Commit Graph

2194 Commits

Author SHA1 Message Date
Stephen Augustus
c742b2a40a Update image versions
- golang:1.15.6-alpine3.12
- postgres:10.15
- gcr.io/etcd-development/etcd:v3.4.9

Signed-off-by: Stephen Augustus <saugustus@vmware.com>
2020-12-14 03:23:15 -05:00
Stephen Augustus
2b0f47306b README.md: Use maintainers list for reporting security issues
Signed-off-by: Stephen Augustus <saugustus@vmware.com>
2020-12-14 03:23:15 -05:00
Stephen Augustus
324b1c886b
Merge pull request from GHSA-m9hp-7r99-94h5
connector/saml: Validate XML roundtrip data before processing request
2020-12-14 03:21:11 -05:00
Stephen Augustus
6e5176822b
Merge pull request #1880 from dexidp/sr/remove-srenatus-from-maintainers
MAINTAINERS: drop @srenatus
2020-12-08 07:42:51 -05:00
Stephen Augustus
57640cc7a9 connector/saml: Validate XML roundtrip data before processing request
Signed-off-by: Stephen Augustus <saugustus@vmware.com>
2020-12-08 07:26:48 -05:00
Stephan Renatus
706c3bba68 MAINTAINERS: drop @srenatus
This reflects that I currently don't have time to contribute to this fine
project. It's been fun, thanks a lot to all the current and past maintainers!

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
2020-12-08 10:35:41 +01:00
Stephen Augustus
a136ab6969 go.mod: Update goxmldsig to v1.1.0
Signed-off-by: Stephen Augustus <saugustus@vmware.com>
2020-12-07 19:00:25 -05:00
Márk Sági-Kazár
845fb1e0f0
Merge pull request #1878 from pbalogh-sa/docs/fix-links
docs: fix broken links
2020-12-04 13:14:58 +01:00
Peter Balogh
64d7156d5f
docs: fix broken links
Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>
2020-12-04 08:57:30 +01:00
Márk Sági-Kazár
5a87bc5d59
Merge pull request #1874 from dexidp/add-codeql
Add CodeQL
2020-12-02 14:42:56 +01:00
Chris Aniszczyk
ac43200665
Add CodeQL
Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com>
2020-12-01 12:17:28 -08:00
Stephen Augustus
33e13c2aad
Fully automate dev setup with Gitpod (#1868)
* Fully automate dev setup with Gitpod

This commit implements a fully-automated development setup using Gitpod.io, an
online IDE for GitHub and GitLab that enables Dev-Environments-As-Code.
This makes it easy for anyone to get a ready-to-code workspace for any branch,
issue or pull request almost instantly with a single click.

Signed-off-by: justaugustus <foo@agst.us>
2020-11-20 01:00:16 +01:00
Márk Sági-Kazár
d97d6de88c
Merge pull request #1863 from faro-oss/feature/go-mod-dockerimage
Copy module dependencies to Docker image for CVE scanning / dependency analysis
2020-11-19 17:57:55 +01:00
Martin Heide
f7efe49e5e Copy module dependencies to Docker image for CVE scanning / dependency analysis
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-18 12:55:20 +00:00
Márk Sági-Kazár
6ca0cbc857
Merge pull request #1866 from pachyderm/actgardner/split-sqlite
Don't try to build sqlite storage when cgo isn't enabled
2020-11-18 10:41:23 +01:00
A Gardner
19d7edd530 Don't try to build sqlite when cgo isn't enabled
Signed-off-by: A Gardner <3100188+actgardner@users.noreply.github.com>
2020-11-17 17:48:40 -05:00
m.nabokikh
bcaddd4354 feat: Change default themes to light/dark
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-11-08 02:12:06 +04:00
Márk Sági-Kazár
71bbbee075
Merge pull request #1856 from dexidp/improve-docker-build
Improve docker build
2020-11-05 15:53:54 +01:00
Mark Sagi-Kazar
9b629b6568
Fix docker workflow name
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 15:35:31 +01:00
Mark Sagi-Kazar
0520465207
Separate docker job again
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 15:34:18 +01:00
Mark Sagi-Kazar
b580ffad70
Remove cache for now
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 15:30:17 +01:00
Mark Sagi-Kazar
4c86a5e7fe
Ignore files from docker context
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:46:32 +01:00
Mark Sagi-Kazar
85239d515d
Download dependencies in advance
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:26:39 +01:00
Mark Sagi-Kazar
10ac93d42b
Add docker layer caching
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:24:35 +01:00
Mark Sagi-Kazar
5cc8b562ec
Run build on ubuntu-latest
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:21:18 +01:00
Mark Sagi-Kazar
b9bc0b8b11
Remove unused workflow
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:12:16 +01:00
Mark Sagi-Kazar
b971415f0c
Improve Docker build
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 14:11:59 +01:00
Mark Sagi-Kazar
6500fdbdd1
Improve issue templates
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 11:44:16 +01:00
Mark Sagi-Kazar
d62f312402
Improve issue templates
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 11:37:58 +01:00
Mark Sagi-Kazar
fb282c3506
add documentation to contact links
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 11:36:38 +01:00
Mark Sagi-Kazar
1e14a33553
fix: missing frontmatter in issue templates
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 11:34:29 +01:00
Mark Sagi-Kazar
ef7e9e5c99
Fix issue template config
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-05 11:32:37 +01:00
Márk Sági-Kazár
170794725d
Merge pull request #1822 from faro-oss/feature/redirect-uris-for-public-clients
Allow public clients (e.g. SPAs using implicit flow or PKCE) to have redirect URLs other than localhost
2020-11-05 11:02:25 +01:00
Márk Sági-Kazár
6fcd9b4887
Merge pull request #1852 from flant/description_templates
chore: Add description templates
2020-11-05 10:43:27 +01:00
Márk Sági-Kazár
40409eafe8
Merge pull request #1847 from flant/retry-kubernetes-update-requests
feat: Retry Kubernetes update requests
2020-11-05 10:41:58 +01:00
Márk Sági-Kazár
bca77245df
Merge pull request #1853 from dexidp/linter-config
Linter config
2020-11-05 10:33:19 +01:00
Mark Sagi-Kazar
349832b380
Run fixer
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:52:14 +01:00
Mark Sagi-Kazar
84ea790885
Enable gci and gofumpt
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:52:14 +01:00
Mark Sagi-Kazar
cafea292ca
Update linter
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:52:13 +01:00
Mark Sagi-Kazar
3841f05ba4
Update linter config
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:51:29 +01:00
Mark Sagi-Kazar
ed7b71a190
chore: add editorconfig
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2020-11-03 20:37:38 +01:00
Martin Heide
162073b33e No longer allow desktop/mobile redirect URIs implicitly if RedirectURIs is set
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 14:05:47 +00:00
Martin Heide
c15e2887bc Add oob, device and localhost redirect URI tests
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 13:41:56 +00:00
Martin Heide
1ea481bb73 Fix gofmt in oauth2_test.go
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 12:52:52 +00:00
Martin Heide
b894d9c888 Allow public clients (e.g. using implicit flow or PKCE) to have redirect URIs configured
Signed-off-by: Martin Heide <martin.heide@faro.com>
2020-11-02 12:52:10 +00:00
m.nabokikh
7198f17d0e chore: Add description templates
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-11-02 10:52:08 +04:00
m.nabokikh
be378dd9a7 feat: Retry Kubernetes update requests
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-28 12:46:58 +04:00
Márk Sági-Kazár
6cdbb59406
Merge pull request #1845 from flant/minor-linter-fixes
fix: Minor style fixes after merging PKCE implementation
2020-10-26 21:37:30 +01:00
m.nabokikh
a5ad5eaf08 fix: Minor style fixes after merging PKCE implementation
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2020-10-26 23:20:33 +04:00
Bernd Eckstein
b5519695a6
PKCE implementation (#1784)
* Basic implementation of PKCE

Signed-off-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>

* @mfmarche on 24 Feb: when code_verifier is set, don't check client_secret

In PKCE flow, no client_secret is used, so the check for a valid client_secret
would always fail.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* @deric on 16 Jun: return invalid_grant when wrong code_verifier

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enforce PKCE flow on /token when PKCE flow was started on /auth
Also dissallow PKCE on /token, when PKCE flow was not started on /auth

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* fixed error messages when mixed PKCE/no PKCE flow.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* server_test.go: Added PKCE error cases on /token endpoint

* Added test for invalid_grant, when wrong code_verifier is sent
* Added test for mixed PKCE / no PKCE auth flows.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* cleanup: extracted method checkErrorResponse and type TestDefinition

* fixed connector being overwritten

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* /token endpoint: skip client_secret verification only for grand type authorization_code with PKCE extension

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow "Authorization" header in CORS handlers

* Adds "Authorization" to the default CORS headers{"Accept", "Accept-Language", "Content-Language", "Origin"}

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Add "code_challenge_methods_supported" to discovery endpoint

discovery endpoint /dex/.well-known/openid-configuration
now has the following entry:

"code_challenge_methods_supported": [
  "S256",
  "plain"
]

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Updated tests (mixed-up comments), added a PKCE test

* @asoorm added test that checks if downgrade to "plain" on /token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* remove redefinition of providedCodeVerifier, fixed spelling (#6)

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
Signed-off-by: Bernd Eckstein <HEllRZA@users.noreply.github.com>

* Rename struct CodeChallenge to PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* PKCE: Check clientSecret when available

In authorization_code flow with PKCE, allow empty client_secret on /auth and /token endpoints. But check the client_secret when it is given.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Enable PKCE with public: true

dex configuration public on staticClients now enables the following behavior in PKCE:
- Public: false, PKCE will always check client_secret. This means PKCE in it's natural form is disabled.
- Public: true, PKCE is enabled. It will only check client_secret if the client has sent one. But it allows the code flow if the client didn't sent one.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Redirect error on unsupported code_challenge_method

- Check for unsupported code_challenge_method after redirect uri is validated, and use newErr() to return the error.
- Add PKCE tests to oauth2_test.go

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Reverted go.mod and go.sum to the state of master

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Don't omit client secret check for PKCE

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Allow public clients (e.g. with PKCE) to have redirect URIs configured

Signed-off-by: Martin Heide <martin.heide@faro.com>

* Remove "Authorization" as Accepted Headers on CORS, small fixes

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Revert "Allow public clients (e.g. with PKCE) to have redirect URIs configured"

This reverts commit b6e297b78537dc44cd3e1374f0b4d34bf89404ac.

Signed-off-by: Martin Heide <martin.heide@faro.com>

* PKCE on client_secret client error message

* When connecting to the token endpoint with PKCE without client_secret, but the client is configured with a client_secret, generate a special error message.

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* Output info message when PKCE without client_secret used on confidential client

* removes the special error message

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

* General missing/invalid client_secret message on token endpoint

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>

Co-authored-by: Tadeusz Magura-Witkowski <tadeuszmw@gmail.com>
Co-authored-by: Martin Heide <martin.heide@faro.com>
Co-authored-by: M. Heide <66078329+heidemn-faro@users.noreply.github.com>
2020-10-26 11:33:40 +01:00