1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-12-04 10:34:59 +02:00
Commit Graph

45 Commits

Author SHA1 Message Date
t-katsumura
d107d885e4
Session-Cookie Support ()
* Create session cookie when cookie-expire set 0

* Fix format

* add test

* fix lint error

* fix test code

* fix conflicted test case

* update test case of cookie expiration

* update tests of csrf cookies

* update docs

* Update docs/docs/configuration/overview.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

---------

Co-authored-by: tanuki884 <morkazuk@fsi.co.jp>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-08-16 12:23:02 +01:00
Nuno Miguel Micaelo Borges
6f11e60c0a
Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS ()
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

---------

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
2023-04-07 12:33:42 +01:00
Amr Hanafi
dd4fa414ea
Update golang.org/x/net to v0.7.0 ato address GHSA-vvpx-j8f3-3w6h ()
* Update golang.org/x/net to v0.7.0 ato address GHSA-vvpx-j8f3-3w6h

Addresses https://github.com/advisories/GHSA-vvpx-j8f3-3w6h

Signed-off-by: Amr Hanafi (MAHDI)) <amrh@microsoft.com>

* Update CHANGELOG

---------

Signed-off-by: Amr Hanafi (MAHDI)) <amrh@microsoft.com>
2023-03-07 10:42:12 +00:00
Nuno Miguel Micaelo Borges
e079c60dfe
Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is wri… ()
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Fixes CVE-2022-41721 ()

See: https://avd.aquasec.com/nvd/2022/cve-2022-41717/

* update checkout actions ()

* Fix a typo in oauthproxy.go ()

* fix typo ()

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

---------

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Jeroen Landheer <jlandheer@bintelligence.nl>
Co-authored-by: Ryuichi Watanabe <ryucrosskey@gmail.com>
Co-authored-by: Ho Kim <ho.kim@ulagbulag.io>
Co-authored-by: Terrell Russell <terrellrussell@gmail.com>
2023-03-05 17:12:55 +00:00
Jeroen Landheer
a061cd52e9
Fixes CVE-2022-41721 ()
See: https://avd.aquasec.com/nvd/2022/cve-2022-41717/
2023-02-13 09:25:33 +00:00
Joel Speed
4a2cf153cf
Fixup update session state handling 2022-10-29 12:49:53 +01:00
Joel Speed
7034f0db53
Do not update viper
This breaks our deafult structures tests
2022-10-29 12:49:50 +01:00
Joel Speed
5dfefb6d9b
Update session state handling 2022-10-29 12:49:49 +01:00
Joel Speed
f55d24bfcf
Update dependencies
Ran `go get -u` to update depdendencies automatically to newer versions.
I'm aware of a few CVEs that this should resolve
2022-10-29 12:49:48 +01:00
Muhammad Arham
1e21a56f99
Update go-redis/redis to v9. ()
* Update go-redis/redis to v9.
- And updated redislock, testify, ginko and gomega have also been updated.
- Renamed the option `IdleTimeout` to `ConnMaxIdleTime` because of 517938a6b0/CHANGELOG.md

* Update CHANGELOG.md

* Dropping dot import of the types since they created aliases now

* fixing some error messages to make tests happy

* updating more error messages that were changed to make tests happy

* reverting error messages

Co-authored-by: Muhammad Arham <marham@i2cinc.com>
2022-10-24 16:41:06 +01:00
Adrian Aneci
a5d918898c Add azure groups support and oauth2 v2.0 2022-10-21 20:23:21 +03:00
Chris Bednarz
6afcae295a
Updated net and text packages to address CVE-2022-27664 and CVE-2022-32149. ()
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-10-15 14:33:44 +01:00
Felipe B. Conti
ff03c43842
Fix vulnerabilities on crypto, net and sys packages and change go ver… ()
* Fix vulnerabilities on crypto, net and sys packages and change go version on Docker builder stage

* Changelog related PR $1774

Co-authored-by: Felipe Bonvicini Conti <felipe.conti@totvs.com.br>
2022-08-31 21:37:07 +01:00
Joel Speed
d3f428a1a6
Discover signature algorithms from OIDC provider () 2022-05-29 13:48:09 +01:00
Rajesh Krishnamurthy
f8ddc130d8 CVE fixes pertaining to text, crypto and prometheus 2022-05-13 14:53:24 -07:00
Joel Speed
3bb9621f5d
Add DiscoveryProvider to perform OIDC discovery 2022-02-19 15:37:55 +00:00
Matt Lilley
3957183fd5
Use the httputil.NewSingleHostReverseProxy instead of yhat/wsutil for … ()
* Use the httputil.NewSingleHostReverseProxy instad of yhat/wsutil for websocket proxying. This correctly handles 404 responses with keep-alive by terminating the tunnel rather than keeping it alive

* Tidy up dependencies - yhat/wsutil is no longer required

* Update changelog to include reference to 1348

Co-authored-by: Matt Lilley <matt.lilley@securitease.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-10-03 15:38:40 +01:00
JVecsei
8967873659
Updated dependency versions which include CVE fixes ()
* switched to github.com/golang-jwt/jwt and updated golang.org/x/crypto to include CVE fixes

* added  to changelog

Co-authored-by: Joshua Vécsei <git@vecsei.me>
2021-07-29 17:45:41 +01:00
Nick Meves
0b4bc36554
Upgrade go-oidc to v3 () 2021-07-17 09:55:05 -07:00
Joel Speed
6c62b25bf1
Allow request paths to be rewritten before proxying to upstream server 2021-06-23 12:20:46 +01:00
Joel Speed
a8c9b2903d
Use gorilla mux for OAuth Proxy routing 2021-06-19 11:17:16 +01:00
Kevin Kreitner
f648c54d87
Add redis lock feature ()
* Add sensible logging flag to default setup for logger

* Add Redis lock

* Fix default value flag for sensitive logging

* Split RefreshSessionIfNeeded in two methods and use Redis lock

* Small adjustments to doc and code

* Remove sensible logging

* Fix method names in ticket.go

* Revert "Fix method names in ticket.go"

This reverts commit 408ba1a1a5.

* Fix methods name in ticket.go

* Remove block in Redis client get

* Increase lock time to 1 second

* Perform retries, if session store is locked

* Reverse if condition, because it should return if session does not have to be refreshed

* Update go.sum

* Update MockStore

* Return error if loading session fails

* Fix and update tests

* Change validSession to session in docs and strings

* Change validSession to session in docs and strings

* Fix docs

* Fix wrong field name

* Fix linting

* Fix imports for linting

* Revert changes except from locking functionality

* Add lock feature on session state

* Update from master

* Remove errors package, because it is not used

* Only pass context instead of request to lock

* Use lock key

* By default use NoOpLock

* Remove debug output

* Update ticket_test.go

* Map internal error to sessions error

* Add ErrLockNotObtained

* Enable lock peek for all redis clients

* Use lock key prefix consistent

* Fix imports

* Use exists method for peek lock

* Fix imports

* Fix imports

* Fix imports

* Remove own Dockerfile

* Fix imports

* Fix tests for ticket and session store

* Fix session store test

* Update pkg/apis/sessions/interfaces.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Do not wrap lock method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Use errors package for lock constants

* Use better naming for initLock function

* Add comments

* Add session store lock test

* Fix tests

* Fix tests

* Fix tests

* Fix tests

* Add cookies after saving session

* Add mock lock

* Fix imports for mock_lock.go

* Store mock lock for key

* Apply elapsed time on mock lock

* Check if lock is initially applied

* Reuse existing lock

* Test all lock methods

* Update CHANGELOG.md

* Use redis client methods in redis.lock for release an refresh

* Use lock key suffix instead of prefix for lock key

* Add comments for Lock interface

* Update comment for Lock interface

* Update CHANGELOG.md

* Change LockSuffix to const

* Check lock on already loaded session

* Use global var for loadedSession in lock tests

* Use lock instance for refreshing and releasing of lock

* Update possible error type for Refresh

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-06-02 19:08:19 +01:00
Nick Meves
d3423408c7
Add a clock package for better time mocking ()
* Add a clock package for better time mocking

* Make Clock a struct so it doesn't need initialization

* Test clock package

* Use atomic for live time tests

* Refer to same clock.Mock throughout methods
2021-04-18 18:25:57 +01:00
yanasega
42475c28f7
Multiple providers in alpha config ()
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* fixed typo

* removed weird : file

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* auto generates alpha_config.md

* rebase (mainly service alpha options related conflicts)

* removed :

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* "cntd. rebase"

* ran make generate again

* last conflicts

* removed duplicate client id validation

* 1. Removed provider prefixes
2. altered optionsWithNilProvider logic
3. altered default provider logic
4. moved change in CHANELOG to 7.0.0

* fixed TestGoogleGroupOptions test

* ran make generate

* moved CHANGLOG line to 7.1.1

* moved changelog comment to 7.1.2 (additional rebase)

Co-authored-by: Yana Segal <yana.segal@nielsen.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2021-04-03 17:06:30 +01:00
Nick Meves
c1267bb92d
Request ID Logging ()
* Add RequestID to the RequestScope

* Expose RequestID to auth & request loggers

* Use the RequestID in templated HTML pages

* Allow customizing the RequestID header

* Document new Request ID support

* Add more cases to scope/requestID tests

* Split Get vs Generate RequestID funtionality

* Add {{.RequestID}} to the request logger tests

* Move RequestID management to RequestScope

* Use HTML escape instead of sanitization for Request ID rendering
2021-03-21 18:20:57 +00:00
Joel Speed
d8aca8ac30
Add new http server implementation 2021-03-07 11:49:09 +00:00
Sean Jones
a7c8a233ba
Add Prometheus metrics endpoint
Add the Prometheus http.Handler to serve metrics at MetricsPath ("/metrics"
by default). This allows Prometheus to scrape metrics from OAuth2 Proxy.

Add a new middleware NewRequestMetrics and attach it to the preAuth
chain. This will collect metrics on all requests made to OAuth2 Proxy

Collapse some calls to Prinf() and os.Exit(1) to Fatalf as they are
equivalent. main() has a strict 50 lines limit so brevity in these
calls appreciated
2021-02-15 13:45:26 +00:00
Joel Speed
5c64e236fb
Generate reference page in configuration 2021-01-18 09:57:44 +00:00
Joel Speed
f36dfbb494
Introduce alpha configuration loading 2020-12-01 08:56:49 +00:00
Nick Meves
44fa8316a1
Aggregate error logging on JWT chain failures 2020-11-28 10:25:12 -08:00
Mitsuo Heijo
fcb83c48f4
Update go-redis/redis to v8 ()
* update go-redis/redis to v8

testify, ginko and gomega have also been updated.

* update changelog

* Update pkg/sessions/redis/redis_store_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-10-07 11:49:27 +01:00
Mitsuo Heijo
3fa42edb73
Fix import path for v7 ()
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
Nick Meves
19836f85ac
Align persistence ginkgo tests to conventions 2020-07-21 22:13:17 -07:00
Nick Meves
a09eecc6a2
Reduce SessionState size better with MessagePack + LZ4 ()
* Encode sessions with MsgPack + LZ4

Assumes ciphers are now mandatory per . Cookie & Redis sessions
can fallback to V5 style JSON in error cases. TODO: session_state.go
unit tests & new unit tests for Legacy fallback scenarios.

* Only compress encoded sessions with Cookie Store

* Cleanup msgpack + lz4 error handling

* Change NewBase64Cipher to take in an existing Cipher

* Add msgpack & lz4 session state tests

* Add required options for oauthproxy tests

More aggressively assert.NoError on all
validation.Validate(opts) calls to enforce legal
options in all our tests.
Add additional NoError checks wherever error return
values were ignored.

* Remove support for uncompressed session state fields

* Improve error verbosity & add session state tests

* Ensure all marshalled sessions are valid

Invalid CFB decryptions can result in garbage data
that 1/100 times might cause message pack unmarshal
to not fail and instead return an empty session.
This adds more rigor to make sure legacy sessions
cause appropriate errors.

* Add tests for legacy V5 session decoding

Refactor common legacy JSON test cases to a
legacy helpers area under session store tests.

* Make ValidateSession a struct method & add CHANGELOG entry

* Improve SessionState error & comments verbosity

* Move legacy session test helpers to sessions pkg

Placing these helpers under the sessions pkg removed
all the circular import uses in housing it under the
session store area.

* Improve SignatureAuthenticator test helper formatting

* Make redis.legacyV5DecodeSession internal

* Make LegacyV5TestCase test table public for linter
2020-07-13 20:56:05 +01:00
Joel Speed
34137f7305
Move SessionStore tests to independent package 2020-07-01 06:41:35 +01:00
Joel Speed
5ce9e75c21
Initialise Session Storage in NewOAuthProxy instead of validation 2020-06-28 12:32:06 +01:00
Joel Speed
6b43b41638
Fix tests broken by security advisory 2020-06-27 12:41:46 +01:00
Joel Speed
ca416a2ebb
Add HealthCheck middleware 2020-06-14 21:05:17 +01:00
Amnay
6a88da7f7a
Parse Redis cluster and sentinel urls ()
* Parse Redis cluster and sentinel urls

* Add changelog entry for 

* Add unit tests for redis session store

* Use %v for error fmt

Co-authored-by: Amnay Mokhtari <amnay.mokhtari@adevinta.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-05-27 18:40:50 +01:00
Joel Speed
c5be09ca48
Replace options loading with viper 2020-04-29 19:51:24 +01:00
Joel Speed
8749cbb424
Add Viper based config loader 2020-04-29 19:51:24 +01:00
Mitsuo Heijo
c7bfbdecef
Implement graceful shutdown and propagate request context ()
* feature: Implement graceful shutdown

Propagate the request context to the Redis client.
It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client.
The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently.

Added handling of Unix signals to http server.

Upgrade go-redis/redis to v7.

* Update dependencies

- Upgrade golang/x/* and google-api-go
- Migrate fsnotify import from gopkg.in to github.com
- Replace bmizerany/assert with stretchr/testify/assert

* add doc for  wrapper interface

* Update CHANGELOG.md

* fix: upgrade fsnotify to v1.4.9

* fix: remove unnessary logging

* fix: wait until  all connections have been closed

* refactor: move chan to main for testing

* add assert to check if stop chan is empty

* add an idiomatic for sync.WaitGroup with timeout
2020-04-04 16:12:38 +01:00
Mitsuo Heijo
81b9a63e51
Support Go 1.14 ()
* Upgrade base image tags and golangci-lint

* Upgrade golang and golangci-lint in travis-ci

* fix:  tests, pointed out by golangci-lint and format files

* Upgrade dependencies

* update changelog

* fix: tests related to https://github.com/pusher/oauth2_proxy/pull/418

* Separate tests using go version build tags

* Update CHANGELOG

* Revert "Separate tests using go version build tags"

This reverts commit 9b7e65eb90cae954dc7b6316345d3207205d488a.

* fix test to support go1.14 and go1.13

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-03-14 10:14:15 +00:00
Dhi Aurrahman
de16df232d Support Go 1.13.x and allow to override REGISTRY ()
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
2019-10-07 13:53:46 -07:00
Henry Jenkins
e245ef4854 Switch from dep to go mod
Update modules to avoid issues with golangci-lint
2019-07-13 21:54:45 +01:00