Some OAuth providers return "thin tokens" which won't include all of the
claims requested. This simply adds an option which will make the oidc
connector use the userinfo endpoint to fetch all the claims.

- Update build container to golang:1.12.4-alpine
- Update dex image to alpine:3.9
- Run dex as non-root user
Signed-off-by: Stephen Augustus <saugustus@vmware.com>

Go 1.11.3 changed how checksums are created in some cases, which caused
failures building via modules. (ref golang/go#29278)
Update the checksums for the failing modules.
To catch this in the future, a modules build was added to the build matrix. I
also noted that we were pinning the `.0` patchlevel of each Go version, which
wouldn't have picked this up; updated it to build with the latest patch
release.

The filters for user and group searches hadn't been included in our LDAP
tests. Now they are.
The concrete test cases are somewhat contrived, but that shouldn't
matter too much. Also note that the example queries I've used are not
supported in AD: https://stackoverflow.com/a/10043452
Signed-off-by: Stephan Renatus <srenatus@chef.io>

For downstream apps, using a GitHub handle is much simpler than working
with numbers.
Whilst the number is stable and the handle is not, GitHub does give you
a big scary warning if you try and change it that bad things may happen
to you, and generally few users ever change it.
This can be enabled with a configuration option `useLoginAsId`.

Some environments are subject to strict rules about the permitted TLS
protocol version and available ciphers. Setting TLSv1.2 as the minimum
version ensures we do not use weaker protocols. We've opted against
making this configurable given the age of TLSv1.2 and the increasing
push to deprecate TLSv1.1 and older.
The PreferServerCipherSuites setting is also commonly flagged by SSL
quality scanning tools. Since Go provides a relatively modern set of
default ciphers by default, defaulting this to true is unlikely to
make much practical difference.
Signed-off-by: Steven Danna <steve@chef.io>