Commit graph

99 commits

Author SHA1 Message Date
Ed Tan
6ffc8fcd8d Rename bitbucket to bitbucketcloud 2018-10-06 11:45:56 -04:00
Ed Tan
d26e23c16f Make suggested code changes 2018-10-05 10:43:49 -04:00
Ed Tan
2c024d8caf Fix golint issues 2018-09-30 15:43:50 -04:00
Ed Tan
8c75d85b60 Add Bitbucket connector 2018-09-30 15:08:07 -04:00
Stephan Renatus
26c0206627
connector/saml: make unparsable (trailing, non-space/newline) data an error
Fixes #1304, if we want to be harsh.

However, I think if it was the user's intention to pass two certs, and
the second one couldn't be read, that shouldn't just disappear. After
all, when attempting to login later, that might fail because the
expected IdP cert data isn't there.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-29 11:09:33 +02:00
veily
317f433a14
support self-signed certificates ldap
Format ldap.go

Format ldap.go: with a space for golint

with a space

Rename clientCA is to clientCert

Update ldap.go

modified the ldap client certificate file comments.

modified load ldap client cert error.

modified load ldap client cert error: fmt.Errorf("ldap: load client cert failed: %v", err)
2018-09-22 12:15:11 +08:00
Taras Burko
bf39130bab Configurable team name field for GitHub connector 2018-09-14 01:09:48 +03:00
Eric Chiang
bb75dcd793
Merge pull request #1283 from srenatus/sr/move-github-org/fix-imports
Finish GitHub org move
2018-09-05 09:14:06 -07:00
Stephan Renatus
b9f6594bf0 *: github.com/coreos/dex -> github.com/dexidp/dex
Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 17:57:08 +02:00
Stephan Renatus
6a2d4ab6b4 connectors/ldap: treat 'constraint violation' on bind as bad credentials
Some directory servers (I think it's Oracle) return

    Constraint Violation: Exceed password retry limit. Account locked.

when attempting to login too many times. While constraint violation can
mean many things, we're checking this as an error on BIND, so it's
more likely that something like this has happened than any other thing.

Hence, we should treat it as an "incorrect password" situation, not an
internal error.

It would of course be preferrable to surface more information about this
precise error (and similar ones), but I think this is beyond this small
change.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-09-05 10:03:17 +02:00
Anian Z
5454a4729f fix default baseURL for gitlab connector 2018-08-28 19:05:30 +02:00
silenceshell
468b5e3f0a
fix typo
Should `pulic`  be `public`?
2018-05-10 11:55:11 +08:00
Stephan Renatus
608260d0f1 saml: add tests case covering tampered NameID field (comment)
As sketched here:

https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability

Thought it was interesting to see how our SAML connector behaved. And
it seems to be behaving well. :)

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2018-02-28 08:42:17 +01:00
pmcgrath
4aec353aec 1170 - Fix comment typos
BsaeDN should be BaseDN
2018-01-14 12:34:45 +00:00
Pavel Borzenkov
47df6ea2ff connector/microsoft: add support for groups
Microsoft connector now provides support for 'groups' claim in case
'tenant' is configured in Dex config for the connector. It's possible to
deny user authentication if the user is not a member of at least one
configured groups.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-11-23 17:01:34 +03:00
Pavel Borzenkov
6193bf5566 connector: implement Microsoft connector
connector/microsoft implements authorization strategy via Microsoft's
OAuth2 endpoint + Graph API. It allows to choose what kind of tenants
are allowed to authenticate in Dex via Microsoft:
  * common - both personal and business/school accounts
  * organizations - only business/school accounts
  * consumers - only personal accounts
  * <tenant uuid> - only account of specific tenant

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-11-23 17:01:34 +03:00
Stephan Renatus
b09a13458f password connectors: allow overriding the username attribute (password prompt)
This allows users of the LDAP connector to give users of Dex' login
prompt an idea of what they should enter for a username.

Before, irregardless of how the LDAP connector was set up, the prompt
was

    Username
    [_________________]

    Password
    [_________________]

Now, this is configurable, and can be used to say "MyCorp SSO Login" if
that's what it is.

If it's not configured, it will default to "Username".

For the passwordDB connector (local users), it is set to "Email
Address", since this is what it uses.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
2017-11-09 09:30:03 +01:00
rithu leena john
943e23cd54
Merge pull request #1109 from ericchiang/oidc-test
connector/oidc: remove test that talks to the internet
2017-10-30 11:18:18 -07:00
Eric Chiang
6475ce1f62 connector/oidc: remove test that talks to the internet 2017-10-27 13:40:50 -07:00
Pavel Borzenkov
3b5df52c0f connector/linkedin: implement RefreshConnector interface
Do Refresh() by querying user's profile data.

Since LinkedIn doesn't provide refresh tokens at all, and the access
tokens have 60 days expiration, refresh tokens issued by Dex will fail
to update after 60 days.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00
Pavel Borzenkov
ab06119431 connector: implement LinkedIn connector
connector/linkedin implements authorization strategy via LinkedIn's
OAuth2 endpoint + profile API.

It doesn't implement RefreshConnector as LinkedIn doesn't provide any
refresh token at all (https://developer.linkedin.com/docs/oauth2, Step 5
— Refresh your Access Tokens) and recommends ordinary AuthCode exchange
flow when token refresh is required.

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
2017-10-27 12:54:28 +03:00
Eric Chiang
d099145921 authproxy: update docs and set a userID 2017-10-26 10:47:16 -07:00
Michael Stapelberg
a41d93db4a Implement the “authproxy” connector (for Apache2 mod_auth etc.) 2017-10-25 21:53:51 +02:00
rithu leena john
f3c85e6936 Merge pull request #1096 from ericchiang/ldap-insecure-skip-verify-test
connector/ldap: add test for InsecureSkipVerify option
2017-10-10 11:34:46 -07:00
Eric Chiang
fcf00019de connector/ldap: add test for InsecureSkipVerify option 2017-10-09 14:27:22 -07:00
Lars Sjöström
4605fdd551 connector/gitlab: Fix regexp in Link parser 2017-09-29 21:35:47 +02:00
Eric Chiang
980400db0b Makefile: error out if go files aren't correctly formatted
Noticed in #1058 that our gofmt make target isn't actually erroring
if someone commits misformatted code.
2017-09-14 09:44:15 -07:00
Eric Stroczynski
763e174a7f Merge pull request #1039 from estroz/move-group-scope-check
connector/github: fix groups scope check when 'orgs' is populated
2017-08-21 14:36:44 -07:00
Eric Stroczynski
ce9ac761a6 connector/github: abstract scope check and group getter 2017-08-21 14:30:00 -07:00
rithu leena john
e59d67f466 Merge pull request #1038 from xogroup/github-enterprise
When connecting to GitHub Enterprise, force email verified field to true
2017-08-18 13:58:50 -07:00
Chien Huey
99370b5880 Updated comment to include reference to GitHub Enterprise not supporting verified emails 2017-08-18 11:46:05 -04:00
Eric Stroczynski
e92f38f38f connector/github: error if no groups scope without orgs
We should always check if a user is in any orgs or teams specified
in config, and whether the groups scope is also included in client
requests. If not, return an error, because dex wouldn't have required
permissions to do the request anyway (need read:org).
2017-08-17 17:15:45 -07:00
Chien Huey
98f6a217d3 When connecting to GitHub Enterprise, force email verified field to true 2017-08-17 17:26:10 -04:00
Eric Stroczynski
5894d017d5 connector/github: debug->info logging, more informative userInOrg msg 2017-08-17 11:56:35 -07:00
Eric Stroczynski
484327fd5f connector/github: only user users' login name in API reqs 2017-08-17 10:32:18 -07:00
Eric Stroczynski
ca75470ae3 connector/gitlab: correct scope strings, better default 2017-08-15 14:49:00 -07:00
Eric Chiang
aad328bb35 *: add log events for login, LDAP queries, and SAML responses 2017-08-11 12:00:06 -07:00
Eric Stroczynski
26527011ab connector/github: enable private, primary emails; refactor API calls
Documentation: removed private emails caveats section
2017-08-08 18:04:34 -07:00
Eric Stroczynski
9d154802a2 connector/github: multiple orgs, query by teams
Documentation: examples of GitHub `orgs` field with multiple orgs
and org with teams; note legacy behavior
2017-08-08 10:57:42 -07:00
rithu leena john
05e8d50eca Merge pull request #1000 from rithujohn191/fix-hosted-domain
connector/oidc: fix hosted domain support.
2017-07-31 13:29:26 -07:00
Eric Stroczynski
4a88d0641a : update {S->s}irupsen/logrus 2017-07-25 13:46:44 -07:00
rithu john
5e0bf8b65f connector/oidc: fix hosted domain support. 2017-07-25 13:46:12 -07:00
Ben Navetta
cbb007663f add documentation and tests 2017-06-21 22:56:02 -07:00
Ben Navetta
4194530cf3 initial hostedDomain support 2017-06-20 22:47:28 -07:00
rithu john
682d78f527 connector: improve error message for callback URL mismatch 2017-06-13 15:52:33 -07:00
rithu john
0dd024d669 connector/ldap: correct a comment. 2017-05-04 15:39:08 -07:00
rithu john
6e3e174100 connector/ldap: check for blank passwords and return error. 2017-05-04 13:42:23 -07:00
Eric Chiang
2b8caf9b39 Merge pull request #906 from ericchiang/fix-saml-test
connector/saml/testdata: fix bad status test case
2017-04-19 15:39:11 -07:00
zhuguihua
4e99ec3eeb Fix two typos
Signed-off-by: zhuguihua <zhuguihua@cmss.chinamobile.com>

Change storace to storage in cmd/dex/config.go,
change userSearch to groupSearch in connector/ldap/ldap.go
2017-04-14 03:30:12 +00:00
Eric Chiang
74f5eaf47e connector/ldap: support the StartTLS flow for secure connections
When connecting to an LDAP server, there are three ways to connect:

1. Insecurely through port 389 (LDAP).
2. Securely through port 696 (LDAPS).
3. Insecurely through port 389 then negotiate TLS (StartTLS).

This PR adds support for the 3rd flow, letting dex connect to the
standard LDAP port then negotiating TLS through the LDAP protocol
itself.

See a writeup here:

http://www.openldap.org/faq/data/cache/185.html
2017-04-12 15:25:42 -07:00