Merge pull request 'Authelia | client-secrets hashen' (#3) from dev-authelia_hashed_client_secrets into main

Reviewed-on: #3

roles/authelia-for-dokuwiki/tasks/main.json

@@ -1,4 +1,12 @@
 [
+	{
+		"name": "configuration | compute client secret hash",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_dokuwiki_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_dokuwiki_client_secret_hashed"
+	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-dokuwiki/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_dokuwiki_client_id}}",
-	"client_secret": "{{var_authelia_for_dokuwiki_client_secret}}",
+	"client_secret": "{{temp_authelia_for_dokuwiki_client_secret_hashed.stdout}}",
 	"client_name": "DokuWiki",
 	"public": false,
 	"authorization_policy": "one_factor",

roles/authelia-for-forgejo/tasks/main.json

@@ -1,4 +1,12 @@
 [
+	{
+		"name": "configuration | compute client secret hash",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_forgejo_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_forgejo_client_secret_hashed"
+	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-forgejo/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_forgejo_client_id}}",
-	"client_secret": "{{var_authelia_for_forgejo_client_secret}}",
+	"client_secret": "{{temp_authelia_for_forgejo_client_secret_hashed.stdout}}",
 	"client_name": "Forgejo",
 	"public": false,
 	"authorization_policy": "one_factor",

roles/authelia-for-gitlab/tasks/main.json

@@ -1,4 +1,12 @@
 [
+	{
+		"name": "configuration | compute client secret hash",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_gitlab_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_gitlab_client_secret_hashed"
+	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-gitlab/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_gitlab_client_id}}",
-	"client_secret": "{{var_authelia_for_gitlab_client_secret}}",
+	"client_secret": "{{temp_authelia_for_gitlab_client_secret_hashed.stdout}}",
 	"client_name": "GitLab",
 	"public": false,
 	"authorization_policy": "one_factor",

roles/authelia-for-hedgedoc/tasks/main.json

@@ -1,4 +1,12 @@
 [
+	{
+		"name": "configuration | compute client secret hash",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_hedgedoc_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_hedgedoc_client_secret_hashed"
+	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-hedgedoc/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_hedgedoc_client_id}}",
-	"client_secret": "{{var_authelia_for_hedgedoc_client_secret}}",
+	"client_secret": "{{temp_authelia_for_hedgedoc_client_secret_hashed.stdout}}",
 	"client_name": "Hedgedoc",
 	"public": false,
 	"authorization_policy": "one_factor",

roles/authelia-for-owncloud/defaults/main.json

@@ -4,5 +4,7 @@
 	"var_authelia_for_owncloud_android_client_id": "owncloud_android",
 	"var_authelia_for_owncloud_android_client_secret": "REPLACE_ME",
 	"var_authelia_for_owncloud_ios_client_id": "owncloud_ios",
-	"var_authelia_for_owncloud_ios_client_secret": "REPLACE_ME"
+	"var_authelia_for_owncloud_ios_client_secret": "REPLACE_ME",
+	"var_authelia_for_owncloud_desktop_client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
+	"var_authelia_for_owncloud_desktop_client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh"
 }

roles/authelia-for-owncloud/tasks/main.json

@@ -1,4 +1,36 @@
 [
+	{
+		"name": "configuration | compute client secret hash | web",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_web_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_owncloud_web_client_secret_hashed"
+	},
+	{
+		"name": "configuration | compute client secret hash | android",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_android_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_owncloud_android_client_secret_hashed"
+	},
+	{
+		"name": "configuration | compute client secret hash | ios",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_ios_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_owncloud_ios_client_secret_hashed"
+	},
+	{
+		"name": "configuration | compute client secret hash | desktop",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_owncloud_desktop_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_owncloud_desktop_client_secret_hashed"
+	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-owncloud/templates/authelia-client-conf-android.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_owncloud_android_client_id}}",
-	"client_secret": "{{var_authelia_for_owncloud_android_client_secret}}",
+	"client_secret": "{{temp_authelia_for_owncloud_android_client_secret_hashed.stdout}}",
 	"client_name": "ownCloud | Android Client",
 	"authorization_policy": "one_factor",
 	"scopes": [

roles/authelia-for-owncloud/templates/authelia-client-conf-desktop.json.j2

@@ -1,6 +1,6 @@
 {
-	"client_id": "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69",
+	"client_id": "{{var_authelia_for_owncloud_desktop_client_id}}",
-	"client_secret": "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh",
+	"client_secret": "{{temp_authelia_for_owncloud_desktop_client_secret_hashed.stdout}}",
 	"client_name": "ownCloud | Desktop Client",
 	"authorization_policy": "one_factor",
 	"scopes": [

roles/authelia-for-owncloud/templates/authelia-client-conf-ios.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_owncloud_ios_client_id}}",
-	"client_secret": "{{var_authelia_for_owncloud_ios_client_secret}}",
+	"client_secret": "{{temp_authelia_for_owncloud_ios_client_secret_hashed.stdout}}",
 	"client_name": "ownCloud | iOS Client",
 	"authorization_policy": "one_factor",
 	"scopes": [

roles/authelia-for-owncloud/vardef.json

@@ -13,13 +13,21 @@
 	},
 	"android_client_secret": {
 		"type": "string",
-		"mandatory": false
+		"mandatory": true
 	},
 	"ios_client_id": {
 		"type": "string",
 		"mandatory": false
 	},
 	"ios_client_secret": {
+		"type": "string",
+		"mandatory": true
+	},
+	"dektop_client_id": {
+		"type": "string",
+		"mandatory": false
+	},
+	"desktop_client_secret": {
 		"type": "string",
 		"mandatory": false
 	}

roles/authelia-for-synapse/tasks/main.json

@@ -1,4 +1,12 @@
 [
+	{
+		"name": "configuration | compute client secret hash",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_synapse_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_synapse_client_secret_hashed"
+	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-synapse/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_synapse_client_id}}",
-	"client_secret": "{{var_authelia_for_synapse_client_secret}}",
+	"client_secret": "{{temp_authelia_for_synapse_client_secret_hashed.stdout}}",
 	"client_name": "Synapse",
 	"public": false,
 	"authorization_policy": "one_factor",

roles/authelia-for-vikunja/tasks/main.json

@@ -1,4 +1,12 @@
 [
+	{
+		"name": "configuration | compute client secret hash",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_vikunja_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_vikunja_client_secret_hashed"
+	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-vikunja/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_vikunja_client_id}}",
-	"client_secret": "{{var_authelia_for_vikunja_client_secret}}",
+	"client_secret": "{{temp_authelia_for_vikunja_client_secret_hashed.stdout}}",
 	"client_name": "Vikunja",
 	"public": false,
 	"authorization_policy": "one_factor",

roles/authelia-for-wiki_js/tasks/main.json

@@ -1,4 +1,12 @@
 [
+	{
+		"name": "configuration | compute client secret hash",
+		"become": true,
+		"ansible.builtin.shell": {
+			"cmd": "authelia crypto hash generate bcrypt --password {{var_authelia_for_wiki_js_client_secret}} | cut --delimiter=' ' --fields='2-'"
+		},
+		"register": "temp_authelia_for_wiki_js_client_secret_hashed"
+	},
 	{
 		"name": "configuration | emplace",
 		"become": true,

roles/authelia-for-wiki_js/templates/authelia-client-conf.json.j2

@@ -1,6 +1,6 @@
 {
 	"client_id": "{{var_authelia_for_wiki_js_client_id}}",
-	"client_secret": "{{var_authelia_for_wiki_js_client_secret}}",
+	"client_secret": "{{temp_authelia_for_wiki_js_client_secret_hashed.stdout}}",
 	"client_name": "Wiki.js",
 	"public": false,
 	"authorization_policy": "one_factor",