Commit graph

83 commits

Author SHA1 Message Date
Stephan Renatus
fa69c918b2 password connectors: allow overriding the username attribute (password prompt)
This allows users of the LDAP connector to give users of Dex' login
prompt an idea of what they should enter for a username.

Before, irregardless of how the LDAP connector was set up, the prompt
was

    Username
    [_________________]

    Password
    [_________________]

Now, this is configurable, and can be used to say "MyCorp SSO Login" if
that's what it is.

If it's not configured, it will default to "Username".

For the passwordDB connector (local users), it is set to "Email
Address", since this is what it uses.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-15 13:49:42 -08:00
rithu leena john
943e23cd54
Merge pull request #1109 from ericchiang/oidc-test
connector/oidc: remove test that talks to the internet
2017-10-30 11:18:18 -07:00
Eric Chiang
6475ce1f62 connector/oidc: remove test that talks to the internet 2017-10-27 13:40:50 -07:00
Pavel Borzenkov
3b5df52c0f connector/linkedin: implement RefreshConnector interface
Do Refresh() by querying user's profile data.

Since LinkedIn doesn't provide refresh tokens at all, and the access
tokens have 60 days expiration, refresh tokens issued by Dex will fail
to update after 60 days.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00
Pavel Borzenkov
ab06119431 connector: implement LinkedIn connector
connector/linkedin implements authorization strategy via LinkedIn's
OAuth2 endpoint + profile API.

It doesn't implement RefreshConnector as LinkedIn doesn't provide any
refresh token at all (https://developer.linkedin.com/docs/oauth2, Step 5
— Refresh your Access Tokens) and recommends ordinary AuthCode exchange
flow when token refresh is required.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00
Eric Chiang
d099145921 authproxy: update docs and set a userID 2017-10-26 10:47:16 -07:00
Michael Stapelberg
a41d93db4a Implement the “authproxy” connector (for Apache2 mod_auth etc.) 2017-10-25 21:53:51 +02:00
rithu leena john
f3c85e6936 Merge pull request #1096 from ericchiang/ldap-insecure-skip-verify-test
connector/ldap: add test for InsecureSkipVerify option
2017-10-10 11:34:46 -07:00
Eric Chiang
fcf00019de connector/ldap: add test for InsecureSkipVerify option 2017-10-09 14:27:22 -07:00
Lars Sjöström
4605fdd551 connector/gitlab: Fix regexp in Link parser 2017-09-29 21:35:47 +02:00
Eric Chiang
980400db0b Makefile: error out if go files aren't correctly formatted
Noticed in #1058 that our gofmt make target isn't actually erroring
if someone commits misformatted code.
2017-09-14 09:44:15 -07:00
Eric Stroczynski
763e174a7f Merge pull request #1039 from estroz/move-group-scope-check
connector/github: fix groups scope check when 'orgs' is populated
2017-08-21 14:36:44 -07:00
Eric Stroczynski
ce9ac761a6 connector/github: abstract scope check and group getter 2017-08-21 14:30:00 -07:00
rithu leena john
e59d67f466 Merge pull request #1038 from xogroup/github-enterprise
When connecting to GitHub Enterprise, force email verified field to true
2017-08-18 13:58:50 -07:00
Chien Huey
99370b5880 Updated comment to include reference to GitHub Enterprise not supporting verified emails 2017-08-18 11:46:05 -04:00
Eric Stroczynski
e92f38f38f connector/github: error if no groups scope without orgs
We should always check if a user is in any orgs or teams specified
in config, and whether the groups scope is also included in client
requests. If not, return an error, because dex wouldn't have required
permissions to do the request anyway (need read:org).
2017-08-17 17:15:45 -07:00
Chien Huey
98f6a217d3 When connecting to GitHub Enterprise, force email verified field to true 2017-08-17 17:26:10 -04:00
Eric Stroczynski
5894d017d5 connector/github: debug->info logging, more informative userInOrg msg 2017-08-17 11:56:35 -07:00
Eric Stroczynski
484327fd5f connector/github: only user users' login name in API reqs 2017-08-17 10:32:18 -07:00
Eric Stroczynski
ca75470ae3 connector/gitlab: correct scope strings, better default 2017-08-15 14:49:00 -07:00
Eric Chiang
aad328bb35 *: add log events for login, LDAP queries, and SAML responses 2017-08-11 12:00:06 -07:00
Eric Stroczynski
26527011ab connector/github: enable private, primary emails; refactor API calls
Documentation: removed private emails caveats section
2017-08-08 18:04:34 -07:00
Eric Stroczynski
9d154802a2 connector/github: multiple orgs, query by teams
Documentation: examples of GitHub `orgs` field with multiple orgs
and org with teams; note legacy behavior
2017-08-08 10:57:42 -07:00
rithu leena john
05e8d50eca Merge pull request #1000 from rithujohn191/fix-hosted-domain
connector/oidc: fix hosted domain support.
2017-07-31 13:29:26 -07:00
Eric Stroczynski
4a88d0641a : update {S->s}irupsen/logrus 2017-07-25 13:46:44 -07:00
rithu john
5e0bf8b65f connector/oidc: fix hosted domain support. 2017-07-25 13:46:12 -07:00
Ben Navetta
cbb007663f add documentation and tests 2017-06-21 22:56:02 -07:00
Ben Navetta
4194530cf3 initial hostedDomain support 2017-06-20 22:47:28 -07:00
rithu john
682d78f527 connector: improve error message for callback URL mismatch 2017-06-13 15:52:33 -07:00
rithu john
0dd024d669 connector/ldap: correct a comment. 2017-05-04 15:39:08 -07:00
rithu john
6e3e174100 connector/ldap: check for blank passwords and return error. 2017-05-04 13:42:23 -07:00
Eric Chiang
2b8caf9b39 Merge pull request #906 from ericchiang/fix-saml-test
connector/saml/testdata: fix bad status test case
2017-04-19 15:39:11 -07:00
zhuguihua
4e99ec3eeb Fix two typos
Signed-off-by: zhuguihua <zhuguihua@cmss.chinamobile.com>

Change storace to storage in cmd/dex/config.go,
change userSearch to groupSearch in connector/ldap/ldap.go
2017-04-14 03:30:12 +00:00
Eric Chiang
74f5eaf47e connector/ldap: support the StartTLS flow for secure connections
When connecting to an LDAP server, there are three ways to connect:

1. Insecurely through port 389 (LDAP).
2. Securely through port 696 (LDAPS).
3. Insecurely through port 389 then negotiate TLS (StartTLS).

This PR adds support for the 3rd flow, letting dex connect to the
standard LDAP port then negotiating TLS through the LDAP protocol
itself.

See a writeup here:

http://www.openldap.org/faq/data/cache/185.html
2017-04-12 15:25:42 -07:00
Eric Chiang
00b5c99ffc connector/saml/testdata: fix bad status test case
Notice this when inspecting the code coverage results. For some
reason this test wasn't triggering the bad status code path, maybe
due to signature validation. Removing the comment fixed the code
coverage.
2017-04-11 17:20:29 -07:00
Eric Chiang
3d7b1477e7 Merge pull request #903 from ericchiang/ldap-groups-on-user
connector/ldap: fix case where groups are listed on the user entity
2017-04-11 14:06:42 -07:00
rithu leena john
d4274eb0ff Merge pull request #901 from rithujohn191/github-api
connector/github: add support for github enterprise.
2017-04-11 10:09:23 -07:00
rithu john
76b9eb1db9 connector/github: add support for github enterprise. 2017-04-11 10:04:59 -07:00
Eric Chiang
97813ff4fc connector/ldap: fix case where groups are listed on the user entity
Support schemas that determine membership by having fields on the
user entity, instead of listing users on a groups entity. E.g. the
following schema is now supported when it wasn't previously:

    cn=eric,cn=user,dn=exapmle,dn=com
    objectClass=myPerson
    cn: eric
    uid: eric
    email: eric@example.com
    memberOf: foo
    memberOf: bar

    cn=foo,cn=group,dn=exapmle,dn=com
    objectClass=myGroup
    cn: foo

    cn=bar,cn=group,dn=exapmle,dn=com
    objectClass=myGroup
    cn: bar
2017-04-11 09:48:48 -07:00
Eric Chiang
0ac11d93e6 connector/ldap/testdata: add LDAP schema files 2017-04-10 15:33:07 -07:00
Eric Chiang
4a93b55c8b connector/ldap: add LDAP integration tests 2017-04-10 15:33:07 -07:00
Eric Chiang
362e0798a4 connector/saml: clean up SAML verification logic and comments 2017-04-07 14:13:05 -07:00
Phu Kieu
bd754e2b2d Fix entityIssuer -> ssoIssuer typo 2017-04-06 14:50:44 -07:00
Phu Kieu
47897f73fa Validate audience with entityIssuer if present, use redirectURI otherwise 2017-04-06 14:40:56 -07:00
Phu Kieu
217b5ca2c7 Add ssoIssuer to fix Response issuer checking
Rename issuer to entityIssuer
2017-04-06 11:05:49 -07:00
Eric Chiang
a97cffcd52 connector/saml: refactor tests and add self-signed responses
Introduces SAML tests which execute full response processing and
compare user attributes. tesdata now includes a full, self-signed
CA and documents signed using xmlsec1.

Adds deprication notices to existing tests, but don't remove them
since they still provide coverage.
2017-04-04 11:11:35 -07:00
Eric Chiang
e0709dc2ac connector/saml: fix validation bug with multiple Assertion elements
When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.

For example this:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <Signature>
          <!-- Correrctly signed assertion -->
        </Signature>
      </Assertion>

      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>
    </Response>

could be verified then re-ordered to the following:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>

      <Assertion>
        <!-- Canonicalized, correrctly signed assertion -->
      </Assertion>
    </Response>

Fix this by removing all unverified child elements of the Response,
not just the original assertion.
2017-04-04 11:11:35 -07:00
Phu Kieu
6f9ef961bb Use etreeutils.NSSelectOne to select Assertion element 2017-03-24 11:20:53 -07:00
rithu john
59502850f0 connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring 2017-03-23 14:56:34 -07:00
Eric Chiang
50b223a9db *: validate InResponseTo SAML response field and make issuer optional 2017-03-22 13:02:44 -07:00