* Validate jsonpath in claim extractor
Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>
* Add test and changelog for claim extractor json path
---------
Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Create session cookie when cookie-expire set 0
* Fix format
* add test
* fix lint error
* fix test code
* fix conflicted test case
* update test case of cookie expiration
* update tests of csrf cookies
* update docs
* Update docs/docs/configuration/overview.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
---------
Co-authored-by: tanuki884 <morkazuk@fsi.co.jp>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
---------
Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
* Log the difference between invalid email and not authorized session
* Add changelog entry
* Remove superfluous argument
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Ensure sign-in page background is uniform throughout the page
Configured banners that take up large amounts of space leave a gap of blank
background between where the body ends and the footer starts. Fix this by
setting the style for the section containing the banner to match the body and
footer
* Add changelog entry
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Fixes CVE-2022-41721 (#1994)
See: https://avd.aquasec.com/nvd/2022/cve-2022-41717/
* update checkout actions (#1981)
* Fix a typo in oauthproxy.go (#2021)
* fix typo (#2001)
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
---------
Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Jeroen Landheer <jlandheer@bintelligence.nl>
Co-authored-by: Ryuichi Watanabe <ryucrosskey@gmail.com>
Co-authored-by: Ho Kim <ho.kim@ulagbulag.io>
Co-authored-by: Terrell Russell <terrellrussell@gmail.com>
* feat: readiness check
* fix: no need for query param
* docs: add a note
* chore: move the readyness check to its own endpoint
* docs(cr): add godoc
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix uninitialized user claim
Some providers doesn't initialize data with setProviderDefaults function
(keycloak-oidc for example), therefore UserClaim is never initialized
with the default value and stay as an empty string.
This result in an empty user.
* Add CHANGELOG.md entry for #1873
* Call setProviderDefaults where missing
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update go-redis/redis to v9.
- And updated redislock, testify, ginko and gomega have also been updated.
- Renamed the option `IdleTimeout` to `ConnMaxIdleTime` because of 517938a6b0/CHANGELOG.md
* Update CHANGELOG.md
* Dropping dot import of the types since they created aliases now
* fixing some error messages to make tests happy
* updating more error messages that were changed to make tests happy
* reverting error messages
Co-authored-by: Muhammad Arham <marham@i2cinc.com>
* Avoid Nextcloud "Current user is not logged in" (Statuscode 997)
The error message results from oauth2-proxy trying to pass the
access token via URL. Instead it needs to be sent via header,
thus the Nextcloud provider requires a fix similar to what #1502
did before for the keycloak provider.
* Implement EnrichSession() for Nextcloud provider
Parse nested JSON to transform relevant information (groups, id,
email) from the OAuth2 userinfo endpoint into session.
* Update CHANGELOG.md (add link to PR #1750)
* Add API route config
In addition to requests with Accept header `application/json` return 401 instead of 302 to login page on requests matching API paths regex.
* Update changelog
* Refactor
* Remove unnecessary comment
* Reorder checks
* Lint Api -> API
Co-authored-by: Sebastian Halder <sebastian.halder@boehringer-ingelheim.com>
* dynamically update the htpasswdMap based on the changes made to the htpasswd file
* added tests to validate that htpasswdMap is updated after the htpasswd file is changed
* refactored `htpasswd` and `watcher` to lower cognitive complexity
* returned errors and refactored tests
* added `CHANGELOG.md` entry for #1701 and fixed the codeclimate issue
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix lint issue from code suggestion
* Wrap htpasswd load and watch errors with context
* add the htpasswd wrapped error context to the test
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Inconsistent code-challenge-method CLI flag and config file naming
- Allow previous config option for now to prevent breaking configs
Fixes#1667
* Add changelog entry
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix vulnerabilities on crypto, net and sys packages and change go version on Docker builder stage
* Changelog related PR $1774
Co-authored-by: Felipe Bonvicini Conti <felipe.conti@totvs.com.br>
* adding IdleTimeout with the redis-connection-idle-timeout flag, to keep redis connections in valid state, when Redis option is set
* docs update - add redis idle timeout configurations
* changelog update for #1691 fix
* Unbreak oauth2-proxy for keycloak provider after 2c668a
With 2c668a, oauth2-proxy fails a request if the token validation fails.
Token validation always fails with the keycloak provider, due to the
valudation request passing the token via the URL, and keycloak not
parsing the url for tokens.
This is fixed by forcing the validation request to pass the token via a
header.
This code taken from the DigitalOcean provider, which presumably forcing
the token to be passed via header for the same reason.
Test plan: I was unable to build a docker image to test the fix, but I
believe it is relatively simple, and it passes the "looks good to me"
test plan.
* Add changelog entry for unbreak keycloak
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Change error type for redirect parsing errors
This changes the error type returned when the proxy fails to parse the
redirect target to be a 400 error instead of a 500 error.
As far as I can tell, the only way that this can fail is a failure to
parse the properties of the request to identity the redirect target.
This indicates that the user has sent a malformed request, and so should
result in a 400 rather than a 500.
I've added a test to exercise this, based on a real work example.
* Update changelog
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add allowed_emails option to the auth endpoint query string
* Don't return true from checkAllowedEmailsOrDomains only because domains field was empty
* Fix checkAllowedEmailsOrDomains logic
* Added tests for allowed_emails query parameter
* Updated CHANGELOG
* Remove checkAllowedEmailsOrDomains
Co-authored-by: Nick Meves <nicholas.meves@gmail.com>
* Build ARMv8 Docker Images
Fixes#1593
* Change platform to arm64/v8
* Drop separate tags for different architectures
* Mark the architecture image tags for deprecation
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Use distroless debian11 docker image
* Add `Dockerfile` to `.dockerignore`
* Replace `nonroot` with the matching UID/GID
Alpine does not have that user, and it cause issues when trying to start the container
* Use a build arg for setting the runtime image
* Explain why `ARG RUNTIME_IMAGE` is at the top
* Add entry to CHANGELOG
* Move build-arg to `DOCKER_BUILDX_ARGS`
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.
Signed-off-by: Valentin Pichard <github@w3st.fr>
* Fix provider data initialisation
* PKCE Support
Adds Code Challenge PKCE support (RFC-7636) and partial
Authorization Server Metadata (RFC-8414) for detecting PKCE support.
- Introduces new option `--force-code-challenge-method` to force a
specific code challenge method (either `S256` or `plain`) for instances
when the server has not implemented RFC-8414 in order to detect
PKCE support on the discovery document.
- In all other cases, if the PKCE support can be determined during discovery
then the `code_challenge_methods_supported` is used and S256 is always
preferred.
- The force command line argument is helpful with some providers like Azure
who supports PKCE but does not list it in their discovery document yet.
- Initial thought was given to just always attempt PKCE since according to spec
additional URL parameters should be dropped by servers which implemented
OAuth 2, however other projects found cases in the wild where this causes 500
errors by buggy implementations.
See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810
- Due to the fact that the `code_verifier` must be saved between the redirect and
callback, sessions are now created when the redirect takes place with `Authenticated: false`.
The session will be recreated and marked as `Authenticated` on callback.
- Individual provider implementations can choose to include or ignore code_challenge
and code_verifier function parameters passed to them
Note: Technically speaking `plain` is not required to be implemented since
oauth2-proxy will always be able to handle S256 and servers MUST implement
S256 support.
> If the client is capable of using "S256", it MUST use "S256", as "S256"
> is Mandatory To Implement (MTI) on the server. Clients are permitted
> to use "plain" only if they cannot support "S256" for some technical
> reason and know via out-of-band configuration that the server supports
> "plain".
Ref: RFC-7636 Sec 4.2
oauth2-proxy will always use S256 unless the user explicitly forces `plain`.
Fixes#1361
* Address PR comments by moving pkce generation
* Make PKCE opt-in, move to using the Nonce generater for code verifier
* Make PKCE opt-in, move to using the Nonce generater for code verifier
* Encrypt CodeVerifier in CSRF Token instead of Session
- Update Dex for PKCE support
- Expose HTTPBin for further use cases
* Correct the tests
* Move code challenges into extra params
* Correct typo in code challenge method
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Correct the extra space in docs
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Address changelog and new line nits
* Add generated docs
Co-authored-by: Valentin Pichard <github@w3st.fr>
Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
* implementation draft
* add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options
* refactor configs, added logging and add additional claim verification
* simplify logic by just having one configuration similar to oidc-email-claim
* added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers
* refactored verification to reduce complexity
* refactored verification to reduce complexity
* added docs
* adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options
* extend unit tests and ensure that audience is set with the value of aud claim configuration
* revert filemodes and update docs
* update docs
* remove unneccesary logging, refactor audience existence check and added additional unit tests
* fix linting issues after rebase on origin/main
* cleanup: use new imports for migrated libraries after rebase on origin/main
* adapt mock in keycloak_oidc_test.go
* allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation
* fixed formatting issue
* do not pass the whole options struct to minimize complexity and dependency to the configuration structure
* added changelog entry
* update docs
Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com>
Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
* Add ValidateSession function to LoginGovProvder to include Auth Header
* Update CHANGELOG for PR 1509
* Update logingov_test to include ValidationURL
* Remove the information about `Microsoft Azure AD`
* Put `proxy_buffer_size` in a code tag
* Update `CHANGELOG.md`
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* init TLS.Config when connecting to Redis with TLS
* don't overwrite TLS config if it exists
* add tests for Redis with TLS
* remove hardcoded certs
* add GenerateCert func
* use GenerateCert util func
* fix issue reported by go fmt
* limit return statements in GenerateCert
* Use the httputil.NewSingleHostReverseProxy instad of yhat/wsutil for websocket proxying. This correctly handles 404 responses with keep-alive by terminating the tunnel rather than keeping it alive
* Tidy up dependencies - yhat/wsutil is no longer required
* Update changelog to include reference to 1348
Co-authored-by: Matt Lilley <matt.lilley@securitease.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Previously this was only done in the `EnrichSession` stage
which would've missed Bearer usages & `RefreshSession`
would've overriden the User to the Subject.
* extract email from id_token for azure provider (#914)
* extract email from id_token for azure provider
this change fixes a bug when --resource is specified with non-Graph
api and the access token destined to --resource is used to call Graph
api
* fixed typo
* refactor GetEmailAddress to EnrichSessionState
* make getting email from idtoken best effort and fall back to previous behavior when it's absent
* refactor to use jwt package to extract claims
* fix lint
* refactor unit tests to use test table
refactor the get email logic from profile api
* addressing feedback
* added oidc verifier to azure provider and extract email from id_token if present
* fix lint and codeclimate
* refactor to use oidc verifier to verify id_token if oidc is configured
* fixed UT
* addressed comments
* minor refactor
* addressed feedback
* extract email from id_token first and fallback to access token
* fallback to access token as well when id_token doesn't have email claim
* address feedbacks
* updated change log!
* switch to docker buildx for multiarch builds
* add setup docker buildx action
* update docker push to push the multiarch image
* make multiarch image have parity with currently produced images by adding linux/armv6
* triaging issue with arm v6
* incorporating feedback
* fixing rebase disaster
* reset Makefile to blessed state
Co-authored-by: Weinong Wang <weinong@outlook.com>
* switched to github.com/golang-jwt/jwt and updated golang.org/x/crypto to include CVE fixes
* added #1276 to changelog
Co-authored-by: Joshua Vécsei <git@vecsei.me>
* Extend email-domain validation with sub-domain capability
* Adding the CHANGELOG entry
* Fixing lint erros
* Fixing lint erros
* Renamed the emailDomains to allowedDomains, plus tests
* Bringing together all basic test-cases
* Fixing unit tests
* Add unit tests to validate additional vulnerability concerns
* Fix - Refresh Session not working for multiple cookies (#1209)
* added comments for flattenheaders fix
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Updated Changelog.md
Co-authored-by: Rishi Kambil <rishi.kambil@lntinfotech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add sensible logging flag to default setup for logger
* Add Redis lock
* Fix default value flag for sensitive logging
* Split RefreshSessionIfNeeded in two methods and use Redis lock
* Small adjustments to doc and code
* Remove sensible logging
* Fix method names in ticket.go
* Revert "Fix method names in ticket.go"
This reverts commit 408ba1a1a5.
* Fix methods name in ticket.go
* Remove block in Redis client get
* Increase lock time to 1 second
* Perform retries, if session store is locked
* Reverse if condition, because it should return if session does not have to be refreshed
* Update go.sum
* Update MockStore
* Return error if loading session fails
* Fix and update tests
* Change validSession to session in docs and strings
* Change validSession to session in docs and strings
* Fix docs
* Fix wrong field name
* Fix linting
* Fix imports for linting
* Revert changes except from locking functionality
* Add lock feature on session state
* Update from master
* Remove errors package, because it is not used
* Only pass context instead of request to lock
* Use lock key
* By default use NoOpLock
* Remove debug output
* Update ticket_test.go
* Map internal error to sessions error
* Add ErrLockNotObtained
* Enable lock peek for all redis clients
* Use lock key prefix consistent
* Fix imports
* Use exists method for peek lock
* Fix imports
* Fix imports
* Fix imports
* Remove own Dockerfile
* Fix imports
* Fix tests for ticket and session store
* Fix session store test
* Update pkg/apis/sessions/interfaces.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Do not wrap lock method
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Use errors package for lock constants
* Use better naming for initLock function
* Add comments
* Add session store lock test
* Fix tests
* Fix tests
* Fix tests
* Fix tests
* Add cookies after saving session
* Add mock lock
* Fix imports for mock_lock.go
* Store mock lock for key
* Apply elapsed time on mock lock
* Check if lock is initially applied
* Reuse existing lock
* Test all lock methods
* Update CHANGELOG.md
* Use redis client methods in redis.lock for release an refresh
* Use lock key suffix instead of prefix for lock key
* Add comments for Lock interface
* Update comment for Lock interface
* Update CHANGELOG.md
* Change LockSuffix to const
* Check lock on already loaded session
* Use global var for loadedSession in lock tests
* Use lock instance for refreshing and releasing of lock
* Update possible error type for Refresh
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Set and verify a nonce with OIDC
* Create a CSRF object to manage nonces & cookies
* Add missing generic cookie unit tests
* Add config flag to control OIDC SkipNonce
* Send hashed nonces in authentication requests
* Encrypt the CSRF cookie
* Add clarity to naming & add more helper methods
* Make CSRF an interface and keep underlying nonces private
* Add ReverseProxy scope to cookie tests
* Align to new 1.16 SameSite cookie default
* Perform SecretBytes conversion on CSRF cookie crypto
* Make state encoding signatures consistent
* Mock time in CSRF struct via Clock
* Improve InsecureSkipNonce docstring
* Add a clock package for better time mocking
* Make Clock a struct so it doesn't need initialization
* Test clock package
* Use atomic for live time tests
* Refer to same clock.Mock throughout methods
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.
* fixed lint issues
* additional lint fixes
* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options
* fixed typo
* removed weird : file
* small CR changes
* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG
* Update pkg/apis/options/providers.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/apis/options/providers.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/apis/options/providers.go
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.
* fixed lint issues
* additional lint fixes
* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options
* small CR changes
* auto generates alpha_config.md
* rebase (mainly service alpha options related conflicts)
* removed :
* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options
* small CR changes
* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG
* "cntd. rebase"
* ran make generate again
* last conflicts
* removed duplicate client id validation
* 1. Removed provider prefixes
2. altered optionsWithNilProvider logic
3. altered default provider logic
4. moved change in CHANELOG to 7.0.0
* fixed TestGoogleGroupOptions test
* ran make generate
* moved CHANGLOG line to 7.1.1
* moved changelog comment to 7.1.2 (additional rebase)
Co-authored-by: Yana Segal <yana.segal@nielsen.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Add example with traefik and keycloak
* Switch to dex
* Remove unneeded change in keycloak settings
* Taken into account review comments
* Add changelog entry
Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add RequestID to the RequestScope
* Expose RequestID to auth & request loggers
* Use the RequestID in templated HTML pages
* Allow customizing the RequestID header
* Document new Request ID support
* Add more cases to scope/requestID tests
* Split Get vs Generate RequestID funtionality
* Add {{.RequestID}} to the request logger tests
* Move RequestID management to RequestScope
* Use HTML escape instead of sanitization for Request ID rendering
* extract email from id_token for azure provider
this change fixes a bug when --resource is specified with non-Graph
api and the access token destined to --resource is used to call Graph
api
* fixed typo
* refactor GetEmailAddress to EnrichSessionState
* make getting email from idtoken best effort and fall back to previous behavior when it's absent
* refactor to use jwt package to extract claims
* fix lint
* refactor unit tests to use test table
refactor the get email logic from profile api
* addressing feedback
* added oidc verifier to azure provider and extract email from id_token if present
* fix lint and codeclimate
* refactor to use oidc verifier to verify id_token if oidc is configured
* fixed UT
* addressed comments
* minor refactor
* addressed feedback
* extract email from id_token first and fallback to access token
* fallback to access token as well when id_token doesn't have email claim
* address feedbacks
* updated change log!
* Use a specialized ResponseWriter in middleware
* Track User & Upstream in RequestScope
* Wrap responses in our custom ResponseWriter
* Add tests for logging middleware
* Inject upstream metadata into request scope
* Use custom ResponseWriter only in logging middleware
* Assume RequestScope is never nil
This includes a fix for our samesite cookie parsing. The behaviour
changed in 1.16 so that the default value now leaves it empty, so it's
equivalent to not setting it (as per spec)
* GH-1015 Adds support for Traefik to OauthStart on '/oauth2/auth' endpoint
* Fix incorrect reference to signout path and point to signin path
- remove commented out alternative solutions and debug log statements
* Remove skip provider button check as SignIn method already does this
* Updated traefik example to match existing file configuration reference, updated tests
* Update doc and refactor nested conditional statements
* Revert code changes as static upstream provides the same functionality
- Add doc on using static upstream with Traefik ForwardAuth middleware
* update changelog
* Move the doc changes to 7.0.x versioned docs
* Re-add traefik docs update in the main docs overview.md
* add missing oauth2-proxy routing
Co-authored-by: Praveen Chinthala <PraveenChinthala@hollandandbarrett.com>
Add the Prometheus http.Handler to serve metrics at MetricsPath ("/metrics"
by default). This allows Prometheus to scrape metrics from OAuth2 Proxy.
Add a new middleware NewRequestMetrics and attach it to the preAuth
chain. This will collect metrics on all requests made to OAuth2 Proxy
Collapse some calls to Prinf() and os.Exit(1) to Fatalf as they are
equivalent. main() has a strict 50 lines limit so brevity in these
calls appreciated
tuunit
polarctos
Koen van Zuijlen
Cory Bolar
Joseph Weigl
Jan Wystub
t-katsumura
Nuno Miguel Micaelo Borges
Amr Hanafi
Ole-Martin Bratteng
Marc Schiereck
Kobi Meirson
Braunson M
Damien Degois
Joel Speed
dulakm
Muhammad Arham
Centzilius
Adrian Aneci
Chris Bednarz
NiteHawk
Segfault16
tooptoop4
Ian Serpa
Alexandru Ciobanu
Chris Bednarz
Felipe B. Conti
Dmitry Kartsev
Chris
Alexandru Ciobanu
ckwalsh
adamsong
Nik Skoufis
Jack Henschel
Rajesh Krishnamurthy
zv0n
Ian Roberts
mgiessing
Kevin Schu
Valentin Pichard
Andy Thompson
Preston Sheldon
Alex Babel
Nick Meves
Jeeva Kandasamy
Stephan Aßmus
Hiroyuki Wada
Maciej Strzelecki
Luka Zakrajšek
David Emanuel Buchmann
Matt Lilley
Jan Rotter
Ryan Hartje
Fabian Stelzer
Hedi Harzallah
Miks Kalnins
Philippe
Jordie
Peter Braun
JVecsei
Nick Meves
Moraru Costel
Anders Kiel Hovgaard
Sami Racho
Rishi Kambil
Kevin Kreitner
Tarvi Pillessaar
Itay Brandes
yanasega
Oliver
Frédéric Collonval
Weinong Wang
Stefan Sedich
Praveen Chinthala
Sean Jones