diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 2c6f19e9..4ab7f7ac 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -14,7 +14,7 @@ jobs:
 build:
 env:
 COVER: true
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-20.04
 steps:
 - name: Check out code
@@ -28,7 +28,7 @@ jobs:
 - name: Get dependencies
 run: |
- curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.24.0
+ curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.36.0
 go mod download
 curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
 chmod +x ./cc-test-reporter
@@ -52,7 +52,7 @@ jobs:
 ./.github/workflows/test.sh
 docker:
- runs-on: ubuntu-18.04
+ runs-on: ubuntu-20.04
 steps:
 - name: Check out code
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 385a8f81..9c6e3a38 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ ## Changes since v7.0.1
+- [#1052](https://github.com/oauth2-proxy/oauth2-proxy/pull/1052) Update golangci-lint to latest version (v1.36.0) (@JoelSpeed)
 - [#1043](https://github.com/oauth2-proxy/oauth2-proxy/pull/1043) Refactor Sign In Page rendering and capture all page rendering code in pagewriter package (@JoelSpeed)
 - [#1029](https://github.com/oauth2-proxy/oauth2-proxy/pull/1029) Refactor error page rendering and allow debug messages on error (@JoelSpeed)
 - [#1028](https://github.com/oauth2-proxy/oauth2-proxy/pull/1028) Refactor templates, update theme and provide styled error pages (@JoelSpeed)
diff --git a/oauthproxy.go b/oauthproxy.go
index 7cd747bd..7bf524aa 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
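Review bot: The "Get dependencies" step still pipes an installer fetched from the unpinned `master` branch of golangci-lint straight into `sh`, so the `v1.36.0` argument pins only the binary that the script chooses to download while the script itself can change under the CI runner at any time. Pinning the install.sh URL to the matching release tag or commit and checking its digest before running it, or using the golangci-lint GitHub Action pinned by commit SHA, makes the tool-chain reproducible. The codeclimate `test-reporter-latest-linux-amd64` download on the following context line has the same shape: an unversioned artifact that is made executable without any integrity check.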
@@ -641,7 +641,7 @@ func (p *OAuthProxy) SignIn(rw http.ResponseWriter, req *http.Request) {
 }
 }
-//UserInfo endpoint outputs session email and preferred username in JSON format
+// UserInfo endpoint outputs session email and preferred username in JSON format
 func (p *OAuthProxy) UserInfo(rw http.ResponseWriter, req *http.Request) {
 session, err := p.getAuthenticatedSession(rw, req)
@@ -805,6 +805,8 @@ func (p *OAuthProxy) redeemCode(req *http.Request) (*sessionsapi.SessionState, e
 func (p *OAuthProxy) enrichSessionState(ctx context.Context, s *sessionsapi.SessionState) error {
 var err error
 if s.Email == "" {
+ // TODO(@NickMeves): Remove once all provider are updated to implement EnrichSession
+ // nolint:staticcheck
 s.Email, err = p.provider.GetEmailAddress(ctx, s)
 if err != nil && !errors.Is(err, providers.ErrNotImplemented) {
 return err
@@ -1106,7 +1108,7 @@ func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.R
 // TODO (@NickMeves): This method is a placeholder to be extended but currently
 // fails the linter. Remove the nolint when functionality expands.
 //
-//nolint:S1008
+//nolint:gosimple
 func authOnlyAuthorize(req *http.Request, s *sessionsapi.SessionState) bool {
 // Allow secondary group restrictions based on the `allowed_groups`
 // querystring parameter
diff --git a/pkg/validation/options.go b/pkg/validation/options.go
index 52b0fb69..35c3ae1a 100644
--- a/pkg/validation/options.go
+++ b/pkg/validation/options.go
@@ -41,10 +41,10 @@ func Validate(o *options.Options) error {
 } else if len(o.ProviderCAFiles) > 0 {
 pool, err := util.GetCertPool(o.ProviderCAFiles)
 if err == nil {
- transport := &http.Transport{
- TLSClientConfig: &tls.Config{
- RootCAs: pool,
- },
+ transport := http.DefaultTransport.(*http.Transport).Clone()
+ transport.TLSClientConfig = &tls.Config{
+ RootCAs: pool,
+ MinVersion: tls.VersionTLS12,
 }
 http.DefaultClient = &http.Client{Transport: transport}
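Review bot: The added directive `// nolint:staticcheck` in enrichSessionState has a space after `//`, which differs from the `//nolint:gosimple` form used in the later hunk of this same file and from the machine-readable form golangci-lint documents; depending on the linter version it may be read as an ordinary comment and not suppress the deprecation report on the `p.provider.GetEmailAddress` call. Writing it as `//nolint:staticcheck // GetEmailAddress is deprecated; remove once every provider implements EnrichSession` keeps the suppression recognised and carries the reason on the same line, so the separate TODO line could be folded into it. The body of enrichSessionState continues past the end of the hunk.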
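Review bot: `http.DefaultTransport.(*http.Transport)` in Validate is a single-value type assertion, so option validation panics if DefaultTransport has been replaced by a value that is not a `*http.Transport`, which instrumentation wrappers and tests commonly do. The two-value form with a fallback avoids that while keeping the new `MinVersion: tls.VersionTLS12` floor: `base, ok := http.DefaultTransport.(*http.Transport)`, `if !ok { base = &http.Transport{} }`, `transport := base.Clone()`. Validate starts before the hunk and continues after it, and what happens when `util.GetCertPool` returns an error is not visible here.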
diff --git a/providers/logingov.go b/providers/logingov.go
index 44d1cb46..9e70c857 100644
--- a/providers/logingov.go
+++ b/providers/logingov.go
@@ -3,9 +3,10 @@ package providers
 import (
 "bytes"
 "context"
+ "crypto/rand"
 "crypto/rsa"
 "fmt"
- "math/rand"
+ "math/big"
 "net/url"
 "time"
@@ -34,7 +35,13 @@ var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
 func randSeq(n int) string {
 b := make([]rune, n)
 for i := range b {
- b[i] = letters[rand.Intn(len(letters))]
+ max := big.NewInt(int64(len(letters)))
+ bigN, err := rand.Int(rand.Reader, max)
+ if err != nil {
+ // This should never happen
+ panic(err)
+ }
+ b[i] = letters[bigN.Int64()]
 }
 return string(b)
 }
diff --git a/providers/provider_default.go b/providers/provider_default.go
index d3c6d113..01b626e8 100644
--- a/providers/provider_default.go
+++ b/providers/provider_default.go
@@ -94,7 +94,7 @@ func (p *ProviderData) GetLoginURL(redirectURI, state string) string {
 }
 // GetEmailAddress returns the Account email address
-// DEPRECATED: Migrate to EnrichSession
+// Deprecated: Migrate to EnrichSession
 func (p *ProviderData) GetEmailAddress(_ context.Context, _ *sessions.SessionState) (string, error) {
 return "", ErrNotImplemented
 }
diff --git a/providers/providers.go b/providers/providers.go
index 6aeb5426..d4f05e2c 100644
--- a/providers/providers.go
+++ b/providers/providers.go
@@ -9,7 +9,7 @@ import (
 // Provider represents an upstream identity provider implementation
 type Provider interface {
 Data() *ProviderData
- // DEPRECATED: Migrate to EnrichSession
+ // Deprecated: Migrate to EnrichSession
 GetEmailAddress(ctx context.Context, s *sessions.SessionState) (string, error)
 Redeem(ctx context.Context, redirectURI, code string) (*sessions.SessionState, error)
 EnrichSession(ctx context.Context, s *sessions.SessionState) error
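Review bot: In randSeq the upper bound `max` is rebuilt with `big.NewInt` on every iteration and its name shadows the builtin `max` on Go 1.21+ toolchains; hoisting it above the loop as `upper := big.NewInt(int64(len(letters)))` and calling `rand.Int(rand.Reader, upper)` per character removes both the per-iteration allocation and the shadowing while keeping the unbiased sampling that `rand.Int` provides. Moving from the unseeded `math/rand` sequence to `crypto/rand` is the right fix for anything this value is used for (the caller is not visible here), and panicking when the system entropy source fails is defensible because continuing with a predictable value would be worse, but the comment could say so instead of `// This should never happen`, for example `// A crypto/rand failure means no secure entropy is available; refusing to continue is safer than emitting a weak value`.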
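Review bot: The `Deprecated:` marker in provider_default.go only takes effect when it begins its own paragraph of the doc comment, and here it directly follows the summary line `// GetEmailAddress returns the Account email address`, so go doc and staticcheck may not treat the ProviderData method as deprecated. Inserting a blank `//` line between those two comment lines fixes that. The interface method in providers.go is fine as written, because its marker is the entire comment.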