root: rework and expand security policy
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
e22fce02f8
commit
147ebf1a5e
|
@ -17,24 +17,24 @@ diverse, inclusive, and healthy community.
|
||||||
Examples of behavior that contributes to a positive environment for our
|
Examples of behavior that contributes to a positive environment for our
|
||||||
community include:
|
community include:
|
||||||
|
|
||||||
* Demonstrating empathy and kindness toward other people
|
- Demonstrating empathy and kindness toward other people
|
||||||
* Being respectful of differing opinions, viewpoints, and experiences
|
- Being respectful of differing opinions, viewpoints, and experiences
|
||||||
* Giving and gracefully accepting constructive feedback
|
- Giving and gracefully accepting constructive feedback
|
||||||
* Accepting responsibility and apologizing to those affected by our mistakes,
|
- Accepting responsibility and apologizing to those affected by our mistakes,
|
||||||
and learning from the experience
|
and learning from the experience
|
||||||
* Focusing on what is best not just for us as individuals, but for the
|
- Focusing on what is best not just for us as individuals, but for the
|
||||||
overall community
|
overall community
|
||||||
|
|
||||||
Examples of unacceptable behavior include:
|
Examples of unacceptable behavior include:
|
||||||
|
|
||||||
* The use of sexualized language or imagery, and sexual attention or
|
- The use of sexualized language or imagery, and sexual attention or
|
||||||
advances of any kind
|
advances of any kind
|
||||||
* Trolling, insulting or derogatory comments, and personal or political attacks
|
- Trolling, insulting or derogatory comments, and personal or political attacks
|
||||||
* Public or private harassment
|
- Public or private harassment
|
||||||
* Publishing others' private information, such as a physical or email
|
- Publishing others' private information, such as a physical or email
|
||||||
address, without their explicit permission
|
address, without their explicit permission
|
||||||
* Other conduct which could reasonably be considered inappropriate in a
|
- Other conduct which could reasonably be considered inappropriate in a
|
||||||
professional setting
|
professional setting
|
||||||
|
|
||||||
## Enforcement Responsibilities
|
## Enforcement Responsibilities
|
||||||
|
|
||||||
|
@ -106,7 +106,7 @@ Violating these terms may lead to a permanent ban.
|
||||||
### 4. Permanent Ban
|
### 4. Permanent Ban
|
||||||
|
|
||||||
**Community Impact**: Demonstrating a pattern of violation of community
|
**Community Impact**: Demonstrating a pattern of violation of community
|
||||||
standards, including sustained inappropriate behavior, harassment of an
|
standards, including sustained inappropriate behavior, harassment of an
|
||||||
individual, or aggression toward or disparagement of classes of individuals.
|
individual, or aggression toward or disparagement of classes of individuals.
|
||||||
|
|
||||||
**Consequence**: A permanent ban from any sort of public interaction within
|
**Consequence**: A permanent ban from any sort of public interaction within
|
||||||
|
|
|
@ -11,19 +11,22 @@ The following is a set of guidelines for contributing to authentik and its compo
|
||||||
[I don't want to read this whole thing, I just have a question!!!](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)
|
[I don't want to read this whole thing, I just have a question!!!](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)
|
||||||
|
|
||||||
[What should I know before I get started?](#what-should-i-know-before-i-get-started)
|
[What should I know before I get started?](#what-should-i-know-before-i-get-started)
|
||||||
* [The components](#the-components)
|
|
||||||
* [authentik's structure](#authentiks-structure)
|
- [The components](#the-components)
|
||||||
|
- [authentik's structure](#authentiks-structure)
|
||||||
|
|
||||||
[How Can I Contribute?](#how-can-i-contribute)
|
[How Can I Contribute?](#how-can-i-contribute)
|
||||||
* [Reporting Bugs](#reporting-bugs)
|
|
||||||
* [Suggesting Enhancements](#suggesting-enhancements)
|
- [Reporting Bugs](#reporting-bugs)
|
||||||
* [Your First Code Contribution](#your-first-code-contribution)
|
- [Suggesting Enhancements](#suggesting-enhancements)
|
||||||
* [Pull Requests](#pull-requests)
|
- [Your First Code Contribution](#your-first-code-contribution)
|
||||||
|
- [Pull Requests](#pull-requests)
|
||||||
|
|
||||||
[Styleguides](#styleguides)
|
[Styleguides](#styleguides)
|
||||||
* [Git Commit Messages](#git-commit-messages)
|
|
||||||
* [Python Styleguide](#python-styleguide)
|
- [Git Commit Messages](#git-commit-messages)
|
||||||
* [Documentation Styleguide](#documentation-styleguide)
|
- [Python Styleguide](#python-styleguide)
|
||||||
|
- [Documentation Styleguide](#documentation-styleguide)
|
||||||
|
|
||||||
## Code of Conduct
|
## Code of Conduct
|
||||||
|
|
||||||
|
@ -39,11 +42,11 @@ Either [create a question on GitHub](https://github.com/goauthentik/authentik/is
|
||||||
|
|
||||||
authentik consists of a few larger components:
|
authentik consists of a few larger components:
|
||||||
|
|
||||||
- *authentik* the actual application server, is described below.
|
- _authentik_ the actual application server, is described below.
|
||||||
- *outpost-proxy* is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying.
|
- _outpost-proxy_ is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying.
|
||||||
- *outpost-ldap* is a Go LDAP server that uses the *authentik* application server as its backend
|
- _outpost-ldap_ is a Go LDAP server that uses the _authentik_ application server as its backend
|
||||||
- *web* is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library.
|
- _web_ is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library.
|
||||||
- *website* is the Website/documentation, which uses docusaurus.
|
- _website_ is the Website/documentation, which uses docusaurus.
|
||||||
|
|
||||||
### authentik's structure
|
### authentik's structure
|
||||||
|
|
||||||
|
@ -137,10 +140,10 @@ This is documented in the [developer docs](https://goauthentik.io/developer-docs
|
||||||
|
|
||||||
The process described here has several goals:
|
The process described here has several goals:
|
||||||
|
|
||||||
- Maintain authentik's quality
|
- Maintain authentik's quality
|
||||||
- Fix problems that are important to users
|
- Fix problems that are important to users
|
||||||
- Engage the community in working toward the best possible authentik
|
- Engage the community in working toward the best possible authentik
|
||||||
- Enable a sustainable system for authentik's maintainers to review contributions
|
- Enable a sustainable system for authentik's maintainers to review contributions
|
||||||
|
|
||||||
Please follow these steps to have your contribution considered by the maintainers:
|
Please follow these steps to have your contribution considered by the maintainers:
|
||||||
|
|
||||||
|
@ -154,10 +157,10 @@ While the prerequisites above must be satisfied prior to having your pull reques
|
||||||
|
|
||||||
### Git Commit Messages
|
### Git Commit Messages
|
||||||
|
|
||||||
* Use the format of `<package>: <verb> <description>`
|
- Use the format of `<package>: <verb> <description>`
|
||||||
- See [here](#authentik-packages) for `package`
|
- See [here](#authentik-packages) for `package`
|
||||||
- Example: `providers/saml2: fix parsing of requests`
|
- Example: `providers/saml2: fix parsing of requests`
|
||||||
* Reference issues and pull requests liberally after the first line
|
- Reference issues and pull requests liberally after the first line
|
||||||
|
|
||||||
### Python Styleguide
|
### Python Styleguide
|
||||||
|
|
||||||
|
@ -165,11 +168,11 @@ All Python code is linted with [black](https://black.readthedocs.io/en/stable/),
|
||||||
|
|
||||||
authentik runs on Python 3.9 at the time of writing this.
|
authentik runs on Python 3.9 at the time of writing this.
|
||||||
|
|
||||||
* Use native type-annotations wherever possible.
|
- Use native type-annotations wherever possible.
|
||||||
* Add meaningful docstrings when possible.
|
- Add meaningful docstrings when possible.
|
||||||
* Ensure any database migrations work properly from the last stable version (this is checked via CI)
|
- Ensure any database migrations work properly from the last stable version (this is checked via CI)
|
||||||
* If your code changes central functions, make sure nothing else is broken.
|
- If your code changes central functions, make sure nothing else is broken.
|
||||||
|
|
||||||
### Documentation Styleguide
|
### Documentation Styleguide
|
||||||
|
|
||||||
* Use [MDX](https://mdxjs.com/) whenever appropriate.
|
- Use [MDX](https://mdxjs.com/) whenever appropriate.
|
||||||
|
|
|
@ -25,10 +25,10 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
|
||||||
|
|
||||||
## Screenshots
|
## Screenshots
|
||||||
|
|
||||||
Light | Dark
|
| Light | Dark |
|
||||||
--- | ---
|
| ------------------------------------------------------ | ----------------------------------------------------- |
|
||||||
![](https://goauthentik.io/img/screen_apps_light.jpg) | ![](https://goauthentik.io/img/screen_apps_dark.jpg)
|
| ![](https://goauthentik.io/img/screen_apps_light.jpg) | ![](https://goauthentik.io/img/screen_apps_dark.jpg) |
|
||||||
![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg)
|
| ![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg) |
|
||||||
|
|
||||||
## Development
|
## Development
|
||||||
|
|
||||||
|
|
38
SECURITY.md
38
SECURITY.md
|
@ -1,17 +1,43 @@
|
||||||
# Security Policy
|
Authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version.
|
||||||
|
|
||||||
## Supported Versions
|
## Supported Versions
|
||||||
|
|
||||||
(.x being the latest patch release for each version)
|
(.x being the latest patch release for each version)
|
||||||
|
|
||||||
| Version | Supported |
|
| Version | Supported |
|
||||||
| ---------- | ------------------ |
|
| --------- | ------------------ |
|
||||||
| 2022.10.x | :white_check_mark: |
|
| 2022.10.x | :white_check_mark: |
|
||||||
| 2022.11.x | :white_check_mark: |
|
| 2022.11.x | :white_check_mark: |
|
||||||
|
|
||||||
## Reporting a Vulnerability
|
## Reporting a Vulnerability
|
||||||
|
|
||||||
To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io)
|
To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the bug.
|
||||||
|
|
||||||
|
## Criticality levels
|
||||||
|
|
||||||
|
### High
|
||||||
|
|
||||||
|
- Authorization bypass
|
||||||
|
- Circumvention of policies
|
||||||
|
|
||||||
|
### Moderate
|
||||||
|
|
||||||
|
- Denial-of-Service attacks
|
||||||
|
|
||||||
|
### Low
|
||||||
|
|
||||||
|
- Unvalidated redirects
|
||||||
|
- Issues requiring uncommon setups
|
||||||
|
|
||||||
|
## Disclosure process
|
||||||
|
|
||||||
|
1. Issue is reported via Email as listed above.
|
||||||
|
2. The authentik Security team will try to reproduce the issue and ask for more information if required.
|
||||||
|
3. A criticality level is assigned.
|
||||||
|
4. A fix is created, and if possible tested by the issue reporter.
|
||||||
|
5. The fix is backported to other supported versions, and if possible a workaround for other versions is created.
|
||||||
|
6. An announcement is sent out with a fixed release date and criticality level of the issue. The announcement will be sent at least 24 hours before the release of the fix
|
||||||
|
7. The fixed version is released for the supported versions.
|
||||||
|
|
||||||
## Getting security notifications
|
## Getting security notifications
|
||||||
|
|
||||||
|
|
5
website/docs/security/policy.mdx
Normal file
5
website/docs/security/policy.mdx
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
# Security Policy
|
||||||
|
|
||||||
|
import SecurityPolicy from "../../../SECURITY.md";
|
||||||
|
|
||||||
|
<SecurityPolicy />
|
|
@ -282,5 +282,15 @@ module.exports = {
|
||||||
"troubleshooting/missing_admin_group",
|
"troubleshooting/missing_admin_group",
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
type: "category",
|
||||||
|
label: "Security",
|
||||||
|
link: {
|
||||||
|
type: "generated-index",
|
||||||
|
title: "Security",
|
||||||
|
slug: "security",
|
||||||
|
},
|
||||||
|
items: ["security/policy"],
|
||||||
|
},
|
||||||
],
|
],
|
||||||
};
|
};
|
||||||
|
|
Reference in a new issue