Add authelia dev deployment (#479)

* Add authelia dev deployment

.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
-        with: { go-version: '1.19', cache: true }
+        with: { go-version: '1.19' }
       - run: |
           mkdir -p ui/dist/img
           touch ui/dist/index.html ui/dist/favicon.ico ui/dist/manifest.json ui/dist/img/fake.png
@@ -33,7 +33,7 @@ jobs:
       - run: |
           mkdir -p ui/dist/img
           touch ui/dist/index.html ui/dist/favicon.ico ui/dist/manifest.json ui/dist/img/fake.png
-      - run: docker compose -f docker-compose-with-keycloak.yml up --quiet-pull --detach
+      - run: docker compose up --quiet-pull --detach
         working-directory: dev
       - name: Install ArangoDB
         run: |
@@ -49,7 +49,7 @@ jobs:
     strategy:
       matrix:
         test: [ tickets, templates, playbooks ]
-        auth: [ keycloak ] # simple
+        auth: [ authelia ]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -64,17 +64,12 @@ jobs:
         working-directory: ui
       - run: curl --head -X GET --retry 60 --retry-connrefused --retry-delay 10 http://localhost:8080
       # run containers
-      - run: | 
+      - run: sed -i 's/host.docker.internal/172.17.0.1/g' dev/nginx.conf
-          sed -i 's/host.docker.internal/172.17.0.1/g' dev/nginx.conf
-          sed -i 's/host.docker.internal/172.17.0.1/g' dev/nginx-with-keycloak.conf
       - run: docker compose up --quiet-pull --detach
         working-directory: dev
-        if: matrix.auth == 'simple'
+        if: matrix.auth == 'authelia'
-      - run: docker compose -f docker-compose-with-keycloak.yml up --quiet-pull --detach
+      - run: curl --head -X GET --retry 60 --retry-connrefused --retry-delay 10 http://localhost:8082
-        working-directory: dev
+        if: matrix.auth == 'authelia'
-        if: matrix.auth == 'keycloak'
-      - run: curl --head -X GET --retry 60 --retry-connrefused --retry-delay 10 http://localhost:9002/auth/realms/catalyst
-        if: matrix.auth == 'keycloak'
       # run catalyst
       - run: |
           mkdir -p ui/dist/img
@@ -82,10 +77,7 @@ jobs:
       - run: go mod download
       - run: bash start_dev.sh &
         working-directory: dev
-        if: matrix.auth == 'simple'
+        if: matrix.auth == 'authelia'
-      - run: bash start_dev_with_keycloak.sh &
-        working-directory: dev
-        if: matrix.auth == 'keycloak'
       - run: curl --head -X GET --retry 60 --retry-connrefused --retry-delay 10 http://localhost:8000
       # run cypress
       - uses: cypress-io/github-action@v4
@@ -95,12 +87,6 @@ jobs:
         with:
           browser: chrome
           working-directory: ui
-      - uses: actions/upload-artifact@v3
-        if: always() && matrix.auth == 'simple'
-        with:
-          name: cypress-videos
-          path: ui/cypress/videos
-          retention-days: 1
 
   build-npm:
     name: Build npm

dev/authelia/configuration.yml

@@ -0,0 +1,42 @@
+---
+server:
+  host: 0.0.0.0
+  port: 8082
+default_redirection_url: "http://localhost/auth/callback"
+
+log:
+  format: text
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+
+access_control:
+  default_policy: one_factor
+
+session:
+  domain: localhost
+
+storage:
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  filesystem:
+    filename: /config/notification.txt
+
+identity_providers:
+  oidc:
+    cors:
+      # allowed_origins_from_client_redirect_uris: true
+      allowed_origins: [ "*" ]
+    clients:
+      - id: "catalyst"
+        description: API
+        secret: "secret"
+        public: false
+        authorization_policy: one_factor
+        scopes: [ openid, email, profile ]
+        redirect_uris:
+          - "http://localhost/auth/callback"
+        userinfo_signing_algorithm: none

dev/authelia/private.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKQIBAAKCAgEA0OYfHDBvLOMQHjGb2bZGZh6j+nfWihAVWAycCR5ZOGwaRQuW
+Z0iFzkDlsj0ENG65H5DkRB1mu93LXi7yzLs7Iu4mNQDtLH2EPN1HzgmwxIevL+Ud
+6H6wCZQrZxp9bah/BKjChfURDK7gmUzY0F/sbi1upI4uVuwUrMsYroKBS4R4crHm
+mqH1ACY8pih/d/4tpsGTs0ruLkFd5dGh/Vopcx7U4iPBxTL8SvkcUQ3TYqTjcKaV
+Zb8DoiKaGmVRUFEqYtiBPykC0MNRDK8DZTuIbwZPQM0c3OWCGm2JPR6qQfgCacyY
+JirsuN9gCMxXVCjLcaxCgWiftvhnr9YpdOYkX4ROY9qo4JNGN6Pd8Q5qX5GvSwa9
+fdtMn0shCyv2MRgSq2SfZ5+DT3eUUrDQkNQoHOxxR9VPdYcPFDNLgAbydwnrlqwZ
+X9rnaKuoRaJ6N4rOgJoaUR3LVXs8QrIGcJx9VRplm2NuElsDMm7fkAEEs2y/yAeW
+qjkVnwITCKB9qoMSjpj8KpjHYdXWZqdTJWNLdKLK3iH/2lpp71utobSNLjdojifN
+wmdQNzdVwAg56R7+YDDyCPEBsPO89s8b2E8SuYF2A9KRTD5Usd3k5aaMkaLrf4bu
+igpW7MBWwE9HQjMSgX8HxHsBDl/TGhK/c/GsTBN9UlUD1MFi9yn5PmtL+lcCAwEA
+AQKCAgBfm+NDOJu5lJbs6tGk3DruRDnSygRkHiZWrTbBKaW2ICwJy9rjnJq5IpS+
+dhS1lrOd0efXkQlTFJkemyg/MbZIL21HNwxWH4BlhvV1RJQl7t/scNW2cj1JtQoE
+X2hmxwaTcFXPj7Fk96kOINDe1fhVGPAZ2oU0/UodJ7s9K7fXg2LJQ8kCnvuOPPHn
+LoPgvHHSb6iVF8dZXkuGguK8HQb5jHPsqGboRYSZH9io9EX6UPNTvLqF3d3g2Ctl
+x1dnBi77HJJTAQcr2yj+QB+ytoOkJOQjCX2bUGOyis2ULrPIC6W3HI/KcDz2BC5k
++HlDqIQsm6W4qtTmnlx+auuAeFDOnr2lpPt4hVlyq3jkkSUqrcYs9NBsPdXz+80K
++NzRnv9EytHsliZJd4hUxwyh6y0BEo9QqgrpjlTFxYmRTGzZUu9qtcSCcVg9saZy
+vvJxFuzs5zDBqL44pMbNF/NB6fDYgkDEUOdAO6QVl6lPc3sYJcyQ0JNR2cWwlCq7
+EaamUJwTcCzUIT1ych/lYzVXqFF12urPavrqsaMbFHOQIRC9mjMgnm/eHZXB744e
+nhe7YFL94fxvMD+Ekr+3tVFskVfYYUwuQnUOCwxprnZXQxSAiABhbANBg4LOzBqP
+0yWSK7yrvjC0ktnt3q9NRtY8zRrZypric++zbhLddGdxydVCGQKCAQEA83f2WnZd
+UdbP2XhDoY/hYoVm48mgn81neElxxwalom39BJ4meHGAeDq6XDOZtRn2tiiAh+HJ
+JHU7twtHlHttkSjqP0a7zVCHbIostJZRLZRa1bAlu9hjynuHmMu3/7AcNJhYV1gH
+cJTFo4w4EkFUT3zcuMrJpkWbJ+syDNa+x22Vx/YR0Wk7PPVE32lXzOYx4KYk8R8g
+B7PvePJW3wPaWSC5sgPzmbpnbHTEP8pRN9N173IFF0S00wwV5Pea3ltOB5R2ALkZ
+pkTo/ck5xmcEwEk8DZsybe/uE/gyBoSRhOEqCbgxb/qkq/guYaHo7lvjGRjhgF16
+3orwBStzjZCjNQKCAQEA26anyawLGKgIix2eQAXO7GxPmQToWdp5JGZr9u7bnGrp
+Q5qJBe4gx26WgDa17zonAD9YgE7Fv5WV/zjqiI06wNSDostz6OayUsn5tttFWlVv
+QlBWBspQu8alhCq4OgxMfhxXEGQtWrqc3TlJMebEsiTlrqP7bnvpGwADVGuhUyQ7
+t+L9oQ8SBgcJ+gGOc0P3GDPGni36itqxYNO/e1edkQAsdQh5TEsTsT1uNxPXOvv9
+PMK0QhP/jECBjjQ8MAuMnYalQl0y8WqqQPgGKUHlx20Aydy9IBUTWpG2t0Gxcike
+WncXomBJSEXppp8uNiz5gqKqyq4ODFZa14FlbZ5s2wKCAQEA6zmdxGzTYHxgOEXf
+Ybq3EQ6+B5oIHBzBuQ+MY7PiV3pYmBuMI5XVf1OONgKMoNJC8F9VPvM/+H9jgEff
+km9lvnd/Sj82tvj0vkMJSjhomdbZo9cZvdElKL4Mle1NCjXGKnJ993VPStAR2x9g
+FRMVN+70+XzDMmfRrdGoe4sGq3sO2TC+qko3N3/oWMlYUNiem+MpkeR2d7q6xWmt
+0K3SSYY6ouj6dC4KOljeOptnuL4PFZZdoMt6wOTOSneHIwmn697d23j6dQ/i4z+F
+GFDz4CthX+vv3xOOO7Dx9CYkyfMZQGa7LOtGKfgQJ7fcal5QnTDSvciTK2uk1fnT
+HJT/eQKCAQABbl2Lf9Z2q6malm/QhPkrKy19lr2Y0EaXyR8M9dNyenPYn+oiosGN
+6xeJ8FFRJLTaWI9QDrNVIzld91X328u1M+1Do0W3D8G7rls1KMqT4xidev6Efs71
+2j571PdsUWYyMCcVEUIGZE7fVh829wTzEDB66dCakK4dIevjoevkKclF0nHKmdmJ
+NoSHH3l5IMk8XCIAJ9aJDxG2ysplmFWLe0/O12ZK6/ZN4lOUgkmVtcyZl78q6wxw
+Mn9lmMuHmJuq7xSmkQri7cn8MGGB5U8E9J3bstd8nQaKQYbKPOBWGRR8jGgYA76W
+fPYfwsu/SJ27jynDtkybIfjnjI1HoI+fAoIBAQCMrcRGmksweAgFs/fq24pYxV/K
+oF98txTINrV7MJQamDfpzqlCML9Vo8WFk56BRGj9NqOU+kgvi3aTfRhN5kSeE6y/
+Kb/u89dVYhKpzr2zAy9/msup8yPKD9sT/c7S3DJRlNp5DXy48MSntz0+k710SaYe
+1GXOwfch8WwkkVpgWY/08WRuNbRbD7Jmkqjz/PtcirkewljpWn+05kUSqAgEyBfy
+kCahABRtdH0FAMQjzqb5kS/g0K4BEje9ie81wvtd3r2b89WSgBDFCno/Oq8hKEC0
+DP828OmbLWSiRvnYCcKxVaWnDvsgFTALySB89dQpTGEWFoHC1XbNJgnwg/9l
+-----END RSA PRIVATE KEY-----

dev/authelia/users_database.yml

@@ -0,0 +1,13 @@
+users:
+  alice:
+    displayname: Alice
+    password: "$argon2id$v=19$m=65536,t=3,p=4$S3hTSS90U1QycjNEWURZTw$aJP1fI/byC/3A7NCz5lyrXR7NS+l+1YMnqj5qFopZRk"
+    email: alice@example.com
+  bob:
+    displayname: "Bob"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$amxRcURFVUk4TlhPOXFmWg$sPRsvGg9rrqefRp0fFA7wQG3O8OcMnQhj4IckHYPEz8"
+    email: bob@example.com
+  admin:
+    displayname: "Admin"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$SFBXa1BXblNZKytoZ1ZLYQ$JruWROu9opYmcPNw1cIiHms4k4466DqrKIPvJe94nfA"
+    email: admin@example.com

dev/docker-compose-with-keycloak.yml

@@ -1,52 +0,0 @@
-version: '2.4'
-services:
-  nginx:
-    image: nginx:1.23
-    volumes:
-      - ./nginx-with-keycloak.conf:/etc/nginx/nginx.conf:ro
-    ports: [ "80:80", "8529:8529", "9000:9000", "9002:9002", "9003:9003" ]
-    networks: [ catalyst ]
-
-  arangodb:
-    image: arangodb/arangodb:3.8.1
-    environment:
-      ARANGO_ROOT_PASSWORD: foobar
-    networks: [ catalyst ]
-
-  minio:
-    image: minio/minio:RELEASE.2021-12-10T23-03-39Z
-    environment:
-      MINIO_ROOT_USER: minio
-      MINIO_ROOT_PASSWORD: minio123
-    command: server /data -console-address ":9003"
-    networks: [ catalyst ]
-
-  postgres:
-    image: postgres:13
-    environment:
-      POSTGRES_DB: keycloak
-      POSTGRES_USER: keycloak
-      POSTGRES_PASSWORD: password
-    networks: [ catalyst ]
-
-  keycloak:
-    image: quay.io/keycloak/keycloak:14.0.0
-    environment:
-      DB_VENDOR: POSTGRES
-      DB_ADDR: postgres
-      DB_DATABASE: keycloak
-      DB_USER: keycloak
-      DB_SCHEMA: public
-      DB_PASSWORD: password
-      KEYCLOAK_USER: admin
-      KEYCLOAK_PASSWORD: admin
-      KEYCLOAK_IMPORT: /tmp/realm.json
-      PROXY_ADDRESS_FORWARDING: "true"
-    volumes:
-      - ./keycloak/realm.json:/tmp/realm.json
-    depends_on: [ postgres ]
-    networks: [ catalyst ]
-
-networks:
-  catalyst:
-    name: catalyst

dev/docker-compose.yml

@@ -4,7 +4,7 @@ services:
     image: nginx:1.23
     volumes:
       - ./nginx.conf:/etc/nginx/nginx.conf:ro
-    ports: [ "80:80", "8529:8529", "9000:9000", "9003:9003" ]
+    ports: [ "80:80", "8529:8529", "9000:9000", "8082:8082", "9003:9003" ]
     networks: [ catalyst ]
 
   arangodb:
@@ -21,6 +21,20 @@ services:
     command: server /data -console-address ":9003"
     networks: [ catalyst ]
 
+  authelia:
+    image: authelia/authelia:4
+    environment:
+      AUTHELIA_JWT_SECRET: "AUTHELIA_JWT_SECRET"
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: "/config/private.pem"
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: "AUTHELIA_HMAC_SECRET"
+      AUTHELIA_STORAGE_ENCRYPTION_KEY: "AUTHELIA_STORAGE_ENCRYPTION_KEY"
+      AUTHELIA_SESSION_SECRET: "AUTHELIA_SESSION_SECRET"
+    volumes:
+      - ./authelia/configuration.yml:/config/configuration.yml
+      - ./authelia/users_database.yml:/config/users_database.yml
+      - ./authelia/private.pem:/config/private.pem
+    networks: [ catalyst ]
+
 networks:
   catalyst:
     name: catalyst

dev/nginx-with-keycloak.conf

@@ -1,112 +0,0 @@
-user                www-data;
-worker_processes    5;
-error_log           /var/log/nginx/error.log;
-
-events {
-  worker_connections  4096;
-}
-
-http {
-  include  mime.types;
-  index    index.html index.htm;
-
-  log_format   main '$remote_addr - $remote_user [$time_local]  $status '
-    '"$request" $body_bytes_sent "$http_referer" '
-    '"$http_user_agent" "$http_x_forwarded_for"';
-  access_log   /var/log/nginx/access.log main;
-
-  server {
-    listen       80 default_server;
-    server_name _;
-
-    location / {
-      resolver        127.0.0.11 valid=30s;
-      set             $upstream_catalyst host.docker.internal;
-      proxy_pass      http://$upstream_catalyst:8000;
-    }
-
-    location /wss {
-      resolver        127.0.0.11 valid=30s;
-      set             $upstream_catalyst host.docker.internal;
-      proxy_pass      http://$upstream_catalyst:8000;
-
-      proxy_http_version 1.1;
-      proxy_set_header Upgrade $http_upgrade;
-      proxy_set_header Connection "upgrade";
-      proxy_read_timeout 86400;
-    }
-  }
-
-  server {
-    listen       8529 default_server;
-    server_name _;
-
-    location / {
-      resolver        127.0.0.11 valid=30s;
-      set             $upstream_arangodb arangodb;
-      proxy_pass      http://$upstream_arangodb:8529;
-    }
-  }
-
-  server {
-    listen       9000 default_server;
-    server_name _;
-
-    location / {
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $scheme;
-      proxy_set_header Host $http_host;
-
-      proxy_connect_timeout 300;
-      # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
-      proxy_http_version 1.1;
-      proxy_set_header Connection "";
-      chunked_transfer_encoding off;
-
-      resolver        127.0.0.11 valid=30s;
-      set             $upstream_minio minio;
-      proxy_pass      http://$upstream_minio:9000;
-    }
-  }
-
-  server {
-    listen       9002 default_server;
-    server_name _;
-
-    location / {
-      resolver        127.0.0.11 valid=30s;
-      set             $upstream_keycloak keycloak;
-      proxy_pass      http://$upstream_keycloak:8080;
-      proxy_set_header Host               $host;
-      proxy_set_header X-Real-IP          $remote_addr;
-      proxy_set_header X-Forwarded-Proto  $scheme;
-      proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Port   $server_port;
-      proxy_set_header X-Forwarded-Host   $host;
-      proxy_set_header X-Forwarded-Server $host;
-    }
-  }
-
-  server {
-    listen       9003 default_server;
-    server_name _;
-
-    location / {
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $scheme;
-      proxy_set_header Host $http_host;
-
-      proxy_connect_timeout 300;
-      # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
-      proxy_http_version 1.1;
-      proxy_set_header Connection "";
-      chunked_transfer_encoding off;
-
-      resolver        127.0.0.11 valid=30s;
-      set             $upstream_minio minio;
-      proxy_pass      http://$upstream_minio:9003;
-    }
-  }
-}

dev/nginx.conf

@@ -70,6 +70,29 @@ http {
     }
   }
 
+  server {
+    listen       8082 default_server;
+    server_name _;
+
+    location / {
+      resolver              127.0.0.11 valid=30s;
+      set                   $upstream_authelia authelia;
+      proxy_pass            http://$upstream_authelia:8082;
+      proxy_set_header      Host $host;
+      proxy_set_header      X-Real-IP $remote_addr;
+      proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header      X-Forwarded-Proto $scheme;
+      proxy_set_header      X-Forwarded-Host $http_host;
+      proxy_set_header      X-Forwarded-Uri $request_uri;
+      proxy_set_header      X-Forwarded-Ssl on;
+      proxy_http_version    1.1;
+      proxy_set_header      Connection "";
+      proxy_cache_bypass    $cookie_session;
+      proxy_no_cache        $cookie_session;
+      proxy_buffers         64 256k;
+    }
+  }
+
   server {
     listen       9003 default_server;
     server_name _;

dev/start_dev.sh

@@ -1,8 +1,12 @@
+#!/bin/bash
+set -e
+
 export SECRET=4ef5b29539b70233dd40c02a1799d25079595565e05a193b09da2c3e60ada1cd
 
-# export OIDC_ENABLE=true
+export SIMPLE_AUTH_ENABLE=false
-export OIDC_ISSUER=http://localhost:9002/auth/realms/catalyst
+export OIDC_ENABLE=true
-export OIDC_CLIENT_SECRET=d3ec0d91-b6ea-482d-8a4e-2f5a7ca0b4cb
+export OIDC_ISSUER=http://localhost:8082
+export OIDC_CLIENT_SECRET=secret
 
 export ARANGO_DB_HOST=http://localhost:8529
 export ARANGO_DB_PASSWORD=foobar

dev/start_dev_with_keycloak.sh

@@ -1,20 +0,0 @@
-export SECRET=4ef5b29539b70233dd40c02a1799d25079595565e05a193b09da2c3e60ada1cd
-
-export SIMPLE_AUTH_ENABLE=false
-export OIDC_ENABLE=true
-export OIDC_ISSUER=http://localhost:9002/auth/realms/catalyst
-export OIDC_CLIENT_SECRET=d3ec0d91-b6ea-482d-8a4e-2f5a7ca0b4cb
-
-export ARANGO_DB_HOST=http://localhost:8529
-export ARANGO_DB_PASSWORD=foobar
-export S3_HOST=http://localhost:9000
-export S3_PASSWORD=minio123
-
-export AUTH_BLOCK_NEW=false
-export AUTH_DEFAULT_ROLES=analyst,admin
-
-export EXTERNAL_ADDRESS=http://localhost
-export CATALYST_ADDRESS=http://host.docker.internal
-export INITIAL_API_KEY=d0169af94c40981eb4452a42fae536b6caa9be3a
-
-go run ../cmd/catalyst-dev/*.go

server.go

@@ -2,6 +2,7 @@ package catalyst
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"time"
 
@@ -46,36 +47,36 @@ func New(hooks *hooks.Hooks, config *Config) (*Server, error) {
 
 	catalystStorage, err := storage.New(config.Storage)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to create storage: %w", err)
 	}
 
 	catalystIndex, err := index.New(config.IndexPath)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to create index: %w", err)
 	}
 
 	catalystBus := bus.New()
 
 	catalystDatabase, err := database.New(ctx, catalystIndex, catalystBus, hooks, config.DB)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to create database: %w", err)
 	}
 
 	busservice.New(config.InternalAddress+"/api", config.Auth.InitialAPIKey, config.Network, catalystBus, catalystDatabase)
 
 	catalystService, err := service.New(catalystBus, catalystDatabase, catalystStorage, GetVersion())
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to create service: %w", err)
 	}
 
 	authenticator, err := maut.NewAuthenticator(ctx, config.Auth, newCatalystResolver(catalystDatabase))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to create authenticator: %w", err)
 	}
 
 	apiServer, err := setupAPI(authenticator, catalystService, catalystStorage, catalystDatabase, config.DB, catalystBus, config)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to create api server: %w", err)
 	}
 
 	return &Server{
@@ -132,7 +133,6 @@ func fileServer(authenticator *maut.Authenticator, catalystDatabase *database.Da
 
 func backupServer(authenticator *maut.Authenticator, catalystStorage *storage.Storage, catalystDatabase *database.Database, dbConfig *database.Config) *chi.Mux {
 	server := chi.NewRouter()
-	// TODO: add test
 	server.With(authenticator.AuthorizePermission("backup:create")).Get("/create", backupHandler(catalystStorage, dbConfig))
 	server.With(authenticator.AuthorizePermission("backup:restore")).Post("/restore", restoreHandler(catalystStorage, catalystDatabase, dbConfig))
 

test/test.go

@@ -50,7 +50,7 @@ func Config(ctx context.Context) (*catalyst.Config, error) {
 			SimpleAuthEnable: true,
 			APIKeyAuthEnable: true,
 			OIDCAuthEnable:   true,
-			OIDCIssuer:       "http://localhost:9002/auth/realms/catalyst",
+			OIDCIssuer:       "http://localhost:8082",
 			OAuth2: &oauth2.Config{
 				ClientID:     "catalyst",
 				ClientSecret: "13d4a081-7395-4f71-a911-bc098d8d3c45",

ui/cypress/support/e2e.js

@@ -24,5 +24,11 @@ Cypress.Commands.add('login', (options = {}) => {
         cy.get("#username").type("bob");
         cy.get("#password").type("bob");
         cy.get("#kc-login").click();
+    } else if (Cypress.env('AUTH') === 'authelia') {
+        cy.contains("Login with OIDC").should('be.visible').click();
+        cy.get("#username-textfield").should('be.visible').type("bob");
+        cy.get("#password-textfield").type("bob");
+        cy.get("#sign-in-button").click();
+        cy.get("#accept-button").should('be.visible').click();
     }
 })

ui/src/views/User.vue

@@ -61,7 +61,7 @@
         <v-text-field v-if="!user.apikey" label="New Password (leave empty to keep)" v-model="user.password" hide-details class="mb-4"></v-text-field>
         <v-checkbox v-if="!user.apikey" label="Blocked" v-model="user.blocked" hide-details class="mb-4"></v-checkbox>
 
-        <v-select multiple chips v-if="!user.apikey" label="Roles" v-model="user.roles" :items="$store.state.settings.roles"></v-select>
+        <v-select multiple chips v-if="!user.apikey" label="Roles" v-model="user.roles" :items="['analyst', 'engineer', 'admin']"></v-select>
         <div v-else>
           <v-chip v-for="role in user.roles" :key="role" class="mr-1 mb-1">{{ role }}</v-chip>
         </div>