* implementation draft
* add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options
* refactor configs, added logging and add additional claim verification
* simplify logic by just having one configuration similar to oidc-email-claim
* added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers
* refactored verification to reduce complexity
* refactored verification to reduce complexity
* added docs
* adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options
* extend unit tests and ensure that audience is set with the value of aud claim configuration
* revert filemodes and update docs
* update docs
* remove unneccesary logging, refactor audience existence check and added additional unit tests
* fix linting issues after rebase on origin/main
* cleanup: use new imports for migrated libraries after rebase on origin/main
* adapt mock in keycloak_oidc_test.go
* allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation
* fixed formatting issue
* do not pass the whole options struct to minimize complexity and dependency to the configuration structure
* added changelog entry
* update docs
Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com>
Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
* init TLS.Config when connecting to Redis with TLS
* don't overwrite TLS config if it exists
* add tests for Redis with TLS
* remove hardcoded certs
* add GenerateCert func
* use GenerateCert util func
* fix issue reported by go fmt
* limit return statements in GenerateCert
* Use the httputil.NewSingleHostReverseProxy instad of yhat/wsutil for websocket proxying. This correctly handles 404 responses with keep-alive by terminating the tunnel rather than keeping it alive
* Tidy up dependencies - yhat/wsutil is no longer required
* Update changelog to include reference to 1348
Co-authored-by: Matt Lilley <matt.lilley@securitease.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* switched to github.com/golang-jwt/jwt and updated golang.org/x/crypto to include CVE fixes
* added #1276 to changelog
Co-authored-by: Joshua Vécsei <git@vecsei.me>
They will only be used in tests, but it doesn't play
nice with copy operations many tests use. The linter was
not happy. While the global clock needs mutexes for parallelism,
local Clocks only used it for Set/Add and didn't even use the
mutex for actual time functions.
The reflect.DeepCopy doesn't play nice with the new Lock and Clock
fields in sessions. And it added unneeded session deserialization
logic to every request.
* Add sensible logging flag to default setup for logger
* Add Redis lock
* Fix default value flag for sensitive logging
* Split RefreshSessionIfNeeded in two methods and use Redis lock
* Small adjustments to doc and code
* Remove sensible logging
* Fix method names in ticket.go
* Revert "Fix method names in ticket.go"
This reverts commit 408ba1a1a5.
* Fix methods name in ticket.go
* Remove block in Redis client get
* Increase lock time to 1 second
* Perform retries, if session store is locked
* Reverse if condition, because it should return if session does not have to be refreshed
* Update go.sum
* Update MockStore
* Return error if loading session fails
* Fix and update tests
* Change validSession to session in docs and strings
* Change validSession to session in docs and strings
* Fix docs
* Fix wrong field name
* Fix linting
* Fix imports for linting
* Revert changes except from locking functionality
* Add lock feature on session state
* Update from master
* Remove errors package, because it is not used
* Only pass context instead of request to lock
* Use lock key
* By default use NoOpLock
* Remove debug output
* Update ticket_test.go
* Map internal error to sessions error
* Add ErrLockNotObtained
* Enable lock peek for all redis clients
* Use lock key prefix consistent
* Fix imports
* Use exists method for peek lock
* Fix imports
* Fix imports
* Fix imports
* Remove own Dockerfile
* Fix imports
* Fix tests for ticket and session store
* Fix session store test
* Update pkg/apis/sessions/interfaces.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Do not wrap lock method
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Use errors package for lock constants
* Use better naming for initLock function
* Add comments
* Add session store lock test
* Fix tests
* Fix tests
* Fix tests
* Fix tests
* Add cookies after saving session
* Add mock lock
* Fix imports for mock_lock.go
* Store mock lock for key
* Apply elapsed time on mock lock
* Check if lock is initially applied
* Reuse existing lock
* Test all lock methods
* Update CHANGELOG.md
* Use redis client methods in redis.lock for release an refresh
* Use lock key suffix instead of prefix for lock key
* Add comments for Lock interface
* Update comment for Lock interface
* Update CHANGELOG.md
* Change LockSuffix to const
* Check lock on already loaded session
* Use global var for loadedSession in lock tests
* Use lock instance for refreshing and releasing of lock
* Update possible error type for Refresh
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
