1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-28 09:08:44 +02:00
Commit Graph

496 Commits

Author SHA1 Message Date
Alexander Block
0e119d7c84
Azure token refresh (#754)
* Implement azure token refresh

Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278

* Update CHANGELOG.md

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Set CreatedAt to Now() on token refresh

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 11:25:59 -08:00
Kevin Kreitner
65016c8da1
Enable custom structure for group claim with default name group (#839)
* Allow complex structure for groups in group claim.

* Remove unused constant

* Update variable name

* Fix linting

* Use helper method

* Log error if not possible to append group value

* Add missing import

* Use own logger

* Fix imports

* Remove Dockerfile for testing

* Add Changelog entry

* Use formatGroup helper method and update tests

* Return string instead of string array

* Remove groups variable

* Return error in format method.

* Reorder imports

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2020-11-03 10:10:08 -08:00
Nick Meves
4a54c9421c
Remove EmailDomain verification from GitLab provider
This is handled globally
2020-10-20 10:01:53 -07:00
Nick Meves
2b9e1bbba0
Add EnrichSessionState as main post-Redeem session updater 2020-10-19 14:09:45 -07:00
Joel Speed
132c2cb210
Add changelog for fixing test reporting in github actions 2020-10-07 18:49:32 +01:00
Mitsuo Heijo
f705d2b5d3
Improve CI (#819)
* simplify github actions workflow

no more GOPATH, update Go to 1.15.x

* add script to install golangci-lint

* drop support for Go 1.14

* check docker build in ci

* update alpine linux to 3.12

* update CHANGELOG

* fix golangci-lint installation

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-10-07 18:46:41 +01:00
Joel Speed
c9b3422801
Add changelog entry for generic header injectors 2020-10-07 18:24:59 +01:00
Nick Meves
fa4ba5e7ea
Convert allowlist validation test to Ginkgo 2020-10-07 10:13:41 -07:00
Nick Meves
183cb124a4
Support HTTP method based allowlists 2020-10-07 10:13:40 -07:00
Mitsuo Heijo
fcb83c48f4
Update go-redis/redis to v8 (#801)
* update go-redis/redis to v8

testify, ginko and gomega have also been updated.

* update changelog

* Update pkg/sessions/redis/redis_store_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-10-07 11:49:27 +01:00
Mitsuo Heijo
5c62690653 Rename test directory to testdata
See https://golang.org/cmd/go/#hdr-Test_packages
2020-10-06 21:37:25 +09:00
Shinebayar G
dc7dbc5d28
ci: migrate to Github Actions, close #546 (#750)
* ci: migrate to Github Actions

* ci: optimize on feedback

* ci: run gocov in correct dir

* ci: running after-build script always

* ci: giving test script execute permission

* ci: correct error handling on test script

* ci: more verbose test script

* ci: configure CC_TEST_REPORTER_ID env

* ci: check existence of CC_TEST_REPORT_ID variable, skip if unset

* ci: check existence of CC_TEST_REPORT_ID variable, skip if unset

* update changelog

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-10-05 10:29:47 +01:00
Thiago Caiubi
8be97f25e7
Fix build (#813)
* Fix build

Without the v7 path it builds old version of the project (v3.2.0).

* Update CHANGELOG.md
2020-10-03 14:09:40 +01:00
Mitsuo Heijo
e64322b070 Update Go to 1.15 2020-09-30 09:54:43 +09:00
Mitsuo Heijo
3fa42edb73
Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
Alexander Block
d046782f61 Add link to #753 in changelog 2020-09-29 13:35:40 +02:00
Alexander Block
090eff0197 Add CHANGELOG.md entries for #753 2020-09-28 12:17:06 +02:00
Nick Meves
e0d915cc03
Stop shadowing GetEmailAddress errors in redeemCode 2020-09-24 10:50:18 -07:00
Nick Meves
6db1aeb9c6
Validate Redis session store health on startup 2020-09-24 10:41:43 -07:00
Nick Meves
56f199a24f
Stop accepting legacy SHA1 signed cookies 2020-09-24 10:31:34 -07:00
Stefan Sedich
9d59519a96
Add support to ensure user belongs in required groups when using the OIDC provider 2020-09-21 10:43:54 -07:00
Lennart Jern
e14d6ab791 Document bcrypt encryption for htpasswd
Remove mention of (insecure) SHA option for encryption.
2020-09-11 13:32:00 +03:00
Joel Speed
1337f56188
Prepare CHANGELOG for v6.1.1 release 2020-08-31 17:01:52 +01:00
Joel Speed
b40517bbe3
Fix conversion of static responses in upstreams 2020-08-31 16:54:01 +01:00
Nick Meves
29b24793e3
Use X-Forwarded-Host consistently 2020-08-31 08:31:45 -07:00
Joel Speed
43bf36425d
Prepare changelog for v6.1.0 release 2020-08-27 15:08:46 +01:00
Joel Speed
105d5acb7b
Only log no cookie match if cookie domains specified 2020-08-27 14:48:00 +01:00
Dan Bond
d7abd56981
dist.sh: remove go version from asset links (#733)
* dist.sh: remove go version from asset links

* update changelog
2020-08-25 08:41:14 -07:00
Joel Speed
d05e08cba3
Create generic Authorization Header constructor 2020-08-16 20:04:34 +01:00
Joel Speed
16a30002df
Ensure session times are not nil before printing them 2020-08-16 19:53:52 +01:00
Nick Meves
514db45d1a
Allow OIDC Bearer Tokens without emails
This reverts to functionality before #499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before #499.
2020-08-14 13:31:38 -07:00
Nick Meves
51a9062044
Support Password & SentinelPassword in Redis session store 2020-08-11 12:22:05 -07:00
Nick Meves
b6e78efc1e
Add x-oauth-basic nosec annotation & address gosec unhandled errors 2020-08-10 15:15:16 -07:00
Phil Taprogge
d69fd6af22
Allow Logging to stdout with separate Error Log Channel (#718)
* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-08-10 11:44:08 +01:00
Nick Meves
65c228394f
Address gosec findings
Mostly handling unhandled errors appropriately.
If logging to STDERR fails, we panic. Added #nosec
comments to findings we are OK with.
2020-08-09 07:55:39 -07:00
Nick Meves
81ec9edf53
Fix time issue causing finicky failures in logging tests 2020-08-06 15:44:05 -07:00
Nick Meves
19836f85ac
Align persistence ginkgo tests to conventions 2020-07-21 22:13:17 -07:00
Andy Voltz
88ef888752
Preserve query when building redirect (fix for #695) (#696)
* Add test for GetRedirect to check query and fragments.

* Preserve query and fragment when building redirect.

* Add changelog entry for redirect fix
2020-07-21 16:38:13 +01:00
Joel Speed
d4dd34a65a
Move provider URLs to package level vars 2020-07-19 18:34:55 +01:00
Nick Meves
9643a0b10c
Centralize Ticket management of persistent stores (#682)
* Centralize Ticket management of persistent stores

persistence package with Manager & Ticket will handle
all the details about keys, secrets, ticket into cookies,
etc. Persistent stores just need to pass Save, Load &
Clear function handles to the persistent manager now.

* Shift to persistence.Manager wrapping a persistence.Store

* Break up the Redis client builder logic

* Move error messages to Store from Manager

* Convert ticket to private for Manager use only

* Add persistence Manager & ticket tests

* Make a custom MockStore that handles time FastForwards
2020-07-19 21:25:13 +01:00
Joel Speed
3f00143175
Add changelog entry for session middleware refactor 2020-07-19 17:24:58 +01:00
Joel Speed
6b27069812
Add changelog entry for integrating new upstream proxy 2020-07-19 14:01:36 +01:00
Joel Speed
e73db7df7b
Add HTPasswd validator refactor to changelog 2020-07-18 11:01:49 +01:00
Nick Meves
abeb0236d8
Strip X-Forwarded auth headers from whitelisted paths (#624)
* Strip X-Forwarded auth headers from whitelisted paths

For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).

Only x-Forwarded headers stripped, left the Authorization header
untouched.

* Strip authorization header if it would be set

* Improve TestStripAuthHeaders test table

* Improve --skip-auth-strip-headers flag documentation
2020-07-14 23:46:44 +01:00
Nick Meves
bb5977095f
Add option to remove tokens from cookie sessions (#673)
* Add option to remove tokens from cookie sessions

* Move Minimal to be an option on CookieSession

* Add sessionOptionsDefaults helper
2020-07-14 23:02:10 +01:00
Nick Meves
a09eecc6a2
Reduce SessionState size better with MessagePack + LZ4 (#632)
* Encode sessions with MsgPack + LZ4

Assumes ciphers are now mandatory per #414. Cookie & Redis sessions
can fallback to V5 style JSON in error cases. TODO: session_state.go
unit tests & new unit tests for Legacy fallback scenarios.

* Only compress encoded sessions with Cookie Store

* Cleanup msgpack + lz4 error handling

* Change NewBase64Cipher to take in an existing Cipher

* Add msgpack & lz4 session state tests

* Add required options for oauthproxy tests

More aggressively assert.NoError on all
validation.Validate(opts) calls to enforce legal
options in all our tests.
Add additional NoError checks wherever error return
values were ignored.

* Remove support for uncompressed session state fields

* Improve error verbosity & add session state tests

* Ensure all marshalled sessions are valid

Invalid CFB decryptions can result in garbage data
that 1/100 times might cause message pack unmarshal
to not fail and instead return an empty session.
This adds more rigor to make sure legacy sessions
cause appropriate errors.

* Add tests for legacy V5 session decoding

Refactor common legacy JSON test cases to a
legacy helpers area under session store tests.

* Make ValidateSession a struct method & add CHANGELOG entry

* Improve SessionState error & comments verbosity

* Move legacy session test helpers to sessions pkg

Placing these helpers under the sessions pkg removed
all the circular import uses in housing it under the
session store area.

* Improve SignatureAuthenticator test helper formatting

* Make redis.legacyV5DecodeSession internal

* Make LegacyV5TestCase test table public for linter
2020-07-13 20:56:05 +01:00
mkontani
dd36138965
docs: Fix required ruby-version (#675)
* fix required ruby-version

Signed-off-by: mkontani <itoama@live.jp>

* add a changelog entry

Signed-off-by: mkontani <itoama@live.jp>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-12 16:09:34 +01:00
Joel Speed
d1c7be565b
Move changelog entry to correct release
This changelog entry was merged into the wrong release, this puts it back to the correct release
2020-07-11 11:14:12 +01:00
Isabelle COWAN-BERGMAN
64ae31b5a0
Implements --trusted-ip option (#552)
* Implements --ip-whitelist option

* Included IPWhitelist option to allow one-or-more selected CIDR ranges
  to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.

* Renamed IPWhitelist ipCIDRSet

* Fixed unessesary pointer usage in ipCIDRSet

* Update CHANGELOG.md

* Update CHANGELOG.md

* Updated to not use err.Error() in printf statements

* Imrpoved language for --ip-whitelist descriptions.

* Improve IP whitelist options error messages

* Clarify options single-host normalization

* Wrote a book about ipCIDRSet

* Added comment to IsWhitelistedIP in oauthproxy.go

* Rewrite oauthproxy test case as table driven

* oops

* Support whitelisting by low-level remote address

* Added more test-cases, improved descriptions

* Move ip_cidr_set.go to pkg/ip/net_set.go

* Add more whitelist test use cases.

* Oops

* Use subtests for TestIPWhitelist

* Add minimal tests for ip.NetSet

* Use switch statment

* Renamed ip-whitelist to whitelist-ip

* Update documentation with a warning.

* Update pkg/apis/options/options.go

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix fmt

* Move ParseIPNet into abstraction

* Add warning in case of --reverse-proxy

* Update pkg/validation/options_test.go

* Rename --whitelist-ip to --trusted-ip

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-11 11:10:58 +01:00
Joel Speed
7ffe9b7620
Reduce docker context to improve build times 2020-07-07 20:51:43 +01:00
Mariano Vallés
a999270cf3
Add req.host to targetURL when redirecting to https (#668)
* Add req.host to targetURL when redirecting to https

The req.URL.Host might not be present when redirecting to https if the
given req.URL is something like "/". In such scenario, the req.Host is
still present and valid.

This commit adds the original req.Host to the targetURL before returning
the 308 status, to avoid having a `Location: https:///` in the response.

* Bring back empty line

* Wrap the setting of targetURL.Host in a condition

* Add a comment to the test explaining why the redirectURL includes example.com

* Add changelog entry
2020-07-07 09:55:38 +01:00
Joel Speed
02410d3919
Update changelog to add request builder entry 2020-07-06 18:31:28 +01:00
Mitsuo Heijo
97ab3fa005 update CHANGELOG 2020-07-06 19:09:02 +09:00
Jordan Crawford
6346dafc1e (#649) Remove blank helthcheck user agents and paths when setting up the healthcheck middleware
A blank user agent is considered == to an empty string. When no -ping-user-agent option is specified, this is considered to be an empty string.

This reveals two problems:
- When no ping-user-agent is specified, main.go sets up a health check user agent of ""
- When no user agent is specified, the empty string is still checked against the health check user agents.

Now the health check middleware ignores blank user agents and paths in order to sanitise it's input to avoid this issue.

Additional tests have been added to verify these situations.
2020-07-06 14:07:38 +12:00
Joel Speed
37c76b6376
Update changelog to add upstream proxy entry 2020-07-05 10:22:24 +01:00
Joel Speed
eb933cc3f4
Add changelog entry for cookie validation separation 2020-07-05 09:18:45 +01:00
Nick Meves
c6f1daba2f
Split cookies more precisely at 4096 bytes 2020-07-03 20:38:04 -07:00
Joel Speed
1c1106721e
Move RedirectToHTTPS to middleware package
Moves the logic for redirecting to HTTPs to a middleware package and adds tests for this logic.
Also makes the functionality more useful, previously it always redirected to the HTTPS address of the proxy, which may not have been intended, now it will redirect based on if a port is provided in the URL (assume public facing 80 to 443 or 4180 to 8443 for example)
2020-07-03 17:19:09 +01:00
Joel Speed
5c8a66bcc9
Close client connections after each redis test 2020-07-03 16:24:47 +01:00
k-wall
b0375e85fa
Fix #635: Support specifying alternative provider TLS trust source(s) (#645)
* Fix #635: Support specifying alternative provider TLS trust source(s)

* Update pkg/apis/options/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/validation/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address review comments

* upd CHANGELOG.md

* refactor test to assert textual subjects + add openssl gen cmd

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-03 16:09:17 +01:00
Joel Speed
34137f7305
Move SessionStore tests to independent package 2020-07-01 06:41:35 +01:00
Joel Speed
778463906a
Update changelog for session storage initialisation move 2020-06-28 12:32:06 +01:00
Joel Speed
25154ede41
Update changelog ready for release v6.0.0 2020-06-27 12:10:27 +01:00
İlteriş Eroğlu
1b6c54cae1
Change how gitlab-group is parsed on options (#639)
* Changed how gitlab-group is parsed, from string to []string

See #637

* Point out that gitlab-group can be a list

See #637

* Reflect to the []string change on pkg/apis/options/options.go

See #637

* Move cfg option gitlab_group to gitlab_groups

See #637

* Renamed Group to Groups

See #637

* Reflect the change on gitlab.go as well

See #637

* Added #639

* Added the author of #639 to the CHANGELOG

* Add the gitlab_groups env change to CHANGELOG.md

See #639

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-26 23:26:07 +01:00
Evgeni Gordeev
054979978f Merge remote-tracking branch 'upstream/master' into helm-example
# Conflicts:
#	CHANGELOG.md
2020-06-25 15:24:00 -05:00
Evgeni Gordeev
e8fce0b14d Merge remote-tracking branch 'upstream/master' into helm-example
# Conflicts:
#	CHANGELOG.md
2020-06-19 22:25:14 -05:00
Nick Meves
c2c1caa404
Set User = Subject in ExtraJWTBearer sessions 2020-06-19 11:48:23 -07:00
Joel Speed
dc756b9de3
Don't log invalid redirect if redirect is empty 2020-06-19 18:17:05 +01:00
Evgeni Gordeev
11c033e2c8 * move httpbin and hello-world charts outside.
* expose kind to 443 port
* make helm optional
* rename folder to kubernetes
2020-06-16 16:39:11 -05:00
Evgeni Gordeev
9a495e996b Merge remote-tracking branch 'upstream/master' into helm-example
# Conflicts:
#	CHANGELOG.md
2020-06-16 16:38:01 -05:00
Joel Speed
ba3e40ab1c
Add changelog entry for healthcheck middleware 2020-06-14 21:06:14 +01:00
Evgeni Gordeev
43f214ce8b
Add Keycloak local testing environment (#604)
* Adding one more example - keycloak - alongside with dex IDP.

* don't expose keycloak and proxy ports to the host

* specify email-domain list option in documentation

* get rid of nginx and socat to simplify the example as per https://github.com/oauth2-proxy/oauth2-proxy/pull/604#issuecomment-640054390

* get rid of the scripts - use static file for keycloak startup

* changelog entry

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-14 14:06:12 +01:00
Nick Meves
014fa682be
Add EncryptInto/DecryptInto Unit Tests 2020-06-12 14:42:42 -07:00
Evgeni Gordeev
363eaf1fac changelog entry 2020-06-12 13:55:38 -05:00
Joel Speed
808084b744
Ensure decrypted user/email are valid UTF8 2020-06-12 15:36:55 +01:00
Christopher Kohnert
2c851fcd4f
Allow a health/ping request to be identified by User-Agent (#567)
* Add an option to allow health checks based on User-Agent.

* Formatting fix

* Rename field and avoid unnecessary interface.

* Skip the redirect fix so it can be put into a different PR.

* Add CHANGELOG entry

* Adding a couple tests for the PingUserAgent option.
2020-06-12 14:56:31 +01:00
Joel Speed
160bbaf98e
Fallback to UserInfo is User ID claim not present (#560)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-06-04 17:41:29 +01:00
Scott Guymer
3aeca4368c
ACR values should not be automatically added when blank (#598)
* ACR values should not be automatically added when blank

* Added changelog
2020-06-02 18:17:27 +01:00
Yoshiki Nakagawa
d8d43bb51b
Support new option "github-user" (#421)
* feat(github): support new option "github-user"

* feat(github): rename github-user to github-users

* feat(github): update docs for github-users option

* feat(github): remove unneeded code

* feat(github): remove logging

* feat(github-user): use github-user as flagset options

* feat(github-user): remove optionns.go

* feat(github-user): add github-user flagset

* feat(github): improve readability in the docs

* feat(github-user): refactored SetUsers method

* Update flag description

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-01 20:02:07 +01:00
Joel Speed
f7c88f53d1
Update changelog for logging options move 2020-05-31 14:09:24 +01:00
Joel Speed
f7b28cb1d3
Improvements to Session State code (#536)
* Drop SessionStateJSON wrapper
* Use EncrpytInto/DecryptInto to reduce sessionstate

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-30 08:53:38 +01:00
Amnay
6a88da7f7a
Parse Redis cluster and sentinel urls (#573)
* Parse Redis cluster and sentinel urls

* Add changelog entry for #573

* Add unit tests for redis session store

* Use %v for error fmt

Co-authored-by: Amnay Mokhtari <amnay.mokhtari@adevinta.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-05-27 18:40:50 +01:00
Timo Beckers
276d1c6f19
Always encrypt sessions regardless of configuration 2020-05-24 21:23:04 +01:00
Amnay
0c9795a964
render error page on 502 proxy status (#574)
Co-authored-by: Amnay Mokhtari <amnay.mokhtari@adevinta.com>
2020-05-24 21:09:00 +01:00
Joel Speed
810a9e9967
Rename cookie-domain config to cookie-domains (#559)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-24 20:19:56 +01:00
Isabelle COWAN-BERGMAN
fc11d8d508
Updated autocompletion for -- long options. (#569)
* Updated autocompletion for `--` long options.

* Added CHANGELOG.md entry.
2020-05-24 17:12:28 +01:00
Joel Speed
a0085e9015
Add changelog entry for 489 (#572) 2020-05-23 18:49:09 +01:00
Nick Meves
7e5c8bb579
Fix secretBytes adding unintended padding (#556)
* Fix secretBytes adding unintended padding

* Add more SecretBytes test scenarios

* Add CHANGELOG entry about breaking secret padding change

* Add SecretBytes tests explanation comments
2020-05-21 19:29:45 +01:00
Nick Meves
d228d5a928
Refactor the utils package to other areas (#538)
* Refactor the utils package to other areas

Move cookieSession functions to cookie session store
& align the double implementation of SecretBytes to be
united and housed under encryption

* Remove unused Provider SessionFromCookie/CookieForSession

These implementations aren't used, these are handled in the cookie store.

* Add changelog entry for session/utils refactor
2020-05-14 10:16:35 +01:00
Isabelle COWAN-BERGMAN
111d17efde
Implements --real-client-ip-header option. (#503)
* Implements -real-client-ip-header option.

* The -real-client-ip-header determines what HTTP header is used for
  determining the "real client IP" of the remote client.
* The -real-client-ip-header option supports the following headers:
  X-Forwarded-For X-ProxyUser-IP and X-Real-IP (default).
* Introduces new realClientIPParser interface to allow for multiple
  polymorphic classes to decide how to determine the real client IP.
* TODO: implement the more standard, but more complex `Forwarded` HTTP
  header.

* Corrected order of expected/actual in test cases

* Improved error message in getRemoteIP

* Add tests for getRemoteIP and getClientString

* Add comment explaining splitting of header

* Update documentation on -real-client-ip-header w/o -reverse-proxy

* Add PR number in changelog.

* Fix typo repeated word: "it"

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update extended configuration language

* Simplify the language around dependance on -reverse-proxy

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Added completions

* Reorder real client IP header options

* Update CHANGELOG.md

* Apply suggestions from code review

Co-authored-by: Isabelle COWAN-BERGMAN <Izzette@users.noreply.github.com>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-12 18:41:25 +01:00
Joel Speed
2e37da4dc4
Update changelog for test environment addition 2020-05-12 16:07:17 +01:00
Joel Speed
4e3dd09cf2
Drop fallback to email when user is empty (#537) 2020-05-12 16:04:51 +01:00
John Clayton
7cf685140b
Restrict access using Github collaborators (#497)
* Allow access based on Github repository
2020-05-11 18:02:40 +01:00
Mitsuo Heijo
e642daef4e Support context in providers (#519)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-10 13:34:59 +01:00
Joel Speed
de280824de
Drop support for pre v3.1 cookies (#535)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-10 10:09:53 +01:00
Joel Speed
24cdfa68b6
Set up code coverage within Travis for Code Climate (#533)
* Set up code coverage within Travis for Code Climate
* Include CodeClimate badges on ReadMe
2020-05-10 07:29:37 +01:00
n-i-x
be9eaaeb48
Add basic string functions to templates (#514)
* Add basic string functions to templates

Co-authored-by: Oliver <oliver006@users.noreply.github.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-09 21:05:51 +01:00
Nick Meves
9d626265e8 Migrate cookie signing to SHA256 from SHA1 (#524)
Also, cleanup the code & make the specific
hashing algorithm chosen a function variable.

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-09 16:14:19 +01:00
Joel Speed
07df29db37
Drop configure script in favour of native Makefile env and checks (#515)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-09 16:07:46 +01:00
Joel Speed
8d3de2dc75
Tidy changelog and update releases to v5.1.1 (#526) 2020-05-06 19:00:12 +01:00
Joel Speed
f7c050e7ba
Switch flags to PFlag to remove StringArray (#487) 2020-05-03 16:55:20 +01:00
Joel Speed
458710149c
Rename Cookie Options to remove extra 'Cookie' 2020-04-29 19:51:24 +01:00
Jakub Holy
1961424561
Feature/configurable userid claim minimal (#499)
* Add -user-id-claim to support other claims than email

Fix #431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".

- Add the option `user-id-claim` (defaults to email)
- OIDC extracts this claim into session.Email (to be renamed later)
- providers: add `CreateSessionStateFromBearerToken` with a default impl taken from
  `GetJwtSession` and overridden by oidc to respect `user-id-claim`

Once #466 is merged, I can continue to rename SessionState.Email to .UserID
and add HTTP headers with a corresponding name.

* Apply suggestions from code review

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Review feedback: Don't extract claims manually

Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves.

* Fix indentation

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-28 07:46:46 +01:00
yaroslavros
4d21b8a04f
Make sure websockets respect ssl-upstream-insecure-skip-verify setting. (#494)
* Make sure websockets respect ssl-upstream-insecure-skip-verify setting.

Signed-off-by: Yaroslav Rosomakho <yaroslavros@gmail.com>

* Updated changelog for websockets taking into account ssl-upstream-insecure-skip-verify

Signed-off-by: Yaroslav Rosomakho <yaroslavros@gmail.com>

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-04-19 17:41:29 +01:00
Christopher Kohnert
c6294c40a3
Allow the OIDC issuer verification to be skipped if desired. (#467)
* Allow the OIDC issuer verification to be skipped if desired.

* Remove stale warning

* Add CHANGELOG entry

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
Co-authored-by: Dan Bond <pm@danbond.io>
2020-04-19 12:19:21 +01:00
Dan Bond
5fc6bd0e6f
Merge branch 'master' into fix-set-basic-default 2020-04-14 09:37:11 +01:00
Mitsuo Heijo
dd05e7ff0b
Add new linters (#486)
* add new linters and fix issues

* fix deprecated warnings

* simplify return

* update CHANGELOG

* fix staticcheck issues

* remove a deprecated linter, minor fixes of variable initialization
2020-04-14 09:36:44 +01:00
Joel Speed
581475feec
Set-Basic-Auth should default to false 2020-04-13 14:57:24 +01:00
Joel Speed
fcd52e042e
Warn users when session cookies are split 2020-04-12 12:01:38 +01:00
Eric Dahlseng
a659b9558e
Allow multiple cookie domains to be specified (#412)
* Allow multiple cookie domains to be specified

* Use X-Forwarded-Host, if it exists, when selecting cookie domain

* Perform cookie domain sorting in config validation phase

* Extract get domain cookies to a single function

* Update pkg/cookies/cookies.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 12:00:44 +01:00
Mitsuo Heijo
7f72a22227
feature: switch Azure AD graph API to Microsoft Graph API (#440)
* feature: switch Azure AD graph API to Microsoft Graph API

* Update CHANGELOG

* Expand Breaking Changes notice

* Update CHANGELOG.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* fix: use constant http method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 11:53:30 +01:00
Moraru Costel
b0b87563dc
Add set basic auth param (#413)
* addint redirect capability to sign_out

* updating changelog

* Add a new param to set the Authorization header to up-stream systems as Basic user:password

* Resolving code review

* mutual exclusiv changes for Basic and Bearer Authorization header

* Fixed the merge mixup and comment error

* Updated changelog and fixed typo

* Adding the new entry in changelog

Co-authored-by: Costel Moraru <costel.moraru-germany@ibm.com>
2020-04-10 14:41:28 +01:00
Mitsuo Heijo
7efc162aaa
Prevent browser caching during auth flow (#453)
* Prevent browser caching during auth flow

* simplify no-cache logic, add tests and update changelog

* checking noCacheHeaders does not exists in response headers from upstream

* remove unnecessary codes

* add no-cache headers in SignInPage and OAuthStart for proxy mode

https://github.com/oauth2-proxy/oauth2-proxy/pull/453#discussion_r405072222
2020-04-09 15:39:07 +01:00
Trevor Box
7c3efe4f42
Update okta doc (#481)
* updated Okta docs and added localhost example

* add changelog entry

* added pull request # to changelog

Co-authored-by: tbox <tbox@redhat.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-08 21:28:00 +01:00
Josh Bielick
f9f98cb3a7
print full error message when non-api error (#474)
when type asserting fails here, err is reassigned with nil and the
default block of the switch prints out <nil> in the error message. This
makes debugging a configuration or access token issue difficult

The particular error this surfaces is:

Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

Signed-off-by: Josh Bielick <jbielick@gmail.com>
2020-04-06 09:27:24 +01:00
Mitsuo Heijo
c7bfbdecef
Implement graceful shutdown and propagate request context (#468)
* feature: Implement graceful shutdown

Propagate the request context to the Redis client.
It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client.
The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently.

Added handling of Unix signals to http server.

Upgrade go-redis/redis to v7.

* Update dependencies

- Upgrade golang/x/* and google-api-go
- Migrate fsnotify import from gopkg.in to github.com
- Replace bmizerany/assert with stretchr/testify/assert

* add doc for  wrapper interface

* Update CHANGELOG.md

* fix: upgrade fsnotify to v1.4.9

* fix: remove unnessary logging

* fix: wait until  all connections have been closed

* refactor: move chan to main for testing

* add assert to check if stop chan is empty

* add an idiomatic for sync.WaitGroup with timeout
2020-04-04 16:12:38 +01:00
Siim Tiilen
bdc686103e
Allow html in banner message (#462)
* allow html in banner message

* Fix changelog (move under new version)
2020-04-04 15:01:11 +01:00
Phil Taprogge
3f7837b955
Add logging in case of invalid redirects (#471)
* Add logging in case of invalid redirects

* update changelog

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-02 09:51:38 +01:00
Theo
8641bc4738
Update docs deps 2020-03-29 17:34:17 +01:00
Joel Speed
f832eb1446
Update changelog and readme to reflect migration 2020-03-29 16:24:41 +01:00
Joel Speed
802754caad
Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:40:10 +01:00
Joel Speed
9dcd8255bf
Update CHANGELOG for v5.1.0 release 2020-03-29 13:19:38 +01:00
Mitsuo Heijo
362cdf7713
Fix http.Cookie SameSite is not copied. (#450)
* fix: http.Cookie SameSite is not copied.

* Update CHANGELOG.md
2020-03-17 18:48:52 +00:00
Jakub Holy
3108f765a5
Fix #381, expose acr_values to all providers (#445) 2020-03-17 17:57:33 +00:00
Erico Fusco
4d7349f9c6
Update CHANGELOG.md (#446)
Fix PR link for #435
2020-03-16 10:14:38 +00:00
Mitsuo Heijo
81b9a63e51
Support Go 1.14 (#419)
* Upgrade base image tags and golangci-lint

* Upgrade golang and golangci-lint in travis-ci

* fix:  tests, pointed out by golangci-lint and format files

* Upgrade dependencies

* update changelog

* fix: tests related to https://github.com/pusher/oauth2_proxy/pull/418

* Separate tests using go version build tags

* Update CHANGELOG

* Revert "Separate tests using go version build tags"

This reverts commit 9b7e65eb90cae954dc7b6316345d3207205d488a.

* fix test to support go1.14 and go1.13

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-03-14 10:14:15 +00:00
Jakub Holy
b1c81e2abe
Support prompt in addition to auth-prompt (#444)
Fix #380
2020-03-14 09:53:43 +00:00
Erico Fusco
8d0149ccf8
Fix issue with group validation called on every request (#435)
* Revert group validation on every request

* Fix syntax

* Remove unit tests associated with reverted change

* Update CHANGELOG
2020-03-13 20:10:38 +00:00
Jordan Crawford
4cd43ef397 Support the PreferEmailToUser option on PassUserHeaders
Previously in #401, an option was added to support forwarding the email
address as the username to the upstream service when the PassBasicAuth
option is used.

The PassBasicAuth option is not appropriate for all users, with PassUserHeaders
allowing very similar functionality without specifying a basic auth headers.

The PreferEmailToUser option has been expanded to support the PassUserHeaders
option.
2020-03-04 11:47:13 +13:00
D. Spindel
51f4d88028
Add option to prefer an Email address to a Username (#401)
With some providers the Username is an upstream Unique ID, like fex. in the
case of Google.

When matching this with downstream databases, it's sometimes preferred to use
the email address as the  known identifier.

However, when _mixing_ this with sometimes other sources, like htaccess, which
doesn't have a concept of an email address, it can turn difficult.

This change makes the headers _prefer_ to use the Email address, if such exists,
for the Username identifier when passing data to downstream services.

Defaults to Off.

Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-29 17:38:32 +00:00
Timo Beckers
907de4e141
Use OAuthProxy.GetRedirect in /sign_in, honoring the 'rd' query parameter (#405)
* Use OAuthProxy.GetRedirect in /sign_in, honoring the 'rd' query parameter

* CHANGELOG.md - Add a changelog entry for #405
2020-02-28 09:59:27 +00:00
Luke Tainton
4f553bcfc8
Add nsswitch.conf to Docker image (#400)
* Add nsswitch.conf to Docker image

Created nsswitch.conf to use locally defined translations before DNS. Copied to /etc/nsswitch.conf in the image.

* Add new line

* Updated Changelog

Co-authored-by: Dan Bond <danbond@protonmail.com>
2020-02-23 18:16:18 +00:00
Iain Buclaw
2033ce81c3
Implement ValidateSessionState for GitHubProvider (#385)
Refactors the setting of the Authorization header into getGitHubHeader.

Refs #382

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-15 15:11:14 +00:00
Pavel Kirichenko
f2661c47ba
Support for client secret file. (#355)
* added ClientSecretFile in ProviderData

* add documentation notes on client secret file

* added Changelog entry for Client Secret File PR

* fixing configuration.md

* addressing PR issue of ClientSecret property naming

* Update providers/provider_data.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* corrected changelog entry

* fixed typo in GetClientSecret

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-15 13:44:39 +00:00
Devin Nemec
3a843f815d
GitHub Provider - Fallback to secondary verified email (#372)
* Fallback to secondary verified email

* Add change to changelog
2020-02-15 13:36:28 +00:00
Ben Letton
10adb5c516
Support optional id_tokens in refresh responses (#335)
* OIDC Token Refresh works without id_tokens

Addresses https://github.com/pusher/oauth2_proxy/issues/318

Refactoring the OIDC provider so that the refresh process works when there are
no id_tokens present in the response. Added unit tests to the oidc_test.go to prove
the redeem and refresh still work.

The expiry time of the session is now taken from the outh token expiry and not
the id_token (preventing stale access_tokens in sessions).

* Refactoring the to use a KeySetStub in the oidc_test.go. This allows the
elimination of the slightly contrived function passing elements used
previously. (This change is being applied to address the bug #318)

* Changes as per the PR comments and preparing for 5.x release

* Fixup changelog

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-06 18:09:30 +00:00
Yan Yao
18d20364a8
Extension of Redis Session Store to Support Redis Cluster (#363)
* Extend the redis session store to support redis cluster

* rename function newRedisClient to newRedisCmdable

* update docs about redis cluster as session store

* update autocomplete script with redis cluster options

* add check about conflict between option redis-use-sentinel and redis-use-cluster

* update change log

* Update docs/configuration/sessions.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/sessions/redis/redis_store.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* add the dropped option back

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-06 17:59:12 +00:00
Felix Fontein
9670f54dd0
Fix login page fragment handling after soft reload on Firefox (#353)
* Fix login page fragment handling after soft reload on Firefox.

* Add comments.

* Move changelog entry to correct place.

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Felix Fontein <felix@fontein.de>
2020-01-31 11:11:15 +00:00
David Stark
3b0e8c3cb3
Open redirect (security vulnerability) notes 2020-01-29 12:45:19 +00:00
David Stark
e21f09817e
note about open redirect vulneravility 2020-01-29 12:36:11 +00:00
David Stark
c32a7d8e2c
Release v5.0.0
Changelog updated
2020-01-29 12:10:03 +00:00
Martin Campbell
d9362d3bb9 Add reverse proxy setting (#331)
* Add reverse proxy setting (#321)
2020-01-24 17:54:13 +00:00
Joel Speed
17d9961cb9
Merge branch 'master' into pgroudas/add-samesite-cookie-options 2020-01-20 19:21:51 +00:00
Dan Bond
11cc396059
Merge branch 'master' into kamal/whitelist-redirects-with-ports 2020-01-15 14:03:17 +00:00
Kamal Nasser
eee4b55e0f DigitalOcean Auth Provider (#351)
* DigitalOcean provider

* documentation: digitalocean provider

* changelog: digitalocean provider

* codeowners: digitalocean provider
2020-01-15 11:09:34 +00:00
Dan Bond
625909e445
Merge branch 'master' into kamal/whitelist-redirects-with-ports 2020-01-10 09:48:25 +00:00
sushiMix
f94dee6f0d Update keycloak provider configuration doc (#347)
* update keycloak provider configuration doc

* Add changelog entry
2020-01-10 09:41:08 +00:00
Kamal Nasser
5489d1624e
Merge branch 'master' into kamal/whitelist-redirects-with-ports 2020-01-08 22:24:56 +02:00
Paul Groudas
afb7247ad5 Add item to CHANGELOG for SameSite configuration. 2020-01-06 12:21:52 -05:00
Joel Speed
effe1e0bdb
Fix changelog entry release 2019-12-17 12:17:05 +00:00
Joel Speed
3a8b33a017
Merge branch 'master' into nextcloud-provider 2019-12-17 11:56:43 +00:00
Dan Bond
ef8b7b5e25
dist.sh: use sha256sum (#325)
* dist.sh: use sha256sum

* update CHANGELOG
2019-12-10 17:24:15 +00:00
Dan Bond
8165f6c483
Update CHANGELOG for v4.1.0 (#323) 2019-12-10 16:34:33 +00:00
Florian Kaiser
f6790265e1 dist.sh: Add build for FreeBSD (#317) 2019-11-26 16:38:22 +00:00
Casey Link
227ea5da44 Add Nextcloud provider (#179) 2019-11-25 18:47:21 +01:00
Felix Fontein
11205c7399 Allow to change provider's name (#296)
* Allow to change provider's name.

* Add changelog entry.

* Linting.

* provider-name -> provider-display-name.

* Add flag in main.go.

* Update CHANGELOG.md
2019-11-25 17:20:37 +00:00
Moraru Costel
ca0b8375da Add redirect capability to sign_out (#314)
* addint redirect capability to sign_out

* updating changelog
2019-11-19 17:17:26 +00:00
Christian Groschupp
6d74a42e57
Merge branch 'master' into feat/static-upstream 2019-11-19 12:23:42 +01:00
Joel Speed
5c9a0f8308 Fixup Changelog entries (#312) 2019-11-15 04:02:09 -08:00
Kamal Nasser
6d1b5fc4b0
Merge branch 'master' into kamal/whitelist-redirects-with-ports 2019-11-14 17:19:21 +02:00
Joel Speed
6326660699
Merge branch 'master' into ap-gh-pagination-with-lastpage 2019-11-14 14:21:45 +00:00
Lukasz Leszczuk
3c10aee62c Code formatting. Add missing CHANGELOG entry. 2019-11-09 13:57:40 +01:00
Konstantine
fef940da9a Added userinfo endpoint (#300)
* Added userinfo endpoint

* Added documentation for  the userinfo endpoint

* Update oauthproxy.go

Co-Authored-By: Dan Bond <pm@danbond.io>

* Suggested fixes :  Streaming json to rw , header set after error check

* Update oauthproxy.go

Co-Authored-By: Dan Bond <pm@danbond.io>

* fix session.Email

* Ported tests and updated changelog
2019-11-07 14:38:36 -08:00
Christian Groschupp
9e4a7ee84e
Merge branch 'master' into feat/static-upstream 2019-11-01 17:34:27 +01:00
Joel Speed
0df5a77c53
Update changlog 2019-10-30 10:25:51 +00:00
Dan Bond
f40dab8748 Rewrite dist script (#302)
* Rewrite dist scripts

* add changelog entry

* remove multiple loops in dist

* styling
2019-10-29 17:27:08 +00:00
Dan Bond
ba21c90c7a
fix broken changelog link (#301)
* fix broken changelog link

* Update CHANGELOG.md
2019-10-28 10:42:43 -07:00
Johannes-Maria Frank
292d2dc639 Added version check for bash version gteq 4 (#292)
* Added version check for bash version gteq 4

* Added entry to CHANGELOG for bash 4.0 configure script dependency

* Corrected changelog entry to right format

* Fixed link in changelog entry

* Remove uneeded new line.
2019-10-28 09:39:22 -07:00
toshi-miura
eb89047e3a
Merge branch 'master' into ap-gh-pagination-with-lastpage 2019-10-24 11:23:15 +09:00
Tom Deadman
35f2ae9a36 Improved request errors (#286)
* worked on wrapping errors in requests.go, added defer statements

* removed .idea (generated by goland)

* added another require.NoError

* Update pkg/requests/requests.go

Co-Authored-By: Dan Bond <pm@danbond.io>

* fixed out-of-order imports

* changelog entry added

* swapped error definitions to use fmt.Errorf rather than Wrap()

* formatting changes, added new defers to requests_test.go

* suppot for go1.12 pipeline removed from travis pipeline, .idea/ added to gitignore

* Reorder changelog entry
2019-10-23 09:55:34 -07:00
Kamal Nasser
1af7c208ee Update documentation and changelog 2019-10-23 16:48:16 +03:00
Joel Speed
535f6b8e63
Merge branch 'master' into ap-gh-pagination-with-lastpage 2019-10-21 10:21:10 +01:00
toshi-miura
e34f18ef2c
Update CHANGELOG.md
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
2019-10-21 18:14:01 +09:00
Josh Michielsen
052451edef Merge branch 'Issue#259-RedirectToHTTPS' of github.com:jmickey/oauth2_proxy into Issue#259-RedirectToHTTPS 2019-10-17 22:20:21 +01:00
Josh Michielsen
56d195a433 Docs and changelog
Signed-off-by: Josh Michielsen <github@mickey.dev>
2019-10-17 22:20:15 +01:00
leyshon
c3cdcae49b
Merge branch 'master' into feature/azure-idtoken 2019-10-14 11:04:04 +01:00
toshi-miura
610ee6d0ec Fix typo. 2019-10-12 02:30:58 +09:00
Joel Speed
eb1d64a666
Merge branch 'master' into ap-gh-pagination-with-lastpage 2019-10-11 12:02:31 +01:00
toshi-miura
0d256a329f add change log. 2019-10-11 19:49:08 +09:00
Christian Groschupp
f570fb9f58
Update changelog 2019-10-10 10:15:04 +02:00
Dan Bond
486521da96 fix previous CHANGELOG error 2019-10-07 17:11:38 -07:00
Dan Bond
a97710d3d2 update CHANGELOG 2019-10-07 17:11:14 -07:00
Dhi Aurrahman
de16df232d Support Go 1.13.x and allow to override REGISTRY (#273)
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
2019-10-07 13:53:46 -07:00
leyshon
d8d4c687df
Merge branch 'master' into feature/azure-idtoken 2019-10-02 10:33:08 +01:00
Joel Speed
ac0d010371
Merge branch 'master' into support-x-auth-request-redirect 2019-09-30 17:21:05 +01:00
Dan Bond
a122ac60e4
Fix CHANGELOG errors 2019-09-25 13:33:58 -07:00
Ian Hunter
18a77e6618 Reflect #248 PR in CHANGELOG.md 2019-09-19 11:26:18 -05:00
leyshon
41ed9f7429 Updating the changelog to include details of the change 2019-09-02 14:56:20 +01:00
Henry Jenkins
71dfd44149
Merge branch 'master' into keycloak-provider 2019-08-17 08:10:37 +01:00
Joel Speed
44ea6920a7
Update changelog for v4.0.0 release 2019-08-16 15:06:53 +01:00
aledeganopix4d
fa6c4792a1 Add Bitbucket provider. (#201)
Add a new provider for Bitbucket,
can be configured from the options
specifying team and/or repository
that the user must be part/have access
to in order to grant login.
2019-08-16 14:53:22 +01:00
Adam Eijdenberg
d5d4878a29 Made setting of proxied headers deterministic based on configuration
alone

Previously some headers that are normally set by the proxy (and may be
replied upstream for authorization decisiions) were not being set
depending on values in the users sesssion.

This change ensure that if a given header is sometimes set, it will
always be either set or removed.

It might be worth considerating always deleting these headers if we
didn't add them.
2019-08-16 11:44:43 +10:00
Ryan Luckie
c457eeb711
Merge branch 'master' into feature/add_oidc_userinfo_support 2019-08-12 17:32:29 -05:00
hjenkins
02dfa87f11 Fix typos in changelog 2019-08-07 18:00:37 +01:00
jansinger
7134d22bcc New flag "-ssl-upstream-insecure-skip-validation" (#234)
* New flag "-ssl-upstream-insecure-skip-validation" to skip SSL validation for upstreams with self generated / invalid SSL certificates.

* Fix tests for modified NewReverseProxy method.

* Added change to the changelog.

* Remove duplicate entries from changelog.
2019-08-07 17:48:53 +01:00
Alexander Overvoorde
4de49983fb Rework GitLab provider (#231)
* Initial version of OIDC based GitLab provider

* Add support for email domain check to GitLab provider

* Add gitlab.com as default issuer for GitLab provider

* Update documentation for GitLab provider

* Update unit tests for new GitLab provider implementation

* Update CHANGELOG for GitLab provider

* Rename GitLab test access token as response to linter
2019-08-06 12:20:54 +01:00
Justin Palpant
7d910c0ae8 Check Google group membership with hasMember and get. (#224)
* Check Google group membership with hasMember and get.

This PR is an enhancement built on
https://github.com/pusher/oauth2_proxy/pull/160. That PR reduces the
number of calls to the Google Admin API and simplifies the code by
using the hasMember method. It also supports checking membership in
nested groups.

However, the above message doesn't handle members who are not a part
of the domain. The hasMember API returns a 400 for that case. As a
fallback, when the API returns a 400, this change will try using the
`get` API which works as expected for members who aren't a part of the
domain. Supporting members who belong to the Google group but aren't
part of the domain is a requested feature from
https://github.com/pusher/oauth2_proxy/issues/95.

https://developers.google.com/admin-sdk/directory/v1/reference/members/get

Note that nested members who are not a part of the domain will not be
correctly detected with this change.

* Update CHANGELOG.

* Fix incorrect JSON and stop escaping strings.

* Add comments for each scenario.
2019-08-06 10:38:24 +01:00
Reilly Brogan
1ab63304a1 Fix a bunch of places where the repo link was incorrect 2019-08-03 13:22:42 -05:00
Karel Pokorny
800a3694c2 Add docs and record in CHANGELOG 2019-07-28 16:26:09 +02:00
Ryan Luckie
4a6b703c54 Update CHANGELOG 2019-07-19 09:03:01 -05:00
Joel Speed
8635391543
Merge pull request #178 from kskewes/pinglog
Add silence-ping-logging flag
2019-07-19 11:30:31 +01:00
Karl Skewes
84da3c3d8c update changelog with both flags 2019-07-16 10:06:29 +12:00
Karl Skewes
ec97000169 Add silence ping logging flag
Add ability to silence logging of requests to /ping endpoint, reducing
log clutter

Pros:
- Don't have to change all handlers to set/not set silent ping logging
- Don't have to duplicate `loggingHandler` (this could be preferable yet)

Cons:
- Leaking oauth2proxy logic into `package logger`
- Defining default pingPath in two locations

Alternative:
- Add generic exclude path to `logger.go` and pass in `/ping`.
2019-07-16 09:42:24 +12:00
Henry Jenkins
bc81a0f6e4 Merge branch 'master' into go-mod
* master:
  Move docker dep commands to earlier in the build
2019-07-15 21:38:55 +01:00
Henry Jenkins
56f51417ae
Merge branch 'master' into go-mod 2019-07-15 16:08:21 +01:00
Daniel Kimsey
816c2a6da9 Move docker dep commands to earlier in the build
This will let Docker cache the results of the vendor dependencies.
Making re-builds during testing faster.

Also clean-up spurious test & rm in ./configure
2019-07-15 10:00:34 -05:00
Joel Speed
874c147e04
Fix tls-key-file and tls-cert-file consistency 2019-07-15 12:01:44 +01:00
Joel Speed
bdcdfb74f9
Update docs and changelog 2019-07-15 12:01:43 +01:00
Joel Speed
630db3769b
Merge branch 'master' into refactor 2019-07-15 11:30:43 +01:00
Henry Jenkins
179ee6c2db Update CHANGELOG 2019-07-14 13:51:46 +01:00
Henry Jenkins
e92e2f0cb4 Update CHANGELOG 2019-07-14 13:32:37 +01:00
Daryl Finlay
776d063b98 Update changelog to include --insecure-oidc-allow-unverified-email 2019-07-11 15:30:57 +01:00
Henry Jenkins
aa37564655
Merge branch 'master' into banner-flag 2019-07-02 14:03:21 +01:00
Henry Jenkins
b9cfa8f49f Add changelog entry 2019-06-25 16:42:24 +01:00
Henry Jenkins
5bcb998e6b Update changelog 2019-06-23 21:39:13 +01:00
Henry Jenkins
411adf6f21 Switch linter to golangci-lint 2019-06-23 20:44:16 +01:00
Brian Van Klaveren
48dbb391bc Move around CHANGELOG.md update 2019-06-17 12:52:44 -07:00
Brian Van Klaveren
8413c30c26 Update changelog with info about -skip-jwt-bearer-tokens 2019-06-17 12:52:13 -07:00
Joel Speed
0af18d6d7c
Merge pull request #141 from openai/googleGroupEmail
Check google group membership based on email address
2019-06-15 14:05:56 +02:00
Joel Speed
77e1fff753
Merge pull request #185 from jonas/check-against-validate-url-string
Only validate tokens if ValidateURL resolves to a non-empty string
2019-06-15 12:30:03 +02:00
Joel Speed
417fde190c
Update changelog 2019-06-15 11:33:59 +02:00
Adam Eijdenberg
d69560d020 No need for case when only 2 conditions 2019-06-15 18:48:27 +10:00
Jonas Fonseca
7a8fb58ad1
Only validate tokens if ValidateURL resolves to a non-empty string
Fix an unsupported protocol scheme error when validating tokens by
ensuring that the ValidateURL generates a non-empty string. The Azure
provider doesn't define any ValidateURL and therefore uses the default
value of `url.Parse("")` which is not `nil`.

The following log summary shows the issue:

    2019/06/14 12:26:04 oauthproxy.go:799: 10.244.1.3:34112 ("10.244.1.1") refreshing 16h26m29s old session cookie for Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true} (refresh after 1h0m0s)
    2019/06/14 12:26:04 internal_util.go:60: GET ?access_token=eyJ0...
    2019/06/14 12:26:04 internal_util.go:61: token validation request failed: Get ?access_token=eyJ0...: unsupported protocol scheme ""
    2019/06/14 12:26:04 oauthproxy.go:822: 10.244.1.3:34112 ("10.244.1.1") removing session. error validating Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true}
2019-06-14 12:52:22 -04:00
Joel Speed
78feaec6fa
Merge branch 'master' into bumpoidc 2019-06-06 17:38:19 +01:00
Brian Van Klaveren
405f9b3bb0 Update CHANGELOG with descriptions about redis support
Add updates from master
2019-06-05 00:12:11 -07:00
Brian Van Klaveren
fc06e2dbef Update documentation and changelog for redis store 2019-06-05 00:11:42 -07:00
Adam Eijdenberg
b6c60f52ee Bump go-oidc 2019-06-04 10:58:35 +10:00
Joel Speed
1355c1ce30
Merge pull request #170 from zeha/release-tarballs-as-before
Make release tarballs look like bitly's
2019-06-03 16:23:30 +01:00
Joel Speed
f0b6f1525b
Update changelog 2019-06-03 14:59:56 +01:00
Chris Hofstaedtler
076484297e Make release tarballs look like bitly's
Fixes #162
2019-05-31 14:46:54 +02:00
Karl Skewes
d3f0cb43ca Update Alpine to 3.9 2019-05-31 18:54:20 +12:00
Joel Speed
d40a61613e
Update Changelog 2019-05-20 11:39:41 +02:00
Joel Speed
72fd3b96a6
Update changelog 2019-05-18 13:10:59 +02:00
Icelyn Jennings
5d7d0c4b4b
Shorten README.md (#154)
* Update README.md

* Add changelog entry

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
2019-05-10 12:25:05 +01:00
Phil Taprogge
d4341ec40c
Add breaking changes section to changelog 2019-05-09 10:26:40 +01:00
Phil Taprogge
39d2f28a40
Add comment; update changelog 2019-05-09 10:14:01 +01:00
Phil Taprogge
8b06d255f7
Merge branch 'master' into goversion 2019-05-03 12:37:15 +01:00
Karl Skewes
8fca58cf49 build: use go 1.12 for arm as well 2019-05-03 22:01:36 +12:00
Karl Skewes
308bcc06a4 fix Docker user on arm
Use simple USER directive.
Using `addgroup` in final `arm` image when building on amd64 doesn't work.
I must have made a mistake during cross build verification.

Alternative is to use qemu-static but it's not worth it for this.
2019-05-03 20:54:21 +12:00
Benjamin Chess
3f2fab10e6 check google group based on email address 2019-05-02 17:11:25 -07:00
Mister Wil
72da47509f
Update CHANGELOG.md 2019-04-23 09:22:46 -07:00
Mister Wil
88c518885c
Merge branch 'master' into enhanced_logging 2019-04-16 06:53:45 -07:00
timothy-spencer
1ae62a3343
added jwt-key-file option, update docs 2019-04-15 09:49:05 -07:00
MisterWil
79bcfebb77 Final conflicts 2019-04-12 09:53:07 -07:00
MisterWil
40ba565975 Requested changes 2019-04-12 09:48:21 -07:00
MisterWil
562db1e2da Updated changelog 2019-04-12 09:00:54 -07:00
Joel Speed
6545a33f93
Update changelog for release v3.2.0 2019-04-12 11:23:14 +01:00
Dan Bond
bf9fedb3cf
build: use go 1.12 (#124)
* build: use go 1.12

* Update CHANGELOG.md
2019-04-12 11:15:29 +01:00
Joel Speed
d00e3bddf5
Merge branch 'master' into verified 2019-04-11 13:49:56 +01:00
Joel Speed
3f4420fd58
Merge pull request #120 from costelmoraru/session_state_email
Encrypting user/email from cookie
2019-04-10 13:57:56 +01:00