Commit graph

145 commits

Author SHA1 Message Date
veily
317f433a14
support self-signed certificates ldap
Format ldap.go

Format ldap.go: with a space for golint

with a space

Rename clientCA is to clientCert

Update ldap.go

modified the ldap client certificate file comments.

modified load ldap client cert error.

modified load ldap client cert error: fmt.Errorf("ldap: load client cert failed: %v", err)
2018-09-22 12:15:11 +08:00
Scott Reisor
2707302054 add Refresh() to mock passwordConnector 2018-09-21 11:55:14 -04:00
Taras Burko
bf39130bab Configurable team name field for GitHub connector 2018-09-14 01:09:48 +03:00
Eric Chiang
bb75dcd793
Merge pull request #1283 from srenatus/sr/move-github-org/fix-imports
Finish GitHub org move
2018-09-05 09:14:06 -07:00
Stephan Renatus
b9f6594bf0 *: github.com/coreos/dex -> github.com/dexidp/dex
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
Stephan Renatus
6a2d4ab6b4 connectors/ldap: treat 'constraint violation' on bind as bad credentials
Some directory servers (I think it's Oracle) return

    Constraint Violation: Exceed password retry limit. Account locked.

when attempting to login too many times. While constraint violation can
mean many things, we're checking this as an error on BIND, so it's
more likely that something like this has happened than any other thing.

Hence, we should treat it as an "incorrect password" situation, not an
internal error.

It would of course be preferrable to surface more information about this
precise error (and similar ones), but I think this is beyond this small
change.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 10:03:17 +02:00
Anian Z
5454a4729f fix default baseURL for gitlab connector 2018-08-28 19:05:30 +02:00
silenceshell
468b5e3f0a
fix typo
Should `pulic`  be `public`?
2018-05-10 11:55:11 +08:00
Stephan Renatus
608260d0f1 saml: add tests case covering tampered NameID field (comment)
As sketched here:

https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability

Thought it was interesting to see how our SAML connector behaved. And
it seems to be behaving well. :)

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-02-28 08:42:17 +01:00
pmcgrath
4aec353aec 1170 - Fix comment typos
BsaeDN should be BaseDN
2018-01-14 12:34:45 +00:00
Pavel Borzenkov
47df6ea2ff connector/microsoft: add support for groups
Microsoft connector now provides support for 'groups' claim in case
'tenant' is configured in Dex config for the connector. It's possible to
deny user authentication if the user is not a member of at least one
configured groups.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-11-23 17:01:34 +03:00
Pavel Borzenkov
6193bf5566 connector: implement Microsoft connector
connector/microsoft implements authorization strategy via Microsoft's
OAuth2 endpoint + Graph API. It allows to choose what kind of tenants
are allowed to authenticate in Dex via Microsoft:
  * common - both personal and business/school accounts
  * organizations - only business/school accounts
  * consumers - only personal accounts
  * <tenant uuid> - only account of specific tenant

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-11-23 17:01:34 +03:00
Stephan Renatus
b09a13458f password connectors: allow overriding the username attribute (password prompt)
This allows users of the LDAP connector to give users of Dex' login
prompt an idea of what they should enter for a username.

Before, irregardless of how the LDAP connector was set up, the prompt
was

    Username
    [_________________]

    Password
    [_________________]

Now, this is configurable, and can be used to say "MyCorp SSO Login" if
that's what it is.

If it's not configured, it will default to "Username".

For the passwordDB connector (local users), it is set to "Email
Address", since this is what it uses.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-09 09:30:03 +01:00
rithu leena john
943e23cd54
Merge pull request #1109 from ericchiang/oidc-test
connector/oidc: remove test that talks to the internet
2017-10-30 11:18:18 -07:00
Eric Chiang
6475ce1f62 connector/oidc: remove test that talks to the internet 2017-10-27 13:40:50 -07:00
Pavel Borzenkov
3b5df52c0f connector/linkedin: implement RefreshConnector interface
Do Refresh() by querying user's profile data.

Since LinkedIn doesn't provide refresh tokens at all, and the access
tokens have 60 days expiration, refresh tokens issued by Dex will fail
to update after 60 days.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00
Pavel Borzenkov
ab06119431 connector: implement LinkedIn connector
connector/linkedin implements authorization strategy via LinkedIn's
OAuth2 endpoint + profile API.

It doesn't implement RefreshConnector as LinkedIn doesn't provide any
refresh token at all (https://developer.linkedin.com/docs/oauth2, Step 5
— Refresh your Access Tokens) and recommends ordinary AuthCode exchange
flow when token refresh is required.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00
Eric Chiang
d099145921 authproxy: update docs and set a userID 2017-10-26 10:47:16 -07:00
Michael Stapelberg
a41d93db4a Implement the “authproxy” connector (for Apache2 mod_auth etc.) 2017-10-25 21:53:51 +02:00
rithu leena john
f3c85e6936 Merge pull request #1096 from ericchiang/ldap-insecure-skip-verify-test
connector/ldap: add test for InsecureSkipVerify option
2017-10-10 11:34:46 -07:00
Eric Chiang
fcf00019de connector/ldap: add test for InsecureSkipVerify option 2017-10-09 14:27:22 -07:00
Lars Sjöström
4605fdd551 connector/gitlab: Fix regexp in Link parser 2017-09-29 21:35:47 +02:00
Eric Chiang
980400db0b Makefile: error out if go files aren't correctly formatted
Noticed in #1058 that our gofmt make target isn't actually erroring
if someone commits misformatted code.
2017-09-14 09:44:15 -07:00
Eric Stroczynski
763e174a7f Merge pull request #1039 from estroz/move-group-scope-check
connector/github: fix groups scope check when 'orgs' is populated
2017-08-21 14:36:44 -07:00
Eric Stroczynski
ce9ac761a6 connector/github: abstract scope check and group getter 2017-08-21 14:30:00 -07:00
rithu leena john
e59d67f466 Merge pull request #1038 from xogroup/github-enterprise
When connecting to GitHub Enterprise, force email verified field to true
2017-08-18 13:58:50 -07:00
Chien Huey
99370b5880 Updated comment to include reference to GitHub Enterprise not supporting verified emails 2017-08-18 11:46:05 -04:00
Eric Stroczynski
e92f38f38f connector/github: error if no groups scope without orgs
We should always check if a user is in any orgs or teams specified
in config, and whether the groups scope is also included in client
requests. If not, return an error, because dex wouldn't have required
permissions to do the request anyway (need read:org).
2017-08-17 17:15:45 -07:00
Chien Huey
98f6a217d3 When connecting to GitHub Enterprise, force email verified field to true 2017-08-17 17:26:10 -04:00
Eric Stroczynski
5894d017d5 connector/github: debug->info logging, more informative userInOrg msg 2017-08-17 11:56:35 -07:00
Eric Stroczynski
484327fd5f connector/github: only user users' login name in API reqs 2017-08-17 10:32:18 -07:00
Eric Stroczynski
ca75470ae3 connector/gitlab: correct scope strings, better default 2017-08-15 14:49:00 -07:00
Eric Chiang
aad328bb35 *: add log events for login, LDAP queries, and SAML responses 2017-08-11 12:00:06 -07:00
Eric Stroczynski
26527011ab connector/github: enable private, primary emails; refactor API calls
Documentation: removed private emails caveats section
2017-08-08 18:04:34 -07:00
Eric Stroczynski
9d154802a2 connector/github: multiple orgs, query by teams
Documentation: examples of GitHub `orgs` field with multiple orgs
and org with teams; note legacy behavior
2017-08-08 10:57:42 -07:00
rithu leena john
05e8d50eca Merge pull request #1000 from rithujohn191/fix-hosted-domain
connector/oidc: fix hosted domain support.
2017-07-31 13:29:26 -07:00
Eric Stroczynski
4a88d0641a : update {S->s}irupsen/logrus 2017-07-25 13:46:44 -07:00
rithu john
5e0bf8b65f connector/oidc: fix hosted domain support. 2017-07-25 13:46:12 -07:00
Ben Navetta
cbb007663f add documentation and tests 2017-06-21 22:56:02 -07:00
Ben Navetta
4194530cf3 initial hostedDomain support 2017-06-20 22:47:28 -07:00
rithu john
682d78f527 connector: improve error message for callback URL mismatch 2017-06-13 15:52:33 -07:00
rithu john
0dd024d669 connector/ldap: correct a comment. 2017-05-04 15:39:08 -07:00
rithu john
6e3e174100 connector/ldap: check for blank passwords and return error. 2017-05-04 13:42:23 -07:00
Eric Chiang
2b8caf9b39 Merge pull request #906 from ericchiang/fix-saml-test
connector/saml/testdata: fix bad status test case
2017-04-19 15:39:11 -07:00
zhuguihua
4e99ec3eeb Fix two typos
Signed-off-by: zhuguihua <zhuguihua@cmss.chinamobile.com>

Change storace to storage in cmd/dex/config.go,
change userSearch to groupSearch in connector/ldap/ldap.go
2017-04-14 03:30:12 +00:00
Eric Chiang
74f5eaf47e connector/ldap: support the StartTLS flow for secure connections
When connecting to an LDAP server, there are three ways to connect:

1. Insecurely through port 389 (LDAP).
2. Securely through port 696 (LDAPS).
3. Insecurely through port 389 then negotiate TLS (StartTLS).

This PR adds support for the 3rd flow, letting dex connect to the
standard LDAP port then negotiating TLS through the LDAP protocol
itself.

See a writeup here:

http://www.openldap.org/faq/data/cache/185.html
2017-04-12 15:25:42 -07:00
Eric Chiang
00b5c99ffc connector/saml/testdata: fix bad status test case
Notice this when inspecting the code coverage results. For some
reason this test wasn't triggering the bad status code path, maybe
due to signature validation. Removing the comment fixed the code
coverage.
2017-04-11 17:20:29 -07:00
Eric Chiang
3d7b1477e7 Merge pull request #903 from ericchiang/ldap-groups-on-user
connector/ldap: fix case where groups are listed on the user entity
2017-04-11 14:06:42 -07:00
rithu leena john
d4274eb0ff Merge pull request #901 from rithujohn191/github-api
connector/github: add support for github enterprise.
2017-04-11 10:09:23 -07:00
rithu john
76b9eb1db9 connector/github: add support for github enterprise. 2017-04-11 10:04:59 -07:00
Eric Chiang
97813ff4fc connector/ldap: fix case where groups are listed on the user entity
Support schemas that determine membership by having fields on the
user entity, instead of listing users on a groups entity. E.g. the
following schema is now supported when it wasn't previously:

    cn=eric,cn=user,dn=exapmle,dn=com
    objectClass=myPerson
    cn: eric
    uid: eric
    email: eric@example.com
    memberOf: foo
    memberOf: bar

    cn=foo,cn=group,dn=exapmle,dn=com
    objectClass=myGroup
    cn: foo

    cn=bar,cn=group,dn=exapmle,dn=com
    objectClass=myGroup
    cn: bar
2017-04-11 09:48:48 -07:00
Eric Chiang
0ac11d93e6 connector/ldap/testdata: add LDAP schema files 2017-04-10 15:33:07 -07:00
Eric Chiang
4a93b55c8b connector/ldap: add LDAP integration tests 2017-04-10 15:33:07 -07:00
Eric Chiang
362e0798a4 connector/saml: clean up SAML verification logic and comments 2017-04-07 14:13:05 -07:00
Phu Kieu
bd754e2b2d Fix entityIssuer -> ssoIssuer typo 2017-04-06 14:50:44 -07:00
Phu Kieu
47897f73fa Validate audience with entityIssuer if present, use redirectURI otherwise 2017-04-06 14:40:56 -07:00
Phu Kieu
217b5ca2c7 Add ssoIssuer to fix Response issuer checking
Rename issuer to entityIssuer
2017-04-06 11:05:49 -07:00
Eric Chiang
a97cffcd52 connector/saml: refactor tests and add self-signed responses
Introduces SAML tests which execute full response processing and
compare user attributes. tesdata now includes a full, self-signed
CA and documents signed using xmlsec1.

Adds deprication notices to existing tests, but don't remove them
since they still provide coverage.
2017-04-04 11:11:35 -07:00
Eric Chiang
e0709dc2ac connector/saml: fix validation bug with multiple Assertion elements
When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.

For example this:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <Signature>
          <!-- Correrctly signed assertion -->
        </Signature>
      </Assertion>

      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>
    </Response>

could be verified then re-ordered to the following:

    <Response>
      <!--
         Response unsigned. According to SAML spec must check
         assertion signature.
      -->
      <Assertion>
        <!-- Unsigned assertion inserted by attacker-->
      </Assertion>

      <Assertion>
        <!-- Canonicalized, correrctly signed assertion -->
      </Assertion>
    </Response>

Fix this by removing all unverified child elements of the Response,
not just the original assertion.
2017-04-04 11:11:35 -07:00
Phu Kieu
6f9ef961bb Use etreeutils.NSSelectOne to select Assertion element 2017-03-24 11:20:53 -07:00
rithu john
59502850f0 connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring 2017-03-23 14:56:34 -07:00
Eric Chiang
50b223a9db *: validate InResponseTo SAML response field and make issuer optional 2017-03-22 13:02:44 -07:00
Eric Chiang
af54f59202 Merge pull request #864 from ericchiang/spelling
*: fix spelling using github.com/client9/misspell
2017-03-20 10:20:16 -07:00
Eric Chiang
33f0199077 *: fix spelling using github.com/client9/misspell 2017-03-20 09:16:56 -07:00
Eric Chiang
ac032e99f0 connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider 2017-03-20 08:47:02 -07:00
Eric Chiang
777eeafabc *: update go-oidc and use standard library's context package 2017-03-08 10:33:19 -08:00
rithu leena john
167d7be281 Merge pull request #790 from givia/github-teams-pagination
Fixes #706
2017-02-06 11:13:03 -08:00
rithu leena john
42d0728048 Merge pull request #785 from holgerkoser/master
Improve SAML Signature and Response Validation
2017-02-01 11:14:13 -08:00
Ali Javadi
e623ad4d35 connector: add GitLab connector 2017-01-28 01:36:02 +03:30
Ali Javadi
98bfa4fbb1 Fixes #706 2017-01-27 05:12:58 +03:30
Holger Koser
e46f2ebe40 Improve SAML Signature and Response Validation
* Improve Order of Namespace Declarations and Attributes in Canonical XML. This is related to an issue in goxmldsig for which I created an [pull request](https://github.com/russellhaering/goxmldsig/pull/17).
* Do not compress the AuthnRequest if `HTTP-POST` binding is used.
* SAML Response is valid if the Message and/or the Assertion is signed.
* Add `AssertionConsumerServiceURL` to `AuthnRequest`
* Validate Status on the Response
* Validate Conditions on the Assertion
* Validation SubjectConfirmation on the Subject
2017-01-26 19:05:40 +01:00
Eric Chiang
31dfb54b6f connector: add a SAML connector 2017-01-09 18:30:58 -08:00
rithu john
6a728f107e connector/ldap: enable groupSearch to be empty 2016-12-27 11:07:03 -08:00
rithu john
9949a1313c server: modify error messages to use logrus. 2016-12-13 11:52:44 -08:00
rithu john
2e22a948cf cmd/dex: add logging config and serve logger for different modules. 2016-12-12 15:56:50 -08:00
Eric Chiang
1e0cf3c068 connector/ldap: default email_verified to true 2016-12-09 13:22:19 -08:00
Eric Chiang
522749b5d8 *: switch oidc client to github.com/coreos/go-oidc
This saves us from having to import two different versions of
square/go-jose.
2016-11-22 13:29:17 -08:00
Eric Chiang
55e97d90a6 *: add tests for the RefreshConnector 2016-11-22 12:53:46 -08:00
Eric Chiang
952e0f81f5 connector: add RefreshConnector interface 2016-11-22 12:53:46 -08:00
Eric Chiang
ae4c32bc3b connector/ldap: use gopkg.in/ldap.v2's escape filter
Use the escape filter method provided by the upstream LDAP package
instead of rolling our own.
2016-11-18 15:16:40 -08:00
Phu Kieu
d4aba443ac Allow getAttr to return DN
Specify "DN" as attribute name to return, but will only work if not present in ldap.Entry.Attributes
Use when full DN is stored in groupSearch's userAttr
2016-11-18 13:51:47 -08:00
Chris Jones
384ac87deb connector/ldap: Always set tls.Config.ServerName, to support LDAP servers with public CA certs. 2016-11-15 14:06:39 -07:00
Eric Chiang
0f31566b27 connector: accept base64 encoded CA and add convience open method 2016-11-03 16:28:23 -07:00
Eric Chiang
aa7f304bc1 *: switch to github.com/ghodss/yaml for more consistent YAML parsing
ghodss/yaml converts from YAML to JSON before attempting to unmarshal.
This allows us to:

* Get the correct behavor when decoding base64'd []byte slices.
* Use *json.RawMessage.
* Not have to support extravagant YAML features.
* Let our structs use `json:` tags
2016-11-03 14:39:32 -07:00
Eric Chiang
57a59d4631 *: don't error out if a username doesn't exist in the backing connector
Instead of throwing a 500 error if a user enters an invalid name,
display the same text box as if the user had entered the wrong
password.

NOTE: An invalid username now returns much quicker than an invalid
password. Consider adding an arbitrary sleep in the future if we
care about masking which was invalid.
2016-11-01 14:10:55 -07:00
Eric Chiang
4329406158 connector/ldap: fix bug in switch statement 2016-10-28 10:11:18 -07:00
Eric Chiang
d7912a3a97 Merge pull request #638 from ericchiang/dev-share-a-single-callback
*: allow call connectors to share a single a single callback
2016-10-27 16:59:04 -07:00
Eric Chiang
13f7dfaef0 connector/ldap: expand LDAP connector to include searches 2016-10-27 13:11:30 -07:00
Eric Chiang
a3235d022a *: verify "state" field before passing request to callback connectors
Let the server handle the state token instead of the connector. As a
result it can throw out bad requests earlier. It can also use that
token to determine which connector was used to generate the request
allowing all connectors to share the same callback URL.

Callbacks now all look like:

    https://dex.example.com/callback

Instead of:

    https://dex.example.com/callback/(connector id)

Even when multiple connectors are being used.
2016-10-27 10:23:09 -07:00
Eric Chiang
a11db557b4 *: expand environment variables in config
Allow users to define config values which are read form environemnt
variables. Helpful for sensitive variables such as OAuth2 client IDs
or LDAP credentials.
2016-10-22 13:49:40 -07:00
Eric Chiang
68746fd795 *: add a mock connector which takes a username and password for testing
Since we don't have a good strategy which takes a username and password
add a mock connector which implementes PasswordConnector so we can
develop the frontend screens.
2016-09-05 17:25:12 -07:00
Eric Chiang
bfe560ee21 rename 2016-08-10 22:31:42 -07:00
Eric Chiang
fd5e508f1c *: implement the OpenID Connect connector 2016-08-08 11:49:47 -07:00
Eric Chiang
f4c5722e42 *: connectors use a different identity object than storage 2016-08-02 21:20:18 -07:00
Eric Chiang
cab271f304 initial commit 2016-07-26 15:51:24 -07:00