Commit graph

98 commits

Author SHA1 Message Date
Eric Chiang
7bac93aa20 *: remove in memory session repos
Move manager to it's own package so it can import db. Move all
references to the in memory session repos to use sqlite3.
2016-02-12 13:19:05 -08:00
Eric Chiang
af790e46bb Merge pull request #267 from ericchiang/metadata
add dynamic client registration
2016-02-01 16:25:57 -08:00
Eric Chiang
04cd1851aa server: add dynamic client registration 2016-02-01 16:06:46 -08:00
Frode Nordahl
5d284e08ae Change status code used for redirects from StatusTemporaryRedirect (307) to StatusFound (302)
HTTP code 307 aka. StatusTemporaryRedirect is used throughout the
project. However, the endpoints redirected to explicitly expects
the client to make a GET request.

If a HTTP client issues a POST request to a server and receives a
HTTP 307 redirect, it forwards the POST request to the new URL.

When using 302 the HTTP client will issue a GET request.

Fixes #287
2016-01-23 22:33:53 +01:00
bobbyrullo
789d9a68cc Merge pull request #282 from ericchiang/fix_token_test
server: fix reset password test
2016-01-20 14:35:46 -08:00
Eric Chiang
4da143ca2d server: fix reset password test
TestResetPasswordHandler depended on makeToken begin called twice
during the initialization of a single test case and later assuming
the result would match. Because the token has a timestamp accurate
to the second, occasionally the timestamps would be slightly off
within a single test case and cause the test to fail.

Adding a sleep statement to makeToken would cause the test to fail
reliably.

Define a single token for each test case outside of the struct
initializer so test cases compare the same token.

Closes #274

Additionally remove logging statements that dump entire HTML pages.
2016-01-19 19:45:16 -08:00
Eric Chiang
6b4aa88306 Merge pull request #280 from ericchiang/user_api
*: move user API auth to middleware and fix return status
2016-01-19 15:52:11 -08:00
Eric Chiang
0ada4c8010 *: move user API auth to middleware and fix return status
Move client authentication into its own middleware and provide
differentiation between HTTP requests that do not provide
credentials (401) and requests that authenticate as a non-admin
user (403).

Closes #152
2016-01-19 13:49:01 -08:00
Eric Chiang
ec3bc7f258 *: allow dexctl set-connector-configs to read from stdin
Closes #276
2016-01-19 08:59:34 -08:00
Eric Chiang
5e44b6bc27 *: update all to accommodate changes to go-oidc
Update dex to comply with the changes to fieldnames and types of
the client and provider metadata structs in coreos/go-oidc.
2016-01-12 17:16:28 -08:00
bobbyrullo
71f5021678 Merge pull request #246 from bobbyrullo/maybe
server: better UX when remote ID already exists
2015-12-23 18:17:54 -08:00
Bobby Rullo
dc828825e6 server: better UX when remote ID already exists
Instead of cryptic message with nowhere to, give them the choice to
login with that account or register.
2015-12-23 17:11:03 -08:00
Eric Chiang
ad6e331860 server: fix flow when user logs in through wrong connector
This cleans up the code that deals with a user attempting to login
through a different connector than they registered with. The only
functional change is that `newLoginURLFromSession` is now called
with register = false when a user has an existing account.
2015-12-22 13:20:40 -08:00
Eric Chiang
99e1163972 server: fix tests
In #210 a field name in the provider config was corrected. However
the old, and incorrect, value was hard coded in the tests. This
change updates the test case to hold the correct field name.

There are no other references to the old name in dex or its
vendored packages.
2015-12-16 18:20:14 -08:00
Eric Chiang
f63ec158a5 Merge pull request #197 from ericchiang/oauth2_connector
connector: github and bitbucket oauth2 connectors added
2015-12-10 08:56:09 -08:00
Eric Chiang
f2c3dbc5e6 static, server: add styles for github and bitbucket connectors
Add icons and styles for github and bitbucket buttons.
2015-12-08 10:20:13 -08:00
Eric Chiang
f43655a8c3 user/manager: connector must exists when creating remote identity
Add ConnectorConfigRepo to UserManager. When trying to create a
RemoteIdentity, validate that the connector ID exists.

Fixes #198
2015-12-07 17:34:08 -08:00
Eric Chiang
d518447282 user: move user manager to it's own package
This commit moves the user.Manage to its own package (user/manager)
so it can import the connector package in a later commit.

For clarity, it renames "Manager" to "UserManager" using gorname.

This commit has no functional changes.
2015-12-07 15:34:14 -08:00
Eric Chiang
8be9396811 registration: trim spaces and sanity check user email from form
When a user attempts to register an email, trim prefixed and
trailing spaces, then perform a basic sanity check to ensure it's
of form "test@example.com".

Fixes #163
2015-12-01 10:20:00 -08:00
Joe Bowers
a9ab63893d Merge pull request #179 from coreos/new-invitation-endpoint
New invitation endpoint
2015-11-18 14:25:09 -08:00
Joe Bowers
0c854a21d6 server: endpoint and system for sending invitations to dex
An invitation allows users to both verify their email address and set
a new password.
2015-11-18 14:24:19 -08:00
Marcus Stong
7d0ecf9532 server: add scope to newLoginURLFromSession
need to make sure the scope is present otherwise will be considered an invalid request

fixes #135
2015-11-18 14:16:35 -05:00
Joe Bowers
792b72ef54 server: spelling of error message 2015-11-11 10:04:54 -08:00
Joe Bowers
ca9227fc19 various: spelling, logging, and commentary cleanup 2015-11-11 10:04:54 -08:00
Bobby Rullo
d1e292eb94 server: pass issuer name to emailer
Issuer name can be used in Emailer
2015-10-30 15:00:40 -07:00
Bobby Rullo
2ef1b4beff user: introduce "invite" emails
Invite emails are essentially just reset password emails with a
different template (though this can and probably will change (slightly)
in the near future)
2015-10-30 14:41:00 -07:00
George Tankersley
07a4d4441e pkg/crypto: replace old crypto with new crypto 2015-10-29 13:45:25 -07:00
Joe Bowers
85113748a8 server: unify password reset and email verification code and behavior
This patch proposes behavioral changes. In particular, referring
systems will need to provide client ids under all circumstances.
2015-10-16 14:47:58 -07:00
bobbyrullo
8360f18fea Merge pull request #147 from gyuho/use_stdpkg_basicauth
server: use standard lib http.Request.BasicAuth
2015-10-13 11:37:31 -07:00
Yifan Gu
7282dd5187 refreshtoken: return base64 encoded token for in-memory backend.
Previously if we use the in-memory backend, it will return a raw
binary token for refresh token. This fixes the case.
2015-10-12 14:51:52 -07:00
Gyu-Ho Lee
f06073fbcd server: use standard lib http.Request.BasicAuth
Go 1.4+ has https://golang.org/pkg/net/http/#Request.BasicAuth
method for http.Request and it was requested by CoreOS(kelsey) [1]
with the same functionalities. If dex's Go development is being done
in Go 1.4 or later, we should use the standard library.

Thanks!

---
[1] https://codereview.appspot.com/76540043/
2015-10-06 05:00:33 -07:00
Bobby Rullo
55040c55fa server, integration, cmd: Protect Admin API
Admin API now requires a 128 byte base64 encoded secret to be passed in
Authorization header, closing up a potential security hole for those
who expose this service.
2015-10-01 13:15:45 -07:00
Bobby Rullo
d3d6a75b91 fixup - Code review changes. 2015-09-30 17:07:00 -07:00
Bobby Rullo
bf9517fdaa server,cmd: Add flag for disabling registation
For situations where admins add users.
2015-09-30 16:35:58 -07:00
Joe Bowers
e5db302312 server: expose user disable API endpoint 2015-09-29 16:46:30 -07:00
Joe Bowers
b19adefde5 Merge pull request #138 from joeatwork/disable-users
server: disable users
2015-09-28 12:36:09 -07:00
Joe Bowers
fbbb3cc2df server: all authorizations fail for disabled users 2015-09-25 17:29:59 -07:00
Joe Bowers
ffabe03bc0 server: don't allow disabled users to access the api 2015-09-25 15:47:42 -07:00
Joe Bowers
60a36e2c2e server,db: flag for disabling user login 2015-09-25 14:25:06 -07:00
Joe Bowers
4c9bab0890 server: user management endpoints strictly conform to schema
This change disables the URL fixing behavior or the router associated
with the user management schema. After this commit, URLS routing
to /api/$VERSION/users must target exactly the specified paths. In
addition, `/api/$VERSION/users/` will serve a 404

This change allows users to hit the user create endpoint, which
would previously serve a redirect rather than actually making the
associated change.
2015-09-24 16:41:29 -07:00
Giulio Iotti
472e4a02a4 *: Remove unnecessary else statements
Whenever it makes the code easier to follow, use early return to
avoid else statements.
2015-09-04 22:45:32 +03:00
bobbyrullo
0ec24a17bd Merge pull request #104 from bobbyrullo/flags_are_good
cmd,server,static/html: Configurable name, logo
2015-09-02 18:00:58 -07:00
Bobby Rullo
f1820cda14 cmd,server,static/html: Configurable name, logo
fixes #47
2015-09-02 18:00:28 -07:00
Yifan Gu
44c6cb44f5 refresh: bcrypt raw bytes rather than base64 encoded string.
This enables us to control the length of the bytes that will be bcrypted,
by default it's 64.

Also changed the token's stored form from string('text') to []byte('bytea')
and added some test cases for different types of invalid tokens.
2015-09-02 14:23:20 -07:00
Yifan Gu
93a0830ae0 server: check scope in requests.
Require 'openid' in scope for all requests.
Require 'offline_access' for returning refresh token.
2015-08-31 13:51:59 -07:00
Yifan Gu
066fd859ec session: add 'scope' field in session. 2015-08-31 13:51:59 -07:00
Bobby Rullo
d0c199b62c cmd, server: base64 encode multiple secrets
Two things here:

    * key secrets are now base64 encoded strings, so we get the full key
      space

    * we can pass >1 of them in so we can rotate them
2015-08-26 10:43:24 -07:00
Bobby Rullo
66fe201c24 *: move original project to dex 2015-08-18 11:26:57 -07:00