da60fa82ac
Merge pull request #894 from ericchiang/backport-saml-fix-v2.3.x
...
connector/saml: fix validation bug with multiple Assertion elements
2017-04-04 11:24:17 -07:00
6a70148960
connector/saml: refactor tests and add self-signed responses
...
Introduces SAML tests which execute full response processing and
compare user attributes. tesdata now includes a full, self-signed
CA and documents signed using xmlsec1.
Adds deprication notices to existing tests, but don't remove them
since they still provide coverage.
2017-04-04 11:21:41 -07:00
59cefd987b
connector/saml: fix validation bug with multiple Assertion elements
...
When a SAML response provided multiple Assertion elements, only the
first one is checked for a valid signature. If the Assertion is
verified, the original Assertion is removed and the canonicalized
version is prepended to the Response. However, if there were
multiple assertions, the second assertion could end up first in the
list of Assertions, even if it was unsigned.
For example this:
<Response>
<!--
Response unsigned. According to SAML spec must check
assertion signature.
-->
<Assertion>
<Signature>
<!-- Correrctly signed assertion -->
</Signature>
</Assertion>
<Assertion>
<!-- Unsigned assertion inserted by attacker-->
</Assertion>
</Response>
could be verified then re-ordered to the following:
<Response>
<!--
Response unsigned. According to SAML spec must check
assertion signature.
-->
<Assertion>
<!-- Unsigned assertion inserted by attacker-->
</Assertion>
<Assertion>
<!-- Canonicalized, correrctly signed assertion -->
</Assertion>
</Response>
Fix this by removing all unverified child elements of the Response,
not just the original assertion.
2017-04-04 11:18:40 -07:00
6e50c18458
Merge pull request #875 from ericchiang/fix-example-app-custom-ca
...
cmd/example-app: fix custom CA behavior
2017-03-24 13:21:20 -07:00
9b0e9ab2ca
cmd/example-app: fix custom CA behavior
2017-03-24 11:53:28 -07:00
2a6ae0a6ea
Merge pull request #870 from Calpicow/fix_assertion_fallback
...
Fix assertion fallback
2017-03-24 11:34:30 -07:00
6f9ef961bb
Use etreeutils.NSSelectOne to select Assertion element
2017-03-24 11:20:53 -07:00
4b457d8c82
vendor: revendor
2017-03-24 11:03:30 -07:00
b5f70dac36
glide.yaml: update goxmldsig
2017-03-24 11:02:55 -07:00
5d49e18478
Merge pull request #873 from rithujohn191/client-example
...
examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap.
2017-03-23 17:24:11 -07:00
562eae3fc7
examples/grpc-client: clean up the example and add tlsClientCA to ConfigMap.
2017-03-23 16:57:23 -07:00
6146e23396
Merge pull request #872 from rithujohn191/offline-access-error
...
connector: Connectors without a RefreshConnector should not error out
2017-03-23 16:11:45 -07:00
59502850f0
connector: Connectors without a RefreshConnector should not return a refresh token instead of erroring
2017-03-23 14:56:34 -07:00
b112aa2ecd
Merge pull request #869 from ericchiang/saml-response-to
...
*: validate InResponseTo SAML response field and make issuer optional
2017-03-22 13:04:41 -07:00
50b223a9db
*: validate InResponseTo SAML response field and make issuer optional
2017-03-22 13:02:44 -07:00
8b2956ddbc
Merge pull request #867 from ericchiang/xml-validation
...
glide.yaml: update goxmldsig
2017-03-21 10:27:04 -07:00
910d59865b
vendor: revendor
2017-03-21 09:27:22 -07:00
5888220965
glide.yaml: update goxmldsig
2017-03-21 09:25:56 -07:00
95d237003a
Merge pull request #855 from ericchiang/static-storage-fallthrough
...
storage: make static storages query real storages for some actions
2017-03-20 10:42:34 -07:00
af54f59202
Merge pull request #864 from ericchiang/spelling
...
*: fix spelling using github.com/client9/misspell
2017-03-20 10:20:16 -07:00
25fdaa67a7
Merge pull request #860 from ericchiang/oidc-broken-auth-header
...
connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider
2017-03-20 09:56:09 -07:00
4c39bc20ae
storage: make static storages query real storages for some actions
...
If dex is configured with static passwords or clients, let the API
still add or modify objects in the backing storage, so long as
their IDs don't conflict with the static ones. List options now
aggregate resources from the static list and backing storage.
2017-03-20 09:39:38 -07:00
33f0199077
*: fix spelling using github.com/client9/misspell
2017-03-20 09:16:56 -07:00
f503ff7950
*: add documentation for the OpenID Connect provider
2017-03-20 08:47:02 -07:00
ac032e99f0
connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider
2017-03-20 08:47:02 -07:00
4bf74d8ac3
Merge pull request #862 from rithujohn191/update-api
...
api: Update timestamp type for RefreshTokenRef to int64.
2017-03-17 15:58:09 -07:00
921090f05f
api: Update timestamp type for RefreshTokenRef to int64.
2017-03-17 15:46:39 -07:00
84af5273c8
Merge pull request #854 from rithujohn191/conformance-tests
...
storage/conformance: update conformance tests with multiple entries per resource
2017-03-17 10:51:24 -07:00
9e88924577
storage/conformance: update conformance tests with multiple entries per resource
2017-03-16 16:35:51 -07:00
7a798844cc
Merge pull request #852 from ericchiang/fix-log-level
...
storage/kubernetes: log INFO level if TPR already exists, not ERROR
2017-03-15 10:50:00 -07:00
6cb38604d9
storage/kubernetes: log INFO level if TPR already exists, not ERROR
2017-03-15 10:30:10 -07:00
d31bb1c8d5
Merge pull request #848 from ericchiang/fix-sql-where-statement
...
storage/sql: add missing WHERE statement to refresh token update
2017-03-13 16:54:58 -07:00
0481fccd76
storage/sql: add missing WHERE statement to refresh token update
2017-03-13 15:53:28 -07:00
d6f4fa5d98
Merge pull request #844 from dmmcquay/master
...
update kubernetes example-app explanation
2017-03-10 09:59:10 -08:00
9b052f37c9
clearified redirect-uri and make cmd location
2017-03-09 22:36:37 -08:00
a6ab82d6c0
update kubernetes example-app explanation
...
Clarify some potentially confusing issues with how to run and build the
example-app binary.
2017-03-09 17:17:07 -08:00
90e9225e05
Merge pull request #842 from ericchiang/go-1-8
...
*: only use docker when releasing, update to Go 1.8, remove aci scripts
2017-03-09 11:04:18 -08:00
ee27a4f9f4
*: only use docker when releasing, update to Go 1.8, remove aci scripts
...
This change modifies our release process to only require Docker
when building a release and updates our released binary to use Go
1.8. It also removes our .aci scripts, which we've not been
regularly building.
A nice consequence is that OSX users can now build a release image.
2017-03-09 10:46:09 -08:00
95d54956e9
Merge pull request #840 from ericchiang/oidc-bump
...
*: update go-oidc and use standard library's context package
2017-03-08 11:46:40 -08:00
e5f60fe9dd
vendor: revendor
2017-03-08 10:33:36 -08:00
777eeafabc
*: update go-oidc and use standard library's context package
2017-03-08 10:33:19 -08:00
6dd415997a
Merge pull request #835 from rithujohn191/fix-client-example
...
examples/grpc-client: minor corrections in the dex client example.
2017-03-07 13:35:44 -08:00
08db0eb5ce
examples/grpc-client: minor corrections in the dex client example.
2017-03-03 15:58:30 -08:00
afe2e47e3d
Merge pull request #834 from pgburt/paulb-prod-users-integrations
...
Added produciton-users and integrations pages
2017-03-03 11:57:14 -08:00
a660e7cd7a
Added produciton-users and integrations pages
2017-03-03 13:49:22 -05:00
3e5480a859
Merge pull request #829 from ericchiang/fix-keys-expiry
...
server: fix expiry detection for verification keys
2017-03-01 12:46:23 -08:00
920f6fb5cd
Merge pull request #825 from ericchiang/http2
...
storage/kubernetes: enable HTTP/2 support
2017-03-01 12:46:07 -08:00
2c4752d5d4
server: fix expiry detection for verification keys
2017-03-01 12:43:45 -08:00
3797a71ec9
Merge pull request #812 from rithujohn191/example-client
...
examples: adding a gRPC client example.
2017-02-28 13:34:23 -08:00
38c77e0f33
storage/kubernetes: enable HTTP/2 support
2017-02-28 12:42:06 -08:00
Eric Chiang
Eric Chiang
Phu Kieu
rithu leena john
Derek McQuay
Paul Burt