Since Go 1.21 the go toolchain validates strictly the "go" version
directive in go.mod, and downloads and uses the requested toolchain if
necessary. See https://go.dev/doc/toolchain
So we can just run "go list" to tell the Go toolchain to validate our
build environment according to go.mod.
To extract the "go" directive version from go.mod (used to select the
Docker build image) we also use "go list".
* add new docs version 7.11.x
* update to release version v7.11.0
* add changelog entry for v7.11.0
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: add feature support for cookie-secret-file
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-Authored-By: Sandy Chen <Yuxuan.Chen@morganstanley.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Perform a regex replace of $NUM to $$NUM before running envsubst
* Perform a regex replace of $NUM to $$NUM before running envsubst
* add test case; fix linter warnings; add method documentation
Signed-off-by: Jan Larwig <jan@larwig.com>
* add changelog entry
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: Allow use more possible google admin-sdk api scopes.
* reduce cognitive complexity
Signed-off-by: Bob Du <i@bobdu.cc>
* remove unnecessary else block / indentation
Signed-off-by: Jan Larwig <jan@larwig.com>
* add changelog entry
Signed-off-by: Jan Larwig <jan@larwig.com>
* slight formatting and error message rephrasing
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Bob Du <i@bobdu.cc>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Change Dex port in local-environment from 4190 to 5556
Port 4190 is blocked by standards-compliant browsers (e.g. Firefox), as per https://fetch.spec.whatwg.org/#port-blocking.
Port 5556 is used by Dex in its example config files: 745e1114f3/examples/config-dev.yaml (L50)
* Fix upstream in local-environment/oauth2-proxy.cfg
http://httpbin.localtest.me:8080 is only exposed to the host, not to httpbin Docker network.
Causes Bad Gateway before.
* Do not expose unauthenticated httpbin service in local-environment
This defeats the point of having oauth2-proxy.
It has already been misleading by causing the bug fixed in cafc6af48fc38f6fe4395fb0c7e2638bc84e6091.
It serves as a bad example: users might accidentally expose the service they're trying to protect in the first place.
* Remove unnecessary httpbin.localtest.me alias from local-environment
* fix: redirect on invalid cookie
* docs: update changelog
* chore: remove duplicated code
* fix: status code handling if wrong http method is used
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Allow setting maximum number of csrf cookies, deleting the oldest if necessary
* Add a test for multiple CSRF cookies to remove the old cookie
* Add docs/changelog
* If limit is <=0 do not clear
Signed-off-by: test <bert@transtrend.com>
* Better docs
Co-authored-by: Jan Larwig <jan@larwig.com>
* direct check of option value
Co-authored-by: Jan Larwig <jan@larwig.com>
* direct use of option value
Co-authored-by: Jan Larwig <jan@larwig.com>
* sort based on clock compare vs time compare
Co-authored-by: Jan Larwig <jan@larwig.com>
* clock.Clock does not implement Compare, fix csrf cookie extraction after rename
Signed-off-by: Bert Helderman <bert@transtrend.com>
* Linter fix
* add method signature documentation and slight formatting
Signed-off-by: Jan Larwig <jan@larwig.com>
* fix: test case for csrf cookie limit and flag
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Bert Helderman <bert@transtrend.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: test <bert@transtrend.com>
Co-authored-by: bh-tt <71650427+bh-tt@users.noreply.github.com>
* upgrade to go1.24.5
dependency updates
lint fixes
chore(deps): upgrade github.com/spf13/viper to v1.20.1
Note that this upgrade also implied to upgrade github.com/mitchellh/mapstructure
(nowadays unmaintained: https://gist.github.com/mitchellh/90029601268e59a29e64e55bab1c5bdc)
to github.com/go-viper/mapstructure/v2.
fix: adapt tests to match mapstructure v2 error messages
pkg/apis/options/load_test.go: skip tests on Go 1.23
Add a compile guard for Go < 1.24 for the pkg/apis/options/load_test.go
because the LoadYAML test depends on error messages produced by
encoding/json that changed slightly (names of embedded structs are now
reported). As we updated the test for go1.24, the test now fails on
1.23, but just for a slight difference, so we disable the test there.
fix: adapt tests to match mapstructure v2 error messages
remove pre 1.24 disclaimer
add changelog entry
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-Authored-By: Olivier Mengué <dolmen@cpan.org>
* add exclusion for 'avoid meaningless package names' in .golangci.yml
* chore(dep): upgrade all dependencies
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Olivier Mengué <dolmen@cpan.org>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix for github teams
* Update github.go
* added errorhandling
* Update github.md
* refactored GitHub provider
refactored hasOrg, hasOrgAndTeams and hasTeam into hasAccess to stay within function limit
* reverted Refactoring
* refactored github.go
- joined hasOrgAndTeamAccess into checkRestrictions
* refactored github.go
- reduced number of returns of function checkRestrictions to 4
* updated GitHub provider to accept legacy team ids
* GoFmt and golangci-lint
Formatted with GoFmt and followed recommendations of GoLint
* added Tests
added Tests for checkRestrictions.
* refactored in maintainer feedback
* Removed code, documentation and tests for legacy ids
* add changelog and update docs
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* docs: clear up multiple-providers is unimplemented
Currently this configuration option is held up by #926. So users don't
assume this solution will work for them, and later find the feature is
not yet implemented -- own the shortcoming clearly.
* doc: add note about missing multi provider implementation to versioned docs
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* add new docs version 7.9.x
* update to release version v7.9.0
* doc: add changelog summary
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: use federated credentials to refresh token in entra id
* fix: add some error handling
* chore: update changelog
* chore: update comments
* chore: update comments
* doc: reference entra id docs and clearer phrasing of comments
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
Olivier Mengué
Theron Boerner
github-actions[bot]
Jan Larwig
nobletrout
Sourav Agrawal
Michael Cornel
Sandy Chen
Ashkan Daie
Conrad Hoffmann
Bob Du
Simmo Saan
Johann
renovate[bot]
Joel Speed
Daniel Givens
Edward Viaene
Daniel Mersch
Evan Carroll
ikarius
Guillaume "Elektordi" Genty
Michael Niksa
Richard Hagen
Enrico
Justin Ryan