Commit Graph

68 Commits

Author SHA1 Message Date
renovate[bot] b1929c740c
chore(deps): update module google.golang.org/api to v0.158.0 (#2464)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-26 10:27:34 +00:00
renovate[bot] 509287b555
chore(deps): update module github.com/google/uuid to v1.6.0 (#2456)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-25 09:49:51 +00:00
renovate[bot] 6a03a110bb
chore(deps): update module google.golang.org/api to v0.157.0 (#2429)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-23 10:11:02 +00:00
renovate[bot] 7851428ce6
chore(deps): update module k8s.io/apimachinery to v0.29.1 (#2428)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-22 16:48:04 +00:00
renovate[bot] 67445052d1
chore(deps): update github.com/ghodss/yaml digest to d8423dc (#2427)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-22 16:29:31 +00:00
Jan Larwig 5e68dad636
upgrading to go 1.21 (#2235)
* chore: bump go to version 1.21

update all dependencies as well

* fix linting issues based on golang 1.20 deprecations

* cleanup go dependencies

* add custom gomega matcher for option interfaces

* revert and upgrade golangci-lint to 1.55.2

* fix lint issues for v1.55.2 of golangci-lint

* fix toml loading test

* remove second runspecs call

* update go.sum

* revert testutil package
2024-01-22 13:39:53 +00:00
renovate[bot] 8141895070
chore(deps): update module github.com/bsm/redislock to v0.9.4 (#2406)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-21 10:42:01 +00:00
renovate[bot] b8ae6448e1
chore(deps): update github.com/ghodss/yaml digest to d8423dc (#2401)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-20 20:09:14 +00:00
renovate[bot] daea40d628
chore(deps): update module golang.org/x/crypto to v0.17.0 [security] (#2400)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-20 20:08:46 +00:00
Jan Larwig 2f3c811e6a
Feature - Add env variable support for alpha struct (#2375)
* added envsubstring package and added simple test cases.

* added documentation

* added changelog entry

* added documentation to wrong file


.

* changed tests to ginkgo format

* update project to use better maintained library

* use defer to clear test variable after tests finished

* updated docs for the new package documentation and fixed bad English

* refactored function to "reduce" complexity.

* updated changelog for new version

updated readme

* minor formatting

---------

Co-authored-by: Haydn Evans <h.evans@douglas.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2024-01-20 19:37:24 +00:00
darh bfd667e4a2
Update go-jose dependency as requested in #2350 (#2356)
* update go-jose dependency by switching gopkg.in/square/go-jose.v2
with github.com/go-jose/go-jose/v3

* updated `CHANGELOG.md` with entry for PR #2356

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2024-01-08 13:08:35 +00:00
Conrad Hoffmann 71561f637d
Update ojg to latest release (#2357)
The previously used release is no longer available on Github.
2024-01-08 11:49:28 +00:00
Koen van Zuijlen 464f3bcf53
Fixed Google ADC functionality (#2282)
* Fixed Google ADC functionality

* Updated CHANGELOG.md

* Redo changes after merge-conflict

* Fixed docs

* Fixed linting issues

* Applied PR suggestions
2023-10-24 20:03:16 +01:00
Pierluigi Lenoci 8d03adfd04
Upgrade golang.org/x/net to v0.17.0 (#2274)
* golang.org/x/net upgrade to v0.17.0

https://artifacthub.io/packages/helm/oauth2-proxy/oauth2-proxy?modal=security-report

* Update CHANGELOG.md

* go mod tidy
2023-10-24 12:33:03 +01:00
vllvll b78c391adc
Update dependencies (#2128)
* Update dependencies

* Update changelog
2023-10-02 10:26:58 +01:00
Joseph Weigl bd867b5138
Bugfix/check json path (#1921)
* Validate jsonpath in claim extractor

Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>

* Add test and changelog for claim extractor json path

---------

Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-08-24 13:40:43 +01:00
t-katsumura d107d885e4
Session-Cookie Support (#1713)
* Create session cookie when cookie-expire set 0

* Fix format

* add test

* fix lint error

* fix test code

* fix conflicted test case

* update test case of cookie expiration

* update tests of csrf cookies

* update docs

* Update docs/docs/configuration/overview.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

---------

Co-authored-by: tanuki884 <morkazuk@fsi.co.jp>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-08-16 12:23:02 +01:00
Nuno Miguel Micaelo Borges 6f11e60c0a
Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS (#2047)
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

---------

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
2023-04-07 12:33:42 +01:00
Amr Hanafi dd4fa414ea
Update golang.org/x/net to v0.7.0 to address GHSA-vvpx-j8f3-3w6h (#2028)
* Update golang.org/x/net to v0.7.0 to address GHSA-vvpx-j8f3-3w6h

Addresses https://github.com/advisories/GHSA-vvpx-j8f3-3w6h

Signed-off-by: Amr Hanafi (MAHDI)) <amrh@microsoft.com>

* Update CHANGELOG

---------

Signed-off-by: Amr Hanafi (MAHDI)) <amrh@microsoft.com>
2023-03-07 10:42:12 +00:00
Nuno Miguel Micaelo Borges e079c60dfe
Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is wri… (#2013)
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Fixes CVE-2022-41721 (#1994)

See: https://avd.aquasec.com/nvd/2022/cve-2022-41717/

* update checkout actions (#1981)

* Fix a typo in oauthproxy.go (#2021)

* fix typo (#2001)

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

---------

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Jeroen Landheer <jlandheer@bintelligence.nl>
Co-authored-by: Ryuichi Watanabe <ryucrosskey@gmail.com>
Co-authored-by: Ho Kim <ho.kim@ulagbulag.io>
Co-authored-by: Terrell Russell <terrellrussell@gmail.com>
2023-03-05 17:12:55 +00:00
Jeroen Landheer a061cd52e9
Fixes CVE-2022-41721 (#1994)
See: https://avd.aquasec.com/nvd/2022/cve-2022-41717/
2023-02-13 09:25:33 +00:00
Joel Speed 4a2cf153cf
Fixup update session state handling 2022-10-29 12:49:53 +01:00
Joel Speed 7034f0db53
Do not update viper
This breaks our default structures tests
2022-10-29 12:49:50 +01:00
Joel Speed 5dfefb6d9b
Update session state handling 2022-10-29 12:49:49 +01:00
Joel Speed f55d24bfcf
Update dependencies
Ran `go get -u` to update dependencies automatically to newer versions.
I'm aware of a few CVEs that this should resolve
2022-10-29 12:49:48 +01:00
Muhammad Arham 1e21a56f99
Update go-redis/redis to v9. (#1847)
* Update go-redis/redis to v9.
- And redislock, testify, ginkgo and gomega have also been updated.
- Renamed the option `IdleTimeout` to `ConnMaxIdleTime` because of 517938a6b0/CHANGELOG.md

* Update CHANGELOG.md

* Dropping dot import of the types since they created aliases now

* fixing some error messages to make tests happy

* updating more error messages that were changed to make tests happy

* reverting error messages

Co-authored-by: Muhammad Arham <marham@i2cinc.com>
2022-10-24 16:41:06 +01:00
Adrian Aneci a5d918898c Add azure groups support and oauth2 v2.0 2022-10-21 20:23:21 +03:00
Chris Bednarz 6afcae295a
Updated net and text packages to address CVE-2022-27664 and CVE-2022-32149. (#1825)
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-10-15 14:33:44 +01:00
Felipe B. Conti ff03c43842
Fix vulnerabilities on crypto, net and sys packages and change go ver… (#1774)
* Fix vulnerabilities on crypto, net and sys packages and change go version on Docker builder stage

* Changelog related PR #1774

Co-authored-by: Felipe Bonvicini Conti <felipe.conti@totvs.com.br>
2022-08-31 21:37:07 +01:00
Joel Speed d3f428a1a6
Discover signature algorithms from OIDC provider (#1662) 2022-05-29 13:48:09 +01:00
Rajesh Krishnamurthy f8ddc130d8 CVE fixes pertaining to text, crypto and prometheus 2022-05-13 14:53:24 -07:00
Braunson 333e68637f
Build ARMv8 Docker Images (#1594)
* Build ARMv8 Docker Images

Fixes #1593

* Change platform to arm64/v8

* Drop separate tags for different architectures

* Mark the architecture image tags for deprecation

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-04-14 15:52:43 +01:00
Joel Speed 3bb9621f5d
Add DiscoveryProvider to perform OIDC discovery 2022-02-19 15:37:55 +00:00
Joel Speed 07aba7db09
Tidy go mod file 2022-02-19 15:32:04 +00:00
Joel Speed 537e596904
Add claim extractor provider util 2022-02-16 10:28:32 +00:00
polarctos 7eaf98b5fe Update go version to 1.17
This includes the change to the pruned module graph with the converted go.mod for Go 1.17
https://go.dev/doc/go1.17#go-command
2021-12-17 16:51:13 +01:00
Matt Lilley 3957183fd5
Use the httputil.NewSingleHostReverseProxy instead of yhat/wsutil for … (#1348)
* Use the httputil.NewSingleHostReverseProxy instead of yhat/wsutil for websocket proxying. This correctly handles 404 responses with keep-alive by terminating the tunnel rather than keeping it alive

* Tidy up dependencies - yhat/wsutil is no longer required

* Update changelog to include reference to 1348

Co-authored-by: Matt Lilley <matt.lilley@securitease.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-10-03 15:38:40 +01:00
JVecsei 8967873659
Updated dependency versions which include CVE fixes (#1276)
* switched to github.com/golang-jwt/jwt and updated golang.org/x/crypto to include CVE fixes

* added #1276 to changelog

Co-authored-by: Joshua Vécsei <git@vecsei.me>
2021-07-29 17:45:41 +01:00
Nick Meves 0b4bc36554
Upgrade go-oidc to v3 (#1264) 2021-07-17 09:55:05 -07:00
Joel Speed 6c62b25bf1
Allow request paths to be rewritten before proxying to upstream server 2021-06-23 12:20:46 +01:00
Joel Speed d2d62bb452
Replace standard serve mux with gorilla mux 2021-06-23 12:20:21 +01:00
Joel Speed a8c9b2903d
Use gorilla mux for OAuth Proxy routing 2021-06-19 11:17:16 +01:00
Kevin Kreitner f648c54d87
Add redis lock feature (#1063)
* Add sensible logging flag to default setup for logger

* Add Redis lock

* Fix default value flag for sensitive logging

* Split RefreshSessionIfNeeded in two methods and use Redis lock

* Small adjustments to doc and code

* Remove sensible logging

* Fix method names in ticket.go

* Revert "Fix method names in ticket.go"

This reverts commit 408ba1a1a5.

* Fix methods name in ticket.go

* Remove block in Redis client get

* Increase lock time to 1 second

* Perform retries, if session store is locked

* Reverse if condition, because it should return if session does not have to be refreshed

* Update go.sum

* Update MockStore

* Return error if loading session fails

* Fix and update tests

* Change validSession to session in docs and strings

* Change validSession to session in docs and strings

* Fix docs

* Fix wrong field name

* Fix linting

* Fix imports for linting

* Revert changes except from locking functionality

* Add lock feature on session state

* Update from master

* Remove errors package, because it is not used

* Only pass context instead of request to lock

* Use lock key

* By default use NoOpLock

* Remove debug output

* Update ticket_test.go

* Map internal error to sessions error

* Add ErrLockNotObtained

* Enable lock peek for all redis clients

* Use lock key prefix consistent

* Fix imports

* Use exists method for peek lock

* Fix imports

* Fix imports

* Fix imports

* Remove own Dockerfile

* Fix imports

* Fix tests for ticket and session store

* Fix session store test

* Update pkg/apis/sessions/interfaces.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Do not wrap lock method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Use errors package for lock constants

* Use better naming for initLock function

* Add comments

* Add session store lock test

* Fix tests

* Fix tests

* Fix tests

* Fix tests

* Add cookies after saving session

* Add mock lock

* Fix imports for mock_lock.go

* Store mock lock for key

* Apply elapsed time on mock lock

* Check if lock is initially applied

* Reuse existing lock

* Test all lock methods

* Update CHANGELOG.md

* Use redis client methods in redis.lock for release and refresh

* Use lock key suffix instead of prefix for lock key

* Add comments for Lock interface

* Update comment for Lock interface

* Update CHANGELOG.md

* Change LockSuffix to const

* Check lock on already loaded session

* Use global var for loadedSession in lock tests

* Use lock instance for refreshing and releasing of lock

* Update possible error type for Refresh

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-06-02 19:08:19 +01:00
Nick Meves d3423408c7
Add a clock package for better time mocking (#1136)
* Add a clock package for better time mocking

* Make Clock a struct so it doesn't need initialization

* Test clock package

* Use atomic for live time tests

* Refer to same clock.Mock throughout methods
2021-04-18 18:25:57 +01:00
Nick Meves c1267bb92d
Request ID Logging (#1087)
* Add RequestID to the RequestScope

* Expose RequestID to auth & request loggers

* Use the RequestID in templated HTML pages

* Allow customizing the RequestID header

* Document new Request ID support

* Add more cases to scope/requestID tests

* Split Get vs Generate RequestID functionality

* Add {{.RequestID}} to the request logger tests

* Move RequestID management to RequestScope

* Use HTML escape instead of sanitization for Request ID rendering
2021-03-21 18:20:57 +00:00
Joel Speed d8aca8ac30
Add new http server implementation 2021-03-07 11:49:09 +00:00
Joel Speed 5fe947eb07
Update go version to 1.16
This includes a fix for our samesite cookie parsing. The behaviour
changed in 1.16 so that the default value now leaves it empty, so it's
equivalent to not setting it (as per spec)
2021-02-19 11:30:58 +00:00
Sean Jones a7c8a233ba
Add Prometheus metrics endpoint
Add the Prometheus http.Handler to serve metrics at MetricsPath ("/metrics"
by default). This allows Prometheus to scrape metrics from OAuth2 Proxy.

Add a new middleware NewRequestMetrics and attach it to the preAuth
chain. This will collect metrics on all requests made to OAuth2 Proxy

Collapse some calls to Printf() and os.Exit(1) to Fatalf as they are
equivalent. main() has a strict 50 lines limit so brevity in these
calls is appreciated
2021-02-15 13:45:26 +00:00
Joel Speed 5c64e236fb
Generate reference page in configuration 2021-01-18 09:57:44 +00:00
Joel Speed f36dfbb494
Introduce alpha configuration loading 2020-12-01 08:56:49 +00:00