Commit Graph

497 Commits

Author SHA1 Message Date
Eric Chiang
74f5eaf47e connector/ldap: support the StartTLS flow for secure connections
When connecting to an LDAP server, there are three ways to connect:

1. Insecurely through port 389 (LDAP).
2. Securely through port 696 (LDAPS).
3. Insecurely through port 389 then negotiate TLS (StartTLS).

This PR adds support for the 3rd flow, letting dex connect to the
standard LDAP port then negotiating TLS through the LDAP protocol
itself.

See a writeup here:

http://www.openldap.org/faq/data/cache/185.html
2017-04-12 15:25:42 -07:00
rithu leena john
9b0af83604 Merge pull request #905 from rithujohn191/error-msg
server/rotation.go: avoid displaying the "keys already rotated" error
2017-04-11 14:17:22 -07:00
Eric Chiang
3d7b1477e7 Merge pull request #903 from ericchiang/ldap-groups-on-user
connector/ldap: fix case where groups are listed on the user entity
2017-04-11 14:06:42 -07:00
rithu john
dd1e901dd9 server/rotation.go: avoid displaying the "keys already rotated" error 2017-04-11 10:48:08 -07:00
Eric Chiang
c3cafc8f39 Merge pull request #902 from ericchiang/saml-stable
*: promote SAML to stable
2017-04-11 10:13:22 -07:00
Eric Chiang
5f377f07d4 *: promote SAML to stable
This means we no longer refer to it as "experimental" and wont make
breaking changes.
2017-04-11 10:09:48 -07:00
rithu leena john
d4274eb0ff Merge pull request #901 from rithujohn191/github-api
connector/github: add support for github enterprise.
2017-04-11 10:09:23 -07:00
rithu leena john
43ad9cc37c Merge pull request #904 from ericchiang/add-gitlab-to-readme
*: add GitLab connector to README
2017-04-11 10:06:28 -07:00
rithu john
76b9eb1db9 connector/github: add support for github enterprise. 2017-04-11 10:04:59 -07:00
Eric Chiang
cf089025ae *: add GitLab connector to README 2017-04-11 10:04:48 -07:00
Eric Chiang
97813ff4fc connector/ldap: fix case where groups are listed on the user entity
Support schemas that determine membership by having fields on the
user entity, instead of listing users on a groups entity. E.g. the
following schema is now supported when it wasn't previously:

    cn=eric,cn=user,dn=exapmle,dn=com
    objectClass=myPerson
    cn: eric
    uid: eric
    email: eric@example.com
    memberOf: foo
    memberOf: bar

    cn=foo,cn=group,dn=exapmle,dn=com
    objectClass=myGroup
    cn: foo

    cn=bar,cn=group,dn=exapmle,dn=com
    objectClass=myGroup
    cn: bar
2017-04-11 09:48:48 -07:00
Eric Chiang
7395f05e95 Merge pull request #900 from ericchiang/ldap-tests
connector/ldap: add LDAP integration tests
2017-04-10 16:48:40 -07:00
Eric Chiang
b8ba59d7f6 *: run LDAP tests in travis 2017-04-10 15:33:07 -07:00
Eric Chiang
0ac11d93e6 connector/ldap/testdata: add LDAP schema files 2017-04-10 15:33:07 -07:00
Eric Chiang
4a93b55c8b connector/ldap: add LDAP integration tests 2017-04-10 15:33:07 -07:00
Eric Chiang
943253fece Merge pull request #898 from ericchiang/saml-cleanup
connector/saml: clean up SAML verification logic and comments
2017-04-07 14:22:22 -07:00
Eric Chiang
362e0798a4 connector/saml: clean up SAML verification logic and comments 2017-04-07 14:13:05 -07:00
Eric Chiang
258ec4ff4b Merge pull request #897 from Calpicow/issuer_typo
Fix entityIssuer -> ssoIssuer typo
2017-04-06 14:57:33 -07:00
Phu Kieu
bd754e2b2d Fix entityIssuer -> ssoIssuer typo 2017-04-06 14:50:44 -07:00
Eric Chiang
53acaa9e7c Merge pull request #896 from Calpicow/audience_validate_fix
Validate audience with entityIssuer if present, use redirectURI otherwise
2017-04-06 14:47:05 -07:00
Phu Kieu
47897f73fa Validate audience with entityIssuer if present, use redirectURI otherwise 2017-04-06 14:40:56 -07:00
Eric Chiang
40f0265ab4 Merge pull request #885 from Calpicow/saml_issuer_fix
Add ssoIssuer to fix Response issuer checking
2017-04-06 11:19:47 -07:00
Phu Kieu
8c0eb67ecd Update documentation 2017-04-06 11:06:30 -07:00
Phu Kieu
217b5ca2c7 Add ssoIssuer to fix Response issuer checking
Rename issuer to entityIssuer
2017-04-06 11:05:49 -07:00
Eric Chiang
207d20777b Merge pull request #893 from ericchiang/fix-saml-validation
connector/saml: fix validation bug with multiple Assertion elements
2017-04-04 11:18:12 -07:00
Eric Chiang
a97cffcd52 connector/saml: refactor tests and add self-signed responses
Introduces SAML tests which execute full response processing and
compare user attributes. tesdata now includes a full, self-signed
CA and documents signed using xmlsec1.

Adds deprication notices to existing tests, but don't remove them
since they still provide coverage.
2017-04-04 11:11:35 -07:00
Eric Chiang
e0709dc2ac connector/saml: fix validation bug with multiple Assertion elements
When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.

For example this:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <Signature>
          <!-- Correrctly signed assertion -->
        </Signature>
      </Assertion>

      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>
    </Response>

could be verified then re-ordered to the following:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>

      <Assertion>
        <!-- Canonicalized, correrctly signed assertion -->
      </Assertion>
    </Response>

Fix this by removing all unverified child elements of the Response,
not just the original assertion.
2017-04-04 11:11:35 -07:00
Lucas Servén
a7d443ea2b Merge pull request #891 from squat/garbage_log_info
server/server.go: make successful garbage collection log at info level
2017-04-04 10:14:43 -07:00
Lucas Serven
f3d9bd5008
server/server.go: make successful garbage collection log at info level 2017-04-04 09:47:53 -07:00
rithu leena john
f4865a354c Merge pull request #886 from rithujohn191/error-msg-update
storage/static.go: correct the error message that gets displayed.
2017-03-29 11:54:00 -07:00
rithu john
5abb4b3df6 storage/static.go: correct the error message that gets displayed. 2017-03-29 11:32:02 -07:00
Eric Chiang
5eb8210eb4 Merge pull request #883 from ericchiang/scopes-docs
Documentation: document dex scopes, claims, and client features
2017-03-28 21:26:01 -07:00
Eric Chiang
8902ddc061 Merge pull request #881 from ericchiang/api-test-use-client
server: use client connected to remove server for gRPC tests
2017-03-28 21:25:55 -07:00
Eric Chiang
5e34f0d1a6 Documentation: document dex scopes, claims, and client features 2017-03-28 16:53:06 -07:00
Eric Chiang
f734b140cd server: use client connected to remove server for gRPC tests 2017-03-28 16:41:39 -07:00
rithu leena john
42c1eed231 Merge pull request #880 from rithujohn191/connector-object
storage: add connector object to backend storage.
2017-03-28 14:31:08 -07:00
rithu john
bc55b86d0d storage: add connector object to backend storage. 2017-03-28 14:12:38 -07:00
Eric Chiang
6e50c18458 Merge pull request #875 from ericchiang/fix-example-app-custom-ca
cmd/example-app: fix custom CA behavior
2017-03-24 13:21:20 -07:00
Eric Chiang
9b0e9ab2ca cmd/example-app: fix custom CA behavior 2017-03-24 11:53:28 -07:00
Eric Chiang
2a6ae0a6ea Merge pull request #870 from Calpicow/fix_assertion_fallback
Fix assertion fallback
2017-03-24 11:34:30 -07:00
Phu Kieu
6f9ef961bb Use etreeutils.NSSelectOne to select Assertion element 2017-03-24 11:20:53 -07:00
Phu Kieu
4b457d8c82 vendor: revendor 2017-03-24 11:03:30 -07:00
Phu Kieu
b5f70dac36 glide.yaml: update goxmldsig 2017-03-24 11:02:55 -07:00
rithu leena john
5d49e18478 Merge pull request #873 from rithujohn191/client-example
examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap.
2017-03-23 17:24:11 -07:00
rithu john
562eae3fc7 examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap. 2017-03-23 16:57:23 -07:00
rithu leena john
6146e23396 Merge pull request #872 from rithujohn191/offline-access-error
connector: Connectors without a RefreshConnector should not error out
2017-03-23 16:11:45 -07:00
rithu john
59502850f0 connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring 2017-03-23 14:56:34 -07:00
Eric Chiang
b112aa2ecd Merge pull request #869 from ericchiang/saml-response-to
*: validate InResponseTo SAML response field and make issuer optional
2017-03-22 13:04:41 -07:00
Eric Chiang
50b223a9db *: validate InResponseTo SAML response field and make issuer optional 2017-03-22 13:02:44 -07:00
Eric Chiang
8b2956ddbc Merge pull request #867 from ericchiang/xml-validation
glide.yaml: update goxmldsig
2017-03-21 10:27:04 -07:00