 120 | element.readOnly=elementDisable; 121 | 122 | if (elementDisable){ 123 | element.className += disabledClass; 124 | } 125 | else{ 126 | element.className += enabledClass; 127 | } 128 | if(elementTag == "input"){ 129 | element.type = elementType; 130 | element.value = data; 131 | } 132 | else if(elementTag == "textarea"){ 133 | element.innerHTML = data; 134 | } 135 | 136 | 137 | return element; 138 | } 139 | 140 | 141 | 142 | async function apiGetData(baseID,parentID) { 143 | source = 
apiBase + baseID; 144 | const response = await fetch(source); 145 | const jsonData = await response.json(); 146 | console.log(source) 147 | console.log(response) 148 | console.log(jsonData) 149 | if(jsonData['Error'] === 'Invalid Request'){ 150 | var message = "Cannot retrieve data from "+source; 151 | notify(message,alertType="error",notifyId="getDataError"); 152 | } 153 | else{ 154 | parent = document.getElementById(parentID) 155 | parent.innerHTML = ""; 156 | for (let index in jsonData){ 157 | var div = document.createElement("div"); 158 | divID = baseID+"-"+index+"-container"; 159 | div.id=divID; 160 | div.className=formClass; 161 | parent.appendChild(div); 162 | var form = document.createElement("form"); 163 | formID = baseID+"-"+index; 164 | form.name=formID; 165 | form.id=formID; 166 | form.className = formClass; 167 | div.appendChild(form); 168 | var elements = {}; 169 | var textareaExists = false; 170 | var loopIndex = 1; 171 | for (let value in jsonData[index]){ 172 | elements['id'] = createInput('id',index) 173 | if (value.includes("hash")){ 174 | } 175 | else if(value.includes("note")){ 176 | textareaExists = true; 177 | textareaID = "note"; 178 | var textarea = document.createElement("textarea"); 179 | textarea.id = textareaID; 180 | textarea.name = textareaID; 181 | textarea.cols = "2"; 182 | textarea.className = formFieldClass + enabledClass; 183 | textarea.innerHTML = jsonData[index][value]; 184 | } 185 | else{ 186 | elements[value] = createInput(value,jsonData[index][value]); 187 | } 188 | } 189 | for(let element in elements){ 190 | if (elements[element].type !== 'hidden'){ 191 | var label = document.createElement("label"); 192 | label.for = element; 193 | label.className = labelClass; 194 | label.innerHTML = element; 195 | form.appendChild(label); 196 | } 197 | form.appendChild(elements[element]); 198 | } 199 | if (textareaExists){ 200 | var label = document.createElement("label"); 201 | label.for = textareaID; 202 | label.className = labelClass; 
203 | label.innerHTML = textareaID; 204 | form.appendChild(label); 205 | form.appendChild(textarea); 206 | } 207 | var submit = document.createElement("button"); 208 | submitID = baseID+"-"+index+"-submit"; 209 | submit.id = submitID; 210 | submit.innerHTML = "Save"; 211 | submit.className = submitClass; 212 | submit.type="button"; 213 | submit.setAttribute("onclick","apiPostData(document.querySelector('#"+formID+"'),'"+baseID+"')"); 214 | form.appendChild(submit); 215 | forms.push(formID); 216 | } 217 | notify("Successfully retrieved data from API",alertType="success",notifyId="dataRefreshed") 218 | } 219 | } 220 | 221 | 222 | 223 | async function apiPostData(form,apiEndpoint) { 224 | console.log(form) 225 | // Convert form data to JSON format 226 | const postForm = new FormData(form); 227 | const jsonObject = {}; 228 | postForm.forEach((value, key) => jsonObject[key] = value); 229 | const jsonData = JSON.stringify(jsonObject); 230 | console.log("JSON OBJECT: "+jsonObject) 231 | var postURL = apiBase + apiEndpoint; 232 | console.log(postURL) 233 | 234 | const rawResponse = await fetch(postURL,{ 235 | method: 'POST', 236 | headers: { 237 | 'Accept': 'application/json', 238 | 'Content-Type': 'application/json' 239 | }, 240 | body: jsonData 241 | }); 242 | const content = await rawResponse.json(); 243 | console.log(content); 244 | if (content['return'] === 0){ 245 | console.log('OKAY') 246 | notify("SUCCESS: "+apiEndpoint+" saved",alertType='success',notifyId="apiPost") 247 | apiGetData(apiEndpoint,'apiDataForms') 248 | } 249 | else{ 250 | msg = "ERROR: " + content['error']; 251 | notify(msg,alertType='error',notifyId="apiPost") 252 | console.log(msg) 253 | } 254 | console.dir(jsonData) 255 | } -------------------------------------------------------------------------------- /app/static/js/menu.js: -------------------------------------------------------------------------------- 1 | // set the target element that will be collapsed or expanded (eg. 
navbar menu) 2 | const $targetEl = document.getElementById('navbar-sticky'); 3 | 4 | // optionally set a trigger element (eg. a button, hamburger icon) 5 | const $triggerEl = document.getElementById('hamburger'); 6 | 7 | // optional options with default values and callback functions 8 | const options = { 9 | onCollapse: () => { 10 | console.log('element has been collapsed') 11 | }, 12 | onExpand: () => { 13 | console.log('element has been expanded') 14 | }, 15 | onToggle: () => { 16 | console.log('element has been toggled') 17 | } 18 | }; 19 | 20 | import { Collapse } from 'flowbite'; 21 | 22 | /* 23 | * $targetEl: required 24 | * $triggerEl: optional 25 | * options: optional 26 | */ 27 | const collapse = new Collapse($targetEl, $triggerEl, options); -------------------------------------------------------------------------------- /app/static/js/path.js: -------------------------------------------------------------------------------- 1 | function replaceSrc(element) { 2 | var path = window.location.pathname; 3 | var origin = window.location.origin; 4 | if (path.includes('ui')){ 5 | baseURL = origin + path.split('ui')[0]; 6 | } else if (!path.includes('api')) { 7 | baseURL = origin + path.split('api')[0]; 8 | } else { 9 | baseURL = origin + path; 10 | } 11 | imgPath = element.src; 12 | newImgPath = baseURL + imgPath; 13 | console.log(newImgPath); 14 | element.src = newImgPath; 15 | } 16 | 17 | function replaceAllImgSrc() { 18 | var path = window.location.pathname; 19 | if (path.includes('ui')){ 20 | path = path.split('/ui')[0] 21 | } 22 | else if (path.includes('api')){ 23 | path = path.split('/api')[0] 24 | } 25 | var origin = window.location.origin; 26 | var imgs = document.getElementsByTagName("img"); 27 | for (var i=0; i < imgs.length; i++) { 28 | imgSrc = imgs[i].src 29 | console.log(imgSrc) 30 | if (!imgSrc.includes(path)) { 31 | console.log('Adding origin to ' + imgSrc) 32 | oldSrc = "/static/img" 33 | console.log('oldSrc: ' + oldSrc) 34 | newSrc = path + 
oldSrc 35 | console.log('newSrc: ' + newSrc) 36 | imgSrc = imgSrc.replace('/static/img',newSrc) 37 | imgs[i].src = imgSrc 38 | console.log(imgs[i]) 39 | } 40 | } 41 | } 42 | 43 | replaceAllImgSrc(); -------------------------------------------------------------------------------- /app/static/site.webmanifest: -------------------------------------------------------------------------------- 1 | {"name":"","short_name":"","icons":[{"src":"/android-chrome-192x192.png","sizes":"192x192","type":"image/png"},{"src":"/android-chrome-512x512.png","sizes":"512x512","type":"image/png"}],"theme_color":"#ffffff","background_color":"#ffffff","display":"standalone"} -------------------------------------------------------------------------------- /app/static/users_database-live.yml: -------------------------------------------------------------------------------- 1 | users: 2 | myuser: 3 | disabled: false 4 | displayname: My User 5 | email: myuser@example.com 6 | groups: 7 | - admins 8 | - dev 9 | password: $argon2id$v=19$m=4096,t=3,p=1$c2FsdEl0V2l0aFNhbHQ$bpQfn8cG8LB6jy5G4MCa1oJD1eBHErwRWlDJVkog0Y4 10 | -------------------------------------------------------------------------------- /app/templates/apidocs.html: -------------------------------------------------------------------------------- 1 | {% extends "home.html" %} 2 | 3 | {% block content %} 4 | 5 |
6 |
7 |
8 | 9 | 10 | 11 | 14 | 17 | 18 | 19 | 20 | {% for api in apidocs %} 21 | {% for url in apidocs[api] %} 22 | 23 | 26 | 29 | 30 | {% endfor %} 31 | {% endfor %} 32 | 33 |
12 | endpoint 13 | 15 | Description 16 |
24 |
{{url}}
25 |
27 | {{apidocs[api][url]}} 28 |
34 |
35 |
36 |
37 | 38 | {% endblock %} 39 | 40 | -------------------------------------------------------------------------------- /app/templates/config_file.html: -------------------------------------------------------------------------------- 1 | {% extends "home.html" %} 2 | 3 | {% if data == "configuration" %} 4 | {% set ftype = "config" %} 5 | {% elif data == "users_database" %} 6 | {% set ftype = "users" %} 7 | {% endif %} 8 | 9 | {% block content %} 10 |
11 | 12 | {% if format|upper == "JSON" %} 13 |

Current {{data}}: JSON YAML

14 | {% elif format|upper == "YAML" %} 15 |

Current {{data}}: YAML JSON

16 | {% endif %} 17 |
{{Data}}
18 |
19 | {% endblock %} 20 | -------------------------------------------------------------------------------- /app/templates/home.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | authelia-manager 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
21 | 97 | 126 |
127 | 128 | 129 | 130 | 131 |
132 | 133 |
134 | {% with messages = get_flashed_messages() %} 135 | {% if messages %} 136 | {% for message in messages %} 137 | 138 | 148 | {% endfor %} 149 | {% endif %} 150 | {% endwith %} 151 |
152 | 153 | {% block content %} 154 | {% endblock %} 155 |
156 | 157 | 158 | 159 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | -------------------------------------------------------------------------------- /app/templates/login-form.html: -------------------------------------------------------------------------------- 1 | {% extends "home.html" %} 2 | 3 | {% block content %} 4 |
5 |
6 |
7 | 8 |
9 |

10 | Sign in to your account 11 |

12 |
13 |
14 | 15 | 16 |
17 |
18 | 19 | 20 |
21 |
22 |
23 |
24 | 25 |
26 |
27 | 28 |
29 |
30 | Forgot password? 31 |
32 | 33 |

34 | Don’t have an account yet? Sign up 35 |

36 |
37 |
38 |
39 |
40 |
41 | 42 | {% endblock %} 43 | -------------------------------------------------------------------------------- /app/templates/main-config.html: -------------------------------------------------------------------------------- 1 | {% extends "home.html" %} 2 | 3 | {% block content %} 4 | 5 | 6 | 7 | {% endblock %} -------------------------------------------------------------------------------- /app/templates/markdown.html: -------------------------------------------------------------------------------- 1 | {% extends "home.html" %} 2 | 3 | {% block content %} 4 |
5 | {{markdown|safe}} 6 |
7 | {% endblock %} 8 | -------------------------------------------------------------------------------- /app/templates/test: -------------------------------------------------------------------------------- 1 | "
" -------------------------------------------------------------------------------- /app/templates/textbody.html: -------------------------------------------------------------------------------- 1 | {% extends "home.html" %} 2 | 3 | {% block content %} 4 |
5 | {{textbody}} 6 |
7 | {% endblock %} -------------------------------------------------------------------------------- /app/templates/ui-config.html: -------------------------------------------------------------------------------- 1 | {% extends "home.html" %} 2 | {% block content %} 3 |
4 | 5 |
6 |
7 |

Edit configuration.yaml

8 |

 Each accordion represents a section of the configuration.yaml file. Sane defaults will be listed in each field if the value is not yet set.

9 |

Click save on each section after editing.

10 |
11 |
12 | 13 |
14 | 15 |

16 | 20 |

21 | 22 | 23 | 92 | 93 |
94 | 95 | 96 | 97 |
98 | 99 |

100 | 104 |

105 | 106 | 133 | 134 |
135 | 136 | 137 | 138 |
139 | 140 |

141 | 145 |

146 | 200 | 201 |
202 | 203 | 204 | 205 | 206 |
207 | 208 |

209 | 213 |

214 | 247 | 333 | 334 |
335 | 336 | 337 | 338 | 341 | 342 |
343 | {% endblock %} -------------------------------------------------------------------------------- /app/templates/ui-edit.html: -------------------------------------------------------------------------------- 1 | {% extends "home.html" %} 2 | 3 | {% block content %} 4 |
5 |
6 |
7 |

Edit {{data}}

8 |

 To edit a {{data}}, make changes and click `Save`.

9 |

To refresh data, click `Refresh Data`.

10 |
11 |
12 | 13 | 14 |
15 |
16 |
17 |
18 | {% endblock %} -------------------------------------------------------------------------------- /app/templates/ui-home.html: -------------------------------------------------------------------------------- 1 | {% extends "home.html" %} 2 | 3 | {% block content %} 4 |
5 |
6 |
7 |

{{intro['header']}}

8 | {% for item in intro['body'] %} 9 | {% if 'button' in item %} 10 | 11 | {{ intro['body'][item]['text'] }} 12 | {% if 'true' in intro['body'][item]['focus'] %} 13 | 14 | {% endif %} 15 | 16 | {% else %} 17 |

{{ intro['body'][item] }}

18 | {% endif %} 19 | {% endfor %} 20 |
21 | {% for item in intro['image'] %} 22 | 32 |
33 |
34 | 35 |
36 |
37 | {% for item in intro2['image'] %} 38 | 47 | {% endfor %} 48 |
49 |

{{intro2['header']}}

50 | {% for item in intro2['body'] %} 51 | {% if 'button' in item %} 52 | 53 | {{ intro2['body'][item]['text'] }} 54 | {% if 'true' in intro2['body'][item]['focus'] %} 55 | 56 | {% endif %} 57 | 58 | {% else %} 59 |

{{ intro2['body'][item] }}

60 | {% endif %} 61 | {% endfor %} 62 |
63 |
64 |
65 | 66 | {% endblock %} 67 | -------------------------------------------------------------------------------- /app/templates/ui-main.html: -------------------------------------------------------------------------------- 1 | {% extends "home.html" %} 2 | 3 | {% block content %} 4 |
5 | 6 |
7 | 8 |
9 |

Descriptive Title

10 |

by Admin

11 |
12 |
13 |

Descriptive Subtitle

14 |

{{ lipsum(2) }}

15 |

{{ lipsum(2) }}

16 |
17 |
18 | 19 | 20 | 21 |
22 |
23 |

Another Descriptive Title

24 |

by Admin

25 |
26 |
27 | 28 |

{{ lipsum(2) }}

29 |

{{ lipsum(2) }}

30 |
31 |
32 |
33 | {% endblock %} -------------------------------------------------------------------------------- /authelia-manager.py: -------------------------------------------------------------------------------- 1 | from app import app -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | authelia-manager: 4 | image: beardedtek/authelia-manager:demo 5 | container_name: authelia-manager-demo 6 | ports: 7 | - 9999:5000 8 | restart: unless-stopped -------------------------------------------------------------------------------- /docs/images/ui_login-screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/docs/images/ui_login-screenshot.png -------------------------------------------------------------------------------- /docs/images/ui_main-screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/BeardedTek-com/authelia-manager/66f187300b1b23a883a242671e05219fe31ccbbb/docs/images/ui_main-screenshot.png -------------------------------------------------------------------------------- /entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | apt-update -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | passlib 2 | argon2-cffi 3 | flask 4 | flask_sqlalchemy 5 | flask-login 6 | uwsgi 7 | markdown 8 | PyYAML -------------------------------------------------------------------------------- /run.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 
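# run.sh — local (non-Docker) launcher for Authelia-Manager.
# Creates a virtualenv in ./.venv on first run, installs requirements.txt once
# (tracked by the .pip marker file), then starts uWSGI serving the Flask app
# exported by authelia-manager.py.
#
# NOTE(review): uWSGI is bound to 0.0.0.0:5000, i.e. every interface on the
# host. This is the admin UI for the Authelia user database, so when it runs
# outside the container (docker-compose.yml publishes 9999:5000) prefer a
# loopback bind behind a reverse proxy, or publish as 127.0.0.1:9999:5000.
# NOTE(review): uwsgi.ini in this repo sets `wsgi-file = uwsgi.py` and a
# hard-coded static-map under /home/localadmin/..., while this script passes
# authelia-manager.py explicitly — confirm which entry module is intended.

RED=$'\033[0;31m'
LRED=$'\033[1;31m'
CYAN=$'\033[0;36m'
NC=$'\033[0m' # No Color
LABEL="${LRED}[ ${RED}Authelia-Manager ${LRED}]${CYAN}"

if [ ! -d "./.venv" ]; then
    echo "${LABEL} Creating Python Virtual Environment${NC}"
    python3 -m venv .venv
else
    echo "${LABEL} Python Virtual Environment Exists at .venv${NC}"
fi

echo "${LABEL} Activating Python Virtual Environment${NC}"
source .venv/bin/activate

# Install requirements only when the .pip marker is absent, and test the
# install's own exit status. The previous `[ ! -f .pip ] && ... ; if [ "$?" == 0 ]`
# form reported a *failed* install as "already installed" and went on to start
# the server without its dependencies.
if [ ! -f '.pip' ]; then
    echo "${LABEL} Installing Python Requirements${NC}"
    if python -m pip install -r requirements.txt; then
        echo "${LABEL} Creating .pip to bypass installing Python Requirements next time${NC}"
        touch .pip
    else
        echo "${LABEL} Installing Python Requirements failed${NC}" >&2
        exit 1
    fi
else
    echo "${LABEL} Python Requirements already installed. Skipping.${NC}"
fi

echo "${LABEL} Starting UWSGI Web Server${NC}"
# 4 worker processes; uWSGI runs them as uid/gid 1000 (--uid/--gid).
uwsgi --http 0.0.0.0:5000 --wsgi-file authelia-manager.py --callable app --workers 4 --uid 1000 --gid 1000
-------------------------------------------------------------------------------- /uwsgi.ini: -------------------------------------------------------------------------------- 1 | [uwsgi] 2 | wsgi-file = uwsgi.py 3 | callable = app 4 | uid = 1000 5 | gid = 1000 6 | single-interpreter = true 7 | enable-threads = true 8 | master = true 9 | 10 | static-map = /static=/home/localadmin/github/authelia-manager/app/static 11 | static-expires = /* 7776000 12 | offload-threads = %k 13 | --------------------------------------------------------------------------------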